DS Specification

The following table lists the fields of a DS record and the values each accepts:

Name         Valid Characters
Keytag       Digits only; a number between 1 and 65535 (the key tag is a 16-bit field, RFC 4034 section 5.1.1).
Algorithm    Digits only; the algorithm numbers currently supported under the ISOC-IL registry are 3, 5, 6, 7, 8, 10, 13 and 14. For more information see: IANA Domain Name System Security (DNSSEC) Algorithm Numbers.
Digest Type  Digits only; the digest types currently supported under the ISOC-IL registry are 1 (SHA-1) and 2 (SHA-256). For more information see: IANA Delegation Signer (DS) Resource Record (RR) Type Digest Algorithms.
Digest       Hex digits {0, 1, ..., 9, A, ..., F} only. The length depends on the digest type: 40 hex digits for SHA-1, 64 hex digits for SHA-256.

Information about the DS resource record can be found in RFC 4034, section 5.1. All fields are mandatory and must match the DNSKEY (normally the KSK) that signs the zone's DNSKEY RRset: the key tag and algorithm are those of that DNSKEY, and the digest is computed over the owner name and the DNSKEY RDATA as described in RFC 4034, section 5.1.4. Note that the registry still accepts the SHA-1 based choices (algorithms 3, 5, 6 and 7, and digest type 1), but RFC 8624 advises against them for new deployments; prefer algorithm 8, 13 or 14 with digest type 2 where your DNS software allows it.

Optionally, KeyData information can be submitted as part of the DS data. KeyData has the following fields and values:

Name         Valid Characters
Flags        Either 0, 256 or 257 (257 = KSK with the SEP bit set, 256 = ZSK).
Protocol     Always 3.
Algorithm    Digits only; the algorithm numbers currently supported under the ISOC-IL registry are 3, 5, 6, 7, 8, 10, 13 and 14. For more information see: IANA Domain Name System Security (DNSSEC) Algorithm Numbers.
Public Key   The public key MUST be represented in Base64 (RFC 3548, since superseded by RFC 4648). Whitespace is allowed within the Base64 text.

Information about the DNSKEY resource record can be found in RFC 4034, section 2.1.

When KeyData is submitted, it must match the DS data (the DS key tag, algorithm and digest must be the ones derived from that DNSKEY) and must include all of the fields listed above. In the terms of the EPP DNSSEC extension (RFC 5910), this is <secDNS:dsData> with an optional nested <secDNS:keyData>; EPP requests containing KeyData only, without DS data, are not supported.

Important Information:

In addition, a DS validation check is performed. Upon an update of DS information, a set of checks is run against the name servers for the domain to ensure that the domain does not disappear from the DNS as a result of a misconfiguration (a DS at the parent that matches no DNSKEY served by the zone makes the delegation bogus for validating resolvers). Failing this validation causes the request to be rejected.

  • The validation is performed against the DNS servers for the domain.
    • If the request also carries new name server information, the validation is performed against those name servers; otherwise the name servers are taken from the existing domain information.
  • If the domain has no name server information, a request containing DS data will be rejected.
  • If a DS update request is submitted while an UPDATE request that includes NS or DS changes is still open in the queue, the request will be rejected, because the queued UPDATE request refers to the current information in the domain.
  • The maximum number of DS entries allowed per domain is six.
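The following is an added example, not ISOC-IL's own code, that ties the field rules in the tables above to the DS/KeyData matching requirement and to the pre-update validation described in this section. It computes a DS from a DNSKEY (key tag per RFC 4034 Appendix B, digest over the owner name in wire format plus the DNSKEY RDATA per section 5.1.4), checks a DS against the registry limits (key tag range, accepted algorithms and digest types, digest length, at most six DS entries per domain), and checks which keys in a DNSKEY RRset a DS points at, which is the same test a pre-submission check against the domain's name servers would perform. The owner name example.co.il, the DNSKEY values and all helper names are assumptions; the "public keys" are constructed dummy bytes, not real keys.

```python
"""Build and check DS records against the ISOC-IL field rules above.

Added example, not ISOC-IL's own code. The owner name and the DNSKEYs are
constructed for illustration; the "public keys" are dummy bytes, not real keys.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

# Registry-specific limits taken from the tables on this page.
ALLOWED_ALGORITHMS = {3, 5, 6, 7, 8, 10, 13, 14}
DIGEST_TYPES = {1: ("sha1", 40), 2: ("sha256", 64)}  # type -> (hashlib name, hex length)
MAX_DS_PER_DOMAIN = 6
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass(frozen=True)
class KeyData:
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # always 3
    algorithm: int
    public_key: str   # Base64; whitespace inside the text is allowed

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
        key_bytes = base64.b64decode("".join(self.public_key.split()))
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + key_bytes

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    keytag: int
    algorithm: int
    digest_type: int
    digest: str  # hex, upper case


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lower-cased, length-prefixed labels, root terminator."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def make_ds(owner: str, key: KeyData, digest_type: int) -> DS:
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    hash_name, _ = DIGEST_TYPES[digest_type]
    digest = hashlib.new(hash_name, owner_wire(owner) + key.rdata()).hexdigest().upper()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def presentation(owner: str, ds: DS) -> str:
    """DS record in zone-file presentation format."""
    return f"{owner} IN DS {ds.keytag} {ds.algorithm} {ds.digest_type} {ds.digest}"


def validate_ds(ds: DS) -> list:
    """Reasons the registry would reject this DS under the field rules above; empty list means it passes."""
    problems = []
    if not 1 <= ds.keytag <= 65535:
        problems.append("keytag must be between 1 and 65535")
    if ds.algorithm not in ALLOWED_ALGORITHMS:
        problems.append(f"algorithm {ds.algorithm} is not accepted by the registry")
    if ds.digest_type not in DIGEST_TYPES:
        problems.append(f"digest type {ds.digest_type} is not accepted by the registry")
    else:
        hex_len = DIGEST_TYPES[ds.digest_type][1]
        if not HEX_RE.match(ds.digest) or len(ds.digest) != hex_len:
            problems.append(f"digest must be exactly {hex_len} hex digits for digest type {ds.digest_type}")
    return problems


def validate_ds_set(ds_set: list) -> list:
    """Per-domain checks: at most six DS entries, each individually valid."""
    problems = []
    if len(ds_set) > MAX_DS_PER_DOMAIN:
        problems.append(f"at most {MAX_DS_PER_DOMAIN} DS entries are allowed per domain")
    for i, ds in enumerate(ds_set):
        problems += [f"DS #{i}: {p}" for p in validate_ds(ds)]
    return problems


def ds_matches_key(owner: str, ds: DS, key: KeyData) -> bool:
    """True if the DS was derived from this DNSKEY: the match the registry requires when KeyData is sent."""
    if ds.digest_type not in DIGEST_TYPES:
        return False
    expected = make_ds(owner, key, ds.digest_type)
    return expected == DS(ds.keytag, ds.algorithm, ds.digest_type, ds.digest.upper())


def keys_matching_ds(owner: str, ds: DS, dnskey_rrset: list) -> list:
    """Keys in a DNSKEY RRset (in practice, the one served by the domain's name servers) that the DS
    points at. An empty result is the misconfiguration the registry's pre-update validation catches."""
    return [k for k in dnskey_rrset if ds_matches_key(owner, ds, k)]


# Constructed sample data (assumption): a KSK and a ZSK for example.co.il with dummy 4-byte "keys".
OWNER = "example.co.il."
KSK = KeyData(flags=257, protocol=3, algorithm=13, public_key="AQIDBA==")
ZSK = KeyData(flags=256, protocol=3, algorithm=13, public_key="BQYHCA==")

if __name__ == "__main__":
    ds = make_ds(OWNER, KSK, 2)
    print(presentation(OWNER, ds))  # key tag 2068 for the dummy KSK above
    print("field checks:", validate_ds(ds) or "ok")
    print("matching keys in RRset:", [k.flags for k in keys_matching_ds(OWNER, ds, [ZSK, KSK])])
```

Before submitting a DS update, run the served DNSKEY RRset of the zone through keys_matching_ds: if no key matches, the registry's validation will reject the request, and a DS that did get published in that state would cause validating resolvers to fail the whole domain.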