
DNSSEC Checker

Enter a domain to check if DNSSEC is enabled, protecting against DNS spoofing attacks.

DNSSEC checks run server-side via Google and Cloudflare resolvers.

How to use DNSSEC Checker

The DNSSEC checker inspects whether a domain has DNS Security Extensions enabled and whether its chain of trust validates correctly, examining the DNSKEY, DS and RRSIG records involved. DNSSEC adds cryptographic signatures to DNS answers so resolvers can detect tampering and cache-poisoning attacks that would otherwise redirect users to malicious servers without any visible sign. Use this tool to confirm DNSSEC is active for your domain, to verify the DS record at the registrar matches your zone, or to diagnose the validation failures that can make a signed domain unreachable.

  1. Enter the domain you want to check for DNSSEC.
  2. Click Check to query its DNSKEY, DS and signature records.
  3. Confirm whether DNSSEC is enabled and validating.
  4. Verify the DS record at the parent matches the zone’s key.
  5. Investigate any chain-of-trust break the tool reports.

How the chain of trust works

DNSSEC builds a chain from the root zone down to your domain. Your zone signs its records with a key whose fingerprint is published as a DS record in the parent zone; the parent in turn is signed by its parent, all the way to the trusted root. A resolver validates each link in this chain. If any link is broken — most commonly a DS record at the registrar that no longer matches the zone’s active key after a key rollover — validation fails and security-aware resolvers return errors instead of answers, making the domain appear down.
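The DS-to-DNSKEY link described above can be checked by hand. The following is an added example, not this tool's own code: it computes the key tag and the SHA-256 DS digest defined in RFC 4034 and compares them with the DS held by the parent. The function names, the `example.com` owner name and the key bytes are constructed for illustration, and only digest type 2 (SHA-256) is handled.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lowercase) wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as it appears on the wire: flags | protocol | algorithm | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name | DNSKEY RDATA, as hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def check_ds(owner, ds, dnskeys):
    """Compare a parent DS (key_tag, algorithm, digest_type, digest_hex)
    against the child's list of DNSKEY RDATA values."""
    tag, alg, dtype, digest = ds
    if dtype != 2:
        return "unsupported digest type"
    # The key tag is only a hint; several keys can share it, so hash every candidate.
    candidates = [r for r in dnskeys if key_tag(r) == tag and r[3] == alg]
    if not candidates:
        return "no DNSKEY with this key tag"
    if any(ds_digest(owner, r) == digest.lower() for r in candidates):
        return "match"
    return "digest mismatch"

# Constructed sample data (not real keys): a KSK (flags 257, algorithm 13) and its successor.
OLD_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
# The DS the parent still publishes, generated from the old key.
PARENT_DS = (key_tag(OLD_KSK), 13, 2, ds_digest("example.com", OLD_KSK))

if __name__ == "__main__":
    print("before rollover:", check_ds("example.com", PARENT_DS, [OLD_KSK]))
    print("after rollover: ", check_ds("example.com", PARENT_DS, [NEW_KSK]))
```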

Benefits and operational care

When it validates, DNSSEC guarantees the DNS answers a user receives are exactly what the domain owner published, defeating cache poisoning and many man-in-the-middle redirects. The trade-off is operational: signed zones must be maintained carefully, and key rollovers must be coordinated with the DS record at the registrar or the domain breaks for everyone using a validating resolver. Because such failures are all-or-nothing and hard to spot from an unvalidating client, periodic checks like this one are the best early warning.

DNSSEC records

| Record | Role |
| --- | --- |
| DNSKEY | The public keys that sign the zone |
| DS | A key fingerprint held by the parent zone |
| RRSIG | The signatures over each record set |

Glossary

DNSSEC
DNS Security Extensions that cryptographically sign DNS records.
DNSKEY
A record holding the public keys used to sign a zone.
DS record
A delegation signer record in the parent zone that anchors trust.
RRSIG
A signature record proving a record set is authentic.
Chain of trust
The linked signatures from the root zone down to a domain.


Why use DNSSEC Checker?

  • Real-time DNS lookups using live resolver queries
  • Supports IPv4 and IPv6 addresses
  • No software to install — runs entirely in the browser
  • Results include TTL values and record priority

Common use cases

  • Verify DNS propagation after updating nameservers
  • Check MX records when troubleshooting email delivery
  • Look up SPF/DKIM/DMARC records for email security audits
  • Test whether an SSL certificate is valid and up to date
  • Find the IP address behind a domain name
