DNSSEC Checker
Check if a domain has DNSSEC enabled and properly validated. Verifies the AD (Authenticated Data) flag, DNSKEY and DS records, and algorithm used. Detects broken or missing DNSSEC chains.
How to Use DNSSEC Checker
1. Enter your domain name (e.g., example.com).
2. The tool queries DNSSEC-validating resolvers with the DO (DNSSEC OK) bit set, so the resolver validates the answer and reports the result.
3. DNSKEY and DS records are fetched and the AD (Authenticated Data) flag in the resolver's answer is checked.
4. A grade from A to F reflects your DNSSEC configuration: A means fully validated, F means DNSSEC is missing or the chain of trust is broken.
Frequently Asked Questions
What is DNSSEC and why does it matter?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that forged DNS responses can be detected and rejected. Without DNSSEC, an attacker on the network path, or a compromised DNS resolver, can answer for your domain and redirect clients to a server they control (DNS spoofing or cache poisoning). DNSSEC builds a chain of trust from the root zone (whose key signing key is managed by ICANN) through the TLD down to your domain. Two caveats practitioners should keep in mind: DNSSEC signs data but does not encrypt it, so it provides integrity and authenticity, not confidentiality; and validation normally happens at the recursive resolver, so the last hop between a client and its resolver is only protected if the client validates itself or talks to the resolver over an authenticated transport such as DNS over TLS or HTTPS.
What is the AD flag and what does it mean?
AD stands for "Authenticated Data". When a DNSSEC-validating resolver (Cloudflare 1.1.1.1 and Google 8.8.8.8 both validate) successfully verifies every signature in the chain of trust for a response, it sets the AD bit in the DNS header. Note that resolvers only set AD when the query signalled interest in it by setting the DO bit (EDNS) or the AD bit itself (for example dig +dnssec or dig +ad); a plain query may come back with AD=0 even for a correctly signed zone. Interpreting the result: AD=1 means a validating resolver confirmed the answer is authentic. AD=0 with a normal answer means either the zone is not in the chain of trust (no DS in the parent, so the resolver treats it as insecure) or the resolver you asked does not validate at all. If validation actually fails (a bogus chain, such as a DS that matches no DNSKEY or an expired RRSIG), a validating resolver does not answer with AD=0; it returns SERVFAIL. To tell a bogus chain apart from an ordinary outage, repeat the query with the CD (Checking Disabled) bit set (dig +cd): if that query succeeds while the normal one fails, DNSSEC validation is the cause. Finally, the AD bit is only as trustworthy as the path to the resolver, since anyone who can alter responses on that path can set the bit.
What is the difference between DNSKEY and DS records?
DNSKEY records live in your zone and carry the public keys used to verify its signatures. Conventionally there are two kinds: the KSK (Key Signing Key, flags=257, i.e. the Zone Key bit plus the SEP bit) which signs the DNSKEY RRset, and the ZSK (Zone Signing Key, flags=256) which signs the rest of your records. Some providers use a single CSK (Combined Signing Key, flags=257) for both roles instead. DS (Delegation Signer) records live in the parent zone, which is operated by the TLD registry; your registrar submits them on your behalf. A DS record holds the key tag, algorithm number, digest type and a digest (SHA-256, digest type 2, is the current standard) computed over the owner name and the DNSKEY RDATA of your KSK. It is the link that connects parent and child in the chain of trust, so both a matching DNSKEY in your zone and a DS in the parent are required for a resolver to validate your domain.
My domain has DNSKEY but no DS records — is DNSSEC working?
No. If DNSKEY records are published but no DS record is registered in the parent zone, the chain of trust stops at the TLD. Validating resolvers see a signed proof that no DS exists and treat your domain as insecure (not bogus, so it still resolves, but nothing is validated). To complete DNSSEC: (1) have your authoritative DNS provider sign the zone and publish DNSKEY records, (2) obtain the DS record for your KSK (providers normally display it; it can also be derived from the DNSKEY), (3) submit the DS record to your domain registrar through their control panel and confirm afterwards that it appears in the parent zone. Without the DS in the parent, DNSSEC is effectively not enabled. The opposite mistake is more damaging: a DS in the parent that matches no DNSKEY in your zone makes the chain bogus, and validating resolvers then return SERVFAIL for the whole domain. So before changing DNS providers, rolling the KSK, or turning signing off, remove or update the DS first and wait for the old records' TTLs to expire.
Which DNSSEC algorithm should I use?
Good choices for new deployments, following RFC 8624: ECDSA P-256 with SHA-256 (algorithm 13), currently the most widely deployed option, with small keys and signatures and support in every mainstream validator; Ed25519 (algorithm 15), the most modern choice, with the smallest keys and fastest signing, supported by current validating resolvers and a growing number of DNS providers; and RSA with SHA-256 (algorithm 8), the most broadly compatible but with much larger keys and signatures, which matters for response size. Avoid RSA/MD5 (1), DSA (3 and 6) and RSA/SHA-1 (5 and 7); these are deprecated for signing and RSA/MD5 and DSA must not be used at all. Before picking Ed25519, check two things: that your registrar and the TLD accept DS records for algorithm 15 (not all do yet), and that the validators you care about support it, because a validator that does not know an algorithm treats the zone as insecure rather than validating it. For the DS record itself, use the SHA-256 digest (type 2); SHA-1 digests (type 1) are deprecated.
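The record-level half of the checks described above (classifying DNSKEY flags, deriving the DS record from a KSK per RFC 4034, confirming that a published DS matches a DNSKEY, flagging deprecated algorithms and SHA-1 DS digests, and interpreting the AD bit) can be done offline. The following Python script is an added worked example, not the checker's own code: it uses only the standard library, the key material is constructed (all-zero key bytes, so nothing here is a real key), and the A-F rubric in chain_status is an assumption chosen for illustration since the page does not publish the tool's rubric. The RFC 8624 status table and the key-tag and DS computations are standard.

```python
"""Offline DNSSEC record checks on constructed data (added example; no network I/O)."""
import base64
import hashlib
import struct

# Algorithm status per RFC 8624 (assumption: table kept in sync with current guidance).
# 1/3/6 must not be used; 5/7 are deprecated for signing; 8/13/15 are the usual choices.
WEAK_ALGORITHMS = {1: "RSA/MD5", 3: "DSA/SHA-1", 5: "RSA/SHA-1",
                   6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
ACCEPTABLE_ALGORITHMS = {8: "RSA/SHA-256", 13: "ECDSA P-256/SHA-256",
                         14: "ECDSA P-384/SHA-384", 15: "Ed25519", 16: "Ed448"}
# DS digest types: 1 (SHA-1) is deprecated, 2 (SHA-256) is the standard choice.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def parse_dnskey(rdata_text):
    """Parse DNSKEY presentation RDATA: 'flags protocol algorithm base64key...'."""
    flags, protocol, algorithm, *key_parts = rdata_text.split()
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    key = base64.b64decode("".join(key_parts))
    return {"flags": flags, "algorithm": algorithm, "key": key,
            "rdata": struct.pack("!HBB", flags, protocol, algorithm) + key}


def key_role(flags):
    """Bit 0x100 marks a Zone Key, bit 0x1 is SEP: 257 = KSK (or CSK), 256 = ZSK."""
    if not flags & 0x100:
        return "not-a-zone-key"
    return "KSK" if flags & 0x1 else "ZSK"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner):
    """Canonical (lower-case) wire form of an owner name, e.g. example.com."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner, dnskey, digest_type=2):
    """DS RDATA for a DNSKEY: digest over owner name (wire form) || DNSKEY RDATA."""
    digest = DS_DIGESTS[digest_type](wire_name(owner) + dnskey["rdata"]).hexdigest().upper()
    return f"{key_tag(dnskey['rdata'])} {dnskey['algorithm']} {digest_type} {digest}"


def ds_matches(owner, dnskey, ds_text):
    """True if a DS record (as published in the parent) was derived from this DNSKEY."""
    tag, algorithm, digest_type, *digest_parts = ds_text.split()
    expected = ds_from_dnskey(owner, dnskey, int(digest_type)).split()
    return expected == [tag, algorithm, digest_type, "".join(digest_parts).upper()]


def chain_status(owner, dnskeys, ds_records, ad_flag):
    """Classify the delegation the way a validator would, then grade it.
    The A-F rubric is an assumption for this example, not the tool's own."""
    if not dnskeys:
        return "unsigned: no DNSKEY published", "F"
    if not ds_records:
        return "insecure: DNSKEY published but no DS in the parent zone", "D"
    # SEP is only a hint (RFC 4034 2.1.1), so any zone key may back a DS.
    zone_keys = [k for k in dnskeys if key_role(k["flags"]) != "not-a-zone-key"]
    matched = [ds for ds in ds_records if any(ds_matches(owner, k, ds) for k in zone_keys)]
    if not matched:
        return "bogus: no DS matches a DNSKEY (validators return SERVFAIL)", "F"
    if any(k["algorithm"] in WEAK_ALGORITHMS for k in dnskeys):
        return "secure, but a deprecated signing algorithm is in use", "C"
    if all(ds.split()[2] == "1" for ds in matched):
        return "secure, but only SHA-1 DS digests are published", "C"
    if not ad_flag:
        return "chain complete but resolver did not set AD (not validating, or DO bit unset)", "B"
    return "secure", "A"


def make_dnskey(flags, algorithm, key_bytes):
    """Build presentation RDATA for a constructed (not real) key."""
    return f"{flags} 3 {algorithm} {base64.b64encode(key_bytes).decode()}"


# Constructed sample zone: an ECDSA P-256 KSK/ZSK pair with all-zero key bytes.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = parse_dnskey(make_dnskey(257, 13, bytes(64)))
SAMPLE_ZSK = parse_dnskey(make_dnskey(256, 13, bytes(64)))
SAMPLE_DS = ds_from_dnskey(SAMPLE_OWNER, SAMPLE_KSK)

if __name__ == "__main__":
    print("KSK key tag:", key_tag(SAMPLE_KSK["rdata"]), "DS:", SAMPLE_DS)
    print(chain_status(SAMPLE_OWNER, [SAMPLE_KSK, SAMPLE_ZSK], [SAMPLE_DS], ad_flag=True))
    print(chain_status(SAMPLE_OWNER, [SAMPLE_KSK, SAMPLE_ZSK], [], ad_flag=False))
    print(chain_status(SAMPLE_OWNER, [SAMPLE_ZSK], [SAMPLE_DS], ad_flag=True))
```

To use it against a real domain, feed parse_dnskey the RDATA of the DNSKEY records served by your authoritative name servers and ds_records the DS RDATA returned by the parent, and pass the AD bit from a validating resolver's answer; ds_matches is also the check to run after submitting a DS to your registrar, before you trust that the chain is complete. The key-tag function deliberately has no special case for RSA/MD5 (algorithm 1), whose tag is defined differently, because that algorithm must not be used anyway.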