-.\" Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.PP
The
\fBdnssec\-cds\fR
-command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&.
+command changes DS records at a delegation point based on CDS or CDNSKEY records published in the child zone\&. If both CDS and CDNSKEY records are present in the child zone, the CDS is preferred\&. This enables a child zone to inform its parent of upcoming changes to its key\-signing keys; by polling periodically with
+\fBdnssec\-cds\fR, the parent can keep the DS records up to date and enable automatic rolling of KSKs\&.
.PP
Two input files are required\&. The
\fB\-f \fR\fB\fIchild\-file\fR\fR
\fBdnssec\-dsfromkey\fR, or the output of a previous run of
\fBdnssec\-cds\fR\&.
.PP
+The
+\fBdnssec\-cds\fR
+command uses special DNSSEC validation logic specified by RFC 7344\&. It requires that the CDS and/or CDNSKEY records are validly signed by a key represented in the existing DS records\&. This will typicially be the pre\-existing key\-signing key (KSK)\&.
+.PP
For protection against replay attacks, the signatures on the child records must not be older than they were on a previous run of
\fBdnssec\-cds\fR\&. This time is obtained from the modification time of the
dsset\-
.RE
.SH "COPYRIGHT"
.br
-Copyright \(co 2017 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
.br
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- - Copyright (C) 2017 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2017, 2018 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
- the child zone, the CDS is preferred.
+ the child zone, the CDS is preferred. This enables a child zone
+ to inform its parent of upcoming changes to its key-signing keys;
+ by polling periodically with <span class="command"><strong>dnssec-cds</strong></span>, the
+ parent can keep the DS records up to date and enable automatic
+ rolling of KSKs.
</p>
<p>
Two input files are required. The
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
run of <span class="command"><strong>dnssec-cds</strong></span>.
</p>
+ <p>
+ The <span class="command"><strong>dnssec-cds</strong></span> command uses special DNSSEC
+ validation logic specified by RFC 7344. It requires that the CDS
+ and/or CDNSKEY records are validly signed by a key represented in the
+ existing DS records. This will typicially be the pre-existing
+ key-signing key (KSK).
+ </p>
<p>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run
The <span class="command"><strong>dnssec-cds</strong></span> command changes DS records at
a delegation point based on CDS or CDNSKEY records published in
the child zone. If both CDS and CDNSKEY records are present in
- the child zone, the CDS is preferred.
+ the child zone, the CDS is preferred. This enables a child zone
+ to inform its parent of upcoming changes to its key-signing keys;
+ by polling periodically with <span class="command"><strong>dnssec-cds</strong></span>, the
+ parent can keep the DS records up to date and enable automatic
+ rolling of KSKs.
</p>
<p>
Two input files are required. The
<span class="command"><strong>dnssec-dsfromkey</strong></span>, or the output of a previous
run of <span class="command"><strong>dnssec-cds</strong></span>.
</p>
+ <p>
+ The <span class="command"><strong>dnssec-cds</strong></span> command uses special DNSSEC
+ validation logic specified by RFC 7344. It requires that the CDS
+ and/or CDNSKEY records are validly signed by a key represented in the
+ existing DS records. This will typicially be the pre-existing
+ key-signing key (KSK).
+ </p>
<p>
For protection against replay attacks, the signatures on the
child records must not be older than they were on a previous run