3.5. Keysets

A keyset contains information which represents a set of DNSSEC keys.

Namespace: http://www.nic.cz/xml/epp/keyset-1.3
Schema: keyset-1.3.4.xsd


DNSSEC keys mapping is partially based on the standard RFC 5910 but implemented with the following modifications:

  • keys are grouped in a set that is identified by a handle,

  • a standalone object instead of just a domain extension,

  • custom element structure for DNSSEC key representation,

  • association with technical contacts.

3.5.1. Object attributes

In addition to the common attributes, keysets also have the following attributes:


The keyset handle. See Handles of contacts, nssets and keysets.


The 1–10 DNSSEC key(s), consisting of:


Flags. Allowed values are: 0, 256, 257.


Protocol. The only allowed value is 3.


Algorithm number defined by IANA, see DNS Security Algorithm Numbers.

The FRED EPP server does not allow to use 0, 1, 2 and 252 by default.


Public key as keyset:keyT.


A DNSSEC key corresponds to a DNSKEY Resource Record, see RFC 4034#section-2.


The handle(s) of 1–10 technical contact(s).

3.5.2. Object states

A keyset can have one or more of the following statuses:

  • ok – no other states are set

  • linked – the keyset has relation to other records in the Registry

  • serverDeleteProhibited – deletion of the keyset is forbidden

  • serverTransferProhibited – transfer of the keyset is forbidden

  • serverUpdateProhibited – update of the keyset is forbidden

  • deleteCandidate – the keyset is scheduled for deletion

3.5.3. Command-response mapping

For command-response mapping see a specific command syntax description: