Help a n00b - Offchain Gasless DNSSEC Names in ENS

I own a website (domain). I want to establish the free, corresponding ENS name for it. I have read:


but it’s really not clear what exactly I need to do. I’m understanding that I need to ask my nameserver guy to create a TXT record for my site that looks something like this:

TXT @ ENS1 0xcc9506Fa9c23f5f00fC6305374072862cAd57B3e

and then the nameserver guy needs to furnish me a “Digest”/hash that I can enter into my NameCheap dashboard for the site’s advanced DNS setting.

Is that TXT line the correct format (my site is How does the nameserver guy generate a corresponding digest/hash for that record?

Can I also add TXT records for non-ethereum wallet addresses? If not, how would I do that? Would I have to do an onchain method and then manage via the ENS site?

To enable just an Ethereum address:

ENS1 dnsname.ens.eth 0xcc9506Fa9c23f5f00fC6305374072862cAd57B3e

The following is a technical demo:

TOR supports this feature, however in a purely-gasless setup, it can only relay your name to another server. TOG is one possible server.

I operate a demo TOG at It supports many different types of routers, which you can think of as applications that translate a name into ENS.

If you resolve the name a.b.c using the mydns router, the TOG will fetch the contents of https://a.b.c/mydns.json and display it in ENS, using the human-readable format defined in resolverworks/enson.js.

It also lets you specify a basename: if, then a.b.c will translate to

I created with the following DNS TXT:

ENS1 0x84c5AdB77dd9f362A1a3480009992d8d47325dc3 0x2Fc3Fd8444211091De2DF9052741f80e4d78eeee

  • 0x84c5..5dc3 — TOR contract on mainnet
  • 0x2Fc3..eeee — the signer of my server
    • URL of my server
    • /mydns — which router to use
    • /e1 — which TOR resolver
    • ?base=raffy.eth — provide an alternative basename to mydns

I also created

	"name": "pmbug",
	"description": "TOR/TOG demo for ENS",
	"avatar": "",
	"$eth": "0xcc9506Fa9c23f5f00fC6305374072862cAd57B3e",
	"$btc": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
	"url": ""

You can test this yourself:

  1. Set your DNS TXT:

ENS1 0x84c5AdB77dd9f362A1a3480009992d8d47325dc3 0x2Fc3Fd8444211091De2DF9052741f80e4d78eeee

  1. Create a JSON file at
  2. Resolve in ENS

Thank you raffy for your detailed and thoughtful reply. Unfortunately, I’m a simple guy and 99% of what you posted went way over my head.

What I got from your response is that this offchain method was really only designed to effect a ENS mapping for an Ethereum address and it takes quite a bit work to try and set up addresses for other crypto tokens/blockchains.

Even with respect to the Ethereum address I’m sadly still confused as to what needs to be done. You said:

To enable just an Ethereum address:

ENS1 dnsname.ens.eth 0xcc9506Fa9c23f5f00fC6305374072862cAd57B3e

What is considered “dnsname”? In my case would I need:

ENS1 0xcc9506Fa9c23f5f00fC6305374072862cAd57B3e
ENS1 0xcc9506Fa9c23f5f00fC6305374072862cAd57B3e

Is “.ens.eth” always appended and if so, what is the ENS name that I am establishing here (ie. what is the ENS name that I will eventually be able to share with people - “” or “”)?

If I have my webhost/server guy add that TXT record to the nameserver for me, is that all I need to do? Or do I need to create a DNSSEC record for my domain registrar (Namecheap) using some specific digest/hash value? If I need to create this record, how do I figure out what the digest/hash is supposed to be?

1 Like

Ah, I understand your confusion: dnsname.ens.eth is an actual ENS name for a resolver.

The general syntax is: ENS1 $RESOLVER $CONTEXT...

When you resolve in the gasless setup, the following happens:

  1. First, your name is resolved according to ENSIP-10:
  2. "" doesn’t exist on chain, try the parent
  3. "com" does exist on-chain
  4. get the on-chain resolver of "com"OffchainDNSResolver
  5. call OffchainDNSResolver.resolve("", ...)
  6. OffchainDNSResolver requests a proof for the DNS TXT of
  7. OffchainDNSResolver verifies the proof and looks for a TXT record that starts with "ENS1 "
  8. if found, it parses $RESOLVER from the ENS1 record
  9. if it’s an ENS name, it resolves it to a hex address, otherwise it expects a literal hex address
  10. this is the actual resolver for your name
  11. call $RESOLVER.resolve("", ..., $CONTEXT)
  12. as a bonus: the $CONTEXT, which is the remaining part of your ENS1 record, is passed to this new resolver contract
  13. dnsname.ens.eth is a special resolver, that when it receives a resolution request for your ETH address, it interprets the $CONTEXT as an ETH address and returns that.

So when you use: ENS1 dnsname.ens.eth 0xcc9506Fa9c23f5f00fC6305374072862cAd57B3e

This is like saying: To continue resolving my name, supply 0xcc9506Fa9c23f5f00fC6305374072862cAd57B3e to dnsname.ens.eth resolver —which is an immutable trustless contract that echos the supplied $CONTEXT as an ETH address.

TOR contract fills the same role as dnsname.ens.eth, it except it interprets the $CONTEXT differently.

  1. instead of $CONTEXT being your literal ETH address, the $CONTEXT is parsed as two separate arguments: a $SIGNER (another ETH address) and $ENDPOINT the location of an offchain server.
  2. TOR make an offchain request to $ENDPOINT
  3. TOR verifies the response was signed by $SIGNER
  4. TOR then returns the corresponding data
  5. this allows TOR to support any text record, any address record, contenthash, etc.

In this picture:

  1. Resolver is the resolver for “xyz” in ENS
  2. DNS ENS1 shows the different parts of the DNS TXT record
  3. DNS Resolver is what I set in my ENS1 record ($RESOLVER above)
  4. In this example, DNS Resolver = TOR
  5. is my server
  6. 0x2Fc3Fd8444211091De2DF9052741f80e4d78eeee is the signer for my servers responses
  7. As you can see, there are multiple text and address records.
1 Like

Oh snap! lol. I thought “dnsname” was a placeholder for my domain name - a variable for simple text replacement. So the wallet address is really the only variable in the TXT line that I need to set/replace.

So, place the TXT record in my domain’s nameserver/DNS and that’s it? What is all the fuss about DNSSEC then? Is that for more advanced stuff like what Coinbase is doing with the <> names with Coinbase Wallet?

DNSSEC is required so your DNS TXT record can be proven (by an on-chain contract.)

FYI, there is an OffchainDNSResolver on all of the major TLDs (com, net, org, etc.). That contract has the potential to provide records for any DNS name that isn’t imported into ENS.

This is similar to DNS providers (many ISPs in early 2000s) that serve ads or redirects on domains that don’t exist, except OffchainDNSResolver will only utilize the corresponding ENS1 record if there is a valid DNSSEC proof, that the resolver itself can verify.

OK, then I’m lost again. I can ask my server guy to add the TXT record to the DNS for my website. Namecheap (my domain registrar) allows me to set a DNSSEC record, but I have no idea how to figure out what data (the “Digest”/hash) needs to go there. :frowning:

Also, I’m sorry, but I did not understand your comment regarding an OffchainDNSResolver. Is this a different mechanism than putting a TXT record in the DNS and then setting a DNSSEC record? Are you saying that the TXT record could reference “OffchainDNSResolver” instead of " dnsname.ens.eth"?

Sorry I’m giving too much information.

For Namecheap, you just need to enable DNSSEC (on/off). Namecheap should automatically manage the corresponding DNSSEC records (RRSIG, DS, DNSKEY, etc.).

Then update your DNS TXT record:

ENS1 dnsname.ens.eth 0xcc9506Fa9c23f5f00fC6305374072862cAd57B3e

And resolve in ENS.

Thank you raffy. I appreciate your patience and willingness to help me.

I will give it a try.