DS Records

The DNS Delegation Signer (DS) record indicates that the delegated zone is digitally signed and contains the hash of the DNSSEC Key Signing Key (KSK).

The DS record contains the following fields:

  • Host - Entered as a standard host name validation.

  • Key Tag - A number between 0 and 65535 used to match the key to the signature that generated it.

  • Algorithm - The algorithm in the referenced DNSKEY record. Select one of the following options from the dropdown menu.

    • RSA/MD5 (1)

    • Diffie-Hellman (2)

    • DSA/SHA-1 (3)

    • Elliptic Curve (4)

    • RSA/SHA-1 (5)

      • Indirect (252)

  • Hash Type - The algorithm used to hash the public key. Select one of the following options from the dropdown menu.

    • SHA-1 (1)

      • SHA-256 (2)

  • Digest - Provide the hexadecimal value of the key. For SHA-1 the length of the digest key will be 40. For SHA-2 the length of the digest key will be 64.

  • TTL - The Time to Live (TTL) for the record. You can provide this value as either an integer or an annotated value (1h = 1 hour).

    • This field is not required, and will be set to the default value if left empty.

 

In the following example DS record:

  • DS 12345 3 1 123456789abcdef67890123456789abcdef67890

    • 12345 is the key tag.

    • 3 is the algorithm (DSA/SHA-1 in this case).

    • 1 is the hash type (SHA-1 in this case).

    • 123456789abcdef67890123456789abcdef67890 is the forty-character digest key.