What is the difference between KSK and ZSK?

KSK (Key Signing Key, flag 257) signs the DNSKEY records and is referenced by the DS record in the parent zone. ZSK (Zone Signing Key, flag 256) signs all other records in the zone. KSKs are typically larger and rotated less frequently.

Which DNSSEC algorithm should I use?

ECDSA (algorithm 13) or Ed25519 (algorithm 15) are recommended for new deployments. They provide strong security with smaller key sizes compared to RSA. RSA/SHA-256 (algorithm 8) is still widely supported as a fallback.

How do I check DNSKEY records for a domain?

Use 'dig example.com DNSKEY +dnssec' to query DNSKEY records with DNSSEC validation info. You can also use our DNS lookup tool to check DNSKEY records for any domain.

DNSKEY Record DNSSEC

Q: What is a DNSKEY record?

A DNSKEY record contains the public cryptographic keys used to verify DNSSEC signatures. It's a fundamental part of DNSSEC that allows resolvers to verify that DNS responses are authentic and haven't been tampered with.

The DNSKEY record contains the public cryptographic keys used to verify DNSSEC signatures. It's a fundamental part of DNSSEC that allows resolvers to verify that DNS responses are authentic and haven't been tampered with.

Look Up DNSKEY Records

Check DNSKEY records for any domain using our free DNS lookup tool.

Look Up DNSKEY Records →

What Is a DNSKEY Record?

DNSKEY records publish the public keys that correspond to the private keys used to sign DNS records. When a resolver receives a signed DNS response, it uses the DNSKEY to verify the signature.

DNSSEC typically uses two types of keys:

Key Signing Key (KSK) — Signs the DNSKEY records themselves
Zone Signing Key (ZSK) — Signs all other records in the zone

DNSKEY Record Format

Example DNSKEY Record

example.com.    3600    IN    DNSKEY    257 3 13 mdsswUyr3DPW...base64key...

DNSKEY Record Fields

Field	Description	Values
Flags	Key properties	256 (ZSK), 257 (KSK)
Protocol	Must be 3	3
Algorithm	Cryptographic algorithm	8 (RSA), 13 (ECDSA), 15 (Ed25519)
Public Key	Base64-encoded key	Variable length

Key Types: KSK vs ZSK

Aspect	KSK (257)	ZSK (256)
Purpose	Signs DNSKEY records	Signs all other records
Key size	Typically larger	Typically smaller
Rotation frequency	Less frequent (yearly)	More frequent (monthly)
DS record	Hash published in parent	Not in parent zone

Common DNSSEC Algorithms

Number	Algorithm	Status
8	RSA/SHA-256	Widely supported
10	RSA/SHA-512	Supported
13	ECDSA P-256/SHA-256	Recommended
14	ECDSA P-384/SHA-384	Supported
15	Ed25519	Modern, recommended

DNSSEC Chain of Trust

DNSKEY records are part of the DNSSEC chain of trust:

Root zone — Contains DNSKEY for the root
TLD — DS record in root points to TLD's DNSKEY
Your domain — DS record in TLD points to your DNSKEY
Your records — RRSIG records signed by your ZSK

Related DNSSEC Records

DS Record — Hash of DNSKEY in parent zone
RRSIG Record — Signatures for DNS records
NSEC Record — Proves record doesn't exist
NSEC3 Record — Hashed denial of existence

DNSKEY Best Practices

Use modern algorithms — Prefer ECDSA (13) or Ed25519 (15) over RSA.
Separate KSK and ZSK — Allows independent rotation schedules.
Plan key rollovers — Publish new keys before removing old ones.
Monitor DNSSEC validity — Set up alerts for expiring signatures.
Backup private keys securely — Loss of KSK requires DS update at parent.

Checking DNSKEY Records

# Query DNSKEY records
dig example.com DNSKEY

# With DNSSEC validation info
dig example.com DNSKEY +dnssec

# Check the trust chain
delv example.com

Troubleshooting DNSKEY

Common issues and solutions:

SERVFAIL with DNSSEC — Signature validation failed; check RRSIG expiration.
DS/DNSKEY mismatch — Update DS record at parent after key rollover.
Algorithm mismatch — Ensure DS and DNSKEY use the same algorithm.
Key tag collision — Rare but possible; regenerate key.

Check Your DNSKEY Records

Use our DNS Record Finder to look up DNSKEY records for any domain.