HomeDNS ToolsIPSECKEY Lookup
DNS Tool

IPSECKEY Lookup

Lookup IPSECKEY records and validate IPsec DNS key data publication, gateway targets, and deployment consistency checks. Run fast checks, interpret results,…

Record Type
IPSECKEY
Focused record verification for targeted DNS troubleshooting.
Best Use
Migration + incident checks
Validate live DNS answers during change windows.
Operational Context
Use this page to validate live resolver output during DNS cutovers, outage triage, and post-change verification windows.
IPSECKEY Lookup — Start Here
Waiting for input
Enter a domain and run check
How to Use

Use IPSECKEY Lookup in 4 Steps

01
Enter domain
Input the target domain in clean hostname format (no path or query string).
02
Run IPSECKEY Lookup
Execute IPSECKEY Lookup to pull live resolver output for this record scope.
03
Compare expected vs live
Match returned values with your intended DNS configuration at the source.
04
Cross-check related tools
Validate adjacent DNS layers to isolate cache vs source problems.

What is IPSECKEY Lookup?

IPSECKEY records publish keying material hints for IPsec endpoint discovery via DNS. They allow IPsec peers to bootstrap secure tunnel configuration by looking up gateway addresses and public keys for a target host in DNS.

IPSECKEY records specify a precedence value (for priority when multiple records exist), a gateway type (none, IPv4, IPv6, or hostname), a public key algorithm (DSA, RSA, ECDSA), and the base64-encoded public key. DNS-based IPsec endpoint discovery is defined in RFC 4025 and is used primarily in mesh VPN and IPSEC bootstrapping scenarios.

Best Use
IPsec bootstrap diagnostics and secure tunnel configuration audits for environments using DNS-based endpoint discovery.
Common Mistake
Mismatch between the gateway precedence values and the actual deployed endpoint topology, causing peers to try failed connections before reaching the correct gateway.
Validation Path
Check precedence, gateway type, and public key fields against the active IPsec topology. Verify gateway hostnames resolve to current IP addresses.

Quick Interpretation Table

Use this reference to diagnose common outcomes when running IPSECKEY Lookup.

Observed ResultLikely CauseNext Step
No IPSECKEY recordDNS-based IPsec endpoint discovery unavailablePublish IPSECKEY record if using DNS-based IPsec bootstrapping
Gateway hostname doesn't resolveIPsec peers cannot locate endpointEnsure gateway hostname has current A/AAAA records
Key data is outdatedAuthentication bootstrap will fail with current keysRe-export current public key and update the IPSECKEY record

CLI Examples

Run these commands directly from a terminal to verify IPSECKEY records without relying on a browser-based tool.

dig IPSECKEY example.com
Query IPSECKEY records for a domain
nslookup -type=IPSECKEY example.com
IPSECKEY lookup using nslookup (cross-platform)
dig IPSECKEY host.example.com
Query IPSECKEY for a specific host in the zone
dig IPSECKEY example.com +dnssec
Include DNSSEC signatures — IPSECKEY should be DNSSEC-signed for security

Troubleshooting Workflow

  • Run this record check first for a scoped signal on the target hostname.
  • Validate nameserver authority and SOA context if results are unexpected.
  • Use propagation checks when different regions return different values.
  • Re-run after applying fixes and compare values against your expected configuration.

Frequently Asked Questions

What is an IPSECKEY record?
An IPSECKEY record publishes keying material for IPsec endpoint discovery via DNS. It encodes a precedence value, gateway type (IPv4, IPv6, hostname, or none), a public key algorithm (DSA, RSA, or ECDSA), and the base64-encoded public key. RFC 4025 defines the format.
What does the IPSECKEY precedence field mean?
Precedence is an unsigned 8-bit integer that sets priority when multiple IPSECKEY records exist for the same name — lower values are preferred first (same concept as MX priority). This allows failover between multiple IPsec gateways: try precedence 10 first, fall back to precedence 20 if unavailable.
What gateway types does IPSECKEY support?
Type 0: no gateway (public key only). Type 1: IPv4 gateway address. Type 2: IPv6 gateway address. Type 3: DNS hostname gateway. The gateway field identifies the IPsec endpoint that the public key authenticates. Hostname gateways (type 3) must resolve to A or AAAA records.
Should IPSECKEY records be DNSSEC-signed?
Yes — DNSSEC signing is strongly recommended for IPSECKEY records. Without DNSSEC, an attacker performing DNS spoofing could substitute a malicious public key, redirecting IPsec connections to an attacker-controlled endpoint. IPSECKEY without DNSSEC provides no meaningful security benefit for key bootstrapping.
Is IPSECKEY widely deployed?
IPSECKEY is rarely used in practice. Most VPN and IPsec deployments use out-of-band key exchange (IKEv2 with certificates from a PKI, or pre-shared keys configured manually). DNS-based IPsec discovery is primarily relevant for large mesh VPN scenarios or environments with dynamic IPsec topology where centralized DNS management is preferable to manual configuration.
Record Scope
ToolIPSECKEY Lookup
Query TypeIPSECKEY
State SharingURL Param
Ops Checklist
• Verify source DNS values first
• Check authority (NS/SOA) if mismatch appears
• Compare with global propagation when needed
Free Newsletter

Get guides like this by email

DNS, email auth, and security playbooks delivered when they publish. No spam.