DNSKEY Lookup lets you check DNSKEY records for any domain. The online tool allows you to query the DNS servers and identify the DNSKEY records for the specified domain.
The Domain Name System (DNS) is the largest virtual database on the internet. That system translates the human-written domain name to its corresponding IP address. However, DNS was not designed with a security perspective like other internet services. That's why DNS was exposed to man-in-the-middle (MITM) attacks and cache poisoning. Therefore, an additional and optional security protocol (DNSSEC) was introduced to overcome that issue.
DNSSEC is the set of standards composed by the Internet Engineering Task Force (IETF) to secure the communication between the DNS servers and clients.
The DNSSEC protocol overcomes the man-in-the-middle (MITM) attacks and cache poisoning by adding cryptographic signatures to existing DNS records. These signatures verify whether the record came from the valid and authorized DNS server or not.
For implementing that security protocol, new DNS records were created, DNSKEY and DS, defined in RFC4034.
The DNSKEY record contains the public signing key for the DNSSEC authentication process. The record holds a public key that the DNSSEC resolver uses to verify DNSSEC signatures in RRSIG-records.
With the signing of the corresponding authoritative zone, these records are generated automatically, and that resource record object is read-only.
An example of a DNSKEY record looks like this:
abc.com. 3600 IN DNSKEY 257 3 13 ZhCa3rGLofZcndFN2aVd==
| Host Label | TTL | Record Class | Record Type | Flags | Protocol | Algorithm | Public Key |
|---|---|---|---|---|---|---|---|
| abc.com. | 3600 | IN | DNSKEY | 257 | 3 | 13 | ZhCa3rGLofZcndFN2aVd== |
In the above example,
To check the DNSKEY record of a domain, perform the following steps.
