DNS CDNSKEY Records Explained

DNS CDNSKEY (Child DNSKEY) records are used to communicate DNSSEC key information from a child zone to its parent zone. They enable automated DNSSEC key rollovers and initial DNSSEC setup without requiring manual intervention from the parent zone operator.

What is a CDNSKEY record?

A CDNSKEY record has the same format as a DNSKEY record — containing flags, protocol, algorithm, and public key fields — but it serves a different purpose. While DNSKEY records are used by resolvers to validate DNSSEC signatures, CDNSKEY records are published by child zones to signal to their parent zones which keys should be used to generate DS records.

This mechanism, defined in RFC 7344, automates the process of establishing and updating the chain of trust between parent and child zones, which traditionally required out-of-band communication between zone operators.

How do CDNSKEY records work?

When a child zone wants to update its DNSSEC keys with the parent, it publishes CDNSKEY records in its zone. The parent zone operator (or their automated systems) periodically checks for CDNSKEY records in child zones and uses them to create or update the corresponding DS records in the parent zone.

This process is particularly valuable during key rollovers, where the child zone needs to transition from one key signing key (KSK) to another. By publishing CDNSKEY records, the child can signal the change without requiring manual coordination with the parent zone operator.

To remove DNSSEC from a child zone, a special CDNSKEY record with algorithm 0 can be published, signaling to the parent that all DS records should be removed.

Example

Here's what a CDNSKEY record looks like for the domain example.com:

example.com. 300 IN CDNSKEY 257 3 8 AwEAAag...base64encodedkey...

Name — The child zone domain name
Type — CDNSKEY record type
Flags — 256 for Zone Signing Key (ZSK), 257 for Key Signing Key (KSK)
Protocol — Always 3 for DNSSEC
Algorithm — The cryptographic algorithm used (8 = RSA/SHA-256, 13 = ECDSA P-256, 15 = Ed25519)
Public Key — The base64-encoded public key data
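As an added example (not code from the original page), here is the check a parent-side or monitoring script performs on a published CDNSKEY: parse the RDATA fields listed above, compute the RFC 4034 key tag, derive the SHA-256 DS record the parent would publish, and recognise the algorithm-0 delete signal. The sample key bytes and the function names are constructed for this illustration; the key is a stand-in, not a real public key.

```python
import base64
import hashlib
import struct

def parse_cdnskey(rdata_text):
    """Parse presentation-format RDATA: '<flags> <protocol> <algorithm> <base64 key>'."""
    flags, protocol, algorithm, *key_parts = rdata_text.split()
    return {
        "flags": int(flags),
        "protocol": int(protocol),
        "algorithm": int(algorithm),
        "key": base64.b64decode("".join(key_parts)),  # key may be split across whitespace
    }

def rdata_wire(rec):
    """Wire-format RDATA shared by DNSKEY and CDNSKEY: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]

def key_tag(rec):
    """Key tag per RFC 4034 Appendix B: the value that identifies the key in the DS record."""
    ac = 0
    for i, b in enumerate(rdata_wire(rec)):
        ac += b << 8 if i % 2 == 0 else b  # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lowercase, uncompressed) wire form of the owner name, as hashed for DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def is_delete_signal(rec):
    """Algorithm 0 asks the parent to drop all DS records (RFC 8078 writes it '0 3 0 AA==')."""
    return rec["algorithm"] == 0

def ds_from_cdnskey(owner, rdata_text):
    """Derive the DS the parent would publish: (key_tag, algorithm, digest_type 2, SHA-256 hex); None for the delete signal."""
    rec = parse_cdnskey(rdata_text)
    if is_delete_signal(rec):
        return None
    digest = hashlib.sha256(owner_wire(owner) + rdata_wire(rec)).hexdigest()
    return key_tag(rec), rec["algorithm"], 2, digest

# Constructed sample values: the 4-byte key is a stand-in, not a real public key.
SAMPLE_CDNSKEY = "257 3 13 AQIDBA=="
DELETE_CDNSKEY = "0 3 0 AA=="

if __name__ == "__main__":
    print(ds_from_cdnskey("example.com.", SAMPLE_CDNSKEY))
```

Comparing the returned tuple against the DS the parent currently serves tells you whether a pending CDNSKEY has been picked up, and a None result flags a request to remove the chain of trust entirely.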
