DS Record DNSSEC
The DS record (Delegation Signer) is a crucial DNSSEC record that establishes the chain of trust between a parent zone and a child zone. It contains a hash of a child zone's DNSKEY, allowing resolvers to verify that the child zone's keys are authorized by the parent.
What Is a DS Record?
The DS record links a child zone's DNSSEC keys to its parent zone. For example, example.com's DS record is stored in the .com zone, creating a verifiable chain from the root zone down to your domain.
The DS record contains a hash (digest) of the child's KSK (Key Signing Key), not the actual key itself.
DS Record Format
Example DS Record
```text
example.com. 3600 IN DS 12345 13 2 49FD46E6C4B45C55D4AC...
```
DS Record Fields
| Field | Description | Example |
|---|---|---|
| Key Tag | Identifier for the DNSKEY | 12345 |
| Algorithm | Same as DNSKEY algorithm | 13 (ECDSA) |
| Digest Type | Hash algorithm used | 2 (SHA-256) |
| Digest | Hash of the DNSKEY | Hex string |
Digest Types
| Type | Algorithm | Status |
|---|---|---|
| 1 | SHA-1 | Deprecated (avoid) |
| 2 | SHA-256 | Recommended |
| 4 | SHA-384 | Supported |
DNSSEC Chain of Trust
- Root zone — Has DNSKEY, signed by root KSK
- .com zone — DS record in root points to .com's DNSKEY
- example.com — DS record in .com points to example.com's DNSKEY
- Your records — Signed by your DNSKEY
Resolvers follow this chain from the root (which they trust via the root trust anchor) down to your domain, verifying each link.
Setting Up DS Records
Unlike most DNS records, you don't create DS records in your own zone. Instead:
- Generate DNSSEC keys for your zone
- Sign your zone with the keys
- Calculate the DS record from your KSK
- Submit the DS record to your registrar
- Registrar adds DS to the parent zone
Generating DS Records
```bash
# Compute a SHA-256 (digest type 2) DS record from a file holding the zone's DNSKEY record(s)
# using BIND 9's dnssec-dsfromkey: -f reads DNSKEY RRs from a zone-format file, and the
# trailing argument is the owner name the DS is for
dnssec-dsfromkey -2 -f example.com.dnskey example.com
# Output format:
# example.com. IN DS 12345 13 2 49FD46E6...
```
DS Record Best Practices
- Use SHA-256 (type 2) — SHA-1 is deprecated; always use SHA-256 or stronger.
- Only DS for KSK — Only create DS records for your Key Signing Key, not ZSK.
- Plan key rollovers carefully — Update DS at parent during KSK rollover.
- Verify before submitting — Test DNSSEC locally before adding DS to parent.
- Monitor chain integrity — Set up alerts for DNSSEC validation failures.
DS vs CDS Records
| Aspect | DS Record | CDS Record |
|---|---|---|
| Location | Parent zone | Child zone |
| Who creates | Parent (via registrar) | Child (zone owner) |
| Purpose | Actual delegation | Signal desired DS change |
| Automation | Manual submission | Automatic updates (RFC 8078) |
Troubleshooting DS Records
Common issues and solutions:
- SERVFAIL after enabling DNSSEC — DS record doesn't match DNSKEY; verify hash.
- Key tag mismatch — Ensure DS key tag matches your DNSKEY's computed tag.
- Algorithm mismatch — DS and DNSKEY must use the same algorithm number.
- Broken chain after key rollover — Update DS record before removing old key.
- DS record not appearing — Check with registrar; propagation may take time.
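As an added example (not code from this page, from DNS Explorer, or from BIND), the following Python builds a DS record from a DNSKEY the way dnssec-dsfromkey does: the key tag is computed per RFC 4034 Appendix B, and the digest is hash(canonical owner name in wire form || DNSKEY RDATA) per RFC 4034 section 5.1.4. It then checks a DS/DNSKEY pair and reports which of the mismatches listed above applies (key tag, algorithm, digest type, or digest). The sample KSK is constructed, a deterministic 64-byte stand-in for an algorithm 13 public key rather than a real key, so the script runs offline; the function names are the example's own.

```python
"""Build and check DS records from DNSKEY records (RFC 4034 s.5.1.4 and Appendix B)."""
import base64
import hashlib
import struct

# DS "Digest Type" field -> hash function (1 = SHA-1, deprecated; 2 = SHA-256; 4 = SHA-384)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(rdata_text):
    """Parse presentation-format DNSKEY RDATA 'FLAGS PROTOCOL ALGORITHM BASE64...'."""
    flags, proto, alg, *b64 = rdata_text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(b64))


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones-complement-style sum over the RDATA bytes."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey_text, digest_type=2):
    """Return DS RDATA 'KEYTAG ALGORITHM DIGESTTYPE DIGEST' for the given owner and DNSKEY."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    # The digest covers the canonical owner name followed by the DNSKEY RDATA
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%d %d %d %s" % (key_tag(rdata), alg, digest_type, digest)


def check_ds(owner, dnskey_text, ds_text):
    """Explain whether a DS matches a DNSKEY; the failure strings mirror the troubleshooting list."""
    tag, alg, dtype, digest = ds_text.split(maxsplit=3)
    tag, alg, dtype = int(tag), int(alg), int(dtype)
    digest = digest.replace(" ", "").upper()  # presentation format may wrap the hex digest
    flags, proto, kalg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, kalg, key)
    if alg != kalg:
        return "algorithm mismatch"
    if tag != key_tag(rdata):
        return "key tag mismatch"
    if dtype not in DIGEST_ALGOS:
        return "unsupported digest type"
    expected = DIGEST_ALGOS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
    return "ok" if expected == digest else "digest mismatch"


# Constructed sample: a KSK (flags 257 = ZONE|SEP), protocol 3, algorithm 13, with a
# deterministic 64-byte stand-in for the public key (bytes 0x00..0x3F). Not a real key.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = bytes(range(64))
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(SAMPLE_KEY).decode("ascii")

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(SAMPLE_OWNER, "IN DS", ds)
    print("self-check:", check_ds(SAMPLE_OWNER, SAMPLE_DNSKEY, ds))
    print("wrong owner:", check_ds("example.org.", SAMPLE_DNSKEY, ds))
```

The "wrong owner" case is the one that surprises people: the digest input starts with the owner name, so a DS copied between zones never validates even when the DNSKEY is byte-identical. Run the same `check_ds` against the DS you fetched from the parent (`dig DS example.com`) and the DNSKEY served by the child to pin down which field is wrong before contacting the registrar.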
Validate Your DNSSEC Chain of Trust
DNS Explorer checks DS records, verifies chain integrity, and alerts you to DNSSEC configuration issues.
Check Your DS Records
Use our DNS Record Finder to look up DS records for any domain.
Related Record Types
- DNSKEY Record — Public keys for DNSSEC
- CDS Record — Child-initiated DS updates
- RRSIG Record — DNSSEC signatures
- NS Record — Nameserver delegation