DNS · DNSKEY / DS / RRSIG
DNSSEC record lookup
DNSSEC adds cryptographic signatures to DNS responses so that a validating receiver can check that records are authentic and unmodified. Three record types: DNSKEY (the zone's public keys), DS (the parent's hash of the child's key), RRSIG (the signatures over each record set).
advanced
DNSKEY / DS / RRSIG
How to look it up
Four ways to query, depending on what is installed on your machine:
- dig (DNSKEY): `dig DNSKEY example.com +short`
- dig (DS at parent): `dig DS example.com +short`
- dig (validate, older BIND builds only): `dig +sigchase +trusted-key=./root.keys example.com` (`+sigchase` has been removed from recent BIND releases; use `delv` instead)
- delv (validating resolver): `delv example.com`
- dotdig: `dotdig dnssec example.com`
Sample response
- `256 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0d...` (DNSKEY, ZSK)
- `2371 13 2 b80...c3a` (DS at parent)
Format
DNSKEY: `<flags> <protocol> <algorithm> <key>`. Flags 256 = ZSK (zone-signing), 257 = KSK (key-signing). Protocol is always 3. Algorithm 13 = ECDSAP256SHA256 (modern), 8 = RSASHA256. DS: `<key tag> <algorithm> <digest type> <digest>`; the key tag and algorithm identify which DNSKEY the digest covers, and digest type 2 = SHA-256.
Common pitfalls
- WARNING: DNSSEC misconfiguration = entire domain unresolvable. A failed signature makes validating resolvers return SERVFAIL. Test thoroughly with `delv` before publishing the DS at the parent.
- Key rotation requires careful sequencing: pre-publish new key → wait TTL → switch zone signing → wait TTL → remove old key. Skipping a step = downtime.
- The DS at the parent and the DNSKEY at the child must match (key tag, algorithm and digest). Migration gotcha: changing DNS provider replaces the zone's keys, which invalidates DNSSEC unless the DS is updated at the registrar.
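The check behind the Format section and the DS/DNSKEY pitfall above, as an added example (not dotdig's code): it parses a DNSKEY in the presentation format `dig +short` prints, derives the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest, and compares them with a DS record as the parent would publish it. The keys are constructed 4-byte placeholders so the arithmetic is easy to follow; real algorithm-13 keys are 64 bytes, but the procedure is identical.

```python
"""DS <-> DNSKEY consistency check (added example, not part of dotdig).

Given a DNSKEY record and the DS published at the parent, verify that the
DS actually covers that key. This is the relationship that breaks when a
zone moves to a new DNS provider and the registrar still holds the old DS.
"""
import base64
import hashlib
import struct

ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}


def wire_name(name):
    """Owner name in DNS wire format: length-prefixed lowercase labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(text):
    """Parse '<flags> <protocol> <algorithm> <base64 key>' (dig +short output)."""
    flags, proto, alg, *key_parts = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key_parts))


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2 (RFC 4509): sha256(owner wire name || DNSKEY RDATA), hex."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def describe_dnskey(text):
    """Summarise a DNSKEY the way a human reads it: role, algorithm name, key tag."""
    flags, proto, alg, key = parse_dnskey(text)
    role = {256: "ZSK", 257: "KSK"}.get(flags, "unknown")
    tag = key_tag(dnskey_rdata(flags, proto, alg, key))
    return {"role": role, "algorithm": ALGORITHMS.get(alg, "alg %d" % alg), "key_tag": tag}


def make_ds(owner, dnskey_text):
    """Build the DS record (digest type 2) the parent should publish for this DNSKEY."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    return "%d %d 2 %s" % (key_tag(rdata), alg, ds_digest(owner, rdata))


def ds_matches(owner, dnskey_text, ds_text):
    """True if the parent's DS (key tag, algorithm, SHA-256 digest) covers this DNSKEY."""
    flags, proto, alg, key = parse_dnskey(dnskey_text)
    rdata = dnskey_rdata(flags, proto, alg, key)
    tag, ds_alg, digest_type, digest = ds_text.split()
    if int(digest_type) != 2:  # only SHA-256 digests are handled in this example
        return False
    return (int(tag) == key_tag(rdata) and int(ds_alg) == alg
            and digest.lower() == ds_digest(owner, rdata))


if __name__ == "__main__":
    OWNER = "example.com"
    # Constructed 4-byte "keys" (bytes 01 02 03 04 and 05 06 07 08); not real keys.
    OLD_KSK = "257 3 13 AQIDBA=="   # key published by the previous DNS provider
    NEW_KSK = "257 3 13 BQYHCA=="   # key the new provider generated after migration
    ds_at_registrar = make_ds(OWNER, OLD_KSK)  # DS still pointing at the old key
    print(describe_dnskey(OLD_KSK))
    print("old KSK vs DS:", ds_matches(OWNER, OLD_KSK, ds_at_registrar))  # True
    print("new KSK vs DS:", ds_matches(OWNER, NEW_KSK, ds_at_registrar))  # False: chain broken
```

`ds_matches` returning False for the live KSK is exactly the state that produces SERVFAIL at validating resolvers after a provider change; the fix is to publish `make_ds(owner, NEW_KSK)` at the registrar (or have the new provider do so), then confirm with `delv`.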
Why it matters for security
security relevance
DNSSEC lets validating resolvers detect and reject forged answers, which defeats cache poisoning and DNS spoofing; it authenticates records but does not encrypt queries. Required by some government/enterprise policies. Adoption is ~1-5% of public domains as of 2025.
Use cases
- Verifying DNSSEC chain after key rollover
- Compliance audits requiring DNSSEC
- Diagnosing SERVFAIL after DS update
- Pre-migration DNSSEC review
Look up DNS without flag soup
dotdig is a friendly DNS resolver — formatted output, custom resolver support, DNSSEC validation. Zero-config alternative to dig.