DNSSEC Checker
Real-time DNS queries, no data stored
Verify DNSSEC status and validate the chain of trust for any domain
Validate DNSSEC Status, Chain of Trust & Security Grade for Any Domain
Check If DNSSEC Is Enabled with Full Chain of Trust Validation
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, preventing attackers from redirecting users to malicious websites. This tool checks whether a domain has properly configured DNSSEC by validating DS records, DNSKEY records, and the complete chain of trust.
What You'll Discover
Can Find
- DNSSEC enabled/partial/not enabled status
- DS records at registrar (key tag, algorithm, digest)
- DNSKEY records in zone (KSK, ZSK, public keys)
- Chain of trust validation results
- Security grade (A-F) with scoring factors
- Algorithm security assessment
- Signature expiration dates
Cannot Find
- Private keys or signing secrets
- Real-time DNSSEC monitoring (one-shot check)
- DNSSEC configuration tools (we check, not configure)
- Multi-resolver comparison
- Historical DNSSEC status
How to Check DNSSEC Status
Validate DNSSEC configuration in three simple steps
Enter Domain Name
Type the domain you want to check (e.g., cloudflare.com). No need to include www or https:// - we'll clean the input automatically.
Run DNSSEC Check
Click 'Check DNSSEC' to query DS records from the parent zone (registrar) and DNSKEY records from the domain's authoritative nameservers.
Review Status & Grade
View the DNSSEC status (Enabled/Partial/Not Enabled), security grade (A-F), chain of trust validation results, key details, and algorithm security analysis.
Understanding Your DNSSEC Results
Here's what each section of your results means
DNSSEC Status
Shows whether DNSSEC is Enabled (both DS and DNSKEY present with valid chain), Partial (DNSKEY exists but DS missing at registrar), Misconfigured (DS exists but DNSKEY missing), or Not Enabled (neither DS nor DNSKEY found).
Enabled
Security Grade
An A-F grade rating the overall DNSSEC configuration quality. Grade A (90-100) means properly configured with modern algorithms. Lower grades indicate issues like missing keys, deprecated algorithms, broken chain, or expiring signatures. Points are deducted for each issue.
A (Excellent)
Chain of Trust
Shows 6 validation checks: DS Records at Registrar, DNSKEY Records in Zone, Key Signing Key (KSK) present, Zone Signing Key (ZSK) present, DS-DNSKEY Key Tag Match, and Secure Algorithm. All checks must pass for a complete chain of trust.
6/6 passed
DS Records
Delegation Signer records stored at the parent zone (registrar). Each DS record shows the key tag (identifier), algorithm (e.g., ECDSA P-256), digest type (e.g., SHA-256), and the digest hash. DS records link the parent zone to your domain's DNSKEY.
Key Tag: 2371, ECDSA P-256/SHA-256
DNSKEY Records
Public signing keys in the domain's DNS zone. Shows KSK (Key Signing Key, flag 257) used to sign DNSKEY records, and ZSK (Zone Signing Key, flag 256) used to sign all other DNS records. Both are needed for proper DNSSEC operation.
KSK: Tag 2371, ECDSA P-256
Signature Expiration
Shows when DNSSEC signatures (RRSIG records) will expire. Signatures must be renewed before expiration or DNSSEC validation will fail. Most DNS providers handle this automatically, but monitoring is important during migrations.
29 days until expiry
Why Use Our DNSSEC Checker
The most comprehensive DNSSEC validation tool available
Security Grade (A-F)
The only DNSSEC checker with a comprehensive scoring system. Get a clear A-F grade based on chain validation, algorithm security, key presence, and signature status. Know instantly if your DNSSEC is properly configured.
6-Point Chain Validation
Complete chain of trust verification: DS at registrar, DNSKEY in zone, KSK present, ZSK present, key tag match between DS and DNSKEY, and secure algorithm check. See exactly which checks pass or fail.
Algorithm Security Analysis
Identifies which cryptographic algorithms are used and flags deprecated ones (RSA/SHA-1, DSA, MD5) that weaken your DNSSEC. Recommends modern secure algorithms like ECDSA and Ed25519.
Signature Expiration Tracking
Shows when RRSIG signatures expire and alerts you to signatures expiring soon (within 7 days). Prevents DNSSEC validation failures from expired signatures.
Complete Key Analysis
View all DS and DNSKEY records with full details: key tags, algorithms, digest types, flags, and public key data. Understand the difference between KSK (Key Signing Key) and ZSK (Zone Signing Key).
Export Results
Download complete DNSSEC analysis in JSON, CSV, or plain text format. Perfect for documentation, audits, and troubleshooting.
When to Check DNSSEC
Common scenarios where DNSSEC validation matters
After Enabling DNSSEC
Verify that DNSSEC is properly configured after enabling it with your DNS provider. Check that DS records are published at your registrar and that the chain of trust is complete.
Security Auditing
Assess domain security posture as part of regular security audits. Verify DNSSEC status, check for deprecated algorithms, and ensure signatures aren't expiring.
DNS Provider Migration
When moving to a new DNS provider, verify DNSSEC continuity. Check that the new DNSKEY records match the DS records at the registrar, or coordinate DS updates.
Troubleshooting DNS Issues
When experiencing DNS resolution failures, check if misconfigured DNSSEC is the cause. A broken chain of trust or expired signatures can cause complete DNS failures for DNSSEC-validating resolvers.
Compliance Verification
Many security standards and government requirements mandate DNSSEC. Verify compliance and document DNSSEC status with exportable reports.
How DNSSEC Works
DNSSEC adds cryptographic signatures to DNS, creating a chain of trust from root servers to individual domains.
The Chain of Trust Explained
DNSSEC creates a hierarchical chain of trust: the root zone signs the DS records of the TLDs (.com, .org), each TLD zone signs the DS records of the domains delegated beneath it, and each domain signs its own DNS records. Each level cryptographically vouches for the level below. The DS (Delegation Signer) record at the parent zone contains a hash of the child's DNSKEY, establishing the link. If any link in this chain breaks (missing DS, mismatched keys, or invalid signatures), DNSSEC validation fails.
DS Records and DNSKEY Records
DS (Delegation Signer) records are published at your registrar in the parent zone. They contain: key tag (identifier), algorithm number, digest type (SHA-256 recommended), and digest (hash of DNSKEY). DNSKEY records are published in your domain's zone and contain the actual public keys. There are two types: KSK (Key Signing Key, flag 257) signs DNSKEY records and is referenced by the DS record; ZSK (Zone Signing Key, flag 256) signs all other DNS records like A, MX, TXT.
Algorithm Security
Not all DNSSEC algorithms are equally secure. Modern secure algorithms include: RSA/SHA-256 (algorithm 8), RSA/SHA-512 (10), ECDSA P-256 (13), ECDSA P-384 (14), Ed25519 (15), and Ed448 (16). Deprecated algorithms that should be avoided: RSA/MD5 (1) - MD5 is broken; DSA/SHA-1 (3) - SHA-1 is weak; RSA/SHA-1 (5, 6, 7) - SHA-1 is cryptographically weak. Using deprecated algorithms lowers your security grade and may leave your domain vulnerable.
RRSIG Signatures and Expiration
RRSIG (Resource Record Signature) records contain the cryptographic signatures for DNS records. Each signature has an expiration date—typically 1-4 weeks from creation. Your DNS provider must continuously resign records before expiration. If signatures expire, DNSSEC-validating resolvers will reject your DNS responses entirely, causing a complete outage for those users. Our tool monitors signature expiration and warns when signatures will expire within 7 days.
Common DNSSEC Issues
- Partial: DNSKEY exists but DS is missing at the registrar. The zone is signed but not anchored to the parent.
- Misconfigured: DS exists but DNSKEY is missing. The registrar expects DNSSEC but the zone isn't signed.
- Key tag mismatch: the DS doesn't match any KSK. This usually happens after key rotation without a DS update.
- Expired signatures: these cause validation failures; contact your DNS provider immediately.
- Deprecated algorithms: RSA/SHA-1 and similar weaken security; consider migrating to ECDSA.
Technical Specifications
- Records Analyzed: DS, DNSKEY, RRSIG
- Validation Checks: 6 chain of trust checks
- Grade Scale: A-F (100-point scoring)
- Algorithms Tracked: 12 (7 deprecated, 5 secure)
- Digest Types: 4 (SHA-1, SHA-256, GOST, SHA-384)
- Key Types: KSK (257), ZSK (256)
- Cache Duration: 1 hour
- Query Timeout: 30 seconds
- API Access: POST /api/v1/dnssec-checker
Frequently Asked Questions
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. It prevents attackers from redirecting users to malicious websites by ensuring DNS responses haven't been tampered with. When properly configured, DNSSEC creates a chain of trust from the root DNS servers down to your domain, allowing resolvers to verify that DNS responses are authentic.
What does the security grade mean?
Our grade (A-F) rates the DNSSEC configuration quality based on multiple factors. Grade A (90-100) means properly configured with modern algorithms. Grade B (80-89) indicates good configuration with minor issues. Grade C (70-79) means missing some components like ZSK. Grade D (60-69) indicates significant issues. Grade F (0-59) means broken or critical problems. N/A means DNSSEC is not enabled. Points are deducted for missing keys (-20 for no KSK, -15 for no ZSK), deprecated algorithms (-25), broken chain (-40), or expired signatures (-30).
What are DS and DNSKEY records?
DS (Delegation Signer) records are published at your registrar in the parent zone. They contain a hash of your domain's DNSKEY and establish the chain of trust from the parent zone (like .com) to your domain. DNSKEY records contain the actual public keys used to sign DNS records and are published in your domain's zone. For DNSSEC to work, both must be present and the DS key tag must match the DNSKEY.
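To show concretely what "the DS key tag must match the DNSKEY" means here and in "DS Records and DNSKEY Records" above, this added Python example (not the tool's code) rebuilds the key tag and DS digest from a DNSKEY and compares them with a DS record; the owner name, key material and digests are constructed test data, not real records.

```python
"""Rebuild the DS digest from a DNSKEY and compare it with the DS in the parent zone (added example)."""
import base64
import hashlib

# DS digest types from the IANA registry: 1 SHA-1 (weak), 2 SHA-256, 4 SHA-384
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def parse_dnskey(presentation: str) -> tuple:
    """Split 'flags protocol algorithm base64key' (as printed by dig) into its fields."""
    flags, protocol, algorithm, *key = presentation.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(key))

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than 1): 16-bit sum with end-around carry."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_digest(name: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(owner name wire | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_TYPES[digest_type](owner_wire(name) + rdata).digest()

def ds_matches_dnskey(name: str, ds: dict, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> dict:
    """The 'DS-DNSKEY Key Tag Match' check: key tag, algorithm and digest must all agree,
    the referenced key should be a KSK (flags 257), and SHA-1 digests are flagged as weak."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {
        "key_tag_match": key_tag(rdata) == ds["key_tag"],
        "algorithm_match": algorithm == ds["algorithm"],
        "digest_match": ds_digest(name, rdata, ds["digest_type"]) == bytes.fromhex(ds["digest"]),
        "is_ksk": flags & 0x0101 == 0x0101,  # Zone Key bit (256) plus SEP bit (1)
        "digest_type_secure": ds["digest_type"] in (2, 4),
    }
```

A DS whose key tag or digest fails these checks after a key rollover is exactly the "Key tag mismatch" case described above.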
What do KSK and ZSK mean?
KSK (Key Signing Key, flag 257) is used to sign DNSKEY records. It's the key whose hash is stored in the DS record at the registrar. ZSK (Zone Signing Key, flag 256) is used to sign all other DNS records in the zone (A, MX, TXT, etc.). This separation allows you to rotate the ZSK frequently without updating the DS record at your registrar, which requires coordination.
Which DNSSEC algorithms are secure?
Secure algorithms include: RSA/SHA-256 (algorithm 8), RSA/SHA-512 (10), ECDSA P-256 (13, recommended), ECDSA P-384 (14), Ed25519 (15, modern), and Ed448 (16). Deprecated algorithms to avoid: RSA/MD5 (1) because MD5 is cryptographically broken, DSA/SHA-1 (3), RSA/SHA-1 (5, 6, 7) because SHA-1 is weak. Using deprecated algorithms lowers your security grade and may leave your domain vulnerable to attacks.
What does 'Partial' DNSSEC status mean?
Partial means DNSKEY records exist in your zone (your DNS is signed), but DS records are missing at your registrar. The chain of trust is incomplete—DNSSEC is configured in your DNS but not anchored to the parent zone. Resolvers cannot validate your DNS responses. You need to copy the DS record from your DNS provider and add it at your registrar to complete the setup.
How do I enable DNSSEC for my domain?
Enabling DNSSEC is a two-step process. First, enable DNSSEC at your DNS provider (Cloudflare, Route53, etc.)—they'll generate DNSKEY records and sign your zone. Second, get the DS record from your DNS provider and add it at your domain registrar. Both steps are required—our tool will show 'Partial' status if only the first step is done. The process varies by provider but typically takes a few minutes.
What does signature expiration mean?
DNSSEC signatures (RRSIG records) have expiration dates, typically 1-4 weeks from creation. Your DNS provider must continuously resign records before expiration. If signatures expire, DNSSEC-validating resolvers will treat your DNS responses as invalid, causing a complete outage for those users. Our tool shows when signatures will expire so you can ensure they're being renewed. Most providers handle this automatically.
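As an added example that is not the tool's code, the following Python turns RRSIG inception and expiration timestamps into the validity result and 7-day warning described here and in "RRSIG Signatures and Expiration" above, then applies the point deductions quoted in the grade FAQ; the timestamps are constructed, and how "broken chain" maps onto the status fields is my assumption.

```python
"""RRSIG validity window and A-F grading with the page's deductions (added example)."""
from datetime import datetime, timedelta, timezone

WARN_WITHIN_DAYS = 7
DEPRECATED_ALGORITHMS = {1, 3, 5, 6, 7}  # RSA/MD5, DSA/SHA-1, RSA/SHA-1 family, as listed above

def parse_rrsig_time(field: str) -> datetime:
    """RRSIG inception/expiration in presentation format are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_window(inception: str, expiration: str, now: str = None) -> dict:
    """A validating resolver accepts the signature only while inception <= now <= expiration
    (RFC 4035 section 5.3.1); outside that window the whole RRset fails validation.
    'now' uses the same YYYYMMDDHHmmSS format so a check can be replayed deterministically."""
    start, end = parse_rrsig_time(inception), parse_rrsig_time(expiration)
    current = parse_rrsig_time(now) if now else datetime.now(timezone.utc)
    days_left = (end - current) / timedelta(days=1)
    return {
        "valid": start <= current <= end,
        "days_left": round(days_left, 2),
        "expiring_soon": 0 <= days_left <= WARN_WITHIN_DAYS,
    }

def dnssec_grade(ds_present: bool, dnskey_present: bool, ksk: bool, zsk: bool,
                 tag_match: bool, algorithms: set, rrsig_valid: bool) -> tuple:
    """Start at 100 and deduct per issue: -20 no KSK, -15 no ZSK, -25 deprecated algorithm,
    -40 broken chain, -30 expired signatures. 'Broken chain' is read here (an assumption)
    as DS and DNSKEY not both present with a matching key tag."""
    if not ds_present and not dnskey_present:
        return None, "N/A"  # Not Enabled: nothing to grade
    score = 100
    if not ksk:
        score -= 20
    if not zsk:
        score -= 15
    if algorithms & DEPRECATED_ALGORITHMS:
        score -= 25
    if not (ds_present and dnskey_present and tag_match):
        score -= 40
    if not rrsig_valid:
        score -= 30
    score = max(score, 0)
    for floor, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= floor:
            return score, letter
    return score, "F"
```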
Why does my domain show 'Misconfigured'?
Misconfigured status means DS records exist at your registrar but DNSKEY records are missing in your zone. This happens when you've added DS at the registrar but haven't enabled DNSSEC at your DNS provider, or when you've migrated DNS providers without updating or removing the DS record. This is a broken state—resolvers will fail to validate your DNS. Either enable DNSSEC at your DNS provider or remove the DS record from your registrar.
How often should I check DNSSEC status?
Check DNSSEC after any DNS changes: enabling DNSSEC, changing DNS providers, rotating keys, or updating registrar settings. For ongoing monitoring, check monthly as part of security audits. Pay special attention during DNS migrations—coordinate DS record updates carefully to avoid breaking the chain of trust. Our signature expiration tracking helps identify issues before they cause outages.