DS Lookup
Lookup DS records and validate parent-to-child DNSSEC delegation, digest integrity, and chain-of-trust continuity. Run fast checks, interpret results, and use…
Use DS Lookup in 4 Steps
What is DS Lookup?
DS (Delegation Signer) records live in the parent zone and contain a cryptographic hash of the child zone's KSK (Key Signing Key). They complete the DNSSEC chain of trust by linking parent and child zones. For example, the .com zone holds DS records that point to KSKs in second-level domains like example.com.
DS records must be submitted to the registrar — not just published in the child zone. The registrar passes the DS to the TLD registry (e.g., Verisign for .com), which publishes it in the TLD nameservers. This is a separate step from publishing DNSKEY in your own zone, and missing it is the most common cause of DNSSEC validation failures.
Quick Interpretation Table
Use this reference to diagnose common outcomes when running DS Lookup.
| Observed Result | Likely Cause | Next Step |
|---|---|---|
| No DS in parent zone | DNSSEC chain of trust is incomplete | Submit DS record from current KSK to your registrar's DNSSEC management interface |
| DS digest doesn't match active DNSKEY | Stale delegation signer — key rollover not completed | Update DS at registrar to match the current KSK key tag and digest |
| Unexpected number of DS records | Possible rollover overlap or stale records from previous key | Verify key rollover plan — remove DS records for retired keys |
CLI Examples
Run these commands directly from a terminal to verify DS records without relying on a browser-based tool.
dig DS example.comdig DS example.com @a.gtld-servers.netdnssec-dsfromkey Kexample.com.+013+12345.keydig DNSKEY example.com | dnssec-dsfromkey -f -Troubleshooting Workflow
- Run this record check first for a scoped signal on the target hostname.
- Validate nameserver authority and SOA context if results are unexpected.
- Use propagation checks when different regions return different values.
- Re-run after applying fixes and compare values against your expected configuration.
Frequently Asked Questions
Get guides like this by email
DNS, email auth, and security playbooks delivered when they publish. No spam.