What type of DNS record holds the DNSSEC public signing key?
The DNS record that holds the DNSSEC public signing key is the DNSKEY record. The DS record is related, but it stores a hash of the DNSKEY, not the public key itself.
Quick Scoop
If you’re looking for the record type that publishes the public key used in DNSSEC validation, it’s DNSKEY.
In DNSSEC, the zone’s private key creates signatures, and the corresponding public key is stored in a DNSKEY RRset so resolvers can verify those signatures.
Related records
- DNSKEY: contains the public signing key.
- DS: contains a hash of the DNSKEY and helps establish trust with the parent zone.
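To make the DNSKEY/DS relationship concrete, the sketch below (an added example, not part of the original answer) derives the DS digest and key tag from a DNSKEY as RFC 4034 describes, then checks whether a parent-side DS pins a given child key. The function names are this example's own, and the key material is constructed placeholder bytes, not a real zone key.

```python
import base64
import hashlib
import hmac
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, rdata, ds):
    """True if a parent-side DS tuple (tag, alg, digest_type, hex) pins this DNSKEY."""
    tag, alg, dtype, digest_hex = ds
    if dtype not in DIGESTS or alg != rdata[3] or tag != key_tag(rdata):
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), digest_hex.upper())

# Constructed sample: 64 placeholder bytes standing in for an ECDSA P-256 key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, SAMPLE_KEY_B64)  # 257 = zone key + SEP

if __name__ == "__main__":
    tag = key_tag(SAMPLE_RDATA)
    ds = (tag, 13, 2, ds_digest("example.com.", SAMPLE_RDATA))
    print("DS:", *ds)
    print("child key matches DS:", ds_matches("example.com.", SAMPLE_RDATA, ds))
    swapped = SAMPLE_RDATA[:-1] + b"\x00"  # different key, same owner
    print("swapped key matches DS:", ds_matches("example.com.", swapped, ds))
```

Because the digest covers the owner name as well as the key, the same DNSKEY published under a different zone name does not match the DS.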