A DNSKEY-record holds a public key that resolvers can use to verify DNSSEC signatures in RRSIG-records.
DNSKEY-records have the following data elements:
Flags: "Zone Key" (set for all DNSSEC keys) and "Secure Entry Point" (set for KSK and simple keys).
Protocol: Fixed value of 3 (for backwards compatibility)
Algorithm: The public key's cryptographic algorithm.
Public key: Public key data.
To add a DNSKEY-record to a zone, use the DNSSEC Sign Zone function.
This record type is defined in RFC4034.