DNS DNSKEY Records Explained

DNSKEY records are the DNSSEC (Domain Name System Security Extensions) resource records that carry the public keys resolvers use to verify signatures over DNS data. Each zone publishes its own keys this way, and a DS record in the parent zone commits to the child's key, so DNSKEY records are the links in the chain of trust that runs from the root trust anchor down to an individual answer.

What is a DNSKEY record?

A DNSKEY record holds a public key used to verify the RRSIG signatures over a zone's other records. Its RDATA has four fields: a 16-bit flags field, a protocol field (always 3 for DNSSEC), an algorithm number (for example 8 for RSASHA256 or 13 for ECDSAP256SHA256), and the base64-encoded public key. The key tag usually quoted alongside a key is not stored in the record; it is a 16-bit checksum computed over the RDATA, and RRSIG and DS records carry it to indicate which key they refer to. It is a hint rather than a unique identifier, so a validator must try every key whose tag and algorithm match.

A zone usually publishes two kinds of DNSKEY records, distinguished by the flags field: a Zone Signing Key (ZSK, flags 256, Zone Key bit set) that signs the zone's RRsets, and a Key Signing Key (KSK, flags 257, which additionally sets the Secure Entry Point bit) that signs the DNSKEY RRset itself. The parent's DS record is a digest of the KSK, so the KSK can be long-lived and rolled rarely (a KSK roll requires the parent to be updated) while the ZSK can be short and rolled often without touching the parent. The split is an operational convention rather than a protocol requirement; a single key that fills both roles is also valid.
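The record layout and the KSK/DS link described above, as an added Python example that is not part of this page: it parses a DNSKEY record in presentation format, computes the key tag with the RFC 4034 Appendix B checksum, classifies the key by its flags, derives the DS record a parent would publish for the KSK (digest type 2, SHA-256 over the owner name in wire format followed by the DNSKEY RDATA), and performs the DS-to-DNSKEY match a validator makes before trusting a child zone's keys. The owner name example.com. and the public-key bytes are constructed for illustration, not a real key, and only the standard library is used.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def parse_dnskey(line: str) -> dict:
    """Parse 'owner [TTL] [IN] DNSKEY flags protocol algorithm base64-key...' into fields + wire RDATA."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # key may be split across fields
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "pubkey": pubkey, "rdata": rdata}


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA, not a stored field."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags: int) -> str:
    """Flags: bit 7 (value 256) = Zone Key, bit 15 (value 1) = Secure Entry Point."""
    if not flags & 256:
        return "not a zone key"  # RFC 4034: must not be used to verify zone RRSIGs
    return "KSK" if flags & 1 else "ZSK"


def make_ds(key: dict, digest_type: int = 2) -> dict:
    """DS RDATA a parent publishes for a child key: digest over owner-name wire form || DNSKEY RDATA."""
    if digest_type != 2:
        raise ValueError("only digest type 2 (SHA-256) is implemented in this example")
    digest = hashlib.sha256(name_to_wire(key["owner"]) + key["rdata"]).hexdigest().upper()
    return {"key_tag": key_tag(key["rdata"]), "algorithm": key["algorithm"],
            "digest_type": digest_type, "digest": digest}


def ds_matches(ds: dict, key: dict) -> bool:
    """The check a validator makes to link a parent's DS to a DNSKEY in the child zone."""
    if key["protocol"] != 3 or not key["flags"] & 256:
        return False
    candidate = make_ds(key, ds["digest_type"])
    return (candidate["key_tag"] == ds["key_tag"]
            and candidate["algorithm"] == ds["algorithm"]
            and candidate["digest"] == ds["digest"])


# Constructed sample material (NOT a real key): 64 bytes 0x01..0x40 stand in for an
# ECDSAP256SHA256 (algorithm 13) public key, which is 64 bytes on the wire.
FAKE_PUBKEY_B64 = base64.b64encode(bytes(range(1, 65))).decode()
KSK_LINE = f"example.com. 3600 IN DNSKEY 257 3 13 {FAKE_PUBKEY_B64}"
ZSK_LINE = f"example.com. 3600 IN DNSKEY 256 3 13 {FAKE_PUBKEY_B64}"

if __name__ == "__main__":
    ksk = parse_dnskey(KSK_LINE)
    zsk = parse_dnskey(ZSK_LINE)
    ds = make_ds(ksk)
    print(f"{key_role(ksk['flags'])} key tag {key_tag(ksk['rdata'])}")
    print(f"{key_role(zsk['flags'])} key tag {key_tag(zsk['rdata'])}")
    print(f"example.com. IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}")
    print("DS matches KSK:", ds_matches(ds, ksk))
    print("DS matches ZSK:", ds_matches(ds, zsk))
```

Note that the KSK and ZSK here share the same key bytes and differ only in the flags field, yet they get different key tags (2098 and 2097) and different DS digests, because both are computed over the whole RDATA including the flags. This is why a DS generated for a key stops matching if the flags are edited after the fact, and why a validator must recompute the digest rather than trust the key tag alone.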

How do DNSKEY records work?

When DNSSEC is enabled for a zone, its DNSKEY RRset is published alongside the ordinary records, and every RRset in the zone is accompanied by one or more RRSIG records. A validating resolver fetches the DNSKEY RRset (together with its own RRSIG, made by the KSK) and uses those keys to verify the RRSIGs on the answers it receives.

Validation checks that an RRSIG was produced with the private key matching a DNSKEY in the zone: the resolver selects the DNSKEYs whose key tag and algorithm match the RRSIG, confirms the RRSIG covers the RRset's name and type, checks that the current time lies between the signature's inception and expiration, and then verifies the signature. On its own this proves only that the data was signed by whoever holds that key. Trust in the key itself comes from the parent zone's DS record, whose digest must match the child's KSK, and so on up to the root trust anchor configured in the resolver; a validator that skipped the DS step would accept any self-signed zone.

Keys are rotated periodically (ZSKs often monthly or quarterly, KSKs far less often). During a rollover the zone publishes both old and new keys for a time, either pre-publishing the new key before it starts signing so that caches have seen it by the time signatures switch, or double-signing with both keys, so that resolvers holding cached DNSKEY or RRSIG data keep validating throughout. A KSK rollover additionally requires the parent to publish a DS for the new key before the old DS is withdrawn. Removing a key while signatures made with it are still within their TTL turns the zone bogus for validating resolvers until those caches expire.
