A DS RR contains a hash of a child zone's KSK and can be used as a trust anchor in some security-aware resolvers and to create a secure delegation point for a signed subzone in DNS servers. As illustrated in Figure 22.1, the DS RR in the parent zone corpxyz.com contains a hash of the KSK of the child zone sales.corpxyz.com, which in turn has a DS record that contains a hash of the KSK of its child zone, nw.sales.corpxyz.com.
[Figure 22.1: a DS chain from corp100.com (the trust anchor) to sales.corp100.com to nw.sales.corp100.com. Each zone holds its own DNSKEY RRs (flags 256 and 257) and the parent holds a DS RR with the child KSK's key tag (25924 for sales.corp100.com, 25854 for nw.sales.corp100.com), alongside signed A records such as server1.corp100.com, ftp.corp100.com, server2.sales.corp100.com, ftp1.sales.corp100.com, server3.nw.sales.corp100.com and ftp1.nw.sales.corp100.com, each with an RRSIG of the form "A 5 2 86400 ...".]
Following is an example of the DS RR:

corpxyz.com  86400  IN  DS  25924  5  1  49D2801B50E25D59440F1FF1A8012B568435B622B1F8709F33D744C4C6D71EA2

Read left to right, the fields are: Owner Name (corpxyz.com), TTL (86400), Class (IN), RR Type (DS), Key Tag (25924), Algorithm (5), Digest Type (1) and Digest (the hexadecimal string).
The first four fields specify the owner name, TTL, class and RR type. The succeeding fields are as follows:
- Key Tag: The key tag value that is used to determine which key to use to verify signatures.
- Algorithm: Identifies the algorithm of the DNSKEY RR to which this DS RR refers. It uses the same algorithm values and types as the corresponding DNSKEY RR.
- Digest Type: Identifies the algorithm used to construct the digest. The supported algorithms are:
  - 1 = SHA-1
  - 2 = SHA-256
- Digest: If SHA-1 is the digest type, this field contains a 20-octet digest. If SHA-256 is the digest type, this field contains a 32-octet digest.
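As an added example (not from the book), the following Python shows how the DS fields above are derived from a child zone's DNSKEY and how a parent-side record is checked against it: the key tag is computed with the RFC 4034 Appendix B procedure over the DNSKEY RDATA, and the digest is the hash of the canonical owner name followed by that RDATA, with its length checked against the digest type (20 octets for SHA-1, 32 for SHA-256). The owner name sales.corpxyz.com is taken from the text; the key bytes are constructed placeholder data, not a real RSA public key, since only the hashing and field handling are being demonstrated.

```python
import hashlib

# Digest types as listed above: 1 = SHA-1 (20 octets), 2 = SHA-256 (32 octets)
DIGEST_ALGS = {1: ("sha1", 20), 2: ("sha256", 32)}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 section 6.2): lower-case,
    length-prefixed labels, terminated by the zero-length root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-octet flags, 1-octet protocol, 1-octet algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), as upper-case hex."""
    alg, _ = DIGEST_ALGS[digest_type]
    return hashlib.new(alg, canonical_name(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2, ttl: int = 86400) -> str:
    """Build the DS RR (presentation format) a parent zone would publish for this DNSKEY."""
    algorithm = rdata[3]
    return (f"{owner} {ttl} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def parse_ds(line: str) -> dict:
    """Split a DS RR in presentation format into its fields; a digest wrapped
    across whitespace (as in the book's listing) is joined back together."""
    f = line.split()
    if len(f) < 8 or f[2].upper() != "IN" or f[3].upper() != "DS":
        raise ValueError("not a DS RR")
    return {"owner": f[0], "ttl": int(f[1]), "key_tag": int(f[4]),
            "algorithm": int(f[5]), "digest_type": int(f[6]),
            "digest": "".join(f[7:]).upper()}


def ds_matches_dnskey(ds_line: str, owner: str, rdata: bytes) -> bool:
    """Check that a DS RR refers to, and correctly digests, the given DNSKEY.
    Rejects an unknown digest type, a digest whose length does not fit the
    digest type, a key tag or algorithm mismatch, and finally a wrong digest."""
    ds = parse_ds(ds_line)
    if ds["digest_type"] not in DIGEST_ALGS:
        return False
    _, octets = DIGEST_ALGS[ds["digest_type"]]
    if len(ds["digest"]) != 2 * octets:
        return False
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    return ds["digest"] == ds_digest(owner, rdata, ds["digest_type"])


# Constructed sample: a KSK (flags 257, protocol 3, algorithm 5) whose public-key
# bytes are placeholder data rather than a real RSA key.
EXAMPLE_OWNER = "sales.corpxyz.com"
EXAMPLE_KSK = dnskey_rdata(257, 3, 5, b"\x03\x01\x00\x01\xab\xcd")
EXAMPLE_DS = make_ds(EXAMPLE_OWNER, EXAMPLE_KSK)

if __name__ == "__main__":
    print(EXAMPLE_DS)
    print("key tag:", key_tag(EXAMPLE_KSK))
    print("DS matches DNSKEY:", ds_matches_dnskey(EXAMPLE_DS, EXAMPLE_OWNER, EXAMPLE_KSK))
```

The length check is the one most often skipped in hand-rolled validators: a 40-hex-digit digest belongs to digest type 1 and a 64-digit one to type 2, and a record whose digest type and digest length disagree cannot have been produced by the procedure above, so it is rejected before any hashing is done.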