dnssec-cds command

Edit online

Purpose

Changes the delegation signer (DS) records for a child zone based on child delegation signer (CDS) and child domain name server key (CDNSKEY).

Syntax

dnssec-cds [-a alg…] [-c class] [-D] {-d dsset-file} {-f child-file} [-i**[extension]] [-s** start-time] [-T ttl] [-u] [-v level] [-V] {domain}

Description

The dnssec-cds command changes DS records at a delegation point based on CDS or CDNSKEY records that are published in the child zone. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred. This enables a child zone to inform its parent zone about upcoming changes to its key-signing keys (KSKs); by polling periodically using the dnssec-cds command. The parent zone can keep the DS records up-to-date and enable automatic rolling of KSKs.

Two input files are required. The -f child-file option specifies a file that contains the child’s CDS and CDNSKEY records, along with the resource record signature (RRSIG) and DNSKEY records so that the records can be authenticated. The -d path option specifies the location of a file that contains the current DS records. For example, the file might be a dsset- file generated by the dnssec-signzone command, or the output of the dnssec-dsfromkey command, or the output of the dnssec-cds command that was previously run.

The dnssec-cds command uses special DNSSEC validation logic that is specified by RFC 7344. The dnssec-cds command requires the CDS and CDNSKEY records to be signed by a key that is represented in the existing DS records. This is typically the pre-existing KSK.

For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of the dnssec-cds command. The signature age is obtained from the modification time of the dsset- file, or by using the -s option.

To protect the DS records against breaking the delegation, the dnssec-cds command ensures that the DNSKEY resource record set (RRset) can be verified by every key algorithm in the new DS RRset, and that the same set of keys are covered by every DS digest type.

By default, replacement DS records are written to the standard output by using the -i option; the input file is overwritten. The replacement DS records are the same as the existing records, when no change is required. The output can be empty if the CDS and CDNSKEY records specify that the child zone needs to be insecure.

Attention: Do not delete the DS records when the dnssec-cds command fails. Alternatively, use the dnssec-cds -u command to write an nsupdate script to the standard output. Both the -u and -i options can be used to maintain a dsset- file and to trigger an nsupdate script.

Flags

-a algorithm

Specifies a digest-algorithm that must be used when converting CDNSKEY records to DS records. This option can be used again to create multiple DS records for each CDNSKEY record. This option is not useful when you use CDS records.

The value of algorithm can be SHA-1, SHA-256, or SHA-384. These values are case-insensitive, and the hyphen can be omitted. If no algorithm is specified, the default value is SHA-256.

-c class

Specifies the DNS class of zones.

-D

Generates DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone. By default, CDS records are preferred.

-d path

Specifies the location of parent DS records. The path can be the name of a file that contains the DS records; if it is a directory, the dnssec-cds command searches for a dsset- file for the domain in the directory.

To protect the DS records against replay attacks, child records are rejected if it were signed before the modification time of the dsset- file. You can adjust the timing by using the -s option.

-f child-file

Specifies the file that contains the child’s CDS and CDNSKEY records, along with its DNSKEY records and the covering RRSIG records, so that they can be authenticated.

-iextension

Updates the dsset- file instead of writing DS records to the standard output.

There must be no space between the -i and extension. If extension is not specified, the old dsset- is discarded. If an extension is specified, a backup of the old dsset- file is saved with the extension value appended to its file name.

To protect the DS records against replay attacks, the modification time of the dsset- file is set to match the signature inception time of the child records, provided that it is later than the file’s current modification time.

-s start-time

Specifies the date and time after which RRSIG records become acceptable. This can be either an absolute or a relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 UTC on August 27th, 2017. A time relative to the dsset- file is indicated with -N, which means N seconds before the file modification time. A time relative to the current time is indicated with now+N.

If start-time is not specified, the modification time of the dsset- file is used.

-T ttl

Specifies a time-to-live (TTL) that must be used for new DS records. If the value is not specified, the default value is the TTL of old DS records. If the old DS records had no explicit TTL, the new DS records also will not have explicit TTL.

-u

Writes a nsupdate script to the standard output instead of printing the new DS records. The output is empty if no change is needed.

Note: The TTL of new records needs to be specified in the original dsset- file by using the -T flag or the nsupdate ttl command.
-V

Prints version information.

-v level

Sets the debugging level. Level 1 is intended to be useful for general users; higher levels are intended for developers.

domain

Indicates the name of the delegation point or child zone apex.

Exit status

The dnssec-cds command exits 0 on success, or non-zero if an error occurs.

Examples

Before running the dnssec-signzone command, ensure that the delegations are updated by running the dnssec-cds command on every dsset- file.

To fetch child records that are required by dnssec-cds, invoke the dig command as shown in the following script. Even if the dig command fails, the dnssec-cds command performs all necessary checks.

for f in dsset-*
do
    d=${f#dsset-}
    dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
    dnssec-cds -i -f /dev/stdin -d $f $d
done

When the parent zone is automatically signed by the named command, the dnssec-cds command can be used with the nsupdate command to maintain a delegation as follows. The dsset- file does not allow the script to fetch and validate the parent DS records, and it maintains the replay attack protection time.

dig +dnssec +noall +answer $d DNSKEY $d CDNSKEY $d CDS |
dnssec-cds -u -i -f /dev/stdin -d $f $d |
nsupdate -l