[EP5.1] [Executable] Upgrade DNSSEC support

Status Active
Votes Agora


Deploy a new version of the DNSSEC oracle and DNS registrar that enables ‘gasless DNSSEC’ functionality.


The ENS Labs team has been working on a new version of the DNSSEC oracle and the DNS registrar that, combined with wildcard resolution (ENSIP 10) and CCIP-Read, allows for ‘gasless DNSSEC’ - enabling the use of DNS names inside ENS with no onchain transactions required. This proposal replaces the existing DNSSEC registrar with the new one.

Existing DNS names will continue to function as before, and names can still be imported using the ‘legacy’ method. The new registrar also allows configuring a name by setting a TXT record on _ens.name.tld, containing the address of a special resolver contract to use, followed by any resolver-specific data. Resolvers designed for the purpose can be configured to parse this extra data, making configuration entirely offchain a possibility.

Alongside the new registrar and oracle contracts, a simple resolver is provided that reads the Ethereum address to resolve a name to from the extra data.

Post-execution, ENS Labs will run a process to upgrade all current DNS TLDs to use the new registrar. TLDs will only function with the new registrar once this (permissionless) transaction is sent for the TLD.


Call setController on the Root contract at root.ens.eth, passing in the address of the new DNS registrar (0xb32cb5677a7c971689228ec835800432b339ba2b).


| Address | Value | Function | Argument | Value |
| --- | --- | --- | --- | --- |
| root.ens.eth | 0 | setController | address | 0xb32cb5677a7c971689228ec835800432b339ba2b |
| | | | enabled | true |
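
An added sketch, not part of the original proposal or the ENS contracts, of how a client or auditor might validate the `_ens.name.tld` TXT record described above before trusting it. The record grammar (`ENS1 <resolver-address> <extra-data>`, whitespace-separated), the `ENS1` tag, the function names and the fail-closed policy on ambiguous record sets are assumptions; the sample values are constructed.

```python
import re

# Assumed grammar (not stated on the page): "ENS1 <resolver> [extra-data]".
PREFIX = "ENS1"
ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}")  # 20-byte hex address


def parse_ens_txt(value: str):
    """Parse one TXT string. Returns (resolver, extra_data), or None when the
    string is some other kind of TXT record (SPF, site verification, ...)."""
    parts = value.strip().split(None, 2)
    if not parts or parts[0] != PREFIX:
        return None
    if len(parts) < 2 or not ADDR_RE.fullmatch(parts[1]):
        raise ValueError(f"malformed resolver field in {value!r}")
    extra = parts[2] if len(parts) == 3 else ""
    # Lower-cased for comparison; this discards any EIP-55 checksum casing.
    return parts[1].lower(), extra


def resolve_simple(txt_values):
    """Model of the 'simple resolver': the extra data is the Ethereum address
    the name resolves to. Policy of this sketch: fail closed unless exactly
    one well-formed ENS record is present."""
    records = [r for r in map(parse_ens_txt, txt_values) if r is not None]
    if len(records) != 1:
        raise ValueError(f"expected exactly one ENS record, found {len(records)}")
    resolver, extra = records[0]
    if not ADDR_RE.fullmatch(extra):
        raise ValueError(f"extra data is not an Ethereum address: {extra!r}")
    return {"resolver": resolver, "address": extra.lower()}


if __name__ == "__main__":
    # Constructed TXT set for a hypothetical _ens.example.tld
    sample = [
        "v=spf1 -all",
        "ENS1 0x" + "11" * 20 + " 0x" + "Ab" * 20,
    ]
    print(resolve_simple(sample))
```

The TXT values passed in are only as trustworthy as the DNSSEC validation behind them, so this check belongs after signature verification, not in place of it.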

How does that affect frontend implementations? Since the address is offchain, does it mean that the client is doing the work of checking the DNS address?

Yes - via a CCIP gateway, so to the client it looks like any other wildcard name with a CCIP-Read resolver.

This is now available for voting on Agora and Tally.