Automated DNSSEC Provisioning
With a CDS (Child DS) record, a name server operator can signal to the registry which DS record should be set for a domain name in the .ch or .li zone. Our system checks all registered .ch and .li domain names for the presence of CDS records on a daily basis. This process allows for fully automated DNSSEC bootstrapping, key rollover and DS removal. To take advantage of this process, your DNS software needs to support the publication of CDS records.
Changes to the DS record set signaled via CDS records are accepted and published in the .ch or .li zone only if these acceptance criteria are met:
- The current CDS record set can be validated.
- The new DS RRSET does not break the chain of trust.
- The CDS record set is signed with a key that is represented in both the current DNSKEY and DS record set.
For bootstrapping DNSSEC, the following additional requirements apply:
- A published CDS record set must not change for three consecutive days.
- A published CDS record set must not change for at least three verification runs.
- If the CDS records are authenticated according to https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-bootstrapping, the bootstrapping delay is waived: the DS records are activated immediately after the first verification run, provided all other checks pass.
- All authoritative name servers assigned to a domain name in our database are checked on all their IP addresses. These name servers must respond with a consistent result.
- The DNS query is sent over TCP only.
Read our guidelines for a more detailed description of our provisioning process.
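The following is an added example, not the registry's own provisioning code, that models the acceptance criteria and bootstrapping requirements listed above as a small decision routine. The DNS queries (over TCP, to every IP of every authoritative name server) and the DNSSEC validation of the CDS record set are replaced by constructed `NameServerView` inputs, and keys are identified by key tag only, which is a simplification of the DS/DNSKEY matching a real validator performs. The `BootstrapTracker` class models the three-consecutive-run delay for unsigned delegations and the shortcut for authenticated CDS records.

```python
"""Model of the CDS acceptance rules described above (added example).

DNS lookups and RRSIG validation are stand-ins: each NameServerView is a
constructed summary of what one name server IP answered.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    """One DS (or CDS) record: key tag, algorithm, digest type, hex digest."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


# RFC 8078 removal signal: a single CDS record with all fields zero.
DELETE_CDS = DS(0, 0, 0, "00")


@dataclass(frozen=True)
class NameServerView:
    """What one name server IP answered (constructed stand-in for a TCP query)."""
    ip: str
    cds: frozenset            # the CDS record set as a frozenset of DS
    cds_validates: bool       # result of DNSSEC-validating the CDS RRset
    signer_key_tag: int       # key tag of the DNSKEY whose RRSIG covers the CDS set
    dnskey_tags: frozenset    # key tags present in the zone's DNSKEY RRset


def consistent_view(views):
    """Every name server on every IP must return the same answer."""
    if not views:
        return None
    fingerprint = lambda v: (v.cds, v.cds_validates, v.signer_key_tag, v.dnskey_tags)
    first = fingerprint(views[0])
    return views[0] if all(fingerprint(v) == first for v in views) else None


def evaluate_cds(current_ds, views):
    """Apply the acceptance criteria for an already-signed delegation.

    Returns (accepted, new_ds_set_or_None, reason).
    """
    view = consistent_view(views)
    if view is None:
        return False, None, "name servers do not respond consistently"
    if not view.cds_validates:
        return False, None, "CDS record set does not validate"
    # The signing key must appear in both the current DNSKEY and the current DS set.
    current_tags = {d.key_tag for d in current_ds}
    if view.signer_key_tag not in view.dnskey_tags or view.signer_key_tag not in current_tags:
        return False, None, "CDS not signed by a key present in both DNSKEY and DS"
    if view.cds == frozenset({DELETE_CDS}):
        return True, frozenset(), "DS record set removed on request"
    # Chain of trust: the new DS set must point at a key that is actually published.
    if not any(d.key_tag in view.dnskey_tags for d in view.cds):
        return False, None, "new DS record set would break the chain of trust"
    return True, view.cds, "DS record set replaced"


class BootstrapTracker:
    """Bootstrapping delay for an unsigned delegation: the same non-empty CDS set
    must be seen on three consecutive daily verification runs, unless the records
    are authenticated per draft-ietf-dnsop-dnssec-bootstrapping."""
    REQUIRED_RUNS = 3

    def __init__(self):
        self.last_cds = None
        self.unchanged_runs = 0

    def observe(self, cds, authenticated=False):
        """Record one verification run; True means the DS set may be activated now."""
        if not cds:
            self.last_cds, self.unchanged_runs = None, 0
            return False
        if authenticated:
            return True
        if cds == self.last_cds:
            self.unchanged_runs += 1
        else:
            self.last_cds, self.unchanged_runs = cds, 1
        return self.unchanged_runs >= self.REQUIRED_RUNS


# Constructed sample data: a KSK rollover from key tag 12345 to 54321.
KSK_OLD, KSK_NEW = 12345, 54321
CURRENT_DS = frozenset({DS(KSK_OLD, 13, 2, "aa" * 32)})
ROLLOVER_CDS = frozenset({DS(KSK_OLD, 13, 2, "aa" * 32), DS(KSK_NEW, 13, 2, "bb" * 32)})
DNSKEYS = frozenset({KSK_OLD, KSK_NEW})
GOOD_VIEWS = [
    NameServerView("192.0.2.1", ROLLOVER_CDS, True, KSK_OLD, DNSKEYS),
    NameServerView("2001:db8::1", ROLLOVER_CDS, True, KSK_OLD, DNSKEYS),
]

if __name__ == "__main__":
    print(evaluate_cds(CURRENT_DS, GOOD_VIEWS))
```

Run as a script, the sample rollover is accepted because the CDS set is signed by the old KSK (present in both DS and DNSKEY) and the new set still references a published key. A single name server still serving the previous CDS set, or a CDS set signed only by the not-yet-delegated new key, is rejected, which is the behaviour the criteria above call for.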