DS records (Delegation Signer) are used to secure delegations (DNSSEC). A DS record with the name of the sub-delegated zone is placed in the parent zone along with the delegating NS Records. This DS record references a DNSKEY record in the sub-delegated zone.
In the context of DNSSEC, the DS record serves as a crucial link in the chain of trust, providing a cryptographic hash of the DNSKEY record in the child zone. This cryptographic hash, known as a digest, is then signed with the private key of the parent zone, adding an additional layer of security to the delegation process. By validating the DS record, DNS resolvers can verify the authenticity and integrity of the DNSKEY records associated with the sub-delegated zone, thereby improving the overall security of the DNS infrastructure.
DS records have the following components:
The DS Record has the following look in your ClouDNS Control Panel:
| Host | Type | Points to: | TTL |
| host.domain.com | DS | key_tag algorithm digest_type digest | 1 Hour |
So let us imagine that your parent DNS zone is already DNSSEC signed and hosted here. You intend to delegate a subdomain of your root domain somewhere else. There is nothing wrong with that. But you will also need to sign the delegated subdomain zone in order to preserve the chain of trust for DNSSEC. This can be done by placing the signer DS record for your subdomain in your parent zone hosted here. Note that it is easy to make a mistake in setting up the record, which can lead to a disruption in service or other serious issues.
Go to your DNS zone management page and click on Add new record. For Type, choose DS and type as follows:
DNSSEC is a protocol designed to bolster DNS security by confirming the authenticity and integrity of records contained within the system. This protocol utilizes public key cryptography and digital signatures to verify the legitimacy of DNS information, ensuring that records have not been modified. To assist in this process, two new DNS record types were created: DNSKEY and DS, also known as trust anchors or trust points. The DNSKEY record holds a public signing key, and the DS record contains a hash of a DNSKEY record.
Delegation Signer records are used to link subdomains and their associated public keys to the parent zone, allowing DNSSEC to function correctly. By correctly setting up DS records, users can rest assured that the information they procure from DNS is authentic and accurate.
In Windows, the DS record type cannot be looked up easily because it is not supported by Nslookup or Powershell's Resolve-DnsName. Nevertheless, you have the option to install WSL(Windows Subsystem for Linux) and then follow the Linux/macOS instructions below, or you can use an online lookup tool like ClouDNS Free DNS tool to check your DS record.
If you are a Linux/macOS user, you can open the Terminal and check your DS record via DIG. Here is an example:
$ dig example.com DS
Then, the information about DS records will appear.
ClouDNS provides full support for DS records for all our DNS services, including the ones listed below. Just write to our technical support if you need any assistance with your DS records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.
Question: When do I need DS records?
Answer: Whenever DNSSEC needs to be enabled, DS records should be set up in the parent zone. They are also necessary any time a domain name's public key needs to be updated.
Question: Who can set up DS records?
Answer: Only the registrar and the domain owner have access to the DNS zone file, meaning that only they have the authority to set up and maintain DS Records.
Question: Can I add a DS record for a subdomain if there are already other records for the same hostname, such as A, MX, TXT, etc.?
Answer: No, you can't. First and foremost, in order for you to be able to add a DS record for your subdomain, the delegation part of your subdomain must be in action. In simple words, the relevant NS records for your subdomain, the "delegators" so to say, must be added first. And to add the NS records, there must be no other records for that particular hostname.
Question: Do all domains need DNS DS records?
Answer: No, DS records are only necessary for domains that implement DNSSEC for added security. If you don't use DNSSEC, you won't have DS records.
Question: How often should DS records be updated?
Answer: DS records may need updating when there are changes in the DNSSEC key or algorithm. Regularly review and update these records based on your security policy or key rollover requirements.