DNS tools

DNSSEC checker

Verify DS records at your registrar, DNSKEY records at your authoritative nameservers, and the full chain of trust from the DNS root.

Verify DS records at the registrar, DNSKEY and RRSIG at the nameservers, and the full chain of trust from the DNS root.

How to use the DNSSEC checker

Enter your domain

Type the domain you want to validate, we check the zone and its parent automatically.

We run six validations

DS record at the registrar, DNSKEY in the zone, RRSIG signature validity, DS-DNSKEY match, algorithm security, and chain-of-trust integrity from the DNS root.

Read the status

One of four statuses: Enabled, Partial, Misconfigured, or Not enabled, with a per-check breakdown telling you exactly what to fix.

Inspect the records

Expandable DS, DNSKEY, and RRSIG tables show key tags, algorithms, digests, and signature windows for a deep audit.

The four DNSSEC statuses

Enabled

All checks pass successfully across zones. Your DNS responses are cryptographically authenticated end to end.

Partial

DNSKEY is present but no DS record exists at the registrar (or vice versa). Signing is set up but the chain of trust is incomplete.

Misconfigured

Records exist but validation fails, expired signatures, mismatched DS digests, or broken delegation. This can make your domain unresolvable on validating resolvers. Fix immediately.

Not enabled

Neither DS nor DNSKEY records could be located. DNSSEC is simply not set up, enable signing at your DNS host, then submit the DS record to your registrar.

DNSSEC record types explained

DNSSEC adds a cryptographic chain of trust on top of DNS, so resolvers can verify responses were not tampered with.

DNSKEY

The public keys used to verify DNSSEC signatures, a Zone Signing Key (ZSK) for records and a Key Signing Key (KSK) that signs the ZSK.

DS (Delegation Signer)

A hash of your KSK published in the parent zone (via your registrar). It links your zone into the global chain of trust.

RRSIG

The cryptographic signature attached to each record set. Signatures have validity windows and must be re-signed before they expire.

Chain of trust

Validation walks from the DNS root, to the TLD, to your zone. Every link must verify, one broken link fails the whole chain.

Frequently asked questions

DNS Security Extensions add digital signatures to DNS responses, so resolvers can verify records are authentic and untampered. It protects against cache poisoning and DNS spoofing attacks.

No, DNSSEC authenticates responses but does not encrypt them. Query privacy comes from DNS-over-HTTPS or DNS-over-TLS, which are complementary technologies.

Two steps: enable DNSSEC signing at your DNS hosting provider (most do this in one click), then submit the generated DS record to your registrar. Both parts are required for a complete chain of trust.

Validating resolvers (including Google and Cloudflare public DNS) will refuse to resolve your domain, your website and email effectively go offline for a large share of the internet. Always fix a Misconfigured status urgently.

Yes, DNSSEC protects the DNS records your email depends on (MX, SPF, DKIM, DMARC) from tampering, and it is a prerequisite for DANE, which enforces TLS on mail delivery.

Try more email authentication tools

Strengthen your domain security with our free lookup tools.

Run this check once, or have it watched 24/7.

SenderSignal monitors these signals continuously: 48 blacklists, SPF, DKIM, DMARC, TLS and more, with alerts in Slack, email and signed webhooks.

Start monitoring free All free tools