Help & Troubleshooting
IPSECKEY Record
What this is
IPSECKEY records publish IPsec public keys and gateway information in DNS, enabling opportunistic IPsec — encrypted tunnels negotiated with no prior key exchange.
How to read your result
Absence is the norm. If present, the record only deserves trust when the zone is DNSSEC-signed — unsigned IPSECKEY records could be forged by an attacker to intercept tunnels.
Common problems and how to fix them
IPSECKEY published in an unsigned zone
How it shows up: Peers using the record are vulnerable: an attacker who can spoof DNS answers can substitute their own key and man-in-the-middle the "encrypted" tunnel.
How to fix it: Sign the zone with DNSSEC (and publish the DS record) before relying on IPSECKEY, or distribute keys out-of-band instead.