Paste your DNSKEY record here
About DS Records
DS (Delegation Signer) records are the critical link in the DNSSEC chain of trust. They contain a cryptographic hash of your zone's DNSKEY record and are published in the parent zone, which is typically your domain registrar. These records create the trust relationship between the parent zone (like .com) and your domain.
The DS record format includes a key tag (identifying which DNSKEY it refers to), the algorithm used, the digest type (hash algorithm), and the actual hash value. When a DNS resolver validates DNSSEC, it uses the DS record from the parent zone to verify the DNSKEY record in your zone, ensuring the chain of trust is unbroken.
Important Note: This is a simplified generator for educational purposes. In production environments, DS record generation requires proper cryptographic hashing of the DNSKEY using the specified digest algorithm. Most modern DNS providers (Cloudflare, Route 53, etc.) generate DS records automatically when you enable DNSSEC, so manual generation is rarely needed.
DS records must be added to your domain registrar's DNS settings, not your DNS provider's settings. This is a common point of confusion. The registrar is where you purchased the domain, while the DNS provider is where your DNS records are hosted. The DS records create the link between these two systems.
How to Get Your DNSKEY: Query your domain's DNSKEY records using:dig DNSKEY example.com
For more information, see our DS Record Configuration Guide.