DS Record Configuration
Understanding and configuring DS (Delegation Signer) records correctly
What are DS Records?
DS (Delegation Signer) records are the critical link in the DNSSEC chain of trust. They are published in the parent zone (for example.com that is the .com TLD zone) and get there through your registrar. Each DS carries a cryptographic hash of one of your zone's DNSKEY records, normally the Key Signing Key (KSK), so a validating resolver that already trusts the parent can confirm that your DNSKEY is the one the parent vouches for. This creates the trust relationship between parent and child zones.
DS Record Format
example.com. IN DS <key-tag> <algorithm> <digest-type> <digest>
- key-tag: Identifies which DNSKEY this DS record refers to (a 16-bit checksum computed over the DNSKEY RDATA; it is not guaranteed unique, so two keys can share a tag)
- algorithm: Signing algorithm of the referenced DNSKEY (13 = ECDSAP256SHA256, 8 = RSA/SHA-256); it must equal the algorithm field of that DNSKEY
- digest-type: Hash algorithm used for the digest (2 = SHA-256, 4 = SHA-384, 1 = SHA-1, deprecated)
- digest: Hash of the owner name (in canonical lowercase wire form) followed by the DNSKEY RDATA, written in hex
How DS Records Work
- Your DNS provider generates DNSKEY records for your zone: a Key Signing Key (KSK, flags 257) and usually a separate Zone Signing Key (ZSK, flags 256)
- A DS record is created by hashing the KSK's DNSKEY record (owner name plus RDATA)
- The DS record is submitted through your registrar and published in the parent (TLD) zone, where the parent signs it with its own keys
- Resolvers verify the chain: root trust anchor → DS for the TLD in the root zone → TLD DNSKEY → DS for your domain in the TLD zone → your DNSKEY
- If the hash matches, the chain of trust is validated and your zone's signatures are trusted; if a DS is published but none of them matches any DNSKEY, validating resolvers treat the zone as bogus and return SERVFAIL
Generating DS Records
Most DNS providers generate DS records automatically when you enable DNSSEC. However, you can also generate them manually:
Using Our Tool
Use our DS Record Generator to generate DS records from DNSKEY records. Paste your DNSKEY record (the KSK, flags 257) and select the digest type.
Using Command Line
# Fetch the zone's DNSKEY RRset; the DS must be generated from the KSK (flags 257)
dig +noall +answer DNSKEY example.com
# Generate a SHA-256 DS from a key file written by dnssec-keygen
# (BIND names such files K<zone>.+<alg>+<keytag>.key)
dnssec-dsfromkey -a SHA-256 example.com.key
# Or feed the live DNSKEY RRset to dnssec-dsfromkey instead of a key file;
# check that the key tag in the output is the KSK's
dig +noall +answer DNSKEY example.com | dnssec-dsfromkey -f - -a SHA-256 example.com
Adding DS Records to Registrar
Critical: DS records must be submitted through your domain registrar (where you purchased the domain), NOT entered at your DNS provider (Cloudflare, Route 53, etc.), because only the registrar can have them published in the parent zone. If one company is both your registrar and your DNS provider (for example Cloudflare Registrar with Cloudflare DNS), it may submit the DS for you when you enable DNSSEC; check its DNSSEC settings rather than assuming.
- Log in to your domain registrar's control panel
- Navigate to DNS or DNSSEC settings
- Find the "DS Records" or "Delegation Signer" section
- Add each DS record provided by your DNS provider, copying key tag, algorithm, digest type and digest exactly (a single wrong hex character produces a DS that matches nothing)
- Save changes
- Wait for propagation (15 minutes to 48 hours, depending on how often the registry updates the parent zone and on the parent's DS TTL)
Multiple DS Records
It's normal to have multiple DS records if you have multiple Key Signing Keys (KSKs), or one KSK with both a SHA-256 and a SHA-384 digest. Each KSK will have its own DS record. Add all DS records provided by your DNS provider; a validating resolver only needs one of them to match a published DNSKEY.
Best Practice: During key rotation, publish the new KSK in your DNSKEY RRset first, then add its DS alongside the old one, and only remove the old DS (and afterwards the old KSK) once the parent's DS TTL has passed and validation with the new key has been confirmed. A DS whose DNSKEY is not yet published, or a DNSKEY withdrawn while it is the only key a cached DS still matches, breaks validation for the length of the overlap.
Verifying DS Records
After adding DS records, verify they're published:
dig DS example.com
You should see your DS records in the ANSWER section. Query the parent zone's authoritative name servers directly rather than your local resolver, so a cached (stale or empty) answer does not mislead you, and confirm that key tag, algorithm and digest are exactly what your DNS provider gave you. Use our chain of trust verifier to verify the complete chain.
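The following is an added example, not the page's own DS Record Generator or chain verifier, that does both things the page describes in "How DS Records Work" and in this section: it derives a DS record from a DNSKEY record exactly as RFC 4034 specifies (key tag over the RDATA, digest over the canonical owner name plus RDATA) and then checks a parent's DS RRset against a child's DNSKEY RRset, reporting a DS that matches no key, a DS that still uses SHA-1, or a DS that points at a ZSK instead of the KSK. The two DNSKEY lines are constructed placeholders (64 bytes of a single value stand in for an ECDSA P-256 public key), not real keys, so the printed digest is only illustrative.

```python
import base64
import hashlib
import struct

# DS digest-type field -> hash function (RFC 4034, RFC 4509, RFC 6605).
# Type 1 (SHA-1) is kept only so existing records can be checked, never for generation.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line):
    """'owner [TTL] [IN] DNSKEY flags protocol algorithm base64...' -> (owner, RDATA bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum of the DNSKEY RDATA (not unique)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata):
    """The SEP flag (low bit of the flags field, 257 vs 256) marks the key a DS should point at."""
    return struct.unpack("!H", rdata[:2])[0] & 1 == 1


def ds_fields(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, hex digest); the digest covers owner name + RDATA."""
    digest = DIGEST_TYPES[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_record(dnskey_line, digest_type=2):
    """Presentation-form DS record for one DNSKEY line, as a registrar form expects it."""
    owner, rdata = parse_dnskey(dnskey_line)
    tag, alg, dt, digest = ds_fields(owner, rdata, digest_type)
    return f"{owner.lower()} IN DS {tag} {alg} {dt} {digest}"


def check_delegation(ds_lines, dnskey_lines):
    """Compare the parent's DS RRset against the child's DNSKEY RRset.

    Returns (ok, findings): ok is True when at least one DS matches a published
    DNSKEY, which is all a validating resolver needs; findings lists every DS
    that needs attention (no matching key, SHA-1 digest, or pointing at a ZSK).
    """
    keys = [parse_dnskey(ln) for ln in dnskey_lines]
    findings, matched = [], 0
    for line in ds_lines:
        f = line.split()
        i = f.index("DS")
        tag, alg, dt = (int(x) for x in f[i + 1:i + 4])
        digest = "".join(f[i + 4:]).upper()
        hit = None
        for owner, rdata in keys:
            if dt in DIGEST_TYPES and key_tag(rdata) == tag and rdata[3] == alg:
                if ds_fields(owner, rdata, dt)[3] == digest:
                    hit = rdata
        if hit is None:
            findings.append(f"DS {tag} {alg} {dt}: matches no DNSKEY (stale after a rollover, or a typo)")
            continue
        matched += 1
        if dt == 1:
            findings.append(f"DS {tag} {alg} {dt}: uses SHA-1; replace it with a digest type 2 DS")
        if not is_ksk(hit):
            findings.append(f"DS {tag} {alg} {dt}: points at a ZSK (flags 256), not the KSK")
    return matched > 0, findings


# Constructed placeholder keys (64 bytes of one value), not real ECDSA public keys.
KSK_LINE = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(b"\x01" * 64).decode()
ZSK_LINE = "example.com. 3600 IN DNSKEY 256 3 13 " + base64.b64encode(b"\x02" * 64).decode()


def demo():
    """Generate the KSK's DS, then check it together with a stale DS against the DNSKEY set."""
    good = ds_record(KSK_LINE)
    stale = good.replace(f" {key_tag(parse_dnskey(KSK_LINE)[1])} ", " 1234 ", 1)
    return good, check_delegation([good, stale], [KSK_LINE, ZSK_LINE])


if __name__ == "__main__":
    ds, (ok, findings) = demo()
    print(ds)
    print("chain ok" if ok else "chain broken", *findings, sep="\n")
```

To use it on a real zone, paste the DNSKEY lines from `dig +noall +answer DNSKEY example.com` into `dnskey_lines` and the DS lines from the parent into `ds_lines`; `check_delegation` then tells you whether the delegation validates and which DS entries are leftovers from an old key or were mistyped at the registrar. The digest is computed over the lowercased wire-format owner name, which is why a DS generated for `EXAMPLE.com.` is identical to one for `example.com.`.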
Common Issues
DS Records Not Showing
Wait for propagation (up to 48 hours). Verify you added them at the registrar, not the DNS provider. Check for typos in the DS record values. Note that a missing DS is the safe failure: the delegation is simply unsigned and still resolves, whereas a wrong DS makes the zone unresolvable for validating resolvers.
Wrong DS Records
DS records must match your current DNSKEY records in all of key tag, algorithm and digest. If you rotated keys, you need new DS records; if every published DS points at a key that is no longer in your DNSKEY RRset, validating resolvers mark the zone bogus and return SERVFAIL. Regenerate the DS from your DNS provider and compare it field by field with what the parent zone serves.
Registrar Doesn't Support DS Records
Some registrars don't support DNSSEC, and some TLD registries do not accept DS records at all. You may need to transfer your domain to a registrar that does, or use a registrar that fully supports DNSSEC (like Cloudflare Registrar).
DS Record Best Practices
- Use the SHA-256 digest type (digest-type 2); SHA-384 (4) is also acceptable, but never rely on a SHA-1 (1) DS
- Keep backups of your DS records
- Document when DS records were added/removed
- Verify DS records match DNSKEY records before adding
- Test DS record changes on non-production domains first
Next Steps
- Use our DS generator to create DS records
- Verify with our chain verifier
- Learn about key rotation
- Read troubleshooting guide if you encounter issues