Using DNSSEC with EPP and WDM

To use DNSSEC to secure the DNS records for a domain it is necessary to publish DNSSEC Delegation Signer (DS) records for the domain in the parent zone file.

Our systems support DS records and additionally we have an EPP Testbed to allow registrars to test their DNSSEC implementation.

Documentation about how to modify or view the DS Records associated with domain names is provided for EPP and Web Domain Manager (WDM).

Supported values in DS Records

DS Records include the following fields (as specified by RFC 5910 and RFC 4034):

  • Key Tag
  • Algorithm
  • Digest Type
  • Digest

Our implementation of DNSSEC supports the values defined in the RFCs with limitations on algorithms defined in RFC 8624.

Allowed values
Key Tag Any value allowed by RFC 4034 (integers in the range 0 to 65535)
Algorithm This may be one of the following values:
8 (RSASHA256)
10 (RSASHA512)
13 (ECDSAP256SHA256)
14 (ECDSAP384SHA384)
15 (Ed25519)
16 (ED448)
Digest Type This may be one of the following values:
1 (SHA-1)
2 (SHA-256)
4 (SHA-384)
Digest String value containing only hexadecimal digits

Web Domain Manager (WDM)

Web domain manager can be used to add and remove DS records for domain names in the parent zone file.

Adding and removing DS records

From the domain list in web domain manager, click on a domain name – a summary of the domain name’s details will be shown. DS records will be listed immediately after the list of nameservers for the domain. If there are currently no DS records for the domain, an ‘Add DS record’ link will be available. If DS records have already been added then the link will be ‘Add/remove DS records’.

Click the appropriate link to add or change DS records. Below the list of existing DS records there is a text field for new DS records. Text for DS records should be of the form:

<key tag> <algorithm> <digest type> <digest>

For example: 5498 5 1 FAA0119283234239872398723498234987ABD001

Creating new DNSSEC enabled domain names

It is not currently possible to add a new domain name with DS records attached at the time of creation. The new domain name should be created as usual, then edited to add the DS record as above.

Minerva House, Edmund Halley Road, Oxford Science Park, OX4 4DQ, United Kingdom