Help & Troubleshooting
DS Record
What this is
The DS (Delegation Signer) record lives in the parent zone (e.g. .com) and contains a hash of your zone's Key Signing Key. It is what links your DNSSEC keys into the global chain of trust, and it is managed through your registrar.
How to read your result
If your zone is signed, a DS should exist and its key tag should correspond to your current KSK. A DS with no matching DNSKEY — or DNSKEY with no DS — are the two broken half-states worth acting on.
Common problems and how to fix them
Stale DS record after switching DNS providers
How it shows up: The domain resolves for some users and SERVFAILs for others; the failures started right after a nameserver change.
How to fix it: Log in at the registrar and delete the old DS record (or replace it with one matching the new provider's keys, if the new provider signs the zone). This is the single most common DNSSEC outage.
Zone is signed but no DS was ever published
How it shows up: DNSSEC provides no protection — validating resolvers treat the zone as unsigned, though nothing is broken.
How to fix it: Get the DS data (key tag, algorithm, digest) from your DNS provider and enter it at your registrar. Many registrar panels have a dedicated DNSSEC section for this.
DS uses a deprecated digest (SHA-1)
How it shows up: Some validators warn or refuse; security audits flag it.
How to fix it: Publish a new DS using digest type 2 (SHA-256) and remove the SHA-1 one.