Free DNSSEC Checker
Validate your domain's DNSSEC configuration, check the chain of trust, and verify DNS Security Extensions are working correctly. No registration required.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS data. A validating resolver can confirm that the answers it receives were published by the zone owner and were not altered in transit. Without DNSSEC, a forged answer is indistinguishable from a genuine one, which is exactly what DNS spoofing and cache poisoning attacks exploit to redirect users to malicious sites.
Prevent DNS Spoofing
DNSSEC cryptographically signs DNS records, so a validating resolver can detect and discard forged responses. This defeats cache poisoning and on-path tampering with DNS answers that would otherwise redirect your visitors to fake websites. DNSSEC authenticates DNS data only: it does not encrypt queries and does not replace TLS on the website itself.
Chain of Trust
DNSSEC creates a chain of trust from the root zone down to your domain. Each parent zone publishes and signs a DS record, a hash of the child zone's key-signing key, so a resolver that holds only the root's trust anchor can verify every key and signature from the root through .com to your records.
Data Integrity
Resolvers that validate DNSSEC reject responses whose signatures do not verify, returning SERVFAIL instead of the tampered data, so users of those resolvers cannot be silently directed to an attacker's servers. Validation protects the data the resolver hands back; the last hop between the resolver and the end user is covered only if the client validates as well or reaches the resolver over a secure transport.
How DNSSEC Works
DNSKEY and RRSIG Records
When DNSSEC is enabled, your zone publishes DNSKEY records (public keys) and RRSIG records (digital signatures). Each record set (RRset) is signed with the zone's private zone-signing key (ZSK), and the DNSKEY RRset itself is signed with the key-signing key (KSK), the key referenced by the parent's DS record. A validating resolver fetches the DNSKEY RRset, checks the RRSIG over each answer against the matching public key, and rejects the response (SERVFAIL) if any signature fails to verify or has expired.
DS Records and Delegation
The DS (Delegation Signer) record at the parent zone (e.g., .com for example.com) contains a hash of the child zone's key-signing DNSKEY together with its key tag, algorithm and digest type. This links the child zone to the parent and completes the chain of trust; if the DS does not match any DNSKEY the child currently publishes (a common result of changing DNS providers without updating the DS at the registrar), validating resolvers treat the whole zone as bogus. Our checker verifies that this delegation is properly configured.
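The DS check described above is a digest comparison, and it can be reproduced with nothing but the standard library. The following is an added example, not part of the DNSMonit page or product: it builds the DS RDATA for a DNSKEY exactly as RFC 4034 section 5.1.4 specifies (digest over the canonical owner name plus the DNSKEY RDATA, with the key tag from Appendix B) and then verifies a parent-side DS against the child's DNSKEY RRset. The two DNSKEY records are constructed placeholders with 4-byte public keys so the key-tag arithmetic can be followed by hand; real keys are hundreds of bytes long.

```python
"""Compute and verify a DS record from a child zone's DNSKEY (RFC 4034 s5.1.4).

Added example, not part of the DNSMonit page or product. Standard library only.
The DNSKEY public keys below are constructed placeholders, not real keys.
"""
import base64
import hashlib
from dataclasses import dataclass

# Digest type codes from the IANA "DS RR Digest Algorithms" registry.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass
class DNSKEY:
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit, the low bit, set)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: str   # base64, as it appears in the zone file

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + base64.b64decode(self.public_key))

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> str:
    """Return DS RDATA as 'keytag algorithm digesttype HEXDIGEST'."""
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + key.rdata()).hexdigest().upper()
    return f"{key.key_tag()} {key.algorithm} {digest_type} {digest}"


def verify_ds(owner: str, child_keys: list, parent_ds: str) -> bool:
    """True if a KSK in the child's DNSKEY RRset matches the DS published at the parent.

    This is the delegation link a checker validates: a DS that points at a key the
    child no longer publishes (stale after a provider change) breaks the chain.
    """
    tag, alg, dtype, digest = parent_ds.split()
    for key in child_keys:
        if (key.flags & 1) == 0:      # DS records reference keys with the SEP bit set
            continue
        if make_ds(owner, key, int(dtype)) == f"{tag} {alg} {dtype} {digest.upper()}":
            return True
    return False


# Constructed sample data (placeholder keys, not real cryptographic material).
KSK = DNSKEY(flags=257, protocol=3, algorithm=8, public_key="AQIDBA==")
ZSK = DNSKEY(flags=256, protocol=3, algorithm=8, public_key="BQYHCA==")
SAMPLE_DS = make_ds("example.com.", KSK)   # what the registrar would publish under .com

if __name__ == "__main__":
    print("DS record:", SAMPLE_DS)
    print("chain intact:", verify_ds("example.com.", [ZSK, KSK], SAMPLE_DS))
    print("stale DS:", verify_ds("example.com.", [ZSK], SAMPLE_DS))
```

In practice you would feed `verify_ds` the DNSKEY RRset fetched from the child's authoritative servers and the DS RRset fetched from the parent; a mismatch here is the "broken chain" case that makes validating resolvers return SERVFAIL.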
The AD Flag
The Authenticated Data (AD) flag in a DNS response indicates that the validating resolver which answered you verified the DNSSEC signatures for that answer. Resolvers set AD only when the query signalled DNSSEC awareness (the AD bit or the EDNS0 DO bit) and did not set the Checking Disabled (CD) bit. Our checker queries multiple validating resolvers (Google, Cloudflare, Quad9) and checks the AD flag on each answer, so a result is confirmed by independent resolvers rather than trusted from one.
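To make the AD flag check concrete, here is an added example (not part of the DNSMonit page or product, standard library only) that builds a DNS query the way a checker must, with RD and AD set and an EDNS0 OPT record carrying the DO bit and CD left clear, then reads the AD, CD and RCODE fields out of a response header and classifies the result. The two response headers at the bottom are constructed bytes so the parsing can be run offline; `query_resolver` sends a real UDP query to the resolver address you pass and is only used when the script is run directly.

```python
"""Build a DNSSEC-aware DNS query and read AD/CD/RCODE from the reply header.

Added example, not part of the DNSMonit page or product. Standard library only.
The sample response headers are constructed by hand; query_resolver() does real I/O.
"""
import secrets
import socket
import struct

# Header flag bits (RFC 1035 s4.1.1; AD and CD from RFC 2535 s6.1).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
EDNS_DO = 0x8000   # DNSSEC OK bit: high bit of the OPT record's 32-bit TTL field


def name_to_wire(name: str) -> bytes:
    """Length-prefixed labels terminated by the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = None, cd: bool = False) -> bytes:
    """Recursive query with AD set and an EDNS0 OPT record carrying DO.

    A resolver only sets AD in its reply if the query had AD or DO set (RFC 6840 s5.7).
    CD=1 asks the resolver to skip validation, so a checker must leave it clear;
    the parameter exists only to show the bit.
    """
    if txid is None:
        txid = secrets.randbits(16)             # unpredictable ID resists blind spoofing
    flags = RD | AD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = name_to_wire(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner name, type 41, UDP payload size 1232, TTL field = ext-rcode|version|DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, EDNS_DO, 0)
    return header + question + opt


def parse_header(response: bytes) -> dict:
    """Return the header fields a DNSSEC checker cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    return {
        "id": txid,
        "rcode": flags & 0x000F,   # 2 = SERVFAIL, what a validation failure looks like
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "ra": bool(flags & RA),
        "answers": an,
    }


def classify(resp: dict) -> str:
    """Interpret one resolver's reply. AD speaks only for that resolver's validation."""
    if resp["rcode"] == 2:
        return "SERVFAIL (bogus data or broken chain, if the resolver validates)"
    if resp["rcode"] != 0:
        return f"rcode {resp['rcode']}"
    if resp["ad"]:
        return "validated (AD set)"
    return "answered, not validated (unsigned zone or non-validating resolver)"


def query_resolver(resolver_ip: str, name: str, timeout: float = 3.0) -> dict:
    """Send build_query() over UDP and parse the reply (network; not used by tests)."""
    txid = secrets.randbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid), (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_header(data)
    if resp["id"] != txid:
        raise ValueError("transaction ID mismatch, reply discarded")
    return resp


# Constructed response headers (no body needed to exercise header parsing).
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 1)  # NOERROR, AD set
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | 2, 1, 0, 0, 1)    # RCODE 2, no AD

if __name__ == "__main__":
    for ip in ("8.8.8.8", "1.1.1.1", "9.9.9.9"):
        print(ip, classify(query_resolver(ip, "example.com.")))
```

Running the script asks the three public resolvers the page mentions; agreement among them is the signal, since any single resolver could be non-validating, misconfigured, or serving a stale cache.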
What Our DNSSEC Checker Validates
DNSKEY Records
Checks for the presence of DNSKEY records indicating DNSSEC is enabled for your domain.
AD Flag Validation
Verifies the Authenticated Data flag from multiple DNS resolvers to confirm signatures are valid.
CAA Records
Checks for Certificate Authority Authorization records, which restrict which certificate authorities may issue TLS certificates for your domain.
Overall DNS Health
Full health score covering DNSSEC, SPF, DMARC, CAA, and all DNS record types.
DNSSEC Checker - Frequently Asked Questions
What is DNSSEC?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records. It allows resolvers to verify that DNS responses are authentic and haven't been tampered with, preventing DNS spoofing and cache poisoning attacks.
How do I enable DNSSEC for my domain?
Enable DNSSEC signing with whoever hosts your authoritative DNS (Cloudflare, Google Cloud DNS, AWS Route 53 and most major providers support it), then publish the resulting DS record through your registrar so it appears in the parent zone. Both steps are required for the chain of trust to work, and the DS must be updated whenever the key-signing key changes or you move to a different DNS provider.
What happens if DNSSEC is misconfigured?
A broken DNSSEC chain of trust, for example an expired signature or a DS record that no longer matches your DNSKEY, causes validating resolvers (including Google and Cloudflare public DNS) to return SERVFAIL, making your domain unreachable for their users while non-validating resolvers keep answering as if nothing were wrong. This is why continuous monitoring is critical.
Does DNSSEC affect website performance?
DNSSEC adds a small amount of latency (typically a few milliseconds) because signed responses are larger and validating resolvers must fetch and verify DNSKEY and DS records, although those are cached. The security benefits far outweigh this minimal performance impact.
What is the AD flag in DNS?
The Authenticated Data (AD) flag in a DNS response indicates that the resolver which answered you has validated the DNSSEC signatures on that answer. It is set only when the query signalled DNSSEC awareness (the AD or DO bit) and did not set the Checking Disabled bit. Our checker queries multiple resolvers and checks the AD flag on each to confirm DNSSEC is validating correctly.
Monitor DNSSEC Validation Continuously
DNSSEC misconfigurations can make your domain unreachable. DNSMonit monitors DNSSEC status continuously and alerts you instantly if validation breaks, signatures expire, or DNSSEC is removed.