DS record explained

The DS record is a specific DNS record that is used to secure the DNS (DNSSEC). It uses cryptographic keys to verify zones from the DNSSEC chain of trust.

What is DNSSEC?

DNSSEC is the solution to secure, otherwise unsecured DNS. It is a chain of trust that uses a combination of public and private cryptographic keys to authenticate each step of DNS resolving processes. Starting from the authoritative name server, going through each step on the way, and checking that the DNS records to see if they are truly coming from the authoritative name server for the zone.

DS record explained

DS record is short for delegation signer record. You need DS records to apply DNSSEC.

Create DS records for the sub-domains, and, later, you need to add them to the parent zone, together with NS records. That way, the zones below will be verified.

Inside the DS record, you will find the cryptographic DNSKEY hash that contains KSK (key signing key) and orientate, where is the next key in the chain of trust.

You need to sign the subdomains, to maintain the trust on all of the levels.

Important note, if there are other DNS records already for a particular subdomain like MX, TXT, A, etc., you can’t add a DS record. The only record that could and must exist for the subdomain are NS records.

How to add a DS record?

To be able to use DS records, your DNS provider must support DNSSEC and be enabled. Pay attention that not all the TLDs support DNSSEC. You create the DS record inside your DNS provider’s control panel. First, you need to create a Master DNS zone and add it there.

Later you will need to put it in your domain registrar account at the TLD level. Some DNS providers do this process for you, others don’t, but the DS record must be at the highest level because that way, it can verify those below.

What’s inside a DS record?

  • Host: The host/subdomain for which you want to add the DS record.
  • Key Tag: the DNSKEY’s tag value that validates the signature. It is used as an easy identifier.
  • Algorithm: This shows the algorithm that is used to create the signature.
  • Digest Type: This shows the algorithm that is used to create the digest. SHA-1, SHA-256, GOST R 34.11-94, SHA-384.
  • Digest: DNSKEY Record’s cryptographic hash value.


DS record serves to keep the same trust from the parent zone to the child zone. For using it, you will need access to the parent zone and putting a DNS record there. It shows that the delegated zone is signed digitally, and the zone takes the zone key as a valid one.
DNSSEC is very important because it serves as a protection against DNS poisoning attacks. DNS poisoning attacks could modify the cache inside the DNS name server and change DNS records. The users could request a DNS record and get the modified one that points them to another place. They can be fulled, and they can lose valuable private data. DNS security is matters.

Leave a Reply

Your email address will not be published. Required fields are marked *