Automatic DNSSEC Configuration via CDS Scanning

CDS is a special record type published in a child zone; it carries the DS record data that the child wants the parent zone to publish. Many modern DNS systems can automatically generate CDS records when signing a zone.

CDS scanning is a technology for automated DNSSEC bootstrap, published by the IETF in RFC 8078.

DNS operators supporting this protocol publish CDS records in the DNS zone they manage. CDS contains the same information as the DS record that operators want to publish in the parent zone. For example:

; example zone example.uz
example.uz. 3600 IN CDS 12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abc

An agent run by the .UZ domain administration automatically scans DNS operators' zones for CDS records and adds them as DS records for the domain in the parent .UZ zone:

; in the .UZ zone:
example.uz. 3600 IN DS 12345 13 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abc

This enables DNSSEC delegation for the domain without the need to manually copy and paste DS records.

CDS Scanning Policy

The .UZ domain administration implemented CDS scanning for the .UZ top-level domain in 2024, forming the basis of our policy to increase DNSSEC delegation for domains in the .UZ zone.

  1. Scanning is performed from the server dnssec.uz. Only domains previously added to the DNSSEC system by the domain Registrar are scanned.
  2. Only CDS records are checked; CDNSKEY records are ignored (support for CDNSKEY scanning may be added in the future).
  3. CDS records are not validated and are added to the DNSSEC system as is. Moderation is carried out later by the .UZ domain administration.
  4. Domains are scanned every hour.
  5. If one or more CDS records are found for an unsecured domain, these records are added to the database as DS records.
  6. On each scan, the CDS records found are compared with the DS records already in the database. If the CDS records differ from the stored DS records, the new CDS records are added as the updated DS records.
  7. In the initial phase of DS automation, only NS servers on the whitelist are scanned. Currently this includes NS servers from Cloudflare, GoDaddy, deSEC and certain NS servers of .UZ zone Registrars. To add an NS server to the whitelist, contact the .UZ domain administration at cctld@uzinfocom.uz.
  8. If a DNS zone operator returns a CDS record in the following format:

     example.uz. IN CDS 0 0 0 00

     (the delete record described in section 4 of RFC 8078), all DS records of the domain will be removed.
  9. Note that, because CDS records are checked against existing DS records for security, CDS scanning cannot be used to fix DNSSEC issues (e.g. a DS record added to an unsigned domain). In such cases, DS record adjustments should be made via the API or the Registrar's control panel.
  10. Similarly, in case of an emergency key rollover, use the API or the Registrar's control panel to update the delegation.
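As an added example (not the .UZ administration's own scanner), the following Python applies the decision rules of the policy above to constructed CDS and DS records: whitelist check, first-time add, update on change, and the RFC 8078 delete record. The whitelist names and all record values are hypothetical.

```python
# Added example, not the .UZ scanner itself: the decision logic of the CDS
# scanning policy, applied to constructed records. All names/values are hypothetical.
from typing import Iterable

# Hypothetical whitelisted NS servers (stands in for the operators the policy lists).
NS_WHITELIST = {"ns1.operator.example.", "ns2.operator.example."}

# RFC 8078 section 4 "delete" record: CDS 0 0 0 00
DELETE_RDATA = (0, 0, 0, "00")


def parse_rdata(line: str) -> tuple:
    """Parse 'owner [ttl] IN CDS|DS keytag alg digesttype digest' (presentation
    format; the digest may be split by whitespace) into a comparable tuple."""
    fields = line.split()
    i = fields.index("IN")
    if fields[i + 1] not in ("CDS", "DS"):
        raise ValueError(f"not a CDS/DS record: {line!r}")
    keytag, alg, dtype = (int(x) for x in fields[i + 2 : i + 5])
    digest = "".join(fields[i + 5 :]).lower()
    return (keytag, alg, dtype, digest)


def plan_ds_update(ns_names: Iterable[str], cds_lines: Iterable[str],
                   current_ds_lines: Iterable[str]) -> tuple:
    """Return (action, ds_rdata_set) for one scanned domain.

    action is one of: 'skip' (no whitelisted NS, item 7), 'none' (no CDS or
    no change), 'add' (item 5), 'update' (item 6), 'delete' (item 8).
    Assumption: the scanner only queries whitelisted NS, so a domain with no
    whitelisted NS is skipped entirely.
    """
    if not any(ns.lower() in NS_WHITELIST for ns in ns_names):
        return ("skip", set())
    cds = {parse_rdata(l) for l in cds_lines}
    ds = {parse_rdata(l) for l in current_ds_lines}
    if not cds:
        return ("none", ds)               # nothing published by the operator
    if DELETE_RDATA in cds:
        return ("delete", set())          # operator requests removal of all DS
    if not ds:
        return ("add", cds)               # unsecured domain becomes secured
    if cds != ds:
        return ("update", cds)            # CDS differs from stored DS (rollover)
    return ("none", ds)                   # already in sync


if __name__ == "__main__":
    # Constructed sample: a signed zone publishing one CDS, no DS stored yet.
    cds = ["example.uz. 3600 IN CDS 12345 13 2 " + "0123456789abcdef" * 4]
    print(plan_ds_update(["ns1.operator.example."], cds, []))
```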

Configuring Authoritative DNS to Publish CDS Records