Understanding DNSKEY records and DNSSEC public keys
A DNSKEY record is a DNSSEC resource record that publishes the public key(s) a zone uses to sign its data. Validating DNS resolvers retrieve the DNSKEY and use it to verify the RRSIG (Resource Record Signature) records that cover the zone's record sets.
A DNSKEY record carries: the public key data (an RSA, ECDSA, or EdDSA key), a flags field (marking the key as a Key Signing Key or a Zone Signing Key), a protocol field (always 3 for DNSSEC), and an algorithm number (RSA-SHA256, ECDSA-P256, etc.). DNSKEY records are essential for DNSSEC - without a DNSKEY record, a resolver has no key to validate signatures against, so DNSSEC validation cannot occur.
DNSKEY records publish public keys in DNS, allowing DNS resolvers to retrieve and use public keys for signature verification.
DNS resolvers use DNSKEY public keys to verify RRSIG signatures, ensuring DNS records are authentic and untampered.
DNSKEY records enable DNSSEC validation by providing the cryptographic keys needed for signature verification.
DNSKEY records are linked via DS records in the parent zone, creating a chain of trust from the root zone down through each delegation to the signed zone.
DNSKEY records enable key management, including key rotation and key updates for DNSSEC security.
DNSKEY records include different key types:
KSK (Key Signing Key) is used to sign the zone's DNSKEY record set. A digest of the KSK is published in the parent zone as a DS record, which is what links the zone into the chain of trust.
ZSK (Zone Signing Key) is used to sign the ordinary DNS records (A, MX, etc.) in the zone. Because it signs every record set, the ZSK is used far more often than the KSK.
The flags field of a DNSKEY record indicates the key type: 257 = KSK (Zone Key bit plus the Secure Entry Point bit), 256 = ZSK (Zone Key bit only).
KSK and ZSK can be rotated independently, with KSK rotated less frequently than ZSK.
KSK requires higher security as it's used to sign other keys, while ZSK is used for regular DNS record signing.
DNSKEY records follow this format: flags protocol algorithm public-key
example.com. DNSKEY 257 3 13 base64-public-key-data...
Common DNSSEC algorithms: RSA-SHA256 (algorithm 8), ECDSA-P256 (algorithm 13), Ed25519 (algorithm 15).
Key size varies by algorithm: RSA keys are larger (2048 bits or more), while ECDSA P-256 keys are 256 bits.
Use DNS lookup tools to query DNSKEY records and retrieve public key information for DNSSEC zones.
Use command-line tools (dig) to query DNSKEY records: dig DNSKEY example.com (add +dnssec to also return the RRSIG covering the DNSKEY set).
Verify that DNSSEC validation works end to end: a validating resolver must be able to use the published DNSKEY records to verify the zone's RRSIG signatures.
Verify DNSKEY records are published correctly, keys are valid, and both KSK and ZSK are present.
Verify DNSKEY records are linked via DS records to create proper chain of trust.
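The format, flags and chain-of-trust checks described above, as an added example (not code from the original page): it parses DNSKEY records in presentation format, classifies each as KSK or ZSK from the flags field, computes the RFC 4034 key tag that DS records reference, derives the SHA-256 DS digest for the parent zone, and confirms both key roles are present. The sample key bytes are constructed placeholders, not a real P-256 key.

```python
import base64
import hashlib
import struct

ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm key' into a dict."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    if protocol != 3:  # protocol is fixed at 3 for DNSSEC (RFC 4034 2.1.2)
        raise ValueError("DNSKEY protocol field must be 3")
    key = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key  # wire RDATA
    return {
        "owner": fields[0], "flags": flags, "algorithm": algorithm,
        "alg_name": ALGORITHMS.get(algorithm, "unknown"),
        "zone_key": bool(flags & 0x0100),           # flags bit 7: Zone Key
        "role": "KSK" if flags & 0x0001 else "ZSK",  # flags bit 15: SEP -> KSK
        "rdata": rdata, "key_tag": key_tag(rdata),
    }

def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest_sha256(record):
    """DS digest type 2 (RFC 4509): SHA-256 over owner wire name + DNSKEY RDATA."""
    return hashlib.sha256(owner_to_wire(record["owner"]) + record["rdata"]).hexdigest()

def check_keyset(lines):
    """Return (has_ksk, has_zsk) for a zone's DNSKEY RRset."""
    recs = [parse_dnskey(l) for l in lines]
    return any(r["role"] == "KSK" for r in recs), any(r["role"] == "ZSK" for r in recs)

# Constructed sample RRset (key bytes 01 02 03 04 base64-encoded, not a real key).
SAMPLE = [
    "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",
    "example.com. 3600 IN DNSKEY 256 3 13 AQIDBA==",
]
```

The key tag and DS digest printed for a real KSK should match the DS record the parent zone publishes; a mismatch means the chain of trust is broken.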