Yes. CDS/CDNSKEY, as defined in RFC 8078, is a standard to signal via DNS that DNSSEC parameters are to be updated. This makes it easy for nameserver administrators to turn on/off DNSSEC or to perform key rollovers without having to upload DNSSEC data via EPP or a web interface.
Domainnameshop supports CDS/CDNSKEY in two different ways:
- For domains that use Domainnameshop's nameservers but Domainnameshop is not the registrar, we will automatically publish CDS/CDNSKEY records in DNS to signal to the parent zone which DNSSEC parameters (i.e. DS records) should be active. At the moment, only a handful of TLD operators (.ch, .li, .nu, .se and .sk) periodically check for CDS/CDNSKEY records, but many others (e.g. .no and .dk) have plans to start supporting this soon.
- For domains that do not use Domainnameshop's nameservers but Domainnameshop is the registrar, we will check daily for any CDS/CDNSKEY records in DNS. If we discover that the nameservers publish CDS/CDNSKEY records that do not match the existing DS/DNSKEY records for the zone, we will automatically update this via EPP and send an email to the domain's administrator, explaining which changes have been made. Many large DNS providers such as Cloudflare, Wix and Google Domains will automatically publish CDS/CDNSKEY records when DNSSEC is enabled. These will then be picked up by our system, making DNSSEC management safe and simple.
For domains that use Domainnameshop's nameservers and also have Domainnameshop as the registrar, CDS/CDNSKEY is not used. Instead, DNSSEC is updated directly via EPP.
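The daily registrar-side check described above can be sketched as follows. This is an added example, not Domainnameshop's code: the function names, the tuple layout and the sample key are assumptions, and it assumes the CDNSKEY RRset has already been DNSSEC-validated against the zone's current chain of trust before it is acted on.

```python
import base64
import hashlib
import struct

# Constructed sample key (not a real key): flags 257, protocol 3, algorithm 13.
SAMPLE_CDNSKEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
DELETE_SENTINEL = (0, 3, 0, "AA==")  # RFC 8078: "turn DNSSEC off" signal

def name_to_wire(name):
    """Canonical (lowercase) DNS wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_from_cdnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex) for one CDNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def plan_ds_update(owner, cdnskeys, current_ds):
    """Decide what to send to the registry: (action, resulting DS set).

    cdnskeys:   list of (flags, protocol, algorithm, base64 key) tuples.
    current_ds: set of DS tuples as returned by ds_from_cdnskey (upper-case hex).
    """
    if not cdnskeys:
        return ("none", set(current_ds))  # nothing published: leave DS untouched
    if any(k[2] == 0 for k in cdnskeys):
        # Algorithm 0 is only valid as the single delete sentinel record.
        if len(cdnskeys) != 1 or cdnskeys[0] != DELETE_SENTINEL:
            raise ValueError("delete sentinel must be the only CDNSKEY record")
        return ("delete", set()) if current_ds else ("none", set())
    wanted = {ds_from_cdnskey(owner, *k) for k in cdnskeys}
    if wanted == set(current_ds):
        return ("none", wanted)           # parent already matches the child
    return ("replace", wanted)            # enable DNSSEC or roll the key

if __name__ == "__main__":
    print(plan_ds_update("example.com.", [SAMPLE_CDNSKEY], set()))
```

Only a result of `replace` or `delete` would lead to an EPP update and a notification email; `none` means the parent's DS set already reflects what the child publishes.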