DNSSEC Checker

Last updated:

Verify a domain DNSSEC setup in seconds. We check the DNSKEY and DS records, confirm the chain of trust, and tell you whether resolvers can validate your domain and how to fix gaps.

Enter a domain to check DNSSEC:

How the Checker Works

  1. Query the records, DNSKEY and DS records are fetched.
  2. Check validation, the authenticated data flag is read.
  3. Verify the chain, keys and DS records are matched up.
  4. Report, you get a clear verdict and a fix if needed.

Why It Matters

  • Spoofing protection, signatures stop forged DNS answers.
  • Visitor safety, users reach the real server, not an attacker.
  • Trust signals, secure DNS supports email and domain integrity.
  • Outage prevention, a healthy chain avoids validation failures.

DNSSEC is powerful but unforgiving, a stale DS record or an expired signature can take a domain offline. Our website maintenance services set up DNSSEC correctly and monitor it so the chain of trust never silently breaks.

DNSSEC Records Reference

DNSSEC works as a chain of trust: the root zone signs the top-level domain, which signs your domain, which signs its own records. Each link is proven by a small set of record types. A resolver follows the chain from the root down, and if any link is missing or invalid, validation fails. Here is the role each record plays.

Record Role
DSDelegation Signer. Stored in the parent zone, it holds a hash of your Key Signing Key. This is the link that lets the parent vouch for your domain and connects you to the global chain of trust. You publish it at your registrar.
DNSKEYPublishes your zone public keys. Validating resolvers use these to verify signatures. A zone usually has a Key Signing Key (referenced by the DS) and a Zone Signing Key (used to sign records).
RRSIGThe cryptographic signature on a record set. Resolvers verify each RRSIG against the matching DNSKEY to confirm the answer is authentic and unaltered. Signatures have validity windows and must be re-signed before they expire.
NSEC / NSEC3Authenticated denial of existence. They cryptographically prove that a name or record type does not exist, so a forged empty answer cannot be slipped in. NSEC3 hashes names to make zone enumeration harder.

Next steps

DNSSEC Checker related tools and articles

Continue with the closest follow-up checks and guides based on this tool's topic, crawl intent, and optimization workflow.

DNSSEC Checker: FAQ

What DNSSEC evidence does this checker retrieve?
It sends DNS-over-HTTPS queries to Google for DNSKEY, DS, SOA, and RRSIG. The result reports whether those record types were found, whether Google set the Authenticated Data flag, parsed DNSKEY roles and algorithms, parsed DS digest details, and a configuration recommendation.
What do DNSSEC enabled and chain complete mean here?
Enabled means at least one DNSKEY was found. Chain complete means both DNSKEY and DS records were present. Those labels describe record presence in this implementation; they do not independently cryptographically match each DS digest to a DNSKEY.
What does Validated by resolver mean?
It means at least one Google DNS response set the Authenticated Data flag, indicating that the validating resolver accepted the signed answer and chain. This is stronger evidence than record presence alone, although it remains one resolver's view at the time of the query.
Why is DNSKEY present but DS missing?
The zone publishes signing keys, but the parent zone does not publish the delegation signer needed to connect those keys to the DNS hierarchy. If signing is intended, obtain the current DS values from the DNS provider and add them through the registrar, then verify validation after propagation.
Can DNSSEC be present and still break resolution?
Yes. A stale or incorrect DS record, expired signatures, failed key rollover, or inconsistent authoritative servers can cause validating resolvers to return failure even while records exist. Do not rely only on the presence labels; verify the AD result and use a full DNSSEC debugger before changing keys.
How should I enable or repair DNSSEC safely?
Enable zone signing at the authoritative DNS provider, publish exactly the DS values it supplies at the registrar, and wait for propagation. During key rollover, follow the provider sequence so old and new trust data overlap correctly. Remove a stale DS before disabling signing to avoid an outage.
Why might the DNSSEC query time out or disagree with another tool?
The API waits up to ten seconds for four Google DNS-over-HTTPS responses. Resolver cache timing, propagation, geographic DNS behavior, or a transient upstream failure can differ from authoritative or other recursive views. Retry and compare authoritative servers when the result is unexpected.
What data is sent during a DNSSEC check?
The public domain is sent to the Web Aloha API, which forwards DNSKEY, DS, SOA, and RRSIG queries to Google DNS-over-HTTPS. The form asks for no credentials or personal information, and the endpoint contains no application-storage step for the domain or results.

Free 48-Hour Website Audit

Not sure what to fix first on your own website? We'll review it and tell you, in plain English. Free & non-obligatory.

Want Secure, Reliable DNS?

We configure DNSSEC, harden DNS, and keep your domain resilient against spoofing and outages.