DNSKEY Record (DNSSEC)
The DNSKEY record contains the public cryptographic keys used to verify DNSSEC signatures. It's a fundamental part of DNSSEC that allows resolvers to verify that DNS responses are authentic and haven't been tampered with.
Look Up DNSKEY Records
Check DNSKEY records for any domain using our free DNS lookup tool.
What Is a DNSKEY Record?
DNSKEY records publish the public keys that correspond to the private keys used to sign the zone's records. When a validating resolver receives a signed response, it fetches the zone's DNSKEY RRset, picks the key whose key tag and algorithm match the RRSIG, and uses that public key to verify the signature.
DNSSEC typically uses two types of keys:
- Key Signing Key (KSK) — Signs only the DNSKEY RRset; this is the key whose hash the parent zone publishes as a DS record
- Zone Signing Key (ZSK) — Signs all other RRsets in the zone
DNSKEY Record Format
Example DNSKEY Record
example.com. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW...base64key...
DNSKEY Record Fields
| Field | Description | Values |
|---|---|---|
| Flags | Key properties: bit 7 (value 256) marks a Zone Key, bit 15 (value 1) marks a Secure Entry Point | 256 (ZSK), 257 (KSK: Zone Key + SEP) |
| Protocol | Must be 3 | 3 |
| Algorithm | Cryptographic algorithm | 8 (RSA), 13 (ECDSA), 15 (Ed25519) |
| Public Key | Base64-encoded key | Variable length |
Key Types: KSK vs ZSK
| Aspect | KSK (257) | ZSK (256) |
|---|---|---|
| Purpose | Signs DNSKEY records | Signs all other records |
| Key size | Typically larger (RSA only; ECDSA and Ed25519 keys have a fixed size set by the algorithm) | Typically smaller (RSA only) |
| Rotation frequency | Less frequent (yearly is common), because every KSK change needs a new DS at the parent | More frequent (monthly is common); no parent involvement |
| DS record | Hash published in parent | Not in parent zone |
Common DNSSEC Algorithms
| Number | Algorithm | Status |
|---|---|---|
| 8 | RSA/SHA-256 | Widely supported (RFC 8624: MUST implement) |
| 10 | RSA/SHA-512 | Supported for validation; not recommended for new signing (RFC 8624) |
| 13 | ECDSA P-256/SHA-256 | Recommended (RFC 8624: MUST implement; preferred for new zones) |
| 14 | ECDSA P-384/SHA-384 | Supported (RFC 8624: MAY sign) |
| 15 | Ed25519 | Modern, recommended (RFC 8624: RECOMMENDED) |
DNSSEC Chain of Trust
DNSKEY records are part of the DNSSEC chain of trust:
- Root zone — The root KSK is the trust anchor configured in validating resolvers; it signs the root DNSKEY RRset
- TLD — A DS record in the root zone is a hash of the TLD's KSK DNSKEY
- Your domain — A DS record in the TLD zone is a hash of your KSK DNSKEY, which in turn signs your DNSKEY RRset
- Your records — Each RRset carries an RRSIG made with your ZSK; the validator checks it against the DNSKEY RRset it has just validated
Related DNSSEC Records
- DS Record — Hash of DNSKEY in parent zone
- RRSIG Record — Signatures for DNS records
- NSEC Record — Proves record doesn't exist
- NSEC3 Record — Hashed denial of existence
DNSKEY Best Practices
- Use modern algorithms — Prefer ECDSA P-256 (13) or Ed25519 (15) over RSA; their keys and signatures are smaller, which keeps DNSKEY and RRSIG responses small.
- Separate KSK and ZSK — Allows independent rotation schedules, so routine ZSK rollovers never touch the parent's DS record.
- Plan key rollovers — Publish the new key before removing the old one (pre-publish or double-signature rollover, RFC 6781), and wait at least the relevant TTLs before withdrawing it.
- Monitor DNSSEC validity — Alert on RRSIG expiration well before signatures lapse, and on DS/DNSKEY mismatches at the parent.
- Back up private keys securely — Losing the ZSK means re-signing with a new key; losing the KSK additionally requires a new DS record at the parent.
Checking DNSKEY Records
# Query DNSKEY records
dig example.com DNSKEY
# Set the DO bit so the RRSIGs over the DNSKEY RRset are returned as well
dig example.com DNSKEY +dnssec
# Validate the chain of trust from the root down (delv reports "fully validated" or the reason validation failed)
delv example.com
Troubleshooting DNSKEY
Common issues and solutions:
- SERVFAIL with DNSSEC — The validating resolver rejected the answer. Check RRSIG expiration first; querying again with the CD (checking disabled) flag returns the data unvalidated, which separates a DNSSEC failure from an ordinary outage.
- DS/DNSKEY mismatch — The parent's DS no longer matches any published DNSKEY, usually because the DS was not updated after a KSK rollover. Publish a DS whose key tag, algorithm and digest match the current KSK, and keep the old key published until the new DS has propagated.
- Algorithm mismatch — The DS algorithm field must match the algorithm of the DNSKEY it hashes, and during an algorithm rollover every RRset must be signed with both algorithms until the old one is withdrawn.
- Key tag collision — The key tag is a 16-bit checksum, not a unique identifier, so two keys in one zone can share a tag; validators then have to try each candidate. Rare but possible; regenerate the key to avoid the ambiguity.
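As an added example, not code from the original page or from the DNS Explorer tool, the following Python script makes concrete both the chain-of-trust link described above (a DS record is a hash over the owner name plus the DNSKEY RDATA) and the checks behind the troubleshooting items: it computes the RFC 4034 key tag, derives the SHA-256 DS record a parent has to publish, compares a parent's DS set against the child's DNSKEY RRset to spot stale-DS and algorithm mismatches, and evaluates an RRSIG validity window. The DNSKEY, the key bytes and the RRSIG line are constructed sample data (the key is not a real key and the signature is filler); the function names are my own.

```python
import base64
import hashlib
import struct
from datetime import datetime, timezone

# Constructed sample data, not a real key: a 64-byte key (0x01..0x40) in the
# shape of an ECDSA P-256 public key, published as a KSK (flags 257, alg 13).
SAMPLE_KEY_BYTES = bytes(range(1, 65))
SAMPLE_DNSKEY = ("example.com. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(SAMPLE_KEY_BYTES).decode("ascii"))
# Constructed RRSIG over the DNSKEY RRset; the signature field is filler.
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG DNSKEY 13 2 3600 "
                "20240601000000 20240501000000 2098 example.com. c29tZXNpZ25hdHVyZQ==")


def parse_dnskey(line):
    """Parse presentation-format DNSKEY text (as printed by dig) into its fields."""
    fields = line.split()
    idx = fields.index("DNSKEY")                      # TTL and class before it are optional
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # key may be printed in several chunks
    return fields[0], flags, protocol, algorithm, key


def dnskey_rdata(flags, protocol, algorithm, key):
    """Wire-format RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum of the RDATA, so not unique."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def make_ds(dnskey_line):
    """Derive the DS record (digest type 2 = SHA-256) the parent must publish for this DNSKEY."""
    owner, flags, protocol, algorithm, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return owner, key_tag(rdata), algorithm, 2, digest


def check_delegation(ds_records, dnskey_lines):
    """Match DS tuples (key_tag, algorithm, digest_type, digest) from the parent
    against the child's DNSKEY RRset; return a list of human-readable problems."""
    derived = [make_ds(line) for line in dnskey_lines]
    problems = []
    for tag, alg, dtype, digest in ds_records:
        if dtype != 2:
            problems.append(f"DS {tag}: digest type {dtype} not checked here (only SHA-256)")
            continue
        same_tag = [d for d in derived if d[1] == tag]
        if not same_tag:
            problems.append(f"DS {tag}: no DNSKEY with this key tag (stale DS after a KSK rollover?)")
        elif not any(d[2] == alg for d in same_tag):
            problems.append(f"DS {tag}: algorithm {alg} differs from the DNSKEY algorithm")
        elif not any(d[4] == digest.upper() for d in same_tag):
            problems.append(f"DS {tag}: digest matches no DNSKEY (wrong key material)")
    return problems


def check_rrsig_window(rrsig_line, now):
    """Return 'valid', 'expired' or 'not yet valid' for an RRSIG, given the
    validator's UTC time as a YYYYMMDDHHMMSS string (the format dig prints)."""
    fields = rrsig_line.split()
    idx = fields.index("RRSIG")
    # RDATA order: type covered, alg, labels, original TTL, expiration, inception, key tag, signer, sig
    expiration, inception, current = (
        datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        for s in (fields[idx + 5], fields[idx + 6], now)
    )
    if current > expiration:
        return "expired"
    if current < inception:
        return "not yet valid"
    return "valid"


if __name__ == "__main__":
    owner, tag, alg, dtype, digest = make_ds(SAMPLE_DNSKEY)
    print(f"{owner} IN DS {tag} {alg} {dtype} {digest}")
    print("current DS:", check_delegation([(tag, alg, dtype, digest)], [SAMPLE_DNSKEY]))
    print("stale DS:  ", check_delegation([(tag + 1, alg, dtype, digest)], [SAMPLE_DNSKEY]))
    print("wrong alg: ", check_delegation([(tag, 8, dtype, digest)], [SAMPLE_DNSKEY]))
    for when in ("20240515000000", "20240615000000"):
        print(when, check_rrsig_window(SAMPLE_RRSIG, when))
    print("now:", check_rrsig_window(SAMPLE_RRSIG, datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")))
```

To use this against a live zone, paste the DNSKEY lines from `dig example.com DNSKEY` and the DS tuples from `dig example.com DS` into the two arguments of `check_delegation`; an empty list means the parent's DS set matches the published keys. Two simplifications are deliberate: real validators compare RRSIG times with serial-number arithmetic (RFC 4034, section 3.1.5) rather than plain calendar dates, and only digest type 2 is computed here, so a DS with another digest type is reported rather than verified.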
Monitor Your DNSSEC Configuration
DNS Explorer validates DNSKEY records, checks chain of trust, and alerts you to DNSSEC issues before they cause outages.
Start free DNS Explorer trial (14-day full-feature trial)
Related Record Types
- DS Record — DNSSEC delegation
- RRSIG Record — DNSSEC signatures
- NSEC Record — Denial of existence
- CDNSKEY Record — Automated DS updates