Skip to main content

Requesting Secure Delegation in the ENUM Domain

Example of an ENUM domain object, including a "ds-rdata:" attribute

descr:      Stichting ENUM Nederland
org:        ORG-SEN3-RIPE
admin-c:    MD6066-RIPE
tech-c:     ENT6-RIPE
zone-c:     ENT6-RIPE
ds-rdata:   10567    5   1   8f138cd3e55db6590f51fe47e390a2d1743b5bd4
mnt-by:     ENUM-NL-MNT
source:     RIPE # Filtered

The four steps to updating an ENUM delegation to have a secure DS record in

Step 1: Setup your servers to serve a secure zone.

Ensure that the zone you are serving is signed and it contains a Key Signing Key (KSK) marked with the SEP flag.

Step 2: Create your domain object.

The "ds-rdata:" attribute of your domain object should be created by performing a hash over the SEP KSK key. An easy way to create a domain object which includes the ds-rdata: hash is to visit the RIPE NCC Delegation Checker, input your zone name and follow the instructions provided. The end result will be a domain object you can use in Step 3.

Step 3: Submitting the domain object

Once you have set up your server(s) to serve the ENUM zones you are ready to request delegation by submitting a domain object:

1. By using webupdates

  • First authorise yourself in the authorisation section. Then go to the add section
  • Select domain, by clicking on 'Create a New Object' and then click on 'Add Object'
  • Fill in all the available fields
  • Use the 'Add New Field' feature to add at least two "nserver:" attributes. Here, you supply the names of the name servers that are serving the zones as set up in Step 3 and that you have specified in the NS resource records of those zones
  • For the "mnt-by:" attribute use the mntner you prepared in Step 1

2: By email

You need to create a domain object containing information about the zone you need reverse delegation for. For details on creation and authorisation please refer to the RIPE Database Reference Manuals.

These are the basic steps:

Obtain a template using whois -t domain and fill in the details.

domain:        [mandatory]  [single]     [primary/look-up key]		


descr: [mandatory] [multiple] [ ]
admin-c: [mandatory] [multiple] [inverse key]
tech-c: [mandatory] [multiple] [inverse key]
zone-c: [mandatory] [multiple] [inverse key]
nserver: [optional] [multiple] [inverse key]


sub-dom:       [optional]   [multiple]   [inverse key]
dom-net: [optional] [multiple] [ ]
remarks: [optional] [multiple] [ ]
notify: [optional] [multiple] [inverse key]


mnt-by:        [optional]   [multiple]   [inverse key]
mnt-lower: [optional] [multiple] [inverse key]
refer: [optional] [single] [ ]
changed: [mandatory] [multiple] [ ]
source: [mandatory] [single] [ ]

(1) Here you put the name of your domain.

(2) Enter the names of your name servers which correspond to the name servers as used in Step 3; use multiple lines, one nserver: name server name per line. Do not forget to include if you request reverse delegation for a IPv4/16 domain. Do not include in other cases.

(3) For the "mnt-by:" attribute you use the mntner you prepared in Step 1

Send your domain object to [email protected].

Step 3: Verifying the setup

Once you have submitted the domain object you will receive a notification.

You should then be able to query for your object in the RIPE Database (e.g whois -h After the object appears in the RIPE Database it may take between 15 and 60 minutes before the delegation information is available in the DNS.

The ultimate test is to query a recursive name server that is not authoritative for your zone for a record from your zone.

Please contact us if, six hours after the appearance of your domain object in the database, your delegation does not appear. Include the details such as name server addresses and the domain object in your request. Also include the full response, including headers, as received from the database.

Any resolver which has the DNSSEC public key for configured should now return DNS answers which have the authenticated data bit set.

Additional Notes

From time to time, you may have to roll the keys in your zone. When you do this, make sure that you also update the ds-rdata information. This places a new DS record in the parent zone.

For further details on rolling keys and other important information on DNSSEC operational practices we recommend reading RFC 4641.