DNSSEC Checker

Validate the DNSSEC chain of trust for your domain

DNSSEC protects your domain against cache poisoning and man-in-the-middle attacks. This tool verifies every link in the chain of trust, from the DNS root to your zone, and detects configuration issues.

Complete chain of trust

Zone-by-zone verification from the root (.) to your domain, validating each DS/DNSKEY delegation.

Weak algorithm detection

Identifies obsolete signing algorithms (RSAMD5, DSA) and deprecated digests (SHA-1) per RFC 8624.

Orphan DS and inconsistencies

Detects DS records published at the parent without a matching DNSKEY in the child zone.

RRSIG signature verification

Validates each RRSIG signature on DS and DNSKEY RRSets, and checks they are within their validity window.

Detailed diagnostics

Complete report with errors, warnings and information sorted by severity for each zone in the chain.

Why check DNSSEC?

DNSSEC (DNS Security Extensions) adds a cryptographic verification layer to DNS. Without DNSSEC, an attacker can forge DNS responses to redirect traffic to malicious servers (cache poisoning).

Three reasons to check your DNSSEC:

  • Security: Ensure the chain of trust is intact and visitors actually reach your servers
  • Compliance: More and more organizations require DNSSEC for sensitive domains
  • Issue detection: Identify orphan DS records, weak algorithms or expired signatures before they cause outages

How to use the DNSSEC Checker in 3 steps

Step 1: Enter your domain

Enter the domain name to check (for example cloudflare.com or nic.fr). The tool accepts any domain, whether DNSSEC-signed or not.

Step 2: Analyze the zone-by-zone report

The tool walks the chain of trust from the DNS root:

  • Root (.): Trust anchor verification
  • TLD (e.g., .com): DS and DNSKEY verification for the TLD
  • Your domain: DS, DNSKEY and RRSIG verification

For each zone, you see the DS, DNSKEY and RRSIG records along with their validation status.

Step 3: Fix detected issues

The report clearly identifies:

  • Errors (broken chain, invalid signatures)
  • Warnings (orphan DS, weak algorithms)
  • Information (CSK detected, out-of-bailiwick NS)

What is the DNSSEC chain of trust?

The DNSSEC chain of trust works as a series of cascading verifications:

Root (.)
  |-- TLD DS --> verifies the TLD DNSKEY
  |-- The TLD ZSK signs your domain's DS
        |-- Your domain's DS --> verifies your DNSKEY (KSK)
        |-- Your KSK signs the DNSKEY RRSet
        |-- Your ZSK signs the data (A, MX, SOA, NS)

Each link depends on the previous one. If a single link is broken, the entire validation fails.

What exactly does the tool check?

Element          | Description                                | Result
DS Records       | DS records published at the parent         | Match with DNSKEY, orphans, weak digest
DNSKEY Records   | Zone public keys (KSK/ZSK)                 | Presence, algorithm, DS association
RRSIG on DS      | DS RRSet signature by the parent's ZSK     | Cryptographic validity
RRSIG on DNSKEY  | DNSKEY RRSet signature by the KSK          | Cryptographic validity
Algorithms       | Signing algorithm type                     | Deprecated algorithm detection (RFC 8624)
DS Digests       | DS hash type                               | Deprecated SHA-1 detection

Common diagnostics and solutions

Orphan DS (DNSSEC_DS_ORPHAN)

Symptom: A DS record is published at the parent but no matching DNSKEY exists in your zone.

Likely cause: An incomplete key rollover, or an old key removed from the zone before its DS was withdrawn at the parent.

Action: Remove the orphan DS at your registrar, or add the corresponding DNSKEY in your zone.

Weak algorithm (DNSSEC_WEAK_ALGO)

Symptom: Your zone uses a signing algorithm considered insecure.

Action: Plan a migration to ECDSAP256SHA256 (algorithm 13) or ED25519 (algorithm 15).

SHA-1 digest (DNSSEC_WEAK_DIGEST)

Symptom: Your DS uses SHA-1 as the digest type.

Action: Add a DS with SHA-256 (type 2) alongside it, then remove the SHA-1 DS once propagation is complete.
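As an added example (not the checker's own code), the DS-to-DNSKEY match from the table above and the three diagnostics just described, in standard-library Python: it derives the key tag and DS digest from a DNSKEY as RFC 4034 specifies, then flags orphan DS records, deprecated algorithms and SHA-1 digests with the same codes the report uses. The RFC 8624 status tables are a summarised assumption, and the sample keys are constructed, not real zone data.

```python
import base64, hashlib, struct

# Status summary from RFC 8624 (assumed reading of its tables); digest 4 is SHA-384.
DEPRECATED_ALGOS = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}
WEAK_DIGESTS = {1: "SHA-1"}
DIGEST_FUNCS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Owner name in canonical (lowercase, uncompressed) wire form, RFC 4034 s6.2."""
    labels = [lab for lab in name.rstrip(".").lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the whole RDATA, RFC 4034 Appendix B (non-RSAMD5 variant)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name wire form + DNSKEY RDATA), RFC 4034 s5.1.4."""
    return DIGEST_FUNCS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def check_delegation(owner, ds_records, dnskeys):
    """ds_records: (key_tag, algorithm, digest_type, digest_hex) tuples from the parent;
    dnskeys: (flags, protocol, algorithm, pubkey_b64) tuples from the child zone.
    Returns (severity, code, message) findings using the report's diagnostic codes."""
    findings, expected = [], set()
    for flags, proto, alg, key in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key)
        tag = key_tag(rdata)
        if alg in DEPRECATED_ALGOS:
            findings.append(("WARNING", "DNSSEC_WEAK_ALGO", f"DNSKEY {tag} uses {DEPRECATED_ALGOS[alg]}"))
        for dt in DIGEST_FUNCS:  # every digest a correct DS for this key could carry
            expected.add((tag, alg, dt, ds_digest(owner, rdata, dt)))
    for tag, alg, dt, digest in ds_records:
        if dt in WEAK_DIGESTS:
            findings.append(("WARNING", "DNSSEC_WEAK_DIGEST", f"DS {tag} uses {WEAK_DIGESTS[dt]}"))
        if (tag, alg, dt, digest.upper()) not in expected:
            findings.append(("WARNING", "DNSSEC_DS_ORPHAN", f"DS {tag}/{alg}/{dt} matches no DNSKEY"))
    return findings
```

Feed it the DS RRSet fetched from the parent and the DNSKEY RRSet fetched from the child (for example with the DNS Lookup tool) to reproduce the orphan and weak-digest checks locally; RRSIG validation is out of scope for this snippet.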

Complementary tools

Tool                  | Purpose
DNS Domain Check      | Complete DNS configuration audit including basic DNSSEC verification
DNS Lookup            | Manually query DS, DNSKEY or RRSIG records
DNS Propagation Test  | Check the propagation of DNSSEC changes worldwide

Useful resources