Erase CDNSKEY record for .CZ domain

I have a .cz domain set up with Cloudflare for which I have enabled DNSSEC. I’ve published a keyset object at my registrar as told and so the process was successful. However since CF also publishes CDS and CDNSKEY records for automatic setup, after 24 hours my own keyset gets overwritten by one with a randomly generated ID that has the central registry listed as a technical contact. Whenever I change it back to mine, it gets overwritten again after 24 hours.

This new keyset has all the same settings and public key, but a different random ID and contact, and I’d prefer the option to have my own keyset associated with my domain, listing me as the technical contact. How can I stop CF from publishing the CDS and CDNSKEY records to exclude it from automated key management? (English toggle available at the top)

I’m trying to see how those look in my domain. Where are you seeing these records?

@mvavrusa is probably the only person who can respond authoritatively here.

I suspect you are not, by definition, the technical contact/manager. You are the domain holder, which is not the same thing.

1 Like

It is not currently possible to disable CDS/CDNSKEY publishing when DNSSEC is enabled.

The reason for this is to decrease the possibility of customers breaking their domains when DNSSEC is enabled.
While I can certainly understand the sentiment to control the DS keyset yourself, this has no actual technical effect; as you mention, the keyset remains the same. So it’s more aesthetics than technical.

I’m making this into a feature request.
May I also suggest raising the issue of opting out of CDS/CDNSKEY scanning at the registrar/registry.

2 Likes

I’m not able to see the CDS and CDNSKEY records, however according to this blog post, this is how it works. “TLDs .ch and .cz already support this automated method through Cloudflare and any other DNS operators that choose to support RFC8078.”

For .cz domains, there are multiple “objects” besides the domain itself, like the nameserver set (NSSET) or the KEYSET, each having a technical contact object associated with them. I am listed as the holder and administrative contact for the domain, and technical contact for the NSSET (the only contact option available for NSSET and KEYSET). Before an overwrite happens, I am also in fact listed as technical contact for the keyset object I created for the domain. I am the only person associated with this domain; I manage its settings at the registrar, DNS settings here, etc.; no one else has access to it. I don’t know who else should be listed as the technical contact.

I understand that it’s for safety purposes and that there are no technical differences. The registry is only able to send information about the keyset object to the technical contact’s email address, and right now I’m not able to receive any communication in case anything happens that I need to know about. I’d appreciate it if you could add the option for users who know what they are doing. It can be a somewhat hidden, more obscure setting. I believe there are also other potentially dangerous and site-breaking settings in the dashboard, but they show the appropriate warnings, which should be sufficient.

I’m also contacting the registry about disabling scanning. Thank you.

1 Like

Standard tools will show the records.

dig CDS example.cz
dig CDNSKEY example.cz

In some cases it is the person who has technical control of the nameservers, and I suspect that is the case here. If there is a technical issue with the scanning, only the person with control of the nameservers could intervene and resolve it.

In a similar fashion to the SOA for all domains where Cloudflare operate the nameservers, the RNAME is Cloudflare, not the owner/admin/billing contact from Whois.
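The check an operator might run beside those dig commands, as an added example that is not part of the original thread and not Cloudflare's or CZ.NIC's code: it derives the DS that an RFC 8078 scanner would compute from the CDNSKEY a zone publishes (RFC 4034 key tag and SHA-256 digest, digest type 2) and compares the child's CDS set with the DS set at the parent, so you can tell in advance whether the registry's next scan will leave the delegation alone, rewrite it, or (with the RFC 8078 delete sentinel) strip DS entirely. All records are constructed sample data: the owner name example.cz and the key bytes are placeholders, not a real key.

```python
"""Compare a child zone's CDS/CDNSKEY with the parent's DS set, the way an
RFC 8078 scanner does before touching the delegation. Sample data only."""
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name (RFC 4034 6.2): lowercase labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [IN] DNSKEY|CDNSKEY flags proto alg key...' (dig output
    may split the base64 key over several fields) into (owner, rdata)."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in ("DNSKEY", "CDNSKEY"))
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def parse_ds(line: str) -> DS:
    """Parse 'owner [ttl] [IN] DS|CDS tag alg dtype digest...' into a DS."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in ("DS", "CDS"))
    tag, alg, dtype = (int(x) for x in fields[idx + 1:idx + 4])
    return DS(tag, alg, dtype, "".join(fields[idx + 4:]).lower())


def ds_from_dnskey(owner: str, rdata: bytes) -> DS:
    """DS with SHA-256 digest (type 2, RFC 4509) over owner | RDATA (RFC 4034 5.1.4)."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return DS(key_tag(rdata), rdata[3], 2, digest)


# RFC 8078 section 4: a lone "CDS 0 0 0 00" asks the parent to remove the DS.
DELETE_SENTINEL = DS(0, 0, 0, "00")


def delegation_state(cds_lines, parent_ds_lines) -> str:
    """What the next parent-side scan would do given these record sets."""
    child = {parse_ds(l) for l in cds_lines}
    parent = {parse_ds(l) for l in parent_ds_lines}
    if child == {DELETE_SENTINEL}:
        return "delete-requested"
    return "in-sync" if child == parent else "parent-would-change"


def ds_line(owner: str, ds: DS, rrtype: str = "DS") -> str:
    return f"{owner} 3600 IN {rrtype} {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest}"


# Constructed sample: KSK-flagged (257), algorithm 13 CDNSKEY with placeholder
# key bytes 0..63 standing in for a real 64-byte ECDSA P-256 public key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_CDNSKEY = f"example.cz. 3600 IN CDNSKEY 257 3 13 {SAMPLE_KEY_B64}"


def demo() -> dict:
    owner, rdata = parse_dnskey(SAMPLE_CDNSKEY)
    expected = ds_from_dnskey(owner, rdata)
    cds = [ds_line(owner, expected, "CDS")]
    parent_ok = [ds_line(owner, expected)]
    parent_stale = [ds_line(owner, DS(12345, 13, 2, "ab" * 32))]  # constructed stale DS
    return {
        "key_tag": expected.key_tag,
        "in_sync": delegation_state(cds, parent_ok),
        "stale_parent": delegation_state(cds, parent_stale),
        "delete": delegation_state([f"{owner} 3600 IN CDS 0 0 0 00"], parent_ok),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

To use it on a live zone, feed the lines from `dig CDS example.cz` / `dig CDNSKEY example.cz` and from `dig DS example.cz @<a .cz nameserver>` into `delegation_state`; "in-sync" means the scanner has nothing to rewrite, and "delete-requested" is the state to alert on, since it means whoever controls the zone content has asked the parent to drop DNSSEC validation for the delegation.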

Thank you for the clarification. Right now, the contact is “CZ-NIC”, which is basically a dummy object, so it’s not even Cloudflare. I’ll try asking if at least this detail of the keyset object can be changed, if not the object itself.

The registry told me that unfortunately they can’t disable scanning for CDNSKEY of the domain. I’d be really grateful if you could add the option to the dashboard. Thank you.
