How to Get DNSSEC Root Keys

Objective: get the DNSSEC root zone KSK (key-signing key).

DNSSEC works by digitally signing the records returned for DNS lookups using public-key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which acts as the trusted third party. Domain owners generate their own keys and upload them through the DNS control panel at their domain registrar, which in turn pushes the keys to the zone operator, who signs and publishes them in DNS.

The DNSSEC keys for the DNS root are published and publicly available, but you can also fetch them with the dig utility. You just need to query the DNSKEY records of the root zone and filter for the KSK, whose flags field is 257. A zone-signing key (ZSK) has a flags value of 256.

The key is now in the file named root_dnssec_key. It is base64-encoded, and dig prints it split into small chunks separated by spaces. If you prefer not to split the key, use the +nosplit option.
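As an added example (not the author's commands), the Python below parses dig's DNSKEY output, rejoins the split base64 chunks, keeps only the KSK records (flags 257) and computes each key's RFC 4034 key tag and SHA-256 DS digest, which is what you compare against the published root trust anchor. The dig output embedded in it is constructed sample data, not the real root keys.

```python
import base64
import hashlib

# Constructed sample of `dig . DNSKEY` output (not the real root keys).
# Without +nosplit, dig prints the base64 key in space-separated chunks.
SAMPLE_DIG_OUTPUT = """\
.\t\t3600\tIN\tDNSKEY\t257 3 8 AQID BA==
.\t\t3600\tIN\tDNSKEY\t256 3 8 BQYH CA==
"""

def parse_dnskey_records(text):
    """Yield (owner, flags, protocol, algorithm, pubkey) from dig output."""
    for line in text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue  # comments, blank lines, other record types
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))  # rejoin chunks
        yield fields[0], flags, protocol, algorithm, pubkey

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the id used in DS and RRSIG records."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Owner name in wire format (the root is a single empty label)."""
    labels = [l for l in name.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def trust_anchors(text):
    """Map key tag -> SHA-256 DS digest for every KSK (flags 257) found."""
    anchors = {}
    for owner, flags, proto, alg, key in parse_dnskey_records(text):
        if flags != 257:
            continue  # 257 = KSK (ZONE + SEP bits); 256 = ZSK
        rdata = dnskey_rdata(flags, proto, alg, key)
        digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
        anchors[key_tag(rdata)] = digest
    return anchors
```

Run it against real `dig . DNSKEY` output and the resulting key tag and digest should match the root trust anchor IANA publishes; a mismatch means the key you fetched is not the one to trust.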

We can now use the key to verify the DNSSEC signature chain of a DNSSEC-enabled domain using dig. We need to tell dig that the trusted keys are in that key file.

ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, php, python, java, javascript, nodejs, react); plays_on(xbox, ps4); linux_desktop_user(true); }