What Is a DNSKEY Record? The Cryptographic Core of DNSSEC
DNS is the backbone of the internet, but it was not designed with security in mind. That is where DNSSEC (Domain Name System Security Extensions) comes in, adding digital signatures to DNS data so that a resolver can verify that the answers it receives are authentic and unmodified. Note that DNSSEC provides authentication and integrity, not confidentiality: queries and responses still travel in the clear.
At the heart of DNSSEC lies the DNSKEY record. This is the actual public key used to validate signed DNS data and prove that it has not been tampered with.
If you are working with DNS security or even just curious about how DNS authentication works, understanding DNSKEY records is a must.
What Is a DNSKEY?
A DNSKEY record stores a public cryptographic key in DNS. This key is used to verify RRSIG signatures, which in turn confirm the authenticity of DNS records.
DNSKEYs live in the authoritative DNS zone for a domain and can play one of two roles:
- Zone Signing Key (ZSK): Signs the zone's data RRsets (A, MX, TXT and so on), producing the RRSIG records that accompany them.
- Key Signing Key (KSK): Signs the DNSKEY RRset itself, that is, the set of all DNSKEY records at the zone apex. A hash of the KSK is published in the parent zone as a DS record, which is what links the zone into the chain of trust.
This separation of duties means the ZSK, which does the bulk of the signing, can be rolled frequently without touching the parent zone's DS record, while the KSK, whose rollover must be coordinated with the parent, changes rarely. The roles are a convention rather than a protocol requirement: a validator will use any DNSKEY that carries the Zone Key flag, and some zones use a single key for both jobs (a Combined Signing Key).
What Does a DNSKEY Record Look Like?
Here is what a DNSKEY record looks like in presentation format (the public-key field is shown as a placeholder rather than a real key):
example.com. 3600 IN DNSKEY 256 3 8 <base64-encoded public key>
Let's break this down:
- 256: Flags. 256 (bit 7, the Zone Key flag) marks a ZSK; 257 (Zone Key plus bit 15, the Secure Entry Point flag) marks a KSK. A DNSKEY without the Zone Key flag must not be used to validate signatures.
- 3: Protocol. Always 3 for DNSSEC; a validator treats any other value as invalid.
- 8: Algorithm. 8 is RSA/SHA-256; 13 (ECDSA P-256/SHA-256) is the other algorithm you will see most often today. Algorithms 5 and 7 (RSA/SHA-1 variants) are deprecated for signing (RFC 8624).
- The rest: The public key itself, base64-encoded. Its internal layout depends on the algorithm.
Resolvers match an RRSIG or DS record to the right DNSKEY using the key's 16-bit key tag, a checksum computed over these RDATA fields, together with the owner name and algorithm number.
Why DNSKEY Records Matter
Without DNSKEY records, DNSSEC cannot function. A validating resolver fetches a zone's DNSKEY RRset, checks it against the DS record in the parent zone (and so on up the hierarchy to the root trust anchor), and then uses the keys to verify the RRSIG signature over each answer. This helps:
- Prevent forged DNS records from being accepted
- Detect man-in-the-middle tampering and cache poisoning of responses
- Maintain domain integrity across the DNS hierarchy
The protection only applies when the resolver actually validates: a resolver that does not check signatures will accept a forged answer whether or not the zone is signed.
In short, DNSKEY is how DNS learns to trust itself.
How to Look Up a DNSKEY Record
You can check if a domain is publishing its DNSKEY using built-in tools on your computer. Follow the steps below based on your operating system:
Windows
1. Click the Start menu and type cmd or PowerShell.
2. Press Enter to open the Command Prompt or PowerShell.
3. Type the following command and press Enter:
macOS
1. Open Finder, go to Applications > Utilities, then open Terminal.
2. Type the following command and press Return:
Linux
1. Open your terminal. You can usually do this with Ctrl+Alt+T or by searching for "Terminal" in your application menu.
2. Type the following command and press Enter:
If dig is not installed, you can add it with:
If the domain uses DNSSEC, the answer section lists one or more DNSKEY records, typically a KSK (flags 257) and a ZSK (flags 256). An empty answer with status NOERROR means the zone is not signed (or the keys are not published yet). Seeing DNSKEY records does not by itself mean the chain of trust is complete: the parent zone must also publish a DS record whose key tag and digest match the KSK, so check that as well when you troubleshoot validation failures.
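As an added worked example (not code from this article), here is a small Python script that ties the record breakdown above to the lookup procedure: it parses each DNSKEY line from dig output, classifies the key as KSK or ZSK from its flags, computes the 16-bit key tag that RRSIG and DS records use to reference the key, and derives the DS record you would expect to find in the parent zone. It assumes the lookup command is `dig +dnssec DNSKEY example.com`, since dig's output format is what it parses. The sample output embedded in the script is constructed, and the key bytes in it are dummies, not real keys.

```python
"""Inspect a zone's DNSKEY records: parse dig output, classify each key as
KSK or ZSK from its flags, compute the RFC 4034 key tag, and derive the DS
record the parent should publish.

Added example written for this article, not code from it; it uses only the
Python standard library. SAMPLE_DIG_OUTPUT is constructed and its key fields
are dummy bytes, not real keys."""
import base64
import hashlib
import struct
import subprocess

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 2.1)
ZONE_KEY = 0x0100  # bit 7: the key may be used to sign zone data
REVOKE = 0x0080    # bit 8: the key has been revoked (RFC 5011 trust-anchor rollover)
SEP = 0x0001       # bit 15: Secure Entry Point, by convention the KSK

ALGORITHMS = {
    5: "RSA/SHA-1 (deprecated)", 7: "RSASHA1-NSEC3-SHA1 (deprecated)",
    8: "RSA/SHA-256", 10: "RSA/SHA-512", 13: "ECDSA P-256/SHA-256",
    14: "ECDSA P-384/SHA-384", 15: "Ed25519", 16: "Ed448",
}

# Constructed sample of what `dig +dnssec DNSKEY example.com` prints (dummy keys).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.18 <<>> +dnssec DNSKEY example.com
;; QUESTION SECTION:
;example.com.\t\t\tIN\tDNSKEY

;; ANSWER SECTION:
example.com.\t3600\tIN\tDNSKEY\t257 3 8 AQIDBA==
example.com.\t3600\tIN\tDNSKEY\t256 3 8 BQYHCA==
example.com.\t3600\tIN\tRRSIG\tDNSKEY 8 2 3600 20300101000000 20250101000000 2063 example.com. AAAA
"""


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA in wire format (RFC 4034 Appendix B).
    RRSIG and DS records carry this 16-bit value to identify the key."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def classify(flags):
    """Role implied by the flags field; a validator ignores non-zone keys."""
    if not flags & ZONE_KEY:
        return "not a zone key"
    if flags & REVOKE:
        return "revoked"
    return "KSK" if flags & SEP else "ZSK"


def parse_dnskey(line):
    """Parse one DNSKEY record in presentation format, as printed by dig.
    Returns None for comments, RRSIGs and anything that is not a DNSKEY."""
    if line.lstrip().startswith(";"):
        return None
    fields = line.split()
    if "DNSKEY" not in fields:
        return None
    idx = fields.index("DNSKEY")
    # In an RRSIG line the word DNSKEY is the covered type and follows "RRSIG", not the class.
    if idx < 1 or fields[idx - 1] != "IN" or len(fields) < idx + 5:
        return None
    flags, proto, alg = (int(f) for f in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))  # dig may split the key across spaces
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    return {"owner": fields[0], "flags": flags, "protocol": proto, "algorithm": alg,
            "algorithm_name": ALGORITHMS.get(alg, f"unassigned/unknown ({alg})"),
            "role": classify(flags) if proto == 3 else "invalid (protocol must be 3)",
            "key": key, "rdata": rdata, "key_tag": key_tag(rdata)}


def wire_name(owner):
    """Owner name in DNS wire format, lower-cased as RFC 4034 requires for DS digests."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(rec, digest_type=2):
    """DS record the parent zone should publish for this key (RFC 4034 section 5.1.4):
    digest over owner name + DNSKEY RDATA. Type 2 is SHA-256; type 1 (SHA-1) is deprecated."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(wire_name(rec["owner"]) + rec["rdata"]).hexdigest().upper()
    return f"{rec['owner']} IN DS {rec['key_tag']} {rec['algorithm']} {digest_type} {digest}"


def summarize(dig_output):
    """All DNSKEY records found in dig output, in order."""
    return [rec for rec in map(parse_dnskey, dig_output.splitlines()) if rec]


def lookup(domain):
    """Run dig against the live zone (needs network access and dig on PATH)."""
    return subprocess.run(["dig", "+dnssec", "DNSKEY", domain],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    output = lookup(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DIG_OUTPUT
    for rec in summarize(output):
        print(f"{rec['owner']} flags={rec['flags']} ({rec['role']}) alg={rec['algorithm']} "
              f"({rec['algorithm_name']}) key_tag={rec['key_tag']}")
        if rec["role"] == "KSK":
            print("  expected DS:", ds_record(rec))
```

Save it as, say, dnskey_check.py and run it with a domain name to query the live zone, or with no arguments to work from the built-in sample. Comparing the printed expected DS line with the output of `dig DS example.com` is the quickest way to confirm that the parent's DS record actually points at the KSK the zone is publishing; a key tag or digest mismatch there is the classic cause of a zone that is signed yet fails validation.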
Final Thoughts
The DNSKEY record is not something most users interact with directly, but it plays a critical role in modern DNS security. If you manage DNS zones and plan to implement DNSSEC, you will need to generate, publish, and maintain DNSKEYs as part of your signing process, including planned key rollovers and keeping the DS record at the parent in sync, because a DNSKEY RRset that no longer matches the parent's DS makes the whole zone fail validation.
When used properly, DNSKEY records help secure your domain against a range of DNS-based attacks and bring cryptographic trust to one of the internet's most fundamental systems.