DS records (Delegation Signer) are used to secure delegations (DNSSEC). A DS record with the name of the sub-delegated zone is placed in the parent zone along with the delegating NS Records. This DS record references a DNSKEY record in the sub-delegated zone.
DS records have the following components:
- Key Tag: Contains the tag value of the DNSKEY Resource Record that validates this signature.
- Algorithm: Identifies the algorithm used to produce a legitimate signature.
- Digest Type: Identifies the algorithm used to construct the digest.
- Digest: A cryptographic hash value of the referenced DNSKEY Record.
The DS record has the following look
Why do you need a DS record?
So let us imagine that your parent DNS zone is already DNSSEC signed and hosted here. And you intend to delegate a subdomain of your root domain somewhere else. There is nothing wrong with that. But you will also need to sign the delegated subdomain zone in order to preserve the chain of trust for DNSSEC. This can be done by placing the signer DS record for your subdomain in your parent zone hosted here.