DNS CDS Records Explained
DNS CDS (Child DS) records let a child zone tell its parent zone which DS (Delegation Signer) records the parent should hold for it. With a parent or registrar that polls for them, they automate DNSSEC key rollovers (and, with the later RFC 8078 and RFC 9615 extensions, initial DS bootstrapping and DS removal) so that the child operator no longer has to hand DS records to the parent out of band, for example by pasting them into a registrar portal.
What is a CDS record?
A CDS record has the same wire and presentation format as a DS record, with key tag, algorithm, digest type and digest fields, but it is published in the child zone rather than in the parent zone. The child publishes a CDS RRset to signal which DS records the parent should create, replace or remove. Because the CDS RRset lives in the signed child zone, it carries an RRSIG like any other record, and the parent validates it with the DS records it already holds before acting on it.
CDS records are defined in RFC 7344 together with the CDNSKEY record type; RFC 8078 adds the rules for establishing a DS in the parent for the first time and for deleting it. A CDNSKEY record carries the full public key (DNSKEY format), while a CDS record carries the pre-computed DS digest. A child may publish either or both; if both are present they must describe the same keys. Offering both gives the parent operator the choice of accepting the child's digest as-is or computing its own digest, with whatever digest type its policy requires, from the public key.
How do CDS records work?
The child zone operator publishes a CDS RRset containing the desired DS record content. The parent's provisioning system (or the registrar's, acting on its behalf) periodically queries the child's authoritative nameservers for the CDS RRset and, after checking it, creates, replaces or deletes the corresponding DS records in the parent zone. The checks a parent should make before applying a CDS RRset are: the RRset must validate through the existing chain of trust (that is, be signed by a key the current DS records already vouch for); the child's nameservers should all return the same RRset; the RRset must not be older than one the parent has already applied, which prevents an attacker from replaying a stale CDS to roll the DS back; and the resulting DS set must still reference at least one key actually present in the child's DNSKEY RRset, so that the delegation stays validatable after the change. A CDS RRset that fails any of these checks is ignored, not applied. No CDS RRset at all means "leave the DS records as they are".
CDS records are most useful during a key signing key (KSK) rollover. The child adds the new KSK to its DNSKEY RRset, publishes CDS records for the new key (and, while both keys are in use, for the old one as well), waits for the parent to update its DS records and for the old DS to expire from caches, and only then retires the old key. Validators therefore always find at least one DS that matches a key signing the child's DNSKEY RRset, and validation never breaks during the transition.
To ask the parent to remove DNSSEC entirely, the child publishes the special delete record defined in RFC 8078, with key tag 0, algorithm 0, digest type 0 and a digest of "00", i.e. the record "CDS 0 0 0 00" (the CDNSKEY equivalent is "CDNSKEY 0 3 0 AA=="). It must be the only record in the CDS RRset, and it must be signed and validate like any other CDS change; a parent that honours it removes all DS records for the child, making the delegation insecure.
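The following is an added example, not code from the original page: it builds CDS records from a child zone's KSK the way a signer would (RFC 4034 key tag and DS digest over the owner name plus DNSKEY RDATA) and then runs the parent-side acceptance checks described above through a KSK rollover, a DS removal, and a bogus CDS that points at a key the child does not publish. The zone name, the two keys (random bytes labelled as ECDSA P-256, not real key material) and the function names are all assumptions made for the example.

```python
"""Added example: deriving CDS records from a child KSK and applying a
parent-side CDS acceptance policy. Zone name and key bytes are constructed."""
import hashlib

# RFC 8078 section 4: the CDS record that asks the parent to remove all DS records.
CDS_DELETE = "0 0 0 00"

# Digest types (IANA DS digest registry) this example can verify.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA on the wire: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum of RDATA viewed as big-endian words."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest per RFC 4034 section 5.1.4: hash(owner wire name | DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def cds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Presentation form of the CDS (same fields as the DS) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def parent_apply_cds(current_ds, cds_rrset, child_dnskeys, owner):
    """Parent-side decision in the spirit of RFC 7344 / RFC 8078.

    child_dnskeys is the child's DNSKEY RRset as (flags, protocol, alg, pubkey) tuples;
    the caller is assumed to have already DNSSEC-validated both it and the CDS RRset
    against current_ds. Returns the new DS set, or None if the CDS RRset is ignored.
    """
    cds = set(cds_rrset)
    if not cds:
        return set(current_ds)                       # no CDS: leave DS unchanged
    if CDS_DELETE in cds:
        return set() if cds == {CDS_DELETE} else None  # delete must stand alone
    if cds == set(current_ds):
        return set(current_ds)                       # already applied
    accepted = {r for r in cds if int(r.split()[2]) in DIGEST_ALGS}
    if not accepted:
        return None                                  # no digest type we can verify
    # At least one accepted DS must match a key the child actually publishes,
    # otherwise the delegation would become unvalidatable after the change.
    derivable = {
        cds_from_dnskey(owner, f, p, a, k, dt)
        for (f, p, a, k) in child_dnskeys
        for dt in DIGEST_ALGS
    }
    if not accepted & derivable:
        return None
    return accepted


# Constructed placeholder keys: flags 257 (KSK), protocol 3, algorithm 13, random bytes.
OWNER = "example.com."
KSK_OLD = (257, 3, 13, bytes(range(1, 65)))
KSK_NEW = (257, 3, 13, bytes(range(64, 0, -1)))


def rollover_demo():
    """Walk a KSK rollover and a DS removal through the parent's checks."""
    current = {cds_from_dnskey(OWNER, *KSK_OLD)}
    both = [cds_from_dnskey(OWNER, *KSK_OLD), cds_from_dnskey(OWNER, *KSK_NEW)]
    step1 = parent_apply_cds(current, both, [KSK_OLD, KSK_NEW], OWNER)   # DS for both keys
    step2 = parent_apply_cds(step1, both[1:], [KSK_NEW], OWNER)           # old DS dropped
    step3 = parent_apply_cds(step2, [CDS_DELETE], [KSK_NEW], OWNER)       # delegation insecure
    bogus = parent_apply_cds(step2, ["12345 13 2 " + "AB" * 32], [KSK_NEW], OWNER)
    return step1, step2, step3, bogus


if __name__ == "__main__":
    for label, result in zip(("add", "swap", "delete", "bogus"), rollover_demo()):
        print(label, result)
```

The DNSSEC validation of the CDS and DNSKEY RRsets is deliberately left to the caller (a real parent would run them through a validating resolver against its current DS set); the function shows only the policy decisions that come after that validation.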
Example
Here's what a CDS record looks like for the domain example.com: