Automated DNSSEC Provisioning
With a CDS (Child DS) record, a name server operator can signal to the registry which DS record should be set for a domain name in the .ch or .li zone. Our system checks all registered .ch and .li domain names for the presence of CDS records on a daily basis. This process allows for fully automated DNSSEC bootstrapping, key rollover or removal. To take advantage of this process, your DNS software needs to support the publication of CDS records.
Changes signaled via CDS records are accepted and published in the .ch or .li zone if these acceptance criteria are met:
- A published CDS record set must not change for three consecutive days.
- A published CDS record set must not change for at least three verification runs.
- A CDS record set is only accepted if it does not break the chain of trust.
For bootstrapping DNSSEC, the following additional requirements apply:
- All authoritative name servers assigned to a domain name in our database are checked on all their IP addresses.
- These name servers must respond with a consistent result.
- The DNS query is sent over TCP only.
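The stability and consistency criteria above can be written as a small decision function; this is an added illustration, not the registry's own code, and it applies the bootstrapping consistency requirement to every run. It assumes one entry per verification run, reads "three consecutive days" as three consecutive calendar dates ending with the newest run, uses constructed sample data, and leaves out the chain-of-trust validation and the TCP queries themselves.

```python
from datetime import date, timedelta

def normalize(rr):
    """Canonicalise 'keytag alg digesttype digest' (digest may contain spaces)."""
    tag, alg, dtype, *digest = rr.split()
    return (int(tag), int(alg), int(dtype), "".join(digest).upper())

def consistent_set(answers, expected):
    """CDS set shared by every expected (ns, ip) endpoint, else None."""
    if any(ep not in answers or answers[ep] is None for ep in expected):
        return None                      # an address was not checked or did not answer
    sets = {frozenset(normalize(rr) for rr in answers[ep]) for ep in expected}
    if len(sets) != 1:
        return None                      # name servers disagree
    return next(iter(sets)) or None      # an empty answer carries no signal

def decide(runs, expected, min_runs=3, min_days=3):
    """runs: chronological list of (date, {(ns, ip): [cds, ...] or None})."""
    current, streak = None, []
    for day, answers in reversed(runs):  # walk back from the newest run
        seen = consistent_set(answers, expected)
        if seen is None or (current is not None and seen != current):
            break                        # streak of identical observations ends here
        current = seen
        streak.append(day)
    if current is None:
        return ("wait", "latest run has no consistent CDS set")
    newest = streak[0]
    # Assumption: "three consecutive days" = newest date and the two before it.
    days_ok = all(newest - timedelta(days=i) in streak for i in range(min_days))
    if len(streak) < min_runs or not days_ok:
        return ("wait", "CDS set not yet stable")
    return ("accept", sorted(current))

# Constructed sample data: documentation addresses and a made-up digest.
ENDPOINTS = [("ns1.example.ch", "192.0.2.1"), ("ns1.example.ch", "2001:db8::1"),
             ("ns2.example.ch", "198.51.100.1")]
CDS = "12345 13 2 " + "ab" * 32

def run(day, overrides=None):
    """One verification run on 2024-05-<day>; overrides replace per-endpoint answers."""
    return (date(2024, 5, day), {**{ep: [CDS] for ep in ENDPOINTS}, **(overrides or {})})

if __name__ == "__main__":
    print(decide([run(1), run(2), run(3)], ENDPOINTS))
```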
Read our guidelines for a more detailed description of our provisioning process.