Live DNSSEC validation

DNSSEC Checker

Check whether a domain has valid DNSSEC. See the chain of trust, DS, DNSKEY, and RRSIG records per zone, and the AD bit from a validating resolver.

Checked in your browser, no account required. Monitor your DMARC posture continuously.

See plans →

What this DNSSEC checker validates

Enter any domain and this tool queries a DNSSEC-validating resolver to check whether the domain has a complete and trusted chain of signatures from the DNS root down to the queried zone. Useful for verifying DNSSEC deployment, diagnosing broken delegation, or confirming that a registrar published your DS record correctly.

What the result shows

  • Status: secure (valid chain), insecure (unsigned delegation), or bogus (broken chain)
  • AD bit: whether the validating resolver set the Authenticated Data flag, meaning the answer passed its DNSSEC validation
  • DS: Delegation Signer record published in the parent zone; it carries a digest of the child zone's key-signing DNSKEY and is the link between the two zones
  • DNSKEY: the public keys published in the zone; the key-signing key (KSK, flags 257) is what the parent's DS points at, and the zone-signing key (ZSK, flags 256) signs the other record sets
  • RRSIG: the signature over a DNS record set, made with the zone's private key (the ZSK for most record sets, the KSK for the DNSKEY set itself); it carries inception and expiration times, so it is only valid inside that window

Frequently asked questions

What does DNSSEC do?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so resolvers can verify that a response was signed by the zone's key and was not modified in transit or in a cache. Without DNSSEC, an attacker who can intercept DNS traffic or poison a resolver's cache can redirect visitors to a server they control, and nothing in the protocol reveals it. DNSSEC builds a chain of trust anchored at the DNS root key that validators follow delegation by delegation down to your domain. It provides authenticity and integrity only: queries and answers are still sent in the clear, so it is not a substitute for DNS over TLS or HTTPS.
My domain shows 'unsigned' (insecure). Is that a problem?
Not necessarily. Most domains do not use DNSSEC. An insecure status means the validator found a signed proof from the parent zone (an NSEC or NSEC3 record) that no DS exists for your domain, so it treats the zone as legitimately unsigned and resolves it normally, just without cryptographic verification. Whether you need DNSSEC depends on your threat model and registrar support. For high-value domains where DNS hijacking would be damaging, enabling DNSSEC is a worthwhile hardening step, provided you also commit to re-signing before signatures expire and to keeping the DS at the registrar in step with key rollovers.
What does 'bogus' mean?
Bogus means DNSSEC is configured but the chain of trust does not verify. A validating resolver answers SERVFAIL instead of returning the records, so users on those resolvers (including the major public resolvers) cannot reach the domain, while users on non-validating resolvers see nothing wrong, which makes the outage easy to misdiagnose. Common causes are an expired RRSIG (signatures carry an expiration time and the zone must be re-signed before it), a DS record in the parent zone that does not match any DNSKEY in the child zone (for example after a key rollover without updating the registrar), a missing DNSKEY, or a signing host whose clock is far enough off that signatures appear not yet valid. The reason field in the result explains the specific failure.
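As an added illustration of the DS/DNSKEY link described above (example code written for this page, not the checker's own code): it computes the key tag and DS digest for a DNSKEY the way RFC 4034 and RFC 4509 specify, then classifies the delegation the way a validator does. The keys are constructed toy values (four-byte "public keys" under a made-up example.com zone), not real signing material; the matching logic is the real one, and it reproduces the stale-DS-after-rollover failure.

```python
from __future__ import annotations
import base64
import hashlib
import struct

# Digest types from the DS record registry (RFC 4034 / RFC 4509 / RFC 6605).
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B). It is a checksum, not a hash, so it only
    narrows down which DNSKEY a DS refers to; the digest does the real matching."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical owner name (RFC 4034 section 6.2): lowercase labels in wire format."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA the parent should publish for this DNSKEY:
    (key tag, algorithm, digest type, hex digest over owner-name || DNSKEY RDATA)."""
    digest = DS_DIGESTS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """Does a DS from the parent zone refer to this child DNSKEY?"""
    tag, alg, dtype, digest = ds
    if dtype not in DS_DIGESTS:
        return False  # unsupported digest type: this DS cannot be used for matching
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.upper())


def delegation_status(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """Classify the parent->child link the way a validator does."""
    if not parent_ds:
        # Unsigned delegation. A real validator also requires the parent's
        # NSEC/NSEC3 proof that the DS really is absent before calling it insecure.
        return "insecure"
    if any(ds_matches(owner, key, ds) for ds in parent_ds for key in child_dnskeys):
        # A DS anchors a DNSKEY; the validator then checks the RRSIG over the DNSKEY set.
        return "secure"
    # DS published but no DNSKEY matches: the classic rollover-without-updating-the-registrar failure.
    return "bogus"


# Constructed toy keys (4-byte "public keys", not real ECDSA material); flags 257 = KSK/SEP.
OLD_KSK = dnskey_rdata(257, 3, 13, "AQIDBA==")
NEW_KSK = dnskey_rdata(257, 3, 13, "BQYHCA==")
OWNER = "example.com."

if __name__ == "__main__":
    ds_old = make_ds(OWNER, OLD_KSK)
    print("DS for old KSK:", ds_old)  # key tag 2068
    print("before rollover:", delegation_status(OWNER, [ds_old], [OLD_KSK]))
    print("rolled, DS not updated:", delegation_status(OWNER, [ds_old], [NEW_KSK]))
    print("rolled, DS updated:", delegation_status(OWNER, [make_ds(OWNER, NEW_KSK)], [NEW_KSK]))
```

To use it on a real zone, paste the DNSKEY fields from `dig +dnssec DNSKEY example.com` into `dnskey_rdata` and compare `make_ds` with what `dig DS example.com` returns from the parent: a mismatch on the digest with the same key tag is almost always a re-generated key, a mismatch on the key tag is a DS left over from a previous key.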
What is the AD bit?
The Authenticated Data (AD) bit is a flag a DNSSEC-validating resolver sets in its response when every record set in the answer and authority sections passed validation. If the AD bit is set and the status is secure, the resolver has confirmed the data is authentic. It is not set for unsigned domains or when validation fails. Two caveats: a resolver only sets AD when the client asked for it (the DO bit in an EDNS OPT record or AD in the query) and never when the query set the CD (checking disabled) bit; and the flag itself is not signed, so it is only meaningful over a path you trust, such as a validator on localhost or a DoT/DoH connection to a resolver you chose. Anything on the path of a plaintext UDP query could set it.
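An added example, not the checker's code, of reading the AD bit and the response code off a raw DNS header and mapping them to the three statuses the result shows. The three responses are constructed header-only packets, not captured traffic. It also shows the standard trick for telling a validation failure from an ordinary outage: repeat the query with CD=1, and if that succeeds where the plain query got SERVFAIL, the zone is bogus.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2).
FLAG_QR = 1 << 15  # response
FLAG_RD = 1 << 8   # recursion desired
FLAG_RA = 1 << 7   # recursion available
FLAG_AD = 1 << 5   # authenticated data
FLAG_CD = 1 << 4   # checking disabled
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header at the start of a wire-format DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
        "counts": (qd, an, ns, ar),
    }


def dnssec_status(response: bytes) -> str:
    """Map a validating resolver's response to the checker's statuses.

    secure   : NOERROR/NXDOMAIN with AD set (authenticated denial counts too)
    insecure : NOERROR/NXDOMAIN without AD (unsigned, or the resolver does not validate)
    bogus    : SERVFAIL, which is how a validation failure reaches the client
    unknown  : CD was set (validation skipped) or an unrelated rcode
    """
    h = parse_header(response)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["cd"]:
        return "unknown"  # resolver echoed CD: it did not validate, so AD means nothing
    if h["rcode"] == RCODE_SERVFAIL:
        return "bogus"
    if h["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "secure" if h["ad"] else "insecure"
    return "unknown"


def diagnose(plain: bytes, with_cd: bytes) -> str:
    """Separate a DNSSEC failure from a plain outage using a second query sent with CD=1.
    SERVFAIL on the normal query but an answer with CD=1 means validation is what failed."""
    p, c = parse_header(plain), parse_header(with_cd)
    if p["rcode"] == RCODE_SERVFAIL and c["rcode"] != RCODE_SERVFAIL:
        return "bogus"
    if p["rcode"] == RCODE_SERVFAIL:
        return "servfail"  # the nameservers or resolver are broken; not a DNSSEC verdict
    if p["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN):
        return "secure" if p["ad"] else "insecure"
    return "unknown"


def build_response(ident: int, flags: int) -> bytes:
    """Constructed header-only response for offline use (no question or answer sections)."""
    return struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)


# Constructed sample responses, not captured traffic.
SECURE = build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)         # flags 0x81A0
INSECURE = build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA)                 # flags 0x8180
BOGUS = build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL)   # flags 0x8182
CD_OK = build_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD)          # flags 0x8190

if __name__ == "__main__":
    for name, pkt in (("secure", SECURE), ("insecure", INSECURE), ("bogus", BOGUS)):
        print(name, "->", dnssec_status(pkt), parse_header(pkt))
    print("SERVFAIL but answers with CD=1 ->", diagnose(BOGUS, CD_OK))
    print("SERVFAIL either way ->", diagnose(BOGUS, BOGUS))
```

On real traffic, feed `parse_header` the bytes read from a UDP socket after sending a query with an EDNS OPT record carrying the DO bit; without DO (or AD) in the query most resolvers will not set AD in the reply even for a secure zone.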

Need to monitor your DMARC and DNS posture over time?

DMARCdrift tracks your DNS configuration continuously and alerts you when records change unexpectedly, so you catch misconfigurations before they affect deliverability or domain trust.

Get started free →

Get notified when your DNS configuration changes. Free monitoring.
