Announcing CDS/CDNSKEY Support
Anthony Eden
on
In January 2019 we started including CDS and CDNSKEY records for all newly signed zones. CDS and CDNSKEY are useful for signaling a change in a zone's DNSSEC status – either updating the key the zone is signed with or disabling DNSSEC altogether. CDS and CDNSKEY are defined in RFC8078 and provide a means to automate DNSSEC key rotation directly through DNS.
To learn more about DNSimple and DNSSEC, visit the DNSSEC support article.
How Does It Work?
Every time a DNSKEY is added to or removed from a zone, corresponding CDS and CDNSKEY records are created automatically by our system. These records appear in your zone just like any other DNS record.
Here's an example of the dig output when DNSimple's name servers are queried for a domain with a CDS record present:
; <<>> DiG 9.10.6 <<>> @1.1.1.1 dnsimple.zone cds
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49356
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dnsimple.zone. IN CDS
;; ANSWER SECTION:
dnsimple.zone. 3600 IN CDS 25906 8 2 5E5856124EA7D02CA2F69E58B174157BACAB88D256D50EA7A44D54EE 1707FB18
;; Query time: 53 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Aug 31 09:33:33 BST 2021
;; MSG SIZE rcvd: 90
And here's the query to the parent name server that delegates dnsimple.zone for its DS record:
; <<>> DiG 9.10.6 <<>> @37.209.198.7 dnsimple.zone ds
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->\>HEADER<<- opcode: QUERY, status: NOERROR, id: 41047
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnsimple.zone. IN DS
;; ANSWER SECTION:
dnsimple.zone. 86400 IN DS 1159 8 2 3EE59BD6C33C8ECE08957EEFEFB67B9903B9F3E62B74DB9FD0B52C96 2B6E8D99
;; Query time: 60 msec
;; SERVER: 37.209.198.7#53(37.209.198.7)
;; WHEN: Wed Feb 06 16:03:49 EST 2019
;; MSG SIZE rcvd: 90
Note that the DS content is the content of the CDS record. If CDS/CDNSKEY were supported by the .ZONE registry for handling DNSSEC changes, then automated key rotation is easy to implement without needing to get the domain registrar involved.
Who Is Supporting CDS/CDNSKEY?
Very few registries support CDS/CDNSKEY. As far as we're aware, only .cz is supporting CDS/CDNSKEY at this time. Most registries require going through domain registrars to set the DS record for your domain.
Our hope is that more registries will see the value of supporting CDS/CDNSKEY for automating DNSSEC DS record management and will choose to support CDS/CDNSKEY soon. It's also possible that registrars will begin supporting CDS/CDNSKEY, which would be beneficial for furthering domain management automation as well.
More Ways to Automate
For security protocols to work well, especially ones involving interaction between multiple parties, key rotation and secure exchange of signing details is critical. We believe that automated management of key rotation is the best way to ensure a healthy, secure environment, and we believe CDS/CDNSKEY is a step in the right direction to achieve this.
We will continue adopting new technologies that help support domain management automation, and we encourage you to let your other domain providers that they too should support technologies such as CDS/CDNSKEY.
More information is available in the CDS/CDNSKEY section of the DNSSEC article.
Anthony Eden
I break things so Simone continues to have plenty to do. I occasionally have useful ideas, like building a domain and DNS provider that doesn't suck.
We think domain management should be easy.
That's why we continue building DNSimple.
