/ˈdiː-ɛs/
n. “The chain that links the trust.”
DS, short for Delegation Signer, is a special type of DNS record used in DNSSEC to create a secure chain of trust between a parent zone and a child zone. It essentially tells resolvers: “The key in the child zone is legitimate, signed by authority, and you can trust it.”
In DNSSEC, every zone signs its own data with its private key, producing RRSIG records. But a validating resolver needs to know whether that signature itself is trustworthy. That’s where DS comes in — it links the child’s DNSKEY to a hash stored in the parent zone.
When a resolver looks up a domain in a child zone, it starts at the parent zone, retrieves the DS record, and uses it to verify the child’s DNSKEY. Once the public key is verified against the DS, the resolver can check the RRSIG on the actual records. This process builds the chain of trust from the root down to the leaf domains.
Without DS, a child zone’s signatures would be isolated. They could prove internal integrity but wouldn’t be anchored to the larger DNS hierarchy. DS provides the glue that allows validators to trust a signed zone without needing to manually install its keys.
Consider a hypothetical domain, example.com. The .com parent zone publishes a DS record pointing to the hash of the DNSKEY used by example.com. When a client queries example.com with DNSSEC validation, the resolver fetches the DS from .com, confirms the hash matches the child DNSKEY, then trusts the RRSIGs within example.com. If the hash doesn’t match, the resolver discards the response, preventing tampered or forged data from being accepted.
DS records do not encrypt data or prevent eavesdropping. They only provide a verifiable link in the chain of trust. If an attacker can manipulate the parent zone or inject a fraudulent DS, security fails — highlighting why operational security at registries is critical.
In short, DS is the handshake between parent and child in DNSSEC, establishing that the child’s keys are legitimate and forming the backbone of secure, authenticated DNS resolution. It transforms the DNS from a fragile trust-on-first-use system into one where the chain of signatures can be validated cryptographically at every step.