Skip to content

oskar456/cds-updates

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Support for CDS/CDNSKEY/CSYNC updates

Relevant IETF Documents

  • RFC 7344: Automating DNSSEC Delegation Trust Maintenance
  • RFC 8078: Managing DS Records from the Parent via CDS/CDNSKEY
  • RFC 9615: Automatic DNSSEC Bootstrapping Using Authenticated Signals from the Zone's Operator

Support in domain registries

Registry CDS CDNSKEY Delete Bootstrap from insecure Bootstrap via _dsboot CSYNC Notes
.ch Yes No Yes 72 hours TCP-only Yes No guidelines
.cr No Yes Yes 7 days TCP-only No No documentation found; FRED is used
.cz No Yes Yes 7 days TCP-only No FRED is used
.fo Yes No Yes 72 hours No guidelines
.li Yes No Yes 72 hours TCP-only Yes No guidelines
.nu Yes No Yes 72 hours TCP-only Yes Policy and Guidelines
.se Yes No Yes 72 hours TCP-only Yes Policy and Guidelines
.sk Yes No Yes 72 hours No No clear information about using TCP for bootstrapping
.uz Yes No Yes 2 hours No No Policy and Guidlines
.alt.za, .edu.za Yes No Yes 72 hours No No
RIPE NCC Yes No Yes No No

Support in domain registrars

Registrar CDS CDNSKEY Delete Bootstrap from insecure Bootstrap via _dsboot CSYNC Notes
Glauca Yes Yes Yes All name servers must respond the same, TCP-only Yes ? Docs
Domainnameshop Yes Yes Yes All name servers must respond the same, TCP-only Possible future No

Support in DNS providers

Provider CDS CDNSKEY Delete Publishes _dsboot Notes
Cloudflare Yes Yes Yes Yes
deSEC Yes Yes Yes Yes docs
DNSimple Yes Yes blog post
Glauca HexDNS Yes Yes Yes Yes
GoDaddy Yes Yes presentation at ICANN 68
RcodeZero DNS Yes Yes No No

Parent-side software

dnssec-cds(8)

  • part of BIND 9
  • can use both CDS and CDNSKEY
  • can produce DSset file or script for nsupdate
  • no support for bootstrapping from insecure
  • no support for DNSSEC delete

cdnskey-scanner

  • part of FRED
  • only CDNSKEY records
  • supports bootstrapping from insecure
  • almost zero documentation :(

akm-multi-scanner

rcdss (RIPE NCC CDS Scanner)

  • written in Python using dnspython
  • reads RIPE Database objects
  • produces RPSL-like diff objects
  • multithreaded scanning
  • no support for bootstrapping from insecure

Child-side software

Knot

  • publishes both CDS and CDNSKEY records
  • automated KSK rollover based on feedback from the parent
  • controlled by cds-cdnskey-publish config option
  • can also submit DS change directly using DDNS

BIND9

  • publishes both CDS and CDNSKEY records
  • automated KSK rollover with checkds option

PowerDNS

  • publishes both CDS and CDNSKEY records
  • controlled by pdnsutil set-publish-cds
  • requires manual KSK rollover
  • synthesis of _dsboot record via LUA records: Setup LUA records; LUA module; pdns config

Other links

About

Info about CDS update support

Resources

Readme

License

MIT license
Activity

Stars

43 stars

Watchers

19 watching

Forks

12 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors