FAQ: Automated DNSSEC provisioning

With automated DNSSEC provisioning, .se and .nu domain holders can update their DNSSEC configuration with the help of so-called CDS records published in their own zone. This allows a holder, or the holder's DNS provider, to, for example, roll the signing key or switch to another registrar without manually contacting the registry.

Who is it for?

The primary target group is DNS service providers who run DNS for organisations and private individuals. Registrars can also use the service, but for them it is usually easier to update DNSSEC configurations through the registry's EPP interface.

I provide DNS service to my customers. Now, one of them wants to roll their signing key – how do I create the necessary CDS record?

Provided that you have kept your name server software up to date, it should have this function built in: the signer generates the CDS record from the DNSKEY it wants published in the parent. PowerDNS, Knot and BIND support CDS today.

Can I publish both CDS and CDNSKEY records?

Yes. The CDS record is required to initiate a configuration update (a CDNSKEY record on its own is not acted on), while the CDNSKEY record is optional. If you publish the latter, its content must be consistent with the CDS record set, or the update will be cancelled.

How soon will a requested change be executed?

The Internet Foundation scans the zone files daily. Updates for a signed domain will normally be executed the same day, while signing of a previously unsigned domain will require three days.

You can track the scanning of your domain on https://cds.registry.se/

The configuration change I requested has still not been executed. Why is this?

There are several requirements that must be met before a change is carried out. Please verify that your request meets all of them before contacting registrar support.

  1. All scans must find the same data; for a previously unsigned domain this means three consecutive daily scans.
  2. The domain name is in the status ACTIVE.
  3. The domain is not in Registry Lock.
  4. The CDS record set does not contain syntactic or semantic errors.
  5. If CDNSKEY records are published, they must match the published CDS records.
  6. No more than six CDS records per domain.
  7. DNSSEC validation must succeed for each and every name server. All name servers must publish the same CDS RRset, but they are not required to publish the same DNSKEY RRset (for example in a multi-signer setup), so validation is checked against each name server individually.
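The following script is an added example, not part of the original FAQ and not the registry's own scanner. It shows what the name server does for you when it creates a CDS record (the CDS RDATA is identical to a DS record: key tag, algorithm, digest type and a digest over the owner name plus the DNSKEY RDATA, RFC 7344 / RFC 4034), and it pre-checks the requirements in the list above that can be verified before the daily scan: CDS syntax, an identical CDS RRset on every name server, the six-record limit, and CDNSKEY/CDS agreement. The owner name example.se, the name server labels and the DNSKEY are constructed; the DNSKEY has a four-byte placeholder public key so the key tag can be checked by hand, and the exact definition of "consistent" between CDNSKEY and CDS is this example's interpretation, not the registry's published rule.

```python
import base64
import hashlib

# Constructed DNSKEY used throughout this added example. It is NOT a real key:
# the public-key field is four placeholder bytes (0x01 0x02 0x03 0x04) so the
# RFC 4034 key tag can be checked by hand (it works out to 2068).
# Flags 257 = KSK/SEP, protocol 3, algorithm 13 = ECDSAP256SHA256.
OWNER = "example.se."
SAMPLE_KEY = "257 3 13 AQIDBA=="
MAX_CDS = 6                          # registry limit stated in the FAQ
DIGEST_LEN = {1: 40, 2: 64, 4: 96}   # hex digest length per DS digest type


def wire_name(name):
    """Owner name in DNS wire format, lower-cased (RFC 4034 section 5.1.4)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(text):
    """'flags protocol algorithm base64key' -> (algorithm, wire-format RDATA)."""
    flags, proto, alg, key = text.split(None, 3)
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
    return int(alg), rdata + base64.b64decode("".join(key.split()))


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def cds_from_dnskey(owner, dnskey_text, digest_type=2):
    """CDS RDATA (same format as DS, RFC 7344) for one DNSKEY/CDNSKEY record."""
    alg, rdata = dnskey_rdata(dnskey_text)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {alg} {digest_type} {digest}"


def parse_cds(text):
    """Syntax check of one CDS record; returns (keytag, alg, dtype, DIGEST)."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError(f"CDS needs 4 fields: {text!r}")
    tag, alg, dtype, digest = int(fields[0]), int(fields[1]), int(fields[2]), fields[3].upper()
    if dtype not in DIGEST_LEN or len(digest) != DIGEST_LEN[dtype]:
        raise ValueError(f"bad digest length for digest type {dtype}: {text!r}")
    int(digest, 16)  # digest must be hexadecimal
    return tag, alg, dtype, digest


def preflight(owner, cds_by_ns, cdnskey=()):
    """Return a list of problems against the FAQ's CDS requirements (empty
    list = consistent): CDS syntax, identical CDS RRset on every name server,
    at most MAX_CDS records, and CDNSKEY <-> CDS agreement. DNSKEY RRsets may
    legitimately differ between servers and are not compared; DNSSEC
    validation of each server's answer is a separate step (e.g. delv)."""
    problems, sets = [], {}
    for ns, rrs in cds_by_ns.items():
        try:
            sets[ns] = frozenset(parse_cds(r) for r in rrs)
        except ValueError as e:
            problems.append(f"{ns}: {e}")
    if len(set(sets.values())) > 1:
        problems.append("CDS RRset differs between name servers")
    if not sets:
        return problems
    cds = next(iter(sets.values()))
    if len(cds) > MAX_CDS:
        problems.append(f"{len(cds)} CDS records, registry allows {MAX_CDS}")
    if cdnskey:
        # Interpretation used in this example: every CDS must be derivable from
        # some CDNSKEY, and every CDNSKEY must yield at least one published CDS.
        dtypes = {d for _, _, d, _ in cds}
        derived = {parse_cds(cds_from_dnskey(owner, k, dt)): k
                   for k in cdnskey for dt in dtypes}
        for rec in sorted(cds - set(derived)):
            problems.append(f"CDS {rec[0]}/{rec[1]}/{rec[2]} matches no CDNSKEY")
        matched = {derived[rec] for rec in cds if rec in derived}
        for k in cdnskey:
            if k not in matched:
                problems.append(f"CDNSKEY {k[:20]}... matches no CDS")
    return problems


if __name__ == "__main__":
    expected = cds_from_dnskey(OWNER, SAMPLE_KEY)
    print("CDS the signer should publish:", expected)
    # Constructed scan result: ns1 and ns2 agree, ns3 still serves an old zone.
    print(preflight(OWNER, {"ns1": [expected], "ns2": [expected], "ns3": []}, [SAMPLE_KEY]))
```

In practice the `cds_by_ns` input comes from querying each authoritative server separately (`dig @ns1.example.se CDS example.se +dnssec`, and likewise for CDNSKEY), since the registry checks every server and a single stale secondary is enough to block the change; per-server DNSSEC validation of those answers can be done with `delv @server CDS example.se`.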

Where can I turn if I have questions about CDS?

Your first source of information is the https://cds.registry.se web page, where you can track the scanning of your domain. You may also contact registrar support at registry@internetstiftelsen.se.