The DS (Delegation Signer) record is one of the DNS Security Extensions (DNSSEC) resource records. The DS RR contains a hash of a child zone’s key-signing key (KSK) and can be used as a trust anchor in some security-aware resolvers and to create a secure delegation point for a signed subzone in DNS servers. It is used to authenticate the DNSKEY records of the child zone and thus to establish the DNSSEC chain of trust.
The DS resource record is defined in RFC 4034.
The DS resource records are automatically generated upon the signing of the child zone of an authoritative zone residing on the appliance.
References to record:ds are object references. The name part of a DNS DS object reference has the following components:
- The name of the record.
- The name of the view.
Example: record:ds/ZG5zLmJpsaG9zdA:us.example.com/default.external
The object does not support the following operations:
The object cannot be managed on Cloud Platform members.
These fields are actual members of the object; thus, they can be requested by using _return_fields, if the fields are readable.
The basic version of the object contains the field(s): name, view.
The algorithm of the DNSKEY RR to which this DS RR refers. It uses the same algorithm values and types as the corresponding DNSKEY RR.
Type
String.
Search
The field is available for search via
Notes
The algorithm cannot be updated.
algorithm cannot be written.
Structure containing all cloud API related information for this object.
Type
A Cloud Information struct.
Search
The field is not available for search.
Notes
The cloud_info cannot be updated.
cloud_info cannot be written.
The comment for the record.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is available for search via
Notes
The comment cannot be updated.
comment cannot be written.
The creation time of the record.
Type
Timestamp.
Search
The field is not available for search.
Notes
The creation_time cannot be updated.
creation_time cannot be written.
Creator of the record.
Type
String.
Search
The field is available for search via
Notes
The creator cannot be updated.
creator cannot be written.
The digest of the DNSKEY resource record that is stored in a DS Record object.
Type
String.
Search
The field is not available for search.
Notes
The digest cannot be updated.
digest cannot be written.
The algorithm used to construct the digest.
Type
String.
Search
The field is available for search via
Notes
The digest_type cannot be updated.
digest_type cannot be written.
The name for the DS record in punycode format.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is not available for search.
Notes
The dns_name cannot be updated.
dns_name cannot be written.
The key tag value that is used to determine which key to use to verify signatures.
Type
Unsigned integer.
Search
The field is available for search via
Notes
The key_tag cannot be updated.
key_tag cannot be written.
The time of the last DNS query in Epoch seconds format.
Type
Timestamp.
Search
The field is not available for search.
Notes
The last_queried cannot be updated.
last_queried cannot be written.
The name of the DNS DS record in FQDN format.
Type
String.
Search
The field is available for search via
Notes
The name is part of the base object.
The name cannot be updated.
name cannot be written.
The Time To Live (TTL) value for the record. A 32-bit unsigned integer that represents the duration, in seconds, for which the record is valid (cached). Zero indicates that the record should not be cached.
Type
Unsigned integer.
Search
The field is not available for search.
Notes
ttl is associated with the field use_ttl (see use flag).
The ttl cannot be updated.
ttl cannot be written.
Use flag for: ttl
Type
Bool.
Search
The field is not available for search.
Notes
The use_ttl cannot be updated.
use_ttl cannot be written.
The name of the DNS View in which the record resides. Example: “external”.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is available for search via
Notes
The view is part of the base object.
The view cannot be updated.
view cannot be written.
The name of the zone in which the record resides. Example: “zone.com”. If a view is not specified when searching by zone, the default view is used.
Type
String.
Values with leading or trailing white space are not valid for this field.
Search
The field is available for search via
Notes
The zone cannot be updated.
zone cannot be written.
Field | Type | Req | R/O | Base | Search |
---|---|---|---|---|---|
algorithm | String | N | Y | N | = |
cloud_info | struct | N | Y | N | N/A |
comment | String | N | Y | N | : = ~ |
creation_time | Timestamp | N | Y | N | N/A |
creator | String | N | Y | N | = |
digest | String | N | Y | N | N/A |
digest_type | String | N | Y | N | = |
dns_name | String | N | Y | N | N/A |
key_tag | Unsigned int | N | Y | N | < = > |
last_queried | Timestamp | N | Y | N | N/A |
name | String | N | Y | Y | : = ~ |
ttl | Unsigned int | N | Y | N | N/A |
use_ttl | Bool | N | Y | N | N/A |
view | String | N | Y | Y | = |
zone | String | N | Y | N | = |
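
The following Python is an added example, not part of the original reference and not the vendor's code. It recomputes the key tag and digest from a child zone's DNSKEY as RFC 4034 defines them and compares the result with a DS object's key_tag, algorithm, digest_type and digest fields. It assumes algorithm and digest_type have already been converted to their IANA numbers and that digest is a hex string; the function names and the sample key are constructed for illustration.

```python
import hashlib
import struct

# IANA DS digest type numbers -> hash constructors (RFC 4034, 4509, 6605).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(fqdn):
    """Canonical owner name: lowercase, uncompressed, length-prefixed labels.
    Pass the punycode form (dns_name) for internationalized names."""
    labels = [l for l in fqdn.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """digest = hash(owner name in wire form | DNSKEY RDATA), hex encoded."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def verify_ds(ds, owner, flags, protocol, algorithm, public_key):
    """Return the list of mismatches between a DS record and a child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    problems = []
    if not flags & 0x0100:  # Zone Key bit must be set on a key a DS refers to
        problems.append("DNSKEY is not a zone key")
    if ds["algorithm"] != algorithm:
        problems.append("algorithm mismatch")
    if ds["key_tag"] != key_tag(rdata):
        problems.append("key_tag mismatch")
    if ds["digest_type"] not in DIGESTS:
        problems.append("unsupported digest_type")
    elif ds["digest"].lower() != ds_digest(owner, rdata, ds["digest_type"]):
        problems.append("digest mismatch")
    return problems

# Constructed sample: a 4-byte stand-in for the public key, not a real KSK.
OWNER = "us.example.com"
KEY = (257, 3, 8, b"\x01\x02\x03\x04")
DS = {"key_tag": 2063, "algorithm": 8, "digest_type": 2,
      "digest": ds_digest(OWNER, dnskey_rdata(*KEY), 2)}

if __name__ == "__main__":
    print(verify_ds(DS, OWNER, *KEY))
    print(verify_ds(DS, OWNER, 257, 3, 8, b"\x01\x02\x03\x05"))
```

An empty list means the DS record still points at the key the child zone is publishing; any entry is worth investigating before the mismatch breaks validation for the delegated zone.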