DNSSEC Checker
Validate your domain’s DNSSEC chain of trust end to end — from the root, through the TLD, down to your zone — and catch the broken states that quietly take a domain offline.
Validates the full chain of trust (root → TLD → your zone) over DNS-over-HTTPS, and flags broken states like a DS with no DNSKEY.
What DNSSEC does — in plain terms
Plain DNS is unauthenticated: when your computer asks “what’s the IP for this domain?”, it has no way to prove the answer really came from the domain owner and wasn’t forged along the way (DNS cache-poisoning / spoofing). DNSSEC fixes this by signing DNS answers with cryptographic keys, forming an unbroken chain of trust: the root signs the TLD, the TLD signs your zone, and your zone signs its records. A validating resolver checks every link.
The three links we verify
- Zone signed — your zone publishes a
DNSKEY, so its records are signed. - Anchored in the parent — a
DSrecord at your registrar/parent points to your key, connecting your zone to the chain above it. - Validates to the root — a validating resolver (we use Cloudflare over DNS-over-HTTPS) returns the Authenticated Data flag, meaning the whole chain root → TLD → zone checked out.
The broken states that matter
A misconfigured DNSSEC setup is worse than none — it can make your domain disappearfor everyone using a validating resolver (a big and growing share of the internet). We specifically catch:
- DS but no DNSKEY — the parent still points to a key your zone no longer serves. Validating resolvers treat the domain as bogus and refuse it: a live outage. Usually caused by turning off signing without removing the DS.
- Bogus (DS + DNSKEY but validation fails) — typically a stale DS after a key rollover; the DS at your registrar no longer matches your current key.
- Island of security — your zone is signed but there’s no DS in the parent, so nothing anchors it. The signing does nothing until you add the DS.
- Deprecated crypto — RSASHA1/MD5/DSA algorithms or SHA-1 DS digests, which resolvers are phasing out.
How to turn DNSSEC on correctly
Enable DNSSEC at your DNS host first (it generates the keys and signs the zone), then copy the resulting DS record to your registrar to anchor it. After any key change, redo the DS. To turn DNSSEC off safely, remove the DS at the registrar first, wait for it to expire from caches, then unsign the zone — never the other way around.
Related tools
- DNS Lookup — all records plus SPF/DMARC, with DNSSEC status.
- SSL / TLS Checker and WHOIS / RDAP Lookup.
Frequently asked questions
▸ ▾ What does the AD flag mean?
Authenticated Data — a validating resolver's confirmation that the full DNSSEC chain from the root down to your zone verified successfully. It's the closest thing to a single 'DNSSEC is working' signal.
▸ ▾ Why is 'DS but no DNSKEY' so serious?
The parent zone still vouches for a signing key your zone no longer publishes. Validating resolvers treat the domain as tampered and refuse to resolve it, so it goes offline for many users until you fix or remove the DS.
▸ ▾ Is DNSSEC required?
No — it's an optional extra layer and still uncommon, but valuable for high-trust domains and for email security (DANE/TLSA). If you enable it, configure it carefully: a broken chain is worse than none.