For redirected domains, what DNS records are required?

Solution 1:

how do the DNS records for the primary domain and all the redirect domains differ?

They don't, as the DNS has no knowledge about "redirects", but just helps to resolve a name, through an IP address, so for all cases, through direct A or AAAA records, or with CNAME intermediate records.

All names must resolve to an IP address where a webserver listens for HTTP calls and does "redirects" (or proxying) as needed.

Am I correct in assuming that need an SSL cert for every domain, even the redirecting ones?

Again, this has nothing to do with the DNS. If you do an HTTPS call to https://www.example.com/ the webserver has to reply with a valid certificate for www.example.com and only after that it can reply with an HTTP 301, 302, 307 or 308 to denote a redirect to another URL.

PS: and please do not say "SSL cert" this has no meaning for at least two reasons.