DS Resource Records
A DS (Delegation Signer) RR contains a hash of a child zone's KSK. It can be used as a trust anchor in some security-aware resolvers and, in DNS servers, to create a secure delegation point for a signed subzone. As illustrated in the figure below, the DS RR in the parent zone corpxyz.com contains a hash of the KSK of the child zone sales.corpxyz.com, which in turn has a DS record that contains a hash of the KSK of its child zone, nw.sales.corpxyz.com.
The first four fields specify the owner name, TTL, class and RR type. The succeeding fields are as follows:
- Key Tag: The key tag value that is used to determine which key to use to verify signatures.
- Algorithm: Identifies the algorithm of the DNSKEY RR to which this DS RR refers. It uses the same algorithm values and types as the corresponding DNSKEY RR.
- Digest Type: Identifies the algorithm used to construct the digest. The supported algorithms are:
  - 1 = SHA-1
  - 2 = SHA-256
- Digest: If SHA-1 is the digest type, this field contains a 20-octet digest. If SHA-256 is the digest type, this field contains a 32-octet digest.
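The following added example (not part of the original page or of any vendor's code) derives the Key Tag and Digest fields from a child zone's DNSKEY RDATA and checks a parent's DS RR against it, following RFC 4034. The function names and the 32-octet dummy public key are constructed for illustration; the key tag routine covers the general case and not the special rule for algorithm 1.

```python
import hashlib
import hmac
import struct

# Digest types listed on this page: 1 = SHA-1 (20 octets), 2 = SHA-256 (32 octets)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-octet flags, 1-octet protocol, 1-octet algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """Digest field: hash of owner name (wire form) followed by DNSKEY RDATA."""
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported digest type {digest_type}")
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()

def ds_matches(owner, ds, rdata):
    """ds = (key_tag, algorithm, digest_type, digest) as published by the parent."""
    tag, algorithm, digest_type, digest = ds
    if tag != key_tag(rdata) or algorithm != rdata[3]:
        return False
    return hmac.compare_digest(digest, ds_digest(owner, rdata, digest_type))

# Constructed sample: KSK flags 257, protocol 3, algorithm 8, dummy 32-octet key
CHILD = "sales.corpxyz.com."
KSK = dnskey_rdata(257, 3, 8, bytes(range(32)))
DS = (key_tag(KSK), 8, 2, ds_digest(CHILD, KSK, 2))

if __name__ == "__main__":
    print(f"{CHILD} IN DS {DS[0]} {DS[1]} {DS[2]} {DS[3].hex().upper()}")
    print("DS matches child KSK:", ds_matches(CHILD, DS, KSK))
```

Because the owner name is part of the hashed input, a DS RR generated for one zone does not validate the same key published under a different zone name.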