If you’ve activated DNSSEC with your DNS provider, you must create complementary DS records within your domain registration.
When you sign a zone on your nameserver to enable DNSSEC, the Delegation Signer (DS) resource record must be propagated to the parent of the zone (in this case, the TLD registry) in order to establish a chain of trust to your zone. The DS record contains a digest of your DNSSEC Key Signing Key (KSK), and acts as a pointer to the next key in the chain of trust.
We recommend you create two DS records per algorithm that you plan to support: one for the current DS record, and one for the next DS record, to be used after the current record expires.
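To check that the DS values you enter in your domain registration actually correspond to the KSK your DNS provider publishes, you can recompute the digest yourself. The following is an added example, not code from this article or any provider: it builds the DS fields from a DNSKEY as defined in RFC 4034 (digest over the owner name in wire format followed by the DNSKEY RDATA). The owner name `example.com.`, the sample key bytes, and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# DS digest type numbers -> hash constructors (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# Constructed sample key material (not a real key): 64 bytes, the size of an
# algorithm 13 (ECDSA P-256) public key.
SAMPLE_PUBKEY_B64 = base64.b64encode(bytes(range(64))).decode()

def wire_name(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 octets), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner, rdata, ds):
    """True if a DS tuple, as entered at the registrar, matches this DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.replace(" ", "").upper())

if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY_B64)  # flags 257 = KSK (SEP bit set)
    print("example.com. IN DS %d %d %d %s" % make_ds("example.com.", ksk))
```

Running `ds_matches` against both the current and the next KSK before submitting their DS records catches a mistyped digest or a mismatched algorithm number, either of which would break validation for the zone.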
Article Contents
- Creating a DS Record
- Modifying a DS Record
- Deleting a DS Record