TLD Oracle

Claim TLDs in ENS using DNSSEC proofs. DNS registries can register their TLDs by proving ownership through their _ens.nic.{tld} TXT record. The v2 contract enforces a DAO-controlled allowlist of 1,166 post-2012 ICANN New gTLD Program strings eligible for self-serve claims.

Testnet Deployment: This is deployed on Sepolia with a 15-minute timelock for testing. In production, the timelock will be 10 days to allow DAO review.

Allowlist Security Model (v2): Only 1,166 post-2012 ICANN New gTLD Program TLDs are on the contract allowlist and eligible for self-serve claims.

Pre-2012 gTLDs (.com, .net, .org) and ccTLDs (.uk, .de) require a full ENS DAO governance proposal. The nic.tld namespace is only contractually reserved for post-2012 gTLDs under the ICANN New gTLD Agreement, so pre-2012 TLDs need governance approval to prevent fraudulent claims.

Claim TLD

How it works: Anyone can submit a claim (acting as a gas relayer), but the TLD is always minted to the owner address specified in the _ens.nic.{tld} TXT record — which only the DNS registry can set.
Note: In production, only the TLD owner will be able to initiate claims to ensure explicit intent.
⚠ Proof Freshness: The contract requires proofs ≤14 days old to prevent replay attacks. Registry must re-sign.
1. Check TLD Availability: Verify TLD is on the allowlist and not already claimed
2. Fetch DNSSEC Proofs: Query _ens.nic.{tld} TXT record
3. Submit Claim: Send transaction to TLDMinter contract

Ready to Claim

P-256

These 7 TLDs are on the allowlist and have published _ens.nic.{tld} TXT records with working DNSSEC chains.

Using Algorithm 13 (ECDSA-P256) for lower gas costs. Verisign migrated .com/.net/.edu to P-256 in 2023, signaling industry-wide adoption.

Claim Status: Available, Pending, Ready, Claimed, Vetoed
Proof Freshness:
  • Fresh = Proof ≤ 14 days old
  • Stale = Proof > 14 days (cannot claim)

On the Allowlist

1,166 post-2012 ICANN New gTLD Program TLDs are on the contract allowlist and eligible for self-serve claims — but most haven't published their _ens.nic.{tld} TXT records yet.

The allowlist is the contract-level gate; DNS readiness is the practical gate. Check if a specific TLD is on the allowlist below.

Why an allowlist? The nic.tld namespace is only contractually reserved for post-2012 gTLDs under the ICANN New gTLD Agreement. Pre-2012 gTLDs (.com, .net, .org) and ccTLDs (.uk, .de) have no such guarantee, so they need DAO governance approval to prevent fraudulent claims.
The allowlist check happens before DNSSEC verification, so non-allowed TLDs revert immediately without burning gas on proof verification.

Governance & Veto

During the timelock window, the ENS DAO or Security Council can veto a pending claim to prevent fraudulent TLD registrations.

Who can veto?
  • DAO Timelock — ENS governance proposals that pass a vote
  • Security Council — A multisig for emergency response (e.g., fraudulent DNS proofs)
When would a veto happen?
  • Fraudulent DNSSEC proofs (compromised DNS zone)
  • Disputed TLD ownership
  • TLD that should require governance approval but was incorrectly allowlisted
TLDMinter.sol: Veto mechanism
function veto(
    bytes32 labelHash,
    string calldata reason
) external {
    // Only DAO or Security Council can veto
    if (
        msg.sender != daoTimelock &&
        msg.sender != securityCouncilMultisig
    ) revert NotVetoAuthority();

    MintRequest storage req = requests[labelHash];
    if (req.owner == address(0))
        revert NoActiveRequest();

    req.vetoed = true;
    emit ClaimVetoed(labelHash, msg.sender, reason);
}

On testnet, the Security Council is a mock multisig. In production, this will be a Gnosis Safe controlled by elected ENS DAO security council members.

How It Works

1. Allowlist Check: Contract verifies TLD is on the 1,166-entry post-2012 gTLD allowlist before processing
2. Setup DNS Record: DNS registry publishes a=0x... in _ens.nic.{tld}
3. Submit Claim: Fetch DNSSEC proofs and submit claim to TLDMinter contract
4. Wait for Timelock: 15 minutes (testnet) or 10 days (mainnet) for DAO review and potential veto
5. Execute Claim: After timelock expires, execute to mint the TLD in ENS
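
The pre-claim checks from the steps above (allowlist, a=0x... TXT record, 14-day proof freshness, timelock), written as an added JavaScript example that is not TLDMinter or project code. It assumes proof age is counted from the RRSIG inception time and that the timelock starts at submission; the .example TLD, the address and the timestamps are constructed.

```javascript
// Added example: off-chain pre-flight for a TLD claim. Not TLDMinter code.
// Assumptions: proof age is counted from the RRSIG inception time, the TXT
// value is a single "a=0x<40 hex>" field, and the timelock starts at submission.
const MAX_PROOF_AGE = 14 * 24 * 60 * 60; // 14 days, in seconds
const TIMELOCK = { testnet: 15 * 60, mainnet: 10 * 24 * 60 * 60 };
const ZERO_ADDRESS = "0x" + "0".repeat(40);

// Extract the owner address from the _ens.nic.{tld} TXT value, or null.
function parseOwner(txt) {
  const m = /^a=(0x[0-9a-fA-F]{40})$/.exec(txt.trim());
  return m ? m[1].toLowerCase() : null;
}

// Checks run in the order the page gives: allowlist first, then the record,
// then freshness. Returns { ok, reason, owner, executableAt }.
function preflightClaim({ tld, txt, rrsigInception, now, network, allowlist }) {
  const label = tld.replace(/^\./, "").toLowerCase();
  if (!allowlist.has(label)) return { ok: false, reason: "not-allowlisted" };

  const owner = parseOwner(txt);
  if (owner === null) return { ok: false, reason: "bad-txt-record" };
  // veto() on the page treats owner == address(0) as "no active request",
  // so a zero owner should be stopped before it reaches the contract.
  if (owner === ZERO_ADDRESS) return { ok: false, reason: "zero-owner" };

  const age = now - rrsigInception;
  if (age < 0) return { ok: false, reason: "inception-in-future" };
  if (age > MAX_PROOF_AGE) return { ok: false, reason: "stale-proof" };

  // Earliest time the claim could be executed if it is submitted at `now`.
  return { ok: true, reason: "ready", owner, executableAt: now + TIMELOCK[network] };
}

// Constructed sample data (hypothetical TLD, address and timestamps).
const SAMPLE_ALLOWLIST = new Set(["example"]);
const SAMPLE_TXT = "a=0x" + "0".repeat(38) + "A1";
const NOW = 1700000000;
const fresh = preflightClaim({
  tld: ".example", txt: SAMPLE_TXT, rrsigInception: NOW - 3 * 86400,
  now: NOW, network: "testnet", allowlist: SAMPLE_ALLOWLIST,
});
console.log(fresh);
```

A stale result here means the registry has to re-sign the zone before a claim can go through, as the page notes.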