DNSKEY Lookup
Our DNSKEY lookup shows the key-signing and zone-signing keys that protect your zone. Reviewing flags, algorithms, and key bits ensures your signing setup aligns with security and policy requirements.
Frequently Asked Questions
- What is a DNSKEY record?
- DNSKEY records publish the public keys that DNSSEC validators use to verify signatures for a zone.
- What do DNSKEY flags mean?
- A flags value of 256 marks a zone-signing key (ZSK); 257 marks a key-signing key (KSK), which signs the DNSKEY RRset and is the key that the parent zone's DS record references.
- How can I tell which key signs my zone?
- Key-signing keys carry flag 257 and usually have larger key sizes. The matching DS digest in the parent zone points at the active key-signing key.
- Why are DNSKEY key tags important?
- Key tags give resolvers a stable identifier to pair RRSIG signatures and DS digests with the right DNSKEY without parsing the entire key.
- When should I roll DNSKEY records?
- Roll zone-signing keys regularly to limit exposure, and roll key-signing keys when policies require or when you change signing hardware or providers.
- Why do some zones publish multiple algorithms?
- During algorithm migrations or to support different validator capabilities, operators publish multiple DNSKEY sets so resolvers can validate with either algorithm.
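The flag values and key tags discussed in the answers above can be checked offline. The following is an added example, not part of this lookup tool: it parses DNSKEY records in presentation format, classifies each key from its flag bits, and computes the RFC 4034 Appendix B key tag that RRSIG and DS records use to reference a key. The sample records are constructed with placeholder key material and are not real keys.

```python
import base64

# DNSKEY flag bits (RFC 4034 section 2.1; REVOKE from RFC 5011)
ZONE_KEY_BIT = 0x0100  # the key may sign zone data
SEP_BIT = 0x0001       # Secure Entry Point: marks a key-signing key
REVOKE_BIT = 0x0080    # key has been revoked by its holder

def parse_dnskey(line):
    """Parse "257 3 13 <base64>" or a full "owner TTL IN DNSKEY ..." line."""
    tokens = line.split()
    if "DNSKEY" in tokens:
        tokens = tokens[tokens.index("DNSKEY") + 1:]
    flags, protocol, algorithm = (int(t) for t in tokens[:3])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    key = base64.b64decode("".join(tokens[3:]))  # key may be split in chunks
    return flags, protocol, algorithm, key

def key_tag(flags, protocol, algorithm, key):
    """Key tag over the RDATA as defined in RFC 4034 Appendix B."""
    if algorithm == 1:
        # Legacy RSA/MD5: the 16 bits that precede the last modulus byte
        return int.from_bytes(key[-3:-1], "big")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8  # sum the RDATA as 16-bit words
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF

def key_role(flags):
    """Classify a key from its flags: KSK (257), ZSK (256), or neither."""
    if not flags & ZONE_KEY_BIT:
        return "not-a-zone-key"
    role = "KSK" if flags & SEP_BIT else "ZSK"
    return role + "-revoked" if flags & REVOKE_BIT else role

def describe(line):
    """Return (key_tag, role, algorithm) for one DNSKEY record."""
    flags, protocol, algorithm, key = parse_dnskey(line)
    return key_tag(flags, protocol, algorithm, key), key_role(flags), algorithm

# Constructed sample records: the 4-byte key material is a placeholder,
# not a real public key, so the tags only illustrate the computation.
SAMPLE_ZONE = [
    "example. 3600 IN DNSKEY 257 3 13 AQIDBA==",
    "example. 3600 IN DNSKEY 256 3 13 AQIDBA==",
]
```

Run `describe()` over the DNSKEY RRset returned by a lookup and compare the KSK's tag with the key tag field of the DS record published in the parent zone.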