This time on PING, Peter Thomassen from SSE and DEsec.io discusses his analysis of the failure modes of CDS and CDNSKEY records between parent and child in the DNS. These records provide in-band signalling of the DS record, which is fundamental to maintaining a secure path from the Trust Anchor to the delegation through all the intermediate parent and grandparent domains. Many people use out-of-band methods to update this DS information. Still, the CDS and the CDNSKEY records are designed to signal this critical information inside the DNS, avoiding many of the pitfalls of passing through a registry-registrar web service.
The problem is, as Peter has discovered, the information across the various nameservers (denoted by the NS record in the DNS) of the child domain can get out of alignment, and the tests a parent zone needs to do to check CDS and CDNSKEY information aren’t sufficiently specified to wire down this risk.
Peter performed a ‘meta-analysis’ inside a far larger cohort of DNS data captured by Florian Steurer and Tobias Fiebig at the Max Planck Institute and discovered a low but persisting error rate, a drift in the critical keying information between a zone’s NS and the parent. Some of these related to transitional states in the DNS (such as when you move registry or DNS provider) but by no means all, and this has motivated Peter and his co-authors to look at improved recommendations for managing CDS / CDNSKEY data, to minimize the risk of inconsistency, and the consequent loss of a secure entry path to a domain name.
Read more about DNSSEC delegation at the APNIC Blog, and the IETF:
- Authenticated bootstrapping of DNSSEC delegations (NIls Wisiol, APNIC Blog, March 2022)
- Measurement of CDS/CDNSKEY inconsistencies (IETF 119 Presentation, March 2024)
- Generalised DNS NOTIFY (IETF Draft)
Subscribe and share your story
You can stream and subscribe to PING via the following channels:
If you’re interested in sharing your insights or research, please get in touch — we’re always looking for great stories from the community. Please let us know what you think of the podcast and the APNIC Blog so we can keep improving.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.