DNSSEC Checker
What Is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is a suite of specifications that adds cryptographic authentication to DNS responses. Without DNSSEC, DNS is vulnerable to spoofing attacks where an attacker intercepts DNS queries and returns false responses, redirecting users to malicious websites. DNSSEC solves this by allowing resolvers to verify that DNS data is authentic and has not been modified in transit.
DNSSEC works through a chain of trust rooted at the DNS root zone. Each DNS zone signs its records with a private key and publishes the corresponding public key as a DNSKEY record. The parent zone (for example, .com for example.com) stores a DS (Delegation Signer) record that contains a hash of the child zone's public key. This creates a verifiable chain from the root servers all the way down to your domain's records.
When a DNSSEC-validating resolver receives a DNS response, it checks the RRSIG (Resource Record Signature) records attached to the answer. It verifies the signature using the DNSKEY record, then follows the chain of DS records up to a trusted anchor (the root zone's key, which is built into resolvers). If any link in the chain is broken or invalid, the resolver returns a SERVFAIL error instead of the potentially spoofed data.
Enabling DNSSEC is recommended for all domains. Major DNS providers including Cloudflare, Google Cloud DNS, and AWS Route 53 support one-click DNSSEC activation. The main consideration is that misconfigured DNSSEC can make your domain unreachable for users behind validating resolvers - but this is preferable to serving potentially poisoned DNS data. Our tool checks whether DNSSEC is enabled and whether the configuration validates correctly.
After checking DNSSEC, verify your DNS records are correct, check your nameserver configuration, or test DNS propagation across global resolvers.
Frequently Asked Questions
What is DNSSEC?
DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that responses are authentic and untampered. It protects against DNS spoofing and cache poisoning attacks.
How does DNSSEC work?
DNSSEC uses public key cryptography. Domain owners sign their DNS zone with a private key, and the public key is published as a DNSKEY record. A chain of trust extends from the root DNS servers through the TLD to the domain using DS records.
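The chain-of-trust check described in the section above and in this answer comes down to one concrete test at each delegation: does the DS record published in the parent zone match a DNSKEY published in the child zone? The following is an added example, not the checker tool's own code, showing that test as a validating resolver performs it (RFC 4034 section 5.1.4 digest construction and Appendix B key tag). The DNSKEY value `257 3 13 AQIDBA==` is a constructed toy key used only so the script runs offline; real keys are far longer.

```python
import base64
import hashlib
import struct

# DS digest types a validator understands (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(text: str) -> bytes:
    """DNSKEY presentation format 'flags protocol algorithm base64' -> RDATA wire bytes."""
    flags, protocol, algorithm, *key_parts = text.split()
    public_key = base64.b64decode("".join(key_parts))
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """What the parent zone should publish for this key: 'keytag algorithm digesttype hexdigest'."""
    algorithm = rdata[3]
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches_dnskey(owner: str, ds_text: str, dnskey_text: str) -> bool:
    """True if the parent's DS record authenticates this child DNSKEY record."""
    tag, algorithm, digest_type, *digest_parts = ds_text.split()
    digest_type = int(digest_type)
    if digest_type not in DS_DIGESTS:
        return False  # unknown digest type: treat this DS as unusable, not as valid
    rdata = parse_dnskey(dnskey_text)
    flags, protocol = struct.unpack("!HB", rdata[:3])
    if protocol != 3 or not flags & 0x0100:
        return False  # protocol must be 3 and the ZONE flag must be set
    if key_tag(rdata) != int(tag) or rdata[3] != int(algorithm):
        return False  # cheap mismatch before hashing
    expected = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return expected.lower() == "".join(digest_parts).lower()


def chain_links(owner: str, ds_records: list, dnskey_records: list) -> list:
    """Every (DS, DNSKEY) pair that forms a valid link; an empty list means a broken chain."""
    return [(ds, key) for ds in ds_records for key in dnskey_records
            if ds_matches_dnskey(owner, ds, key)]


if __name__ == "__main__":
    # Constructed toy key; a real key-signing key is hundreds of bytes.
    child_key = "257 3 13 AQIDBA=="
    parent_ds = ds_from_dnskey("example.com.", parse_dnskey(child_key))
    print("DS the parent should hold:", parent_ds)
    print("link valid:", chain_links("example.com.", [parent_ds], [child_key]) != [])
    print("tampered key:", chain_links("example.com.", [parent_ds], ["257 3 13 AQIDBQ=="]))
```

In practice the checker fetches the DS set from the parent (the `.com` servers for `example.com`) and the DNSKEY set from the child's own nameservers, then runs the pairing above; a DS that matches no published DNSKEY is exactly the misconfiguration that makes validating resolvers answer SERVFAIL, for example after a key rollover where the parent's DS was never updated.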
Should I enable DNSSEC for my domain?
Yes, DNSSEC is recommended for all domains. Most major DNS providers support easy DNSSEC activation. The main risk of misconfiguration is that your domain may become unreachable if signatures are invalid.
What happens if DNSSEC validation fails?
Validating resolvers return a SERVFAIL error instead of the DNS response, making the domain unreachable. This is by design - it is better to fail than to return potentially spoofed results.