HomeDNS ToolsDS Lookup
DNS Tool

DS Lookup

Lookup DS records and validate parent-to-child DNSSEC delegation, digest integrity, and chain-of-trust continuity. Run fast checks, interpret results, and use…

Record Type
DS
Focused record verification for targeted DNS troubleshooting.
Best Use
Migration + incident checks
Validate live DNS answers during change windows.
Operational Context
Use this page to validate live resolver output during DNS cutovers, outage triage, and post-change verification windows.
DS Lookup — Start Here
Waiting for input
Enter a domain and run check
How to Use

Use DS Lookup in 4 Steps

01
Enter domain
Input the target domain in clean hostname format (no path or query string).
02
Run DS Lookup
Execute DS Lookup to pull live resolver output for this record scope.
03
Compare expected vs live
Match returned values with your intended DNS configuration at the source.
04
Cross-check related tools
Validate adjacent DNS layers to isolate cache vs source problems.

What is DS Lookup?

DS (Delegation Signer) records live in the parent zone and contain a cryptographic hash of the child zone's KSK (Key Signing Key). They complete the DNSSEC chain of trust by linking parent and child zones. For example, the .com zone holds DS records that point to KSKs in second-level domains like example.com.

DS records must be submitted to the registrar — not just published in the child zone. The registrar passes the DS to the TLD registry (e.g., Verisign for .com), which publishes it in the TLD nameservers. This is a separate step from publishing DNSKEY in your own zone, and missing it is the most common cause of DNSSEC validation failures.

Best Use
Registrar migration checks, DNSSEC break/fix diagnosis, and confirming delegation trust after key rollovers.
Common Mistake
Leaving old DS records in the parent zone after a key rollover. Stale DS records pointing to a retired KSK cause SERVFAIL for validating resolvers — remove them once the old key is no longer active.
Validation Path
Compare the DS digest type, algorithm, and key tag in the parent zone against the active KSK in the child zone's DNSKEY records.

Quick Interpretation Table

Use this reference to diagnose common outcomes when running DS Lookup.

Observed ResultLikely CauseNext Step
No DS in parent zoneDNSSEC chain of trust is incompleteSubmit DS record from current KSK to your registrar's DNSSEC management interface
DS digest doesn't match active DNSKEYStale delegation signer — key rollover not completedUpdate DS at registrar to match the current KSK key tag and digest
Unexpected number of DS recordsPossible rollover overlap or stale records from previous keyVerify key rollover plan — remove DS records for retired keys

CLI Examples

Run these commands directly from a terminal to verify DS records without relying on a browser-based tool.

dig DS example.com
Query DS records from the default resolver
dig DS example.com @a.gtld-servers.net
Query DS directly from the .com TLD nameserver — bypasses resolver cache
dnssec-dsfromkey Kexample.com.+013+12345.key
Generate DS record data from a DNSKEY key file using BIND tools
dig DNSKEY example.com | dnssec-dsfromkey -f -
Pipe DNSKEY output to generate corresponding DS record

Troubleshooting Workflow

  • Run this record check first for a scoped signal on the target hostname.
  • Validate nameserver authority and SOA context if results are unexpected.
  • Use propagation checks when different regions return different values.
  • Re-run after applying fixes and compare values against your expected configuration.

Frequently Asked Questions

What is a DS record?
A DS (Delegation Signer) record lives in the parent zone and contains a hash of the child zone's KSK (Key Signing Key). It creates the DNSSEC chain of trust between parent and child zones. For a .com domain, the .com TLD zone holds the DS record that validates the domain's DNSKEY.
Why is my DS record missing even though I have DNSKEY records?
DNSKEY records in your zone alone are not enough — DS records must be submitted to your registrar, who publishes them in the parent zone (the TLD). Without a matching DS in the parent, resolvers cannot verify the chain of trust and may treat the zone as unsigned (no DNSSEC protection).
What happens if my DS record doesn't match my DNSKEY?
Resolvers get SERVFAIL for all queries to your zone — the DNSSEC chain breaks completely and the domain becomes unreachable for DNSSEC-validating resolvers (which includes most public resolvers today). Always verify DS-DNSKEY alignment before completing a key rollover.
How do I generate a DS record from a DNSKEY?
Use `dnssec-dsfromkey` from BIND tools: `dnssec-dsfromkey -a SHA-256 Kexample.com.+013+12345.key`. Most DNS signing software generates DS records automatically. Your registrar's DNSSEC page accepts DS data in the format: Key Tag, Algorithm, Digest Type, Digest.
How long does DS record propagation take?
DS records propagate through the parent TLD zone, which typically has a TTL of 86,400 seconds (24 hours). After submitting to your registrar, allow up to 48 hours for global propagation. Monitor with `dig DS example.com @a.gtld-servers.net` to query the .com TLD zone directly and bypass resolver caching.
Record Scope
ToolDS Lookup
Query TypeDS
State SharingURL Param
Ops Checklist
• Verify source DNS values first
• Check authority (NS/SOA) if mismatch appears
• Compare with global propagation when needed
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.