How does domain creation work?

Hello there,

I am new to the concept of DNS and especially to deSEC. There are a few things related to the same topic I don’t understand at the moment, maybe there’ll be more :).

  • Do I need to buy a domain/subdomain somewhere from a domain provider, add it to my domains and then share the information that appears just after creating the domain (I tried a test domain with or is it just as easy as claiming a free subdomain (e.g., even with the API, and using it as if I had bought a domain without informing anyone about it?
    I’m not really sure, because the Terms of Use claim the following:

… may receive a deletion warning and may be deleted four weeks thereafter if that condition still applies.

Anyone who can prove ownership of a domain name by an upstream registry may claim control over this domain at all deSEC nameservers

  • If it would be the case that I can register a domain with, how would I set it up, because I’d still need to use the information provided in the instructions to set up that domain, that should normally be sent to the domain provider?

I’d be happy if someone could clarify the whole thing for me and please excuse my apparent lack of knowledge in that area. Thank you very much!

I’m a bit unclear as to what your actual questions are. But maybe this will help?

That depends on your use case. subdomains are meant primarily for DDNS (dynamic DNS) use. I.e. when you want a resolvable name for your host when it is on a connection with dynamic (changing) IPs as in many home Internet connection setups.

Thus deSEC reserves the right to clean up seemingly unused (unchanged) subdomains after a while to prevent old garbage subdomains from accumulating.

Note: DDNS also works best with very short TTLs. Subdomains of are automatically set up for this.

OTOH a real (second level) domain name may be better for marketing reasons as anyone who sees will assume that the services running under the subdomain are not professionally hosted.

Huh? After registering a domain with a domain registrar the NS glue records in the zone of the parent domain will point to the name servers (probably those of the domain registrar). If you want to use deSEC name servers then you need to get the domain registrar to change the NS glue and the DS records in the parent zone. You do not share any information from the domain registrar with deSEC, other than the domain name.

The main function of a domain registrar is to reserve domain names (actually subdomains of top-level domains — TLDs) for their clients by communicating with the registry of the TLD. E.g. if you want to register then the registrar will contact the registry of the com. TLD to reserve the domain (if it is available). They must allow setting the NS glue records in the TLD’s zone and if the TLD supports DNSSEC they should allow setting the DS records there as well. A domain registrar also updates whois and similar databases. Often a domain registrar will also offer DNS service but that is not strictly mandatory. (I think you would need to provide name servers when registering the domain but they don’t need to be those of the registrar. Generally at least two name servers in different networks are required.)

That is a completely different case. Here deSEC e.V. owns the domain and they allow you to register a subdomain under that domain according to their rules and policies. No other domain registrar is involved in this case.

As I wrote above, subdomains of must conform to deSEC e.V.'s terms. And those terms include that there needs to be some activity on the domain as would be normal for a domain used for DDNS.

Not sure what you are asking here. Once you have registered a subdomain of with deSEC you need to configure your router or some other host to update the A/AAAA records when they change. But no domain registrar is involved in this case. Of course you can use the web interface or the API to set other DNS records in the domain as well.

If you use a domain name and delegate DNS to deSEC then of course anyone who can prove they own that domain can make any changes. E.g. let’s say you register a domain but fail to renew after the initial term. Someone else grabs that domain and they can then do anything they want including setting the name servers to some other DNS provider. But in the case that they want to use deSEC that would be fine as well since they now own the domain. They would just need to prove ownership to deSEC e.V.


  • Use a subdomain of for DDNS. You will only deal with deSEC for this.

  • Use a domain registered somewhere else(*) for anything else.

*) Choose the domain registrar wisely because not every registrar allows you to set the DS records in the parent zone which is required for DNSSEC. And the propagation of DNSSEC is the declared goal of deSEC e.V. so it is not optional when using their name servers.


1 Like

Thank you for your answer.

Well, the domains are not really publicly visible, so it doesn’t matter and yes, I plan to use them for DDNS use to access the IP that is behind the DNS-Address and might be frequently changing.

What I still don’t understand is, when I create a subdomain under, what exactly do I need to do, in order to be able to assign an IP-Address to it, that shall be updated, when it changes (through the API). And all that should be able to happen automated through the API. What are those steps?

I’d start by reading the documentation :wink: