ServerRecords

Help & Troubleshooting

IPSECKEY Record

What this is

IPSECKEY records publish IPsec public keys and gateway information in DNS, enabling opportunistic IPsec — encrypted tunnels negotiated with no prior key exchange.

How to read your result

Absence is the norm. If present, the record only deserves trust when the zone is DNSSEC-signed — unsigned IPSECKEY records could be forged by an attacker to intercept tunnels.

Common problems and how to fix them

IPSECKEY published in an unsigned zone

How it shows up: Peers using the record are vulnerable: an attacker who can spoof DNS answers can substitute their own key and man-in-the-middle the "encrypted" tunnel.

How to fix it: Sign the zone with DNSSEC (and publish the DS record) before relying on IPSECKEY, or distribute keys out-of-band instead.

Run a look up for this record