What Are DNS CERT Records?
CERT records are a type of DNS record used to store public key certificates and related data (e.g., certificate revocation information) directly within a domain's DNS. They enable systems to retrieve certificate information via DNS to support identity validation and secure communications. While not widely used compared to other DNS records, CERT records can publish certificate data, such as X.509 certificates or PGP keys.
An example CERT record is:
| Hostname | Type | TTL | Certificate Type | Key Tag | Algorithm | Certificate Data |
| --- | --- | --- | --- | --- | --- | --- |
| example.com | CERT | 3600 | X.509 | 12345 | 8 (RSA) | MIIC...base64... |
Contents
A CERT record typically includes:
- Hostname: Domain or subdomain the record belongs to (e.g., example.com)
- Type: CERT
- TTL (Time to Live): How long the record may be cached, in seconds
- Certificate Type: Format of the stored certificate (e.g., X.509, PGP)
- Key Tag: 16-bit identifier derived from the certificate's public key, used to pick the right record when several are published
- Algorithm: Cryptographic algorithm number, using the same registry as DNSSEC (e.g., 8 = RSA/SHA-256)
- Certificate Data: Base64-encoded certificate
Key Aspects of CERT Records
Purpose
CERT records store certificate data in DNS, allowing applications to retrieve and use it for identity verification.
Security Function
Unlike records that define policy (e.g., CAA), CERT records contain actual certificate-related data that can be used in authentication processes.
An example CERT record in zone file format is:
example.com. 3600 IN CERT 1 12345 8 MIIC...base64data...
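To show how the fields of that zone-file line map onto the record's wire format, here is an added example (not code from the page or any DNS tool): a small parser for the presentation format above and the RFC 4398 RDATA layout, plus a constructed sample record whose certificate bytes are a placeholder rather than a real certificate.

```python
import base64
import struct

# RFC 4398 section 2.1 certificate type mnemonics ("X.509" on this page is type 1, PKIX).
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}
TYPE_BY_MNEMONIC = {name: num for num, name in CERT_TYPES.items()}
# Algorithm numbers are the DNSSEC ones shared with DNSKEY/RRSIG (8 = RSA/SHA-256).
ALGORITHMS = {5: "RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519"}

def parse_cert_rr(line: str) -> dict:
    """Parse one CERT RR in presentation format:
    <owner> <ttl> IN CERT <type> <key tag> <algorithm> <base64>; type may be a mnemonic."""
    fields = line.split()
    if len(fields) < 8 or fields[2:4] != ["IN", "CERT"]:
        raise ValueError("not a CERT record in presentation format")
    type_field = fields[4]
    cert_type = int(type_field) if type_field.isdigit() else TYPE_BY_MNEMONIC.get(type_field, -1)
    key_tag, algorithm = int(fields[5]), int(fields[6])
    if not (0 <= cert_type <= 0xFFFF and 0 <= key_tag <= 0xFFFF and 0 <= algorithm <= 0xFF):
        raise ValueError("type, key tag or algorithm out of range")
    # base64 may be wrapped over several tokens; validate=True rejects stray characters.
    certificate = base64.b64decode("".join(fields[7:]), validate=True)
    return {"owner": fields[0], "ttl": int(fields[1]),
            "type": cert_type, "type_name": CERT_TYPES.get(cert_type, "unknown"),
            "key_tag": key_tag,
            "algorithm": algorithm, "algorithm_name": ALGORITHMS.get(algorithm, "unknown"),
            "certificate": certificate}

def cert_rdata(rec: dict) -> bytes:
    """Wire RDATA (RFC 4398 section 2): 16-bit type, 16-bit key tag, 8-bit algorithm, certificate."""
    return struct.pack("!HHB", rec["type"], rec["key_tag"], rec["algorithm"]) + rec["certificate"]

def parse_cert_rdata(rdata: bytes) -> tuple:
    """Inverse of cert_rdata: (type, key tag, algorithm, certificate bytes)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its fixed 5-byte header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]

# Constructed sample: the page's record with placeholder bytes in place of a real DER certificate.
SAMPLE_CERT_BYTES = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_RR = "example.com. 3600 IN CERT 1 12345 8 " + base64.b64encode(SAMPLE_CERT_BYTES).decode()
# Unless the DNS response was DNSSEC-validated, this data is unauthenticated: treat the
# decoded certificate as untrusted input until it is checked against its issuer.
```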
Common Usage
- Publishing PGP public keys
- Supporting certain secure email or network authentication systems
- Experimental or niche certificate distribution via DNS
Compared to Other DNS Security Records
- CAA (Certificate Authority Authorization): Specifies which certificate authorities are allowed to issue SSL/TLS certificates for a domain.
- CERT: Stores actual certificate or key data in DNS.
- TXT: Commonly used for email authentication (SPF, DKIM, DMARC) and other verification purposes.
Note: CERT records are relatively uncommon in modern deployments, as most certificate distribution relies on PKI infrastructure instead of DNS.
Our free CERT Lookup creates a list of DNS CERT records per queried domain.