CDS/CDNSKEY Builder

Build CDS/CDNSKEY RRs from child DNSKEYs to enable automated DS updates at the parent. These records allow child zones to signal DS record changes to parent zones for automated DNSSEC maintenance.

DNSKEY Record

Using example data - modify to see your results

Owner Name

Generate CDS Records Generate CDNSKEY Record

Error: Invalid base64 public key

CDS Records

CDS (Child DS) records are placed in the child zone to signal DS record changes to the parent. Parents can automatically process these to update DS records in their zone.

CDNSKEY Records

CDNSKEY (Child DNSKEY) records are copies of DNSKEYs placed in the child zone. Parents can use these to generate DS records automatically using their preferred digest algorithm.

RFC 8078 Automation

These records enable automated DS maintenance as defined in RFC 8078. This reduces manual coordination between child and parent zones during key rollover.

Implementation Notes

Always use KSK (Key Signing Key) records for CDS/CDNSKEY generation. Verify parent support for automated DS updates before relying on this mechanism.