DNSSEC Validator


Validate a domain's DNSSEC chain — DS records at parent, DNSKEY at child, RRSIG signatures. Shows whether DNSSEC is enabled and correctly signed.

What is DNSSEC?

DNSSEC (DNS Security Extensions) is a set of extensions to the DNS protocol that adds cryptographic signatures to the records of a zone, so that every signed answer can be checked against a public key published in DNS. Without DNSSEC, an attacker who forges responses to your resolver (cache poisoning) can redirect you to a fake IP. With DNSSEC, a validating resolver verifies the signature and rejects tampered responses.

What does the DNSSEC Validator do?

Check DS records at parent

DS (Delegation Signer) records live at the parent zone (e.g. the .com registry for example.com) and declare: "this child domain uses DNSSEC, and this is the hash of its key-signing DNSKEY". A DS carries the key tag, the algorithm, the digest type and the digest itself, so it vouches for exactly one key. If no DS exists at the parent, DNSSEC is not enabled.

Check DNSKEY at the domain

DNSKEY records are the domain's public keys. Two types: KSK (Key Signing Key, flags 257), which signs the DNSKEY record set itself and is the key the parent's DS refers to, and ZSK (Zone Signing Key, flags 256), which signs the rest of the records (A, MX, TXT). The split allows the ZSK to be rolled without touching the DS at the parent.
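The link between the two checks above, the DS at the parent and the DNSKEY at the child, can be verified offline once both records are in hand. As an added example (not the validator's own code), this Python script computes the key tag and DS digest for a constructed KSK with made-up key bytes and checks whether a DS record published at the parent actually refers to that key; `OWNER` and `KSK` are constructed sample values, not real data.

```python
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """The digest the parent publishes: hash(canonical owner name || DNSKEY RDATA)."""
    return DS_DIGEST[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(owner: str, ds: tuple, rdata: bytes) -> bool:
    """ds = (key_tag, algorithm, digest_type, digest_hex) as seen at the parent. True only if
    the DS refers to this exact DNSKEY; an unknown digest type cannot be checked, so it fails."""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGEST:
        return False
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    return ds_digest(owner, rdata, dtype) == digest.upper()

# Constructed sample: a KSK for example.com (algorithm 13) with made-up key bytes, not a real key.
OWNER = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))

if __name__ == "__main__":
    good_ds = (key_tag(KSK), 13, 2, ds_digest(OWNER, KSK, 2))
    print("key tag:", key_tag(KSK))                                # 2098
    print("DS matches:", ds_matches_dnskey(OWNER, good_ds, KSK))   # True
    # The parent still holds the DS of a key that was rolled away: the chain breaks.
    old_key = dnskey_rdata(257, 3, 13, bytes(range(2, 66)))
    print("stale DS:", ds_matches_dnskey(OWNER, good_ds, old_key))  # False
```

A real check feeds the DS set fetched from the parent and the DNSKEY set fetched from the child into `ds_matches_dnskey`; any DS that matches no DNSKEY is a chain break of the kind the "Broken" status reports.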

Check RRSIG signatures

RRSIG records contain the actual signatures, one per record set. Each shows: type covered, algorithm, key tag of the signing DNSKEY, inception and expiration times. If they are absent, the zone isn't being signed, so DNSSEC doesn't work even with DS+DNSKEY in place: a validating resolver that finds a DS at the parent but no RRSIGs in the child rejects the answers instead of passing them through.

AD flag check

The most important confirmation. We query a validating resolver (Cloudflare 1.1.1.1) and check whether it returns the AD (Authenticated Data) flag. If yes, the DNSSEC chain validates end-to-end. If no, something is broken.

What do the statuses mean?

Enabled (green): DS + DNSKEY + RRSIG present and the AD flag set. DNSSEC works correctly.
Disabled (yellow): no DS record at the parent. DNSSEC is not enabled for this domain.
Broken (red): a DS exists but the DNSKEY is missing or the chain fails validation. This is WORSE than disabled, because validating resolvers return SERVFAIL and your domain becomes unreachable for their users.

How do you enable DNSSEC?

At your DNS provider (Cloudflare, AWS Route 53, Google Cloud DNS, Hetzner, OVH) there's usually a toggle "Enable DNSSEC". This creates DNSKEY records in your zone and shows you the matching DS record. Take that DS and add it at your domain registrar (where you bought the domain). When the registrar forwards it to the TLD registry, the chain completes and, once the relevant TTLs have expired, validation starts within a few hours.

FAQ

How important is DNSSEC today?

For critical domains (banks, government, high-volume e-commerce) it's a must. For blogs or marketing sites it's nice-to-have. The main benefit is blocking DNS cache poisoning attacks (like the Kaminsky attack) that can redirect users to phishing sites while the browser still shows the legitimate URL.

Why does my domain show "Broken"?

Most common causes: (a) You changed DNS provider but didn't update the DS record at the registrar, so the parent still vouches for the old provider's key. (b) The DNSKEY was rotated but you didn't wait long enough before removing the old one. (c) Wrong DS hash algorithm (digest type) at the parent, so the DS cannot be matched against the child's key. (d) Your zone changed without being re-signed. All lead to SERVFAIL: the domain becomes unreachable on validating resolvers (Cloudflare, Quad9, Google), but works on non-validating ones (some ISP resolvers).

What does the AD flag mean?

Authenticated Data. When a validating resolver returns AD=1, it means "I cryptographically validated this response through the DNSSEC chain". It's the only definitive proof that DNSSEC works in practice — everything else (DS present, DNSKEY present) is just "components exist", not "components work together".

What is the CD flag?

Checking Disabled. When set on a query, the resolver returns the response WITHOUT validating it. Comparing CD-on vs CD-off responses: if they differ, validation is actively rejecting something (broken chain). If they match, either everything is OK or DNSSEC isn't deployed.

Which algorithms should I choose?

For new deployments: Ed25519 (algorithm 15) or ECDSA P-256 with SHA-256 (algorithm 13). They're fast, produce small signatures and keys, and have broad support. Avoid RSA/SHA-1 (5), which is deprecated. RSA/SHA-256 (8) is acceptable but produces larger signatures and DNSKEY records.