Free DNSSEC Checker

Verify DNSSEC (Domain Name System Security Extensions) status for any domain. Check signing status, algorithms, key tags, and DS records to ensure DNS integrity.

No signup

Instant check

100% free

What Is DNSSEC?

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records to prevent attackers from spoofing DNS responses and redirecting traffic to malicious servers. It creates a chain of trust from the root DNS servers down to the authoritative name servers for a domain, ensuring that DNS responses are authentic and have not been tampered with.

Why It Matters

Without DNSSEC, an attacker who compromises or poisons a DNS resolver can redirect your users to phishing sites, intercept email, or perform man-in-the-middle attacks. DNSSEC prevents this by cryptographically verifying every DNS response.

Common Mistakes

Not enabling DNSSEC at the registrar after signing the zone, using weak algorithms (RSA/SHA1 instead of RSA/SHA256 or ECDSA), failing to update DS records after key rollovers, and not monitoring for DNSSEC validation failures are common oversights.

ROOT KSK

TRUSTED

ZONE SIGNATURE

VALID

DNSSEC_CHAIN_V2

CHAIN VALID

How It Works

Input Domain

Type the domain to check DNSSEC status.

Query Root

We trace the DNSSEC chain of trust from root servers.

Validate Signatures

Zone signatures, DS records, and key tags are verified.

Report Status

DNSSEC enabled/missing, algorithm, and key details are shown.

Chain of Trust Validation

Verifies the complete DNSSEC chain from the root DNSKEY down to the target domain's DS and DNSKEY records. Detects broken trust chains and missing signatures.

Algorithm Detection

Identifies the cryptographic algorithm used for signing (e.g., RSA/SHA-256, ECDSA P-256). Flags deprecated or weak algorithms that should be upgraded.

DS Record Check

Validates the DS (Delegation Signer) record at the parent zone and checks the digest type and key tag. The DS record is what bootstraps DNSSEC trust for a domain.

Key Tag & Digest

Displays the key tag identifier and digest hash for the domain's DNSKEY. Use this to verify your registrar has published the correct DS record.

Signed Zone Detection

Confirms whether the DNS zone itself is signed with RRSIG records. Unsigned zones cannot benefit from DNSSEC protection regardless of DS record presence.

Pass/Fail Summary

Provides a clear pass/fail summary indicating whether DNSSEC is properly configured and the chain of trust validates end-to-end from the root to your domain.

Frequently Asked Questions

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records to prevent attackers from spoofing DNS responses. It creates a chain of trust from root DNS servers down to your domain's authoritative name servers.

How does DNSSEC work?

DNSSEC uses public-key cryptography to sign DNS records. The root DNS servers sign their keys, which are used to sign top-level domain (TLD) keys, which in turn sign domain keys. Resolvers verify this chain of signatures to ensure responses are authentic.

Why should I enable DNSSEC?

Without DNSSEC, attackers who compromise DNS resolvers or perform cache poisoning can redirect your users to malicious sites, intercept email, or hijack connections. DNSSEC prevents these attacks by cryptographically verifying every DNS response.

Does DNSSEC encrypt DNS traffic?

No. DNSSEC provides authentication (proof that DNS data is genuine and unmodified) but not confidentiality (encryption). For encrypted DNS, consider DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH).

What is a DS record?

A DS (Delegation Signer) record is published in the parent zone (e.g., the .com zone for example.com). It contains a hash of the child zone's DNSKEY and is what bootstraps the chain of trust for DNSSEC validation.

Is this DNSSEC checker free?

Yes, this tool is 100% free with no signup required. For automated DNSSEC monitoring, chain-of-trust validation, algorithm deprecation alerts, and key rollover tracking, upgrade to CyberFurl Pro.

Related Security Tools

DNS Lookup

Query DNS records

DANE Checker

DNS-based TLS validation

DNS Propagation

Global propagation check

Need Continuous DNSSEC Monitoring?

Automate DNSSEC chain validation, track key rollovers, detect algorithm deprecation, and get alerted when DNSSEC signatures expire or the chain of trust breaks.

Start Free Trial View Pricing