Easier handling of records with automated DNSSEC provisioning

DNSSEC is currently enabled for almost half of the .se zone, and slightly less than that for .nu. To reach the other half of the “market”, DNSSEC needs to be more accessible. That is why we now add a new and easier method of updating records.

– Traditionally, DNSSEC management has been performed by the domain's registrar using EPP updates. We now add an additional method of updating Delegation Signer (DS) records, one that is better suited for DNS operators who do not have EPP access to our system, says Ulrich Wisser, DNS specialist at DNS-Labs.

By placing a CDS ("Child DS") record in the zone file for a .se/.nu domain, the domain holder or DNS operator signals to the registry that they want to update DNSSEC configuration for that domain. The CDS records are then polled daily by the registry to process DS updates.

Czechia and Switzerland are early adopters

– The registries in Switzerland (.ch) and Czechia (.cz) have already implemented DNSSEC Automation with CDS, and .cz now manages 50,000 signed domains that way. We believe that we have similar conditions in the .se and .nu zones and hope to see a similar percentage increase for us, says Ulrich Wisser.

– The standard document, RFC 8078, describes three use cases for CDS records: enable DNSSEC validation; roll the key-signing key; and turn off DNSSEC validation. We will support all three.

Zone scanning is carried out daily from three separate and geographically separated points in the network over TCP; name servers that only answer over UDP are disregarded. If all three polls see the same DS record, and the domain passes a number of sanity checks, the requested configuration change is executed, unless it is a request to enable DNSSEC. The sanity checks include whether the domain is active, whether configuration changes are allowed (i.e., the domain must not be under Registry Lock), DNSSEC validation (where available) and a few further restrictions.

A request to enable DNSSEC for a domain is postponed for two days and is only executed if an identical CDS record is found in the following two scans. In other words, it takes three days to enable DNSSEC for a previously unsigned domain.
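To make the processing rules above concrete, here is a small model of the registry-side decision logic as an added example; it is not the foundation's in-house scanner, and the `Domain` class, the `decide` function and the scan-result format are assumptions, while the DS removal signal `0 0 0 00` comes from RFC 8078.

```python
from dataclasses import dataclass, field

# Added example: a model of the daily CDS processing policy described above.
# Each scan is the frozenset of CDS tuples (key_tag, algorithm, digest_type, digest)
# that one vantage point saw over TCP; None means that point got no TCP answer.
# The "0 0 0 00" CDS (RFC 8078, section 4) requests removal of the DS record.
DELETE_CDS = frozenset({(0, 0, 0, "00")})


@dataclass
class Domain:
    name: str
    active: bool = True
    registry_lock: bool = False
    current_ds: frozenset = frozenset()          # DS set published in the parent zone
    pending: list = field(default_factory=list)  # identical CDS seen on prior days


def decide(domain, scans):
    """Process one day's scans and return 'ignore', 'blocked:<reason>',
    'postpone', 'enable', 'roll' or 'delete'. Applies the change on success."""
    # All three geographically separated TCP polls must have answered and agree.
    if len(scans) != 3 or any(s is None for s in scans) or len(set(scans)) != 1:
        return "ignore"
    cds = scans[0]
    if not cds or cds == domain.current_ds:
        return "ignore"                     # nothing requested, or already published
    # Sanity checks: the domain must be active and open to changes (no Registry Lock).
    if not domain.active:
        return "blocked:inactive"
    if domain.registry_lock:
        return "blocked:registry-lock"
    if cds == DELETE_CDS:
        if not domain.current_ds:
            return "ignore"                 # nothing to remove
        domain.current_ds = frozenset()
        return "delete"
    if domain.current_ds:
        domain.current_ds = cds             # signed domain: KSK rollover same day
        return "roll"
    # Unsigned domain: enabling waits two days and needs an identical CDS in the
    # following two scans, i.e. three consecutive consistent daily scans.
    if domain.pending and domain.pending[-1] != cds:
        domain.pending.clear()              # a different CDS restarts the waiting period
    domain.pending.append(cds)
    if len(domain.pending) < 3:
        return "postpone"
    domain.pending.clear()
    domain.current_ds = cds
    return "enable"
```

The model omits the DNSSEC validation check and the other unspecified restrictions mentioned above, since the page does not detail them.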

Online tool makes it easier to check status

The Swedish Internet Foundation maintains a status page where DNS operators can see the current state of CDS processing for a domain name. This status page shows the expected processing date for ongoing change requests as well as information about any error preventing a requested change from going forward. If an otherwise valid change is blocked by the domain being under Registry Lock, the registrar is notified by email and can contact the domain holder to resolve this issue.

The scanning software that the foundation uses has been developed in-house.

– We have written it so that scanning is spread out over the entire day, to minimize network impact, says Ulrich Wisser.

Zonemaster, the Foundation's DNS health check tool for domains, has also been updated to show information about CDS records.