DNSKEY

DNSKEY is a DNS resource record type used in DNSSEC to publish a public key that resolvers use to validate signatures on DNS data. The DNSKEY RRset in a zone is signed by RRSIG records and is used together with Delegation Signer (DS) records in the parent zone to establish a chain of trust from the zone up to the root.

DNSKEY RDATA consists of four fields: Flags (16-bit), Protocol (8-bit, must be 3), Algorithm (8-bit), and Public Key (variable length, base64-encoded binary data). The Flags field indicates the key's role: 0x0100 (decimal 256) designates a zone signing key (ZSK); 0x0101 (decimal 257) designates a key signing key (KSK) and marks it as a secure entry point.

In practice, a ZSK signs most zone data, while a KSK signs the DNSKEY RRset. The DS record in the parent zone contains a digest of one DNSKEY and serves as the anchor for the child zone in the DNSSEC chain of trust. Resolvers validate DNS data by verifying RRSIGs using the DNSKEY, with trust anchored from a root or configured trust anchors.

Management and lifecycle considerations include generating DNSKEYs with tools such as dnssec-keygen, distributing signed keys securely, and handling key rollover. KSKs are typically kept offline or highly protected, while ZSKs are used for routine zone signing. When keys are rotated, DNSKEY and DS records are updated and re-signed to maintain the integrity of the delegation chain.

See also DNSSEC, DS, RRSIG, and key management practices related to DNS security.
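The following Python is an added example, not code from the original page or from any DNS software. It shows the RDATA layout, the flag-based ZSK/KSK classification and the DS derivation described above, plus a rollover sanity check for the lifecycle paragraph: building DNSKEY RDATA in wire form, classifying the key by its Flags field, computing the RFC 4034 key tag and the SHA-256 DS digest (RFC 4509, digest type 2) over owner name plus RDATA, and checking that a parent's DS set still matches a KSK in the child's DNSKEY RRset. All function names are the author's own, and the public key bytes are constructed placeholders, not real key material.

```python
"""Added example (not from the original page): encode, parse and classify
DNSKEY records, then derive the DS digest and key tag a parent zone would
publish. Field layout follows RFC 4034 (DNSKEY RDATA, key tag) and RFC 4509
(SHA-256 DS digest). All key bytes below are constructed test data."""
import base64
import hashlib
import struct

FLAG_ZONE = 0x0100  # "Zone Key" bit: the key may sign zone data
FLAG_SEP = 0x0001   # "Secure Entry Point" bit: set on KSKs (256 | 1 = 257)


def owner_name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed labels,
    lower-cased, terminated by the empty root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: Flags(16) | Protocol(8) | Algorithm(8) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def parse_dnskey(presentation: str) -> dict:
    """Parse 'flags protocol algorithm base64...' presentation format.
    A Protocol value other than 3 must be treated as invalid (RFC 4034 2.1.2)."""
    parts = presentation.split()
    flags, protocol, algorithm = (int(p) for p in parts[:3])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    pubkey = base64.b64decode("".join(parts[3:]))  # base64 may be split over several tokens
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "pubkey": pubkey, "rdata": dnskey_rdata(flags, protocol, algorithm, pubkey)}


def key_role(flags: int) -> str:
    """Classify by the Flags field: 256 -> ZSK, 257 -> KSK.
    A key without the Zone bit is not usable for DNSSEC validation at all."""
    if not flags & FLAG_ZONE:
        return "not-a-zone-key"
    return "KSK" if flags & FLAG_SEP else "ZSK"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA that lets a
    validator pick among several DNSKEYs; it is a selector, not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, presentation: str) -> str:
    """Presentation-format DS record for the parent: '<owner> IN DS <tag> <alg> 2 <digest>'.
    The DS should reference the KSK, since that is the key that signs the DNSKEY RRset."""
    key = parse_dnskey(presentation)
    if key_role(key["flags"]) != "KSK":
        raise ValueError("DS records should point at the KSK (flags 257)")
    return (f"{owner} IN DS {key_tag(key['rdata'])} {key['algorithm']} 2 "
            f"{ds_digest_sha256(owner, key['rdata'])}")


def chain_intact(owner: str, parent_ds_digests: set, dnskey_rrset: list) -> bool:
    """Rollover sanity check: the chain of trust holds only while at least one DS
    digest published by the parent matches a KSK still present in the child's
    DNSKEY RRset. Retiring the old KSK before the parent publishes the new DS
    leaves the zone unvalidatable."""
    for pres in dnskey_rrset:
        key = parse_dnskey(pres)
        if key_role(key["flags"]) == "KSK" and \
                ds_digest_sha256(owner, key["rdata"]) in parent_ds_digests:
            return True
    return False


# Constructed example KSK: flags 257, protocol 3, algorithm 13, with a 4-byte
# placeholder public key (a real ECDSA P-256 key would be 64 bytes).
EXAMPLE_KSK = "257 3 13 " + base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    key = parse_dnskey(EXAMPLE_KSK)
    print(key_role(key["flags"]), "key tag", key_tag(key["rdata"]))
    print(ds_record("example.com.", EXAMPLE_KSK))
```

Running the script prints the role and key tag of the constructed KSK and the DS record the parent zone would carry for it; `chain_intact` is the check to run at each step of a KSK rollover, with the parent's current DS set on one side and the child's published DNSKEY RRset on the other.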