DNSKEY-Records (DNSSEC public key)
Simple DNS Plus v. 5.2 Copyright © 1999-2011 JH Software ApS
A DNSKEY-record holds a public key that resolvers can use to verify DNSSEC signatures in RRSIG-records.
DNSKEY-records have the following data elements:
- Flags: "Zone Key" (set for all DNSSEC keys) and "Secure Entry Point" (set for KSK and simple keys).
- Protocol: Fixed value of 3 (for backwards compatibility).
- Algorithm: The public key's cryptographic algorithm.
- Public key: Public key data.
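The four data elements above map directly onto the record's wire format in RFC 4034: a 16-bit flags field, one protocol byte, one algorithm byte, then the key. The following Python sketch is an added example, not code from Simple DNS Plus; the function names and the sample key are assumptions made for illustration. It decodes a DNSKEY record, rejects a protocol value other than 3, and computes the key tag that RRSIG-records use to point at the key.

```python
import base64
import struct

ZONE_KEY = 0x0100  # flags bit 7: "Zone Key", set for all DNSSEC keys
SEP = 0x0001       # flags bit 15: "Secure Entry Point", set for KSKs

def rdata_from_text(text: str) -> bytes:
    """Convert presentation form 'flags protocol algorithm base64' to wire RDATA."""
    flags, protocol, algorithm, *b64 = text.split()
    key = base64.b64decode("".join(b64), validate=True)
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(rdata: bytes) -> dict:
    """Split wire-format DNSKEY RDATA into the data elements listed above."""
    if len(rdata) < 5:
        raise ValueError("DNSKEY RDATA needs 4 header bytes plus key data")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        # RFC 4034: any other value makes the key invalid for signature verification.
        raise ValueError(f"protocol must be 3, got {protocol}")
    return {
        "zone_key": bool(flags & ZONE_KEY),  # must be set for verifying RRSIGs
        "sep": bool(flags & SEP),
        "algorithm": algorithm,
        "public_key": rdata[4:],
        "key_tag": key_tag(rdata),
    }

# Constructed sample, not a real zone's key: flags 257 (Zone Key + SEP),
# protocol 3, algorithm 13 (ECDSA P-256/SHA-256), placeholder key bytes 0..63.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = "257 3 13 " + SAMPLE_KEY_B64

if __name__ == "__main__":
    info = parse_dnskey(rdata_from_text(SAMPLE_KSK))
    print({k: v for k, v in info.items() if k != "public_key"})
```

Comparing the computed key tag with the key tag field of an RRSIG-record or a parent-zone DS-record is a quick way to confirm which DNSKEY a signature or delegation refers to.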
To add a DNSKEY-record to a zone, use the DNSSEC Sign Zone function.
This record type is defined in RFC 4034.