DNS records and worldwide DNS propagation checker


About DNSKEY Lookup - Online DNSKEY Checker Tool

DNSKEY Lookup lets you check DNSKEY records for any domain. The online tool allows you to query the DNS servers and identify the DNSKEY records for the specified domain.

What is a DNSKEY record in DNS?

The Domain Name System (DNS) is the largest virtual database on the internet. That system translates the human-written domain name to its corresponding IP address. However, DNS was not designed with a security perspective like other internet services. That's why DNS was exposed to man-in-the-middle (MITM) attacks and cache poisoning. Therefore, an additional and optional security protocol (DNSSEC) was introduced to overcome that issue.

DNSSEC is the set of standards composed by the Internet Engineering Task Force (IETF) to secure the communication between the DNS servers and clients.

The DNSSEC protocol overcomes the man-in-the-middle (MITM) attacks and cache poisoning by adding cryptographic signatures to existing DNS records. These signatures verify whether the record came from the valid and authorized DNS server or not.

For implementing that security protocol, new DNS records were created, DNSKEY and DS, defined in RFC4034.

  1. DNSKEY contains the public signing key.
  2. DS has the hash of the DNSKEY record.

Why do you need a DNSKEY record?

The DNSKEY record contains the public signing key for the DNSSEC authentication process. The record holds a public key that the DNSSEC resolver uses to verify DNSSEC signatures in RRSIG-records.

With the signing of the corresponding authoritative zone, these records are generated automatically, and that resource record object is read-only.

Components of DNSKEY records

An example of a DNSKEY record looks like this: abc.com. 3600 IN DNSKEY 257 3 13 ZhCa3rGLofZcndFN2aVd==

Host Label TTL Record Class Record Type Flags Protocol Algorithm Public Key
abc.com. 3600 IN DNSKEY 257 3 13 ZhCa3rGLofZcndFN2aVd==

In the above example,

  • abc.com is the hostname of the record.
  • 3600 is the TTL (time to live) and is the record's expiry time.
  • IN is the record class that is default and generally used by internet users.
  • DNSKEY is the DNS record type.
  • 257, a value of 256 indicates that the DNSKEY contains a ZSK and a value of 257 indicates a KSK.
  • 3 the protocol must be equal to 3. Otherwise, the record is not valid.
  • 13 is the algorithm that identifies the public key's cryptographic algorithm and defines the format of the Public Key field.
  • ZhCa3rGLofZcndFN2aVd== is the Public Key.

How do I check my DNSKEY record?

To check the DNSKEY record of a domain, perform the following steps.