DNSKEY Record Lookup

Use our tool to quickly find the DNSKEY record of any domain. The DNSKEY records contain the public signing keys for the domain, which are essential for the DNSSEC verification process.

Introducing Our DNSKEY Lookup Tool

Our free tool makes it very easy for anyone to check the DNSKEY records for their domain. DNSKEY records play an important role in the DNSSEC validation process because they contain the domain’s public signing keys. DNSSEC-enabled resolvers use these public keys to verify a domain’s response to a DNS query.

Using our tool to check the DNSKEY records can help in ensuring that the domain is compliant with DNSSEC and is configured to properly undergo the verification process.

How to Check DNSKEY Records Using Our Tool

Here are the steps that you need to follow:

  1. Enter the domain name that you want to check into the provided space
  2. Select the DNS server from the drop-down menu
  3. Click on the “DNSKEY Lookup” button to start the process
  4. Once the records are provided for the domain, you can copy them to your clipboard by using the copy button, or you can save them to your device by using the download option

Understanding the Results of the DNSKEY Lookup

Here is a breakdown of the results that you will be given when the DNSKEY lookup is done:

  • Type: This field indicates the record type. In this case, the “Type” field will contain “DNSKEY”.
  • Domain name: This field will contain the name of the domain that you have entered for the DNSKEY lookup.
  • TTL: This field contains the time to live (TTL), which is how long the record may be kept in a cache before it has to be refreshed.
  • Algorithm: The algorithm here refers to the algorithm that was used to create the DNSSEC keys for that domain.
  • Protocol: This field contains the DNSSEC protocol version used by the domain. Currently, the only value used for DNSSEC is “3”.
  • Flag: The Flag field indicates whether the key stored in the DNSKEY record is a ZSK or a KSK. ZSK stands for zone signing key, while KSK stands for key signing key.
  • Key ID: The Key ID is used to identify a particular DNSKEY record. In other words, if the DNSKEY record of a domain contains more than one key, the key ID helps the resolvers distinguish between them. 
  • Key: The key field contains the main value of the record, the public key.
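
To make these fields concrete, here is a Python sketch (an added example, not part of the lookup tool) that parses DNSKEY answer lines in the format printed by dig, labels each key as KSK or ZSK from its flag value, rejects a protocol value other than 3, and computes the Key ID with the key tag algorithm from RFC 4034 Appendix B. The two records and their key bytes are constructed sample data, and the function names are illustrative.

```python
import base64
import struct

# Constructed sample in the answer-line format printed by `dig DNSKEY example.com`.
# The key material is dummy bytes, not a real signing key.
SAMPLE = """\
example.com. 3600 IN DNSKEY 257 3 15 AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
example.com. 3600 IN DNSKEY 256 3 15 ICEiIyQlJicoKSorLC0uLzAx MjM0NTY3ODk6Ozw9Pj8=
"""

ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}


def key_tag(rdata: bytes) -> int:
    """Key ID (key tag) over the record's wire-format RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF  # fold the carry back into the low 16 bits
    return acc & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one presentation-format DNSKEY line into the fields a lookup shows."""
    name, ttl, rclass, rtype, flags, proto, alg, *b64 = line.split()
    if rclass != "IN" or rtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    flags, proto, alg = int(flags), int(proto), int(alg)
    if proto != 3:
        raise ValueError(f"protocol field must be 3, got {proto}")
    # dig may split a long key into several space-separated chunks
    key = base64.b64decode("".join(b64), validate=True)
    # Flag 257 = Zone Key bit + SEP bit (KSK); flag 256 = Zone Key bit only (ZSK)
    zone_key, sep = bool(flags & 0x0100), bool(flags & 0x0001)
    role = "KSK" if zone_key and sep else "ZSK" if zone_key else "not a zone key"
    return {
        "domain": name, "ttl": int(ttl), "type": rtype, "flag": flags,
        "role": role, "protocol": proto,
        "algorithm": ALGORITHMS.get(alg, f"algorithm {alg}"),
        "key_id": key_tag(struct.pack("!HBB", flags, proto, alg) + key),
        "key_bytes": len(key),
    }


def parse_answer(text: str) -> list:
    """Parse every record line, skipping blanks and dig's ';' comment lines."""
    return [parse_dnskey(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith(";")]


if __name__ == "__main__":
    for rec in parse_answer(SAMPLE):
        print(rec)
```

The Key ID computed this way should match the key tag shown in the domain's DS and RRSIG records, which is how a resolver picks the right key when several DNSKEY records are published.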

What Are Some Other Ways to Check the DNSKEY Records?

Using our tool to look up DNSKEY records for your domain is a very easy and simple method. However, there are some other ways that you can try as well, such as using Windows PowerShell and the Terminal on macOS and Linux devices.

Here is a guide on how you can check DNSKEY records using the command line interface on your respective device.

Check DNSKEY Records on Windows

Here are the steps that you need to follow:

1. Open Windows PowerShell on your PC. You can simply press the Windows key and then type “PowerShell” in the search bar.

2. Once PowerShell is open, type in this command, replacing “example.com” with the domain that you want to get the record for:

Resolve-DnsName -Name example.com -Type DNSKEY

3. Press Enter, and the DNSKEY records will be provided with all the respective details, including the record type, TTL, flag, etc.

Check DNSKEY Records on Linux

Use the dig command to check DNSKEY records on Linux. 

  • Open the terminal.
  • Type: dig DNSKEY example.com and press Enter.

Replace "example.com" with your actual domain. The output will include information about the DNSKEY records associated with the specified domain.

Check DNSKEY Records on macOS

You can use the dig command in the Terminal.

  • Simply access the Terminal.
  • Type: dig DNSKEY example.com and press Enter.

Substitute "example.com" with your actual domain. The result will display the DNSKEY records for the specified domain.

FAQs

Is it necessary to have a DNSKEY record configured for your domain?

Yes, it is necessary to have a DNSKEY record configured for your domain if DNSSEC is enabled. The DNSSEC verification process requires the public keys stored in the DNSKEY record, which is why they are necessary.

Is it possible for DNSSEC to work without a DNSKEY record?

No, it is not possible for DNSSEC to work without a DNSKEY record. The DNSKEY record provides the public key used to verify the integrity of the DNS response.

Can you change the DNSKEY records for your domain?

You can change the DNSKEY records for your domain if you are the owner or administrator. You can visit your domain’s DNS records via the hosting provider and generate new public DNSSEC keys. Once the new keys are generated, they will be propagated in the form of DNSKEY records for that domain.