Every month, Digicert’s managed DNS services provide an analysis of Domain Name System (DNS) trends usage and attack trends. A standout trend for May 2025 was the resurgence of the IPSECKEY records, which saw a 79.9% month-over-month increase.
The IPSECKEY DNS record is an enhanced security feature that network administrators can use to implement additional protection. Like many DNS Security Extensions (DNSSEC) records, IPSECKEY is an underappreciated and often overlooked security option. TheIPSECKEY entry fulfills a specific function within the Internet Protocol Security (IPsec) framework by facilitating secure key exchanges.
With insight into what an IPSECKEY record does and how it enhances security, organizations can mitigate risk and improve the availability of their digital infrastructures.
What Is the IPSECKEY DNS Record?
The IPSECKEY DNS record is part of IPsec, the protocols that ensure the confidentiality, integrity, and authenticity of data transmissions between networked devices. IPSECKEY facilitates secure communication by storing the IPsec data, including:
- Protocol identifier
- Public key
- Gateway address
What Is the Purpose of IPSECKEY
RFC 4025 “A Method for Storing IPsec Keying Material in DNS” provides the technical details about how the IPSECKEY records allow hosts to obtain public keys that authenticate remote entities. Essentially, IPSECKEY provides the public key material necessary to establish encrypted IPsec connections between two computers. The IPSECKEY is the DNS record that stores:
- A pointer to a public encryption key, or
- A pointer to a public key, like another DNS name,
- How and where to use the key
Encryption relies on trusting the keys, and the IPSECKEY combined with DNSSEC ensures that no one has tampered with the public key.
What Are the Components of IPSECKEY?
The IPSECKEY record has five primary components:
- Precedence: Sets the priority when multiple IPSECKEY records exist so systems know what to use.
- Gateway type: Identifies the type of address used for the IPsec gateway so systems know how to reach the intended endpoint to initiate the tunnel.
- Algorithm type: Specifies the public key algorithm used so the client can interpret and use it.
- Gateway: IP address or fully qualified domain name (FQDN) for gateways so the system knows the destination to use when establishing the IPsec.
- Public key: Base64-encoded public key used for establishing trust and encrypting key exchanges
What Are the Benefits of Using IPSECKEY?
Using the IPSECKEY DNS record enables automatic and secure configurations, reducing the reliance on manual configurations and third-party key exchanges. When deploying IPsec in scalable or dynamic environments, the IPSECKEY DNS record offers the following practical and security-focused benefits:
- Automated and secure key distribution: Publishing the keys in the DNS records means that systems can automatically retrieve them which improves security and reduces manual processes across large, dynamic environments.
- Simplified IPsec configuration: Centralizing the key information in the DNS records streamlines network device and system configuration processes.
- Enabling multiple gateway types: Supporting IPv4, IPv6, or FQDNs for IPsec gateways which enables a diverse infrastructure with different networks using different addressing schemes.
- Integration with existing DNS infrastructure: Leveraging current DNS infrastructure reduces costs and complexity by eliminating the need for separate key distribution tools.
- Supporting redundancy and failover: Publishing multiple IPSECKEY records then using the precedence values to drive systems to the next available option for failover and load balancing.
- Scalability across dynamic environments: Allowing systems to look up the latest key and gate information at runtime to improve flexibility and automation across rapidly changing cloud and hybrid networks.
- Improved trust and security: Combining with DNSSEC to ensure keys remain authentic and unmodified as a way to mitigate man-in-the-middle (MitM) attack risks.
Why Do Organizations Struggle to Implement IPSECKEY?
While IPSECKEY seems like a simple way to improve security, many organizations have yet to implement it. In practice, organizations struggle to implement IPSECKEY records.
Low DNSSEC Adoption Rates
IPSECKEY relies on organizations first configuring DNSSEC, the DNS feature that authenticates responses to domain name lookups. However, DNSSEC adoption remains limited for various reasons, including:
- Complexity: Managing cryptographic keys, signing zones, handling key rollover, and ensuring consistency is complicated and misconfigurations can cause service outages.
- Fragmented support: Some DNS resolvers fail to validate DNSSEC while some domain registrars still fail to support easy DNSSEC key management or signing.
- Limited awareness: Developers, system admins, and other stakeholders may not know about DNSSEC or how it works.
IPSec Complexity
Organizations often consider IPsec overly difficult because the implementation requires technical skill to configure appropriately. IPsec is a low-level protocol that works at Layer 3, the network layer. IPsec must carefully align with the organization’s routing and network architecture which creates additional issues, like firewall rules blocking the ports that IPsec uses.
Alternatives Available
Using Public Key Infrastructures (PKI) and certificate authorities (CA) are often a workaround that organizations think will provide a similar level of security. They have broad ecosystem support and mature, automated tooling. While these may provide options, they suffer from structural security risks that include:
- Over reliance on CAs which can create a single point of failure.
- Certificate issuance or abuse that can compromise confidentiality or allow cybercriminals to impersonate the organization.
- Slow, unreliable revocation of compromised certificates or public keys
- Complex certificate life cycle management processes that increase security risk, operational burdens, and potential errors.
Operational and Change Management Concerns
Many organizations believe that IPSECKEY will create operational and change management costs. Often, this perception comes from a lack of awareness and familiarity with IPSECKEY, leading organizations to make assumptions about:
- Lack of available tooling: DNS platforms increasingly provide native DNSSEC and IPsec support.
- Risky change management processes: Changing cryptographic keys and updating DNS records is routine in TLS management, making it no different from other secure systems.
- Difficulty coordinating across multiple stakeholders: Using a centralized hub for managing all DNSSEC and IPsec streamlines collaboration between security, networking, and DNS teams.
UltraDNS: One Click Advanced DNSSEC
UltraDNS simplifies DNSSEC key management, eliminating the challenges associated with implementing IPKEYSEC. With UltraDNS, organizations gain a cost-efficient, DNSSEC-compliant platform with an easy-to-use web management portal. Our solution provides security extensions for their DNS traffic that protects against cache poisoning and ensures secure DNS routing that secure user connection.
With UltraDNS, organizations can transform their online experiences to ensure uninterrupted access to all online assets with a service designed for 100% uptime, keeping operations running smoothly. Our built-in security features, like DDoS protection and DNSSEC management help you mitigate risk while delivering a seamless user experience.
