DNSKEY Analyzer

Analyze and decode DNSKEY records to understand their properties

About DNSKEY Records

DNSKEY records contain the public keys used in DNSSEC for cryptographic signing and verification. These records are published in your DNS zone and allow resolvers to verify the authenticity of RRSIG (signature) records. Understanding the structure and properties of DNSKEY records is essential for proper DNSSEC management.

There are two types of DNSKEY records, distinguished by their flags:

  • KSK (Key Signing Key): Long-lived key with flag 256 (SEP bit) used to sign Zone Signing Keys. Typically rotated every 1-2 years. The KSK is used to generate DS records that are added to the parent zone.
  • ZSK (Zone Signing Key): Shorter-lived key with flag 128 (Zone Key bit) used to sign actual DNS records. Typically rotated every 3 months. The ZSK creates RRSIG records for your DNS data.

The key tag is a 16-bit number computed from the DNSKEY record's RDATA that identifies which DNSKEY a DS record in the parent zone refers to. Resolvers use it to match a DS record from the parent zone with the corresponding DNSKEY in your zone, completing chain-of-trust verification.

Analyzing DNSKEY records helps you understand your DNSSEC key configuration, verify key types, check algorithms, and ensure proper key management. For detailed information about key management, see our Key Management Guide.