Skip to main content
ENS provides integration with the traditional DNS namespace, allowing owners of DNS domains to claim the corresponding ENS names. This integration is secured using DNSSEC (DNS Security Extensions), which provides cryptographic proof of DNS record ownership.

How DNS Integration Works

The DNS integration system allows DNS domain owners to:
  1. Prove ownership of a DNS domain using DNSSEC
  2. Claim the corresponding ENS name
  3. Set resolver and address records
This creates a bridge between traditional DNS and ENS, enabling DNS domain owners to leverage ENS functionality.

Key Components

The DNS integration system consists of several key contracts:

DNSRegistrar

The main contract that enables claiming DNS names in ENS. It verifies DNSSEC proofs and creates ENS records for proven DNS domains. Location: contracts/dnsregistrar/DNSRegistrar.sol

DNSSEC Oracle

Validates DNSSEC proofs by checking cryptographic signatures against trusted anchors. This ensures that only legitimate DNS owners can claim names. Location: contracts/dnssec-oracle/DNSSECImpl.sol

OffchainDNSResolver

Enables offchain DNS resolution through CCIP-Read, allowing ENS to resolve DNS records without storing all data onchain. Location: contracts/dnsregistrar/OffchainDNSResolver.sol

PublicSuffixList

Defines which top-level domains and public suffixes can be claimed through the DNS registrar. Location: contracts/dnsregistrar/PublicSuffixList.sol

DNSSEC Validation

DNSSEC provides cryptographic authentication for DNS records. The validation process:
  1. Trust Anchors: The DNSSEC oracle is initialized with root trust anchors
  2. Chain of Trust: Proofs form an unbroken chain from the root to the claimed domain
  3. Signature Verification: Each record’s signature is verified using public keys from the parent zone
  4. Timestamp Validation: Signatures must be valid at the current time
function verifyRRSet(
    RRSetWithSignature[] memory input
) external view returns (bytes memory rrs, uint32 inception);

Claiming Process

To claim a DNS name in ENS:

Step 1: Create DNS TXT Record

Add a TXT record to your DNS domain at _ens.yourdomain.com: 
_ens.yourdomain.com. IN TXT "a=0x1234567890123456789012345678901234567890"
This record specifies the Ethereum address that should own the ENS name.

Step 2: Submit DNSSEC Proof

Call proveAndClaim with the DNS name and a chain of signed DNSSEC records: 
function proveAndClaim(
    bytes memory name,
    DNSSEC.RRSetWithSignature[] memory input
) public;

Step 3: Claim is Validated

The DNSRegistrar:
  1. Verifies the DNSSEC proof through the oracle
  2. Checks that the domain is a valid public suffix
  3. Extracts the owner address from the TXT record
  4. Creates the ENS record with the specified owner

Public Suffix List

The Public Suffix List determines which domains can be claimed. Only domains under recognized public suffixes (like .com, .org, .net) can be registered. 
interface PublicSuffixList {
    function isPublicSuffix(bytes calldata name) external view returns (bool);
}
This prevents someone from claiming overly broad names like com itself.

Owner Record Format

The TXT record at _ens.yourdomain.com must follow this format: 
a=0x<ethereum_address>
Example: 
a=0x1234567890123456789012345678901234567890
The DNSClaimChecker library parses these records: 
function getOwnerAddress(
    bytes memory name,
    bytes memory data
) internal pure returns (address, bool);

Advanced: Claiming with Resolver

You can claim a name and set a resolver in a single transaction: 
function proveAndClaimWithResolver(
    bytes memory name,
    DNSSEC.RRSetWithSignature[] memory input,
    address resolver,
    address addr
) public;
This allows you to:
  • Claim the DNS name
  • Set a custom resolver
  • Set an address record (if resolver is provided)

Stale Proof Protection

The registrar tracks the inception time of proofs to prevent replay attacks: 
mapping(bytes32 => uint32) public inceptions;
Each new proof must have an inception time greater than or equal to the previous proof for that domain.

Events

The DNSRegistrar emits events for important actions: 
event Claim(
    bytes32 indexed node,
    address indexed owner,
    bytes dnsname,
    uint32 inception
);

event NewPublicSuffixList(address suffixes);

Security Considerations

DNSSEC Trust

The security of DNS claims depends on:
  • The integrity of DNSSEC root trust anchors
  • Proper DNSSEC signing of the DNS zone
  • Secure algorithm and digest implementations

Proof Freshness

Old DNSSEC signatures can be replayed. The inception tracking helps mitigate this, but domains should use reasonable signature validity periods.

Public Suffix Validation

Only enable public suffixes that are widely recognized and properly managed. Incorrect suffix configuration could allow improper claims.

Build docs developers (and LLMs) love

Get started for freeTalk to us