iPGaze

DNSSEC Check

Check whether a domain is DNSSEC-signed and validates correctly.

About the DNSSEC Check

DNSSEC Check determines whether a domain is signed with DNS Security Extensions and whether the signatures validate correctly. It inspects the DNSKEY and DS records that form the chain of trust and looks for the Authenticated Data (AD) flag returned by a validating resolver. A properly signed and validating domain protects users against DNS spoofing and cache-poisoning attacks.

How to use

  1. Enter the domain you want to test for DNSSEC.
  2. Run the check to retrieve the DNSKEY and DS records.
  3. Review whether the chain of trust is complete and the AD flag is set.

Frequently asked questions

What is DNSSEC?
DNSSEC adds cryptographic signatures to DNS records so resolvers can verify that answers are authentic and unmodified. It defends against spoofing and cache poisoning.

What are DNSKEY and DS records?
DNSKEY holds a zone's public signing keys, and the DS record in the parent zone links to that key. Together they establish the DNSSEC chain of trust.

What does the AD flag indicate?
The Authenticated Data (AD) flag, set by a validating resolver, signals that the response was successfully validated against DNSSEC signatures.