DS Lookup
Use the DS lookup to inspect the key tags, algorithms, and digests that anchor your zone to the DNSSEC trust chain. Understanding these values helps verify a successful key-signing-key rollover and diagnose validation failures.
Frequently Asked Questions
- What is a DS record?
- A DS (Delegation Signer) record links a child zone's DNSKEY to the parent zone, creating the DNSSEC chain of trust.
- How do DS and DNSKEY records relate?
- Each DS digest references a key-signing DNSKEY. Validators compare the digest to ensure they retrieved the correct DNSKEY set.
- Which digest algorithm should I publish?
- Digest type 2 (SHA-256) works for every modern resolver, while digest type 4 (SHA-384) adds strength when your parent zone supports it.
- Why might validators reject my DS record?
- If the digest no longer matches the active key-signing key, resolvers mark the zone insecure. Update the DS after rolling keys or changing algorithms.
- When should I rotate DS records?
- Rotate DS entries whenever you perform a KSK rollover or migrate to a new signing provider. Publish the new digest before retiring the old key.
- Why are there multiple DS records for a zone?
- Multiple DS records are common during key rollovers or when serving different algorithms so validators can trust either key during the transition.