DNS CSYNC Records Explained
DNS CSYNC (Child-to-Parent Synchronization) records allow child zones to signal to their parent zones that certain DNS records should be updated. This mechanism automates the synchronization of NS records and glue address records between child and parent zones.
What is a CSYNC record?
A CSYNC record contains three fields: a SOA serial number, flags, and a list of record types that should be synchronized. The SOA serial number helps prevent replay attacks by ensuring that only current synchronization requests are processed.
Defined in RFC 7477, CSYNC records address the common problem of keeping parent zone delegation records in sync with the child zone's actual configuration. Without CSYNC, changes to nameservers or glue records require manual updates in the parent zone, which can be slow and error-prone.
How do CSYNC records work?
When a child zone changes its NS records or associated A/AAAA glue records, it publishes a CSYNC record listing the record types that need updating. The parent zone's systems detect the CSYNC record and automatically update the delegation information to match the child zone's current configuration.
The flags field controls the synchronization behavior. Flag bit 0 (immediate) requests that the parent process the update right away, while flag bit 1 (soaminimum) indicates the parent should use the SOA MINIMUM value as a delay before processing. These flags can be combined.
CSYNC records require DNSSEC validation to prevent unauthorized modifications to parent zone delegation data. The parent zone must verify the CSYNC record's authenticity before making any changes.
Example
Here's what a CSYNC record looks like for the domain example.com: