Use the DNSKEY Lookup utility to check the DNSKEY records of a domain. It helps you verify DNSSEC configuration, validate DNS signatures, and identify DNSSEC-related issues.
A DNSKEY (DNS Key) record is a DNS record used by Domain Name System Security Extensions (DNSSEC). It stores one or more public cryptographic keys that DNSSEC validators use to verify the digital signatures associated with a DNS zone.
DNSKEY records are used by DNSSEC to validate that DNS data has not been altered during transmission. When a resolver receives a DNS response, it uses the DNSKEY record to verify the accompanying digital signatures.
Without DNSKEY records, DNSSEC validation cannot take place.
Perform a DNSKEY Lookup to check the DNSKEY records of a domain. Follow these steps:
The tool will run DNSKEY Lookup for the provided domain name and show results. Use the returned records to review the domain's DNSSEC configuration and troubleshoot any configuration issues.
When you perform a DNSKEY record check with our tool, the results contain the following information.

| Field | Description |
|---|---|
| Type | Indicates the type of lookup performed - DNSKEY |
| Domain Name | Domain whose DNSKEY records are retrieved |
| TTL | How long the record can remain cached |
| Algorithm | The cryptographic algorithm used for signing |
| Protocol | DNSSEC protocol value, typically 3 |
| Flag | Identifies the key type: Zone Signing Key (ZSK) or Key Signing Key (KSK) |
| Key ID | Unique identifier for the key |
| DNS Public Key | Public cryptographic DNS key used for verification |
DNSSEC is a security framework that protects DNS information through digital signatures and cryptographic validation. DNSKEY is one of the DNS record types used within DNSSEC.
Many people confuse the DNSKEY checker with the DNSSEC record checker. DNSSEC is an entire security setup, while DNSKEY is a component that makes the system work. Our tool only performs a DNS public key check.
DNSSEC includes several record types:
Together, these records help create a trusted DNS infrastructure.
The DS record acts as a bridge between DNS zones, while the DNSKEY record provides the public key needed for validation. To check DS records for a domain, use the DS Lookup utility.
| Feature | DNSKEY Record | DS Record |
|---|---|---|
| Purpose | Stores public signing keys | References a trusted DNSKEY |
| Location | Child zone | Parent zone |
| Used For | Signature verification | Building a chain of trust |
| Contains | Public DNS key | Digest of the key |
| Role in DNSSEC | Validates signatures | Connects zones securely |
| Publisher | Domain zone administrator | Parent zone operator |
Our DNSKEY lookup utility is useful for many DNS administration and security tasks. You can use it to:
DNSKEY Lookup is the process of retrieving the public DNS keys configured for a domain. These records contain the public keys used for DNSSEC validation.
The DNSKEY record holds the DNSSEC public signing key. Validators use these public keys to verify the digital signatures on DNS data.
DNSKEY records are needed to make DNSSEC work. They contain the public cryptographic keys that resolvers use to verify DNSSEC signatures. Without DNSKEY records, DNS resolvers cannot validate signed DNS records, making DNSSEC protection impossible.
If DNSSEC is enabled, your domain will typically publish DNSKEY records along with related DNSSEC records such as DS and RRSIG. A DNSKEY Lookup can help confirm whether public DNSSEC keys are available for the domain.
The Key Signing Key (KSK) and the Zone Signing Key (ZSK) are the two primary types of DNSSEC public keys. The KSK signs the DNSKEY records, while the ZSK signs the other DNS records within the zone.
If your domain has no DNSKEY records, either DNSSEC has not been configured for the domain or it has been disabled.
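To show how the fields in the results table above (flags, protocol, algorithm, key ID, public key) are derived from a DNSKEY record, and how the KSK/ZSK distinction just described is read from the flags, here is an added Python example that is not part of the page or the lookup tool itself. It parses records in zone-file presentation format, computes the key tag (the "Key ID") per RFC 4034 Appendix B, and lists the checks a defender would want from a lookup; the sample records and their short base64 blobs are constructed, not real keys.

```python
import base64

# IANA DNSSEC algorithm numbers; 5 and 7 are SHA-1 based and MUST NOT sign new zones (RFC 8624).
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
SHA1_ALGS = {5, 7}

def parse_dnskey(line):
    """Parse 'owner ttl IN DNSKEY flags protocol algorithm base64key' into a dict."""
    f = line.split()
    if len(f) < 8 or f[2] != "IN" or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + line)
    return {"owner": f[0], "ttl": int(f[1]), "flags": int(f[4]), "protocol": int(f[5]),
            "algorithm": int(f[6]), "key": base64.b64decode("".join(f[7:]))}

def key_tag(rec):
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over the wire-format RDATA."""
    rdata = rec["flags"].to_bytes(2, "big") + bytes([rec["protocol"], rec["algorithm"]]) + rec["key"]
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_role(rec):
    """Bit 7 (value 256) marks a zone key; bit 15 (value 1) marks the Secure Entry Point (KSK)."""
    if not rec["flags"] & 256:
        return "not-a-zone-key"  # RFC 4034 2.1.1: such a key must not be used to verify RRSIGs
    return "KSK" if rec["flags"] & 1 else "ZSK"

def audit(rec):
    """Findings a defender wants from a DNSKEY lookup: protocol, flags and algorithm sanity."""
    findings = []
    if rec["protocol"] != 3:
        findings.append("protocol is not 3; validators treat the record as invalid")
    if key_role(rec) == "not-a-zone-key":
        findings.append("zone-key flag clear; key cannot validate zone signatures")
    if rec["algorithm"] in SHA1_ALGS:
        findings.append(f"SHA-1 based algorithm {rec['algorithm']}; rotate to 13 or 8")
    return findings

def report(lines):
    """One (role, key tag, algorithm name, findings) tuple per record."""
    return [(key_role(r), key_tag(r), ALGORITHMS.get(r["algorithm"], "unknown"), audit(r))
            for r in map(parse_dnskey, lines)]

# Constructed sample records: the base64 blobs are short dummies, not real keys.
SAMPLE_RECORDS = [
    "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",  # KSK-style flags
    "example.com. 3600 IN DNSKEY 256 3 13 BQY=",      # ZSK-style flags
    "example.com. 3600 IN DNSKEY 256 3 5 AQIDBA==",   # ZSK on a SHA-1 algorithm
]
```

Calling `report(SAMPLE_RECORDS)` yields one tuple per record; real lookup output can be fed in line by line in the same format.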