IPSECKEY Record Security
The IPSECKEY record publishes public keys for IPsec (Internet Protocol Security) in DNS. Defined in RFC 4025, it enables opportunistic encryption by allowing hosts to discover each other's IPsec keys without pre-configuration.
What Is an IPSECKEY Record?
IPSECKEY records store public keys that can be used to establish IPsec security associations. This enables:
- Opportunistic encryption — Encrypt traffic without pre-shared keys
- Key distribution — Publish IPsec keys via DNS
- Automatic discovery — Hosts find keys via reverse DNS
- VPN simplification — Reduce manual key exchange
IPSECKEY Record Format
Example IPSECKEY Record
```
host.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVN...
```
Precedence 10, gateway type 0 (no gateway, written as a single dot), algorithm 2 (RSA), followed by the base64-encoded public key.
IPSECKEY Record Fields
| Field | Description | Example |
|---|---|---|
| Precedence | Priority (lower preferred) | 10 |
| Gateway Type | Type of gateway identifier | 0, 1, 2, or 3 |
| Algorithm | Public key algorithm | 1 (DSA), 2 (RSA), 3 (ECDSA) |
| Gateway | IPsec gateway address | . (none), IP, or hostname |
| Public Key | Base64-encoded public key | AQNRU3mG7TVN... |
Gateway Types
| Value | Gateway Type | Gateway Field |
|---|---|---|
| 0 | No gateway | . (dot) |
| 1 | IPv4 address | 192.0.2.1 |
| 2 | IPv6 address | 2001:db8::1 |
| 3 | Domain name | gateway.example.com. |
Algorithm Types
| Value | Algorithm |
|---|---|
| 0 | No key present |
| 1 | DSA |
| 2 | RSA |
| 3 | ECDSA |
IPSECKEY Use Cases
Opportunistic IPsec
```
; Host publishes its IPsec public key
1.2.0.192.in-addr.arpa. IPSECKEY 10 0 2 . AQNRU3mG7TVN...
```
With Gateway
```
; Traffic should go through a specific gateway
host.example.com. IPSECKEY 10 3 2 vpn.example.com. AQNRU3mG7TVN...
```
Multiple Keys (Failover)
```
host.example.com. IPSECKEY 10 1 2 192.0.2.1 AQNRU3mG7TVN...
host.example.com. IPSECKEY 20 1 2 192.0.2.2 AQO8lIpN...
```
Reverse DNS for IPSECKEY
IPSECKEY records are typically published in reverse DNS zones, allowing hosts to look up keys by IP address:
```
; For IPv4 192.0.2.1
1.2.0.192.in-addr.arpa. IPSECKEY 10 0 2 . AQNRU3mG7TVN...
; For IPv6 2001:db8::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IPSECKEY 10 0 2 . AQNRU3mG7TVN...
```
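As an added example (not code from this page or from any DNS tool), the following stdlib-only Python parser ties the field table, the wire format and the reverse-DNS section together: it reads the presentation form of an IPSECKEY record, checks that the gateway field matches the gateway type and that the key matches the algorithm, encodes the RFC 4025 wire form, and builds the in-addr.arpa / ip6.arpa owner name. The key material in `SAMPLE_KEY_B64` is constructed, not a real IPsec key.

```python
import base64
import ipaddress
from dataclasses import dataclass

NO_GATEWAY, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3  # gateway types from the table above
# Constructed sample key material (not a real IPsec key); the page's key is truncated.
SAMPLE_KEY_B64 = base64.b64encode(b"\x01\x03" + bytes(range(16))).decode()

@dataclass
class IPSECKEY:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: str       # ".", an IP address, or an absolute domain name
    public_key: bytes  # decoded key material; empty when algorithm is 0

def validate(rec: IPSECKEY) -> None:
    """Reject records whose fields contradict each other (a common cause of failed connections)."""
    if rec.gateway_type == NO_GATEWAY and rec.gateway != ".":
        raise ValueError("gateway type 0 requires '.' in the gateway field")
    if rec.gateway_type in (GW_IPV4, GW_IPV6):
        want = 4 if rec.gateway_type == GW_IPV4 else 6
        if ipaddress.ip_address(rec.gateway).version != want:  # ValueError if not an IP
            raise ValueError(f"gateway type {rec.gateway_type} needs an IPv{want} address")
    if (rec.algorithm == 0) == bool(rec.public_key):
        raise ValueError("algorithm 0 means no key; any other algorithm needs a key")

def parse_presentation(rdata: str) -> IPSECKEY:
    """Parse zone-file RDATA such as '10 3 2 vpn.example.com. <base64 key>'."""
    prec, gwtype, alg, gw, *key = rdata.split()
    rec = IPSECKEY(int(prec), int(gwtype), int(alg), gw, base64.b64decode("".join(key)))
    validate(rec)
    return rec

def to_wire(rec: IPSECKEY) -> bytes:
    """RFC 4025 wire format: three one-octet fields, the gateway, then the raw key."""
    gw = b""
    if rec.gateway_type in (GW_IPV4, GW_IPV6):
        gw = ipaddress.ip_address(rec.gateway).packed  # 4 or 16 octets
    elif rec.gateway_type == GW_NAME:  # uncompressed DNS name: length-prefixed labels
        labels = rec.gateway.rstrip(".").split(".")
        gw = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return bytes([rec.precedence, rec.gateway_type, rec.algorithm]) + gw + rec.public_key

def reverse_name(ip: str) -> str:
    """Owner name under which a host publishes its IPSECKEY (in-addr.arpa / ip6.arpa)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(addr.exploded.split("."))) + ".in-addr.arpa."
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa."
```

`validate` raises on the mismatches the troubleshooting list describes (for example gateway type 0 with an IP address in the gateway field), so a zone can be checked before it is published.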
IPSECKEY Best Practices
- Use DNSSEC — Sign zones to ensure key authenticity.
- Publish in reverse DNS — Enable discovery by IP address.
- Use appropriate algorithms — RSA or ECDSA recommended.
- Set reasonable precedence — Use for failover ordering.
- Keep keys updated — Rotate keys and update records.
Security Considerations
- DNSSEC required — Without DNSSEC, keys can be spoofed.
- Trust model — DNS becomes part of the trust chain.
- Key management — Compromised keys must be quickly revoked.
- Privacy — IPSECKEY reveals IPsec capability of hosts.
Troubleshooting IPSECKEY
Common issues and solutions:
- Key not found — Check reverse DNS zone is properly configured.
- Connection fails — Verify key format and algorithm match.
- Trust issues — Ensure zone is DNSSEC-signed.
- Gateway unreachable — Check gateway type and address are correct.
Monitor Your IPsec Configuration
DNS Explorer validates IPSECKEY records, checks DNSSEC status, and tracks your IPsec key distribution.
Related Record Types
- SSHFP Record — SSH key fingerprints
- TLSA Record — TLS certificate association
- PTR Record — Reverse DNS
- DNSKEY Record — DNSSEC keys