
DNS DS Records Explained

DNS DS (Delegation Signer) records are DNSSEC records that establish a secure delegation from a parent zone to a child zone. Each DS record carries a cryptographic hash (digest) of one DNSKEY record from the child zone, usually the child's key-signing key (KSK), and is published and signed in the parent zone. This is the link that extends the DNSSEC chain of trust across a zone cut.

What is a DS record?

A DS record contains a cryptographic digest (hash) computed over the child zone's owner name together with the wire-format RDATA of one of its DNSKEY records. The record lives in the parent zone, at the delegation point, and is signed with the parent zone's keys. In effect the DS record tells a DNSSEC validator which key in the child zone is the trusted entry point: only a DNSKEY that hashes to a signed DS digest may be used to start validating the child zone.

Each DS record has four fields: a key tag (a 16-bit checksum of the DNSKEY RDATA that identifies which DNSKEY it references), the algorithm number of that DNSKEY, the digest type (for example 2 for SHA-256), and the digest value itself. The key tag is not unique, so validators use it and the algorithm only to pick candidate keys; the digest comparison is what actually binds the DS to a specific key.

How do DS records work?

When a DNSSEC validator needs to validate records in a child zone, it first retrieves the DS records for the delegation from the parent zone and checks that this DS RRset is itself correctly signed by a parent DNSKEY it already trusts. It then retrieves the child zone's DNSKEY RRset, selects the keys whose key tag and algorithm match a DS record, and recomputes the digest over the child's owner name and each candidate DNSKEY's RDATA. A candidate whose digest equals the DS digest (and whose Zone Key flag is set) becomes a trusted key for the child zone; if no DNSKEY matches any of the signed DS records, the child zone is treated as bogus rather than as unsigned.

Once a child DNSKEY is validated against the DS record, the validator checks the RRSIG over the child's DNSKEY RRset with that key, after which any key in the RRset can be used to verify the RRSIG signatures on other records in the child zone. Repeating this at every delegation creates a chain of trust from the root zone (whose key-signing key is the trust anchor configured in the validator) down to individual domains and subdomains.
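The following Python is an added worked example, not code from this page or from any DNS software, showing both the DS record structure described above and the validator-side check: it builds a DS record from a DNSKEY (key tag per RFC 4034 Appendix B, digest over canonical owner name plus DNSKEY RDATA per RFC 4034 section 5.1.4) and then verifies a DNSKEY against it. The DNSKEY line and its 16-byte public key are constructed for illustration and are far shorter than a real key; the function names are my own.

```python
"""Build and verify a DS record from a DNSKEY (RFC 4034 section 5.1.4 and Appendix B)."""
import base64
import hashlib
import hmac
import struct

# Digest type numbers from the IANA "DS RR Digest Algorithms" registry.
DIGEST_ALGOS = {1: "sha1", 2: "sha256", 4: "sha384"}

# Constructed sample (not a real key): 16 bytes where a real P-256 key is 64 bytes.
SAMPLE_PUBKEY = bytes(range(1, 17))
SAMPLE_LINE = "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(SAMPLE_PUBKEY).decode()


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY line into (owner, flags, protocol, algorithm, pubkey)."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1: idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split over fields
    return owner, flags, protocol, algorithm, pubkey


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (this formula does not apply to algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def canonical_name(owner: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    out = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:  # skips the empty label produced by the root name "."
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """digest = H(canonical owner name | DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_ALGOS[digest_type])
    h.update(canonical_name(owner) + rdata)
    return h.digest()


def make_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Return DS RDATA as (key_tag, algorithm, digest_type, digest_hex)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = ds_digest(owner, rdata, digest_type)
    return key_tag(rdata), algorithm, digest_type, digest.hex().upper()


def ds_to_text(owner, ds) -> str:
    tag, alg, dtype, digest_hex = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest_hex}"


def verify_ds(owner, ds, flags, protocol, algorithm, pubkey) -> bool:
    """Validator-side check: does this child DNSKEY match the parent's DS record?"""
    tag, alg, dtype, digest_hex = ds
    if dtype not in DIGEST_ALGOS:
        return False  # unsupported digest type: this DS cannot be used
    if not flags & 0x100:
        return False  # Zone Key flag clear: key may not sign zone data (RFC 4034 2.1.1)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    if algorithm != alg or key_tag(rdata) != tag:
        return False  # key tag and algorithm only pre-filter candidates...
    computed = ds_digest(owner, rdata, dtype).hex().upper()
    return hmac.compare_digest(computed, digest_hex)  # ...the digest is the binding check


if __name__ == "__main__":
    owner, flags, proto, alg, pub = parse_dnskey(SAMPLE_LINE)
    ds = make_ds(owner, flags, proto, alg, pub)
    print(ds_to_text(owner, ds))
    print("matches child key:", verify_ds(owner, ds, flags, proto, alg, pub))
    print("matches tampered key:", verify_ds(owner, ds, flags, proto, alg, pub[:-1] + b"\x00"))
```

Two details matter in practice: the owner name is part of the digest input, so the same DNSKEY published at a different name yields a different DS, and the name must be canonicalised (lowercased) before hashing or a validator will reject a DS generated from a mixed-case zone file.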

DS records are crucial during a key-signing key (KSK) rollover. Because the parent's DS is the only thing that tells validators which child key to trust, the order of operations matters: publish the new KSK in the child's DNSKEY RRset and wait for the old RRset to expire from caches, then publish the new DS in the parent zone and wait for the old DS to expire from caches, and only then remove the old key. A DS that points at a key no longer present in the child's DNSKEY RRset, or a new key with no matching DS yet, leaves validators with no usable entry point and the zone fails validation.
