DS Record Generator
Generate a DNSSEC DS record from a DNSKEY in your browser. Computes the key tag and SHA-256, SHA-1, or SHA-384 digest, with zone-file and registrar output.
DS record generator and parser
A DS record lives in the parent zone and pins a child zone's DNSKEY. The data is key-tag algorithm digest-type digest, where the digest is a hash of the owner name and the DNSKEY.
Paste a full DNSKEY line or just the flags protocol algorithm key RDATA. Use the Key Signing Key (flags 257) for a DS record. To get it from a running zone: dig DNSKEY example.com. The key is public, so this is safe to paste.
Zone name and TTL
The digest is computed over this name, so it must match the DNSKEY's owner exactly.
Digest types to generate
Many operators publish SHA-256 only. You can add SHA-1 for older parents, but SHA-256 (digest type 2) is the recommended default.
Output
Your DS record
Verify and publish
Publish the DS record at your domain's registrar (the parent zone), not inside the child zone. Then confirm the chain of trust:
# Show the child zone's DNSKEY records (where the DS digest comes from)
dig +dnssec DNSKEY dskey.example.com
# Show the DS records published at the parent
dig DS dskey.example.com
# Recompute the DS records from the live DNSKEY and compare
dig DNSKEY dskey.example.com | dnssec-dsfromkey -f - dskey.example.com
# Check that the chain of trust validates end to end
delv +rtrace dskey.example.com
The four DS fields
- key tag: a 16-bit fingerprint of the DNSKEY, computed from its bytes. It is a quick hint, not a secure identifier.
- algorithm: the DNSKEY's signing algorithm number, copied as-is (8, 13, 15, and so on).
- digest type: the hash used for the digest, 1 (SHA-1), 2 (SHA-256), or 4 (SHA-384).
- digest: the hash of the owner name plus the DNSKEY, in hex.
How the DS record fits in
DNSSEC builds a chain of trust from the root down. Each zone signs its records with its own keys, and the parent zone publishes a DS record that fingerprints the child's Key Signing Key. A resolver walks from a parent it already trusts to the DS record, then to the child's DNSKEY, then to the signed answer. Publish the DS record at your registrar to switch DNSSEC on for the zone.
KSK vs ZSK
A DS record should fingerprint the Key Signing Key, which carries flags 257. The Zone Signing Key (flags 256) signs the everyday records and is not referenced by the parent.
Rolling a key
During a key rollover it is normal to publish two DS records for a while, one per key tag, so resolvers can validate with either key until the old one is retired.
Privacy
The key tag and digest are computed in your browser with the Web Crypto API. DNSKEY public keys are public by design, no private key is needed, and nothing you paste is uploaded, logged, or stored. The tool makes no DNS queries.
How to use
- Keep the Build from DNSKEY tab selected and paste the child zone's DNSKEY record. A full line from dig DNSKEY example.com works, or just the flags protocol algorithm key data. Use the Key Signing Key (flags 257).
- Confirm the zone name. It is read from the pasted line when present, and the digest is computed over this exact owner name, so it must match the DNSKEY.
- Choose the digest types to generate. SHA-256 (digest type 2) is selected by default and recommended; add SHA-1 only for parents that still need it.
- Read the computed key tag and copy the DS record data, the full zone-file line, or the registrar field values, then publish them at your domain's registrar (the parent zone).
- Switch to Parse and explain to paste an existing DS record and confirm the key tag, algorithm, digest type, and digest length are all valid.
About this tool
DS Record Generator builds the DNSSEC Delegation Signer record from a child zone's DNSKEY, and parses an existing one in plain English. A DS record is the link in the DNSSEC chain of trust: it lives in the parent zone (which is why registrars ask for it when you turn DNSSEC on) and publishes a fingerprint of the child zone's Key Signing Key. A resolver that already trusts the parent reads the DS record, then fetches the child's DNSKEY, confirms it matches, and only then trusts the signed answers from that zone.
The record data is three small numbers and a hex digest: key tag, algorithm, digest type, and digest. The key tag is a 16-bit fingerprint of the DNSKEY computed from its bytes with the reference algorithm in RFC 4034 Appendix B, and getting it by hand is fiddly, so this tool computes it for you. The algorithm is the DNSKEY's own signing algorithm number copied verbatim (8 for RSA/SHA-256, 13 for ECDSA P-256, 15 for Ed25519, and so on); it is not the digest algorithm, which is a common point of confusion. The digest type is the hash used for the digest: 1 for SHA-1, 2 for SHA-256 (the recommended default from RFC 4509), or 4 for SHA-384 (RFC 6605). The digest itself is that hash applied to the canonical wire form of the owner name concatenated with the DNSKEY record data, which means the owner name must match the DNSKEY exactly, down to the trailing labels.
The mechanical work this tool removes is real: it encodes the owner name into canonical wire format with length-prefixed, lowercased labels and a terminating zero octet, rebuilds the DNSKEY record data from the flags, protocol, algorithm, and the base64-decoded public key, computes the key tag, and hashes the result with SHA-1, SHA-256, or SHA-384 using the Web Crypto API.
In the Build tab you paste the child zone's DNSKEY, either a full zone-file line straight from dig or just the flags, protocol, algorithm, and key, pick which digest types to emit, and the tool shows the key tag, each DS record's data, a full zone-file line with the hex wrapped the way dig and BIND display it, the four fields laid out the way a registrar DNSSEC form asks for them, and snippets for BIND, Route 53, and Google Cloud DNS. It flags a deprecated signing algorithm and reminds you that the DS record should fingerprint the Key Signing Key (flags 257), not the Zone Signing Key. The Parse tab takes an existing DS record, names the algorithm and digest type, and checks that the digest length matches the digest type, so a SHA-256 record that is not 32 bytes is caught before it breaks a delegation. Two things make DNSSEC actually work: publish the DS record at your registrar (the parent), not inside the child zone, and during a key rollover keep both DS records live, one per key tag, until the old key is retired. Everything runs locally. DNSKEY public keys are public by design, no private key is ever needed, and nothing you paste is uploaded or logged. No DNS queries are made.
Free to use. Works in your browser. No signup, no login.