Why check DNSSEC?
DNSSEC (DNS Security Extensions) adds a cryptographic verification layer to DNS. Without DNSSEC, an attacker can forge DNS responses to redirect traffic to malicious servers (cache poisoning).
Three reasons to check your DNSSEC:
- Security: Ensure the chain of trust is intact and visitors actually reach your servers
- Compliance: More and more organizations require DNSSEC for sensitive domains
- Issue detection: Identify orphan DS records, weak algorithms or expired signatures before they cause outages
How to use the DNSSEC Checker in 3 steps
Step 1: Enter your domain
Enter the domain name to check (for example cloudflare.com or nic.fr). The tool accepts any domain, whether DNSSEC-signed or not.
Step 2: Analyze the zone-by-zone report
The tool walks the chain of trust from the DNS root:
- Root (.): Trust anchor verification
- TLD (e.g., .com): DS and DNSKEY verification for the TLD
- Your domain: DS, DNSKEY and RRSIG verification
For each zone, you see the DS, DNSKEY and RRSIG records along with their validation status.
Step 3: Fix detected issues
The report clearly identifies:
- Errors (broken chain, invalid signatures)
- Warnings (orphan DS, weak algorithms)
- Information (CSK detected, i.e. a single combined signing key used as both KSK and ZSK; out-of-bailiwick NS)
What is the DNSSEC chain of trust?
The DNSSEC chain of trust works as a series of cascading verifications:
```text
Root (.)
|-- TLD DS --> verifies the TLD DNSKEY
|-- The TLD ZSK signs your domain's DS
|-- Your domain's DS --> verifies your DNSKEY (KSK)
|-- Your KSK signs the DNSKEY RRSet
|-- Your ZSK signs the data (A, MX, SOA, NS)
```
Each link depends on the previous one. If a single link is broken, the entire validation fails.
What exactly does the tool check?
| Element | Description | Result |
|---|---|---|
| DS Records | DS records published at the parent | Match with DNSKEY, orphans, weak digest |
| DNSKEY Records | Zone public keys (KSK/ZSK) | Presence, algorithm, DS association |
| RRSIG on DS | DS RRSet signature by the parent's ZSK | Cryptographic validity |
| RRSIG on DNSKEY | DNSKEY RRSet signature by the KSK | Cryptographic validity |
| Algorithms | Signing algorithm type | Deprecated algorithm detection (RFC 8624) |
| DS Digests | DS hash type | Deprecated SHA-1 detection |
Common diagnostics and solutions
Orphan DS (DNSSEC_DS_ORPHAN)
Symptom: A DS record is published at the parent but no matching DNSKEY exists in your zone.
Likely cause: An incomplete key rollover, or the old DNSKEY was removed from your zone before the matching DS was removed at the parent.
Action: Remove the orphan DS at your registrar, or add the corresponding DNSKEY in your zone.
Weak algorithm (DNSSEC_WEAK_ALGO)
Symptom: Your zone uses a signing algorithm considered insecure.
Action: Plan a migration to ECDSAP256SHA256 (algorithm 13) or ED25519 (algorithm 15).
SHA-1 digest (DNSSEC_WEAK_DIGEST)
Symptom: Your DS uses SHA-1 as the digest type.
Action: Add a DS with SHA-256 (type 2) alongside it, then remove the SHA-1 DS once propagation is complete.
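The DS and DNSKEY checks from the table above and the three diagnostics (orphan DS, weak algorithm, SHA-1 digest) can be reproduced offline once you have the records in hand. The following Python is an added example, not the checker's own code: it recomputes the DS digest from a DNSKEY (RFC 4034, owner name wire form plus DNSKEY RDATA), derives the key tag, and reports findings under the codes used on this page. The weak-algorithm set is a simplified reading of RFC 8624 (an assumption), and the sample KSK is a constructed record with a fake 4-byte public key, not a real ECDSA key.

```python
import hashlib
import struct
# Simplified RFC 8624 view (assumption): algorithms and digest types worth warning on.
WEAK_ALGORITHMS = {1, 3, 5, 6, 7, 12}   # RSAMD5, DSA, RSASHA1, DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1, ECC-GOST
DIGEST_HASH = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
WEAK_DIGESTS = {1}                       # SHA-1 DS digests

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA as sent on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except obsolete RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(name, rdata, digest_type):
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_HASH[digest_type](owner_wire(name) + rdata).hexdigest()

def check_ds(name, dnskeys, ds_records):
    """dnskeys: (flags, protocol, algorithm, pubkey) tuples from the child zone;
    ds_records: (key_tag, algorithm, digest_type, hex_digest) tuples from the parent."""
    findings, keys = [], {}
    for flags, proto, alg, pub in dnskeys:
        rd = dnskey_rdata(flags, proto, alg, pub)
        keys[(key_tag(rd), alg)] = rd
        if alg in WEAK_ALGORITHMS:
            findings.append(("DNSSEC_WEAK_ALGO", f"DNSKEY tag {key_tag(rd)} uses algorithm {alg}"))
    for tag, alg, dtype, digest in ds_records:
        if dtype in WEAK_DIGESTS:
            findings.append(("DNSSEC_WEAK_DIGEST", f"DS {tag} uses digest type {dtype} (SHA-1)"))
        rd = keys.get((tag, alg))
        if dtype in DIGEST_HASH and rd is not None and ds_digest(name, rd, dtype) == digest.lower():
            findings.append(("OK", f"DS {tag}/{alg}/{dtype} matches a DNSKEY"))
        else:
            findings.append(("DNSSEC_DS_ORPHAN", f"DS {tag}/{alg}/{dtype} matches no DNSKEY in {name}"))
    return findings

# Constructed sample: a KSK (flags 257, algorithm 13) with a fake 4-byte public key, not a real key.
SAMPLE_NAME = "example.com."
SAMPLE_KSK = (257, 3, 13, b"\x00\x01\x00\x01")
```

Feed `check_ds` the DNSKEY RRset from your zone and the DS RRset from the parent (for instance from the DNS Lookup tool) to see which DS is orphaned before removing it at the registrar.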
Complementary tools
| Tool | Purpose |
|---|---|
| DNS Domain Check | Complete DNS configuration audit including basic DNSSEC verification |
| DNS Lookup | Manually query DS, DNSKEY or RRSIG records |
| DNS Propagation Test | Check the propagation of DNSSEC changes worldwide |
Useful resources
- RFC 4033 - DNS Security Introduction: Introduction to DNSSEC extensions
- RFC 8624 - Algorithm Implementation Requirements: DNSSEC algorithm requirements
- Verisign DNSSEC Debugger: Reference tool for DNSSEC debugging
- DNSViz: Advanced DNSSEC chain visualization