Allow for arbitrary DNSKEY/CDS/CDNSKEY records to be published
To support the multi-signer model (2), we want to allow arbitrary CDS/CDNSKEY records to be published in the zone. Currently this is not possible, because zone_cdscheck will error if there are CDS/CDNSKEY records in the zone that do not have a matching DNSKEY record.
The multi-signer model (2) ensures a safe transition from one provider to another without the zone going insecure. In this model, both providers have their own KSK. To roll over to the other provider, the DS records of both KSKs need to be published at some point; once the double DS RRset is known to the world, the old DS record can be removed and the transition to the new provider is complete.
If the parent supports DNSSEC Child-Parent synchronization, it may query the child zone's name servers for CDS/CDNSKEY records in order to update the DS RRset. In the case of a provider transition, both providers should publish CDS/CDNSKEY RRsets that contain two entries, one corresponding to the KSK of one provider and one corresponding to the KSK of the other provider.
It should be possible for such CDS/CDNSKEY records to be added to the zone file, or to be added with a Dynamic Update.
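The following is an added example, not BIND's own zone_cdscheck code, that shows the consistency check described above and the relaxation the multi-signer model needs. It assumes a strict mode (every CDS/CDNSKEY must correspond to a DNSKEY in the zone, as the issue describes the current behaviour) and a multi-signer mode in which CDS/CDNSKEY entries with no local DNSKEY are accepted, while an entry that does match a local key by tag and algorithm but carries a wrong digest is still rejected. Key tags follow RFC 4034 Appendix B and DS digests use SHA-256 (digest type 2); the key material is constructed and not real.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in DNS wire format, lower-cased as RFC 4034 requires for DS."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY (and CDNSKEY) RDATA: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name wire format + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def cds_check(owner, dnskeys, cds_set, cdnskey_set, multi_signer=False):
    """Return a list of problems (empty list means the check passes).

    dnskeys, cdnskey_set: lists of (flags, protocol, algorithm, pubkey bytes)
    cds_set: list of (key_tag, algorithm, digest_type, digest_hex)
    multi_signer=False mirrors the strict behaviour described in the issue;
    multi_signer=True accepts entries for the other provider's KSK.
    """
    problems = []
    by_tag = {}
    local_rdata = set()
    for k in dnskeys:
        rd = dnskey_rdata(*k)
        by_tag[(key_tag(rd), k[2])] = rd
        local_rdata.add(rd)

    for tag, alg, dtype, digest in cds_set:
        rd = by_tag.get((tag, alg))
        if rd is None:
            if not multi_signer:
                problems.append(f"CDS {tag}/{alg} has no matching DNSKEY")
            continue  # other provider's KSK: allowed in multi-signer mode
        if dtype != 2:
            problems.append(f"CDS {tag}/{alg}: only digest type 2 handled here")
            continue
        if ds_digest_sha256(owner, rd).lower() != digest.lower():
            # A key we do hold but whose digest is wrong is always an error.
            problems.append(f"CDS {tag}/{alg} digest does not match local DNSKEY")

    for k in cdnskey_set:
        rd = dnskey_rdata(*k)
        if rd not in local_rdata and not multi_signer:
            problems.append(f"CDNSKEY {key_tag(rd)}/{k[2]} has no matching DNSKEY")
    return problems


def demo():
    """Provider A's zone holds only its own KSK but publishes both providers' CDS/CDNSKEY."""
    owner = "example."
    # Constructed keys: algorithm 13 (ECDSAP256SHA256) headers with arbitrary bytes.
    key_a = (257, 3, 13, bytes(range(1, 33)))
    key_b = (257, 3, 13, bytes(range(100, 132)))
    rd_a, rd_b = dnskey_rdata(*key_a), dnskey_rdata(*key_b)
    cds = [
        (key_tag(rd_a), 13, 2, ds_digest_sha256(owner, rd_a)),
        (key_tag(rd_b), 13, 2, ds_digest_sha256(owner, rd_b)),
    ]
    cdnskey = [key_a, key_b]
    strict = cds_check(owner, [key_a], cds, cdnskey)
    relaxed = cds_check(owner, [key_a], cds, cdnskey, multi_signer=True)
    return strict, relaxed


if __name__ == "__main__":
    strict, relaxed = demo()
    print("strict:", strict)
    print("multi-signer:", relaxed)
```

In the strict run the two entries for provider B's KSK are reported as having no matching DNSKEY, which is exactly the situation the issue wants to allow; in multi-signer mode the same RRsets pass, but a CDS whose key tag matches a local key with a wrong digest is still reported.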