What is a DS record?DNSSEC introduces a Delegation Signer (DS) record to allow the transfer of trust from a parent zone to a child zone. In order for DNSSEC to work, you must be able to add a DS record for your domain which appears in the DNS records in TLD name servers (the parent of the zone) in order to establish a chain of trust to your zone (the child zone). The DS record contains a hashed DNSKEY record containing the Key Signing Key (KSK), and acts as a pointer to the next key in the chain of trust.
DS record format
A typical DS record looks like the following in standard BIND format:
$ORIGIN example.com. @ 3600 IN DS 2371 13 2 1F987CC6583E92D443F3CBBF94FC227D87BB5E4D235593A4CB734F0890718C42An anatomy of the DS Record
@ 3600 IN DS 2371 13 2 1F987CC6583E92D443F3CBBF94FC227D87BB5E4D235593A4CB734F0890718C42looks like the below:
|Name||TTL||Record Class||Record Type||Key Tag||Algorithm||Digest Type||Digest|
It defines the hostname of a record and whether the hostname will be appended to the label. Fully qualified hostnames terminated by a period will not append the origin.
The time-to-live in seconds. It specifies how long a resolver is supposed to cache or remember the DNS query before the query expires and a new one needs to be done.
Mainly 3 classes of DNS records exist:
- IN (Internet) – default and generally what internet uses.
- CH (Chaosnet) – used for querying DNS server versions.
- HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
The record format is defined using this field. Common record types are A, AAAA, CNAME, CAA, TXT etc. In the case of a DS record, the record type is DS.
A short numeric value which can help quickly identify the referenced DNSKEY-record.
The algorithm of the referenced DNSKEY-record.
Cryptographic hash algorithm used to create the Digest value.
A cryptographic hash value of the referenced DNSKEY-record.
How to add a DS record?
First you must enable DNSSEC at your DNS provider. If you are hosting your DNS with us, the DS record will be provided to you once you have DNSSEC enabled. You can then provide the DS record to your domain registrar to have them add the DS record for you at the TLD level. If your domain name is registered with us, you can open a ticket to have the DS record added.
DS record glossary
DNSSEC protects against forged DNS answers. DNSSEC protected zones are cryptographically signed to ensure the DNS records received are identical to the DNS records published by the domain owner.
Berkeley Internet Name Daemon - is the most commonly used DNS software on the Internet and Dynu observes BIND format.
RRset refers to resource record set. All the records with the same type are grouped into an RRset and this full RRset get digitally signed instead of individual DNS records. For example, if you have three TXT records for the same hostname relay.domain.com in the domain.com zone, the three TXT records will be bundled into a single TXT RRset. This is the first step towards securing a zone with DNSSEC.
ZSK (Zone-Signing Keys)
Each zone with DNSSEC enabled has a zone-signing key pair (ZSK): the private key and the public key. The private ZSK is used to create digital signatures for each RRset and the digital signatures are stored in the name server as RRSIG records. When a DNSSEC resolver requests a particular record type (e.g., TXT), apart from returning the TXT record itself, the name server also returns the corresponding RRSIG. The public ZSK is published as a DNSKEY record so that the resolver can then pull the DNSKEY record containing the public ZSK from the name server to verify against the RRSIG signature. The RRset, RRSIG, and public ZSK together can validate the response.
KSK (Key-Signing Keys)
The key-signing key is used to prevent the situation where the zone-signing key is compromised. The KSK validates the ZSK DNSKEY record in exactly the same way as the ZSK secure the RRSets. It signs the public ZSK (which is stored in a DNSKEY record), creating an RRSIG for the DNSKEY record. The public KSK is published in another DNSKEY record which can be used by resolvers to verify against the RRSIG.