DNS CERT Records Explained
DNS CERT (Certificate) records store public key certificates or references to them in DNS. They enable secure distribution of certificates for authentication, encryption, and digital signatures without requiring a separate certificate authority infrastructure.
What is a CERT record?
CERT records contain public key certificates that can be used for various cryptographic purposes. The certificate data can be stored directly in the DNS record, or the record can contain a reference to where the certificate can be retrieved. This provides a standardized way to distribute certificates through DNS infrastructure.
Each CERT record contains four key pieces of information: the certificate type (such as PKIX for X.509 certificates or PGP for OpenPGP keys), a key tag for identification, the algorithm used, and the certificate data itself (usually Base64 encoded). This structure supports multiple certificate formats within a single record type.
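The four-field structure described above is easiest to see by encoding and decoding it. The following is an added example written for this page, not code from the original article: it converts between the presentation form of CERT RDATA ("TYPE KEYTAG ALGORITHM BASE64") and the wire form (two-octet type, two-octet key tag, one-octet algorithm, then the raw certificate), with range checks on each field and strict Base64 validation. The type and algorithm mnemonics are the registered values from RFC 4398 and the DNSSEC algorithm registry; the certificate bytes in the sample are constructed filler, not a real certificate.

```python
import base64
import binascii
import struct

# Certificate type mnemonics and values from RFC 4398, section 2.1
CERT_TYPES = {
    "PKIX": 1, "SPKI": 2, "PGP": 3, "IPKIX": 4, "ISPKI": 5,
    "IPGP": 6, "ACPKIX": 7, "IACPKIX": 8, "URI": 253, "OID": 254,
}
CERT_TYPE_NAMES = {v: k for k, v in CERT_TYPES.items()}

# Algorithm numbers are the DNSKEY/RRSIG algorithm numbers (RFC 4034 and the
# IANA DNSSEC algorithm registry); 0 means "algorithm unknown to DNSSEC".
ALGORITHMS = {
    "RSASHA1": 5, "RSASHA256": 8, "RSASHA512": 10,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14, "ED25519": 15,
}
ALGORITHM_NAMES = {v: k for k, v in ALGORITHMS.items()}


def _field(token, table, upper_bound, name):
    """Resolve a mnemonic or decimal token to an integer and range-check it."""
    value = int(token) if token.isdigit() else table.get(token.upper())
    if value is None:
        raise ValueError(f"unknown {name} mnemonic {token!r}")
    if not 0 <= value <= upper_bound:
        raise ValueError(f"{name} {value} out of range 0..{upper_bound}")
    return value


def parse_presentation(rdata):
    """Parse 'TYPE KEYTAG ALGORITHM BASE64...' into (type, key_tag, alg, cert_bytes)."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("CERT RDATA needs type, key tag, algorithm and certificate")
    cert_type = _field(fields[0], CERT_TYPES, 0xFFFF, "certificate type")
    key_tag = _field(fields[1], {}, 0xFFFF, "key tag")  # key tag is always numeric
    algorithm = _field(fields[2], ALGORITHMS, 0xFF, "algorithm")
    try:
        # Base64 may be split across whitespace in zone files; validate=True
        # rejects stray characters instead of silently dropping them.
        cert = base64.b64decode("".join(fields[3:]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate field is not valid Base64: {exc}") from exc
    return cert_type, key_tag, algorithm, cert


def to_presentation(cert_type, key_tag, algorithm, cert):
    """Render the four fields in zone-file form, using mnemonics where registered."""
    type_text = CERT_TYPE_NAMES.get(cert_type, str(cert_type))
    alg_text = ALGORITHM_NAMES.get(algorithm, str(algorithm))
    return f"{type_text} {key_tag} {alg_text} {base64.b64encode(cert).decode('ascii')}"


def to_wire(cert_type, key_tag, algorithm, cert):
    """RFC 4398 wire format: uint16 type, uint16 key tag, uint8 algorithm, certificate."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert


def from_wire(wire):
    """Inverse of to_wire; rejects RDATA too short to hold the fixed header."""
    if len(wire) < 5:
        raise ValueError("CERT RDATA shorter than its 5-octet fixed header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", wire[:5])
    return cert_type, key_tag, algorithm, wire[5:]


# Constructed sample: PKIX type, key tag 12345, RSASHA256, filler certificate bytes.
SAMPLE_CERT = b"constructed-not-a-real-certificate"
SAMPLE_RECORD = to_presentation(1, 12345, 8, SAMPLE_CERT)

if __name__ == "__main__":
    print("presentation:", SAMPLE_RECORD)
    fields = parse_presentation(SAMPLE_RECORD)
    wire = to_wire(*fields)
    print("wire header :", wire[:5].hex())
    print("round trip  :", from_wire(wire) == fields)
```

Parsing with strict Base64 validation and explicit range checks is the point of the exercise: a resolver or application that accepts a malformed CERT record and then feeds the decoded blob to a certificate parser has already lost the first line of defence.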
How are CERT records used?
CERT records enable applications to retrieve certificates directly from DNS without requiring a connection to a certificate authority or key server. This can be useful for email encryption, where a sender needs to obtain the recipient's public key, or for authenticating network services.
When combined with DNSSEC, CERT records provide a secure and verifiable method of certificate distribution. The chain of trust established by DNSSEC ensures that the certificate data has not been tampered with during transmission. Without DNSSEC validation, a CERT answer is just unauthenticated DNS data and gives no assurance that the certificate belongs to the name it was published under.
Common use cases include storing S/MIME certificates for email encryption, PGP keys for secure communication, and X.509 certificates for TLS/SSL server authentication. The flexibility of the CERT record format allows it to support various certificate standards as they evolve.
Example
Here's what a CERT record looks like for the domain example.com: