DS (Delegation Signer) records are used to secure delegations under DNSSEC. A DS record with the name of the sub-delegated zone is placed in the parent zone along with the delegating NS records. This DS record references a DNSKEY record in the sub-delegated zone.
DS records have the following components:
- Key Tag: Contains the key tag value of the DNSKEY resource record that this DS record references.
- Algorithm: Identifies the algorithm of the referenced DNSKEY record, which is the algorithm that key uses to produce signatures.
- Digest Type: Identifies the algorithm used to construct the digest.
- Digest: A cryptographic hash value of the referenced DNSKEY Record.
A DS record looks like this in your DNS zone management page:
key_tag algorithm digest_type digest
How to add it?
Go to your DNS zone management page and click on Add new record. For Type choose DS and type as follows:
- Type: DS
- TTL: 1 Hour
- Host: host (You cannot add a DS record for the root domain. The host must already have NS records before you can add DS records for it.)
- Key Tag: It specifies the short numeric value which can help quickly identify the referenced DNSKEY record.
- Algorithm: It specifies the algorithm of the referenced DNSKEY record.
- Digest Type: (1) SHA-1, (2) SHA-256, (3) GOST R 34.11-94, (4) SHA-384. It specifies the cryptographic hash algorithm used to create the Digest value.
- Points to: This is the Digest. It specifies a cryptographic hash value of the referenced DNSKEY Record.
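Before saving the record, it is worth checking that the four values agree with the DNSKEY published in the sub-delegated zone, because a DS record that does not match makes validating resolvers reject the delegation. The following is an added example, not part of the original page or of any provider's tooling: it derives the Key Tag and Digest from a DNSKEY as defined in RFC 4034 and compares them with a "key_tag algorithm digest_type digest" string. The host sub.example.com and the sample key are constructed placeholders.

```python
import base64
import hashlib
import struct

# Digest Type numbers from the list above. Type 3 (GOST R 34.11-94) is left
# out because Python's hashlib has no implementation of it.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (a 16-bit checksum)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return (key_tag, algorithm, digest_type, digest) for a DNSKEY."""
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # The digest covers the owner name followed by the DNSKEY RDATA.
    digest = DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """Check a 'key_tag algorithm digest_type digest' string against a DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    expected = make_ds(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return (int(tag), int(alg), int(dtype), "".join(digest).upper()) == expected

# Constructed sample: 64 placeholder bytes standing in for an algorithm 13
# (ECDSA P-256) public key. Not a real key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_OWNER = "sub.example.com"

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY, 2)
    print(SAMPLE_OWNER, "DS", *ds)
```

The digest is computed over the owner name as well as the key, so the same DNSKEY published under a different host yields a different Digest.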