With a DS record you can ensure that a subdomain with an NS record pointing to an external name server can also be secured with DNSSEC.
In this article we explain what a DS record is and how to add a DS record to the DNS settings of your domain name.
A DS record, also known as "Delegation Signer", is a record that identifies the DNSSEC signing key of a delegated zone (the zone of the subdomain on another name server). This DS record is located in the zone of your domain name and refers to the DNSSEC data of your subdomain on the external name server so that the correct DNSSEC data of your subdomain can be verified.
A visitor's browser will verify that the subdomain's DNSSEC information is trustworthy via the DS record associated with the domain. Apart from that, the browser can check that the DNSSEC data of the root domain itself can be trusted by looking at the DS record for the domain name itself (which is automatically created at the registry if the domain is registered with TransIP and you use the TransIP name servers).
With this method, which checks each step for its trustworthiness, it can be verified that the DNS zone of the domain name is properly secured with DNSSEC. This principle is called the 'Chain of trust' and is the basis of DNSSEC security. For more information about DNSSEC, see the article: 'What is DNSSEC?'
When do I add a DS record?
If your domain name is registered with TransIP and you use our name servers then in most cases you do not need to enter a DS record for your domain name. This is all handled automatically by our system so the domain name is secured via DNSSEC and you don't have to worry about this.
The only exception is that if you have created NS records for one or more subdomains in the DNS settings of your domain name to use external name servers for the subdomain(s). If you use external name servers for a subdomain, you will need to set up DS records on your domain name for that specific subdomain to ensure that your subdomain's DNSSEC information on the external name servers will be trusted. This is essential to ensure that the subdomain is secured via DNSSEC.
The information you need to set up a DS record is found in the software you've used to sign the subdomain on the external name servers with DNSSEC. In addition to signing your subdomain, that software should also generate the necessary DS record information that you can use to add the DS record for the subdomain to your domain name.
Important:
- Adding a DS record yourself is only necessary if you have created NS records for a subdomain and therefore use external name servers for this specific subdomain. In all other cases you do not need to add DS records yourself.
- If you use external name servers for your subdomain, you must ensure that the subdomain is signed via DNSSEC on those external name server(s). This cannot be arranged via TransIP as we do not have access to external name servers. How you sign the subdomain with DNSSEC on your external name servers depends on the configuration of the external name server(s). For this you can contact the administrator of the external name server(s) or, if this is you, consult the manual of your name server software.
- If you use the TransIP name servers for your domain name and have no NS record(s) for any subdomains, then you do not need to add any DS record(s).
- If you use your own name servers for a domain name, the DNS settings will not be handled via TransIP but need to be configured on your own name servers. In this case, you can't add any DS record(s) with us. However, you will have to enter your own DNSSEC settings for your domain in your control panel if you want your domain name to be secured via DNSSEC.
Where do I add a DS record?
You can add all your DNS records easily and free of charge via your control panel. Go to 'Domain' and select the domain in the left column for which you want to add the DS record (don't check the box).
Now scroll to 'Advanced Domain Settings', followed by 'DNS'. If you do not see this yet, first click the switch behind 'TransIP settings' so the TransIP settings are switched off.
You will then see an overview of the DNS records of your domain name which you can change at will. Make sure to leave the 'TransIP settings' turned off, otherwise these will overwrite your own DNS records.
How do I add a DS record?
The information you need to set up a DS record is not in your control panel. We do not have access to this information, which is why you cannot request the necessary information for the DS record from us.
The necessary information for the DS record will be shown by the software you used to sign the subdomain on the external name servers with DNSSEC. In addition to signing your subdomain, that software will also generate the necessary DS record with the information you can enter in the 'Value' field of a DNS record for your domain name.
In the example below you see a DS record and 3 NS records for the subdomain subdomain.transiptutorials.com.
We'll further explain these settings below:
- The NS records have the name subdomain and indicate which name servers are used for this subdomain. This means that DNS records for this subdomain must be set on the external name servers and not on the TransIP name servers. In this example, this means that the DNS for this subdomain is handled by the following name servers:
  ns0.example.net
  ns1.example.nl
  ns2.example.eu
- The DS record has the name subdomain and ensures that when visiting the website subdomain.transiptutorials.com it is clear to the intermediate resolvers that the zone of subdomain.transiptutorials.com on the external name servers uses DNSSEC. It also allows the DNSSEC information of this subdomain on the external name servers to be verified as being trustworthy. It is of course important that the subdomain is actually signed via DNSSEC on these external name server(s).
The above settings allow resolvers to verify the DNSSEC security of the subdomain when the subdomain is visited. In this example the verification would go like this: the relevant resolvers will check the encrypted KSK of the zone on the external name servers of subdomain.transiptutorials.com with the DS record set for the subdomain at transiptutorials.com. If this matches, then it proves that the DNS records are correct and the values have not been changed in the meantime. The subdomain is then secured with DNSSEC.
Name
You add a DS record by starting with the name. A DS record with TransIP can only be used for a subdomain and not for the root domain. Therefore you should always enter the subdomain itself, without the domain name behind it, and never @. For example: for the subdomain subdomain.transiptutorials.com you would enter 'subdomain' without the quotation marks.
TTL
The 'TTL' of a DNS record signifies how long the record can remain in the cache. We recommend keeping the TTL low, for example 1 hour.
Type
Because you want to add a DS record, choose 'DS' under 'Type'.
Value
As 'Value' you need to enter 4 things. It is important that you enter these in the correct order in the 'Value' field, separated by spaces:
- The 'key tag' of the relevant KSK record that the subdomain is signed with on the external name server(s). This is usually a five-digit number but can also be a number with 3 or 4 digits.
- The 'algorithm' used to generate the DNSSEC signature of the subdomain.
- The so-called 'digest type', this is the algorithm used to generate the 'digest'.
- The 'digest' is the DS key and the actual contents of the DS record. This is a cryptographic hash of the DNSSEC data that the DS record points to. After all, the DS record must point to the subdomain's DNSSEC information on the subdomain's name servers.
An example of the 'Value' field of a DS record:
Please note: The 'digest' itself is only partially visible in the screenshot above as it is longer than the 'Value' field.
The following data was used in the example.
subdomain.transiptutorials.com IN DS 15288 5 2 CE0EB9E59EE1DE2C681A330E3A7C08376F28602CDF990EE4EC88D2A8BDB51539
The most important parts of the 'Value' field of the example are explained below:
- The key tag of the relevant KSK record that the subdomain is signed with on the external name server(s): 15288
- The algorithm, in this case: 5
- The so-called digest type, in this case: 2
- The contents of the DS record, also known as digest. In the example, that is the following value: CE0EB9E59EE1DE2C681A330E3A7C08376F28602CDF990EE4EC88D2A8BDB51539
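To make the four parts of the 'Value' field and the chain-of-trust check concrete, here is an added worked example (written for this article; it is not TransIP code and not the output of any signing software). It builds a DS value from a DNSKEY exactly the way RFC 4034 defines it (key tag from the DNSKEY RDATA, digest over the owner name in wire form plus that RDATA), parses a 'Value' string into its four parts, and recomputes the DS from a child DNSKEY to see whether it matches the DS published in the parent zone, which is what a validating resolver does at the delegation. The KSK bytes, the owner name subdomain.transiptutorials.com and the algorithm 13 (ECDSA P-256) are constructed sample inputs, not a real key; the digest therefore differs from the one in the article's example, which is only used here as a parsing input.

```python
import hashlib

# DS 'digest type' numbers and the hash they denote (RFC 4034, RFC 4509, RFC 6605).
DIGEST_ALGORITHMS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each prefixed
    by its length, terminated by the zero-length root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 marks a KSK), 1-byte protocol (always 3),
    1-byte algorithm number, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the
    obsolete RSAMD5, algorithm 1, which used a different rule)."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 key tags are not computed here")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """The 'digest' part: hash(owner name in wire form || DNSKEY RDATA), upper-case hex."""
    h = hashlib.new(DIGEST_ALGORITHMS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def make_ds_value(owner: str, flags: int, protocol: int, algorithm: int,
                  public_key: bytes, digest_type: int = 2) -> str:
    """The four space-separated parts entered in the 'Value' field:
    key tag, algorithm, digest type, digest."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"


def parse_ds_value(value: str):
    """Split a 'Value' string into (key tag, algorithm, digest type, digest) and
    check that the digest length matches the digest type."""
    parts = value.split()
    if len(parts) != 4:
        raise ValueError("a DS value has exactly four space-separated parts")
    tag, alg, dtype = int(parts[0]), int(parts[1]), int(parts[2])
    digest = parts[3]
    if dtype not in DIGEST_ALGORITHMS:
        raise ValueError(f"unknown digest type {dtype}")
    expected_len = hashlib.new(DIGEST_ALGORITHMS[dtype]).digest_size * 2
    if len(digest) != expected_len or any(c not in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("digest is not a hex string of the length the digest type requires")
    return tag, alg, dtype, digest.upper()


def ds_matches_dnskey(ds_value: str, owner: str, flags: int, protocol: int,
                      algorithm: int, public_key: bytes) -> bool:
    """Resolver-side check at the delegation: recompute the DS from the child's
    KSK and compare it with the DS record published in the parent zone."""
    tag, alg, dtype, digest = parse_ds_value(ds_value)
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return tag == key_tag(rdata) and alg == algorithm and digest == ds_digest(owner, rdata, dtype)


# Constructed sample KSK (not a real key): ECDSA P-256 (algorithm 13) carries a 64-byte public key.
SAMPLE_OWNER = "subdomain.transiptutorials.com"
SAMPLE_KEY = bytes(range(64))

if __name__ == "__main__":
    value = make_ds_value(SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY)
    print("Name:  subdomain")          # relative name entered in the control panel
    print("Value:", value)
    print("parent DS matches child KSK:", ds_matches_dnskey(value, SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY))
    # A key that differs in a single byte yields a different digest, so validation fails.
    print("tampered KSK matches:", ds_matches_dnskey(value, SAMPLE_OWNER, 257, 3, 13, SAMPLE_KEY[:-1] + b"\xff"))
```

Two things the code makes visible that the list above does not: the owner name is part of the hashed data, so a DS copied to the wrong subdomain never validates even if the key is right; and the digest length is fixed by the digest type (40, 64 or 96 hex characters for types 1, 2 and 4), which is a quick sanity check on a value pasted into the 'Value' field.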
Important:
- Make sure that you do not copy the information above, but that you use the information you've received from the software you used to sign the subdomain on the external name servers with DNSSEC. In addition to signing your subdomain, that software will also generate the necessary DS record with the information you can enter in the 'Value' field of a DNS record for your domain name.
- Keep in mind that it can take up to 24 hours for changes to DNS settings to be implemented globally. This is related to the way external systems process these changes and we have no influence on that. You usually see these changes well within 24 hours.
In this article we've explained what a DS record is and how you can add a DS record in your control panel. For a general explanation about DNS records and how to add them, see the article 'DNS and nameservers'.
Should you have any questions left regarding this article, do not hesitate to contact our support department. You can reach them via the ‘Contact Us’ button at the bottom of this page.