Updating DNSSEC verification with EIP-7951

🧑‍💻 ENS Development Contracts
1

Post Fusaka, Ethereum can now cheaply verify real-world DNSSEC proofs onchain. I built dnssec.eketc.co to test the new P-256 precompile in practice—specifically for gasless resolution and verification as a foundation for importing DNS data onchain.

The demo:

  • Fetches proofs offchain via gateway.eketc.co and verifies them onchain using the precompile
  • Fetches proofs from _ens.{domain} records, resolves them, and shows the verification chain
  • Displays gas benchmarks comparing the P-256 oracle against the current implementation

I’ve implemented and tested this update in PR #509, which replaces the EllipticCurve dependency in P256SHA256Algorithm.sol with the EIP-7951 precompile. The change follows ENS’s existing ModexpPrecompile pattern and maintains full compatibility with the existing Algorithm interface.

Technical specification → DNSSEC Onchain Resolution - Eureka

6 Likes
Contributor Report: estmcmxci.eth
2

Thank you so much for this! I’ll review the PR this week.

1 Like
ENS DAO Newsletter #104 — 1/15/26
3

Thanks, Nick!

The PR is now merged and live in the staging branch: ens-contracts/contracts/dnssec-oracle/algorithms at staging · ensdomains/ens-contracts · GitHub

Really exciting to see the P-256 precompile land. It massively drops the cost of DNSSEC verification onchain and finally makes DNS proofs economically feasible at protocol scale, enabling things like automated imports and higher-level DNS → ENS integrations (among many other applications).

3 Likes
[RFC] Scaling TLD Assignment with DNS-Verified, DAO-Governed Allocation