DS Record Lookup
Check DS records (DNSSEC delegation signer) at the parent zone for any domain. Free DNS checker.
What is a DS record?
A DS record ("delegation signer") sits at the parent zone and contains a hash of the child zone's DNSKEY. It's the link in the DNSSEC chain of trust that connects a zone to its parent — without a matching DS at the parent, DNSSEC validation fails.
When to check DS
- Confirming that your registrar has uploaded the DS record after enabling DNSSEC
- Diagnosing DNSSEC validation errors
- Comparing the DS hash against the actual DNSKEY at the child zone
Reading the results
A DS value has four fields: key-tag algorithm digest-type digest. The digest is a hash of the child zone's DNSKEY. Algorithm is the signing algorithm of the DNSKEY the record points to, and digest-type is the hash function used to produce the digest (e.g., algorithm 13 + digest-type 2 = ECDSA P-256 + SHA-256).
Common errors and pitfalls
- DS missing at registrar — the most common DNSSEC failure. Provider says DNSSEC is enabled, but the registrar still has no DS, so resolvers can't verify the chain.
- DS published but the hash doesn't match the zone's DNSKEY — usually because the zone's KSK was rolled but the registrar's DS wasn't updated. Causes immediate SERVFAIL on validating resolvers.
- Old DS still present after rollover — leave both old and new DS during a rollover, then remove the old once the new propagates fully.
FAQ
I just enabled DNSSEC at my DNS provider — why is validation failing?
The DS record has to be present at the registrar/parent, not at your DNS provider. Most registrars require you to manually copy the DS values from your DNS provider into the registrar's DNSSEC settings. Until that's done, the chain of trust is broken.
Why does the parent's DS even exist? Why not just publish DNSKEY everywhere?
Trust has to start somewhere. If a zone could vouch for itself, anyone could spoof a fake DNSKEY. The parent vouches for the child, the grandparent vouches for the parent, all the way up to the root, whose key is hard-coded into resolvers.
Background reading
See DNSSEC and the DNS Records Explained guide.