Free tool
DNSSEC checker
Test a domain's DNSSEC chain of trust, zone by zone
Free DNSSEC checker and test. Enter a domain to see whether its chain of trust is set up correctly, from the top-level domain down to the domain itself, with per-zone diagnostics and clear fixes. The check runs in your browser.
DNSSEC analysis
Warnings
Chain of trust
Each row is one zone in the delegation, from the top-level domain down to the domain you entered. Open a zone to see its per-check breakdown and keys.
How to check DNSSEC for a domain
Four steps from a domain name to a clear verdict on its DNSSEC setup.
1. Enter a domain
Type any domain into the form above. Apex domains and subdomains both work. Internationalized domain names are converted to punycode for you.
2. Run the check
The tool queries DNS-over-HTTPS from your browser and walks the chain of trust from the top-level domain down. Results appear inline in a few seconds.
3. Read the verdict
The banner shows one of six states: secure, unsigned, partial, misconfigured, bogus, or error. Open each zone to see which checks passed, warned, or failed.
4. Fix any warnings
Follow the per-zone notes. A missing DS record, an expired signature, or a legacy algorithm each has a specific fix at your registrar or DNS host.
What you can learn from a DNSSEC check
A DNSSEC check is the fastest way to confirm a signed domain still validates. Use it to:
- Confirm a newly signed domain validates end to end before you rely on it.
- Diagnose a SERVFAIL outage: a bogus verdict with the resolver's reason points straight at the broken link.
- Verify a DS record was added correctly at the registrar after enabling DNSSEC at your DNS host.
- Catch an RRSIG signature that is about to expire before it takes the domain offline.
- Spot a legacy signing algorithm that RFC 8624 tells operators to move off: RSAMD5 (MUST NOT sign or validate) or RSASHA1 (NOT RECOMMENDED for signing).
- Check a partner or vendor domain before depending on DANE or DNSSEC-validated MX lookups.
Understanding DNSSEC
What is DNSSEC?
DNS is the phone book of the internet: it turns a name like example.com into the addresses that computers connect to. Plain DNS has no way to prove an answer is genuine, so an attacker who sits between you and a DNS server, or who poisons a resolver's cache, can hand back a forged answer and send you to the wrong place. DNSSEC (DNS Security Extensions) fixes that by signing DNS records with cryptographic keys. A validating resolver checks the signature (RRSIG) on every answer from a signed zone. If the signature verifies against a key the chain of trust vouches for, the answer is genuine. If it does not, the resolver returns SERVFAIL instead of passing along something forged. DNSSEC protects the integrity and authenticity of DNS answers. It does not hide them and it is not a replacement for SPF, DKIM, or DMARC.
How the chain of trust works
No single key signs the whole internet. Instead, each zone vouches for the one below it, forming a chain. The DNS root is signed, and its key is built into every validating resolver as a trust anchor. The root signs a DS record that fingerprints the .com key. The .com zone signs a DS record that fingerprints the example.com key. The example.com zone signs its own records, including its DNSKEY set. To validate a name, a resolver follows this chain link by link from the root down. Each link has two parts: a DS record in the parent zone that carries a hash of the child's key (the key tag, algorithm, digest type, and digest), and a DNSKEY record in the child zone that holds the actual key. When the DS digest matches a hash of the child's owner name plus the DNSKEY record, and the child's DNSKEY set is signed by that key, the link holds. This checker walks the same chain and shows you each link.
Signed is not the same as secure
A domain can publish DNSSEC keys and still fail to validate. Being signed means the zone has DNSKEY records and signs its answers. Being secure means the chain is also complete: the parent publishes a matching DS record and the signatures check out, so resolvers set the Authenticated Data (AD) flag. If the DS record at the parent is missing, resolvers treat the zone as unsigned and the keys do nothing. If the DS record points at a key that no longer exists, resolvers return SERVFAIL and the domain goes dark. That is why enabling DNSSEC is a two-step job done in the right order: publish keys at your DNS host first, wait for them to propagate, then add the DS record at your registrar. Turning DNSSEC off is the same job in reverse: remove the DS record first, wait at least its TTL, and only then remove the keys. Once your DNS is trustworthy, close the loop on email with a full DMARC, SPF, and BIMI check.
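To make the DS-to-DNSKEY link described in the two sections above concrete, here is an added Python example. It is not part of this page's checker; it reproduces the RFC 4034 arithmetic a validator uses: the key tag (Appendix B), the DS digest over the child's canonical owner name plus the DNSKEY RDATA (section 5.1.4), and a per-link verdict of secure, insecure (no DS) or bogus (DS present but matching no key). The key bytes, owner name and function names are constructed for the example.

```python
"""Check one link of a DNSSEC chain of trust: does a parent-side DS record
fingerprint a DNSKEY that the child zone publishes?  RFC 4034 s5.1.4 defines
the digest input as the child's owner name in canonical wire form followed by
the DNSKEY RDATA in wire form; RFC 4034 Appendix B defines the key tag."""
import base64
import hashlib
import hmac
import struct

# DS digest types a validator understands (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_owner_name(name: str) -> bytes:
    """Owner name as lowercase length-prefixed labels ending in the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): the 16-bit id that appears in DS and RRSIG records."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest a DS record of this digest type should carry for this key."""
    return DIGEST_ALGS[digest_type](canonical_owner_name(owner) + rdata).hexdigest().upper()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS tuple (key tag, algorithm, digest type, digest) for a DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(owner, ds, dnskey) -> bool:
    """True if this DS fingerprints this DNSKEY: tag, algorithm and digest all agree."""
    tag, alg, dtype, digest = ds
    flags, protocol, key_alg, key_b64 = dnskey
    if dtype not in DIGEST_ALGS or not flags & 0x0100:  # unknown digest type, or not a zone key
        return False
    rdata = dnskey_rdata(flags, protocol, key_alg, key_b64)
    if key_tag(rdata) != tag or key_alg != alg:
        return False
    return hmac.compare_digest(ds_digest(owner, rdata, dtype), digest.upper())


def chain_link_status(owner, ds_set, dnskey_set) -> str:
    """'insecure' when the parent publishes no DS (keys do nothing), 'secure' when some DS
    matches a published key, 'bogus' when DS records exist but none matches (SERVFAIL)."""
    if not ds_set:
        return "insecure"
    if any(ds_matches_dnskey(owner, ds, key) for ds in ds_set for key in dnskey_set):
        return "secure"
    return "bogus"


if __name__ == "__main__":
    # Constructed placeholder key material, not a real key: 64 arbitrary bytes standing in
    # for an ECDSAP256SHA256 (algorithm 13) public key with KSK flags 257.
    fake_key = base64.b64encode(bytes(range(64))).decode()
    ksk = (257, 3, 13, fake_key)
    ds = make_ds("example.com.", *ksk)
    print("DS to hand to the registrar: example.com. IN DS %d %d %d %s" % ds)
    print("matching DS:", chain_link_status("example.com.", [ds], [ksk]))
    stale = (ds[0], ds[1], ds[2], "00" * 32)  # DS left behind after the keys changed
    print("stale DS:   ", chain_link_status("example.com.", [stale], [ksk]))
    print("no DS:      ", chain_link_status("example.com.", [], [ksk]))
```

The three cases at the bottom map onto the page's verdicts: a matching DS is the secure chain, a DS whose digest no longer matches any key is the bogus state that makes validating resolvers SERVFAIL, and no DS at all means the parent never vouched for the zone, so resolvers treat it as unsigned however many keys it publishes.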
Frequently asked questions
- What is DNSSEC?
- DNSSEC (DNS Security Extensions) adds digital signatures to DNS records. A validating resolver checks those signatures against a chain of trust that starts at the signed DNS root and runs down through each zone to the domain. If the signatures match, the resolver knows the DNS answer was not tampered with in transit. DNSSEC protects the integrity of DNS answers; it does not encrypt them and it does not replace SPF, DKIM, or DMARC.
- How do I check if a domain has DNSSEC?
- Enter the domain in the checker above and run it. The tool queries DNS-over-HTTPS from your browser, walks the chain of trust from the top-level domain down to the domain, and reports one of six verdicts: secure, unsigned, partial, misconfigured, bogus, or error. Each signed zone gets a per-zone breakdown so you can see exactly where the chain succeeds or breaks.
- Is DNSSEC worth it?
- DNSSEC stops one specific attack: someone forging or tampering with the DNS answers for your domain, such as cache poisoning. That protection also covers the DNS records other systems rely on, including MX, SPF, and MTA-STS lookups, and it is a prerequisite for DANE. The trade-off is operational: a broken signature or an expired key makes your domain unreachable for anyone behind a validating resolver. Most domains run fine without DNSSEC. It is most valuable for high-value domains where DNS tampering is a real threat and where the operator can manage key rollovers carefully.
- What does a bogus DNSSEC status mean?
- Bogus means the domain is signed but the chain does not validate: a signature is wrong, a key is missing, or a DS digest does not match the DNSKEY it points to. Validating resolvers respond with SERVFAIL instead of an answer, so anyone using such a resolver cannot reach the domain at all. A bogus result is an outage, not a warning. The usual causes are a key rollover that removed a key too early, an expired signature, or DNSSEC being turned off at the DNS host without removing the DS record at the registrar.
- Does DNSSEC improve email deliverability?
- Not directly. Mailbox providers judge deliverability on SPF, DKIM, DMARC, sending reputation, and content, not on whether your zone is signed. DNSSEC helps email indirectly by protecting the integrity of the DNS answers that email authentication depends on, such as your SPF include lookups, DKIM public keys, and MTA-STS policy host. It is also required for DANE (RFC 7672), which some providers use to enforce TLS on inbound mail. Set up SPF, DKIM, and DMARC first; treat DNSSEC as a separate DNS-integrity control.
- What is the difference between a signed domain and a secure one?
- A signed domain publishes DNSKEY records and signs its DNS answers. A secure domain is signed and its parent publishes a matching DS record, so the chain of trust is complete and validating resolvers set the Authenticated Data flag. A domain can be signed but not secure: if the DS record at the parent is missing (partial) or does not match the keys (bogus), resolvers either treat the zone as unsigned or refuse to answer. This checker tells the two apart.
- Is this DNSSEC checker free?
- Yes. The DNSSEC checker is completely free with no signup required. The check runs in your browser using public DNS-over-HTTPS resolvers, so nothing about your query is stored on our servers.
Related tools
DMARC checker
Check any domain's DMARC, SPF and DKIM in seconds.
DMARC generator
Build a valid DMARC record from a few simple choices.
SPF generator
Create and validate an SPF record for your senders.
BIMI generator
Generate the BIMI record that shows your logo in inboxes.
DMARC report analyzer
Decode raw DMARC XML reports into readable results.
MX lookup
Look up the mail servers a domain publishes.
Email header analyzer
Parse email headers to trace delivery and authentication.
BIMI SVG Tiny P/S converter
Convert an SVG logo to the BIMI Tiny P/S profile.
Watch your domain's DNS for changes
A DNSSEC check is a snapshot. A free account watches your domain's DNS records and email authentication around the clock and alerts you the moment a record changes, so an expiring key or a broken delegation never becomes a silent outage.