DNSSEC Verification
Verify a domain's DNSSEC status by inspecting DNSKEY/DS/RRSIG records and validation results, for secure DNS troubleshooting.
DNSSEC verification uses public DoH resolvers (AD flag + DNSSEC records). Results are for troubleshooting and may differ from registrar-side settings.
DNSSEC Verification Documentation
What is DNSSEC?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS to protect data integrity and authenticity.
With DNSSEC, resolvers can validate responses and reduce DNS spoofing and cache poisoning risks.
How it works
Query DNSKEY
Fetch DNSKEY records and the corresponding RRSIG.
Query DS
Check whether the parent zone publishes a DS record for the domain.
Check AD flag
A validating resolver sets AD=true when validation succeeds.
Make a verdict
Combine DNSKEY, DS, and AD to report status and troubleshooting hints.
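The four steps above combined into one verdict function, as an added example that is not this tool's own code. It assumes JSON-format DoH responses with Status, AD and Answer fields, fetched with DNSSEC records requested; the status labels, hint wording and sample responses are constructed for illustration.

```python
# Added example: verdict from two JSON-format DoH responses (DNSKEY and DS queries).
# Status labels and hints are assumptions, not the tool's own output strings.
DNSKEY, DS, RRSIG = 48, 43, 46   # RR type numbers
SERVFAIL = 2                     # RCODE a validating resolver returns for bogus data

def rr_types(resp):
    """RR type numbers present in the Answer section."""
    return {rr["type"] for rr in resp.get("Answer", [])}

def verdict(dnskey_resp, ds_resp):
    """Combine DNSKEY, DS and AD into (status, hint)."""
    if SERVFAIL in (dnskey_resp.get("Status"), ds_resp.get("Status")):
        return ("misconfigured", "SERVFAIL from validating resolver: check DS match, "
                "signature expiry, key rollover")
    key_types = rr_types(dnskey_resp)
    has_key, has_sig = DNSKEY in key_types, RRSIG in key_types
    has_ds = DS in rr_types(ds_resp)
    ad = bool(dnskey_resp.get("AD"))
    if not has_key and not has_ds:
        return ("unsigned", "no DNSKEY in zone and no DS at parent")
    if has_key and not has_ds:
        return ("not_delegated", "zone is signed but parent publishes no DS")
    if has_ds and not has_key:
        return ("misconfigured", "parent publishes DS but zone serves no DNSKEY")
    if ad and has_sig:
        return ("secure", "DNSKEY, RRSIG and DS present; resolver set AD")
    return ("misconfigured", "DNSKEY and DS present but not validated: "
            "check signatures or retry after resolver cache expires")

def answer(name, *rrs):
    """Build a constructed Answer list from (type, data) pairs."""
    return [{"name": name, "type": t, "TTL": 3600, "data": d} for t, d in rrs]

# Constructed sample responses (record data are placeholders, not real keys).
KEY_RRS = ((DNSKEY, "257 3 13 <constructed-key>"),
           (RRSIG, "dnskey 13 2 3600 <constructed-sig>"))
DS_RR = (DS, "2371 13 2 <constructed-digest>")
SECURE = ({"Status": 0, "AD": True, "Answer": answer("example.test.", *KEY_RRS)},
          {"Status": 0, "AD": True, "Answer": answer("example.test.", DS_RR)})
NO_DS = ({"Status": 0, "AD": False, "Answer": answer("example.test.", *KEY_RRS)},
         {"Status": 0, "AD": False})
BOGUS = ({"Status": 2, "AD": False},
         {"Status": 0, "AD": True, "Answer": answer("example.test.", DS_RR)})

if __name__ == "__main__":
    for label, pair in (("secure", SECURE), ("no DS", NO_DS), ("bogus", BOGUS)):
        print(label, "->", verdict(*pair))
```

The SERVFAIL check runs first because a validating resolver withholds the records themselves when validation fails, so an empty answer alone cannot distinguish an unsigned zone from a broken one.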
FAQ
How do I enable DNSSEC?
Enable signing at your DNS host, then publish the DS record at your registrar (or use automated DNSSEC).
Does DNSSEC impact performance?
DNSSEC can increase response size and add validation cost, but caching and modern algorithms usually keep impact small.
Why do I see “Not delegated” or “Misconfigured”?
Common causes include missing/mismatched DS, expired signatures, incomplete key rollover, or stale resolver cache.