DNSSEC Check
Check whether a domain is protected by DNSSEC and that its chain of trust validates.
Free • no sign-up • results run live in your browser via public DNS resolvers.
What is DNSSEC?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS so that resolvers can verify answers really came from the authoritative source and weren't tampered with in transit. Without it, DNS responses can be forged — the basis of cache-poisoning and man-in-the-middle attacks.
How we check it
We ask a validating resolver for your domain and look for the Authenticated Data (AD) flag, which is only set when the full chain of trust validates. We also check for a DS record (published at your registrar/parent zone) and DNSKEY records (published in your zone). For DNSSEC to work, the DS record at the parent must match your DNSKEY.
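The DS-to-DNSKEY match described above can be reproduced offline. This is an added example, not this tool's own code: it derives the key tag and DS digest from a DNSKEY as defined in RFC 4034 and compares them with a DS record. The owner name and key bytes are constructed sample values, and the function names are illustrative.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY (flags, protocol, algorithm, base64 key); not a real key.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit checksum over the RDATA)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, ds, dnskey):
    """ds = (key_tag, algorithm, digest_type, hex_digest); dnskey as SAMPLE_KEY."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(*dnskey)
    # Cheap fields first: an unknown digest type, wrong algorithm or wrong tag
    # means this DS cannot refer to this key.
    if dtype not in DIGESTS or alg != dnskey[2] or tag != key_tag(rdata):
        return False
    return ds_digest(owner, rdata, dtype) == digest.replace(" ", "").upper()

if __name__ == "__main__":
    owner = "example.com"
    rdata = dnskey_rdata(*SAMPLE_KEY)
    ds = (key_tag(rdata), SAMPLE_KEY[2], 2, ds_digest(owner, rdata, 2))
    print("DS for parent zone:", *ds)
    print("matches current key:", ds_matches(owner, ds, SAMPLE_KEY))
    # Simulated key roll: the zone publishes a new key but the parent keeps the old DS.
    rolled = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
    print("matches rolled key:", ds_matches(owner, ds, rolled))
```

A DS that fails this comparison against every DNSKEY in the zone is the mismatch case that causes validating resolvers to reject the domain's answers.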
Frequently asked questions
Turn on DNSSEC at your DNS host to generate the keys, then copy the resulting DS record into your domain registrar. Both halves must be in place for validation to succeed.
Usually the DS record at your registrar is missing or doesn't match your current DNSKEY. Re-publish the correct DS record at the registrar.
No. DNSSEC authenticates DNS data (proves it's genuine and unmodified) but does not encrypt it. For encryption you'd use DNS-over-HTTPS or DNS-over-TLS.