The DS record consists of the key identifier tag calculated for the key it identifies, security algorithm identifier of the key, hash algorithm identifier of the DS record itself and a digest value (hexadecimal string) of the originating DNSKEY created using the hash algorithm.

There must be one DS record for each DNSKEY of the child zone that the parent zone trusts to be genuine.