DNSSEC Validator
Validate DNSSEC configuration for any domain. Check DNSKEY, DS, and RRSIG records and verify the chain of trust.
This tool is provided as a best-effort diagnostic aid. Results should be verified at the authoritative source before acting on them. This check runs from our infrastructure and may log queried information to improve accuracy and availability. Logs are retained for a short period and are not used for marketing.
What is DNSSEC?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses have not been tampered with. It protects against DNS spoofing and cache poisoning attacks.
DNSKEY Records
Contain the public keys that correspond to the private keys used to sign the zone's records. A zone typically has a Key Signing Key (KSK, flags 257) and a Zone Signing Key (ZSK, flags 256).
DS Records
Published in the parent zone and contain a digest (hash) of the child zone's KSK DNSKEY record. This is the link that builds the chain of trust from the root zone down to the domain.
RRSIG Records
Contain the cryptographic signature over each record set (RRset). Resolvers verify these signatures with the zone's DNSKEY to confirm that the data has not been altered.
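The RRSIG section above describes the signature records; the following added example (not the tool page's own code) parses an RRSIG as `dig +dnssec` prints it and performs the validity-window check that an "expired signature" failure fails. RFC 4034 section 3.1.5 defines inception and expiration as 32-bit counts of seconds since the epoch compared with serial-number arithmetic, which is what the code implements. The class and function names are this example's own, and the sample record is constructed with a dummy signature field.

```python
# Added example (not the tool page's own code): parse an RRSIG record as
# `dig +dnssec` prints it and check its validity window, the check behind an
# "expired signature" failure. Names (RRSIG, parse_rrsig, check_window) are
# this example's own; the sample record is constructed, with a dummy signature.
import base64
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RRSIG:
    type_covered: str   # RR type this signature covers, e.g. "A"
    algorithm: int      # DNSSEC algorithm number, must match the DNSKEY's
    labels: int         # label count of the signed owner name (wildcard detection)
    original_ttl: int
    expiration: int     # seconds since the epoch, 32-bit (RFC 4034 3.1.5)
    inception: int
    key_tag: int        # key tag of the DNSKEY that produced the signature
    signer: str         # zone apex that owns that DNSKEY
    signature: bytes


def parse_time(field: str) -> int:
    """Presentation form YYYYMMDDHHmmSS (UTC) to a 32-bit epoch value; a plain integer is also accepted."""
    if len(field) == 14:
        stamp = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(stamp.timestamp()) & 0xFFFFFFFF
    return int(field) & 0xFFFFFFFF


def parse_rrsig(text: str) -> RRSIG:
    """Parse the RDATA as printed by dig: TYPE ALG LABELS TTL EXPIRE INCEPT TAG SIGNER SIG..."""
    f = text.split()
    return RRSIG(f[0], int(f[1]), int(f[2]), int(f[3]), parse_time(f[4]), parse_time(f[5]),
                 int(f[6]), f[7], base64.b64decode("".join(f[8:])))


def serial_lte(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial-number arithmetic, which RFC 4034 mandates for these timestamps."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000


def check_window(sig: RRSIG, now: int) -> str:
    """Return 'valid', 'not-yet-valid' or 'expired' for a clock reading in seconds since the epoch."""
    now &= 0xFFFFFFFF
    if not serial_lte(sig.inception, now):
        return "not-yet-valid"
    if not serial_lte(now, sig.expiration):
        return "expired"
    return "valid"


def wildcard_expanded(owner: str, sig: RRSIG) -> bool:
    """RFC 4035 5.3.1: more labels in the owner name than in the RRSIG means a wildcard synthesized the RRset."""
    owner_labels = [l for l in owner.rstrip(".").split(".") if l and l != "*"]
    return len(owner_labels) > sig.labels


# Constructed sample: an A RRset for example.com signed with a two-week window in January 2024.
SAMPLE_RRSIG_TEXT = "A 13 2 3600 20240115000000 20240101000000 12345 example.com. AAAA"


def demo() -> dict:
    """Evaluate the sample signature at three clock readings and check wildcard detection."""
    sig = parse_rrsig(SAMPLE_RRSIG_TEXT)
    day = 86400
    return {
        "inception": sig.inception,
        "expiration": sig.expiration,
        "status_mid_window": check_window(sig, sig.inception + 7 * day),
        "status_after_expiry": check_window(sig, sig.expiration + 1),
        "status_before_inception": check_window(sig, sig.inception - 1),
        "wildcard_for_www": wildcard_expanded("www.example.com.", sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

For monitoring, feed `check_window` the current time from a trusted clock and alert well before the expiration, since a signer that stops re-signing turns every record it covers into a validation failure the moment the window closes.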
Chain of Trust
DNSSEC works by building a chain from the root zone down to the domain. Each parent zone vouches for its child by publishing a DS record that matches the child's KSK.
Why DNSSEC Validation Matters
Without DNSSEC, DNS responses are unsigned and can be forged by attackers through cache poisoning or man-in-the-middle attacks. DNSSEC adds origin authentication and integrity protection to DNS, so a validating resolver can confirm that the records it receives for a domain (for example an IP address) were published by the authoritative name server and were not altered in transit. This is particularly important for domains handling sensitive data, financial transactions, or email authentication.
Common DNSSEC Issues
The most common DNSSEC problems include expired RRSIG signatures, mismatched DS records at the registrar, algorithm rollover failures, and missing DNSKEY records after zone transfers. A broken DNSSEC chain can cause validation failures for DNSSEC-aware resolvers, making your domain unreachable for users behind validating resolvers like those operated by Google, Cloudflare, and many ISPs.
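The DS section above explains that the parent publishes a digest of the child's KSK, and the paragraph above lists a mismatched DS at the registrar as a common failure. The following added example (not the tool page's own code) reproduces the link a validator checks: it computes the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) from a DNSKEY and compares them with a DS record as the parent would publish it, using only the Python standard library. The class and function names are this example's own, and the key bytes are a constructed pattern, not real key material.

```python
# Added example (not the tool page's own code): rebuild the link between a
# child zone's DNSKEY and the DS record its parent publishes, per RFC 4034.
# Names (DNSKEY, DS, ds_from_dnskey, ds_matches) are this example's own;
# the key material below is a constructed pattern, not a real key.
import base64
import hashlib
from dataclasses import dataclass

# DS digest type codes from the IANA registry, mapped to hashlib constructors.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    owner: str          # zone apex, e.g. "example.com."
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw key material (base64-decoded from presentation form)

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def is_ksk(self) -> bool:
        # Value 1 is the Secure Entry Point bit; value 256 marks a zone key.
        return bool(self.flags & 1)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(len(l).to_bytes(1, "big") + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag: 16-bit one's-complement-style sum over the RDATA."""
    acc = 0
    for i, byte in enumerate(key.rdata()):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """Compute the DS record the parent zone should publish: digest(owner_wire | RDATA)."""
    h = DIGEST_ALGOS[digest_type]()
    h.update(owner_to_wire(key.owner))
    h.update(key.rdata())
    return DS(key_tag(key), key.algorithm, digest_type, h.digest())


def ds_matches(published: DS, key: DNSKEY) -> bool:
    """True if the parent's DS matches this DNSKEY on key tag, algorithm and digest."""
    expected = ds_from_dnskey(key, published.digest_type)
    return (published.key_tag == expected.key_tag
            and published.algorithm == expected.algorithm
            and published.digest == expected.digest)


def parse_dnskey_presentation(owner: str, text: str) -> DNSKEY:
    """Parse 'FLAGS PROTOCOL ALGORITHM BASE64...' as printed by `dig DNSKEY`."""
    fields = text.split()
    flags, proto, alg = (int(x) for x in fields[:3])
    return DNSKEY(owner, flags, proto, alg, base64.b64decode("".join(fields[3:])))


# Constructed sample KSK: 64 bytes of a repeating pattern, NOT real key material.
SAMPLE_KEY = DNSKEY("example.com.", 257, 3, 13, b"\x00\x01" * 32)
SAMPLE_DNSKEY_TEXT = "257 3 13 " + base64.b64encode(SAMPLE_KEY.public_key).decode()
SAMPLE_DS = ds_from_dnskey(SAMPLE_KEY)


def demo() -> dict:
    """Compare the key against its correct DS, then against a stale DS left over after a key change."""
    stale = DS(SAMPLE_DS.key_tag, SAMPLE_DS.algorithm, SAMPLE_DS.digest_type,
               bytes([SAMPLE_DS.digest[0] ^ 0x01]) + SAMPLE_DS.digest[1:])
    return {
        "key_tag": SAMPLE_DS.key_tag,
        "ds_presentation": f"{SAMPLE_DS.key_tag} {SAMPLE_DS.algorithm} "
                           f"{SAMPLE_DS.digest_type} {SAMPLE_DS.digest.hex().upper()}",
        "matches_current_ds": ds_matches(SAMPLE_DS, SAMPLE_KEY),
        "matches_stale_ds": ds_matches(stale, SAMPLE_KEY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

To check a real zone, paste the RDATA from `dig DNSKEY <zone>` (served by the child) into `parse_dnskey_presentation` and compare against the RDATA from `dig DS <zone>` (served by the parent); a KSK with no matching DS, or a DS whose key tag points at a key the child no longer serves, is exactly the registrar mismatch the paragraph above describes.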