What Is a DNSKEY Record? The Cryptographic Core of DNSSEC
DNS is the backbone of the internet, but it was not designed with security in mind. That is where DNSSEC (Domain Name System Security Extensions) comes in, adding cryptographic protection to DNS queries and responses.
At the heart of DNSSEC lies the DNSKEY record. This is the actual public key used to validate signed DNS data and prove that it has not been tampered with.
If you are working with DNS security or even just curious about how DNS authentication works, understanding DNSKEY records is a must.
What Is a DNSKEY?
A DNSKEY record stores a public cryptographic key in DNS. This key is used to verify RRSIG signatures, which in turn confirm the authenticity of DNS records.
DNSKEYs live in the authoritative DNS zone for a domain and can play one of two roles:
- Zone Signing Key (ZSK): Used to sign zone data like A or MX records.
- Key Signing Key (KSK): Used to sign the DNSKEY record itself.
This separation of duties improves security and makes key management more flexible.
What Does a DNSKEY Record Look Like?
Here is an example DNSKEY record:
Let’s break this down:
256— Flags (256 means it is a ZSK, 257 means it is a KSK)3— Protocol (always 3 for DNSSEC)8— Algorithm (e.g., RSA/SHA-256)- The rest — The actual base64-encoded public key
Why DNSKEY Records Matter
Without DNSKEY records, DNSSEC cannot function. These keys are used by resolvers to check whether DNS data has been signed and whether the signature is valid. This helps:
- Prevent forged DNS records
- Protect against man-in-the-middle attacks
- Maintain domain integrity across the DNS hierarchy
In short, DNSKEY is how DNS learns to trust itself.
How to Look Up a DNSKEY Record
You can check if a domain is publishing its DNSKEY using dig:
If the domain uses DNSSEC, you will see one or more DNSKEY records. These will typically include both a ZSK and a KSK.
Final Thoughts
The DNSKEY record is not something most users interact with directly, but it plays a critical role in modern DNS security. If you manage DNS zones and plan to implement DNSSEC, you will need to generate, publish, and maintain DNSKEYs as part of your signing process.
When used properly, DNSKEY records help secure your domain against a range of DNS-based attacks and bring cryptographic trust to one of the internet’s most fundamental systems.