HomeDNS ToolsDNSKEY Lookup
DNS Tool

DNSKEY Lookup

Lookup DNSKEY records to validate DNSSEC key publication, key roles (KSK/ZSK), and signer readiness for secure delegation. Run fast checks, interpret results,…

Record Type
DNSKEY
Focused record verification for targeted DNS troubleshooting.
Best Use
Migration + incident checks
Validate live DNS answers during change windows.
Operational Context
Use this page to validate live resolver output during DNS cutovers, outage triage, and post-change verification windows.
DNSKEY Lookup — Start Here
Waiting for input
Enter a domain and run check
How to Use

Use DNSKEY Lookup in 4 Steps

01
Enter domain
Input the target domain in clean hostname format (no path or query string).
02
Run DNSKEY Lookup
Execute DNSKEY Lookup to pull live resolver output for this record scope.
03
Compare expected vs live
Match returned values with your intended DNS configuration at the source.
04
Cross-check related tools
Validate adjacent DNS layers to isolate cache vs source problems.

What is DNSKEY Lookup?

DNSKEY records publish the public keys used to sign DNS zone data. There are two key types: the Zone Signing Key (ZSK) which signs individual RRsets, and the Key Signing Key (KSK) which signs the DNSKEY RRset itself. Validating resolvers use DNSKEY data to verify DNSSEC signatures.

DNSSEC creates a chain of trust from the root zone down to individual domains. DNSKEY records are verified against the DS record in the parent zone — the parent holds a hash of the child's KSK. If DNSKEY and DS records don't align, the entire zone becomes SERVFAIL for validating resolvers.

Best Use
DNSSEC onboarding, key-roll checks, and parent-child chain validation before enforcing DNSSEC on a production zone.
Common Mistake
Publishing new DNSKEY records without first confirming that the DS record in the parent zone has been updated to match. The window between publishing a new KSK and updating the DS is a validation break period.
Validation Path
DNSKEY → DS → RRSIG must align: DNSKEY present in child zone, DS in parent zone hashes to the KSK, RRSIG records exist for all signed RRsets.

Quick Interpretation Table

Use this reference to diagnose common outcomes when running DNSKEY Lookup.

Observed ResultLikely CauseNext Step
DNSKEY present, DS missing in parentChain of trust is incomplete — zone not fully signedSubmit DS record to registrar so it appears in the parent (.com/.net/etc.) zone
Key algorithm mismatch between DNSKEY and DSValidator may reject signaturesAlign algorithm numbers between DNSKEY and DS records — use algorithm 13 (ECDSAP256SHA256)
Multiple keys during rolloverExpected behavior during a key rotation windowKeep both old and new keys active until TTL expires and propagation completes

CLI Examples

Run these commands directly from a terminal to verify DNSKEY records without relying on a browser-based tool.

dig DNSKEY example.com
Query DNSKEY records for the zone
dig DNSKEY example.com +dnssec
Include DNSSEC signatures (RRSIG) in the response
dig DS example.com @a.gtld-servers.net
Check the DS record in the parent (.com) zone directly
dnssec-keygen -a ECDSAP256SHA256 -b 256 -n ZONE example.com
Generate a new DNSSEC key pair using BIND tools (ECDSAP256SHA256 = algorithm 13)

Troubleshooting Workflow

  • Run this record check first for a scoped signal on the target hostname.
  • Validate nameserver authority and SOA context if results are unexpected.
  • Use propagation checks when different regions return different values.
  • Re-run after applying fixes and compare values against your expected configuration.

Frequently Asked Questions

What is a DNSKEY record?
DNSKEY records publish the public keys used to verify DNSSEC signatures in a zone. There are two key types: the Zone Signing Key (ZSK) signs individual RRsets like A and MX records, and the Key Signing Key (KSK) signs the DNSKEY RRset itself. Resolvers use these keys to verify that zone data hasn't been tampered with.
What is the difference between ZSK and KSK?
The KSK (Key Signing Key) is the trust anchor — it's a long-lived key whose hash is published in the parent zone as a DS record. The ZSK (Zone Signing Key) is rotated more frequently and signs the zone's data RRsets. The KSK signs the DNSKEY RRset to link the parent DS to the child zone's signing infrastructure.
What does DNSKEY flag 257 mean?
Flag value 257 (binary 0000 0001 0000 0001) identifies a KSK — both the Zone Signing Key bit (bit 8) and the Secure Entry Point bit (bit 15) are set. Flag value 256 identifies a ZSK with only the Zone Signing Key bit set. These flags tell resolvers which key type they're looking at.
What algorithm should I use for DNSKEY records?
Current best practice is ECDSAP256SHA256 (algorithm 13) or ECDSAP384SHA384 (algorithm 14). These provide equivalent security to RSA-2048/3072 with much smaller key sizes, reducing DNS response payload sizes. Avoid RSA-1024 (algorithms 5 and 7) — both are deprecated and considered cryptographically weak.
How do I verify DNSSEC is fully working?
Three things must all be true: (1) DNSKEY records are present in the child zone, (2) the DS record in the parent zone matches the KSK's key tag and algorithm, (3) RRSIG records are present for all signed RRsets. Use `dig DNSKEY example.com +dnssec` to query and Verisign's DNSSEC debugger for a full chain validation report.
Record Scope
ToolDNSKEY Lookup
Query TypeDNSKEY
State SharingURL Param
Ops Checklist
• Verify source DNS values first
• Check authority (NS/SOA) if mismatch appears
• Compare with global propagation when needed
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.