@ngayerie
Contributor

Based on internal engineering discussions, add detailed explanations and best practices for DNSSEC features:

1. Create DNSSEC FAQ page with:
   - CDS/CDNSKEY records explanation and purpose
   - How Cloudflare automates DS record management (RFC 8078)
   - Key rotation frequency and automation
   - Migration scenarios and limitations
   - Why existing DS records can't be reused (chain of trust)
   - EDNS0 support confirmation

2. Enhance multi-signer DNSSEC technical details:
   - What happens when dnssec_multi_signer is enabled
   - How Cloudflare signs external ZSKs with its KSK
   - CDS/CDNSKEY generation for multi-signer setups

3. Add multi-signer best practices:
   - Model 2 recommendation
   - DNSKEY flag reference (256 for ZSK, 257 for KSK)
   - Critical TTL adherence requirements
   - Provider compatibility verification
   - Testing recommendations

Addresses SPM-3058

@ngayerie ngayerie requested review from a team and RebeccaTamachiro as code owners January 14, 2026 16:39
@github-actions github-actions bot added size/m product:dns Issues or PRs related to DNS labels Jan 14, 2026
Link 'via API' text to the Edit DNSSEC Status API endpoint for easier
navigation to the API documentation.
Remove specific vendor reference to keep documentation more general.