DNSSEC Checker

Query a domain's DNSKEY record against multiple public DNS resolvers (Google, Cloudflare, and more) to check whether its DNSSEC signature chain validates correctly.

Tips

  • The AD (Authenticated Data) flag is only set when the DNS resolver you queried performed DNSSEC validation itself. Resolvers that don't support DNSSEC can't give a meaningful result.
  • "DNSSEC not enabled" is not an error — most domains still don't use DNSSEC, and it has no direct effect on search ranking or email deliverability.
  • If validation fails, first check whether the key tag and digest in the DS record registered at your registrar match your current DNSKEY.
  • DNSSEC signatures (RRSIG) have an expiration date. Confirm that your DNS software's automatic re-signing hasn't stopped.
  • Right after enabling DNSSEC, validation may briefly show as "failed" until the DS record propagates to the parent zone.

Frequently Asked Questions

"DNSSEC not enabled" by itself is not dangerous — the large majority of domains still operate without it. That said, enabling it is worth considering as a defense against DNS cache poisoning if you have the option.

Users on resolvers that enforce DNSSEC (many corporate networks and some ISPs) may be unable to resolve the domain at all, since it gets treated as SERVFAIL. Unless this is a temporary state right after enabling DNSSEC while the DS record propagates, it needs prompt fixing.

Right after a DNSKEY rollover (key rotation), old and new keys can briefly coexist across resolver caches, causing validation results to differ temporarily. Wait a while and check again.

No. DNSSEC guarantees that a name-resolution response hasn't been tampered with, while SSL/TLS guarantees that the connection itself is encrypted and that the server holds the certificate it presents. They're independent — a domain can have one without the other.

This tool only checks surface-level status: whether a DNSKEY is published and whether resolvers report the AD flag. For a rigorous analysis of the full signature chain (RRSIG/NSEC/NSEC3 consistency, etc.), pair this with a specialized tool such as dnsviz.net.
ツールくん

Side Note — Why DNS needed a way to stop spoofing

When DNS was designed in 1983, it had no cryptographic way to confirm who actually sent a response. A resolver trusted any UDP packet that arrived with a plausible-looking transaction ID — a protocol built on good faith, vulnerable to source-IP spoofing and ID guessing. In 2008, security researcher Dan Kaminsky showed the industry that this weakness could be exploited to perform practical, fast cache poisoning attacks (injecting forged records into a resolver's cache), a discovery that sent shockwaves through the DNS community.

DNSSEC (DNS Security Extensions) is the standardized answer to that problem. It uses public-key cryptography to prove that a response was signed by the zone's legitimate operator. A domain signs its records with its DNSKEY, and a DS record registered in the parent zone attests to that key's digest — building an unbroken chain of trust from the DNS root down to the individual domain.

The AD (Authenticated Data) flag in a DoH (DNS over HTTPS) response is the result of the resolver performing that DNSSEC validation on your behalf. Applications don't need to implement signature verification themselves — querying a trusted resolver and seeing AD=true is an indirect assurance that the response wasn't tampered with, provided the transport between the resolver and the app (HTTPS) is separately secured.