DNSSEC Checker
Verify whether a domain has DNSSEC enabled and its chain of trust is correctly configured. Checks DS, DNSKEY, and RRSIG records.
DNSKEY Records
DNSKEY records contain the public keys used to sign DNS zone records. Two types exist: Zone Signing Keys (ZSK), which sign the zone's records, and Key Signing Keys (KSK), which sign the DNSKEY records themselves.
DS Records
Delegation Signer records are published in the parent zone (.com, .org, etc.) and contain a hash of the child domain's DNSKEY. They create the chain of trust from ICANN's root zone down to your domain.
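The link between a parent's DS record and a child's DNSKEY can be checked by hand. The sketch below is an added example, not this checker's own code: it derives the key tag and DS digest as specified in RFC 4034 and finds which DNSKEY a DS commits to. The owner name and key bytes are constructed placeholders, and `match_ds` and the other helper names are hypothetical.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner wire name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def match_ds(owner, ds, dnskeys):
    """Return the DNSKEY RDATA that a DS (tag, alg, digest_type, digest) commits to, or None."""
    tag, alg, dtype, digest = ds
    want = digest.upper().replace(" ", "")
    for rdata in dnskeys:
        if (rdata[3] == alg and key_tag(rdata) == tag
                and dtype in DIGESTS and ds_digest(owner, rdata, dtype) == want):
            return rdata
    return None  # no published key matches: validating resolvers treat the zone as bogus

# Constructed sample data: the key bytes are placeholders, not real keys.
OWNER = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))       # flags 257: SEP bit set (KSK)
ZSK = dnskey_rdata(256, 3, 13, bytes(range(64, 128)))  # flags 256: zone key only (ZSK)
PARENT_DS = (key_tag(KSK), 13, 2, ds_digest(OWNER, KSK))

if __name__ == "__main__":
    print("DS published in parent:", PARENT_DS)
    print("chain intact:", match_ds(OWNER, PARENT_DS, [ZSK, KSK]) == KSK)
    # KSK replaced in the child zone while the parent still holds the old DS
    rolled = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
    print("after unsynchronised rollover:", match_ds(OWNER, PARENT_DS, [ZSK, rolled]))
```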
RRSIG Records
RRSIG (Resource Record Signature) records contain the cryptographic signatures for each DNS record set. Validating resolvers verify these signatures against the DNSKEY to confirm authenticity.
DNSSEC FAQ
Does my domain need DNSSEC?
DNSSEC is strongly recommended for any domain used for email or sensitive applications. Without it, attackers can potentially redirect your DNS queries to malicious servers (cache poisoning). Registrars like Cloudflare enable it in one click, so there's little reason not to.
Can DNSSEC break my domain?
Misconfigured DNSSEC can make your domain completely unreachable for users with DNSSEC-validating resolvers. Always use an automated signing solution (like Cloudflare's) rather than managing keys manually.
What is the DNSSEC chain of trust?
DNSSEC works through a hierarchy of trust starting at the DNS root (".") which is signed by ICANN. Each TLD (.com, .org) is signed by its registry, and each domain is signed by its zone administrator. Resolvers verify the chain from root to domain.