dnssec-cds command
Purpose
Changes the delegation signer (DS) records for a child zone based on child delegation signer (CDS) and child domain name server key (CDNSKEY).
Syntax
dnssec-cds [-a alg...] [-c class] [-D] {-d dsset-file} {-f child-file} [-i[extension]] [-s start-time] [-T ttl] [-u] [-v level] [-V] {domain}
Description
The dnssec-cds command changes the DS records at a delegation point based on the CDS or CDNSKEY records that are published in the child zone. If both CDS and CDNSKEY records are present in the child zone, the CDS records are preferred. This enables a child zone to inform its parent zone of upcoming changes to its key-signing keys (KSKs); by polling periodically with the dnssec-cds command, the parent zone keeps the DS records up-to-date and enables automatic rolling of KSKs.
The -f child-file option specifies a file that contains the CDS and CDNSKEY records of the child zone, along with the DNSKEY records and the covering resource record signature (RRSIG) records, so that the records can be authenticated. The -d path option specifies the location of a file that contains the current DS records. For example, the file might be a dsset- file that is generated by the dnssec-signzone command, the output of the dnssec-dsfromkey command, or the output of a previous dnssec-cds command.
The dnssec-cds command uses the special DNSSEC validation logic that is specified by RFC 7344. It requires that the CDS and CDNSKEY records are signed by a key that is represented in the existing DS records; typically this key is the pre-existing KSK. For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of the dnssec-cds command. The signature age is obtained from the modification time of the dsset- file, or by using the -s option.
To protect the DS records against breaking the delegation, the dnssec-cds command ensures that the DNSKEY resource record set (RRset) is verified by every key algorithm in the new DS RRset, and that the same set of keys is covered by every DS digest type.
By default, replacement DS records are written to the standard output; with the -i option, the input file is overwritten instead. The replacement DS records are the same as the existing records when no change is needed. The output can be empty if the CDS and CDNSKEY records specify that the child zone wants to become insecure. Take care not to delete the DS records when the dnssec-cds command fails. Alternatively, use the dnssec-cds -u command to write an nsupdate script to the standard output. The -u and -i options can be used together to maintain a dsset- file and to trigger an nsupdate script.
Flags
- -a algorithm
  Specifies a digest algorithm to be used when converting CDNSKEY records to DS records. This option can be repeated to create multiple DS records for each CDNSKEY record. If none of the CDS records use an acceptable digest type, dnssec-cds tries to use the CDNSKEY records instead. If there are no CDNSKEY records, it reports an error. The value of algorithm can be SHA-1, SHA-256, or SHA-384. These values are case-insensitive, and the hyphen can be omitted. If no algorithm is specified, the default value is SHA-256.
- -c class
  Specifies the DNS class of the zones.
- -D
  Generates DS records from CDNSKEY records if both CDS and CDNSKEY records are present in the child zone. By default, CDS records are preferred.
- -d dsset-file
  Specifies the location of the parent DS records. The path is the name of a file that contains the DS records. If it is a directory, the dnssec-cds command searches for a dsset- file for the domain in that directory. To protect the DS records against replay attacks, child records are rejected if they were signed before the modification time of the dsset- file. You can adjust the timing by using the -s option.
- -f child-file
  Specifies the file that contains the CDS and CDNSKEY records of the child zone, along with the DNSKEY records and the covering RRSIG records, so that they can be authenticated.
- -i[extension]
  Updates the dsset- file instead of writing DS records to the standard output. There must be no space between -i and the extension. If no extension is specified, the old dsset- file is discarded. If an extension is specified, a backup of the old dsset- file is saved with the extension appended to its file name. To protect the DS records against replay attacks, the modification time of the dsset- file is set to match the signature inception time of the child records, if that is later than the current modification time of the file.
- -s start-time
  Specifies the date and time after which RRSIG records become acceptable. This can be either an absolute or a relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20170827133700 denotes 13:37:00 Coordinated Universal Time (UTC) on 27 August 2017. A time relative to the dsset- file is indicated with -N, which means N seconds before the file modification time. A time relative to the current time is indicated with now+N. If start-time is not specified, the modification time of the dsset- file is used.
- -T ttl
  Specifies a time-to-live (TTL) to be used for the new DS records. If the value is not specified, the default is the TTL of the old DS records. If the old DS records had no explicit TTL, the new DS records also have no explicit TTL.
- -u
  Writes an nsupdate script to the standard output instead of printing the new DS records. The output is empty if no change is needed. Note: The TTL of the new records must be specified in the original dsset- file, by using the -T flag, or by the nsupdate ttl command.
- -V
  Prints version information.
- -v level
  Sets the debugging level. Level 1 is intended to be useful for general users. Higher levels are intended for developers.
- domain
  Indicates the name of the delegation point or child zone apex.
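As an added example, not taken from this man page or from BIND, the following Python script models the record handling described in the Description and under the -a, -D, and -s flags: it derives DS records from CDNSKEY records with the digest types that -a selects (using the RFC 4034 key tag and digest construction), applies the CDS-over-CDNSKEY preference and the -D override, recognizes the CDS record that signals that the child wants to become insecure, resolves a -s start time, and applies the replay rule that signatures must not be older than the previous run. Function names such as new_ds_set and start_time are this example's own, the CDNSKEY public key is a constructed two-byte placeholder rather than a real key, and RRSIG cryptographic verification is not performed; only the policy decisions around it are shown.

```python
# Added example: a model of the dnssec-cds record handling, not BIND's own code.
# RRSIG verification is NOT performed here; only the policy around it is modelled.
import base64
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# DS digest type numbers (RFC 4034 / RFC 6605) and the hashlib names for them.
DIGEST_TYPES = {"SHA1": 1, "SHA256": 2, "SHA384": 4}
HASH_NAME = {1: "sha1", 2: "sha256", 4: "sha384"}


def digest_type_from_option(value):
    """Parse an -a value: case-insensitive, hyphen optional, default SHA-256."""
    key = value.upper().replace("-", "") if value else "SHA256"
    if key not in DIGEST_TYPES:
        raise ValueError("unsupported digest algorithm: %r" % value)
    return DIGEST_TYPES[key]


def wire_name(name):
    """Owner name in canonical wire form: lower-case, length-prefixed labels, root label."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over DNSKEY/CDNSKEY RDATA."""
    ac = 0
    for i in range(0, len(rdata), 2):
        ac += (rdata[i] << 8) + (rdata[i + 1] if i + 1 < len(rdata) else 0)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire RDATA of a DNSKEY/CDNSKEY: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def ds_from_cdnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """DS fields (key tag, algorithm, digest type, digest) per RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.new(HASH_NAME[digest_type], wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def is_delete_cds(cds_records):
    """RFC 8078 'go insecure' signal: the CDS RRset consists only of 0 0 0 00."""
    return bool(cds_records) and all(r == (0, 0, 0, "00") for r in cds_records)


def start_time(option, file_mtime, now):
    """Resolve -s: absolute YYYYMMDDHHMMSS, -N (N s before the dsset- mtime), now+N,
    or the dsset- modification time when no option is given."""
    if option is None:
        return file_mtime
    if option.startswith("-"):
        return file_mtime - timedelta(seconds=int(option[1:]))
    if option.startswith("now+"):
        return now + timedelta(seconds=int(option[4:]))
    return datetime.strptime(option, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def signature_is_fresh(inception, previous_run):
    """Replay protection: the RRSIG inception must not predate the previous run."""
    return inception >= previous_run


def new_ds_set(owner, cds, cdnskey, digest_types=(2,), prefer_cdnskey=False):
    """Choose the replacement DS RRset. Returns [] when the child asks to go insecure.
    cds: list of (key tag, algorithm, digest type, digest); cdnskey: list of
    (flags, protocol, algorithm, base64 key). prefer_cdnskey models -D."""
    if is_delete_cds(cds):
        return []
    # CDS is preferred unless -D is given AND CDNSKEY records are also present.
    if cds and (not prefer_cdnskey or not cdnskey):
        usable = [r for r in cds if r[2] in digest_types]
        if usable:
            return sorted(usable)
    if not cdnskey:
        raise ValueError("no CDS with an acceptable digest type and no CDNSKEY records")
    return sorted(ds_from_cdnskey(owner, *key, digest_type=dt)
                  for key in cdnskey for dt in digest_types)


if __name__ == "__main__":
    # Constructed child records: one CDNSKEY whose "public key" is a 2-byte placeholder.
    child_cdnskey = [(257, 3, 13, "AAE=")]
    for rec in new_ds_set("example.test.", [], child_cdnskey, digest_types=(2, 4)):
        print("example.test. IN DS %d %d %d %s" % rec)
```

The key tag and digest construction are the real RFC 4034 ones, so the DS lines printed for a genuine CDNSKEY RDATA would match what dnssec-dsfromkey produces; what is omitted is the signature check that the CDS/CDNSKEY RRset is signed by a key in the existing DS set, which dnssec-cds performs before any of these policy steps apply.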
Exit status
The dnssec-cds command exits with a return status of 0 on success, or nonzero if an error occurs. A successful exit does not imply that the DS records were changed; they might not have needed any change.
Examples
Before you run the dnssec-signzone command, ensure that the delegations are updated by running the dnssec-cds command on every dsset- file.
To fetch the child records that are required by the dnssec-cds command, run the dig command as shown in the following script. Even if the dig command fails, the dnssec-cds command performs all the necessary checks.
for f in dsset-*
do
    d=${f#dsset-}
    dig +dnssec +noall +answer "$d" DNSKEY "$d" CDNSKEY "$d" CDS |
        dnssec-cds -i -f /dev/stdin -d "$f" "$d"
done
To maintain a delegation by using the dnssec-cds command together with the nsupdate command, when the named daemon automatically signs the parent zone, enter the following commands:
dig +dnssec +noall +answer "$d" DNSKEY "$d" CDNSKEY "$d" CDS |
    dnssec-cds -u -i -f /dev/stdin -d "$f" "$d" |
    nsupdate -l
The dsset- file saves the script from having to fetch and validate the parent DS records, and it maintains the replay-attack protection time.