CDNSKEY Record DNSSEC

The CDNSKEY record (Child DNSKEY) works alongside CDS records to enable automated DNSSEC key management. It publishes the child zone's DNSKEY in a format the parent can use to automatically compute and update DS records.

What Is a CDNSKEY Record?

While CDS contains the hash (digest) of the key, CDNSKEY contains the actual public key. The parent zone can then compute the DS record directly from the CDNSKEY.

Publishing both CDS and CDNSKEY provides maximum compatibility with different registry systems.

CDNSKEY Record Format

Example CDNSKEY Record

example.com.    3600    IN    CDNSKEY    257 3 13 mdsswUyr3DPW...base64key...

Same format as DNSKEY: flags, protocol, algorithm, public key.

CDNSKEY vs CDS

Aspect               CDNSKEY                  CDS
Contains             Full public key          Key hash (digest)
Parent computes DS   Yes (from the key)       No (DS digest supplied by child)
Size                 Larger                   Smaller
Flexibility          Parent chooses digest    Child specifies digest

How CDNSKEY Works

  1. Child publishes CDNSKEY with desired KSK
  2. Parent retrieves and validates CDNSKEY
  3. Parent computes DS hash from CDNSKEY
  4. Parent publishes DS record

DNSSEC Removal with CDNSKEY

RFC 8078 defines a special CDNSKEY value (flags 0, protocol 3, algorithm 0, public key AA==) that asks the parent to remove the delegation's DS records:

example.com.    3600    IN    CDNSKEY    0 3 0 AA==

This signals the parent to remove all DS records.
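As an added illustration (not code from the original page), the following Python reproduces steps 3 and 4 of the workflow above on the parent side: it parses a CDNSKEY, computes the RFC 4034 key tag and the SHA-256 (digest type 2) DS digest over the canonical owner name plus DNSKEY RDATA, recognises the RFC 8078 delete record just shown, and rejects keys whose flags are not 257. The 64-byte key is constructed filler, not a real key.

```python
import base64
import hashlib
import struct
from typing import Optional, Tuple

# RFC 8078 "DNSSEC delete" CDNSKEY: flags 0, protocol 3, algorithm 0, key AA== (one zero byte).
DELETE_RDATA = (0, 3, 0, b"\x00")

# Constructed sample CDNSKEY (flags 257 = KSK, algorithm 13 = ECDSAP256SHA256).
# The 64 key bytes are made-up filler for this example, not a real public key.
SAMPLE_CDNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format: lower-cased, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_cdnskey(rdata_text: str) -> Tuple[int, int, int, bytes]:
    """Split presentation-format RDATA 'flags protocol algorithm base64...' into fields."""
    flags, proto, alg, *key = rdata_text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key))


def key_tag(flags: int, proto: int, alg: int, key: bytes) -> int:
    """Key tag of RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def cdnskey_to_ds(owner: str, rdata_text: str, digest_type: int = 2) -> Optional[str]:
    """Return the DS RDATA a parent would publish for this CDNSKEY.

    Returns None for the RFC 8078 delete record (meaning: remove all DS records).
    Raises ValueError when the key is not a KSK (flags 257); CDNSKEY is for KSKs only.
    """
    flags, proto, alg, key = parse_cdnskey(rdata_text)
    if (flags, proto, alg, key) == DELETE_RDATA:
        return None
    if flags != 257:
        raise ValueError(f"CDNSKEY flags {flags}: only KSKs (flags 257) belong in CDNSKEY")
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(flags, proto, alg, key)} {alg} {digest_type} {digest}"
```

This covers only the DS computation; step 2 (validating the CDNSKEY RRset's signature against the DNSKEY the parent already trusts) must succeed before a parent acts on the result.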

CDNSKEY Best Practices

  • Publish with CDS — Use both for maximum registry compatibility.
  • Sign properly — CDNSKEY must be signed by a valid DNSKEY.
  • Only publish KSK — CDNSKEY should be for Key Signing Keys only.
  • Monitor updates — Verify parent processes the change.
  • Clean up — Remove CDNSKEY after DS is successfully updated.

Registry Support

CDNSKEY support varies by registry. Some prefer CDS, others prefer CDNSKEY, and many support both. Check with your registry/registrar for specific requirements.

Troubleshooting CDNSKEY

Common issues and solutions:

  • Parent not processing — Verify registry supports CDNSKEY.
  • Signature invalid — Ensure CDNSKEY is signed by active DNSKEY.
  • Key mismatch — CDNSKEY should match one of your DNSKEYs exactly.
  • Wrong flags — Ensure flag 257 (KSK) is used.
