Understanding DS (Delegation Signer) records and DNSSEC chain of trust
A DS (Delegation Signer) record is a DNSSEC record published in a parent zone that holds a cryptographic hash of a child zone's DNSKEY record (normally the child's key-signing key, or KSK). Because the parent signs its DS records with its own keys, the DS ties the parent's chain of trust to the child's and gives resolvers cryptographic proof that the child's DNSKEY is the one the parent delegated to.
A DS record has four fields: the key tag (a 16-bit identifier computed from the referenced DNSKEY), the algorithm (the DNSKEY's signing algorithm number, for example 13 for ECDSAP256SHA256), the digest type (1 = SHA-1, 2 = SHA-256, 4 = SHA-384), and the digest (the hash of the owner name plus the DNSKEY RDATA). DS records are published in the parent zone (the .com zone for example.com) and reference DNSKEY records in the child zone.
DS records are essential to the chain of trust: without a DS at a delegation, a validating resolver cannot carry trust from the parent into the child, and the child is treated as unsigned even if it publishes DNSKEY and RRSIG records. Learn more about DNSSEC and DNSKEY records.
DS records create a chain of trust from the root zone through the TLD zones to the authoritative zone for a name, so validation can cross zone boundaries.
DS records provide cryptographic proof that a child zone's DNSKEY is the one the parent authorized: the digest published by the parent must equal the hash of the child's key.
DS records secure delegation: an attacker who substitutes their own DNSKEY in the child cannot produce a key whose hash matches the parent's DS, so records signed with that key are rejected by validating resolvers.
DS records do not sign the child's data themselves; they authorize the child's key, and it is the child's RRSIG records, produced with that key, that protect the individual records in the zone.
The DNSSEC chain of trust is a cryptographic chain linking zones from the root down to the authoritative zone for a name, so that a resolver holding only the root's trust anchor can validate any signed name.
DS records form the links in that chain: the parent publishes a DS referencing the child's DNSKEY, the child publishes that DNSKEY and signs its zone with it, and the parent signs its DS RRset with its own DNSKEY, which the grandparent's DS in turn vouches for.
A validating resolver walks the chain top down: starting from the root trust anchor it validates the root DNSKEY RRset, uses the root-signed DS for the TLD to validate the TLD's DNSKEY, uses the TLD-signed DS for the domain to validate the domain's DNSKEY, and finally checks the RRSIG on the record it actually asked for.
If a DS does not match any DNSKEY in the child zone, or the DS RRset itself fails validation, the chain breaks and the zone's data is treated as bogus (validating resolvers answer SERVFAIL). The absence of a DS is different: if the parent proves with a signed NSEC or NSEC3 record that no DS exists, the delegation is treated as insecure (unsigned) and resolution continues without validation. Learn more about why DNSSEC validation fails.
DS records follow this format: key-tag algorithm digest-type digest
example.com. DS 12345 13 2 abcdef1234567890...
Here 13 is the DNSKEY algorithm (ECDSAP256SHA256) and 2 is the digest type (SHA-256), so the full digest is 64 hexadecimal characters; the example above is truncated.
The key tag is a 16-bit value computed from the DNSKEY RDATA (flags, protocol, algorithm and public key) with the checksum defined in RFC 4034 Appendix B. It identifies which DNSKEY the DS refers to, but it is not guaranteed unique: two keys can share a tag, so a validator tries every DNSKEY whose tag and algorithm match.
The digest is a hash over the canonical wire form of the owner name followed by the DNSKEY RDATA. A resolver recomputes it from the child's DNSKEY and compares it with the DS; any change to the key, its flags or its algorithm changes the digest, so the DS proves the DNSKEY is the one the parent was given.
The DS algorithm field must equal the DNSKEY algorithm field, and the digest type must be one the resolver supports: SHA-256 (type 2) is mandatory to implement, and SHA-1 (type 1) should no longer be published.
Use a DNS lookup tool to query the DS record and the child's DNSKEY records, then compare them.
With dig, query the DS RRset for the name (it lives in the parent, but the query is for the child's own name): dig example.com DS +dnssec
Because the DS is published in the parent zone, a recursive resolver fetches it from the parent's (for example.com, the .com zone's) authoritative servers; to see exactly what the parent serves, point dig at one of those servers directly with @server, and fetch the child's keys with dig example.com DNSKEY +dnssec.
Verify that each DS matches one of the child's DNSKEY records: same key tag and algorithm, and the digest recomputed from the DNSKEY equals the published digest. A DS that matches no current DNSKEY usually means the child rolled its key without updating the parent, and validating resolvers will return SERVFAIL for the zone.
Test end-to-end validation with a validating tool such as delv (delv example.com A), or query a validating resolver with dig +dnssec and check that the answer carries the ad (authenticated data) flag.
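The following is an added example, not code from the original page, showing how the key tag and digest in the DS format above are derived from a DNSKEY and how the "DS matches DNSKEY" check in the verification steps works. It uses only the Python standard library; the DNSKEY is a constructed sample (flags 257, algorithm 13, with the 64 key bytes 0x01..0x40 standing in for a real P-256 public key so the key tag can be checked by hand), and the function names are the example's own.

```python
"""Compute and verify DS records from DNSKEY records (RFC 4034 / RFC 4035).

Added example, not code from the original page. Standard library only; the
DNSKEY below is a constructed sample, not a real key.
"""
import base64
import hashlib
import struct

# DS digest types from the IANA registry (GOST, type 3, omitted here)
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample: flags 257 (zone key + SEP, i.e. a KSK), protocol 3,
# algorithm 13 (ECDSAP256SHA256). A real P-256 key is 64 bytes of x||y; here
# the 64 bytes are simply 0x01..0x40 so the key tag (2098) can be checked by hand.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(1, 65))).decode("ascii")
SAMPLE_DNSKEY = f"example.com. 3600 IN DNSKEY 257 3 13 {SAMPLE_KEY_B64}"


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse '<owner> [TTL] [IN] DNSKEY <flags> <proto> <alg> <key...>' presentation format."""
    tokens = line.split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    return tokens[0], flags, proto, alg, "".join(tokens[i + 4:])


def parse_ds(line: str):
    """Parse '<owner> [TTL] [IN] DS <keytag> <alg> <digesttype> <digest...>' presentation format."""
    tokens = line.split()
    i = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[i + 1:i + 4])
    return tokens[0], tag, alg, dtype, "".join(tokens[i + 4:]).lower()


def make_ds(dnskey_line: str, digest_type: int = 2) -> str:
    """Build the DS record a parent zone would publish for this DNSKEY."""
    owner, flags, proto, alg, key_b64 = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, key_b64)
    # RFC 4034 section 5.1.4: digest = hash(canonical owner name | DNSKEY RDATA)
    digest = hashlib.new(DIGEST_ALGOS[digest_type], owner_to_wire(owner) + rdata).hexdigest()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest.upper()}"


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """The check a validating resolver performs at a delegation (RFC 4035 section 5.2)."""
    ds_owner, tag, alg, dtype, digest = parse_ds(ds_line)
    owner, flags, proto, kalg, key_b64 = parse_dnskey(dnskey_line)
    if owner_to_wire(owner) != owner_to_wire(ds_owner):
        return False
    if not flags & 0x0100 or proto != 3:      # must be a zone key using protocol 3
        return False
    if dtype not in DIGEST_ALGOS:             # unsupported digest type cannot be used
        return False
    rdata = dnskey_rdata(flags, proto, kalg, key_b64)
    if kalg != alg or key_tag(rdata) != tag:  # algorithm and key tag must agree
        return False
    expected = hashlib.new(DIGEST_ALGOS[dtype], owner_to_wire(owner) + rdata).hexdigest()
    return expected == digest


if __name__ == "__main__":
    ds = make_ds(SAMPLE_DNSKEY)
    print(ds)
    print("matches:", ds_matches_dnskey(ds, SAMPLE_DNSKEY))
    # flip the last digest nibble: a tampered or stale DS no longer matches
    tampered = ds[:-1] + ("0" if ds[-1] != "0" else "1")
    print("tampered matches:", ds_matches_dnskey(tampered, SAMPLE_DNSKEY))
```

To use this against live data, paste the DS lines returned by dig for the parent and the DNSKEY lines returned for the child into ds_matches_dnskey; a True result for at least one DS/DNSKEY pair is what a validating resolver needs to continue down the chain, and a key rolled in the child without a corresponding DS update shows up as every pair returning False.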