cds-updates icon indicating copy to clipboard operation
cds-updates copied to clipboard

verified publisher icon oskar456

Metadata

Info about CDS update support

Support for CDS/CDNSKEY/CSYNC updates

Relevant IETF Documents

  • https://datatracker.ietf.org/doc/html/rfc7344
  • https://datatracker.ietf.org/doc/html/rfc8078
  • https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/

Support in domain registries

Registry CDS CDNSKEY Delete Bootstrap from insecure Bootstrap via _dsboot CSYNC Notes
.ch Yes No Yes 72 hours TCP-only Yes No guidelines
.cr No Yes Yes 7 days TCP-only No No documentation found; FRED is used
.cz No Yes Yes 7 days TCP-only No FRED is used
.fo Yes No Yes 72 hours No guidelines
.li Yes No Yes 72 hours TCP-only Yes No guidelines
.nu Yes No Yes 72 hours TCP-only Yes Policy and Guidelines
.se Yes No Yes 72 hours TCP-only Yes Policy and Guidelines
.sk Yes No Yes 72 hours No No clear information about using TCP for bootstrapping
.alt.za, .edu.za Yes No Yes 72 hours No No
RIPE NCC Yes No Yes No No

Support in domain registrars

Registrar CDS CDNSKEY Delete Bootstrap from insecure Bootstrap via _dsboot CSYNC Notes
Glauca Yes Yes Yes All name servers must respond the same, TCP-only Yes ? Docs
Domainnameshop Yes Yes Yes All name servers must respond the same, TCP-only Possible future No

Support in DNS providers

Provider CDS CDNSKEY Delete Publishes _dsboot Notes
Cloudflare Yes Yes Yes Yes
deSEC Yes Yes Yes Yes docs
DNSimple Yes Yes blog post
Glauca HexDNS Yes Yes Yes Yes
GoDaddy Yes Yes presentation at ICANN 68
RcodeZero DNS Yes Yes No No

Parent-side software

dnssec-cds(8)

  • part of BIND 9
  • can use both CDS and CDNSKEY
  • can produce DSset file or script for nsupdate
  • no support for bootstrapping from insecure
  • no support for DNSSEC delete

cdnskey-scanner

  • part of FRED
  • only CDNSKEY records
  • supports bootstrapping from insecure
  • almost zero documentation :(

akm-multi-scanner

rcdss (RIPE NCC CDS Scanner)

  • written in Python using dnspython
  • reads RIPE Database objects
  • produces RPSL-like diff objects
  • multithreaded scanning
  • no support for bootstrapping from insecure

Child-side software

Knot

  • publishes both CDS and CDNSKEY records
  • automated KSK rollover based on feedback from the parent
  • controlled by cds-cdnskey-publish config option
  • can also submit DS change directly using DDNS

BIND9

  • publishes both CDS and CDNSKEY records
  • requires rndc dnssec -checkds published to advance the KSK rollover

PowerDNS

  • publishes both CDS and CDNSKEY records
  • controlled by pdnsutil set-publish-cds
  • requires manual KSK rollover
  • synthesis of _dsboot record via LUA records: Setup LUA records; LUA module; pdns config

Other links

  • https://archive.fosdem.org/2019/schedule/event/dns_dnssec_security_without_maintenance/
  • https://jpmens.net/2017/09/21/parents-children-cds-cdnskey-records-and-dnssec-cds/

Metadata

15
Stars
6
Forks
Watchers

Owner

verified publisher icon oskar456

Metadata

Info about CDS update support

Back