- The DS record contains a cryptographic hash of the child's KSK.
- A zone’s DS records only appear in its parent zone along with NS records at a delegation point.
This “DS record” at the parent name server is what binds your signed domain into the larger “chain of trust.”
How to add DS record to the Registrar?
To get the DS record:
* Log in to your WHM ( https://<your_server_ip>:2087/ )
* Navigate to plugin section and click on DNSSEC Manager Standard Edition (cPanel) v1.0
* Click on the link that says "Show DS" against your domain.
Your dsset file has two lines. One is your KSK and one is your ZSK. You need to add the KSK key at the registrar first, and then the ZSK.
The following information from the DS record has to be provided to your registrar to get the DS record set up there:
* Key Tag
* Algorithm
* Digest Type
* Digest
For example in the DS record shown below:
test123.com. IN DS 39151 5 1 0C1615B3C20D36C0EF3272A25CA0469AD929C312
Key Tag = 39151
Algorithm = 5 (RSA/SHA)
Digest type = 1 (SHA-1) [For SHA-256 this will be 2]
Digest = 0C1615B3C20D36C0EF3272A25CA0469AD929C312
Repeat this for the second line. Note that the Digest type will change to 2, and your key in the dsset file looks like this: "6695CD1AEBDCFD2E0530361234564E67F9D4202BBE34FD719B8EB97F 3B12345F". You may need to remove the space.
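To avoid copy and paste mistakes when filling in the registrar form, the four fields can be pulled out of each dsset line and checked before submission. The script below is an added example, not part of the plugin; `parse_ds_line`, `parse_dsset` and the second sample line (which assumes the same key tag and algorithm as the first) are constructed for illustration.

```python
import re

# Digest types named on this page -> (name, expected number of hex characters).
DIGEST_TYPES = {1: ("SHA-1", 40), 2: ("SHA-256", 64)}

# Line 1 is the page's example. Line 2 is constructed: it reuses the page's
# second digest (with its space) and assumes the same key tag and algorithm.
SAMPLE_DSSET = """\
test123.com. IN DS 39151 5 1 0C1615B3C20D36C0EF3272A25CA0469AD929C312
test123.com. IN DS 39151 5 2 6695CD1AEBDCFD2E0530361234564E67F9D4202BBE34FD719B8EB97F 3B12345F
"""


def parse_ds_line(line):
    """Return the four registrar fields from one dsset line, or raise ValueError."""
    tokens = line.split()
    if "DS" not in tokens:
        raise ValueError("not a DS record: %r" % line)
    rdata = tokens[tokens.index("DS") + 1:]
    if len(rdata) < 4:
        raise ValueError("DS record is missing fields: %r" % line)
    key_tag, algorithm, digest_type = (int(field) for field in rdata[:3])
    # A long digest may be wrapped with a space; rejoin the pieces.
    digest = "".join(rdata[3:]).upper()
    if not re.fullmatch(r"[0-9A-F]+", digest):
        raise ValueError("digest is not hexadecimal: %r" % digest)
    if digest_type not in DIGEST_TYPES:
        raise ValueError("unexpected digest type %d" % digest_type)
    name, hex_len = DIGEST_TYPES[digest_type]
    # A truncated or over-long paste fails here instead of at the registrar.
    if len(digest) != hex_len:
        raise ValueError("%s digest must be %d hex characters, got %d"
                         % (name, hex_len, len(digest)))
    return {"key_tag": key_tag, "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}


def parse_dsset(text):
    """Parse every non-empty, non-comment line of a dsset file."""
    return [parse_ds_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(";")]


if __name__ == "__main__":
    for ds in parse_dsset(SAMPLE_DSSET):
        print(ds)
```

A digest that fails the length check was most likely truncated or merged with neighbouring text during copying, and a DS record submitted with a wrong digest will not match the zone's key.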