OneWebDesk

DNSSEC Checker

Check whether a domain has DNSSEC (DS/DNSKEY) enabled.

DNSSEC Checker verifies whether a domain has DNSSEC (DNS Security Extensions) signing enabled. It queries the DS record registered in the parent zone and the zone's own DNSKEY record in parallel, then tells you at a glance whether the domain is signed.

A DNSSEC-signed domain lets resolvers cryptographically verify that responses haven't been tampered with, protecting DNS answers from attacks like cache poisoning. Just enter a domain — no protocol or path needed. Queries go to a trusted public resolver over DNS over HTTPS. Check the domain's other records with DNS Record Lookup and its delegated nameservers with NS Check.

What DNSSEC is

Plain DNS responses aren't signed, so a tampered answer is hard for clients to detect. DNSSEC attaches a digital signature to each zone's records and validates that signature through a chain of trust up to the parent zone, guaranteeing the integrity and origin of responses.

DS records and DNSKEY records

  • DNSKEY: the public key a zone uses to sign its own records. It lives inside the zone.
  • DS (Delegation Signer): a hash of the DNSKEY, registered in the parent zone (e.g. .com). It links a parent's trust to the child zone's key.
  • If either record exists, this tool reports DNSSEC as enabled. Full validation, however, requires both DS and DNSKEY to be correctly linked.

Why it matters

The DS record must be registered in the parent zone for the chain of trust to complete. If a DNSKEY exists but no DS, validation may not actually happen. When you move a domain or roll over keys, a missing DS entry can cause DNSSEC validation failures that block access to the site — so periodic checks are worthwhile.
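As an added example (not the tool's own code), the DS/DNSKEY link described above can be checked offline: the DS digest is computed from a DNSKEY per RFC 4034 (key tag, algorithm, hash of owner name plus RDATA), compared with what the parent publishes, and the result classified by the rule this page states (either record means "enabled", both present means the link is verified). The owner name and the four-byte "public key" used in the test are constructed sample values, not a real key.

```python
import base64
import hashlib

# DS digest types (RFC 4034, RFC 4509): 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical (lowercase, absolute) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text):
    """'flags protocol algorithm base64key' -> RDATA: flags(2) | proto(1) | alg(1) | key."""
    flags, proto, alg, b64 = text.split()
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode(b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), as lowercase hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def make_ds(owner, dnskey_text, digest_type=2):
    """The DS record to register in the parent for this DNSKEY: 'tag alg dtype hex'."""
    rdata = parse_dnskey(dnskey_text)
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches(owner, ds_text, dnskey_text):
    """True when the parent's DS really vouches for this DNSKEY (tag, algorithm, digest)."""
    tag, alg, dtype, digest = ds_text.split()
    rdata = parse_dnskey(dnskey_text)
    return (int(dtype) in DIGEST_ALGS and int(tag) == key_tag(rdata) and int(alg) == rdata[3]
            and ds_digest(owner, rdata, int(dtype)) == digest.lower())

def dnssec_status(owner, ds_records, dnskey_records):
    """The page's rule: either record => enabled; both present => is the chain linked?"""
    if not ds_records and not dnskey_records:
        return "not enabled"
    if ds_records and dnskey_records:
        linked = any(ds_matches(owner, d, k) for d in ds_records for k in dnskey_records)
        return "enabled, chain linked" if linked else "enabled, DS matches no DNSKEY"
    return "enabled, DNSKEY only (no DS)" if dnskey_records else "enabled, DS only (no DNSKEY)"
```

Feed `make_ds` the KSK from your zone's DNSKEY set and the output is exactly the DS presentation your registrar needs; feed `dnssec_status` the two record sets fetched from the parent and the zone and it reproduces the "DNSKEY but no DS" case the FAQ warns about.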

Frequently asked questions

Does it check the AD flag?
No. Due to tool limitations, it doesn't inspect the resolver's AD (Authenticated Data) flag; it determines DNSSEC status from the presence of DS or DNSKEY records. For full chain validation, use a dedicated validator.
What if there's a DNSKEY but no DS?
The zone has signatures internally, but the parent zone doesn't vouch for that key. The chain of trust is broken, so validation may not work. You'd need to register a DS record with your registrar.
Is the domain I enter stored anywhere?
No. Only the domain name is queried against a public DNS resolver over DNS over HTTPS, and results are briefly cached (about 2 minutes) to reduce load. Nothing else is stored.
It says DNSSEC isn't enabled — is that a security problem?
Lacking DNSSEC isn't an immediate vulnerability by itself. But you're missing an extra layer of defense against DNS response tampering like cache poisoning, so enabling it is recommended for security-sensitive domains.
