DS (Delegation Signer) records are used to secure delegations in DNSSEC. A DS record with the name of the sub-delegated zone is placed in the parent zone along with the delegating NS records. This DS record references a DNSKEY record in the sub-delegated zone.
DS records have the following components:
A DS record looks like this in your DNS zone management page:
key_tag algorithm digest_type digest
So let us imagine that your parent DNS zone is already DNSSEC signed and hosted here. And you intend to delegate a subdomain of your root domain somewhere else. There is nothing wrong with that. But you will also need to sign the delegated subdomain zone in order to preserve the chain of trust for DNSSEC. This can be done by placing the signer DS record for your subdomain in your parent zone hosted here. Note that it is easy to make a mistake in setting up the record, which can lead to a disruption in service or other serious issues.
Go to your DNS zone management page and click on Add new record. For Type choose DS and type as follows:
DNSSEC is a protocol designed to bolster DNS security by confirming the authenticity and integrity of records contained within the system. This protocol utilizes public key cryptography and digital signatures to verify the legitimacy of DNS information, ensuring that records have not been modified. To assist in this process, two new DNS record types were created: DNSKEY and DS, also known as trust anchors or trust points. The DNSKEY record holds a public signing key, and the DS record contains a hash of a DNSKEY record.
Delegation Signer records are used to link subdomains and their associated public keys to the parent zone, allowing DNSSEC to function correctly. By correctly setting up DS records, users can rest assured that the information they procure from DNS is authentic and accurate.
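The following is an added example, not ClouDNS code: it derives the four DS fields (key_tag, algorithm, digest_type, digest) from a child zone's DNSKEY and checks a DS line against that key before it is published in the parent zone. The zone name sub.example.com, the sample key bytes and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# IANA DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# Constructed 32-byte value standing in for an Ed25519 public key (not a real key)
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS fields as 'key_tag algorithm digest_type digest'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"

def check_ds(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """List the fields of a DS line that do not match the child's DNSKEY."""
    got = ds_text.split(None, 3)
    if len(got) != 4 or not got[2].isdigit() or int(got[2]) not in DIGESTS:
        return ["malformed DS line or unsupported digest_type"]
    got[3] = got[3].replace(" ", "").upper()  # digests are often pasted with spaces
    want = make_ds(owner, flags, protocol, algorithm, pubkey_b64, int(got[2])).split()
    names = ("key_tag", "algorithm", "digest_type", "digest")
    problems = [f"{n}: got {g}, expected {w}" for n, g, w in zip(names, got, want) if g != w]
    if not flags & 0x0100:  # a DS must point at a DNSKEY with the Zone Key bit set
        problems.append("DNSKEY flags lack the Zone Key bit")
    return problems

if __name__ == "__main__":
    ds = make_ds("sub.example.com.", 257, 3, 15, SAMPLE_KEY)
    print(ds)
    print(check_ds(ds, "sub.example.com.", 257, 3, 15, SAMPLE_KEY) or "DS matches DNSKEY")
```

An empty list from check_ds means the DS line matches the key; the digest covers the owner name as well as the key, so a DS computed for the wrong zone name fails the check even when the key tag is right.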
In Windows, the DS record type cannot be looked up easily because it is not supported by Nslookup or PowerShell's Resolve-DnsName. Nevertheless, you have the option to install WSL (Windows Subsystem for Linux) and then follow the Linux/macOS instructions below, or you can use an online lookup tool like ClouDNS Free DNS tool to check your DS record.
If you are a Linux/macOS user, you can open the Terminal and check your DS record with dig. Here is an example:
$ dig example.com ds
Then the information about DS records will appear.
ClouDNS provides full support for DS records for all our DNS services, including those listed below. Just write to our technical support if you need any assistance with your DS record configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.
Question: When do I need DS records?
Answer: Whenever DNSSEC needs to be enabled, DS records should be set up in the parent zone. They are also necessary any time a domain name's public key needs to be updated.
Question: Who can set up DS records?
Answer: Only the registrar and the domain owner have access to the DNS zone file, meaning that only they have the authority to set up and maintain DS records.
Question: Can I add a DS record for a subdomain, if there are already other records for the same hostname, such as A, MX, TXT, etc.?
Answer: No, you can't. To add a DS record for your subdomain, the subdomain must first be delegated. In simple words, the relevant NS records for your subdomain, the "delegators" so to speak, must be added first. And to add the NS records, there must be no other records for that particular hostname.