DNSKEY Lookup
A DNSKEY Lookup tool helps you find the DNSKEY record published for a domain. It is useful for verifying key data, troubleshooting missing records, and understanding how a domain’s DNS security is configured.
DNSSEC Algorithm Compatibility Table
| Algorithm Number | Description | Mnemonic | Zone Signing | Transaction Security | Use for DNSSEC Signing | Use for DNSSEC Validation | Implement for DNSSEC Signing | Implement for DNSSEC Validation |
|---|---|---|---|---|---|---|---|---|
| 0 | Delete DS | DELETE | N | N | | | | |
| 1 | RSA/MD5 (DEPRECATED, see 5) | RSAMD5 | N | Y | MUST NOT | MUST NOT | MUST NOT | MUST NOT |
| 2 | Diffie-Hellman | DH | N | Y | | | | |
| 3 | DSA/SHA1 | DSA | Y | Y | MUST NOT | MUST NOT | MUST NOT | MUST NOT |
| 5 | RSA/SHA-1 | RSASHA1 | Y | Y | MUST NOT | RECOMMENDED | NOT RECOMMENDED | MUST |
| 6 | DSA-NSEC3-SHA1 | DSA-NSEC3-SHA1 | Y | Y | MUST NOT | MUST NOT | MUST NOT | MUST NOT |
| 7 | RSASHA1-NSEC3-SHA1 | RSASHA1-NSEC3-SHA1 | Y | Y | MUST NOT | RECOMMENDED | NOT RECOMMENDED | MUST |
| 8 | RSA/SHA-256 | RSASHA256 | Y | * | RECOMMENDED | RECOMMENDED | MUST | MUST |
| 10 | RSA/SHA-512 | RSASHA512 | Y | * | NOT RECOMMENDED | RECOMMENDED | NOT RECOMMENDED | MUST |
| 12 | GOST R 34.10-2001 (DEPRECATED) | ECC-GOST | Y | * | MUST NOT | MUST NOT | MUST NOT | MUST NOT |
| 13 | ECDSA Curve P-256 with SHA-256 | ECDSAP256SHA256 | Y | * | RECOMMENDED | RECOMMENDED | MUST | MUST |
| 14 | ECDSA Curve P-384 with SHA-384 | ECDSAP384SHA384 | Y | * | MAY | RECOMMENDED | MAY | RECOMMENDED |
| 15 | Ed25519 | ED25519 | Y | * | RECOMMENDED | RECOMMENDED | RECOMMENDED | RECOMMENDED |
| 16 | Ed448 | ED448 | Y | * | MAY | RECOMMENDED | MAY | RECOMMENDED |
| 17 | SM2 signing algorithm with SM3 hashing algorithm | SM2SM3 | Y | * | MAY | MAY | MAY | MAY |
| 23 | GOST R 34.10-2012 | ECC-GOST12 | Y | * | MAY | MAY | MAY | MAY |
| 253 | private algorithm | PRIVATEDNS | Y | Y | MAY | MAY | MAY | MAY |
| 254 | private algorithm OID | PRIVATEOID | Y | Y | MAY | MAY | MAY | MAY |

\* No determination has been made on standardising this algorithm for use with Transaction Security (as noted in the IANA registry). Empty cells mean the registry gives no guidance for that algorithm.
DNSKEY Flag Comparison
| Flag | Key Type | Purpose | Used To Sign | Typically Stored In |
|---|---|---|---|---|
| 256 | ZSK | Zone Signing Key | Zone data (A, AAAA, etc.) | Zone file |
| 257 | KSK | Key Signing Key | DNSKEY records | Zone file; a DS digest of it is published in the parent zone |
DNSKEY Record Format
A DNSKEY record is a resource record in DNSSEC that contains a public key, used to verify the digital signatures of DNS records. Its purpose is to allow resolvers to confirm that DNS data has not been modified in transit and originates from an authorized source.
A DNSKEY record generally contains these parts:
- Flags: Shows the role of the key, so a resolver knows how the key should be used in DNSSEC validation.
- Protocol: Always 3 for DNSSEC; it indicates the protocol for which the key is intended.
- Algorithm: The number of the cryptographic algorithm (see the table above) used for the digital signature.
- Public Key: The base64-encoded key material needed for signature verification.
A DNSKEY resource record is generated during zone signing and is usually read-only, storing information that can be queried by anyone.
A basic DNSKEY record example looks like this:

example.com. IN DNSKEY 257 3 8 AwEAAcExampleKeyValueHere

Here,
257 is the flag value, 3 is the protocol, 8 is the algorithm, and the long string is the public key. The record is considered valid if the digital signature on DNS data can be verified using this public key.
This format is what a DNSKEY check tool reads when validating DNSSEC information for a domain.
DNSKEY Types
There are two main DNSKEY types used in DNSSEC:
Zone Signing Key (ZSK)
The Zone Signing Key is used to sign the actual DNS records in a zone. It protects records like A, AAAA, MX, and CNAME by generating signatures that resolvers can verify.
Key Signing Key (KSK)
The Key Signing Key is used to sign the DNSKEY record set itself. It creates a chain of trust by connecting the zone’s keys to the parent zone through the DS record.
The DNSKEY type is identified by the flags field: 256 (Zone Key bit set) indicates a ZSK, while 257 (Zone Key and Secure Entry Point bits set) indicates a KSK.
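The record format and the flag values described in the two sections above, worked through in code. This is an added example, not part of the original page: it parses a presentation-format DNSKEY record, decodes the Zone Key and SEP flag bits, looks up the algorithm against the table on this page, computes the RFC 4034 key tag and derives the SHA-256 DS digest that the parent zone would publish for a KSK. The sample key bytes are constructed and are not a real key; the parser assumes the optional TTL field may be present or absent.

```python
import base64
import hashlib
import struct

# Subset of the algorithm table above: number -> (mnemonic, "Use for DNSSEC Signing").
ALGORITHMS = {
    1: ("RSAMD5", "MUST NOT"), 3: ("DSA", "MUST NOT"), 5: ("RSASHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "MUST NOT"), 8: ("RSASHA256", "RECOMMENDED"),
    10: ("RSASHA512", "NOT RECOMMENDED"), 13: ("ECDSAP256SHA256", "RECOMMENDED"),
    14: ("ECDSAP384SHA384", "MAY"), 15: ("ED25519", "RECOMMENDED"), 16: ("ED448", "MAY"),
}

# Constructed sample: 8 bytes of made-up key material, not a real RSA public key.
SAMPLE_KEY = bytes([0x03, 0x01, 0x00, 0x01, 0xC0, 0xFF, 0xEE, 0x42])
SAMPLE_RR = "example.com. IN DNSKEY 257 3 8 " + base64.b64encode(SAMPLE_KEY).decode()


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over owner name in wire format followed by the DNSKEY RDATA."""
    labels = [l for l in owner.lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return hashlib.sha256(wire + rdata).hexdigest()


def parse_dnskey(line):
    """Parse 'owner [TTL] IN DNSKEY flags protocol algorithm key...' into fields and derived values."""
    tokens = line.split()
    if tokens[1].isdigit():          # drop an optional TTL field
        del tokens[1]
    owner, _cls, rtype, flags, proto, alg, *key_parts = tokens
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, proto, alg = int(flags), int(proto), int(alg)
    if proto != 3:
        raise ValueError("protocol must be 3 for DNSSEC (RFC 4034)")
    key = base64.b64decode("".join(key_parts))
    rdata = struct.pack("!HBB", flags, proto, alg) + key   # wire-format RDATA
    zone_key = bool(flags & 0x0100)  # bit 7: Zone Key
    sep = bool(flags & 0x0001)       # bit 15: Secure Entry Point
    mnemonic, signing_use = ALGORITHMS.get(alg, ("UNKNOWN", "UNKNOWN"))
    return {"owner": owner, "flags": flags, "protocol": proto, "algorithm": alg,
            "mnemonic": mnemonic, "signing_use": signing_use,
            "key_type": "KSK" if zone_key and sep else "ZSK" if zone_key else "not a zone key",
            "key_tag": key_tag(rdata), "ds_sha256": ds_digest(owner, rdata)}
```

Comparing `ds_sha256` against the DS record served by the parent zone is the practical check that the KSK actually anchors the chain of trust; a `signing_use` of MUST NOT on a live key is a configuration finding in its own right.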
DNSSEC and its importance
DNSSEC stands for Domain Name System Security Extensions. It is an optional set of extensions that add origin authentication and data integrity to DNS. The internet relies on DNS for domain name resolution, and DNSSEC is crucial for protecting this process.
DNS vs DNSSEC
DNS is designed to answer domain lookup requests quickly, but it does not verify the authenticity of the answers. During a DNS lookup, DNSKEY records are retrieved from authoritative servers as part of DNSSEC validation.
DNSSEC adds cryptographic validation so users and resolvers can trust the DNS response. DNSKEY records hold the public keys resolvers use to verify DNSSEC signatures on DNS data, which establishes the authenticity and integrity of the response.
Why DNSSEC matters
DNSSEC helps protect against attacks such as DNS spoofing, cache poisoning, man-in-the-middle manipulation, and redirection of users to fake websites. For domain owners, DNSSEC improves trust and strengthens the security of email, websites, and other DNS-based services.
Why do we need DNSKEY lookup?
DNSKEY lookup is important because it helps confirm whether a domain has properly published its DNSSEC keys. Users can check DNSKEY records using an online tool, which provides instant results for verifying keys.
- Check if DNSSEC is enabled on a domain
- Verify published key values
- Troubleshoot a DNSKEY missing issue
- Confirm whether KSK and ZSK records exist
- Review DNSKEY record format
- Validate DNS security after changing providers
- Investigate DNSSEC configuration errors
- Select specific DNS servers to query for DNSKEY records, for more accurate results
- Compare results across online tools such as DNS Checker and NsLookup.io, which let users view and verify DNSKEY records
If a domain is expected to use DNSSEC but no DNSKEY record appears, that can indicate an incomplete setup or a broken trust chain.
A DNSKEY check is especially useful for administrators, developers, and security teams who want to make sure domain responses are protected and verifiable.
