DNSSEC Checker
Check whether a domain is signed with DNSSEC and validates correctly.
DNSSEC adds cryptographic signatures to DNS records so that a validating resolver can detect forged answers (cache poisoning, spoofing). It does not encrypt queries or hide what you look up; it only proves that the records are the ones the zone owner signed. This tool sends the query to a validating resolver and reports two things: whether the domain publishes DNSSEC keys (a DNSKEY record set at the zone apex) and whether the resolver was able to validate the chain of trust, which it signals by setting the AD flag in its answer.
DNSSEC FAQ
DNSSEC (DNS Security Extensions) is a set of extensions that adds cryptographic signatures (RRSIG records) to DNS answers. It lets a validating resolver verify that the records were published by the legitimate zone owner and were not tampered with in transit.
AD (Authenticated Data) is a bit in the DNS response header that a validating resolver sets when it has successfully verified the domain's entire DNSSEC chain, from the root trust anchor down to the record you asked for. If it is set, the resolver vouches that the answer is authentic. Two caveats: the bit is only as trustworthy as the resolver and the path to it, since an attacker who can tamper with plain UDP traffic between you and the resolver can set the bit too (validate locally, or talk to the resolver over DoT/DoH, if that matters to you); and a missing AD bit does not mean the answer was forged, because unsigned domains never get it. A domain whose signatures fail to validate does not get an unflagged answer; it gets SERVFAIL.
The DNSKEY record set holds the public keys (key-signing and zone-signing keys) used to sign the zone's records. If a domain publishes no DNSKEY, DNSSEC is not enabled for it. Publishing a DNSKEY is not enough on its own: the parent zone (for example the TLD) must also carry a DS record with a hash of the key-signing key, which is what links the zone into the chain of trust. A zone with DNSKEY but no matching DS is signed but treated as insecure, so validating resolvers will not set the AD flag for it.
Validation usually fails because of expired RRSIG signatures (the zone was not re-signed in time) or an incorrect or missing DS record at the parent (TLD), typically after a key rollover or a change of DNS provider. In this "bogus" state validating resolvers reject the answers and return SERVFAIL, which can make the domain unreachable for everyone behind a validating resolver while non-validating resolvers keep answering normally.
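The check described above (query a validating resolver with the DO bit set, look for DNSKEY records, read the AD flag, and treat SERVFAIL as a likely bogus chain) can be reproduced with a short script. The following is an added example written for this page, not the checker's own code; it uses only the Python standard library, builds the DNS wire format by hand, defaults to the public resolver 1.1.1.1 (an assumption, any validating resolver works), and does not retry over TCP when a reply is truncated. The function names are the example's own.

```python
import socket
import struct
import sys

TYPE_RRSIG = 46
TYPE_DNSKEY = 48
TYPE_OPT = 41
DO_BIT = 0x8000      # DNSSEC OK, carried in the OPT pseudo-record's TTL field (RFC 4035 §3.2.1)
FLAG_RD = 0x0100     # recursion desired
FLAG_TC = 0x0200     # truncated; a full client would retry over TCP (omitted here)
FLAG_AD = 0x0020     # authenticated data, set by the validating resolver
FLAG_CD = 0x0010     # checking disabled, asks the resolver not to validate
RCODE_SERVFAIL = 2


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_DNSKEY, txid=0x1234, checking_disabled=False):
    """Build a DNSKEY query with EDNS0 and the DO bit so the resolver validates and returns RRSIGs."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)   # one question, one additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, TTL holds the DO bit, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return header + question + opt


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(data):
    """Extract rcode, AD/TC flags and the DNSKEY/RRSIG counts from the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(data, off) + 4          # skip QTYPE and QCLASS
    types = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {
        "rcode": flags & 0x000F,
        "ad": bool(flags & FLAG_AD),
        "tc": bool(flags & FLAG_TC),
        "dnskey": types.count(TYPE_DNSKEY),
        "rrsig": types.count(TYPE_RRSIG),
    }


def classify(result):
    """Map a parsed DNSKEY response to the states the checker reports."""
    if result["rcode"] == RCODE_SERVFAIL:
        return "servfail"               # bogus chain or a plain resolver failure; main() tells them apart
    if result["rcode"] != 0:
        return "error"
    if result["dnskey"] == 0:
        return "unsigned"               # no DNSKEY at the apex: DNSSEC is not enabled
    if result["ad"]:
        return "secure"                 # DNSKEY present and the resolver validated the chain
    return "signed-not-validated"       # DNSKEY present but no AD: missing DS, or the resolver does not validate


def query_resolver(name, resolver="1.1.1.1", checking_disabled=False, timeout=3.0):
    """Send one UDP query to the resolver and parse the reply (no TCP fallback on TC)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, checking_disabled=checking_disabled), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    resolver = sys.argv[2] if len(sys.argv) > 2 else "1.1.1.1"
    result = query_resolver(domain, resolver)
    verdict = classify(result)
    if verdict == "servfail":
        # With CD=1 the resolver hands back the records without validating them: if that
        # succeeds, the failure was the DNSSEC chain itself, i.e. the zone is bogus.
        retry = query_resolver(domain, resolver, checking_disabled=True)
        verdict = "bogus" if retry["rcode"] == 0 and retry["dnskey"] else "servfail"
    print(f"{domain}: {verdict} {result}")
```

Run it as `python3 dnssec_check.py example.com 1.1.1.1`. The CD=1 retry is the part worth copying: a SERVFAIL on its own does not distinguish a bogus chain from a resolver that is simply down, but a resolver that answers once validation is switched off has told you the records exist and the signatures are what failed.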