DNSKEY Record Lookup

Check DNSKEY records (DNSSEC public keys) for any zone. Free real-time DNS propagation checker.

What is a DNSKEY record?

A DNSKEY record publishes a zone's public key for DNSSEC, the protocol that lets resolvers cryptographically verify that DNS answers haven't been tampered with. If a zone is DNSSEC-signed, it has at least one DNSKEY (typically a Zone Signing Key and a Key Signing Key).

When to check DNSKEY

Reading the results

A DNSKEY record packs four fields, in this order: flags, protocol, algorithm, public key. Flag value 257 marks the key as a Key Signing Key (KSK); 256 marks a Zone Signing Key (ZSK). The algorithm is a number from a registered list (8 = RSA/SHA-256, 13 = ECDSA P-256, 15 = ED25519).

Common errors and pitfalls

FAQ

What's the difference between DNSKEY and DS?

DNSKEY publishes the public key itself at the zone you're checking. DS publishes a hash of that key at the parent zone: that's how the DNSSEC chain of trust works.
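As an added example (not the lookup tool's own code), the following Python shows how the two record types fit together: it decodes a DNSKEY record's four fields as described under "Reading the results", classifies the key from its flag bits, computes the RFC 4034 key tag, and derives the DS digest the parent zone would publish for it. The DNSKEY records fed to it are constructed sample values with a tiny placeholder key, not a real zone's keys; a real key would simply be a longer base64 string in the same position.

```python
"""Decode a DNSKEY record and derive the DS digest a parent zone would publish.

Added example, not the lookup tool's own code. Follows RFC 4034: flag bits
(section 2.1.1), key tag (Appendix B) and DS digest (section 5.1.4).
The sample records at the bottom are constructed, not real zone data.
"""
import base64
import hashlib
from dataclasses import dataclass

# IANA DNSSEC algorithm numbers (the ones seen in practice).
ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
# IANA DS digest types.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

FLAG_ZONE = 0x0100    # set on every zone key; 256 is exactly this bit
FLAG_REVOKE = 0x0080  # RFC 5011 revoked key; resolvers must stop trusting it
FLAG_SEP = 0x0001     # Secure Entry Point: the KSK the parent's DS points at


@dataclass
class DNSKey:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def role(self) -> str:
        """Classify from the flag bits: 257 = ZONE|SEP = KSK, 256 = ZONE = ZSK."""
        if not self.flags & FLAG_ZONE:
            return "not a zone key"
        if self.flags & FLAG_REVOKE:
            return "revoked"
        return "KSK" if self.flags & FLAG_SEP else "ZSK"

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) key(n)."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B checksum; this is the number a DS record cites."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def parse_dnskey(text: str) -> DNSKey:
    """Parse presentation format, with or without the 'owner TTL IN DNSKEY' prefix.
    dig wraps long base64 keys across whitespace-separated chunks, so the key
    is everything after the third field, joined."""
    tokens = text.split()
    if "DNSKEY" in tokens:
        tokens = tokens[tokens.index("DNSKEY") + 1:]
    if len(tokens) < 4:
        raise ValueError("expected: flags protocol algorithm public-key")
    flags, protocol, algorithm = (int(t) for t in tokens[:3])
    if protocol != 3:  # RFC 4034 2.1.2: any other value makes the key invalid
        raise ValueError(f"invalid DNSKEY protocol {protocol}, must be 3")
    return DNSKey(flags, protocol, algorithm, base64.b64decode("".join(tokens[3:])))


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_record(owner: str, key: DNSKey, digest_type: int = 2) -> str:
    """DS RDATA the parent would publish: 'keytag algorithm digesttype digest'."""
    digest = DS_DIGESTS[digest_type](owner_wire(owner) + key.rdata()).hexdigest()
    return f"{key.key_tag()} {key.algorithm} {digest_type} {digest.upper()}"


def describe(text: str) -> dict:
    """One-line summary of what a lookup result means."""
    key = parse_dnskey(text)
    return {"role": key.role, "key_tag": key.key_tag(),
            "algorithm": ALGORITHMS.get(key.algorithm, f"unknown({key.algorithm})"),
            "key_bits": len(key.public_key) * 8}


if __name__ == "__main__":
    # Constructed sample records: a 4-byte placeholder key, not real material.
    for rr in ("example.com. 3600 IN DNSKEY 257 3 13 AQIDBA==",
               "example.com. 3600 IN DNSKEY 256 3 13 AQIDBA=="):
        print(describe(rr))
    print(ds_record("example.com.", parse_dnskey("257 3 13 AQIDBA==")))
```

Only the KSK's DS is published at the parent, which is why a ZSK can be rolled without touching the registrar: the key tag and digest in the DS stay the same as long as the KSK does. Comparing the `ds_record` output against the parent's actual DS is the check a lookup tool performs when it reports a broken chain of trust.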

Should I deploy DNSSEC?

It's a trade-off. DNSSEC prevents DNS tampering on the path, but it's operationally fragile and doesn't help with eavesdropping (DoH/DoT do that). For high-security domains it's worth it; for everyday sites it's optional.

What does flag 257 vs 256 mean?

257 is a Key Signing Key: the key that signs other DNSKEYs and is referenced by the parent's DS. 256 is a Zone Signing Key: used to sign the actual records in the zone. Splitting roles makes routine ZSK rollover safe without involving the registrar.

Background reading

See DNSSEC for the full chain-of-trust picture and the DNS Records Explained guide.