My personal blog for Technology and Web

DS record – what you need to know


The DS record is not one of the most common DNS records. It is used with DNSSEC to keep the chain of trust between the parent zone (TLD level) and the one you manage. Do you want to know exactly how the DS record works? Here we go!

How to start managing DS records for your domain name?

What is DNSSEC?

DNSSEC is the additional layer of security that the old DNS does not have by default. We can’t simply stop using DNS, so better to fix it, right? DNSSEC signs each zone and publishes a public key in each zone, so the recursive servers can get that key and verify the DNS data. With DNSSEC activated, those recursive DNS servers can verify that the data actually comes from the zone it should and that it hasn’t been modified on the way.

Each of the public keys is signed by its parent zone to ensure that the public keys are correct. All except the highest level – the root zone. There is nothing above to sign it. 

What is a DS record?

The D stands for a delegation and the S for a signer. The DS record is a delegation signer record. You will need to use DS records to apply DNSSEC by signing the zones.

First, you will need to create a DS record for one of the sub-domains, and later you need to add it to the next zone up, its parent zone, in combination with NS records showing the name servers. Putting it inside the parent zone will verify the zone below and continue the chain of trust.

If the parent zone is the TLD zone, you need to upload the DS record to that zone. For that purpose, you need to use the control panel of the domain registrar or contact the registrar directly. As we said already, the first level, the “root zone”, doesn’t need that, but the rest do.

The DS record contains a hash of the DNSKEY record that holds the key signing key (KSK), and so points to the next key in the chain.

Each zone must be signed, from the top down, so the DNS data integrity is safe and the trust is kept all the way.

The DS record, just like the CNAME record, is not one of those that can coexist with other DNS records. The only other record type that you can add inside the same zone is the NS record. 

How to add a DS record?

Before you start, you should check if the TLD and your DNS provider both support DNSSEC. Otherwise, you won’t be able to do anything.

From the control panel that your DNS service provider offers you, you can add a Master DNS zone in which you need to add the NS records and DS records. 

The DS record will indicate the host for which it is created (the sub-zone) and the hash of the key. You need to put it inside its parent zone, which means sending it to the TLD name server. Do this through your registrar’s control panel.

What’s inside a DS record?

Host: The sub-zone that you want to sign with the DS record.

Key Tag: A short numeric identifier of the DNSKEY that serves for the validation of the signature.

Algorithm: Identifies the exact algorithm that is in use for the signature.

Digest Type: SHA-1, SHA-256, GOST R 34.11-94, SHA-384 are all digest types that you can use.

Digest: The digest is a cryptographic hash.
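
To check that the DS record published in the parent zone really belongs to your key signing key, you can recompute the fields listed above from the DNSKEY. The following Python is an added example, not code from the original post: it follows the key tag and digest calculation from RFC 4034, and the key material, the `example.com.` owner name and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest type numbers -> hash (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
# Type 3 (GOST R 34.11-94) is omitted: hashlib does not ship it by default.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample input: 64 placeholder bytes, not a real public key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

def name_to_wire(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key Tag: 16-bit checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return (key tag, algorithm, digest type, digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # Digest = hash(owner name in wire format | DNSKEY RDATA)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """True if DS RDATA text (as published in the parent zone) fits the DNSKEY."""
    tag, alg, dtype, *digest = ds_text.split()
    published = (int(tag), int(alg), int(dtype), "".join(digest).upper())
    if published[2] not in DIGESTS:
        raise ValueError("unsupported digest type: %d" % published[2])
    return published == make_ds(owner, flags, protocol, algorithm, pubkey_b64, published[2])

if __name__ == "__main__":
    # 257 = KSK flags, 3 = protocol, 13 = ECDSA P-256 with SHA-256
    ds = make_ds("example.com.", 257, 3, 13, SAMPLE_KEY_B64)
    print("example.com. IN DS %d %d %d %s" % ds)
    print(ds_matches("%d %d %d %s" % ds, "example.com.", 257, 3, 13, SAMPLE_KEY_B64))
```

A mismatch between the DS at the registrar and the value computed from your current KSK breaks validation for the whole zone, so this comparison is worth running before and after every key rollover.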

DNS delegation and DS record

DNS delegation occurs when a domain’s NS (Name Server) record is directed to another DNS server that is given the responsibility of managing records for a particular subdomain. The DS (Delegation Signer) record is used along with DNS delegation. It is a DNS resource record that a child zone uses to authenticate the delegation of an authoritative name server. It contains information, such as the DNSSEC public key, that is used to securely establish the trust of the parent zone and its delegation to the child zone.


With the DS record, you show that you have the right to administrate a domain and create the DS record. Later, you send it to the parent zone, which checks it and validates the child zone based on a positive result.

With this simple act, the DNSSEC is showing that the chain of trust is unbroken and that the DNS data hasn’t been modified.

Keep DNSSEC active and lower the chance of DNS poisoning and phishing attacks for your visitors.
