How do I disable DNSSEC using CDS?

Publish a special CDS record with values '0 0 0 00' (RFC 8078). This signals the parent to remove all DS records, effectively disabling DNSSEC for the domain.

What's the difference between CDS and DS records?

DS records are stored in the parent zone and provide active DNSSEC delegation. CDS records are stored in the child zone and signal desired DS changes. The parent reads CDS and updates its DS record accordingly.

Which registries support CDS?

Support varies by TLD. Swedish (.se, .nu), Swiss (.ch, .li), and many European ccTLDs fully support CDS. Support for .com and .net depends on your registrar. Check with your registry for CDS processing availability.

CDS Record DNSSEC

Q: What is a CDS record?

A CDS (Child DS) record allows a child zone to signal desired changes to its DS record in the parent zone. This enables automated DNSSEC key management without manual registrar intervention.

The CDS record (Child DS) allows a child zone to signal desired changes to its DS record in the parent zone. This enables automated DNSSEC key management without manual intervention at the registrar.

Look Up CDS Records

Check CDS records for any domain using our free DNS lookup tool.

Look Up CDS Records →

What Is a CDS Record?

Traditionally, updating the DS record requires contacting your registrar manually. CDS records (RFC 7344, updated by RFC 8078) provide a way for the child zone to publish desired DS changes, which the parent can then automatically pick up and process.

The CDS record has the same format as a DS record but is published in the child zone.

CDS Record Format

Example CDS Record

example.com.    3600    IN    CDS    12345 13 2 49FD46E6C4B45C55D4AC...

Same format as DS: key tag, algorithm, digest type, digest.

How CDS Works

Child zone publishes CDS record with desired DS data
Parent zone (via registrar/registry) polls for CDS records
Parent validates the CDS is properly signed
Parent updates DS record to match CDS
Child can remove CDS after DS is updated

CDS Use Cases

Initial DNSSEC Setup

Publish CDS to request DS record creation in parent:

example.com.    CDS    12345 13 2 abc123...

Key Rollover

Publish new CDS during KSK rollover:

example.com.    CDS    67890 13 2 def456...  ; new key

DNSSEC Removal

Special CDS to request DS removal (RFC 8078):

example.com.    CDS    0 0 0 00

This signals the parent to remove all DS records, disabling DNSSEC.

CDS vs DS

Aspect	DS Record	CDS Record
Location	Parent zone	Child zone
Purpose	Active delegation	Signal desired change
Who creates	Parent/registrar	Child zone owner
Automation	Requires registrar action	Can be automated

Registry/Registrar Support

CDS automation requires support from your registry. Adoption varies:

.se, .nu — Full CDS support
.ch, .li — CDS support
.com, .net — Limited (depends on registrar)
Many ccTLDs — Increasingly supporting CDS

CDS Best Practices

Check registry support — Verify your TLD/registrar supports CDS.
Sign CDS records — CDS must be signed with a valid DNSKEY.
Use with CDNSKEY — Publish both CDS and CDNSKEY for broader compatibility.
Monitor propagation — Verify DS was updated after publishing CDS.
Remove after success — CDS can be removed once DS is in place.

Troubleshooting CDS

Common issues and solutions:

DS not updating — Check if registry supports CDS; may require registrar action.
Invalid signature — Ensure CDS is signed by a valid, chained DNSKEY.
Format mismatch — CDS fields must match expected DS format.
Polling delay — Registries may poll infrequently; wait for processing.

Check Your CDS Records

Use our DNS Record Finder to look up CDS records for any domain.