Administrating keys to sign your domain with DNSSEC has been unnecessarily complicated. Automated DNSSEC provisioning, which is now implemented in the .se and .nu zones, makes the process easier for the user.
DNSSEC-signing is currently used in close to half of all domains in the .se and .nu zones. But it could be more common. One problem blocking the growth of DNSSEC is that it is unnecessarily complicated for users to administer and publish keys.
To simplify this process, The Swedish Internet Foundation offers automated administration of keys using CDS records. This allows the holder of a .se or .nu domain to automate updates of the DNSSEC configuration, for example when rolling keys or changing registrar.
Avoids the need to update two zone files
The DNSSEC configuration of a domain example.se is split into two zone files handled by different operators. The signed DNS records and one or more DNSKEY records with the public keys are located in the child zone, the zone file for example.se. In the parent zone are DS records (Delegation signer) – they are also signed and point to the DNSKEY records in the child zone.
Earlier when a domain holder wanted to make changes in their DNSSEC configuration, the registrar or DNS operator needed to update not only their own zone file but also the parent zone. A registrar has the access and the tools needed to update the .se or .nu zone, but for independent DNS operators this has been a problem. They have been in some situations required to, at least in part, do this manually and making mistakes can mean the configuration isn’t executed or even causing problems with the zone.
The Swedish Internet Foundation has introduced support for a new kind of DNS record, CDS (Child DS), that is used in the child zone. Apart from key rollovers, CDS can be used to activate DNNSEC for an unsigned domain or deactivate it for a signed one.
Domains are scanned daily
A DNS operator who wants to update a DS record in the .se or .nu zones places the corresponding CDS record in the child zone. The Swedish Internet Foundation scans all .se and .nu domains once a day from three separate points of the Internet over TCP, and compares the results. Only records that have been found in all three scans are considered.
What happens after that depends on if the domain is signed with DNSSEC or not. For a signed domain the configuration changes will start immediately. A request to enable DNSSEC on an unsigned domain is postponed for two days and is only executed if an identical CDS post is found in the following two scans. That means it takes three days to enable DNSSEC for a previously unsigned domain.
Learn more about our CDS scanning and CDS record requirements in the document CDS Policy and Guidelines.
More information about automated DNSSEC provisioning
Policy and Guidelines for automated DNSSEC provisioning
FAQ for automated DNSSEC provisioning
Standard documents RFC 7344 and RFC 8078
Read more about DNSSEC
