What is a DNSKEY record?

A DNSKEY-record holds a public key that resolvers can use to verify DNSSEC signatures in RRSIG-records.

DNSKEY record format

A typical DNSKEY record looks like the following in standard BIND format:

$ORIGIN example.com.
@ 3600 IN DNSKEY 257 3 13 ZhCa3rGLofZcndFN2aVd== 
An anatomy of the DNSKEY Record @ 3600 IN DNSKEY 257 3 13 ZhCa3rGLofZcndFN2aVd== looks like the below:
Host Label TTL Record Class Record Type Flags Protocol Algorithm Public Key
example.com. 3600 IN DNSKEY 257 3 13 ZhCa3rGLofZcndFN2aVd==
Host Label
It defines the hostname of a record and whether the hostname will be appended to the label. Fully qualified hostnames terminated by a period will not append the origin.

The time-to-live in seconds. It specifies how long a resolver is supposed to cache or remember the DNS query before the query expires and a new one needs to be done.

Record Class
Mainly 3 classes of DNS records exist:
  • IN (Internet) – default and generally what internet uses.
  • CH (Chaosnet) – used for querying DNS server versions.
  • HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
Record Type
The record format is defined using this field. Common record types are A, AAAA, CNAME, CAA, TXT etc. In the case of a DNSKEY record, the record type is DNSKEY.

"Zone Key" (set for all DNSSEC keys) and "Secure Entry Point" (set for KSK and simple keys).

The Protocol field must have value 3, and the DNSKEY RR must be treated as invalid during signature verification if it is found to be some value other than 3.

The Algorithm field identifies the public key's cryptographic algorithm and determines the format of the Public Key field.

Public Key
Public key data.

How to add a DNSKEY record?

First you must enable DNSSEC at your DNS provider. If you are hosting your DNS with us, the DNSKEY records will be automatically created and added to your zone once you enable DNSSEC.

DNSKEY record glossary

DNSSEC protects against forged DNS answers. DNSSEC protected zones are cryptographically signed to ensure the DNS records received are identical to the DNS records published by the domain owner.

Berkeley Internet Name Daemon - is the most commonly used DNS software on the Internet and Dynu observes BIND format.

RRset refers to resource record set. All the records with the same type are grouped into an RRset and this full RRset get digitally signed instead of individual DNS records. For example, if you have three TXT records for the same hostname relay.domain.com in the domain.com zone, the three TXT records will be bundled into a single TXT RRset. This is the first step towards securing a zone with DNSSEC.

ZSK (Zone-Signing Keys)
Each zone with DNSSEC enabled has a zone-signing key pair (ZSK): the private key and the public key. The private ZSK is used to create digital signatures for each RRset and the digital signatures are stored in the name server as RRSIG records. When a DNSSEC resolver requests a particular record type (e.g., TXT), apart from returning the TXT record itself, the name server also returns the corresponding RRSIG. The public ZSK is published as a DNSKEY record so that the resolver can then pull the DNSKEY record containing the public ZSK from the name server to verify against the RRSIG signature. The RRset, RRSIG, and public ZSK together can validate the response.

KSK (Key-Signing Keys)
The key-signing key is used to prevent the situation where the zone-signing key is compromised. The KSK validates the ZSK DNSKEY record in exactly the same way as the ZSK secure the RRSets. It signs the public ZSK (which is stored in a DNSKEY record), creating an RRSIG for the DNSKEY record. The public KSK is published in another DNSKEY record which can be used by resolvers to verify against the RRSIG.