3.5. Keysets

A keyset contains information which represents a set of DNSSEC keys.

Namespace: http://www.nic.cz/xml/epp/keyset-1.3
Schema: keyset-1.3.2.xsd


DNSSEC keys mapping is partially based on the standard RFC 5910 but implemented with the following modifications:

  • keys are grouped in a set that is identified by a handle,
  • a standalone object instead of just a domain extension,
  • custom element structure for DNSSEC key representation,
  • association with technical contacts.

3.5.1. Object attributes

In addition to the common attributes, keysets also have the following attributes:

The keyset handle. See Handles of contacts, nssets and keysets.

The 1–10 DNSSEC key(s), consisting of:

Flags. Allowed values are: 0, 256, 257.
Protocol. The only allowed value is 3.

Algorithm number defined by IANA, see DNS Security Algorithm Numbers.

The FRED EPP server does not allow to use 0, 1, 2 and 252 by default.

Public key as keyset:keyT.


A DNSSEC key corresponds to a DNSKEY Resource Record, see RFC 4034#section-2.

The handle(s) of 1–10 technical contact(s).

3.5.2. Object states

A keyset can have one or more of the following statuses:

  • ok – no other states are set
  • linked – the keyset has relation to other records in the Registry
  • serverDeleteProhibited – deletion of the keyset is forbidden
  • serverTransferProhibited – transfer of the keyset is forbidden
  • serverUpdateProhibited – update of the keyset is forbidden
  • deleteCandidate – the keyset is scheduled for deletion

3.5.3. Command-response mapping

For command-response mapping see a specific command syntax description: