What is an Online DNSKEY Checker?
DNSKEY Lookup lets you check DNSKEY records for any domain. The online tool allows you to query the DNS servers and identify the DNSKEY records for the specified domain.
What is a DNSKEY record in DNS?
The Domain Name System (DNS) is the largest virtual database on the internet. It translates human-readable domain names to their corresponding IP addresses. However, unlike many other internet services, DNS was not designed with security in mind. That is why DNS was exposed to man-in-the-middle (MITM) attacks and cache poisoning. Therefore, an additional and optional security protocol, DNSSEC, was introduced to address that issue.
DNSSEC is the set of standards developed by the Internet Engineering Task Force (IETF) to secure the DNS data exchanged between DNS servers and clients.
The DNSSEC protocol mitigates man-in-the-middle (MITM) attacks and cache poisoning by adding cryptographic signatures to existing DNS records. A validating resolver uses these signatures to verify that a record was signed by the zone's authorized key and was not modified in transit.
To implement that security protocol, new DNS record types were created, DNSKEY and DS, defined in RFC 4034.
- DNSKEY contains the public signing key.
- DS holds a hash (digest) of the DNSKEY record.
Why do you need a DNSKEY record?
The DNSKEY record contains the public signing key for the DNSSEC authentication process. The record holds a public key that the DNSSEC resolver uses to verify DNSSEC signatures in RRSIG records.
When the corresponding authoritative zone is signed, these records are generated automatically, and the resulting resource record is read-only.
Components of DNSKEY records
An example of a DNSKEY record looks like this: abc.com. 3600 IN DNSKEY 257 3 13 ZhCa3rGLofZcndFN2aVd==
Host Label | TTL | Record Class | Record Type | Flags | Protocol | Algorithm | Public Key |
---|---|---|---|---|---|---|---|
abc.com. | 3600 | IN | DNSKEY | 257 | 3 | 13 | ZhCa3rGLofZcndFN2aVd== |
In the above example,
- abc.com is the hostname of the record.
- 3600 is the TTL (time to live), the number of seconds the record may be cached before it expires.
- IN is the record class (Internet), the default class and the one generally used on the internet.
- DNSKEY is the DNS record type.
- 257 is the Flags field: a value of 256 indicates that the DNSKEY contains a Zone Signing Key (ZSK), and a value of 257 indicates a Key Signing Key (KSK).
- 3 is the Protocol field, which must always be 3; otherwise, the record is not valid.
- 13 is the Algorithm field, which identifies the public key's cryptographic algorithm (13 is ECDSA P-256 with SHA-256) and defines the format of the Public Key field.
- ZhCa3rGLofZcndFN2aVd== is the Public Key.
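The following Python example (added here; it is not the checker tool's code) parses a DNSKEY record in the presentation format shown above, classifies it as ZSK or KSK from the Flags field, rejects any Protocol value other than 3, computes the RFC 4034 key tag, and derives the SHA-256 DS record that the parent zone would publish for it. The sample record in the comments uses a constructed placeholder key, since the page's key is shortened for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class DNSKEY:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @property
    def rdata(self) -> bytes:
        # Wire-format RDATA: Flags(2) | Protocol(1) | Algorithm(1) | Public Key.
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    @property
    def role(self) -> str:
        # Bit 7 (value 256) marks a zone key; bit 15 (value 1) is the SEP flag, so 256 = ZSK, 257 = KSK.
        if not self.flags & 0x100:
            return "not a zone key"
        return "KSK" if self.flags & 0x1 else "ZSK"

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit checksum of the RDATA, cited by RRSIG and DS records.
        ac = 0
        for i, b in enumerate(self.rdata):
            ac += b if i & 1 else b << 8
        return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

    def ds_record(self) -> str:
        # RFC 4034 5.1.4: digest = SHA-256(canonical owner name in wire form | RDATA); digest type 2.
        labels = [lab for lab in self.owner.lower().split(".") if lab]
        wire_name = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
        digest = hashlib.sha256(wire_name + self.rdata).hexdigest()
        return "%s IN DS %d %d 2 %s" % (self.owner, self.key_tag(), self.algorithm, digest)


def parse_dnskey(line: str) -> DNSKEY:
    # Presentation format: owner TTL IN DNSKEY flags protocol algorithm base64-key...
    # Constructed sample: "abc.com. 3600 IN DNSKEY 257 3 13 AAAAAA==" (placeholder key).
    owner, ttl, cls, rtype, flags, proto, alg, *key = line.split()
    if cls != "IN" or rtype != "DNSKEY":
        raise ValueError("not an IN DNSKEY record")
    rec = DNSKEY(owner, int(ttl), int(flags), int(proto), int(alg), base64.b64decode("".join(key)))
    if rec.protocol != 3:  # RFC 4034 2.1.2: any other value makes the record invalid
        raise ValueError("invalid Protocol field %d" % rec.protocol)
    return rec
```

Comparing the digest in the derived DS record with the DS actually published in the parent zone is the check that confirms the chain of trust from parent to child is intact.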
How do I check my DNSKEY record?
To check the DNSKEY record of a domain, perform the following steps.
- Open the DNSKEY Record Checker.
- Enter the domain name and select the DNS server. You can choose between Google DNS, Cloudflare DNS, OpenDNS, Quad9, Yandex DNS, and Authoritative DNS servers.
- Click on the "Show DNSKEY Records" button.
- The tool will perform the DNSKEY lookup, list the given domain's DNSKEY record(s), and check their propagation globally.