DS Lookup lets you check DS records for any domain. The online tool allows you to query the DNS servers and identify the Delegation Signers (DS) record for the specified domain.
The Domain Name System (DNS) is the largest virtual database, and the internet's phone book contains a domain name and corresponding IP address. But there was one lack in the DNS system, that it was not designed with a security perspective. Therefore, it was exposed to man-in-the-middle (MITM) attacks and cache poisoning. To overcome that issue, an optional security protocol called DNSSEC was created so that the web owner could protect their websites and applications.
The security protocol (DNSSEC) is a set of specifications designed by the Internet Engineering Task Force (IETF) to secure the communication between the DNS servers and clients.
The system created two DNS records for implementing these cryptographic signatures, DNSKEY and DS, defined in RFC4034.
Each domain name part of the Domain Name System has several DNS records. For keeping these records in order, DNS zones are created. It contains all the records and settings of a domain name. Every domain name has one or more DNS zones, delegated to a legal entity—a person, organization, or company responsible for managing the DNS zone. In simple words, DNS zones provide more granular control over the DNS namespace.
Each DNSSEC zone is assigned with zone signing keys (ZSK). With each set is a pair of public and private keys. The private key is used to sign the DNS records in that zone, and the public one is used to validate that private one.
In the DNSSEC record, the public ZSK is published, which the DNSSEC resolver uses to ensure that the records from that zone are authentic. However, as an additional layer of security, the DNSSEC zones include a key signing key (KSK) as another DNSKEY record. That key verifies the authenticity of the public ZSK.
The DS record is needed to verify the authenticity of child zones of the DNSSEC zones. The DS record transfers a trust from the parent zone to the child zone. The DS record contains the hash of the DNSSEC record. Therefore, the DS record on a parent zone includes a hash of a child zone's KSK. So, to validate the child zone, a DNSSEC resolver first hash its KSK record and compare it to what's present in the DS key record on a parent zone.
An example of a DS record looks like this.
abc.com. @ 3600 IN DS 2371 13 2 1F987CC6583E92DF0890718C42
|Host Label||TTL||Record Class||Record Type||Key Tag||Algorithm||Digest Type||Digest|
In above example,
To check the DS record of a domain, perform the following steps.