Verify DS records at your registrar, DNSKEY records at your authoritative nameservers, and the full chain of trust from the DNS root.
Type the domain you want to validate, we check the zone and its parent automatically.
DS record at the registrar, DNSKEY in the zone, RRSIG signature validity, DS-DNSKEY match, algorithm security, and chain-of-trust integrity from the DNS root.
One of four statuses: Enabled, Partial, Misconfigured, or Not enabled, with a per-check breakdown telling you exactly what to fix.
Expandable DS, DNSKEY, and RRSIG tables show key tags, algorithms, digests, and signature windows for a deep audit.
All checks pass successfully across zones. Your DNS responses are cryptographically authenticated end to end.
DNSKEY is present but no DS record exists at the registrar (or vice versa). Signing is set up but the chain of trust is incomplete.
Records exist but validation fails, expired signatures, mismatched DS digests, or broken delegation. This can make your domain unresolvable on validating resolvers. Fix immediately.
Neither DS nor DNSKEY records could be located. DNSSEC is simply not set up, enable signing at your DNS host, then submit the DS record to your registrar.
DNSSEC adds a cryptographic chain of trust on top of DNS, so resolvers can verify responses were not tampered with.
The public keys used to verify DNSSEC signatures, a Zone Signing Key (ZSK) for records and a Key Signing Key (KSK) that signs the ZSK.
A hash of your KSK published in the parent zone (via your registrar). It links your zone into the global chain of trust.
The cryptographic signature attached to each record set. Signatures have validity windows and must be re-signed before they expire.
Validation walks from the DNS root, to the TLD, to your zone. Every link must verify, one broken link fails the whole chain.
DNS Security Extensions add digital signatures to DNS responses, so resolvers can verify records are authentic and untampered. It protects against cache poisoning and DNS spoofing attacks.
No, DNSSEC authenticates responses but does not encrypt them. Query privacy comes from DNS-over-HTTPS or DNS-over-TLS, which are complementary technologies.
Two steps: enable DNSSEC signing at your DNS hosting provider (most do this in one click), then submit the generated DS record to your registrar. Both parts are required for a complete chain of trust.
Validating resolvers (including Google and Cloudflare public DNS) will refuse to resolve your domain, your website and email effectively go offline for a large share of the internet. Always fix a Misconfigured status urgently.
Yes, DNSSEC protects the DNS records your email depends on (MX, SPF, DKIM, DMARC) from tampering, and it is a prerequisite for DANE, which enforces TLS on mail delivery.
Strengthen your domain security with our free lookup tools.
SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.