
DS Lookup

Our DS Lookup tool lets you quickly verify DS records, key tags, algorithms, and digests, ensuring your domain’s DNSSEC configuration is correct and secure.

About DS Lookup

DS Lookup - Verify Delegation Signer (DS) Records for DNSSEC Validation

Use HasheTools’ DS Lookup tool to instantly check and validate the Delegation Signer (DS) records of any domain. DS records are a critical part of DNSSEC (Domain Name System Security Extensions); they link your domain’s DNSKEY to its parent zone, ensuring a secure cryptographic chain of trust across the DNS hierarchy.

Our free online DS record lookup tool helps you verify DNSSEC configuration, detect mismatched or missing DS records, and confirm your domain’s authenticity against global DNS servers.

What Is a DS Record in DNS?

A Delegation Signer (DS) record is a special DNS record that stores a hash of a DNSKEY record from a child zone. It is placed in the parent zone and acts as a bridge of trust between the two.

In simple terms, the DS record ensures that the DNSKEY record in your child zone is valid and has not been tampered with, forming part of the DNSSEC validation process that protects users from DNS spoofing and cache poisoning.

Role of DS Records in DNSSEC

DNSSEC adds cryptographic signatures to DNS data, confirming that the responses you get come from legitimate servers. DS records play a key role by securely linking your domain’s DNSKEY to its parent, allowing resolvers to validate your domain’s DNSSEC chain.

DS Record vs. DNSKEY Record

| Record Type | Function | Stored In |
|---|---|---|
| DNSKEY | Contains the public key used to verify digital signatures. | Child Zone |
| DS Record | Contains a hash of the DNSKEY for validation. | Parent Zone |

Together, they ensure that the DNS data served for your domain is secure and authentic.

Why DS Lookup Matters

Checking your DS records regularly is essential for maintaining DNSSEC integrity and preventing security gaps.

Establishes a Chain of Trust

The DS record links your domain to the DNS root, creating a cryptographic trust chain that validates your domain’s authenticity from top to bottom.

Prevents Spoofing and MITM Attacks

Without DNSSEC and DS validation, your domain is vulnerable to man-in-the-middle or DNS spoofing attacks. DS Lookup confirms that your DNSSEC keys are trusted and uncompromised.

Detects DS-DNSKEY Mismatches

If your DS and DNSKEY records don’t match (for example, after a DNSSEC key rollover), validation fails. Our tool helps identify these mismatches instantly so you can fix them.

Improves Overall DNS Security

A correctly configured DS record ensures that resolvers can authenticate DNS responses, boosting domain security, email integrity, and web trustworthiness.

How to Perform a DS Record Lookup

Running a DS Lookup with HasheTools is quick and easy:

Step 1: Enter Your Domain

Type your domain name (e.g., example.com) into the search field.

Step 2: Click “Validate DS Lookup”

Our system queries authoritative DNS servers around the world to fetch your domain’s DS records.

Step 3: Review the Results

You’ll instantly see all relevant DS record details, including:

  • Key Tag
  • Algorithm
  • Digest Type
  • Digest Value

Use this information to confirm that your DNSSEC configuration is complete and error-free.

Example DS Record Explained

Here’s an example of what a DS record looks like (the digest is shortened here; a full SHA-256 digest is 64 hexadecimal characters):

example.com. 3600 IN DS 2371 13 2 1F987CC6583E92DF0890718C42

DS Record Components

| Field | Meaning |
|---|---|
| example.com | The domain name associated with the DS record. |
| 3600 | TTL (Time to Live), how long the record is cached. |
| IN | Internet class of the record. |
| DS | Record type (Delegation Signer). |
| 2371 | Key Tag, identifies the referenced DNSKEY record. |
| 13 | Algorithm, cryptographic algorithm (e.g., ECDSAP256SHA256). |
| 2 | Digest Type, hash type (e.g., SHA-256). |
| 1F987CC6583E92DF0890718C42 | Digest Value, hash of the DNSKEY. |

This information helps DNS resolvers confirm the legitimacy of your DNSKEY and, by extension, your domain.

Common DS Record Issues

Even small DS misconfigurations can break your DNSSEC chain. Here are the most common issues:

Mismatched Key Tag

Occurs when the Key Tag doesn’t match the DNSKEY in the child zone, causing validation to fail.

Incorrect Digest Type

If the hashing algorithm used differs from what the parent expects, DNSSEC breaks.

Missing DS Record

If the parent zone doesn’t contain your DS record, your DNSSEC chain of trust is incomplete.

Outdated or Expired Records

After a DNSKEY rotation, old DS records may become invalid. Always update them immediately.

Unsigned Child Zone

If your child zone isn’t DNSSEC-signed, no DS record will exist in the parent, leaving your domain insecure.

How DS Records Are Created and Validated

When you enable DNSSEC on your domain:

  1. Your DNS provider generates a DNSKEY pair (public and private keys).
  2. A hash of the public key is created; this becomes your DS record.
  3. The DS record is submitted to your domain registrar or parent zone.
  4. The parent zone publishes it, allowing DNS resolvers to validate your DNSSEC chain.

This process ensures end-to-end integrity from the DNS root to your individual domain.

Best Practices for Managing DS Records

Follow these tips to maintain a healthy DNSSEC configuration:

  • Keep DS and DNSKEY Records in Sync: After every DNSKEY rollover, ensure your DS record is updated in the parent zone.
  • Use Modern Cryptographic Algorithms: Prefer RSA/SHA-256, ECDSAP256SHA256, or ECDSAP384SHA384 for better security.
  • Validate Regularly: Test your DNSSEC setup using HasheTools’ DS Lookup and DNSKEY Lookup tools.
  • Verify After DNS or Registrar Changes: Any DNS migration or registrar transfer can impact DNSSEC data; always recheck DS records.
  • Remove Old Keys and Records: Stale DS records can cause validation errors; clean them up after key rollovers.

How to Lookup DS Records on Different Systems

You can also check DS records manually using terminal commands.

Windows

Windows’ nslookup doesn’t support DS record queries directly. You can use:

  • WSL (Windows Subsystem for Linux): run the Linux dig command, or
  • HasheTools DS Lookup (fast, browser-based).

macOS

  1. Open Terminal.
  2. Type:

dig example.com DS

  3. Review the “ANSWER SECTION” for your DS records.

Linux

  1. Open a terminal.
  2. Run the same command:

dig example.com DS

  3. The output lists all DS records for your domain.

Using HasheTools is faster, requires no setup, and queries multiple global DNS servers simultaneously.


Frequently Asked Questions About DS Lookup

1. What is a DS record used for?

A DS record stores a hash of a domain’s DNSKEY record in its parent zone. It ensures that DNSSEC can verify your domain’s authenticity.

2. How can I check my DS records?

Simply use the HasheTools DS Lookup Tool, enter your domain name, and it will instantly fetch and validate your DS records from global DNS servers.

3. What happens if DS and DNSKEY don’t match?

DNSSEC validation fails, meaning resolvers can’t confirm the authenticity of your domain. This can cause your website or email to appear untrusted.

4. What’s the difference between DS and DNSKEY records?

DNSKEY holds the actual cryptographic key; DS holds the hash of that key stored in the parent zone for verification.

5. How often should I check my DS records?

Check DS records whenever you update DNSSEC keys, change DNS providers, or transfer your domain registrar.