Understanding DS Records and DNSSEC Delegation
DNS was not originally built with security in mind. That is where DNSSEC (Domain Name System Security Extensions) steps in, adding cryptographic signatures so that resolvers can verify DNS responses. At the heart of DNSSEC lies a key record type called the DS record, short for Delegation Signer.
DS records are essential for establishing a chain of trust between parent and child domains. Without them, DNSSEC cannot properly verify domain authenticity.
What Does a DS Record Do?
A DS record lives at the parent zone, like .com, and it points to a cryptographic key in the child zone, like example.com. This creates a secure link in the DNS hierarchy that helps validate the responses from that child zone.
In short:
1. The parent holds the DS record.
2. The child holds the DNSKEY (public key).
3. Together, they allow DNSSEC to confirm that your domain's records have not been altered in transit.
What Is in a DS Record?
A typical DS record contains the following elements:
Let's break that down:
- 60485 — Key tag (a short identifier for the DNSKEY)
- 8 — Algorithm used (like RSA/SHA-256)
- 2 — Digest type (defines how the hash is created)
- The long string — Digest (a hash of your public key)
This digest is computed over the DNSKEY found in your domain's zone file, so the parent can verify that the key it delegates to is the one you actually published.
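As an added example (not code from the original article), the following Python derives those four DS fields from a DNSKEY record and checks whether a DS published at the parent matches the child's key, following RFC 4034; the DNSKEY line and its key bytes are constructed placeholders, not a real RSA key.

```python
import base64
import hashlib
from dataclasses import dataclass

# IANA DS digest types the standard library can compute (2 = SHA-256 is the usual choice).
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}

@dataclass
class DNSKey:
    owner: str         # owner name as written in the zone, e.g. "example.com."
    flags: int         # 257 = KSK (Zone Key + SEP bit), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 8 = RSA/SHA-256
    public_key: bytes  # raw key bytes (base64-decoded from the zone file)

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: 2-byte flags, protocol, algorithm, then the key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

def parse_dnskey(line: str) -> DNSKey:
    """Parse one presentation-format DNSKEY line, e.g. from `dig DNSKEY example.com`."""
    f = line.split()
    i = f.index("DNSKEY")
    return DNSKey(f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:])))

def wire_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercased, length-prefixed labels, root label."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(key: DNSKey, digest_type: int = 2) -> tuple:
    """DS fields (key_tag, algorithm, digest_type, digest_hex); digest = hash(wire owner name || RDATA)."""
    rdata = key.rdata()
    digest = hashlib.new(DIGEST_ALGOS[digest_type], wire_name(key.owner) + rdata).hexdigest()
    return key_tag(rdata), key.algorithm, digest_type, digest.upper()

def ds_matches(ds: tuple, key: DNSKey) -> bool:
    """Defender's check: does the DS published at the parent point to this child DNSKEY?"""
    if ds[2] not in DIGEST_ALGOS:
        return False  # unknown digest type: cannot validate, so treat as a mismatch
    return make_ds(key, ds[2]) == (ds[0], ds[1], ds[2], ds[3].upper())

# Constructed sample KSK line; the key bytes are a placeholder, not a real RSA public key.
SAMPLE_DNSKEY = parse_dnskey("example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==")
```

Feeding the DNSKEY line from `dig` and the DS tuple from the parent into `ds_matches` is a quick way to confirm a delegation before or after a key rollover.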
Why DS Records Matter
If you are using DNSSEC, you absolutely need a DS record published at your domain's registrar. Without it, your signed DNS responses will not be validated by resolvers, and DNSSEC will not work for your domain.
Some key reasons DS records matter:
- They enable end-to-end trust from the root zone to your domain.
- They help prevent DNS spoofing and man-in-the-middle attacks.
- They serve as a vital part of domain security posture.
How to Look Up a DS Record
You can check a domain's DS record using built-in tools on your computer. Follow the steps below based on your operating system:
Windows
1. Click the Start menu and type cmd or PowerShell.
2. Press Enter to open the Command Prompt or PowerShell.
3. Type the following command and press Enter:
macOS
1. Open Finder, go to Applications > Utilities, then open Terminal.
2. Type one of the following commands and press Return:
or
Linux
1. Open your terminal. You can usually do this with Ctrl+Alt+T or by searching for "Terminal" in your application menu.
2. Type one of the following commands and press Enter:
or
If dig is not installed, you can add it with:
If you see output with key tags, algorithms, and digest values, the domain is likely secured with DNSSEC.
Final Thoughts
The DS record may not get much attention, but it is one of the most critical parts of a secure DNS setup. It is what allows DNSSEC to trust your domain, verify its records, and protect against forged responses.
If you have deployed DNSSEC, make sure your DS record is correctly configured and published with your domain registrar. Without it, the chain of trust cannot be completed.