Claiming your DNS on ENS via Web (1/3: The theory)

Aug 7, 2018 · 3 min read

Back in April, I published a step by step guide of how to claim a DNS domain on ENS.

To be honest, the steps were not pleasant at all, especially the fact that you have to install golang onto your local machine. One of my main roles since joining the ENS team was to provide a set of tools to make the integration easier, and I will be demonstrating a very early version of the tool so that ENS Hackathon participants have extra toys to play with.

In this series of blog posts, I will cover the following topics:

  1. The Theory
  2. The Demo
  3. The Code

Today is day one, in which I talk about the theory behind enabling you to claim DNS names on ENS.

  1. The Theory


One of the cool things about the technology behind claiming DNS domains on ENS is that it leverages the Domain Name System Security Extensions (DNSSEC) — digital signatures on a domain name’s DNS records — to determine the authenticity of the source domain name.

DNSSEC was originally introduced to prevent malicious activities like cache poisoning, phishing, and man-in-the-middle attacks.

During the “Towards a Permanent ENS Registrar” talk at DevCon3, Nick Johnson described the mechanism in detail at 12:33

DNSSEC establishes a chain of trust from the root key which signed by ICANN (.) and down through each key. We start off knowing the hash of the root key of DNS (this is hard coded in the smart contract oracle).Given the hashes of that key, we can pass in the actual key, we can verify that it matches the hash and we can add it to the set of the trusted records.Given that key, we can now verify any record that is signed with that key, so in this case, it's the hash of the root of the xyz top level domain.Given that, we can recognize the key, and so on and so forth.
So next, you can regonize the key for the
Given that, we can recognize the hash for the key, and then key itself,and finally you can verify a signed text record that contains the Ethereum address.
A chain of trust via DNSSEC

You can inspect the relationship of signing across different zone (eg: .xyz signing in the interactive graph here).

Up until this part has to be done at each of you DNS domain management tools. In future, more forward thinking DNS registry operators will be seemingly integrating this process on their services.

1.2 DNSSEC Oracle

Given the ownership of each domain can be provable using DNSSEC, anyone (not even the owner of the domain) can extract the proof from any DNS server and add the proof into the Oracle smart contract to claim the DNS name on ENS. Here is the direct quote from the DevCon3 presentation starting at 13:23.

Given the chain of trust established previously, users can submit proofs to DNSSEC oracle on the chain. The proof is what we saw earlier.Once they have done that, users can call the new DNSSEC Registrar, which has `claim` function. The registrar then queries the Oracle and checks there is a text record for the name they're trying to claim. It responds with any text records and the Registrar parses those text records for Ethereum addresses.If it finds one it checks that the person who's calling the Registrar is in fact the address specified, and if they are, then it calls ENS and sets the record in ENS. This is now fully functional on the Ropsten network, where you can register any .xyz DNS domain.
The flow of claiming DNS ownership on ENS


Hope you get the basic understanding of how chain of trust of DNSSEC works and ENS can make use of it. In the next blog post, I will demonstrate you how it actually look like in action.

The Ethereum Name Service

The official source for news related to the Ethereum Name Service (ENS). Follow this publication for the latest ENS developments.


Written by

The Ethereum Name Service

The official source for news related to the Ethereum Name Service (ENS). Follow this publication for the latest ENS developments.