DS Record

What is a DS record?

DNSSEC introduces a Delegation Signer (DS) record to allow the transfer of trust from a parent zone to a child zone. In order for DNSSEC to work, you must be able to add a DS record for your domain which appears in the DNS records in TLD name servers (the parent of the zone) in order to establish a chain of trust to your zone (the child zone). The DS record contains a hashed DNSKEY record containing the Key Signing Key (KSK), and acts as a pointer to the next key in the chain of trust.

DS record format

A typical DS record looks like the following in standard BIND format:

$ORIGIN example.com.
@ 3600 IN DS 2371 13 2 1F987CC6583E92DF0890718C42 
The anatomy of the DS record @ 3600 IN DS 2371 13 2 1F987CC6583E92DF0890718C42 looks like the below:

Host Label     TTL   Record Class  Record Type  Key Tag  Algorithm  Digest Type  Digest
example.com.   3600  IN            DS           2371     13         2            1F987CC6583E92DF0890718C42
Host Label
It defines the hostname of the record and whether the origin is appended to the label. Fully qualified hostnames terminated by a period do not have the origin appended.

TTL
The time-to-live in seconds. It specifies how long a resolver is supposed to cache or remember the DNS query before the query expires and a new one needs to be done.

Record Class
Three classes of DNS records exist:
  • IN (Internet) – the default, and the class used on the Internet.
  • CH (Chaosnet) – used for querying DNS server versions.
  • HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
Record Type
The record format is defined using this field. Common record types are A, AAAA, CNAME, CAA, TXT etc. In the case of a DS record, the record type is DS.

Key Tag
A short numeric value that helps to quickly identify the referenced DNSKEY record.

Algorithm
The algorithm of the referenced DNSKEY record.

Digest Type
The cryptographic hash algorithm used to create the Digest value.

Digest
A cryptographic hash value of the referenced DNSKEY record.
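The fields above are all derived from the DNSKEY record they point at, so you can check a DS record yourself rather than trusting that it was typed in correctly at the registrar. The following is an added example (not Dynu's code and not part of the original page): it builds the DS record for a DNSKEY record per RFC 4034 section 5 and RFC 4509 (Key Tag from the RDATA checksum in RFC 4034 Appendix B, Digest as the hash of the canonical owner name followed by the DNSKEY RDATA), and then verifies that a DS record published in the parent zone matches a given DNSKEY. The public key bytes in SAMPLE_KSK and SAMPLE_ZSK are constructed byte patterns that exercise the arithmetic; they are not valid ECDSA keys. Note that the Key Tag is only a checksum and is not guaranteed to be unique, which is why the digest, not the tag, is what actually ties the DS to the key.

```python
"""Compute and verify a DS record from a DNSKEY record (RFC 4034 section 5, RFC 4509).

Added example; not Dynu's code. The DNSKEY public keys below are CONSTRUCTED
byte patterns used only to exercise the arithmetic; they are not valid
ECDSA P-256 points and must not be published anywhere.
"""
import base64
import hashlib

# Digest Type field of the DS record -> hash function (RFC 4034 / RFC 4509 / RFC 6605)
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [] if name in (".", "") else name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Parse one DNSKEY record in BIND presentation format, e.g.
    'example.com. 3600 IN DNSKEY 257 3 13 <base64>' (the base64 may contain spaces)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    return {
        "owner": fields[0],
        "flags": int(fields[idx + 1]),
        "protocol": int(fields[idx + 2]),
        "algorithm": int(fields[idx + 3]),
        "public_key": base64.b64decode("".join(fields[idx + 4:])),
    }


def dnskey_rdata(key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, then the public key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]])
            + key["public_key"])


def key_tag(rdata):
    """Key Tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of each 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Digest field: hash(canonical owner name || DNSKEY RDATA) as uppercase hex."""
    h = DIGEST_ALGORITHMS[digest_type]()
    h.update(owner_name_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_from_dnskey(dnskey_line, digest_type=2, ttl=3600):
    """Build the DS record the parent zone should carry for this DNSKEY record."""
    key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(key)
    return (f"{key['owner']} {ttl} IN DS {key_tag(rdata)} {key['algorithm']} "
            f"{digest_type} {ds_digest(key['owner'], rdata, digest_type)}")


def parse_ds(line):
    """Parse a DS record in presentation format into its four RDATA fields."""
    fields = line.split()
    idx = fields.index("DS")
    return {"owner": fields[0], "key_tag": int(fields[idx + 1]),
            "algorithm": int(fields[idx + 2]), "digest_type": int(fields[idx + 3]),
            "digest": "".join(fields[idx + 4:]).upper()}


def ds_matches_dnskey(ds_line, dnskey_line):
    """True if the DS record (e.g. the one the registrar published at the TLD) points at
    this DNSKEY: owner, key tag, algorithm and digest must all agree."""
    ds = parse_ds(ds_line)
    key = parse_dnskey(dnskey_line)
    if ds["digest_type"] not in DIGEST_ALGORITHMS:
        return False                      # unknown digest type: cannot be validated
    rdata = dnskey_rdata(key)
    return (ds["owner"].lower() == key["owner"].lower()
            and ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == key["algorithm"]
            and ds["digest"] == ds_digest(key["owner"], rdata, ds["digest_type"]))


def find_dnskey_for_ds(ds_line, dnskey_lines):
    """Walk a zone's DNSKEY RRset and return the key the DS record points at, or None."""
    for line in dnskey_lines:
        if ds_matches_dnskey(ds_line, line):
            return line
    return None


# Constructed sample keys: flags 257 = KSK, 256 = ZSK; protocol 3; algorithm 13.
SAMPLE_KSK = ("example.com. 3600 IN DNSKEY 257 3 13 "
              + base64.b64encode(bytes(range(64))).decode("ascii"))
SAMPLE_ZSK = ("example.com. 3600 IN DNSKEY 256 3 13 "
              + base64.b64encode(bytes(range(64, 128))).decode("ascii"))

if __name__ == "__main__":
    ds = ds_from_dnskey(SAMPLE_KSK, digest_type=2)
    print(ds)
    print("matches KSK:", ds_matches_dnskey(ds, SAMPLE_KSK))
    print("pointed-at key:", find_dnskey_for_ds(ds, [SAMPLE_ZSK, SAMPLE_KSK]) == SAMPLE_KSK)
```

Run the same computation against your own KSK DNSKEY record and compare the output with the DS record your registrar shows at the TLD; any difference in key tag, algorithm, digest type or digest means resolvers will not be able to build the chain of trust into your zone.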

How to add a DS record?

First you must enable DNSSEC at your DNS provider. If you are hosting your DNS with us, the DS record will be provided to you once you have DNSSEC enabled. You can then provide the DS record to your domain registrar to have them add the DS record for you at the TLD level. If your domain name is registered with us, you can open a ticket to have the DS record added.

DS record glossary

DNSSEC
DNSSEC protects against forged DNS answers. DNSSEC protected zones are cryptographically signed to ensure the DNS records received are identical to the DNS records published by the domain owner.

BIND
Berkeley Internet Name Daemon (BIND) is the most commonly used DNS software on the Internet, and Dynu follows the BIND format.

RRset
RRset refers to a resource record set. All the records with the same name and type are grouped into an RRset, and this full RRset gets digitally signed instead of the individual DNS records. For example, if you have three TXT records for the same hostname relay.domain.com in the domain.com zone, the three TXT records will be bundled into a single TXT RRset. This is the first step towards securing a zone with DNSSEC.

ZSK (Zone-Signing Keys)
Each zone with DNSSEC enabled has a zone-signing key pair (ZSK): the private key and the public key. The private ZSK is used to create digital signatures for each RRset and the digital signatures are stored in the name server as RRSIG records. When a DNSSEC resolver requests a particular record type (e.g., TXT), apart from returning the TXT record itself, the name server also returns the corresponding RRSIG. The public ZSK is published as a DNSKEY record so that the resolver can then pull the DNSKEY record containing the public ZSK from the name server to verify against the RRSIG signature. The RRset, RRSIG, and public ZSK together can validate the response.

KSK (Key-Signing Keys)
The key-signing key is used to limit the damage if the zone-signing key is compromised. The KSK validates the ZSK DNSKEY record in exactly the same way as the ZSK secures the RRsets. It signs the public ZSK (which is stored in a DNSKEY record), creating an RRSIG for the DNSKEY record. The public KSK is published in another DNSKEY record, which resolvers use to verify that RRSIG.