DNS DNSKEY and DS Records

The DNSKEY and DS records are used by DNSSEC resolvers to verify the authenticity of DNS records.

Learning Objectives

After reading this article you will be able to:

  • Understand the purpose of the DNSKEY record
  • Understand the role the DS record plays in DNSSEC

Copy article link

What are the DNSKEY and DS records?

The Domain Name System (DNS) is the phonebook of the Internet, but it was not designed with security in mind. For this reason, an optional security protocol called DNSSEC was created so that owners of web properties could better secure their applications. DNSSEC increases security by adding cryptographic signatures to DNS records; these signatures can be checked to verify that a record came from the correct DNS server.

For the implementation of these cryptographic signatures, two new DNS record types were created: DNSKEY and DS. The DNSKEY record contains a public signing key, and the DS record contains a hash* of a DNSKEY record.

Each DNSSEC zone is assigned a set of zone signing keys (ZSK). This set includes a private and public ZSK. The private ZSK is used to sign the DNS records in that zone, and the public ZSK is used to verify the private one.

The public ZSK is published in a DNSSEC record, which is how it is provided to a DNSSEC resolver; the resolver will use the public ZSK to ensure the records from that zone are authentic. As an added layer of security, DNSSEC zones contain a second DNSKEY record containing a key signing key (KSK), which verifies the authenticity of the public ZSK.

The DS record is used to verify the authenticity of child zones** of DNSSEC zones. The DS key record on a parent zone contains a hash of the KSK in a child zone. A DNSSEC resolver can therefore verify the authenticity of the child zone by hashing its KSK record, and comparing that to what is in the parent zone's DS record.

*A cryptographic hash is a one-way scrambling of alphanumeric input; hashes are often used for storing sensitive information like passwords on servers. For example, a hash of the input ‘cantguessthis’ is 18fe9934cf77a759eb2471f2b304708a. Every time ‘cantguessthis’ is put through the hashing function, it outputs the same hash. But there is no way to get the original input using just the hash. The hash on its own is essentially useless.

**A child zone is a delegated subdomain of another zone. For instance, a URL of example.com could have child zones with domains like blog.example.com and mail.example.com.