Usage
Note that Hetzner currently only supports DS records but no DNSKEY records.
DS records contain the hashed public KSK (Key Signing Key) of a child zone, as well as the algorithm used to generate the hash.
Example:
| Type | Name (use @ for root) | Tag / ID | Encryption | Hash type | Hash | TTL |
|---|---|---|---|---|---|---|
| DS | @ | 60485 | ED25519 | SHA-256 | 3A5F2B9D7C1E8F4A2B6D7E9C0F1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9 | |
| Zone | Record type | Name | Value |
|---|---|---|---|
| Parent zone (.com) | DS | example.com | <hashed-pubksk> |
| Child zone (example.com) | DNSKEY | @ | <plaintext-pubksk> |
Description
A DS record is needed to keep up the chain of trust in DNSSEC validation. You can find a detailed description of how DNSSEC validation works in the article "technical concepts".
A DS record involves two zones:
- A child zone that contains a DNSKEY record for the public KSK (Key Signing Key).
- A parent zone that contains a DS record holding a hash of the child zone's public KSK.
In a DS record, you have to provide the following information:
- Tag/ID: This is automatically calculated from the public KSK using a standard algorithm. It helps DNS resolvers to quickly find the right DNSKEY among potentially many keys in the child zone.
- Encryption: The algorithm used to generate the KSK key pair (private and public KSK) of the child zone.
- Hash type: The algorithm used to generate the hash of the public KSK.
- Hash: The hashed public KSK.
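The fields above are all derived from the child zone's DNSKEY record, so the DS you enter at the parent can be checked against the child's key before (or after) publishing it. The following is an added example, not Hetzner's code: it computes the Tag/ID (RFC 4034 key tag) and the SHA-256 hash from a DNSKEY and compares them with a published DS. It assumes the IANA numeric values for the algorithm (15 = ED25519) and digest type (2 = SHA-256), where Hetzner's form shows the names, and uses the Ed25519 example key from RFC 8080 as constructed input.

```python
import base64
import hashlib
import struct

ALG_ED25519 = 15      # DNSKEY/DS algorithm number for Ed25519 (RFC 8080)
DIGEST_SHA256 = 2     # DS digest type 2 = SHA-256 (RFC 4509)

# Constructed input: the example Ed25519 KSK for example.com from RFC 8080,
# section 6.1 (flags 257 marks a KSK). RFC 8080 lists its key tag as 3613.
RFC8080_KSK = "l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4="

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034, Appendix B): sum of 16-bit words with the carry folded
    back in. This is the "Tag / ID" column of the DS record."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_from_dnskey(owner: str, flags: int, algorithm: int, pubkey_b64: str) -> dict:
    """DS fields for a child DNSKEY; hash = SHA-256(owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return {"tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": DIGEST_SHA256, "digest": digest}

def ds_matches(published: dict, owner: str, flags: int, algorithm: int,
               pubkey_b64: str) -> bool:
    """Check that the DS at the parent corresponds to this DNSKEY in the child zone."""
    computed = ds_from_dnskey(owner, flags, algorithm, pubkey_b64)
    return all(str(published.get(k, "")).upper() == str(v).upper()
               for k, v in computed.items())

if __name__ == "__main__":
    ds = ds_from_dnskey("example.com", 257, ALG_ED25519, RFC8080_KSK)
    print("DS example.com", ds["tag"], ds["algorithm"], ds["digest_type"], ds["digest"])
```

A mismatch in any field (tag, algorithm, hash type or hash) means resolvers cannot link the parent's DS to the child's KSK and the chain of trust breaks.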