What are DNSKEY and DS records?
The Domain Name System (DNS) is the phonebook of the Internet, but it was not designed with security in mind. To address this, an optional security protocol called DNSSEC (Domain Name System Security Extensions) was created.
DNSSEC adds cryptographic signatures (RRSIG records) to DNS data. A validating resolver can check those signatures to confirm that a record set was published by the operator of the zone it claims to come from and has not been altered in transit. Two record types carry the keys and trust anchors needed to check the signatures: DNSKEY and DS.
1. The DNSKEY Record
The DNSKEY record publishes a public key that resolvers use to verify the RRSIG signatures over a zone's records. A signed zone normally publishes two kinds of DNSKEY: a Zone Signing Key and a Key Signing Key, distinguished by the record's flags field.
Zone Signing Keys (ZSK)
Each signed zone has at least one Zone Signing Key (ZSK), which is a key pair:
- Private ZSK: kept by the zone operator and used to sign the record sets in that zone, producing the RRSIG records.
- Public ZSK: published in a DNSKEY record with flags value 256. A validating resolver uses it to check the RRSIG on each record set it receives from that zone.
Key Signing Key (KSK)
Signed zones also publish a second DNSKEY record, the Key Signing Key (KSK), with flags value 257 (the Secure Entry Point bit set). The private KSK signs the zone's DNSKEY record set, so the KSK vouches for the public ZSK, and the KSK itself is vouched for by the parent zone's DS record. Splitting the roles means the ZSK can be rotated often without any change in the parent zone, while the longer-lived KSK is the only key the parent needs to know about.
2. The DS Record
The Delegation Signer (DS) record is how a parent zone (example.com) vouches for the key of a delegated child zone (blog.example.com).
The DS record lives in the parent zone, next to the NS records for the delegation, and contains a hash of the child's KSK together with that key's key tag, algorithm number and digest type. A validating resolver checks the child zone by:
- Fetching the child zone's DNSKEY record set and hashing the KSK record (owner name plus key data).
- Comparing that hash with the digest in the parent zone's DS record, and checking that the algorithm and key tag match.
If they match, and the DS record is itself covered by a signature the resolver has already validated in the parent zone, the child's keys are trusted and its RRSIGs can be checked.
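The following Python is an added example, not code from the original article: it builds the ZSK and KSK DNSKEY records for a hypothetical child zone, derives the DS record its parent would publish (digest over the canonical owner name and the DNSKEY RDATA, as specified in RFC 4034), and then performs the resolver-side match described above. The key bytes are constructed placeholders rather than real ECDSA keys; only hashing is demonstrated, not signature verification. The zone name blog.example.com is the one used in the text.

```python
"""DNSKEY records, DS derivation and the resolver-side DS match (RFC 4034 / 4035)."""
import base64
import hashlib
from dataclasses import dataclass

# DNSKEY flags (RFC 4034 section 2.1.1): bit 7 = ZONE key, bit 15 = SEP.
# 256 = ZONE only (a ZSK); 257 = ZONE + SEP (a KSK).
FLAGS_ZSK = 256
FLAGS_KSK = 257
PROTOCOL = 3                  # the only value allowed in a DNSKEY record
ALG_ECDSAP256SHA256 = 13      # DNSSEC algorithm number
DIGEST_SHA256 = 2             # DS digest type


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # zone apex the key belongs to, e.g. "example.com."
    flags: int
    algorithm: int
    public_key: bytes   # raw public key bytes as carried in the record

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags (2 bytes) | protocol | algorithm | public key."""
        return self.flags.to_bytes(2, "big") + bytes([PROTOCOL, self.algorithm]) + self.public_key

    def is_ksk(self) -> bool:
        """SEP bit set: the operator intends a DS record to point at this key."""
        return bool(self.flags & 1)

    def presentation(self) -> str:
        """Zone-file form, e.g. 'example.com. IN DNSKEY 257 3 13 <base64>'."""
        b64 = base64.b64encode(self.public_key).decode("ascii")
        return f"{self.owner} IN DNSKEY {self.flags} {PROTOCOL} {self.algorithm} {b64}"


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(key.rdata()):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key: DNSKEY) -> bytes:
    """DS digest = SHA-256(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return hashlib.sha256(canonical_name(key.owner) + key.rdata()).digest()


def make_ds(key: DNSKEY) -> tuple[int, int, int, str]:
    """The DS RDATA the parent publishes: (key tag, algorithm, digest type, digest hex)."""
    return (key_tag(key), key.algorithm, DIGEST_SHA256, ds_digest(key).hex())


def ds_matches_dnskey(ds: tuple[int, int, int, str], key: DNSKEY) -> bool:
    """Resolver-side check: does this DNSKEY hash to what the parent's DS says?

    RFC 4035 treats the SEP flag as a hint only, so the match is on key tag,
    algorithm and digest; the digest covers the owner name and every RDATA field,
    so a changed flag, algorithm or key byte also changes the digest.
    """
    tag, alg, digest_type, digest_hex = ds
    if digest_type != DIGEST_SHA256:
        return False            # digest type this resolver cannot compute: no match
    return alg == key.algorithm and tag == key_tag(key) and digest_hex == ds_digest(key).hex()


def find_entry_key(ds, rrset):
    """Return the DNSKEY in the child's RRset that the parent's DS vouches for, or None."""
    for key in rrset:
        if ds_matches_dnskey(ds, key):
            return key
    return None


# Constructed placeholder key bytes (not real keys); a P-256 public key is 64 bytes.
ZONE = "blog.example.com."
KSK = DNSKEY(ZONE, FLAGS_KSK, ALG_ECDSAP256SHA256, bytes(range(1, 65)))
ZSK = DNSKEY(ZONE, FLAGS_ZSK, ALG_ECDSAP256SHA256, bytes(range(101, 165)))
DNSKEY_RRSET = [KSK, ZSK]     # what blog.example.com publishes (signed by the KSK)
PARENT_DS = make_ds(KSK)      # what example.com publishes for the delegation

if __name__ == "__main__":
    for key in DNSKEY_RRSET:
        print(key.presentation())
    tag, alg, dtype, digest = PARENT_DS
    print(f"{ZONE} IN DS {tag} {alg} {dtype} {digest}   (held in the example.com zone)")
    print("entry key is the KSK:", find_entry_key(PARENT_DS, DNSKEY_RRSET) is KSK)
    # A key with one byte changed no longer matches the parent's DS.
    forged = DNSKEY(ZONE, FLAGS_KSK, ALG_ECDSAP256SHA256, b"\xff" + KSK.public_key[1:])
    print("forged key accepted:", ds_matches_dnskey(PARENT_DS, forged))
```

Two details are worth noticing when running it. The owner name is part of the hashed input, so a DS record cannot be reused for the same key under a different name, but case differences in the name do not matter because the canonical form is lowercase. And the key tag is only a 16-bit checksum used to pick the right DNSKEY out of the set quickly; the digest comparison is what actually binds the parent to the child's key.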
What is a cryptographic hash? A hash function maps input of any length to a fixed-size digest. For example, hashing "cantguessthis" might output
18fe9934cf77a759eb2471f2b304708a. A good hash function is one-way (it is computationally infeasible to recover the input from the digest) and collision-resistant (it is infeasible to find two inputs with the same digest), which is what lets a short DS digest stand in for the child's full key. DS records most commonly use SHA-256 (digest type 2).
The Chain of Trust
The combination of DNSKEY and DS records creates a "Chain of Trust" that starts at the DNS root zone's KSK, which validating resolvers hold as a built-in trust anchor, and extends through each delegation (root to .com, .com to example.com, example.com to blog.example.com) down to individual subdomains. A resolver that validates this chain can reject forged answers, which defeats cache poisoning and on-path spoofing of DNS responses. DNSSEC does not encrypt queries or answers, so it provides authenticity and integrity rather than confidentiality, and it protects only clients whose resolver actually performs validation.
| Record Type | Location | Purpose |
|---|---|---|
| DNSKEY | Child Zone | Stores the public keys (ZSK/KSK) for verification. |
| DS | Parent Zone | Links the parent to the child via a hash of the child's KSK. |
Implementing DNSSEC
Many DNS hosting providers and registrars now offer "one-click" DNSSEC deployment: the provider generates the keys, signs the zone and publishes the DNSKEY records. The DS record still has to be published in the parent zone, which only the registrar can do; where the DNS host and the registrar are different companies, the DS record (key tag, algorithm, digest type and digest) must be copied to the registrar manually, and the chain of trust is incomplete until that is done. The same step is needed in reverse when rolling the KSK: publish the new DS in the parent before retiring the old key, or validating resolvers will reject the zone.