DS records (Delegation Signer) are used to secure delegations (DNSSEC). A DS record with the name of the sub-delegated zone is placed in the parent zone along with the delegating NS Records. This DS record references a DNSKEY record in the sub-delegated zone.
In the context of DNSSEC, the DS record serves as a crucial link in the chain of trust, providing a cryptographic hash of the DNSKEY record in the child zone. This cryptographic hash, known as a digest, is then signed with the private key of the parent zone, adding an additional layer of security to the delegation process. By validating the DS record, DNS resolvers can verify the authenticity and integrity of the DNSKEY records associated with the sub-delegated zone, thereby improving the overall security of the DNS infrastructure.
DS records have four components: the key tag, the algorithm, the digest type and the digest.
A DS record looks like this in your ClouDNS Control Panel:
Host | Type | Points to | TTL
host.domain.com | DS | key_tag algorithm digest_type digest | 1 Hour
So let us imagine that your parent DNS zone is already DNSSEC signed and hosted here, and that you intend to delegate a subdomain of your root domain somewhere else. There is nothing wrong with that, but you will also need to sign the delegated subdomain zone in order to preserve the DNSSEC chain of trust. This is done by placing the DS record for your subdomain in your parent zone hosted here. Note that it is easy to make a mistake when setting up the record, which can lead to a disruption of service or other serious issues.
Go to your DNS zone management page and click on Add new record. For Type choose DS and fill in the fields as follows:
DNSSEC is a protocol designed to bolster DNS security by confirming the authenticity and integrity of records contained within the system. This protocol utilizes public key cryptography and digital signatures to verify the legitimacy of DNS information, ensuring that records have not been modified. To assist in this process, two new DNS record types were created: DNSKEY and DS, also known as trust anchors or trust points. The DNSKEY record holds a public signing key, and the DS record contains a hash of a DNSKEY record.
Delegation Signer records are used to link subdomains and their associated public keys to the parent zone, allowing DNSSEC to function correctly. By correctly setting up DS records, users can rest assured that the information they procure from DNS is authentic and accurate.
In Windows, the DS record type cannot be looked up easily because it is not supported by nslookup or PowerShell's Resolve-DnsName. Nevertheless, you have the option to install WSL (Windows Subsystem for Linux) and then follow the Linux/macOS instructions below, or you can use an online lookup tool like the ClouDNS Free DNS tool to check your DS record.
If you are a Linux/macOS user, you can open the Terminal and check your DS record with dig. Here is an example:
$ dig example.com ds
The information about the DS records will then appear.
ClouDNS provides full support for DS records for all our DNS services, including those listed below. Just write to our technical support if you need any assistance with your DS records configuration. Our Technical Support team is online for you 24/7 via live chat and tickets.
Question: When do I need DS records?
Answer: Whenever DNSSEC needs to be enabled, DS records should be set up in the parent zone. They are also necessary any time a domain name's public key needs to be updated.
Question: Who can set up DS records?
Answer: Only the registrar and the domain owner have access to the DNS zone file, meaning that only they have the authority to set up and maintain DS records.
Question: Can I add a DS record for a subdomain, if there are already other records for the same hostname, such as A, MX, TXT, etc.?
Answer: No, you can't. First and foremost, in order to add a DS record for your subdomain, the delegation of your subdomain must already be in place. In simple words, the relevant NS records for your subdomain, the "delegators" so to speak, must be added first. And to add the NS records, there must be no other records for that particular hostname.
Question: Do all domains need DNS DS records?
Answer: No, DS records are only necessary for domains that implement DNSSEC for added security. If you don't use DNSSEC, you won't have DS records.
Question: How often should DS records be updated?
Answer: DS records may need updating when there are changes in the DNSSEC key or algorithm. Regularly review and update these records based on your security policy or key rollover requirements.