Support for CDS/CDNSKEY/CSYNC updates

Relevant IETF Documents

Support in domain registries

Registry	CDS	CDNSKEY	Delete	Bootstrap from insecure	Bootstrap via `_dsboot`	CSYNC	Notes
.ch	Yes	No	Yes	72 hours TCP-only	Yes	No	guidelines
.cr	No	Yes	Yes	7 days TCP-only		No	No documentation found; FRED is used
.cz	No	Yes	Yes	7 days TCP-only		No	FRED is used
.fo	Yes	No	Yes	72 hours		No	guidelines
.li	Yes	No	Yes	72 hours TCP-only	Yes	No	guidelines
.nu	Yes	No	Yes	72 hours TCP-only		Yes	Policy and Guidelines
.se	Yes	No	Yes	72 hours TCP-only		Yes	Policy and Guidelines
.sk	Yes	No	Yes	72 hours		No	No clear information about using TCP for bootstrapping
.alt.za, .edu.za	Yes	No	Yes	72 hours	No	No
RIPE NCC	Yes	No	Yes	No		No

Support in domain registrars

Registrar	CDS	CDNSKEY	Delete	Bootstrap from insecure	Bootstrap via `_dsboot`	CSYNC	Notes
Glauca	Yes	Yes	Yes	All name servers must respond the same, TCP-only	Yes	?	Docs
Domainnameshop	Yes	Yes	Yes	All name servers must respond the same, TCP-only	Possible future	No

Support in DNS providers

Provider	CDS	CDNSKEY	Delete	Publishes `_dsboot`	Notes
Cloudflare	Yes	Yes	Yes	Yes
deSEC	Yes	Yes	Yes	Yes	docs
DNSimple	Yes	Yes			blog post
Glauca HexDNS	Yes	Yes	Yes	Yes
GoDaddy	Yes	Yes			presentation at ICANN 68
RcodeZero DNS	Yes	Yes	No	No

Parent-side software

dnssec-cds(8)

part of BIND 9
can use both CDS and CDNSKEY
can produce DSset file or script for nsupdate
no support for bootstrapping from insecure
no support for DNSSEC delete

cdnskey-scanner

part of FRED
only CDNSKEY records
supports bootstrapping from insecure
almost zero documentation :(

akm-multi-scanner

rewritten cdnskey-scanner part of FRED
supports scanning from multiple locations
source code location unknown :(
there is diploma thesis and presentation in Czech

rcdss (RIPE NCC CDS Scanner)

written in Python using dnspython
reads RIPE Database objects
produces RPSL-like diff objects
multithreaded scanning
no support for bootstrapping from insecure

Child-side software

Knot

publishes both CDS and CDNSKEY records
automated KSK rollover based on feedback from the parent
controlled by cds-cdnskey-publish config option
can also submit DS change directly using DDNS

BIND9

publishes both CDS and CDNSKEY records
requires rndc dnssec -checkds published to advance the KSK rollover

PowerDNS

publishes both CDS and CDNSKEY records
controlled by pdnsutil set-publish-cds
requires manual KSK rollover
synthesis of _dsboot record via LUA records: Setup LUA records; LUA module; pdns config

Name		Name	Last commit message	Last commit date
Latest commit History 24 Commits
LICENSE		LICENSE
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Support for CDS/CDNSKEY/CSYNC updates

Relevant IETF Documents

Support in domain registries

Support in domain registrars

Support in DNS providers

Parent-side software

dnssec-cds(8)

cdnskey-scanner

akm-multi-scanner

rcdss (RIPE NCC CDS Scanner)

Child-side software

Knot

BIND9

PowerDNS

Other links

About

Uh oh!

Releases

Packages

License

klaus-nicat/cds-updates

Folders and files

Latest commit

History

Repository files navigation

Support for CDS/CDNSKEY/CSYNC updates

Relevant IETF Documents

Support in domain registries

Support in domain registrars

Support in DNS providers

Parent-side software

dnssec-cds(8)

cdnskey-scanner

akm-multi-scanner

rcdss (RIPE NCC CDS Scanner)

Child-side software

Knot

BIND9

PowerDNS

Other links

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Packages