DNSKEY
E738666
DNSKEY is a DNS Security Extensions (DNSSEC) resource record that stores public keys used to verify digital signatures and authenticate DNS data.
All labels observed (2)
How this entity was disambiguated
This entity first appeared as the object of triple T8513131 — resolving that mention is where its identity was fixed. The disambiguator weighed these candidate entities and picked the highlighted one (or “None”, minting a new entity). This is how homonymy is resolved: the same surface form can point to different entities.
Target entity: DNSKEY Context triple: [RFC 5702, definesUsageInRecordType, DNSKEY]
-
A.
DNSSEC
DNSSEC (Domain Name System Security Extensions) is a suite of specifications that adds cryptographic authentication and integrity protection to DNS data to prevent attacks such as cache poisoning and spoofing.
-
B.
DNSSEC KSK
The DNSSEC KSK (Key Signing Key) is a long-term cryptographic key used to sign and authenticate a zone’s DNSKEY records, forming the trust anchor at the top of the DNSSEC validation chain.
-
C.
DNSSEC ZSK
DNSSEC ZSK (Zone Signing Key) is the cryptographic key used in DNS Security Extensions to sign individual DNS zone data, ensuring the authenticity and integrity of DNS responses.
-
D.
DNSSEC root key signing ceremony
The DNSSEC root key signing ceremony is a highly controlled, regularly scheduled cryptographic event where trusted personnel generate and manage the root cryptographic keys that secure the global Domain Name System.
-
E.
TSIG
TSIG (Transaction SIGnature) is a security protocol used in DNS to authenticate and protect DNS messages between servers using shared secret keys and message authentication codes.
- F. None of above. chosen
- G. Unsure - the case is ambiguous/there is not enough information to decide.
Target entity: DNSKEY Target entity description: DNSKEY is a DNS Security Extensions (DNSSEC) resource record that stores public keys used to verify digital signatures and authenticate DNS data.
-
A.
DNSSEC
DNSSEC (Domain Name System Security Extensions) is a suite of specifications that adds cryptographic authentication and integrity protection to DNS data to prevent attacks such as cache poisoning and spoofing.
-
B.
DNSSEC KSK
The DNSSEC KSK (Key Signing Key) is a long-term cryptographic key used to sign and authenticate a zone’s DNSKEY records, forming the trust anchor at the top of the DNSSEC validation chain.
-
C.
DNSSEC ZSK
DNSSEC ZSK (Zone Signing Key) is the cryptographic key used in DNS Security Extensions to sign individual DNS zone data, ensuring the authenticity and integrity of DNS responses.
-
D.
DNSSEC root key signing ceremony
The DNSSEC root key signing ceremony is a highly controlled, regularly scheduled cryptographic event where trusted personnel generate and manage the root cryptographic keys that secure the global Domain Name System.
-
E.
TSIG
TSIG (Transaction SIGnature) is a security protocol used in DNS to authenticate and protect DNS messages between servers using shared secret keys and message authentication codes.
- F. None of above. chosen
Statements (48)
| Predicate | Object |
|---|---|
| instanceOf |
DNS resource record type
ⓘ
DNSSEC record ⓘ |
| canRepresentKeyType |
Key Signing Key
ⓘ
Zone Signing Key ⓘ |
| containsField |
Algorithm
ⓘ
Flags ⓘ Protocol ⓘ Public Key ⓘ |
| definedInRFC |
RFC 4034
NERFINISHED
ⓘ
RFC 4035 NERFINISHED ⓘ |
| flagBit |
Revocation flag (bit 8)
ⓘ
Secure Entry Point flag (bit 15) ⓘ Zone Key flag (bit 7) ⓘ |
| hasPurpose |
authenticate DNS data origin
ⓘ
enable verification of DNS digital signatures ⓘ store public keys for DNSSEC ⓘ support data integrity in DNS ⓘ |
| hasRRTypeCode | 48 ⓘ |
| isAuthenticatedBy | DS record in parent zone ⓘ |
| isCachedBy | recursive resolvers ⓘ |
| isPartOf | DNSSEC trust chain ⓘ |
| isPublishedAt | zone apex ⓘ |
| isPublishedIn | zone file ⓘ |
| isSignedBy | RRSIG over DNSKEY RRset ⓘ |
| isUsedAt |
root zone
ⓘ
second-level domains ⓘ top-level domains ⓘ |
| isUsedToVerify | RRSIG records ⓘ |
| isValidatedBy | DNSSEC validators ⓘ |
| mayUseAlgorithm |
ECDSAP256SHA256
ⓘ
ECDSAP384SHA384 ⓘ ED25519 ⓘ ED448 ⓘ RSASHA1 ⓘ RSASHA256 ⓘ RSASHA512 ⓘ |
| protocolFieldReservedFor | DNSSEC NERFINISHED ⓘ |
| relatedRecord |
DS
ⓘ
NSEC ⓘ NSEC3 ⓘ RRSIG ⓘ |
| securityProperty |
does not provide confidentiality
ⓘ
provides data integrity ⓘ provides data origin authentication ⓘ |
| supportsOperation |
algorithm rollover
ⓘ
key rollover ⓘ |
| usedIn | Domain Name System Security Extensions NERFINISHED ⓘ |
| usesProtocolValue | 3 ⓘ |
How these facts were elicited
The pipeline generated the facts above by prompting gpt-5.1 with this entity's name + description and the instruction below.
You are a knowledge base construction expert. Given a subject entity and a description of it, return factual statements that you know for the subject as a JSON list of dictionaries(triples), where keys must be "subject", "predicate" and "object". The number of facts may be very high, between 25 to 50 or more, for very popular subjects. For less popular subjects, the number of facts can be very low, like 5 or 10. # Requirements - If you don't know the subject at all, return an empty list. - If the subject is not a named entity, return an empty list. - Include at least one triple where predicate is "instanceOf". - Do not get too wordy. - Separate several objects into multiple triples with one object.
Subject: DNSKEY Description of subject: DNSKEY is a DNS Security Extensions (DNSSEC) resource record that stores public keys used to verify digital signatures and authenticate DNS data.
Referenced by (2)
Full triples — surface form annotated when it differs from this entity's canonical label.