- https://datatracker.ietf.org/doc/html/rfc7344
- https://datatracker.ietf.org/doc/html/rfc8078
- https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping/
| Registry | CDS | CDNSKEY | Delete | Bootstrap from insecure | Bootstrap via _dsboot |
CSYNC | Notes |
|---|---|---|---|---|---|---|---|
| .ch | Yes | No | Yes | 72 hours TCP-only | Yes | No | guidelines |
| .cr | No | Yes | Yes | 7 days TCP-only | No | No documentation found; FRED is used | |
| .cz | No | Yes | Yes | 7 days TCP-only | No | FRED is used | |
| .fo | Yes | No | Yes | 72 hours | No | guidelines | |
| .li | Yes | No | Yes | 72 hours TCP-only | Yes | No | guidelines |
| .nu | Yes | No | Yes | 72 hours TCP-only | Yes | Policy and Guidelines | |
| .se | Yes | No | Yes | 72 hours TCP-only | Yes | Policy and Guidelines | |
| .sk | Yes | No | Yes | 72 hours | No | No clear information about using TCP for bootstrapping | |
| .alt.za, .edu.za | Yes | No | Yes | 72 hours | No | No | |
| RIPE NCC | Yes | No | Yes | No | No |
| Registrar | CDS | CDNSKEY | Delete | Bootstrap from insecure | Bootstrap via _dsboot |
CSYNC | Notes |
|---|---|---|---|---|---|---|---|
| Glauca | Yes | Yes | Yes | All name servers must respond the same, TCP-only | Yes | ? | Docs |
| Domainnameshop | Yes | Yes | Yes | All name servers must respond the same, TCP-only | Possible future | No |
| Provider | CDS | CDNSKEY | Delete | Publishes _dsboot |
Notes |
|---|---|---|---|---|---|
| Cloudflare | Yes | Yes | Yes | Yes | |
| deSEC | Yes | Yes | Yes | Yes | docs |
| DNSimple | Yes | Yes | blog post | ||
| Glauca HexDNS | Yes | Yes | Yes | Yes | |
| GoDaddy | Yes | Yes | presentation at ICANN 68 | ||
| RcodeZero DNS | Yes | Yes | No | No |
- part of BIND 9
- can use both CDS and CDNSKEY
- can produce DSset file or script for
nsupdate - no support for bootstrapping from insecure
- no support for DNSSEC delete
- part of FRED
- only CDNSKEY records
- supports bootstrapping from insecure
- almost zero documentation :(
- rewritten
cdnskey-scannerpart of FRED - supports scanning from multiple locations
- source code location unknown :(
- there is diploma thesis and presentation in Czech
rcdss (RIPE NCC CDS Scanner)
- written in Python using dnspython
- reads RIPE Database objects
- produces RPSL-like diff objects
- multithreaded scanning
- no support for bootstrapping from insecure
- publishes both CDS and CDNSKEY records
- automated KSK rollover based on feedback from the parent
- controlled by
cds-cdnskey-publishconfig option - can also submit DS change directly using DDNS
- publishes both CDS and CDNSKEY records
- requires
rndc dnssec -checkds publishedto advance the KSK rollover
- publishes both CDS and CDNSKEY records
- controlled by
pdnsutil set-publish-cds - requires manual KSK rollover
- synthesis of
_dsbootrecord viaLUArecords: Setup LUA records; LUA module; pdns config