DNSSEC Check
Check whether a domain is DNSSEC-signed. Shows DS and DNSKEY records, algorithm and digest type, and whether the resolver returned an authenticated (AD) response.
Check DNSSEC validation
Queries the domain's SOA with the DO bit set via DNS-over-HTTPS, then checks whether the resolver returned AD (authenticated data) and whether DS and DNSKEY records exist.
What DNSSEC proves
DNSSEC is a chain of cryptographic signatures from the root zone down to your domain’s records. When a validating resolver returns an answer with the AD (Authenticated Data) flag set, it’s telling you the records weren’t tampered with in transit or by an intermediate cache.
Without DNSSEC, a network attacker can poison a cache or hijack a recursive resolver and point your MX records — or your A record — wherever they want.
What this tool shows
- AD flag — whether Google Public DNS validated the chain.
- DS records at the parent zone — the delegation-signer hash that anchors trust in your domain.
- DNSKEY records — the Key-Signing Key (KSK, flags 257) and Zone-Signing Key (ZSK, flags 256).
- Algorithm and digest type — pay attention to deprecated SHA-1 (digest type 1) and older RSA variants.
Common failure modes
- DNSKEY present, no DS at parent — your zone is signed but the chain is broken. Publish the DS through your registrar.
- AD not set even though DS + DNSKEY exist — usually a signature or lookup error somewhere in the chain. Try dnsviz.net for a full trace.
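The checks described above (AD flag, DS at the parent, KSK/ZSK flags, weak algorithms and digest types) and the two failure modes just listed, worked through in code. This is an added example, not the tool's own implementation. It assumes the JSON shape Google Public DNS returns from https://dns.google/resolve?name=<domain>&type=<type>&do=1 (a top-level "AD" boolean and an "Answer" list of objects with "type" and "data"), and every response it processes is constructed inline so it runs without network access; the domain example.invalid and the key bytes are made up.

```python
"""Classify a domain's DNSSEC state from DNS-over-HTTPS JSON answers.

Added example, not the DNSSEC Check tool's own code. It assumes the JSON shape
Google Public DNS returns from https://dns.google/resolve?name=<domain>&type=<type>&do=1:
a top-level "AD" boolean and an "Answer" list of {"type", "data"} objects.
All sample responses below are constructed so the script runs offline.
"""
import base64
import hashlib
import struct

TYPE_SOA, TYPE_DS, TYPE_DNSKEY = 6, 43, 48  # RR type codes from the IANA registry

# Algorithms and DS digest types RFC 8624 rates MUST NOT / NOT RECOMMENDED.
DEPRECATED_ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
WEAK_DIGEST_TYPES = {1: "SHA-1"}
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Canonical wire-format owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(data):
    """'257 3 13 <base64>' -> dict of flags, protocol, algorithm, raw public key."""
    flags, protocol, algorithm, key_b64 = data.split(None, 3)
    return {"flags": int(flags), "protocol": int(protocol), "algorithm": int(algorithm),
            "key": base64.b64decode("".join(key_b64.split()))}


def dnskey_rdata(k):
    return struct.pack("!HBB", k["flags"], k["protocol"], k["algorithm"]) + k["key"]


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the obsolete RSAMD5 algorithm uses a different rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(k):
    """Flag bit 7 (0x0100) = ZONE key, bit 15 (0x0001) = SEP; 257 = KSK, 256 = ZSK."""
    if not k["flags"] & 0x0100:
        return "not a zone key"
    return "KSK" if k["flags"] & 0x0001 else "ZSK"


def ds_digest(owner, k, digest_type):
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = DIGEST_FUNCS[digest_type]()
    h.update(owner_wire(owner) + dnskey_rdata(k))
    return h.hexdigest()


def parse_ds(data):
    """'12345 13 2 <hex>' -> dict of key tag, algorithm, digest type, digest."""
    tag, alg, dtype, digest = data.split(None, 3)
    return {"key_tag": int(tag), "algorithm": int(alg), "digest_type": int(dtype),
            "digest": "".join(digest.split()).lower()}


def assess(domain, soa_resp, ds_resp, dnskey_resp):
    """Apply the page's checks: AD flag, DS at parent, DNSKEY set, weak crypto, DS/KSK match."""
    keys = [parse_dnskey(rr["data"]) for rr in dnskey_resp.get("Answer", []) if rr["type"] == TYPE_DNSKEY]
    ds_records = [parse_ds(rr["data"]) for rr in ds_resp.get("Answer", []) if rr["type"] == TYPE_DS]
    ad = bool(soa_resp.get("AD", False))
    warnings = []
    for k in keys:
        if k["algorithm"] in DEPRECATED_ALGORITHMS:
            warnings.append(f"DNSKEY {key_tag(dnskey_rdata(k))} uses {DEPRECATED_ALGORITHMS[k['algorithm']]}")
    for d in ds_records:
        if d["digest_type"] in WEAK_DIGEST_TYPES:
            warnings.append(f"DS {d['key_tag']} uses digest type {d['digest_type']} ({WEAK_DIGEST_TYPES[d['digest_type']]})")
        if d["algorithm"] in DEPRECATED_ALGORITHMS:
            warnings.append(f"DS {d['key_tag']} references {DEPRECATED_ALGORITHMS[d['algorithm']]}")
        # A DS only anchors trust if it hashes to a DNSKEY the zone actually publishes.
        if not any(key_tag(dnskey_rdata(k)) == d["key_tag"] and k["algorithm"] == d["algorithm"]
                   and d["digest_type"] in DIGEST_FUNCS
                   and ds_digest(domain, k, d["digest_type"]) == d["digest"] for k in keys):
            warnings.append(f"DS {d['key_tag']} matches no published DNSKEY")
    if not keys and not ds_records:
        status = "unsigned"
    elif keys and not ds_records:
        status = "broken-chain: DNSKEY present but no DS at parent; publish the DS via the registrar"
    elif ad:
        status = "validated"
    else:
        status = "not-validated: DS and DNSKEY exist but the resolver did not set AD; trace the chain"
    return {"domain": domain, "ad": ad, "status": status, "warnings": warnings, "ds": ds_records,
            "keys": [{"tag": key_tag(dnskey_rdata(k)), "role": key_role(k), "algorithm": k["algorithm"]} for k in keys]}


def sample_responses(domain, publish_ds=True, ad=True, ds_digest_type=2):
    """Constructed DoH-style answers (not real DNS data) covering the page's failure modes."""
    ksk = {"flags": 257, "protocol": 3, "algorithm": 13, "key": bytes(range(64))}       # fake P-256 key bytes
    zsk = {"flags": 256, "protocol": 3, "algorithm": 13, "key": bytes(range(64, 128))}  # fake P-256 key bytes

    def fmt(k):
        return f"{k['flags']} {k['protocol']} {k['algorithm']} {base64.b64encode(k['key']).decode()}"

    dnskey = {"AD": ad, "Answer": [{"name": domain, "type": TYPE_DNSKEY, "data": fmt(k)} for k in (ksk, zsk)]}
    ds = {"AD": ad, "Answer": []}
    if publish_ds:  # the parent-zone DS is derived from the KSK exactly as a registrar would publish it
        ds["Answer"].append({"name": domain, "type": TYPE_DS, "data":
            f"{key_tag(dnskey_rdata(ksk))} 13 {ds_digest_type} {ds_digest(domain, ksk, ds_digest_type)}"})
    soa = {"AD": ad, "Answer": [{"name": domain, "type": TYPE_SOA,
           "data": "ns1.example.invalid. hostmaster.example.invalid. 1 3600 900 1209600 300"}]}
    return soa, ds, dnskey


if __name__ == "__main__":
    for label, kwargs in [("healthy", {}), ("no DS", {"publish_ds": False, "ad": False}),
                          ("DS but no AD", {"ad": False}), ("SHA-1 DS", {"ds_digest_type": 1})]:
        r = assess("example.invalid", *sample_responses("example.invalid", **kwargs))
        print(f"{label:13} AD={r['ad']!s:5} {r['status']}", *[f"\n    warning: {w}" for w in r["warnings"]])
```

To run it against a live domain instead of the constructed samples, fetch the three JSON documents for types SOA, DS and DNSKEY from the resolver URL above with do=1 and hand them to assess() unchanged; the DS/KSK digest comparison is the one check that the AD flag alone does not give you, since it tells you which published key the parent actually anchors.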
Privacy
Client-side DNS-over-HTTPS lookup. Google Public DNS validates and returns the AD flag directly.