DNSKEY
The DNSSEC record that publishes a zone's public signing keys (KSK and ZSK) so resolvers can verify RRSIG signatures.
A DNSKEY record publishes the public half of a DNSSEC signing key in the zone. A typical signed zone has at least two DNSKEYs: a ZSK (Zone Signing Key) that signs every record set, and a KSK (Key Signing Key) used only to sign the DNSKEY set itself. Validating resolvers fetch the DNSKEY records and use them to verify the RRSIG signatures on other records. A digest of the KSK's DNSKEY record is also published in the parent zone as a DS record, which is what links the zone into the chain of trust above it. DNSKEY rollovers are one of the trickiest operational tasks in DNSSEC.
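The DS link described above is concrete enough to compute. The following Python is an added example, not code from this glossary or any DNS project: it builds DNSKEY RDATA, derives the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest the parent would publish, and performs the resolver-side check that a parent's DS really authenticates a child's DNSKEY. The key bytes are constructed placeholders, not a real public key, and the zone name example.com is used only as sample input.

```python
import base64
import hashlib
import hmac
import struct

# DNSKEY flag bits and the algorithm/digest numbers used below.
FLAG_ZONE = 0x0100          # bit 7: this is a zone key
FLAG_SEP = 0x0001           # bit 15: Secure Entry Point, conventionally set on the KSK
ALG_RSASHA256 = 8           # DNSKEY algorithm number (RFC 5702)
DS_SHA256 = 2               # DS digest type (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2): lowercase labels,
    each prefixed by its length, terminated by the empty root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def parse_dnskey(text: str) -> bytes:
    """Parse presentation format 'FLAGS PROTOCOL ALGORITHM BASE64...' into RDATA."""
    fields = text.split()
    flags, protocol, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    public_key = base64.b64decode("".join(fields[3:]))
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the RDATA used to pick
    candidate keys quickly. It is not a security property; collisions are normal."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = DS_SHA256) -> bytes:
    """DS digest = hash(canonical owner name | DNSKEY RDATA)."""
    hashes = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    if digest_type not in hashes:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    h = hashes[digest_type]()
    h.update(name_to_wire(owner))
    h.update(rdata)
    return h.digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = DS_SHA256) -> tuple:
    """The DS RDATA the parent publishes for this DNSKEY: (key tag, algorithm, digest type, digest)."""
    return key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches_dnskey(owner: str, ds: tuple, rdata: bytes) -> bool:
    """Resolver-side check: does the parent's DS authenticate this child DNSKEY?"""
    tag, algorithm, digest_type, digest = ds
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & FLAG_ZONE or rdata[2] != 3:
        return False                      # not a zone key, or wrong protocol: never valid
    if tag != key_tag(rdata) or algorithm != rdata[3]:
        return False                      # cheap filters before hashing
    return hmac.compare_digest(digest, ds_digest(owner, rdata, digest_type))


def ds_presentation(owner: str, ds: tuple) -> str:
    """Render a DS tuple the way it appears in a zone file."""
    tag, algorithm, digest_type, digest = ds
    return f"{owner} IN DS {tag} {algorithm} {digest_type} {digest.hex().upper()}"


if __name__ == "__main__":
    # Constructed KSK: flags 257 (ZONE + SEP), algorithm 8, placeholder key bytes.
    # A real record would carry the algorithm's encoded public key (RFC 3110 for RSA).
    ksk = dnskey_rdata(FLAG_ZONE | FLAG_SEP, ALG_RSASHA256, bytes(range(1, 65)))
    ds = make_ds("example.com.", ksk)
    print(ds_presentation("example.com.", ds))
    print("DS matches KSK:", ds_matches_dnskey("example.com.", ds, ksk))
    tampered = ksk[:-1] + bytes([ksk[-1] ^ 0x01])
    print("DS matches after flipping one key bit:", ds_matches_dnskey("example.com.", ds, tampered))
```

Two details matter operationally: the owner name is lowercased before hashing, so a DS computed for `Example.COM` must equal one computed for `example.com`, and the key tag is only a filter, so a validator must compare the digest rather than stop at a matching tag. During a KSK rollover the parent's DS must point at a key that is actually present in the child's DNSKEY set; this check is exactly what fails when the two get out of step.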
Referenced on
- Build a DNS Resolver from Scratch in Node.js
- Build a DNS Resolver from Scratch in Python
- DNS Root Servers Explained: The 13 Servers That Run the Internet
- DNS Zone Transfer Attack (AXFR): How a Single Query Exposes Your Entire Domain
- Free DNS Lookup Tool
- How DNS Queries Work: A Developer's Guide to the DNS Protocol
- SHA-256 Generator Free Online
- Troubleshooting Common DNS Issues: A Step-by-Step Guide
- What Is DNSSEC and Why Should You Enable It?
- What Is SERVFAIL? Understanding DNS Server Failure Responses
- Why DNSSEC Is Still Failing: Lessons from 240 Million Domains