2 CDS records but just 1 DS record

On a domain I recently set up to use DNSSEC with deSEC NS, DNSViz shows a warning to the effect that the CDS records published by deSEC don’t match the actual DS record.

Technically this is true because there is only one DS record but 2 CDS records, one of which matches the DS record. So the second one is the difference. The two differ in the digest type used. The one with digest type 2 (SHA-256) corresponds to the DS record, while the one with digest type 4 (SHA-384) has no match.

Note: My registrar wanted the fields of the DNSKEY to set this up, not the DS record(s). And the TLD also displays the DNSKEY in the whois reply next to the NS glue entries, not the DS record. Other TLDs may handle this differently.

I am assuming this DNSViz warning can be ignored, correct?

Even the deSEC web interface only shows a single DS record (with digest type 2) in the Info box for the Zone after a change some time ago.

Does it make sense to keep publishing both CDS records?


Hi fiwswe,

Just a few days ago, I pointed out to DNSViz folks that this case should not really be considered a difference:

I think it’s fine if the CDS digest algo set is a superset of that of DS, as long as the latter contains one of the mandatory ones.


Not really. :slight_smile: Created an issue for it.

Stay secure,