
DNSKEY Lookup

Our DNSKEY Lookup tool lets you check DNSSEC keys, detect DS or RRSIG mismatches, and ensure your domain’s cryptographic trust chain is secure.

About DNSKEY Lookup

Use our free DNSKEY Lookup Tool to fetch and validate the DNSSEC public keys of any domain. Instantly check whether your DNSKEY records are properly configured, detect mismatched DS or RRSIG records, and ensure that your domain’s cryptographic trust chain is fully secure.

HasheTools’ online DNSKEY checker performs live queries against authoritative name servers and displays detailed DNSKEY information, including key flags, protocol, algorithm, and public key data, so you can easily verify the integrity of your DNSSEC implementation.

DNSKEY Lookup Tool

The DNSKEY Lookup Tool helps you verify DNSSEC (Domain Name System Security Extensions) keys for any domain name. These keys play a vital role in preventing attacks such as cache poisoning and DNS spoofing by validating that DNS responses are authentic and untampered.

When you perform a lookup, our tool retrieves DNSKEY records directly from the domain’s authoritative name servers. You’ll get instant results showing the public keys used to verify DNSSEC signatures, ensuring your domain’s DNS responses are secure, trusted, and compliant with global standards.

What Is a DNSKEY Record in DNSSEC?

Role of DNSKEY in DNS Security

A DNSKEY record contains a cryptographic public key that allows resolvers to verify the authenticity of DNS data. It is one of the core record types introduced by DNSSEC, alongside DS and RRSIG records.

While traditional DNS translates domain names into IP addresses, it doesn’t guarantee the integrity of those responses. This gap leaves DNS vulnerable to man-in-the-middle and cache-poisoning attacks. DNSSEC adds a digital signature layer, ensuring that DNS data hasn’t been altered during transit.

How DNSSEC Protects Against Spoofing and MITM Attacks

DNSSEC uses asymmetric cryptography to sign DNS records digitally. Each zone signs its data with a private key and publishes the corresponding public key in a DNSKEY record. When a resolver receives a DNS response, it verifies the attached RRSIG (signature) using the public key from the DNSKEY record. If the signature matches, the data is trusted.

DNSKEY vs DS and RRSIG Records

  • DNSKEY: Contains the public key used to verify DNS signatures.
  • DS (Delegation Signer): Located in the parent zone, it holds a hash of the DNSKEY (linking trust between zones).
  • RRSIG: Holds the actual cryptographic signature for a record set.

Together, these records form the DNSSEC chain of trust, ensuring that every DNS response is verified from the root to the domain level.

Components of a DNSKEY Record

A typical DNSKEY record looks like this:

example.com. 3600 IN DNSKEY 257 3 8 AwEAAcfsdZgW9yHq89Xr...

Let’s break down what each field means:

Field                      Description
example.com.               The domain name to which the record belongs
3600                       TTL (time to live): how long the record may remain cached
IN                         Record class (Internet)
DNSKEY                     Record type
257                        Flags (256 = ZSK, 257 = KSK)
3                          Protocol (must always be 3 for DNSSEC)
8                          Algorithm number (8 = RSA/SHA-256; other values include ECDSA)
AwEAAcfsdZgW9yHq89Xr...    Base64-encoded public key

KSK vs ZSK: Two Key Types You Should Know

  • Zone Signing Key (ZSK): Signs all DNS records within the zone except DNSKEY.
  • Key Signing Key (KSK): Signs only the DNSKEY record and links to the parent zone via a DS record.

For strong DNSSEC security, both keys must be correctly configured and synchronized.

Why DNSKEY Lookup Is Important

Verify DNSSEC Integrity

DNSSEC ensures that users connect to your real website instead of a spoofed or hijacked one. DNSKEY Lookup verifies that your public keys are valid and accessible, forming the first step in a complete DNSSEC validation process.

Detect Misconfigurations

Misaligned or missing DNSKEY records can break the DNSSEC chain, leading to validation failures. Our lookup tool instantly reveals mismatched KSK/ZSK pairs or invalid signatures before they affect your website’s reachability.

Strengthen Domain Security and Compliance

Verifying DNSKEYs is essential for organizations adhering to cybersecurity best practices, government regulations, or enterprise security frameworks. A properly configured DNSSEC setup enhances your brand trust, email deliverability, and website reliability.

How to Use HasheTools DNSKEY Lookup

Checking DNSKEY records with HasheTools is simple and requires no technical expertise.

Step 1: Enter Your Domain

Type the domain name (for example: example.com) into the lookup field.

Step 2: Select a DNS Server

Choose from public DNS servers such as:

  • Google DNS (8.8.8.8)
  • Cloudflare DNS (1.1.1.1)
  • OpenDNS
  • Quad9
  • Yandex DNS

Or use the authoritative DNS server option for the most accurate data.

Step 3: Run the Lookup

Click “Validate DNSKEY Lookup” to begin. The tool queries the chosen DNS servers in real time and retrieves all available DNSKEY records.

Step 4: View Detailed Results

You’ll see:

  • Flags (ZSK/KSK)
  • Protocol
  • Algorithm type
  • Base64-encoded public key

Compare the output with DS Lookup results to confirm a valid trust chain.

Pro Tip: After a KSK rollover, always check that the DS record in your parent zone matches the new DNSKEY digest.

How to Check DNSKEY Records on Different Operating Systems

If you prefer manual verification, here’s how to check DNSKEY records using the dig command.

On Windows

Windows nslookup and PowerShell’s Resolve-DnsName don’t natively support DNSKEY queries.
To check DNSKEY manually:

  1. Install Windows Subsystem for Linux (WSL).
  2. Open WSL terminal.
  3. Run:

dig example.com dnskey

On macOS

  1. Open Spotlight → search “Terminal.app”.
  2. Type:

dig example.com dnskey

  3. Press Enter to view DNSKEY records under the ANSWER SECTION.

On Linux

  1. Open your terminal.
  2. Type:

dig example.com dnskey

  3. Review the records displayed in the results.

Prefer an easier way?

Use our online DNSKEY Lookup Tool; no installation, instant global results, and DNSSEC validation in one click.

Common DNSKEY Record Issues and Fixes

Even small DNSSEC misconfigurations can break the trust chain. Here are common issues to look out for:

1. Missing DNSKEY Records

If no DNSKEY record exists in your zone, DNSSEC validation fails.

Fix: Add a valid KSK and ZSK pair to your DNS configuration.

2. Mismatched DS and DNSKEY Digests

When the DS record in the parent zone doesn’t match the DNSKEY hash, resolvers reject DNS responses.

Fix: Update the DS record after rolling over the KSK.

3. Algorithm Mismatch

An RRSIG can only be validated by a DNSKEY that carries the same algorithm number.

Fix: Ensure that the RRSIG's algorithm number matches that of a published DNSKEY (e.g., 8 for RSA/SHA-256).

4. Expired Keys

If old keys aren’t replaced during rotation, they can cause validation errors.

Fix: Rotate keys regularly and verify propagation.

5. Incorrect Flag Settings

Improperly set flags (256 or 257) may cause the key to be treated incorrectly.

Fix: Assign 256 to ZSK and 257 to KSK.

Best Practices for Managing DNSKEY Records

Use Strong Cryptographic Algorithms

Prefer algorithms such as RSA/SHA-256, RSA/SHA-512, or ECDSA P-256/P-384 for robust security.

Rotate Keys Periodically

To minimize exposure, rotate both KSK and ZSK regularly. Always update DS records after each KSK rollover.

Automate DNSSEC Signing

Modern DNS platforms allow automated signing and rollover, reducing the chance of human error.

Monitor DNSSEC Status

Use online validation tools such as the HasheTools DNSKEY Lookup and DS Lookup regularly to ensure your DNSSEC setup remains valid and consistent.

Tool Features and Benefits

Instant DNSKEY Record Retrieval

Perform live DNSKEY lookups and view real-time results directly from authoritative servers.

Custom DNS Server Selection

Choose between multiple global resolvers (Google, Cloudflare, OpenDNS, Quad9, etc.) for diverse and accurate results.

Detailed Record Analysis

See algorithm type, flag, and key data for complete transparency of your DNSSEC configuration.

Fast and User-Friendly Interface

Simple input, one-click validation, and clearly formatted results make this tool perfect for both beginners and DNS professionals.

Security and Compliance Support

Helps webmasters, security engineers, and IT admins maintain DNSSEC integrity for compliance with Internet security standards.

How DNSKEY and DS Record Validation Work Together

DNSKEY and DS records form the backbone of DNSSEC’s trust model.

Verifying the DNSSEC Trust Chain

  1. A resolver checks the RRSIG record for a domain.
  2. It then retrieves the DNSKEY record to verify the signature.
  3. The parent zone provides a DS record (hash of the DNSKEY KSK) that authenticates the child zone’s key.

If all steps succeed, the DNS response is considered authentic and trusted.

Matching DNSKEY KSK with DS Digest

The DS record’s digest value must match the hash of the DNSKEY KSK.

A mismatch breaks the chain, causing “SERVFAIL” errors during DNSSEC validation.
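As an added example (not code from the HasheTools tool or this page), the Python below ties together three parts of the page: the field layout in "Components of a DNSKEY Record", the checks in "Common DNSKEY Record Issues and Fixes", and the DS digest match described here. It parses DNSKEY and DS records in the text form that dig prints under ANSWER SECTION, computes the RFC 4034 key tag and the DS digest (SHA-256 over the owner name in wire form followed by the DNSKEY RDATA), and reports a DS mismatch, an RRSIG/DNSKEY algorithm mismatch, missing keys, or bad flags. All function names are mine; the sample records are constructed, and "AQAB" stands in for a real key body, so the digest it prints belongs to no real zone. Only the standard library is used.

```python
import base64
import hashlib
import struct

# Flag values named on the page (RFC 4034 section 2.1): 256 = ZSK, 257 = KSK (ZSK + SEP bit).
FLAG_ZSK = 256
FLAG_KSK = 257
# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample records in the layout dig prints under ANSWER SECTION.
# "AQAB" is a 3-byte placeholder key body, not a real public key.
SAMPLE_DNSKEYS = [
    "example.com. 3600 IN DNSKEY 257 3 8 AQAB",   # KSK
    "example.com. 3600 IN DNSKEY 256 3 8 AQAB",   # ZSK
]


def wire_name(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed labels, then the root label."""
    labels = [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(line):
    """Parse 'owner TTL IN DNSKEY flags protocol algorithm base64key...' into a dict."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return {"owner": fields[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "key": base64.b64decode("".join(fields[i + 4:]))}


def parse_ds(line):
    """Parse 'owner TTL IN DS keytag algorithm digesttype hexdigest...' into a dict."""
    fields = line.split()
    i = fields.index("DS")
    tag, algorithm, digest_type = (int(x) for x in fields[i + 1:i + 4])
    return {"key_tag": tag, "algorithm": algorithm, "digest_type": digest_type,
            "digest": "".join(fields[i + 4:]).upper()}


def dnskey_rdata(rec):
    """DNSKEY RDATA wire form: flags (2 bytes), protocol (1), algorithm (1), public key bytes."""
    return struct.pack("!HBB", rec["flags"], rec["protocol"], rec["algorithm"]) + rec["key"]


def key_tag(rec):
    """Key tag from RFC 4034 Appendix B: 16-bit sum over the RDATA bytes with the carry folded in."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(rec)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(rec, digest_type=2):
    """DS digest (RFC 4034 section 5.1.4): hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGEST_TYPES[digest_type](wire_name(rec["owner"]) + dnskey_rdata(rec)).hexdigest().upper()


def expected_ds_line(rec, digest_type=2):
    """The DS record the parent zone should publish for this DNSKEY (SHA-256 by default)."""
    return (f"{rec['owner']} 3600 IN DS {key_tag(rec)} {rec['algorithm']} "
            f"{digest_type} {ds_digest(rec, digest_type)}")


def check_zone(dnskey_lines, ds_lines, rrsig_algorithms):
    """Apply the checks from the page's issue list; returns a list of findings (empty means OK)."""
    keys = [parse_dnskey(line) for line in dnskey_lines]
    if not keys:
        return ["missing DNSKEY: no DNSKEY records published in the zone"]
    findings = []
    for k in keys:
        if k["protocol"] != 3:
            findings.append(f"protocol must be 3, got {k['protocol']} on key tag {key_tag(k)}")
        if k["flags"] not in (FLAG_ZSK, FLAG_KSK):
            findings.append(f"incorrect flags {k['flags']} on key tag {key_tag(k)} (expected 256 or 257)")
    if not any(k["flags"] == FLAG_KSK for k in keys):
        findings.append("no KSK (flags 257) published; nothing for the parent DS to point at")
    if not any(k["flags"] == FLAG_ZSK for k in keys):
        findings.append("no ZSK (flags 256) published")
    # Algorithm mismatch: a signature can only be verified by a key of the same algorithm number.
    key_algorithms = {k["algorithm"] for k in keys}
    for alg in sorted(set(rrsig_algorithms) - key_algorithms):
        findings.append(f"algorithm mismatch: RRSIG uses algorithm {alg} but no DNSKEY does")
    # DS mismatch: key tag, algorithm and digest must all agree with one published DNSKEY.
    for ds in (parse_ds(line) for line in ds_lines):
        if ds["digest_type"] not in DIGEST_TYPES:
            findings.append(f"DS key tag {ds['key_tag']} uses unsupported digest type {ds['digest_type']}")
            continue
        if not any(key_tag(k) == ds["key_tag"] and k["algorithm"] == ds["algorithm"]
                   and ds_digest(k, ds["digest_type"]) == ds["digest"] for k in keys):
            findings.append(f"DS mismatch: DS key tag {ds['key_tag']} matches no published DNSKEY "
                            "(stale DS after a KSK rollover?)")
    return findings


if __name__ == "__main__":
    ksk = parse_dnskey(SAMPLE_DNSKEYS[0])
    good_ds = expected_ds_line(ksk)
    print("expected parent DS:", good_ds)
    print("findings with matching DS:", check_zone(SAMPLE_DNSKEYS, [good_ds], [8]))
    # Flip the last digest character to simulate a DS left over from an old KSK.
    stale_ds = good_ds[:-1] + ("0" if good_ds[-1] != "0" else "1")
    print("findings with stale DS:", check_zone(SAMPLE_DNSKEYS, [stale_ds], [8]))
```

To use it on a real zone, pass the DNSKEY lines from dig example.com DNSKEY as dnskey_lines, the DS lines from dig example.com DS (answered by the parent zone) as ds_lines, and the algorithm numbers seen in the zone's RRSIG records; an empty findings list means the DS the parent publishes really does point at one of the zone's current KSKs, which is exactly the check to run after every KSK rollover.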

Use DS Lookup for Complete Validation

After running DNSKEY Lookup, cross-verify results using our DS Lookup Tool. It ensures your DNSKEY and DS pairs are synchronized, maintaining an unbroken DNSSEC chain of trust.


Frequently Asked Questions About DNSKEY Lookup

Q1: What does a DNSKEY record do?

It stores a public cryptographic key used to verify DNSSEC signatures, ensuring DNS responses are authentic and not modified.

Q2: How can I check my DNSKEY records?

Use HasheTools’ DNSKEY Lookup Tool or run the dig example.com dnskey command in your terminal.

Q3: What’s the difference between DNSKEY and DS records?

DNSKEY holds the public key itself, while DS (Delegation Signer) in the parent zone holds a hash of that key to link the trust chain.

Q4: Why is my DNSKEY not showing?

It may not be published yet, or there’s a misconfiguration in your DNSSEC setup. Ensure your DNS provider supports DNSSEC and your keys are active.

Q5: How often should DNSKEY keys be rotated?

KSKs are typically rotated once a year; ZSKs more frequently, depending on your DNS provider's policy.

Q6: How does verifying DNSKEY improve domain security?

It prevents attackers from forging DNS data, protecting users from phishing, hijacking, and redirection attacks.