A DS (Delegation Signer) record is stored in the parent zone and contains a hash of the child zone's DNSKEY. It establishes the chain of trust between parent and child zones in DNSSEC, allowing resolvers to verify the child zone's keys are authorized.

Where is the DS record stored?

The DS record is stored in the parent zone, not in your zone. For example, if your domain is example.com, the DS record is stored in the .com zone. You submit the DS record to your registrar, who adds it to the parent zone.

What digest type should I use for DS records?

Use SHA-256 (digest type 2). SHA-1 (type 1) is deprecated and should be avoided. SHA-384 (type 4) is also supported but SHA-256 is the recommended standard.

How do I set up a DS record?

Generate DNSSEC keys for your zone, sign your zone, compute the DS record from your KSK, then submit the DS record to your registrar. The registrar adds the DS record to the parent zone to complete the chain of trust.

DS Record DNSSEC

The DS record (Delegation Signer) is a crucial DNSSEC record that establishes the chain of trust between a parent zone and a child zone. It contains a hash of a child zone's DNSKEY, allowing resolvers to verify that the child zone's keys are authorized by the parent.

Look Up DS Records

Check DS records for any domain using our free DNS lookup tool.

Look Up DS Records →

What Is a DS Record?

The DS record links a child zone's DNSSEC keys to its parent zone. For example, example.com's DS record is stored in the .com zone, creating a verifiable chain from the root zone down to your domain.

The DS record contains a hash (digest) of the child's KSK (Key Signing Key), not the actual key itself.

DS Record Format

Example DS Record

example.com.    3600    IN    DS    12345 13 2 49FD46E6C4B45C55D4AC...

DS Record Fields

Field	Description	Example
Key Tag	Identifier for the DNSKEY	12345
Algorithm	Same as DNSKEY algorithm	13 (ECDSA)
Digest Type	Hash algorithm used	2 (SHA-256)
Digest	Hash of the DNSKEY	Hex string

Digest Types

Type	Algorithm	Status
1	SHA-1	Deprecated (avoid)
2	SHA-256	Recommended
4	SHA-384	Supported

DNSSEC Chain of Trust

Root zone — Has DNSKEY, signed by root KSK
.com zone — DS record in root points to .com's DNSKEY
example.com — DS record in .com points to example.com's DNSKEY
Your records — Signed by your DNSKEY

Resolvers follow this chain from the root (which they trust via the root trust anchor) down to your domain, verifying each link.

Setting Up DS Records

Unlike most DNS records, you don't create DS records in your own zone. Instead:

Generate DNSSEC keys for your zone
Sign your zone with the keys
Calculate the DS record from your KSK
Submit the DS record to your registrar
Registrar adds DS to the parent zone

Generating DS Records

# From a DNSKEY record
dnssec-dsfromkey -2 example.com.dnskey

# Output format:
# example.com. IN DS 12345 13 2 49FD46E6...

DS Record Best Practices

Use SHA-256 (type 2) — SHA-1 is deprecated; always use SHA-256 or stronger.
Only DS for KSK — Only create DS records for your Key Signing Key, not ZSK.
Plan key rollovers carefully — Update DS at parent during KSK rollover.
Verify before submitting — Test DNSSEC locally before adding DS to parent.
Monitor chain integrity — Set up alerts for DNSSEC validation failures.

DS vs CDS Records

Aspect	DS Record	CDS Record
Location	Parent zone	Child zone
Who creates	Parent (via registrar)	Child (zone owner)
Purpose	Actual delegation	Signal desired DS change
Automation	Manual submission	Automatic updates (RFC 8078)

Troubleshooting DS Records

Common issues and solutions:

SERVFAIL after enabling DNSSEC — DS record doesn't match DNSKEY; verify hash.
Key tag mismatch — Ensure DS key tag matches your DNSKEY's computed tag.
Algorithm mismatch — DS and DNSKEY must use the same algorithm number.
Broken chain after key rollover — Update DS record before removing old key.
DS record not appearing — Check with registrar; propagation may take time.

Check Your DS Records

Use our DNS Record Finder to look up DS records for any domain.