
What is a DS Record (Delegation Signer)?

A DS record (Delegation Signer record) is a special type of DNS record used in DNSSEC (Domain Name System Security Extensions). It plays a key role in creating a chain of trust between a parent zone and a child zone (for example, between .com and example.com), so that a resolver can verify DNS responses haven’t been tampered with.

Think of the DS record as a digital handshake — it tells the parent zone which cryptographic key is valid for the child zone, helping to secure DNS lookups.

The Structure of a DS Record:

A DS record contains the following fields:

  • Key Tag: A 16-bit value computed from the DNSKEY record data. It is a quick lookup hint that tells the resolver which of the child zone’s DNSKEY records the DS refers to; it is not guaranteed to be unique.

  • Algorithm: The cryptographic algorithm of the referenced key, identical to the algorithm field of the DNSKEY record (e.g., 8 = RSA/SHA-256, 13 = ECDSA P-256/SHA-256).

  • Digest Type: The hash algorithm used to generate the digest (e.g., 1 = SHA-1, 2 = SHA-256, 4 = SHA-384). SHA-1 is considered obsolete for new delegations.

  • Digest: The hash of the child zone’s DNSKEY record, computed over the owner name together with the key’s record data.

Format Example:
12345 13 2 AB12CD34EF56789A...
(Key Tag, Algorithm, Digest Type, Digest)

Here 13 is ECDSA P-256 with SHA-256, 2 means the digest is a SHA-256 hash, and the digest itself is written in hexadecimal. In the parent zone the record appears as a normal resource record, for example: example.com. IN DS 12345 13 2 AB12CD34EF56789A...

Together, these elements allow DNS resolvers to validate that a DNSKEY record (in the child zone) is authentic and corresponds to what the parent zone expects.

How Does a DS Record Work?

When DNSSEC is enabled:

  1. The child zone (e.g., example.com) generates a public/private key pair. In most deployments this is a dedicated Key Signing Key (KSK), which is what the DS record points to.

  2. It publishes its DNSKEY record (public key) in its zone.

  3. A DS record is then created by hashing this DNSKEY and submitted to the parent zone (.com), usually through the domain’s registrar, which publishes and signs it in the parent.

  4. When a resolver looks up a DNSSEC-enabled domain, it fetches the DS record from the parent (signed with the parent’s key) and the DNSKEY from the child. If the digest in the DS matches the DNSKEY and the signatures validate, the child zone’s key is trusted and the chain of trust continues downward.
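The following Python program is an added example, not code from the original article. It implements the computation behind both the DS record fields described above and the matching check a resolver performs in step 4: the key tag (RFC 4034 Appendix B), the digest over owner name plus DNSKEY data (RFC 4034 section 5.1.4), and a comparison of a parent’s DS against a child’s DNSKEY. The DNSKEY material for example.com is constructed here for illustration (64 made-up bytes standing in for an ECDSA P-256 public key); it is not a real key and the resulting DS is not the real example.com DS.

```python
"""Compute a DNSSEC DS record from a DNSKEY and check that they match.

Added example: implements RFC 4034 section 5.1.4 (DS digest) and Appendix B (key tag).
Only the standard library is used. Sample data below is constructed, not real.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
# Type 3 (GOST, RFC 5933) is omitted because hashlib has no portable implementation.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample: a KSK (flags 257) for example.com, protocol 3,
# algorithm 13 (ECDSA P-256 / SHA-256). The key bytes are made up.
SAMPLE_OWNER = "example.com."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: add the RDATA as 16-bit words, fold the carry, keep 16 bits."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    # The digest covers the canonical owner name followed by the DNSKEY RDATA.
    digest = DIGEST_TYPES[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """The resolver-side check: does the parent's DS describe this child DNSKEY?

    Signature validation of the DS and DNSKEY RRsets is a separate step not shown here.
    """
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_TYPES:
        return False  # unsupported digest type: this DS cannot be used to match anything
    return make_ds(owner, flags, protocol, algorithm, pubkey_b64, dtype) == (tag, alg, dtype, digest.upper())


def demo():
    """Build the DS for the constructed sample key and print it in zone-file form."""
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    tag, alg, dtype, digest = ds
    print(f"{SAMPLE_OWNER} IN DS {tag} {alg} {dtype} {digest}")
    return ds


def tamper_check():
    """Show that the genuine key matches its DS and a key with one flipped bit does not."""
    ds = demo()
    bad = bytearray(base64.b64decode(SAMPLE_PUBKEY_B64))
    bad[0] ^= 0x01  # simulate a DNSKEY that differs from what the parent delegated to
    good = ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBKEY_B64)
    forged = ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM,
                               base64.b64encode(bytes(bad)).decode())
    return good, forged


if __name__ == "__main__":
    print("genuine matches, forged matches:", tamper_check())
```

To check a real delegation, replace the sample constants with the DNSKEY record served by the child zone (flags, protocol, algorithm and the base64 key from a DNSKEY query) and compare the result against the DS returned by the parent; the owner-name lowercasing matters, since the digest is defined over the canonical form.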

Why is a DS Record Important?

  • Prevents DNS Spoofing: Lets resolvers reject forged or altered answers, because only data signed with the key the parent has vouched for will validate.

  • Establishes Trust: Links each zone’s key to its parent so that cryptographic validation runs from the root zone down to individual domains.

  • Essential for DNSSEC: Without a valid DS record in the parent zone, resolvers treat your domain as unsigned even if you publish DNSKEY records, so its answers can’t be validated and remain exposed to spoofing.