Managing DNSSEC with EPP

This document explains how to use EPP for managing DS records for DNSSEC

EPP

DS records may be added to domain names using the <domain:create> and <domain:update> operations. DS records for a domain name may be queried using the <domain:info> operation.

Schema support for DNSSEC

Our support for DNSSEC in Standard EPP uses the standard secDNS-1.1.xsd schema for the addition and removal of all DS records and also for the responses to <domain:info> operations.

Our support for the secDNS-1.1 schema has the following constraints:

  • The optional Maximum Signature Lifetime (maxSigLife) element is not supported
  • We only support the DS Data Interface – we do not support the Key Data Interface
  • We do not support the optional “urgent” attribute in the <secDNS:update> element
  • A maximum of eight DS records is allowed for each domain

Any request which breaks these constraints will fail and the error message received will contain an automaton error code which indicates the reason for the failure.

Documentation for the secDNS schema can be found in RFC 5910 and details of the DS record fields are described in RFC 4034.

The secDNS-1.1 schema can be used in combination with the Standard EPP schemas already supported by Nominet. However, if any of the Nominet optional extensions to Standard EPP are used then the most recent schema set must be used (at least 1.0.2).

EPP Operations

<domain:create>

When a domain is created up to 8 DS Records can also be specified for the domain by using a <secDNS:create> element with one or more <secDNS:dsData> elements from the secDNS-1.1 extension schema. If more than 8 DS records are specified then the request will fail.

<domain:update>

The <domain:update> operation can be used to add or remove DS records for an existing domain by specifying a <secDNS:update> element.

A maximum of 8 DS records can be specified for removal or addition within the <secDNS:update> element – if more than 8 records are added or removed then the update will fail. The update will also fail if the result of adding new DS records to the domain would be that more than 8 DS records are associated with the domain.

<domain:info>

If the secDNS schema is used when logging in to EPP and the domain has DS records, then the response from the info command will include information about the DS records which are on the domain.
If the secDNS schema was not specified when logging in to EPP then no information about DS records will be included in the response.

<r:release>

When the release operation is used to move a domain name with DS records onto another tag the EPP system will check to see if the receiving tag supports DNSSEC.

If the receiving tag supports DNSSEC then the DS records for the domain will not be altered. However, if the receiving tag does not support DNSSEC then any DS records will be removed from the domain.

Contents of the <secDNS:dsData> element

When creating or changing DS records for a domain the following fields must be set in the <secDNS:dsData> element for each DS record:

  • keyTag: The Key Tag value for the DS record (as described in Section 5.1.1 of RFC 4034)
  • alg: The Algorithm number used in the DS record
  • digestType: The Digest Type – this identifies the algorithm used to construct the Digest field for the DS record
  • digest: The Digest for the DS record

These fields are described in more detail in RFC 4034. Full details of the DNSSEC algorithm and digest types supported by Nominet are on our DNSSEC page.

If the information supplied for a DS record is incomplete or invalid then the operation to create or update the domain will fail and the error message will contain an automaton error code which indicates the reason for the failure.

Example requests and responses

<domain:create>

Example request to create a domain on an existing account with the following DS Records:

  • Key-Tag: 101, Algorithm: 5, Digest-Type: 1, Digest: 38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B
  • Key-Tag: 102, Algorithm: 5, Digest-Type: 2, Digest: D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
    <command>
        <create>
            <domain:create
             xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
             xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
                <domain:name>epp-example.co.uk</domain:name>
                <domain:registrant>5558B07C241A072</domain:registrant>
                <domain:authInfo>
                    <domain:pw/>
                </domain:authInfo>
            </domain:create>
        </create>
    <extension>
      <secDNS:create
        xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
        xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
          <secDNS:dsData>
            <secDNS:keyTag>101</secDNS:keyTag>
            <secDNS:alg>5</secDNS:alg>
            <secDNS:digestType>1</secDNS:digestType>
            <secDNS:digest>38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B</secDNS:digest>
          </secDNS:dsData>
          <secDNS:dsData>
            <secDNS:keyTag>102</secDNS:keyTag>
            <secDNS:alg>5</secDNS:alg>
            <secDNS:digestType>2</secDNS:digestType>
            <secDNS:digest>D4B7D520E7BB5F0F67674A0CCEB1E3E0614B93C4F9E99B8383F6A1E4469DA50A</secDNS:digest>
          </secDNS:dsData>
      </secDNS:create>
    </extension>
    <clTRID>ABC-12345</clTRID>
    </command>
</epp>

<domain:update>

Example request to remove one existing DS record and add 2 new DS records:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd">
    <command>
        <update>
            <domain:update
                xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
                xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
                <domain:name>epp-example.co.uk</domain:name>
            </domain:update>
        </update>
    <extension>
      <secDNS:update
        xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
        xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
        <secDNS:rem>
          <secDNS:dsData>
            <secDNS:keyTag>123</secDNS:keyTag>
            <secDNS:alg>5</secDNS:alg>
            <secDNS:digestType>1</secDNS:digestType>
            <secDNS:digest>ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD</secDNS:digest>
          </secDNS:dsData>
        </secDNS:rem>
        <secDNS:add>
          <secDNS:dsData>
            <secDNS:keyTag>12345</secDNS:keyTag>
            <!-- RSA/SHA-1  -->
            <secDNS:alg>5</secDNS:alg>
            <!-- SHA-1  -->
            <secDNS:digestType>1</secDNS:digestType>
            <secDNS:digest>38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B</secDNS:digest>
          </secDNS:dsData>
          <secDNS:dsData>
            <secDNS:keyTag>12346</secDNS:keyTag>
            <secDNS:alg>5</secDNS:alg>
            <secDNS:digestType>1</secDNS:digestType>
            <secDNS:digest>38EC35D5B3A34B44C39B38EC35D5B3A34B44C39B</secDNS:digest>
          </secDNS:dsData>
        </secDNS:add>
      </secDNS:update>
    </extension>
    <clTRID>ABC-12345</clTRID>
    </command>
</epp>

<domain:info>

Example response for a domain with 2 DS records:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
  <response>
    <result code="1000">
      <msg>Command completed successfully</msg>
    </result>
    <resData>
      <domain:infData
        xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
        xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
        <domain:name>epp-example.co.uk</domain:name>
        <domain:roid>109098-UK</domain:roid>
        <domain:registrant>9EB07F275D8F1BD</domain:registrant>
        <domain:ns>
          <domain:hostObj>ns0.epp-example.co.uk</domain:hostObj>
        </domain:ns>
        <domain:clID>EPP-EXAMPLE</domain:clID>
        <domain:crID>[email protected]</domain:crID>
        <domain:crDate>2010-01-19T09:01:38</domain:crDate>
        <domain:exDate>2012-01-19T09:01:38</domain:exDate>
      </domain:infData>
    </resData>
    <extension>
      <secDNS:infData
        xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
        xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
        <secDNS:dsData>
          <secDNS:keyTag>123</secDNS:keyTag>
          <secDNS:alg>5</secDNS:alg>
          <secDNS:digestType>1</secDNS:digestType>
          <secDNS:digest>0123456789ABCDEF0123456789ABCDEF12345678</secDNS:digest>
        </secDNS:dsData>
      </secDNS:infData>
      <secDNS:infData
        xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
        xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
        <secDNS:dsData>
          <secDNS:keyTag>124</secDNS:keyTag>
          <secDNS:alg>2</secDNS:alg>
          <secDNS:digestType>2</secDNS:digestType>
          <secDNS:digest>ABCD1234ABCD12345678ABCD1234ABCD1234567801234567890123456789ABCD</secDNS:digest>
        </secDNS:dsData>
      </secDNS:infData>
    </extension>
    <trID>
      <clTRID>EPP-XYZ-99900</clTRID>
      <svTRID>122454</svTRID>
    </trID>
  </response>
</epp>

<domain:info>

From the 5th April, a domain:info response will be structured as below:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xmlns="urn:ietf:params:xml:ns:epp-1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.nominet.org.uk/epp/xml/epp-1.0 epp-1.0.xsd">
    <response>
        <result code="1000">
            <msg>Command completed successfully</msg>
        </result>
        <resData>
            <domain:infData
                xmlns:domain="urn:ietf:params:xml:ns:domain-1.0"
                xsi:schemaLocation="urn:ietf:params:xml:ns:domain-1.0 domain-1.0.xsd">
                <domain:name>epp-example.co.uk</domain:name>
                <domain:roid>109098-UK</domain:roid>
                <domain:registrant>9EB07F275D8F1BD</domain:registrant>
                <domain:ns>
                    <domain:hostObj>ns0.epp-example.co.uk</domain:hostObj>
                </domain:ns>
                <domain:clID>EPP-EXAMPLE</domain:clID>
                <domain:crID>[email protected]</domain:crID>
                <domain:crDate>2010-01-19T09:01:38</domain:crDate>
                <domain:exDate>2012-01-19T09:01:38</domain:exDate>
            </domain:infData>
        </resData>
        <extension>
            <secDNS:infData
                xmlns:secDNS="urn:ietf:params:xml:ns:secDNS-1.1"
                xsi:schemaLocation="urn:ietf:params:xml:ns:secDNS-1.1 secDNS-1.1.xsd">
                <secDNS:dsData>
                    <secDNS:keyTag>123</secDNS:keyTag>
                    <secDNS:alg>5</secDNS:alg>
                    <secDNS:digestType>1</secDNS:digestType>
                    <secDNS:digest>0123456789ABCDEF0123456789ABCDEF12345678</secDNS:digest>
                </secDNS:dsData>
                <secDNS:dsData>
                    <secDNS:keyTag>124</secDNS:keyTag>
                    <secDNS:alg>2</secDNS:alg>
                    <secDNS:digestType>2</secDNS:digestType>
                    <secDNS:digest>ABCD1234ABCD12345678ABCD1234ABCD1234567801234567890123456789ABCD</secDNS:digest>
                </secDNS:dsData>
               </secDNS:infData>
        </extension>
        <trID>
            <clTRID>EPP-XYZ-99900</clTRID>
            <svTRID>122454</svTRID>
        </trID>
    </response>
</epp>

Minerva House, Edmund Halley Road, Oxford Science Park, OX4 4DQ, United Kingdom