DS record

Delegation Signer. A DNS record at the parent zone that confirms the child zone's DNSSEC key. The link that makes DNSSEC work across zone boundaries.

A DS (Delegation Signer) record is the DNSSEC handshake between a parent zone and a child zone. It lives at the parent and identifies the key the child uses to sign its records.

example.com.   DS   12345 13 2 ABCDEF1234567890...

Fields:

  • 12345 — key tag (matches the DNSKEY at the child).
  • 13 — algorithm (13 is ECDSAP256SHA256, modern default).
  • 2 — digest type (2 is SHA-256).
  • The rest is the digest (here SHA-256) of the child's DNSKEY, computed over the owner name plus the DNSKEY record data.

Why DS records matter

DNSSEC works by signing DNS records with a key. But how does a resolver know your key is legit? It checks the DS record at your parent. The parent's records are signed by the parent's key. The parent's DS at the grandparent's zone confirms the parent's key. All the way up to the root zone, whose key every validating resolver is configured to trust (the trust anchor).

This chain of DS records is the "chain of trust" in DNSSEC. Break the chain and validating resolvers can no longer verify your signatures: with no DS at the parent they fall back to treating your zone as unsigned, and with a DS that doesn't match any of your DNSKEYs they reject your answers outright.

When you set DS records

When you enable DNSSEC on your zone, your DNS provider gives you a DS record. You take it to your registrar and paste it into the "DS records" section in the domain's settings. The registrar publishes it at the parent (the TLD operator's zone). Now resolvers can validate your zone. Publish the DS only once the zone is actually signed, and remove it before moving to a provider that doesn't sign, otherwise validating resolvers will fail to resolve the domain.
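The four DS fields listed above are all derived from the child's DNSKEY, so you can check that the record your registrar publishes really matches your key. The following is an added example, not code from the original page or from any provider: it computes the key tag (RFC 4034 Appendix B) and the SHA-256 digest (RFC 4034 section 5.1.4, over the canonical owner name plus the DNSKEY RDATA), and compares the result to a published DS. The DNSKEY used is a constructed 64-byte pattern standing in for an algorithm 13 public key; it is not a real key.

```python
import base64
import hashlib
import struct

# Constructed sample, NOT a real key: 64 bytes counting 0x00..0x3F stand in for
# an ECDSA P-256 public key (algorithm 13) so the key-tag arithmetic can be
# followed by hand. Flags 257 marks a KSK (the key a DS normally points at).
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()

# DS digest types: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_dnskey(rr: str):
    """Split presentation-format DNSKEY RDATA ('257 3 13 <base64>') into
    (flags, protocol, algorithm, raw public key bytes)."""
    flags, protocol, algorithm, *key = rr.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key))


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA.
    Even-offset bytes are taken as the high byte of a 16-bit word."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels,
    terminated by the empty root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def compute_ds(owner: str, dnskey_rr: str, digest_type: int = 2) -> str:
    """Build the DS RDATA ('<key tag> <algorithm> <digest type> <hex digest>')
    for a child DNSKEY. The digest covers owner name + DNSKEY RDATA."""
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_rr)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(published_ds: str, owner: str, dnskey_rr: str) -> bool:
    """True if the DS published at the parent is exactly what this DNSKEY hashes to.
    A mismatch here is what makes validating resolvers return SERVFAIL."""
    tag, alg, dtype, digest = published_ds.split(None, 3)
    expected = compute_ds(owner, dnskey_rr, int(dtype))
    # Registrars sometimes display the digest with spaces or in lowercase.
    return expected.split() == [tag, alg, dtype, digest.replace(" ", "").upper()]


if __name__ == "__main__":
    ds = compute_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print(f"{SAMPLE_OWNER}   DS   {ds}")
    print("matches published DS:", ds_matches(ds, SAMPLE_OWNER, SAMPLE_DNSKEY))
```

To check a live domain you would paste the DNSKEY your provider shows (the one with flags 257) into `SAMPLE_DNSKEY`, the DS line from the registrar's settings into `ds_matches`, and expect True; the owner name is lowercased before hashing, so `Example.COM.` and `example.com.` yield the same DS.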

Why most SaaS don't bother

DNSSEC adoption is still under 30% globally. It catches DNS spoofing but adds complexity and a hard dependency on your DNS provider. For most SaaS, the cost-benefit doesn't pencil out unless you have specific regulatory or banking customers who require it.

Want this handled for you? Start free with Domainee — 50 custom domains + 100 GB bandwidth, no card.