
DNSSEC Signing Service

This document outlines the EPP commands used for the DNSSEC signing service.

 

Create Command

The create command adds a new domain to the DNSSEC signing service. As a result of this command, the following events occur:

  • The zone is added to our signing service database
  • A SOA query and an AXFR of the zone are requested from the unsigned (hidden) master nameserver, authenticated with the TSIG key supplied for that server
  • The zone is signed
  • The signed zone is published by AXFR to the signed slave nameserver(s), using the TSIG key supplied for each slave

Once the zone is signed, a <secure> command needs to be issued to place DS records in the parent zone and achieve a full chain of trust. Until the transfer from the master succeeds and the zone has been signed, the zone stays in the Pending state and the <secure> command is rejected (error V324).
The <dss:create> element will contain the following elements:

  • A <dss:zone> element giving the zone to sign
  • A <dss:unsignedMaster> element containing the registrar's details of the one to four hidden master DNS servers
  • A <dss:signedSlave> element containing the registrar's details of the one to four slave DNS servers

A <dss:unsignedMaster> or <dss:signedSlave> element will each contain one to four <dss:ns> elements, each of which contains the following sub-elements:

  • A <dss:addr> element giving the IP address. This has an "ip" attribute denoting whether the address is "v4" or "v6" (as in the EPP host mapping, RFC 5732)
  • A <dss:tsigKey> element giving the TSIG key used to authenticate zone transfers with that server. This has the following sub-elements:
    • A <dss:tsigName> element giving the name of the TSIG key
    • A <dss:tsigSecret> element giving the base64-encoded shared secret
    • A <dss:tsigAlg> element giving the HMAC algorithm, using the algorithm names of RFC 2845 and RFC 4635 (for example hmac-sha1). At present we only support the mandatory algorithms listed in RFC 4635, i.e. hmac-md5, hmac-sha1 and hmac-sha256

Note that the TSIG secret is transmitted in the EPP frame and stored by the registry, and that the examples below reuse one secret for every server only for brevity. In practice use a separate key for each server, prefer hmac-sha256 (the current TSIG specification, RFC 8945, forbids new use of HMAC-MD5 and no longer recommends HMAC-SHA1), and confirm that the master actually permits AXFR for the key before issuing the create, for example with dig -y hmac-sha1:test1.example.co.uk.:<secret> @<master> epp-example.co.uk AXFR.

Example create command:


<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
  <command>
    <create>
      <dss:create
          xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
          xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-dss-1.0 nom-dss-1.0.xsd">
        <dss:zone>epp-example.co.uk</dss:zone>
        <dss:unsignedMaster>
          <dss:ns>
            <dss:addr ip="v4">1.2.3.4</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test1.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
          <dss:ns>
            <dss:addr ip="v6">1:2:3:4:5:6:7:8</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test2.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
        </dss:unsignedMaster>
        <dss:signedSlave>
          <dss:ns>
            <dss:addr ip="v4">5.6.7.8</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test3.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
          <dss:ns>
            <dss:addr ip="v6">9:0:a:b:c:d:e:f</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test4.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
        </dss:signedSlave>
      </dss:create>
    </create>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>
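The following Python script, added here as an example and not part of Nominet's documentation or client software, builds the <dss:create> frame above from a list of servers and applies the limits the service enforces (one to four servers per group, no duplicate IP addresses, a supported algorithm, a base64 secret) before anything is sent. The element names and namespaces are those of the service; the NameServer class, the function names and the freshly generated secrets are this example's own.

```python
"""Build the <dss:create> frame for the Nominet DNSSEC signing service.
Added example, not Nominet client code: element names and limits follow the
service description; NameServer and the function names are this example's own."""
import base64
import binascii
import ipaddress
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass

EPP_NS = "urn:ietf:params:xml:ns:epp-1.0"
DSS_NS = "http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
# The mandatory RFC 4635 algorithms the service accepts; prefer hmac-sha256.
TSIG_ALGORITHMS = ("hmac-md5", "hmac-sha1", "hmac-sha256")


@dataclass(frozen=True)
class NameServer:
    addr: str         # IPv4 or IPv6 literal
    tsig_name: str    # TSIG key name, e.g. "test1.example.co.uk."
    tsig_secret: str  # base64-encoded shared secret
    tsig_alg: str     # one of TSIG_ALGORITHMS


def check_servers(role, servers):
    """Reject locally what the registry rejects with V319/V322, plus bad
    address literals, non-base64 secrets and unsupported algorithms."""
    if not 1 <= len(servers) <= 4:
        raise ValueError(f"{role}: 1 to 4 servers required, got {len(servers)} (V319)")
    seen = set()
    for ns in servers:
        ip = ipaddress.ip_address(ns.addr)  # ValueError on a malformed literal
        if ip in seen:
            raise ValueError(f"{role}: duplicate IP address {ns.addr} (V322)")
        seen.add(ip)
        if ns.tsig_alg not in TSIG_ALGORITHMS:
            raise ValueError(f"{role}: unsupported TSIG algorithm {ns.tsig_alg}")
        try:
            base64.b64decode(ns.tsig_secret, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{role}: secret for {ns.tsig_name} is not base64") from exc


def _dss(tag):
    return f"{{{DSS_NS}}}{tag}"


def _add_group(parent, tag, servers):
    """Emit <dss:unsignedMaster> or <dss:signedSlave> with its <dss:ns> children."""
    group = ET.SubElement(parent, _dss(tag))
    for ns in servers:
        ip = ipaddress.ip_address(ns.addr)
        ns_el = ET.SubElement(group, _dss("ns"))
        addr = ET.SubElement(ns_el, _dss("addr"), ip="v4" if ip.version == 4 else "v6")
        addr.text = ip.compressed  # canonical text form of the address
        key = ET.SubElement(ns_el, _dss("tsigKey"))
        ET.SubElement(key, _dss("tsigName")).text = ns.tsig_name
        ET.SubElement(key, _dss("tsigSecret")).text = ns.tsig_secret
        ET.SubElement(key, _dss("tsigAlg")).text = ns.tsig_alg


def build_dss_create(zone, unsigned_master, signed_slave, cl_trid):
    """Return the complete EPP <create> frame as a string."""
    check_servers("unsignedMaster", unsigned_master)
    check_servers("signedSlave", signed_slave)
    ET.register_namespace("", EPP_NS)  # EPP elements go in the default namespace
    ET.register_namespace("dss", DSS_NS)
    ET.register_namespace("xsi", XSI_NS)
    epp = ET.Element(f"{{{EPP_NS}}}epp")
    command = ET.SubElement(epp, f"{{{EPP_NS}}}command")
    dss_create = ET.SubElement(ET.SubElement(command, f"{{{EPP_NS}}}create"), _dss("create"))
    dss_create.set(f"{{{XSI_NS}}}schemaLocation", f"{DSS_NS} nom-dss-1.0.xsd")
    ET.SubElement(dss_create, _dss("zone")).text = zone
    _add_group(dss_create, "unsignedMaster", unsigned_master)
    _add_group(dss_create, "signedSlave", signed_slave)
    ET.SubElement(command, f"{{{EPP_NS}}}clTRID").text = cl_trid
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(epp, encoding="unicode")


def addresses_in_frame(xml_text):
    """Round-trip check: (group, ip attribute, address) for every <dss:ns>."""
    root = ET.fromstring(xml_text)
    return [(group, a.get("ip"), a.text)
            for group in ("unsignedMaster", "signedSlave")
            for g in root.iter(_dss(group))
            for a in g.iter(_dss("addr"))]


def new_secret():
    """Fresh 256-bit TSIG secret; the same value must be configured on the server."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


# Constructed sample input reusing the addresses from the examples above.
MASTERS = [NameServer("1.2.3.4", "test1.example.co.uk.", new_secret(), "hmac-sha256"),
           NameServer("1:2:3:4:5:6:7:8", "test2.example.co.uk.", new_secret(), "hmac-sha256")]
SLAVES = [NameServer("5.6.7.8", "test3.example.co.uk.", new_secret(), "hmac-sha256"),
          NameServer("9:0:a:b:c:d:e:f", "test4.example.co.uk.", new_secret(), "hmac-sha256")]

if __name__ == "__main__":
    print(build_dss_create("epp-example.co.uk", MASTERS, SLAVES, "ABC-12345"))
```

Run the script to print a frame ready to send over the EPP session; the checks in check_servers fail fast on the same conditions the registry reports as V319 and V322, and on an address literal that is not valid IPv4 or IPv6.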

Create response

Successful creates will receive a standard response:

 <?xml version="1.0" encoding="UTF-8"?>
  <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
      <response>
          <result code="1000">
             <msg>Command completed successfully</msg>
          </result>
          <trID>
              <clTRID>ABC-12345</clTRID>
              <svTRID>54321-XYZ</svTRID>
          </trID>
      </response>
  </epp>

 

Update command

As a result of a successful <update> command, the following actions will occur:

  • The changes are saved to our zone signing database

The <dss:update> element will contain the following sub elements:

  • A <dss:zone> element giving the name of the zone to modify signing details for
  • A <dss:unsignedMaster> element containing the registrar's details of the one to four hidden master dns servers
  • A <dss:signedSlave> element containing the registrar's details of the one to four slave dns servers.

The details provided in the <dss:unsignedMaster> and <dss:signedSlave> elements replace the entire set of servers for the zone: any server omitted from the update is removed, so always send the full list of servers, not just the ones that have changed.
 

Example update command:


<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
  <command>
    <update>
      <dss:update
          xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
          xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-dss-1.0 nom-dss-1.0.xsd">
        <dss:zone>epp-example.co.uk</dss:zone>
        <dss:unsignedMaster>
          <dss:ns>
            <dss:addr ip="v4">1.2.3.4</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test1.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
          <dss:ns>
            <dss:addr ip="v6">1:2:3:4:5:6:7:8</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test2.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
        </dss:unsignedMaster>
        <dss:signedSlave>
          <dss:ns>
            <dss:addr ip="v4">5.6.7.8</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test3.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
          <dss:ns>
            <dss:addr ip="v6">9:0:a:b:c:d:e:f</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test4.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
        </dss:signedSlave>
      </dss:update>
    </update>
    <clTRID>ABC-12345</clTRID>
  </command>
</epp>

Update commands will receive standard successful and failure messages.

 

Info command

The <dss:info> element will contain just a <dss:zone> element to identify the zone to obtain signing details for.
 

Info responses


 

For responses to info commands, the <resData> element will contain a <dss:infData> element. This will contain the following sub-elements:

  • A <dss:zone> element
  • A <dss:unsignedMaster> element
  • A <dss:signedSlave> element
  • A <dss:secured> element: Y if DS records for the zone have been published in the parent zone, giving a full chain of trust, otherwise N
  • A <dss:status> element giving the current signing status of the zone (Pending, Signed or Secured, as returned by the status command)
  • An optional <secDNS:dsData> element as described in RFC 5910, carrying the DS data for the zone's key. This will be included once the zone has been signed

Each <dss:unsignedMaster> or <dss:signedSlave> element will contain one to four <dss:ns> elements, as described for the <dss:create> command. Note that the <dss:tsigSecret> values are returned in full, so info responses must be logged and stored with the same care as the keys themselves.

Example Info response



<?xml version="1.0" encoding="UTF-8"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
  <response>
    <result code="1000">
      <msg>Command completed successfully</msg>
    </result>
    <resData>
      <dss:infData
          xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
          xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-dss-1.0 nom-dss-1.0.xsd">
        <dss:zone>epp-example.co.uk</dss:zone>
        <dss:unsignedMaster>
          <dss:ns>
            <dss:addr ip="v4">1.2.3.4</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test1.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
          <dss:ns>
            <dss:addr ip="v6">1:2:3:4:5:6:7:8</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test2.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
        </dss:unsignedMaster>
        <dss:signedSlave>
          <dss:ns>
            <dss:addr ip="v4">5.6.7.8</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test3.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
          <dss:ns>
            <dss:addr ip="v6">9:0:a:b:c:d:e:f</dss:addr>
            <dss:tsigKey>
              <dss:tsigName>test4.example.co.uk.</dss:tsigName>
              <dss:tsigSecret>VQ3zuww0rFq2mcLM0E8gFr6dpac=</dss:tsigSecret>
              <dss:tsigAlg>hmac-sha1</dss:tsigAlg>
            </dss:tsigKey>
          </dss:ns>
        </dss:signedSlave>
        <dss:secured>N</dss:secured>
        <dss:status>Signed</dss:status>
        <secDNS:dsData
            xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
            xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
          <secDNS:keyTag>123</secDNS:keyTag>
          <secDNS:alg>3</secDNS:alg>
          <secDNS:digestType>1</secDNS:digestType>
          <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
        </secDNS:dsData>
      </dss:infData>
    </resData>
    <trID>
      <clTRID>ABC-12345</clTRID>
      <svTRID>54321-XYZ</svTRID>
    </trID>
  </response>
</epp>

 

Status command

The status command allows the registrar to query the current status of the zone. The <info> element will contain a <dss:status> element which will contain a single <dss:zone> element denoting the zone to query.
 

Example command


 <?xml version="1.0" encoding="UTF-8"?>
  <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
      <command>
          <info>
              <dss:status
                  xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
                  xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-dss-1.0 nom-dss-1.0.xsd">
                  <dss:zone>epp-example.co.uk</dss:zone>
              </dss:status>
          </info>
      </command>
  </epp>

Status command response

For responses to <status> commands, the <resData> element will contain a <dss:statusData> element with the following sub elements:

  • A <dss:zone> element
  • A <dss:status> element giving the current status of the zone. The possible values are Pending (the zone has not yet been transferred from the unsigned master and signed), Signed (the zone is signed and published to the signed slaves, but no DS records have been placed in the parent zone) and Secured (DS records have been published and the chain of trust is complete)

Example status response


 <?xml version="1.0" encoding="UTF-8"?>
  <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
    <response>
      <result code="1000">
        <msg>Command completed successfully</msg>
      </result>
      <resData>
        <dss:statusData
         xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
         xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-dss-1.0 nom-dss-1.0.xsd">
          <dss:zone>epp-example.co.uk</dss:zone>
          <dss:status>Pending</dss:status>
        </dss:statusData>
      </resData>
      <trID>
        <clTRID>ABC-12345</clTRID>
        <svTRID>54321-XYZ</svTRID>
      </trID>
    </response>
  </epp>
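As an added example (not Nominet's code), the following Python parses both response shapes above, the <dss:infData> of an info response and the <dss:statusData> of a status response, into one record and maps the status onto the next step of the workflow: wait while Pending, send <dss:secure> once Signed, nothing more once Secured. It also checks that any DS digest returned has the full length its digest type implies; the 20-hex-character digest in the info example is the placeholder used in the RFC 5910 examples rather than a real SHA-1 digest, and the check flags it. The class and function names and the two embedded sample responses are this example's own.

```python
"""Parse <dss:infData>/<dss:statusData> responses and choose the next step.
Added example, not Nominet client code: element names follow the service
description; the classes, functions and sample responses are this example's own."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

NS = {"epp": "urn:ietf:params:xml:ns:epp-1.0",
      "dss": "http://www.nominet.org.uk/epp/xml/nom-dss-1.0",
      "secDNS": "urn:ietf:params:xml:ns:secDNS-1.1"}
# Hex digest length per DS digest type: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509),
# 4 SHA-384 (RFC 6605).
DS_DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


@dataclass
class DsRecord:
    key_tag: int
    alg: int
    digest_type: int
    digest: str

    def digest_length_ok(self):
        """False if the digest is not the full length its digestType implies."""
        return len(self.digest) == DS_DIGEST_HEX_LEN.get(self.digest_type, -1)


@dataclass
class DssZoneState:
    code: int
    msg: str
    zone: Optional[str] = None
    status: Optional[str] = None    # Pending, Signed or Secured
    secured: Optional[bool] = None  # <dss:secured> Y/N, info responses only
    ds: list = field(default_factory=list)


def parse_dss_response(xml_text):
    """Read the result code and, if present, the infData or statusData block."""
    root = ET.fromstring(xml_text)
    result = root.find("epp:response/epp:result", NS)
    state = DssZoneState(int(result.get("code")), result.findtext("epp:msg", "", NS))
    data = root.find("epp:response/epp:resData/dss:infData", NS)
    if data is None:
        data = root.find("epp:response/epp:resData/dss:statusData", NS)
    if data is None:
        return state  # error response, or no resData
    zone = data.findtext("dss:zone", "", NS).strip()
    state.zone = zone.rstrip(".") or None  # the registry may return a trailing dot
    state.status = data.findtext("dss:status", None, NS)
    secured = data.findtext("dss:secured", None, NS)
    if secured is not None:
        state.secured = secured.strip().upper() == "Y"
    for ds in data.findall("secDNS:dsData", NS):
        state.ds.append(DsRecord(int(ds.findtext("secDNS:keyTag", "0", NS)),
                                 int(ds.findtext("secDNS:alg", "0", NS)),
                                 int(ds.findtext("secDNS:digestType", "0", NS)),
                                 ds.findtext("secDNS:digest", "", NS).strip().upper()))
    return state


def next_action(state):
    """Map the zone state onto the next EPP command (or a wait)."""
    if state.code != 1000:
        return f"error {state.code}: {state.msg}"
    if state.status == "Pending":
        return "wait"    # not yet transferred and signed; <dss:secure> would fail with V324
    if state.status == "Signed":
        return "secure"  # send <dss:secure> with <dss:secured>Y</dss:secured>
    if state.status == "Secured":
        return "done"
    return "unknown"


# Constructed sample responses modelled on the examples above (server groups
# and trID omitted for brevity).
SAMPLE_STATUS_PENDING = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <response>
    <result code="1000"><msg>Command completed successfully</msg></result>
    <resData>
      <dss:statusData xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0">
        <dss:zone>epp-example.co.uk</dss:zone>
        <dss:status>Pending</dss:status>
      </dss:statusData>
    </resData>
  </response>
</epp>"""

SAMPLE_INFO_SIGNED = """<epp xmlns="urn:ietf:params:xml:ns:epp-1.0">
  <response>
    <result code="1000"><msg>Command completed successfully</msg></result>
    <resData>
      <dss:infData xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
                   xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1">
        <dss:zone>epp-example.co.uk.</dss:zone>
        <dss:secured>N</dss:secured>
        <dss:status>Signed</dss:status>
        <secDNS:dsData>
          <secDNS:keyTag>123</secDNS:keyTag>
          <secDNS:alg>3</secDNS:alg>
          <secDNS:digestType>1</secDNS:digestType>
          <secDNS:digest>49FD46E6C4B45C55D4AC</secDNS:digest>
        </secDNS:dsData>
      </dss:infData>
    </resData>
  </response>
</epp>"""

if __name__ == "__main__":
    for sample in (SAMPLE_STATUS_PENDING, SAMPLE_INFO_SIGNED):
        st = parse_dss_response(sample)
        print(st.zone, st.status, st.secured, next_action(st),
              [d.digest_length_ok() for d in st.ds])
```

Polling the status command with this loop until it returns "secure" avoids the V324 error that an early <dss:secure> produces, and the digest length check is a cheap guard against pasting a truncated DS value into anything downstream.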

 

Secure command

The secure command instructs the registry to publish the DS records for a zone that has previously been signed and achieve a full chain of trust. It can only be used once the status of the zone is Signed; on a Pending zone it fails with error V324.

The <update> element will contain a <dss:secure> element which will contain the following sub elements:

  • A <dss:zone> element giving the zone to secure.
  • A <dss:secured> element giving the flag Y to publish the DS records. To withdraw the DS records from the parent zone again, set the flag to N; the zone stays signed, so resolvers that still cache the DS records continue to validate it until the parent's DS TTL expires.

Example Secure command

 <?xml version="1.0" encoding="UTF-8"?>
  <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
      <command>
          <update>
              <dss:secure
                  xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
                  xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-dss-1.0 nom-dss-1.0.xsd">
                  <dss:zone>epp-example.co.uk</dss:zone>
                  <dss:secured>Y</dss:secured>
              </dss:secure>
          </update>
      </command>
  </epp>  

<Secure> responses

<secure> commands will receive standard successful and failure messages.

 

Delete command

The delete command will stop signing for a zone and, if the zone has been secured, will remove any DS record(s) which have been published for the domain from the parent zone.

Note that this withdraws the DS records and stops signing in one step. Validating resolvers may hold the old DS records for up to the DS TTL in the parent zone and will treat the now unsigned zone as bogus until they expire. To take a secured zone out of the service cleanly, first issue a <secure> command with the flag N, wait for the parent DS TTL to pass, and only then issue the delete.

The <delete> element will contain a <dss:delete> element which will contain a single <dss:zone> element denoting the zone for which signing should be stopped.
 

Example Delete command

 <?xml version="1.0" encoding="UTF-8"?>
  <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
      <command>
          <delete>
              <dss:delete
                  xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
                  xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-dss-1.0 nom-dss-1.0.xsd">
                  <dss:zone>epp-example.co.uk</dss:zone>
              </dss:delete>
          </delete>
      </command>
  </epp>

<Delete> responses

<delete> commands will receive standard successful and failure messages.

 

List command

The list command allows the user to list all domains subscribed to the service.
 

Example list command


 <?xml version="1.0" encoding="UTF-8"?>
  <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
      <command>
          <info>
              <dss:list
                  xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
                  xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-dss-1.0 nom-dss-1.0.xsd">
              </dss:list>
          </info>
      </command>
  </epp> 

Example list response

For successful responses to the list command, the <resData> element will contain a single <dss:listData> element. It has a "count" attribute giving the number of zones returned and contains one <dss:zone> element for each zone on your tag that is subscribed to the service.

An example list response is given:

 <?xml version="1.0" encoding="UTF-8"?>
  <epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
      <response>
          <result code="1000">
              <msg>Command completed successfully</msg>
          </result>
          <resData>
              <dss:listData count="4"
                  xmlns:dss="http://www.nominet.org.uk/epp/xml/nom-dss-1.0"
                  xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/nom-dss-1.0 nom-dss-1.0.xsd">
                  <dss:zone>epp-example1.co.uk</dss:zone>
                  <dss:zone>epp-example2.co.uk</dss:zone>
                  <dss:zone>epp-example3.co.uk</dss:zone>
                  <dss:zone>epp-example4.co.uk</dss:zone>
              </dss:listData>
          </resData>
          <trID>
              <clTRID>ABC-12345</clTRID>
              <svTRID>54321-XYZ</svTRID>
          </trID>
      </response>
  </epp>

 

New EPP error codes

The following error codes are specific to the DNSSEC Signing Service. Each entry gives the error code, the message returned, and a description.

  • V319 "Too many <xxx> records specified (4 is the maximum)": you can only specify a maximum of 4 unsigned master and 4 signed slave servers for a zone.
  • V320 "Zone <xxx> already exists on your tag": this error occurs if you attempt to create a zone which already exists on your tag.
  • V321 "Zone <xxx> is not on your tag": this error occurs if you attempt to make changes to a zone, or to query information about a zone, which does not exist on your tag.
  • V322 "Duplicate IP address <xxx> found for server": this error occurs if you specify two or more unsigned master servers (or two or more signed slave servers) for a zone which have the same IP address.
  • V323 "The <xxx> operation cannot be used for zone <xxx>": this error is returned if an attempt is made to create a zone for a subordinate Nominet domain (for example foo.example.co.uk) or if an attempt is made to secure a zone for a domain which is not administered by Nominet (for example example.com).
  • V324 "Cannot add DS records to parent for zone <xxx> until zone is signed": this error indicates that an attempt was made to use the secure operation on a domain which was not yet signed. It is necessary to wait until the zone has been retrieved from your unsigned master nameserver, a key generated, and the zone signed for the first time.
  • V325 "You have not signed up for the DNSSEC Signing Service": this error occurs if you attempt to use any of the EPP DNSSEC Signing Service operations before you have registered for the service using Online Services.