DNSKEY Record Lookup
Check DNSKEY records (DNSSEC public keys) for any zone. Free real-time DNS propagation checker.
What is a DNSKEY record?
A DNSKEY record publishes a zone's public key for DNSSEC, the protocol that lets resolvers cryptographically verify that DNS answers haven't been tampered with. If a zone is DNSSEC-signed, it has at least one DNSKEY (typically a Zone Signing Key and a Key Signing Key).
When to check DNSKEY
- Verifying that DNSSEC is actually enabled on a zone
- Comparing the published DNSKEY against the DS record at the parent zone
- Diagnosing DNSSEC validation failures
Reading the results
A DNSKEY record packs four fields: flags, protocol, algorithm, and public key. Flag value 257 marks it as a Key Signing Key (KSK); 256 marks a Zone Signing Key (ZSK). The algorithm is a number from a registered list (8 = RSA/SHA-256, 13 = ECDSA P-256, 15 = ED25519).
Common errors and pitfalls
- DNSKEY exists but DNSSEC validation fails — usually a missing or mismatched DS at the parent zone. The chain of trust is broken.
- Multiple DNSKEYs — that's normal. A signed zone usually has both a KSK (long-lived, signs DNSKEY) and a ZSK (short-lived, signs everything else).
- Botched key rollover — removing the old key before the parent's DS record updates causes a SERVFAIL outage. Always publish both old and new keys during rollover.
FAQ
What's the difference between DNSKEY and DS?
DNSKEY publishes the public key itself at the zone you're checking. DS publishes a hash of that key at the parent zone — that's how the DNSSEC chain of trust works.
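The "Reading the results" field layout, the "missing or mismatched DS" pitfall and this FAQ answer all come down to one computation: the parent's DS carries the key tag, the algorithm number and a digest over the child's DNSKEY, and a resolver accepts the chain only if at least one DS matches a published DNSKEY. The following is an added worked example, not WhereIsDNS's own code: it parses a DNSKEY record in the text form the lookup tool shows, derives the key tag (RFC 4034 Appendix B) and the DS digest (hash over the canonical owner name followed by the DNSKEY RDATA), and checks whether a given DS matches. The sample key bytes, the `example.com.` owner name and the helper names are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

# Subset of the IANA DNSSEC algorithm registry, using the numbers named on this page.
ALGORITHMS = {8: "RSA/SHA-256", 13: "ECDSA P-256/SHA-256", 15: "ED25519"}
# DS digest types accepted here: 2 = SHA-256, 4 = SHA-384. Type 1 (SHA-1) is left out on purpose.
DIGEST_TYPES = {2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_dnskey(owner, flags, alg, pubkey):
    """Build a DNSKEY RR in presentation format from raw parts (used for the constructed samples)."""
    return "%s 3600 IN DNSKEY %d 3 %d %s" % (owner, flags, alg, base64.b64encode(pubkey).decode())


def parse_dnskey(rr_text):
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64...' into its parts."""
    f = rr_text.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    pubkey = base64.b64decode("".join(f[i + 4:]))
    # RDATA (flags, protocol, algorithm, key) is exactly what key tag and DS digest cover.
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return {"owner": f[0], "flags": flags, "algorithm": alg, "rdata": rdata}


def key_role(flags):
    """Bit value 256 = zone key; bit value 1 = SEP, the marker a KSK carries (so 257 = KSK)."""
    if not flags & 256:
        return "not a zone key"
    return "KSK" if flags & 1 else "ZSK"


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit big-endian word sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    return DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()


def expected_ds(dnskey_text, digest_type=2):
    """The DS record the parent zone should publish for this DNSKEY."""
    k = parse_dnskey(dnskey_text)
    return "%s IN DS %d %d %d %s" % (k["owner"], key_tag(k["rdata"]), k["algorithm"],
                                     digest_type, ds_digest(k["owner"], k["rdata"], digest_type))


def ds_matches(dnskey_text, ds_text):
    """True if the DS record (at the parent) was derived from this DNSKEY record (at the child)."""
    k = parse_dnskey(dnskey_text)
    f = ds_text.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    digest = "".join(f[i + 4:]).upper()
    return (f[0].lower() == k["owner"].lower()
            and tag == key_tag(k["rdata"])
            and alg == k["algorithm"]
            and dtype in DIGEST_TYPES
            and digest == ds_digest(k["owner"], k["rdata"], dtype))


def chain_intact(dnskey_texts, ds_texts):
    """A resolver needs at least one DS that matches a published DNSKEY. A DS with no matching key
    is tolerated while another DS does match, which is what makes pre-publish rollover work; no
    match at all is the broken chain behind 'DNSKEY exists but validation fails' and SERVFAIL."""
    return any(ds_matches(k, ds) for ds in ds_texts for k in dnskey_texts)


# Constructed sample: a 64-byte placeholder standing in for an ECDSA P-256 public key.
SAMPLE_KSK = make_dnskey("example.com.", 257, 13, bytes(range(64)))

if __name__ == "__main__":
    k = parse_dnskey(SAMPLE_KSK)
    print("role:", key_role(k["flags"]), "| algorithm:", ALGORITHMS.get(k["algorithm"], "?"))
    print("key tag:", key_tag(k["rdata"]))
    print("expected DS:", expected_ds(SAMPLE_KSK))
```

Feed `ds_matches` the DNSKEY text from this page and the DS text from the parent-zone lookup to reproduce the comparison the tool asks you to make by eye; `chain_intact` over all published DNSKEYs and all DS records is the check to run before withdrawing an old key during a rollover.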
Should I deploy DNSSEC?
It's a trade-off. DNSSEC prevents DNS tampering on the path, but it's operationally fragile and doesn't help with eavesdropping (DoH/DoT do that). For high-security domains it's worth it; for everyday sites it's optional.
What does flag 257 vs 256 mean?
257 is a Key Signing Key — the key that signs other DNSKEYs and is referenced by the parent's DS. 256 is a Zone Signing Key — used to sign the actual records in the zone. Splitting roles makes routine ZSK rollover safe without involving the registrar.
Background reading
See DNSSEC for the full chain-of-trust picture and the DNS Records Explained guide.
All record-type lookups
WhereIsDNS has dedicated pages for each common DNS record type. Each one defaults the tool to that record type and includes background on what the record means and what to look for.
- A Record Lookup — IPv4 addresses for a hostname
- AAAA Record Lookup — IPv6 addresses for a hostname
- CNAME Lookup — Aliases pointing one hostname to another
- MX Record Lookup — Mail servers for a domain (with priorities)
- NS Record Lookup — Authoritative nameservers for a domain
- TXT Record Lookup — SPF, DKIM, DMARC, and other text records
- SOA Record Lookup — Authority metadata for a DNS zone
- CAA Record Lookup — Which CAs may issue certs for the domain
- SRV Record Lookup — Service location records (SIP, XMPP, _autodiscover, etc.)
- DS Record Lookup — DNSSEC delegation signer at the parent zone
- HTTPS Record Lookup — Modern HTTPS service binding (ALPN, ECH, etc.)
- SVCB Record Lookup — Generic service binding (RFC 9460)
- PTR (Reverse DNS) Lookup — IP address back to a hostname
- Home (defaults to A records)