In January 2019 we started including CDS and CDNSKEY records for all newly signed zones. CDS and CDNSKEY are useful for signaling a change in a zone's DNSSEC status – either updating the key the zone is signed with or disabling DNSSEC altogether. CDS and CDNSKEY are defined in RFC8078 and provide a means to automate DNSSEC key rotation directly through DNS.

To learn more about DNSimple and DNSSEC, visit the DNSSEC support article.

How Does It Work?

Every time a DNSKEY is added to or removed from a zone, corresponding CDS and CDNSKEY records are created automatically by our system. These records appear in your zone just like any other DNS record.

Here's an example of the dig output when DNSimple's name servers are queried for a domain with a CDS record present:

; <<>> DiG 9.10.6 <<>> dnsimple.zone cds
;; global options: +cmd
;; Got answer:
;; ->\>HEADER<<- opcode: QUERY, status: NOERROR, id: 62294
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;dnsimple.zone.			IN	CDS

;; ANSWER SECTION:
dnsimple.zone.		299	IN	CDS	0 8 2 3EE59BD6C33C8ECE08957EEFEFB67B9903B9F3E62B74DB9FD0B52C96 2B6E8D99

;; Query time: 197 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Feb 06 16:03:45 EST 2019
;; MSG SIZE  rcvd: 90

And here's the query to the parent name server that delegates dnsimple.zone for its DS record:

; <<>> DiG 9.10.6 <<>> @37.209.198.7 dnsimple.zone ds
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->\>HEADER<<- opcode: QUERY, status: NOERROR, id: 41047
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dnsimple.zone.			IN	DS

;; ANSWER SECTION:
dnsimple.zone.		86400	IN	DS	1159 8 2 3EE59BD6C33C8ECE08957EEFEFB67B9903B9F3E62B74DB9FD0B52C96 2B6E8D99

;; Query time: 60 msec
;; SERVER: 37.209.198.7#53(37.209.198.7)
;; WHEN: Wed Feb 06 16:03:49 EST 2019
;; MSG SIZE  rcvd: 90

Note that the DS content is the content of the CDS record. If CDS/CDNSKEY were supported by the .ZONE registry for handling DNSSEC changes, then automated key rotation is easy to implement without needing to get the domain registrar involved.

Who Is Supporting CDS/CDNSKEY?

Very few registries support CDS/CDNSKEY. As far as we're aware, only .cz is supporting CDS/CDNSKEY at this time. Most registries require going through domain registrars to set the DS record for your domain.

Our hope is that more registries will see the value of supporting CDS/CDNSKEY for automating DNSSEC DS record management and will choose to support CDS/CDNSKEY soon. It's also possible that registrars will begin supporting CDS/CDNSKEY, which would be beneficial for furthering domain management automation as well.

More Ways to Automate

For security protocols to work well, especially ones involving interaction between multiple parties, key rotation and secure exchange of signing details is critical. We believe that automated management of key rotation is the best way to ensure a healthy, secure environment, and we believe CDS/CDNSKEY is a step in the right direction to achieve this.

We will continue adopting new technologies that help support domain management automation, and we encourage you to let your other domain providers that they too should support technologies such as CDS/CDNSKEY.

More information is available in the CDS/CDNSKEY section of the DNSSEC article.