What is opportunistic IPsec encryption?

Opportunistic IPsec encryption allows hosts to automatically establish encrypted connections by discovering public keys via DNS (typically reverse DNS). Traffic is encrypted without pre-shared keys or manual VPN configuration.

What are the IPSECKEY gateway types?

Gateway type 0 means no gateway (direct connection), type 1 is an IPv4 address, type 2 is an IPv6 address, and type 3 is a domain name. The gateway field specifies where IPsec traffic should be sent.

Does IPSECKEY require DNSSEC?

Yes, DNSSEC is strongly recommended for IPSECKEY records. Without DNSSEC, an attacker could spoof IPSECKEY records and perform man-in-the-middle attacks on IPsec connections.

IPSECKEY Record Security

Q: What is an IPSECKEY record?

An IPSECKEY record (RFC 4025) publishes public keys for IPsec in DNS. It enables opportunistic encryption by allowing hosts to discover each other's IPsec keys without pre-configuration or manual key exchange.

The IPSECKEY record publishes public keys for IPsec (Internet Protocol Security) in DNS. Defined in RFC 4025, it enables opportunistic encryption by allowing hosts to discover each other's IPsec keys without pre-configuration.

Look Up IPSECKEY Records

Check IPSECKEY records for any domain using our free DNS lookup tool.

Look Up IPSECKEY Records →

What Is an IPSECKEY Record?

IPSECKEY records store public keys that can be used to establish IPsec security associations. This enables:

Opportunistic encryption — Encrypt traffic without pre-shared keys
Key distribution — Publish IPsec keys via DNS
Automatic discovery — Hosts find keys via reverse DNS
VPN simplification — Reduce manual key exchange

IPSECKEY Record Format

Example IPSECKEY Record

host.example.com.    3600    IN    IPSECKEY    10 0 2 . AQNRU3mG7TVN...

Precedence: 10, Gateway Type: 0 (none), Algorithm: 2 (RSA), Public Key follows.

IPSECKEY Record Fields

Field	Description	Example
Precedence	Priority (lower preferred)	10
Gateway Type	Type of gateway identifier	0, 1, 2, or 3
Algorithm	Public key algorithm	1 (DSA), 2 (RSA), 3 (ECDSA)
Gateway	IPsec gateway address	. (none), IP, or hostname
Public Key	Base64-encoded public key	AQNRU3mG7TVN...

Gateway Types

Value	Gateway Type	Gateway Field
0	No gateway	. (dot)
1	IPv4 address	192.0.2.1
2	IPv6 address	2001:db8::1
3	Domain name	gateway.example.com.

Algorithm Types

Value	Algorithm
0	No key present
1	DSA
2	RSA
3	ECDSA

IPSECKEY Use Cases

Opportunistic IPsec

; Host publishes its IPsec public key
1.2.0.192.in-addr.arpa.    IPSECKEY    10 0 2 . AQNRU3mG7TVN...

With Gateway

; Traffic should go through specific gateway
host.example.com.    IPSECKEY    10 3 2 vpn.example.com. AQNRU3mG7TVN...

Multiple Keys (Failover)

host.example.com.    IPSECKEY    10 1 2 192.0.2.1 AQNRU3mG7TVN...
host.example.com.    IPSECKEY    20 1 2 192.0.2.2 AQO8lIpN...

Reverse DNS for IPSECKEY

IPSECKEY records are typically published in reverse DNS zones, allowing hosts to look up keys by IP address:

; For IPv4 192.0.2.1
1.2.0.192.in-addr.arpa.    IPSECKEY    10 0 2 . AQNRU3mG7TVN...

; For IPv6 2001:db8::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.    IPSECKEY    10 0 2 . AQNRU3mG7TVN...

IPSECKEY Best Practices

Use DNSSEC — Sign zones to ensure key authenticity.
Publish in reverse DNS — Enable discovery by IP address.
Use appropriate algorithms — RSA or ECDSA recommended.
Set reasonable precedence — Use for failover ordering.
Keep keys updated — Rotate keys and update records.

Security Considerations

DNSSEC required — Without DNSSEC, keys can be spoofed.
Trust model — DNS becomes part of the trust chain.
Key management — Compromised keys must be quickly revoked.
Privacy — IPSECKEY reveals IPsec capability of hosts.

Troubleshooting IPSECKEY

Common issues and solutions:

Key not found — Check reverse DNS zone is properly configured.
Connection fails — Verify key format and algorithm match.
Trust issues — Ensure zone is DNSSEC-signed.
Gateway unreachable — Check gateway type and address are correct.

Check Your IPSECKEY Records

Use our DNS Record Finder to look up IPSECKEY records for any domain.