How does KEY record work?
A KEY record is a type of DNS record that stores a public key associated with a DNS name. Originally defined in RFC 2535 as part of the DNS Security Extensions (DNSSEC), the KEY record allows the DNS to function as a public key distribution mechanism, supporting both DNS security itself and other protocols such as TLS, email and IPsec. Each KEY record carries, in this order, a 16-bit flags field describing the key's type and intended use, an 8-bit protocol field indicating which protocol the key applies to, an 8-bit algorithm identifier, and the public key data itself. Note that RFC 3445 later restricted the KEY record to DNSSEC use only (protocol value 3), and RFC 4034 replaced it with the DNSKEY record for zone signing; today KEY records are mainly encountered in legacy zones and in connection with SIG(0) transaction signatures (RFC 2931).
KEY record format
A typical KEY record looks like the following in standard BIND format:
$ORIGIN example.com.
@ 86400 IN KEY 256 3 5 AQPSKmynfzW4kyBv015MUG2DeIQ3Orjgebkq8bCl4QkM
The anatomy of the KEY record
@ 86400 IN KEY 256 3 5 AQPSKmynfzW4kyBv015MUG2DeIQ3Orjgebkq8bCl4QkM
is as follows:
| Host Label | TTL | Record Class | Record Type | Flags | Protocol | Algorithm | Public Key |
|---|---|---|---|---|---|---|---|
| example.com. | 86400 | IN | KEY | 256 | 3 | 5 | AQPSKmynfzW4kyBv015MUG2DeIQ3Orjgebkq8bCl4QkM |
Host Label
It defines the hostname of the record and whether the origin will be appended to the label. A fully qualified hostname terminated by a period is used as-is; a relative label has the current $ORIGIN appended; and @ stands for the origin itself (example.com. in the example above).
TTL
The time-to-live in seconds. This is the amount of time the record is allowed to be cached by an outside DNS server.
Record Class
Three record classes are in use:
- IN (Internet) – default and generally what the internet uses.
- CH (Chaosnet) – used for querying DNS server versions.
- HS (Hesiod) – uses DNS functionality to provide access to databases of information that change infrequently.
Record Type
The record format is defined by this field. Common record types are A, AAAA, CNAME, CAA, TXT, etc. In the case of a KEY record, the record type is KEY.
Flags
The Flags field is a 16-bit value that controls the interpretation and intended use of the key (RFC 2535, section 3.1.2). The two most significant bits (bits 0 and 1) give the key type:
- 00 – Use of the key for authentication and/or confidentiality is permitted. DNSSEC itself uses keys for authentication only; the confidentiality flagging exists for other protocols that distribute keys through the DNS.
- 01 – Use of the key for confidentiality is prohibited; the key may be used for authentication only.
- 10 – Use of the key for authentication is prohibited; the key may be used for confidentiality only.
- 11 – No key is present (the "no-key" value). The record stops after the algorithm octet and explicitly asserts that no key is associated with this name for the given protocol.
Bits 4 and 5 (the name type) indicate what kind of entity the key belongs to: 00 a user or account, 01 a zone key for the zone whose name is the owner name, 10 a host or other non-zone entity, 11 reserved. Bits 6 to 11 are reserved and must be zero, and bits 12 to 15 form the signatory field used by DNS dynamic update (RFC 2137); zone keys may sign any record in their zone regardless of the signatory field.
Protocol
The Protocol field is an 8-bit value specifying the protocol for which the key is intended (RFC 2535, section 3.1.3). Defined values are:
- 0 – Reserved
- 1 – TLS
- 2 – Email
- 3 – DNSSEC (the most common value; used for DNS zone keys and other DNS security keys, and since RFC 3445 the only value still permitted)
- 4 – IPsec (Oakley/IPSEC)
- 255 – All protocols
Values 5 to 254 are unassigned.
Algorithm
The Algorithm field is an 8-bit value identifying the public key algorithm the key belongs to, and therefore the layout of the Public Key field. Assigned values are:
- 0 – Reserved
- 1 – RSA/MD5 (RFC 2537)
- 2 – Diffie-Hellman (RFC 2539; a key-agreement key, not a signing key)
- 3 – DSA/SHA-1 (RFC 2536)
- 4 – Reserved for elliptic curve algorithms
- 5 – RSA/SHA-1 (RFC 3110)
- 252 – Indirect key (the actual key is stored elsewhere)
- 253 – Private algorithm identified by a domain name
- 254 – Private algorithm identified by an OID
- 255 – Reserved
Public Key
The Public Key field contains the public key material, encoded in Base64 in the zone file and carried as raw octets on the wire. The layout of the field depends on the Algorithm value. For RSA keys (algorithms 1 and 5) the field holds an exponent length (one octet, or a zero octet followed by a two-octet length for exponents longer than 255 octets), the public exponent, and then the modulus. For Diffie-Hellman keys (algorithm 2) the field holds the prime, the generator and the public value, each preceded by a two-octet length. The field is empty when the no-key flag combination is set in the Flags field.
KEY record restrictions
No-Key records
When the top two bits of the Flags field are both set to 1 (the "no-key" value), the Public Key field must be absent and the Algorithm field is not used. This combination explicitly asserts that no public key exists for the given name under the given protocol, which is itself a useful security statement.
Flags and Algorithm interaction
If the no-key flag combination is set, an algorithm value of 0 must be used. A non-zero algorithm value is only valid when a public key is actually present. A name may also carry more than one KEY record at a time, for example during a key rollover, and security-aware implementations must handle at least two simultaneously valid keys of the same type associated with the same name. The following fragment publishes two RSA keys under example.com., with different flags and algorithms:
$ORIGIN example.com.
@ 86400 IN KEY 256 3 5 AQPSKmynfzW4kyBv015MUG2DeIQ3Orjgebkq8bCl4QkM
@ 86400 IN KEY 512 3 1 AQOwHc/LDLbOjFkGTNfYbBIkm2IHkGKfbBekFhN8MaM=
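The following Python script is an added worked example, not code from the original page or from Dynu: it parses KEY records in the BIND presentation format shown above, decodes the Flags field into its key-type, name-type, reserved and signatory sub-fields, applies the no-key rules from this section, decodes the RSA exponent and modulus of an algorithm 1 or 5 key, and builds the wire-format RDATA (flags, protocol, algorithm, key octets). The zone fragment it parses is constructed for the example: the first record is the page's own sample key, the nokey.example.com. record is made up to exercise the no-key case, and all class and function names are the example's own.

```python
# Added example: parse, decode and sanity-check DNS KEY records in BIND presentation format.
import base64
import re
import struct
from dataclasses import dataclass

# RFC 2535 section 3.1.2: key type is Flags bits 0-1, name type is bits 4-5.
KEY_TYPE = {0: "auth and/or confidentiality", 1: "auth only", 2: "confidentiality only", 3: "no key"}
NAME_TYPE = {0: "user", 1: "zone", 2: "host/entity", 3: "reserved"}
RESERVED_MASK = 0x03F0  # Flags bits 6-11 are reserved and must be zero
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+KEY\s+(\d+)\s+(\d+)\s+(\d+)(.*)$")

@dataclass(frozen=True)
class KeyRecord:
    owner: str
    ttl: int
    flags: int
    protocol: int
    algorithm: int
    key: bytes = b""  # raw public key octets; empty for a no-key record

    def decode_flags(self) -> dict:
        """Split Flags into key type, name type, reserved bits (6-11) and signatory (12-15)."""
        return {"key_type": KEY_TYPE[(self.flags >> 14) & 3],
                "name_type": NAME_TYPE[(self.flags >> 10) & 3],
                "reserved": self.flags & RESERVED_MASK,
                "signatory": self.flags & 0xF}

    @property
    def no_key(self) -> bool:
        return (self.flags >> 14) & 3 == 3

    def rdata(self) -> bytes:
        """Wire-format RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, then key octets."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.key

def parse_key_record(line: str, origin: str = ".") -> KeyRecord:
    """Parse one 'owner TTL IN KEY flags protocol algorithm base64' line; apply no-key rules."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a KEY record: {line!r}")
    owner, ttl, flags, protocol, algorithm, b64 = m.groups()
    if owner == "@":               # @ stands for the current origin
        owner = origin
    elif not owner.endswith("."):  # relative label: the origin is appended
        owner = f"{owner}.{origin}"
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    if flags > 0xFFFF or protocol > 0xFF or algorithm > 0xFF:
        raise ValueError("flags is 16 bits; protocol and algorithm are 8 bits each")
    b64 = "".join(b64.split())     # the key may be wrapped across whitespace
    # Hand-written records sometimes omit base64 padding: re-pad, then decode strictly.
    key = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True) if b64 else b""
    rec = KeyRecord(owner, int(ttl), flags, protocol, algorithm, key)
    if rec.no_key and (key or algorithm != 0):
        raise ValueError("no-key flags (11) require an empty key field and algorithm 0")
    if not rec.no_key and (not key or algorithm == 0):
        raise ValueError("a keyed record needs key data and a non-zero algorithm")
    return rec

def parse_zone(text: str) -> list:
    """Parse KEY records from a zone fragment, honouring $ORIGIN and ';' comments."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
        elif line:
            records.append(parse_key_record(line, origin))
    return records

def rsa_public_key(rec: KeyRecord) -> tuple:
    """Decode the RSA layout of algorithms 1 and 5 (RFC 2537 / RFC 3110): exponent length
    (1 octet, or 0 followed by a 2-octet length), exponent, modulus."""
    if rec.algorithm not in (1, 5) or not rec.key:
        raise ValueError("not an RSA KEY record")
    data, elen, pos = rec.key, rec.key[0], 1
    if elen == 0:
        elen, pos = int.from_bytes(data[1:3], "big"), 3
    exponent = int.from_bytes(data[pos:pos + elen], "big")
    modulus = int.from_bytes(data[pos + elen:], "big")
    return exponent, modulus

# Constructed zone fragment: the first record is the page's sample key; the second is made up
# (flags 49152 = 0xC000 sets key type 11, so it carries algorithm 0 and no key data).
SAMPLE_ZONE = """\
$ORIGIN example.com.
@ 86400 IN KEY 256 3 5 AQPSKmynfzW4kyBv015MUG2DeIQ3Orjgebkq8bCl4QkM
nokey 3600 IN KEY 49152 3 0   ; no-key record
"""

def demo() -> list:
    records = parse_zone(SAMPLE_ZONE)
    for rec in records:
        print(rec.owner, f"flags={rec.flags:#06x}", rec.decode_flags(), rec.rdata().hex())
    e, n = rsa_public_key(records[0])
    print(f"RSA exponent={e}, modulus {n.bit_length()} bits")
    return records
```

Calling demo() prints the decoded sub-fields and hex RDATA of each record and reports that the page's sample key has public exponent 3 and a 248-bit modulus (a toy size; real RSA keys are 1024 bits or more). Two design points: the decoder reports reserved Flags bits instead of rejecting the record, because the sample value 256 sets bit 7, which RFC 2535 reserves (256 is the zone-key bit of the later DNSKEY record); and the base64 is decoded strictly after re-padding, so a malformed key fails loudly instead of yielding garbage.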
KEY record glossary
DNSSEC (Domain Name System Security Extensions)
DNSSEC is a suite of extensions to DNS that provides cryptographic authentication of DNS data. It uses public key cryptography and digital signatures to allow resolvers to verify that DNS responses have not been tampered with in transit. The KEY record is a foundational part of the original DNSSEC specification (RFC 2535).
Public Key Cryptography
A cryptographic system that uses a pair of keys: a public key that can be distributed freely, and a private key that is kept secret. Data encrypted with the public key can only be decrypted with the corresponding private key, and a signature made with the private key can be verified by anyone holding the public key, which is how DNSSEC authenticates records. The KEY record stores only the public key component.
Base64
A binary-to-text encoding scheme that represents binary data using a set of 64 printable ASCII characters. The public key field of a KEY record is encoded in Base64 to allow it to be stored and transmitted as text within a DNS zone file.
BIND
Berkeley Internet Name Domain – the most commonly used DNS server software on the Internet. Dynu observes BIND format for DNS zone records.
Wildcard
A wildcard DNS record is a record in a DNS zone that will match requests for non-existent domain names.
