DS Records

Delegation Signer: Building the DNSSEC Chain of Trust.

What is a DS Record?

A DS record (Delegation Signer record) is a critical part of DNSSEC (DNS Security Extensions). It's used to link a signed subdomain or zone to its parent zone, creating a continuous "Chain of Trust" from the root of the internet down to your domain.

Structure of a DS Record

example.com. 86400 IN DS 2371 13 2 ABCDE...

How the Chain of Trust Works

For DNSSEC to be effective, a resolver must be able to verify that the digital signatures in your zone are authentic.

  1. Your DNS provider signs your zone with a Key Signing Key (KSK).
  2. A hash (fingerprint) of your KSK is computed. Together with the key's tag, algorithm and digest type, this hash forms the DS record.
  3. You upload this DS record to your domain registrar (e.g., Namecheap, GoDaddy, Cloudflare).
  4. The registrar publishes the DS record in the parent TLD zone (e.g., the .com registry).
  5. When a resolver looks up your domain, it first gets the DS record from the .com servers to verify your zone's KSK.

Warning: Breaking the Chain

If the DS record in the parent zone does not match the key in your DNS zone (e.g., after changing DNS providers or rotating keys), your domain will become **unreachable** for anyone using a DNSSEC-validating resolver. Always ensure your DS records are updated correctly!
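The following Python is an added example, not code from the original page: it derives a DS record from a KSK's DNSKEY data as in steps 1 and 2 above (RFC 4034 key tag and digest over the canonical owner name plus DNSKEY RDATA), then performs the match check a validating resolver does, which is what fails in the "Breaking the Chain" scenario. The owner name, flags and 64-byte public key are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed inputs (not a real key): a KSK DNSKEY for example.com with
# flags 257 (KSK), protocol 3, algorithm 13 (ECDSA P-256 with SHA-256).
# A real P-256 public key is also 64 bytes; these bytes are a placeholder.
OWNER = "example.com."
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 13
PUBKEY = bytes(range(1, 65))

def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5, alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return (key tag, algorithm, digest type, digest) for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)

def ds_matches(ds, owner, flags, protocol, algorithm, pubkey) -> bool:
    """The resolver's check: the parent's DS must match the child's current KSK."""
    tag, alg, dtype, digest = ds
    recomputed = make_ds(owner, flags, protocol, algorithm, pubkey, dtype)
    return recomputed == (tag, alg, dtype, digest.upper())

def format_ds(owner: str, ds, ttl: int = 86400) -> str:
    """Presentation format, as published in the parent zone."""
    return f"{owner} {ttl} IN DS {ds[0]} {ds[1]} {ds[2]} {ds[3]}"

if __name__ == "__main__":
    ds = make_ds(OWNER, FLAGS, PROTOCOL, ALGORITHM, PUBKEY)
    print(format_ds(OWNER, ds))
    # Simulate a key rotation where the parent still holds the old DS:
    rotated_key = bytes(range(2, 66))
    print("chain intact:", ds_matches(ds, OWNER, FLAGS, PROTOCOL, ALGORITHM, rotated_key))
```

Running the script prints the DS line for the constructed key and then `chain intact: False` for the rotated key, the exact condition under which validating resolvers stop resolving the domain.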

Components of a DS Record

  • Key Tag: A short numeric identifier for the KSK being referenced.
  • Algorithm: The cryptographic algorithm used (e.g., 13 for ECDSA Curve P-256 with SHA-256).
  • Digest Type: The hash algorithm used (e.g., 2 for SHA-256).
  • Digest: The actual hash of the Key Signing Key.