
Domain Name System Security Extensions (DNSSEC) add digital signatures to DNS data so that a validating resolver can verify that a response came from the zone's authoritative source and was not altered in transit. Forged answers are rejected rather than cached, which defeats cache-poisoning and on-path tampering attacks. DNSSEC authenticates data; it does not encrypt queries.

This tool checks a domain for the two cornerstone DNSSEC records, DNSKEY (published in the zone itself) and DS (published by the parent zone), via DNS-over-HTTPS (DoH). It collects each record, measures query latency, and inspects the DNSKEY flags field to confirm that the keys needed for a chain of trust are present. Note that a present DS and a present KSK are necessary but not sufficient: the DS digest must also match the KSK, and the zone's RRSIGs must validate, before resolvers will trust the zone.

Use the findings to confirm a new deployment, troubleshoot a failed rollover, or audit third-party name servers. A concise pass/fail list highlights urgent gaps so you can react before validating resolvers start returning SERVFAIL to your users.

Technical Details:

The report runs entirely in your browser and performs a focused, standards-based inspection.

  • Queries Cloudflare's DoH endpoint (1.1.1.1) for low-latency lookups.
  • Retrieves DNSKEY and DS records independently.
  • Displays raw answers, individual TTLs, and round-trip times.
  • Detects Key-Signing Keys (flags 257: Zone Key + SEP bit) and Zone-Signing Keys (flags 256: Zone Key only).
  • Generates pass/fail summaries with inline SVG ticks and crosses.
  • Wraps long key strings so the record table does not force horizontal scrolling.
  • Runs client-side only; no server stores, logs, or alters data.

Step-by-Step Guide:

Follow these steps to validate any domain’s DNSSEC posture.

  1. Enter the fully-qualified domain in the Domain field.
  2. Click Validate DNSSEC to start the lookup.
  3. Watch the busy spinner until queries finish.
  4. Review the record table for raw DNSKEY and DS answers.
  5. Check the DNSSEC Checks list for overall pass/fail results.
  6. Note any failed check, correct the zone (or the DS at your registrar), and retest once the relevant TTL has expired.

FAQ:

Find quick answers to common DNSSEC validation questions.

What is a Key-Signing Key (KSK)?
A KSK is the DNSKEY whose flags field has the Secure Entry Point (SEP) bit set (flags 257). It signs the zone's DNSKEY RRset, and a digest of it is what the parent zone publishes as the DS record, linking the zone into the chain of trust.
Why do I see “—” instead of a record value?
The DoH resolver returned no record of that type. For DNSKEY, confirm the key is in the zone and served by every authoritative name server. For DS, remember that the record lives in the parent zone, not in your zone file: check that your registrar has published it and that the parent's TTL has expired.
Does the tool modify my DNS configuration?
No. All lookups are read-only and performed against a public resolver with no changes to your servers.
Which resolvers are supported?
The current build queries Cloudflare’s 1.1.1.1 DoH service. Future versions may add selectable providers.
How often should I validate DNSSEC?
Check after key rollovers, DNS-hosting migrations, or policy changes. Periodic validation (e.g., monthly) helps catch unnoticed issues.

Troubleshooting:

Resolve frequent problems using the guidance below.

Lookup failed
Verify internet connectivity and that nothing (a content blocker, corporate proxy, or browser policy) blocks requests to the Cloudflare DoH endpoint.
Missing DS record
Publish a DS record built from the KSK's digest at your registrar (or directly in the parent zone) and wait for the parent's negative-cache TTL to expire before rechecking.
Unexpected algorithm code
The DS record's algorithm field must equal the algorithm of the DNSKEY it refers to, and its key tag must match that key; otherwise validators cannot link the two.
Flag mismatch
A KSK should carry flags 257 (Zone Key + SEP); a ZSK flags 256 (Zone Key only). Regenerate or re-tag the key with the correct flags in your signer, then re-sign the DNSKEY RRset.
Stale TTL values
Lower DNSKEY and DS TTLs before a rollover so old answers expire quickly and validation gaps are short; restore them once the rollover has completed.