Delegation Signer (DS) | Playful Sparkle

A Delegation Signer (DS) record is a fundamental component of DNSSEC. It resides in the parent zone (e.g., at the Registrar/TLD level) and contains a hash of the child zone’s DNSKEY.

The DS record is what allows the “Chain of Trust” to work. When a resolver looks up your domain, it first checks the parent zone (.com) for a DS record. If found, it uses that record to verify that the DNSSEC keys provided by your domain’s name servers are authentic. Without a DS record at the registrar, your domain’s internal DNSSEC signatures cannot be validated by the rest of the world.

Frequently Asked Questions

Your DNS provider (like Cloudflare or your host) will generate the DS record once you enable DNSSEC. You then must copy this record and paste it into your Domain Registrar’s dashboard (e.g., Namecheap, GoDaddy).

Caution: You must disable DNSSEC at your registrar (remove the DS record) before changing name servers. If you move to a new provider that uses different keys while the old DS record is still active, your domain will stop resolving globally.

Build a high-performance engine. From securing your site with HTTPS and SSL/TLS to building custom REST APIs, our Web Development team ensures your infrastructure is scalable, secure, and future-proof.

Frequently Asked Questions

Where do I get my DS record?

What happens if I change DNS providers while having a DS record?

Let’s amplify your success together!

Newsletter Sign Up