DS Record

DS records (Delegation Signer) are used to secure delegations (DNSSEC). A DS record with the name of the sub-delegated zone is placed in the parent zone along with the delegating NS Records. This DS record references a DNSKEY record in the sub-delegated zone.

DS records have the following components:

  • Key Tag:  Contains the tag value of the DNSKEY Resource Record that validates this signature.
  • Algorithm: Identifies the algorithm used to produce a legitimate signature.
  • Digest Type: Identifies the algorithm used to construct the digest.
  • Digest: A cryptographic hash value of the referenced DNSKEY Record.

The DS Record has the following look in your DNS zone management page:

Host Type Points to: TTL
host.domain.com DS key_tag algorithm digest_type digest 1 Hour

Why do you need a DS record?

So let us imagine that your parent DNS zone is already DNSSEC signed and hosted here. And you intend to delegate a subdomain of your root domain somewhere else. There is nothing wrong with that. But you will also need to sign the delegated subdomain zone in order to preserve the chain of trust for DNSSEC. This can be done by placing the signer DS record for your subdomain in your parent zone hosted here.

How to create a DNS DS record?

Go to your DNS zone management page and click on Add new record. For Type choose DS and type as follows:

  • Type: DS
  • TTL: 1 Hour
  • Host: host (You can not add a DS record for the root domain.) Please note that you need to have NS records for this host to be able to add DS records for it.
  • Key Tag: It specifies the short numeric value which can help quickly identify the referenced DNSKEY record.
  • Algorithm: It specifies the algorithm of the referenced DNSKEY record.
  • Digest Type: (1) SHA-1, (2) SHA-256, (3) GOST R 34.11-94, (4) SHA-384. It specifies the cryptographic hash algorithm used to create the Digest value.
  • Points to: This is the Digest. It specifies a cryptographic hash value of the referenced DNSKEY Record.

How to add a DS Record - Step by Step video:

How to start managing DS records for your domain name?

  1. Open free account from here - free forever
  2. Verify your e-mail address
  3. Log into your control panel
  4. Create new Master DNS from the [add new] button - read more here
  5. Add or modify the DS records you need as it is described in this article

Support of DS records

ClouDNS provides full support for DS records for all our DNS services, including the listed below. Just write to our technical support, if you need any assistance with your DS records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.

FAQ

Question: Can I add a DS record for a subdomain, if there are already other records for the same hostname, such as A, MX, TXT, etc.?

Answer: No, you can't. First and foremost, in order for you to be able to add a DS record for your subdomain, the delegation part of your subdomain must be in action. In simple words, the relevant NS records for your subdomain, the "delegators" so to say, must be added first. And to add the NS records, there must be no other records for that particular hostname.

Sign up now!

Last modified: 2021-07-01
Online - Live Chat
Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more