ADVERT
🔐 DNSKEY Record Checker
Retrieve DNSKEY records published for DNSSEC validation, including algorithms, key tags, and public keys.
DNSKEY Record Checker
Retrieve DNSSEC public keys published for a zone so you can audit signing and key rollovers.
What you'll see
- Key tags, algorithms, and flag values for each DNSKEY in the zone.
- Base64-encoded public keys ready for validation tools or DS generation.
- Resolver status codes that reveal whether DNSSEC data validated successfully.
Common use cases
- Verify new ZSK or KSK material before publishing matching DS records at the registrar.
- Audit that multiple signing keys are present during a planned rollover.
- Confirm resolvers can see recently added keys after redeploying a signer.
DNS Resolver
Retrieve DNSKEY records published for DNSSEC validation, including key tags, algorithms, and public keys.
Prepared query:
example.comTroubleshooting tips
- Flag 257 denotes a key-signing key (KSK); flag 256 represents a zone-signing key (ZSK).
- Match the key tag in this view against the DS record at the parent zone to confirm delegation.
- Publish replacement keys in advance so validating resolvers have time to cache them before retiring old material.
FAQ
- What does the key tag tell me?
- The key tag is a short checksum derived from the DNSKEY. It lets you match keys to DS records and identify which key signed an RRSIG.
- Why are there multiple DNSKEY records?
- Zones commonly publish both a key-signing key and a zone-signing key. During rollovers you may see extra keys until validators trust the new material.
ADVERT
ADVERT