Diagnostic suite · live

DNSSEC Checker

Verify whether a zone is signed with DNSSEC and whether the chain of trust validates. Shows DS records at the parent, DNSKEY records at the zone, and the AD flag returned by a validating resolver (Cloudflare 1.1.1.1).

About the DNSSEC Checker

The DNSSEC Checker inspects whether a domain is signed with DNSSEC and whether the resulting chain of trust actually validates end-to-end. We query DS records at the parent zone, DNSKEY records at the zone itself, and issue lookups against Cloudflare 1.1.1.1 with the DO (DNSSEC OK) bit set — then report the AD (Authenticated Data) flag returned for A, SOA, DS and DNSKEY queries. AD=true means a validating resolver has cryptographically verified the answer.

DNSSEC prevents cache poisoning and DNS spoofing by adding digital signatures to DNS records. A zone is 'signed' when its DNSKEY records exist and the parent zone publishes a matching DS record. It is 'validating' when a resolver walks that chain — root → TLD → your DS → your DNSKEY → your RRSIG on the record — and every signature verifies. Signed-but-not-validating usually means a missing or mismatched DS at the registrar, an expired signature, or an algorithm the resolver doesn't support.

Use DNSSEC Checker before enabling MTA-STS or DANE (both benefit from DNSSEC-signed zones), before migrating registrars (DS records break during transfer if you don't republish them), and when hardening high-value zones like your primary brand, email, or payment domains. Pair with SOA Lookup to see the current serial and with the Propagation Checker to confirm DNSKEY changes have replicated.

How to use this tool

  1. 1Enter the required value in the input field above (domain, IP, URL, or text depending on the tool).
  2. 2Click the action button to run the check — results are computed instantly from our edge network.
  3. 3Review the parsed output, key fields and any warnings shown in the result card.
  4. 4Copy the result, share the page URL, or jump to a related tool from the sidebar to continue debugging.

Key features

  • Shows DS records at the parent zone with algorithm and digest type
  • Shows DNSKEY records with KSK/ZSK detection and algorithm name
  • AD (Authenticated Data) flag from a real validating resolver
  • Human-readable algorithm names (RSASHA256, ECDSAP256SHA256, ED25519, …)
  • Actionable summary: signed, validating, or not enabled
Related searches: dnssec checker · check dnssec online · ds record lookup · dnskey lookup · chain of trust dns · verify dnssec validation · dnssec debugger

Frequently asked questions

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so a validating resolver can prove the answers weren't tampered with in transit. It defends against cache poisoning and spoofing attacks like the classic Kaminsky flaw.