| # | Type | Answer(s) | TTL | Query ms | Copy |
|---|---|---|---|---|---|
| {{ i + 1 }} | {{ row.type }} | {{ row.answer }} | {{ row.ttl }} | {{ row.time }} |
| DNSSEC Checks | Status | Copy |
|---|---|---|
| {{ c.label }} | Pass Fail |
Signed domain name records are cryptographic proofs that answers come from the correct zone and have not been altered. This checker summarizes keys, signatures, and delegation links in a clear domain signature validation checklist so you can see what passes.
Enter a domain and run the lookup, then read the simple status at the top and the detailed checks below. You will see whether the parent publishes a link to your key, whether signatures are present, and whether the timing is within the active window.
A typical positive result shows a key at the zone, a matching reference at the parent, at least one key for signing and one for delegation, and valid signatures that span the current time. If one piece is missing the summary moves from configured to partial or incomplete so you know what to fix first.
Use consistent domains and repeat checks after changes to compare runs. Remember that valid structure does not prove the service is reachable or the key is well protected.
Domain Name System Security Extensions (DNSSEC) add digital signatures to DNS records to create a trust path from a parent zone to a child zone. This report examines whether key material is present at the zone, whether the parent publishes a corresponding delegation reference, and whether signature windows currently cover the data.
The computation reads five record sets for the domain — DNSKEY, DS, RRSIG, NSEC, and NSEC3PARAM — via a resolver that returns structured answers, time‑to‑live values, and an authenticated‑data flag. From these, the tool derives a pass or fail outcome for each check and a concise overall status.
Results group naturally into bands: “Configured” when keys, delegation, and both key roles are present; “Partial” when essentials exist but one role is missing; “Incomplete” when only one side is visible; and “Missing” when neither appears. Values near a boundary, such as signatures close to expiration, deserve follow‑up even if they pass.
Comparisons are meaningful for the same domain at close times because caches, clock differences, and rollover stages can shift outcomes. The checks are structural and timing focused rather than full cryptographic verification of the chain to the root.
| Symbol | Meaning | Unit/Datatype | Source |
|---|---|---|---|
| Current time at evaluation | UTC Date | Derived | |
| RRSIG inception timestamp | UTC Date | From RRSIG | |
| RRSIG expiration timestamp | UTC Date | From RRSIG | |
| TTL | Record time to live | seconds | From answers |
| AD | Authenticated‑Data flag set by resolver | boolean | From answers |
example.com returns one DNSKEY with flag 257 and one with flag 256; a DS is present; RRSIG(DNSKEY) inception is 2025‑10‑01 00:00:00Z and expiration is 2025‑10‑31 00:00:00Z; the current time sits between them; digest type is 2 and the DS algorithm matches a DNSKEY algorithm. Result: all critical checks pass and the overall status is Configured.
| Band | Criteria summary | Action cue |
|---|---|---|
| Configured | DNSKEY and DS present; at least one KSK and one ZSK. | Monitor timing and plan routine rollovers. |
| Partial | DNSKEY and DS present, but a key role may be missing. | Add the missing role or complete propagation. |
| Incomplete | Only one of DNSKEY or DS present. | Publish the missing side to complete the link. |
| Missing | Neither DNSKEY nor DS detected. | Enable signing and publish delegation. |
| Field | Type | Min | Max | Step/Pattern | Error Text | Placeholder |
|---|---|---|---|---|---|---|
| Domain | string (FQDN or localhost) | 1 | 253 | /^(?=.{1,253}$)(?!-)([A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$/ or prefix xn-- |
Enter a valid domain like example.com | example.com |
| Constant | Value | Source | Notes |
|---|---|---|---|
| Record types queried | DNSKEY, DS, RRSIG, NSEC, NSEC3PARAM | Code | Requested in parallel. |
| Acceptable DNSKEY algorithms | 8, 13, 14, 15, 16 | Code | At least one must appear. |
| Modern RRSIG algorithms | 13, 14, 15, 16 | Code | Applies to signatures that cover DNSKEY. |
| Acceptable DS digest types | 2 or 4 | Code | SHA‑256 or SHA‑384. |
| KSK flag | 257 | DNSKEY | At least one required. |
| ZSK flag | 256 | DNSKEY | At least one required. |
| DNSKEY protocol | 3 | DNSKEY | All keys must declare protocol 3. |
YYYYMMDDHHMMSS format and are parsed as UTC.| Input | Accepted Families | Output | Encoding/Precision | Rounding |
|---|---|---|---|---|
| Domain name | FQDN, punycode prefix xn--, or localhost |
Records, checks, summary | Text values; JSON and CSV available | Durations rounded to ms |
Lookups are requested from your browser to a DNS‑over‑HTTPS resolver at cloudflare-dns.com. Results are rendered locally; the app does not persist your inputs or outputs.
Five network requests are made in parallel and processed in linear time with respect to the number of answers returned. Rendering and charting operate on small in‑memory arrays.
Given identical inputs at the same moment, results are deterministic for that resolver. Differences may arise from caches, clock skew, or active key rollovers.
Privacy & compliance. Requests are issued from the browser to the resolver endpoint; the app does not transmit results to an application server or retain them beyond your session.
Domain signature validation produces a status and a checklist of key and delegation conditions.
Example: After publishing a new DS, rerun validation until both DNSKEY and DS appear and signature timing is active.
Pro tip: rotate keys during low‑traffic windows and watch signature windows before they hit expiry.
No. Inputs and results are rendered locally. Queries are sent to a DNS‑over‑HTTPS resolver and are not retained by the app.
It reflects your resolver’s view right now. Structural checks and timing windows are evaluated; full cryptographic validation of the chain is not performed.
Durations are milliseconds, TTL is seconds, and signature times are UTC.
No. It needs a network connection to query the resolver.
No purchase is required to run checks or download the outputs.
Confirm a DS exists, its algorithm matches a DNSKEY algorithm, the digest type is 2 or 4, and its key tag matches a DNSKEY signature’s key tag.
It often means signatures are near inception or expiration, or only one side of the delegation is visible. Re‑check after propagation.
Some resolvers clear the authenticated‑data flag by policy. A cleared flag does not always imply bad signatures.