DNS records and worldwide DNS propagation checker

DS Lookup

About DS Lookup - Online DS Checker Tool

DS Lookup lets you check DS records for any domain. The online tool allows you to query the DNS servers and identify the Delegation Signers (DS) record for the specified domain.

What is a DS record in DNS?

The Domain Name System (DNS) is the internet's phone book: a huge distributed database that maps domain names to their corresponding IP addresses. The original DNS was not designed with security in mind, which left it exposed to man-in-the-middle (MITM) attacks and cache poisoning. To address this, an optional set of security extensions called DNSSEC was created so that domain owners could protect their websites and applications.

DNSSEC is a set of specifications designed by the Internet Engineering Task Force (IETF) to authenticate the DNS data exchanged between DNS servers and clients.

DNSSEC increases DNS security by adding cryptographic signatures to DNS records. These signatures let a validating resolver verify that a record really came from the authorized DNS server for the zone and was not altered in transit.

To carry these keys and signatures, DNSSEC introduced two DNS record types, DNSKEY and DS, both defined in RFC 4034:

  1. DNSKEY contains the public signing key
  2. DS contains a hash of the DNSKEY record

DNSSEC Zone

Each domain name in the Domain Name System has several DNS records. DNS zones are created to keep these records in order: a zone contains all the records and settings of a domain name. Every domain name has one or more DNS zones, each delegated to a legal entity (a person, organization, or company) responsible for managing that zone. In simple words, DNS zones provide more granular control over the DNS namespace.

Each DNSSEC-signed zone is assigned a zone signing key (ZSK), which is a pair of a public and a private key. The private key is used to sign the DNS records in that zone, and the public key is used to verify the signatures made with the private key.

The public ZSK is published in the zone as a DNSKEY record, which a validating DNSSEC resolver uses to check that the records from that zone are authentic. As an additional layer of security, a DNSSEC zone also includes a key signing key (KSK), published as another DNSKEY record; the KSK signs the zone's DNSKEY record set and thereby vouches for the authenticity of the public ZSK.

Why do you need a DS record?

The DS record is needed to verify the authenticity of a child zone from its parent zone: it transfers trust from the parent zone to the child zone. A DS record contains a hash of a DNSKEY record, so the DS record in the parent zone holds a hash of the child zone's KSK. To validate the child zone, a DNSSEC resolver first hashes the child's KSK DNSKEY record and then compares the result with the digest in the DS record published in the parent zone.

Components of DS records

An example of a DS record looks like this:

abc.com. 3600 IN DS 2371 13 2 1F987CC6583E92DF0890718C42

  Host Label   TTL    Record Class   Record Type   Key Tag   Algorithm   Digest Type   Digest
  abc.com.     3600   IN             DS            2371      13          2             1F987CC6583E92DF0890718C42

In the above example:

  • abc.com. is the owner name (host label) of the record.
  • 3600 is the TTL (time to live): the number of seconds a resolver may cache the record before it expires.
  • IN is the record class (Internet), the default class used for records on the public internet.
  • DS is the DNS record type.
  • 2371 is the key tag, which helps to quickly identify the referenced DNSKEY record. It may be any value allowed by RFC 4034 (an integer in the range 0 to 65535).
  • 13 is the algorithm number of the referenced DNSKEY record. It may be one of the following values:
    • 5 (RSASHA1)
    • 7 (RSASHA1-NSEC3-SHA1)
    • 8 (RSASHA256)
    • 10 (RSASHA512)
    • 12 (ECC-GOST)
    • 13 (ECDSAP256SHA256)
    • 14 (ECDSAP384SHA384)
    • 15 (Ed25519)
    • 16 (Ed448)
  • 2 is the digest type, the cryptographic hash algorithm used to construct the digest value. It may be one of the following values:
    • 1 (SHA-1)
    • 2 (SHA-256)
    • 3 (GOST)
    • 4 (SHA-384)
  • 1F987CC6583E92DF0890718C42 is the digest: the cryptographic hash of the referenced DNSKEY record (computed over the owner name and the DNSKEY record data).
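As an added worked example (not code from the DS Lookup tool), the following Python derives a DS record from a DNSKEY record the way RFC 4034 specifies: the key tag is computed from the DNSKEY RDATA, and the digest is the hash of the owner name in wire form followed by that RDATA. It then performs the resolver-side check described above, hashing a child zone's KSK and comparing the result with the DS fields the parent would publish. The sample KSK, its 4-byte placeholder public key and the owner name abc.com. are constructed values (a real ECDSAP256SHA256 key is 64 bytes), and digest type 3 (GOST) is treated as unsupported because Python's hashlib does not provide it.

```python
import hashlib
import struct

# DNSKEY algorithm numbers and DS digest types as listed above.
# Digest type 3 (GOST R 34.11-94) is not available in hashlib, so a DS that
# uses it is treated as unusable below, which is how a validator must behave
# for a digest type it does not support.
DNSKEY_ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "Ed25519", 16: "Ed448",
}
DS_DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: length-prefixed lower-case labels, root label last."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum the RDATA as 16-bit big-endian words, fold the carry."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Derive the DS fields a parent zone would publish for this DNSKEY.

    The digest covers the owner name (wire form) followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DS_DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def format_ds(ds, ttl=3600):
    """Render DS fields in the presentation format shown in the example above."""
    return f'{ds["owner"]} {ttl} IN DS {ds["key_tag"]} {ds["algorithm"]} {ds["digest_type"]} {ds["digest"]}'


def parse_ds(line):
    """Parse a presentation-format DS line such as 'abc.com. 3600 IN DS 2371 13 2 1F98...'."""
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    # Zone files may split the hex digest into several whitespace-separated chunks.
    return {"owner": fields[0], "key_tag": tag, "algorithm": alg,
            "digest_type": dtype, "digest": "".join(fields[i + 4:]).upper()}


def ds_matches_dnskey(ds, flags, protocol, algorithm, public_key):
    """The check a validating resolver performs: hash the child's KSK and compare with the parent's DS."""
    if ds["digest_type"] not in DS_DIGEST_TYPES:
        return False  # unknown or unsupported digest type: this DS cannot be used
    derived = make_ds(ds["owner"], flags, protocol, algorithm, public_key, ds["digest_type"])
    return (derived["key_tag"], derived["algorithm"], derived["digest"]) == \
        (ds["key_tag"], ds["algorithm"], ds["digest"])


# Constructed sample KSK (flags 257 = Zone Key + Secure Entry Point), algorithm 13.
# The 4-byte "public key" is a placeholder so the key tag can be checked by hand
# (RDATA 01 01 03 0d 01 02 03 04 sums to 0x0814 = 2068); a real key is 64 bytes.
SAMPLE_OWNER = "abc.com."
SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM = 257, 3, 13
SAMPLE_PUBLIC_KEY = bytes([0x01, 0x02, 0x03, 0x04])

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_PROTOCOL, SAMPLE_ALGORITHM, SAMPLE_PUBLIC_KEY)
    line = format_ds(ds)
    print(line)
    ok = ds_matches_dnskey(parse_ds(line), SAMPLE_FLAGS, SAMPLE_PROTOCOL,
                           SAMPLE_ALGORITHM, SAMPLE_PUBLIC_KEY)
    print("child KSK matches parent DS:", ok)
```

To use this against a real delegation, feed the child zone's KSK (flags, protocol, algorithm and the base64-decoded public key from its DNSKEY record) and the DS line obtained from the parent; a mismatch in key tag, algorithm or digest means the parent's DS does not point at that key and validation of the child zone will fail.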

How do I check my DS record?

To check the DS record of a domain, perform the following steps.