Checking uploaded DS record

When investigating DNSSEC issues, a good starting point is to manually check that the DS record is as expected.

This is because the DS record isn’t served by your DNS server; it is stored in the parent domain.

For example, DS records for example.co.uk are stored in the .uk domain, and DS records for example.com are stored in the .com domain.

Thus we can use dig to check the DS record, even if our own DNS server is not reachable.

ravenstar68@box:~$ dig ds ravenstar68.co.uk

; <<>> DiG 9.11.3-1ubuntu1.13-Ubuntu <<>> ds ravenstar68.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53266
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 33862a40631d145038e102bc5fc3f21f6237e2ef8974f50d (good)
;; QUESTION SECTION:
;ravenstar68.co.uk.             IN      DS

;; ANSWER SECTION:
ravenstar68.co.uk.      3600    IN      DS      15321 7 2 955FE55BC347842C995A5B5215985D0C0AD9A4CE4AC5267338849E7E D0DD35F2

;; Query time: 111 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 29 19:10:23 GMT 2020
;; MSG SIZE  rcvd: 122

You can compare this with the information in your admin pages' system status pages, and also with that in your configuration pages at the registrar.
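
One way to make that comparison mechanical, as an added example that is not part of the original article: parse the DS line from the dig answer (joining the digest that dig splits with a space) and, going a step further than the text, recompute the SHA-256 DS from a DNSKEY line as defined in RFC 4034 and RFC 4509. The function names are hypothetical and SAMPLE_DNSKEY is a constructed value, not a real key; in practice the line would come from a `dig dnskey` query against your zone.

```python
import base64
import hashlib
import struct

# DS answer line copied from the dig output above; dig splits long digests with a space.
DIG_DS_LINE = ("ravenstar68.co.uk.      3600    IN      DS      15321 7 2 "
               "955FE55BC347842C995A5B5215985D0C0AD9A4CE4AC5267338849E7E D0DD35F2")

# Constructed DNSKEY (not a real key), used only to exercise the calculation.
SAMPLE_DNSKEY = "example.co.uk. 3600 IN DNSKEY 257 3 7 AQIDBAUGBwg="


def parse_ds(line):
    """Return (owner, key_tag, algorithm, digest_type, digest) from a DS line."""
    f = line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    # Join the digest chunks and normalise case so string comparison is reliable.
    return f[0].lower(), tag, alg, dtype, "".join(f[i + 4:]).upper()


def name_to_wire(name):
    """Canonical (lowercase) wire format of a domain name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(line):
    """Compute the SHA-256 (digest type 2) DS tuple for a DNSKEY line."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[i + 4:]))
    # Key tag, RFC 4034 Appendix B (valid for every algorithm except 1).
    acc = sum(b << 8 if n % 2 == 0 else b for n, b in enumerate(rdata))
    tag = (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF
    # DS digest = SHA-256(owner name in wire format | DNSKEY RDATA).
    digest = hashlib.sha256(name_to_wire(f[0]) + rdata).hexdigest().upper()
    return f[0].lower(), tag, alg, 2, digest


def ds_matches(parent_ds_line, dnskey_line):
    """True when the parent's DS is the SHA-256 DS of this DNSKEY."""
    return parse_ds(parent_ds_line) == ds_from_dnskey(dnskey_line)
```

A mismatch in key tag, algorithm or digest means the parent is pointing at a key your zone is not publishing, which validating resolvers treat as a failure.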