DNSKEY Record

A DNSKEY record (RFC 4034) stores the public cryptographic key used to verify [[dnssec|DNSSEC]] signatures in a zone. Every DNSSEC-signed zone publishes at least one Zone Signing Key (ZSK) and one Key Signing Key (KSK). The KSK's hash is published as a DS record in the parent zone, forming the [[dnssec|chain of trust]] from the DNS root downward. Each DNSKEY record has a fixed format: flags, protocol, and algorithm fields, followed by the public key.

Example

Running `dig DNSKEY cloudflare.com` returns the public keys Cloudflare uses to sign its DNSSEC records — validators use these keys to verify all other DNSSEC signatures in the zone.
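
To show how the flags, protocol, and algorithm fields relate to the KSK hash published as a DS record, the following Python (an added example, not part of the original page) parses a DNSKEY in the presentation format that `dig` prints, labels it KSK or ZSK from its flags, and derives the key tag and SHA-256 DS digest as RFC 4034 describes. The key material is a constructed placeholder, and the function names and the `example.` owner name are illustrative.

```python
import base64
import hashlib
import struct

ZONE_KEY = 0x0100  # bit 7 of the flags field: key may sign zone data
SEP = 0x0001       # bit 15: Secure Entry Point, conventionally set on the KSK

def parse_dnskey(rdata_text):
    """Parse 'flags protocol algorithm base64key' into wire-format RDATA."""
    flags, protocol, algorithm, *key_parts = rdata_text.split()
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    if protocol != 3:
        raise ValueError("RFC 4034 requires the protocol field to be 3")
    key = base64.b64decode("".join(key_parts), validate=True)
    return flags, algorithm, struct.pack("!HBB", flags, protocol, algorithm) + key

def role(flags):
    if not flags & ZONE_KEY:
        return "not a zone key"
    return "KSK" if flags & SEP else "ZSK"

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lowercase) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, rdata_text):
    """Build the DS the parent would publish, using digest type 2 (SHA-256)."""
    flags, algorithm, rdata = parse_dnskey(rdata_text)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"

# Constructed sample: 64 placeholder bytes, not a real ECDSA P-256 key.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_KSK = f"257 3 13 {SAMPLE_KEY}"
SAMPLE_ZSK = f"256 3 13 {SAMPLE_KEY}"

if __name__ == "__main__":
    for text in (SAMPLE_KSK, SAMPLE_ZSK):
        flags, _, rdata = parse_dnskey(text)
        print(role(flags), "key tag", key_tag(rdata))
    print(ds_record("example.", SAMPLE_KSK))
```

Comparing the derived key tag and digest against the DS set actually served by the parent zone is a quick way to spot a stale or mismatched DS after a key rollover.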