DS Record Lookup
Check DS records (DNSSEC delegation signer) at the parent zone for any domain. Free DNS checker.
What is a DS record?
A DS record ("delegation signer") sits at the parent zone and contains a hash of the child zone's DNSKEY. It's the link in the DNSSEC chain of trust that connects a zone to its parent: without a matching DS at the parent, DNSSEC validation fails.
When to check DS
- Confirming that your registrar has uploaded the DS record after enabling DNSSEC
- Diagnosing DNSSEC validation errors
- Comparing the DS hash against the actual DNSKEY at the child zone
Reading the results
A DS value has four fields: key-tag algorithm digest-type digest. The digest is a hash of the child zone's DNSKEY. Algorithm and digest-type identify which crypto was used (e.g., algorithm 13 + digest-type 2 = ECDSA P-256 + SHA-256).
Common errors and pitfalls
- DS missing at registrar: the most common DNSSEC failure. Provider says DNSSEC is enabled, but the registrar still has no DS, so resolvers can't verify the chain.
- DS published but the hash doesn't match the zone's DNSKEY: usually because the zone's KSK was rolled but the registrar's DS wasn't updated. Causes immediate SERVFAIL on validating resolvers.
- Old DS still present after rollover: leave both old and new DS during a rollover, then remove the old once the new propagates fully.
FAQ
I just enabled DNSSEC at my DNS provider: why is validation failing?
The DS record has to be present at the registrar/parent, not at your DNS provider. Most registrars require you to manually copy the DS values from your DNS provider into the registrar's DNSSEC settings. Until that's done, the chain of trust is broken.
Why does the parent's DS even exist? Why not just publish DNSKEY everywhere?
Trust has to start somewhere. If a zone could vouch for itself, anyone could spoof a fake DNSKEY. The parent vouches for the child, the grandparent vouches for the parent, all the way up to the root, whose key is hard-coded into resolvers.
Background reading
See DNSSEC and the DNS Records Explained guide.