DNSKEY Key Tag Calculator

Compute the DNSKEY key tag from a DNSKEY RR (RFC 4034 algorithm) and display it alongside key metadata for DNSSEC validation purposes.

DNSKEY Examples

DNSKEY Record

Using example data - modify to see your results

Key Tag Calculation

Key Tag

44811

DNSKEY Metadata

Key Type KSK

Flags 257

Protocol 3

Algorithm 8 (RSASHA256)

Public Key (Base64)

AwEAAag

Key Tag Purpose

The key tag is a short identifier used to quickly identify which DNSKEY was used to generate a signature. It's calculated using a checksum algorithm defined in RFC 4034 and helps optimize DNSSEC validation by avoiding the need to test every key.

Key Types

KSK (Key Signing Key): Used to sign other keys (ZSKs). Has the SEP flag set (bit 15). ZSK (Zone Signing Key): Used to sign zone data. Does not have the SEP flag set.

Algorithm Support

Supports all modern DNSSEC algorithms including RSASHA256 (8), RSASHA512 (10), ECDSA P-256 (13), ECDSA P-384 (14), and Ed25519 (15). Legacy algorithms like RSAMD5 are deprecated and should not be used.

Validation Process

The tool validates DNSKEY format, checks protocol compliance (must be 3), verifies algorithm support, and ensures proper base64 encoding of the public key before calculating the key tag.