Use this DS Lookup tool to check DS records for any domain. It helps you confirm that a domain's DNSSEC configuration is linked to its parent zone.
DS record lookup is a free utility that helps domain owners and network administrators validate the DNSSEC chain of trust. It helps you troubleshoot DNSSEC-related issues.
DS records play an important role in DNSSEC. They connect a domain's DNSKEY records to its parent zone. These records help DNS resolvers verify that DNS records have not been modified.
A Delegation Signer (DS) record is a DNS record type used by DNSSEC. It establishes a chain of trust between a parent zone (for example, .com) and a child zone (a particular domain), which allows DNS resolvers to verify the child zone's DNSSEC information.
DS records are not stored in the child domain's DNS zone. Instead, they are published in the parent zone through the domain registrar.
Here’s how DS records work in action.
If both match, the DNS resolver trusts the DNS information and continues the lookup. If they do not match, DNSSEC validation fails because the DNS data cannot be verified.
To check the DS record of a domain, use the DS record checker.
You can also check DS records using the dig command on Linux & macOS.
When you perform a DS lookup using our tool, the results contain the following fields.
| Field | Description |
|---|---|
| Domain name | Domain associated with the DS record |
| TTL (Time to Live) | Time for which DNS resolvers can cache the DS record before requesting an updated version |
| Key tag | A numeric identifier that helps DNS resolvers find the correct DNSKEY record during DNSSEC validation |
| Algorithm | The cryptographic algorithm used to create the DNSSEC key |
| Digest type | The hashing method used to generate the digest value stored in the DS record |
| Digest value | Cryptographic fingerprint of the domain's DNSKEY record used to establish trust in the DNSSEC chain |
Our DS record checker mainly helps you verify the DS record for a domain. It also serves several other purposes.
Check whether a domain has a published DS record and confirm that DNSSEC delegation is configured.
View the DS record stored in the parent zone that establishes trust between the parent and child domains.
Our DS checker retrieves important DS record information.
As an example, if you perform a DS lookup for a domain, let’s say cloudflare.com, you will see the key DS components in the results, like below:
| Type | Domain Name | TTL | Key Tag | Algorithm | Digest Type | Digest |
|---|---|---|---|---|---|---|
| DS | cloudflare.com | 977 | 2371 | 13 | 2 | 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D63826F2B9 |
This information helps you identify missing or incorrect DS records that may cause DNSSEC validation failures.
DS and DNSKEY records work together to support DNSSEC. However, they serve different purposes.
A DNSKEY record contains the public key used to verify DNSSEC signatures for a domain. A DS record contains a secure fingerprint of that DNSKEY record.
| Feature | DS Record | DNSKEY Record |
|---|---|---|
| Full Name | Delegation Signer | DNS Public Key |
| Purpose | Links a domain to its parent zone and establishes trust | Stores the public key used for DNSSEC validation |
| Location | Stored in the parent zone (such as .com, .net, or .org) | Stored in the domain's DNS zone |
| Contains | A fingerprint (digest) of a DNSKEY record | A public cryptographic key |
| Used For | Verifying that a DNSKEY record is trusted | Verifying DNSSEC signatures |
| Used By | DNS resolvers during DNSSEC validation | DNS resolvers during signature verification |
DNS resolvers use the DS record to verify that the DNSKEY record belongs to the domain and can be trusted.
You can find your domain's DS record using a DS Lookup tool. You can also view it in your domain registrar account if DNSSEC is enabled for your domain.
Open Command Prompt and run the following command:
nslookup -type=DS example.com
You can also use an online DS Lookup tool to check DS records without using the command line.
Open Terminal and run:
dig DS example.com
Replace example.com with your domain name. The command will return the domain's DS record if one exists.
DS records are usually managed through your domain registrar. Log in to your domain registrar account and enable DNSSEC with your DNS provider. Then add or update the DS record in your registrar account using the DNSSEC information provided by your DNS provider.
If a DS record does not match the domain's DNSKEY record, DNSSEC validation will fail. In such a case, some DNS resolvers may treat the domain as invalid. This can make the website, email, or other services inaccessible to users.
No. A domain only has a DS record when DNSSEC is enabled and configured.
Yes. Domains may publish multiple DS records during DNSSEC key rollovers or when using multiple signing keys.