
DNSSEC Verification

Verify domain DNSSEC status by inspecting DNSKEY/DS/RRSIG and validation results for secure DNS troubleshooting

DNSSEC verification uses public DoH resolvers (AD flag + DNSSEC records). Results are for troubleshooting and may differ from registrar-side settings.


DNSSEC Verification Documentation

What is DNSSEC?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS to protect data integrity and authenticity.

With DNSSEC, resolvers can validate responses and reduce DNS spoofing and cache poisoning risks.

How it works

1. Query DNSKEY: Fetch DNSKEY records and the corresponding RRSIG.

2. Query DS: Check whether the parent zone publishes a DS record for the domain.

3. Check AD flag: A validating resolver sets AD=true when validation succeeds.

4. Make a verdict: Combine DNSKEY, DS, and AD to report status and troubleshooting hints.
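The four steps above, as an added example that is not this tool's own code: it takes two already-parsed DoH JSON responses (DNSKEY and DS queries, requested with DNSSEC records included) and returns a verdict, also checking that a DS key tag matches a published DNSKEY. The verdict strings, the `keyTag` and `dnssecVerdict` names, the response shape (`Status`, `AD`, `Answer[].type`, `Answer[].data`, as in common public DoH JSON APIs) and the sample records are assumptions constructed for illustration.

```javascript
// Added example, not the tool's code. Input: parsed DoH JSON responses.
const TYPE = { DS: 43, RRSIG: 46, DNSKEY: 48 };

// Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA
// (flags, protocol, algorithm, public key).
function keyTag(dnskeyData) {
  const [flags, proto, alg, ...b64] = dnskeyData.trim().split(/\s+/);
  const head = [Number(flags) >> 8, Number(flags) & 0xff, Number(proto), Number(alg)];
  const rdata = Buffer.concat([Buffer.from(head), Buffer.from(b64.join(""), "base64")]);
  let ac = 0;
  rdata.forEach((byte, i) => { ac += i & 1 ? byte : byte << 8; });
  return (ac + ((ac >> 16) & 0xffff)) & 0xffff;
}

const records = (resp, type) =>
  (resp.Answer || []).filter((rr) => rr.type === type).map((rr) => rr.data);

// Verdict labels are assumptions modelled on the page's wording.
function dnssecVerdict(dnskeyResp, dsResp) {
  const keys = records(dnskeyResp, TYPE.DNSKEY);
  const sigs = records(dnskeyResp, TYPE.RRSIG);
  const ds = records(dsResp, TYPE.DS);
  if (keys.length === 0 && ds.length === 0) return "unsigned";
  if (ds.length === 0) return "not delegated"; // signed, but no DS at the parent
  if (dnskeyResp.Status === 2) return "misconfigured: validation failed (SERVFAIL)";
  if (keys.length === 0) return "misconfigured: DS without DNSKEY";
  const tags = new Set(keys.map(keyTag));
  if (!ds.some((d) => tags.has(Number(d.trim().split(/\s+/)[0])))) {
    return "misconfigured: DS matches no DNSKEY";
  }
  if (sigs.length === 0) return "misconfigured: DNSKEY has no RRSIG";
  return dnskeyResp.AD === true ? "secure" : "misconfigured: AD flag not set";
}

// Constructed sample responses (not captured from a real zone).
const SAMPLE_DNSKEY = { Status: 0, AD: true, Answer: [
  { name: "example.test.", type: 48, data: "257 3 13 AQID" },
  { name: "example.test.", type: 46, data: "constructed-rrsig" },
] };
const SAMPLE_DS = { Status: 0, AD: true, Answer: [
  { name: "example.test.", type: 43, data: "2064 13 2 00" },
] };

console.log(dnssecVerdict(SAMPLE_DNSKEY, SAMPLE_DS));
```

The key tag comparison only shows that the DS points at a published key; it does not check the DS digest or any signature, which is why the resolver's AD flag still decides the final "secure" verdict.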

FAQ

How do I enable DNSSEC?

Enable signing at your DNS host, then publish the DS record at your registrar (or use automated DNSSEC).

Does DNSSEC impact performance?

DNSSEC can increase response size and add validation cost, but caching and modern algorithms usually keep impact small.

Why do I see “Not delegated” or “Misconfigured”?

Common causes include missing/mismatched DS, expired signatures, incomplete key rollover, or stale resolver cache.

Common algorithms

RSASHA256: SHA-256 (recommended)
RSASHA1: SHA-1 (legacy)
ECDSAP256SHA256: ECC (modern)
ED25519: Ed25519 (newer)

Data is processed locally in your browser by default and will not be uploaded to any server. Upload will be clearly indicated if required.

© 2026 See-Tool. All rights reserved.