DS Record Generator
Generate DS records (SHA-1/256/384) from a DNSKEY or public key, with copyable output for parent zone submission.
DS Record Purpose
DS (Delegation Signer) records are published in the parent zone to establish a secure delegation to the child zone. They contain a hash of the child's KSK (Key Signing Key) and enable DNSSEC validators to verify the authenticity of the child zone's DNSKEY records.
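How the hash in a DS record is derived from the child's key, as an added example following RFC 4034 (this is not the generator's own code). The function names are hypothetical and the public key is a constructed 64-byte placeholder, not a real KSK.

```python
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form: lower-cased, length-prefixed labels, root terminator."""
    out = b""
    for label in (l for l in owner.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return the DS record line for one DNSKEY and one digest type."""
    if not flags & 0x0100:
        raise ValueError("Zone Key bit not set; key cannot be referenced by a DS")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # The digest covers the owner name AND the RDATA, so the same key
    # published under a different zone name yields a different DS.
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


# Constructed sample: placeholder bytes standing in for an algorithm 13 public key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    for digest_type in (2, 4):
        print(make_ds("example.com.", 257, 3, 13, SAMPLE_KEY, digest_type))
```

Comparing the key tag, algorithm and digest printed here with what the parent zone publishes is a quick check that the DS matches the DNSKEY the child actually serves.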
Digest Algorithm Recommendations
SHA-256 and SHA-384 are recommended for new deployments. SHA-1 is deprecated but may still be required for compatibility with older systems. Most registrars accept multiple DS records with different digest types for redundancy.
Parent Zone Submission
Submit the generated DS records to your parent zone operator (registrar for TLDs, hosting provider for subdomains). The DS records must be published in the parent zone before enabling DNSSEC signing in the child zone to maintain the chain of trust.