Free DNSSEC Validation Checker

Verify your domain's DNSSEC configuration and chain of trust. Ensure DNS responses are cryptographically authenticated and protected against cache poisoning and spoofing attacks.

DNSSEC: Cryptographic Protection for Your DNS

The Domain Name System was designed in the 1980s without any built-in security. When your browser looks up a domain name, it trusts whatever answer comes back from the DNS resolver with no way to verify authenticity. This fundamental weakness enables DNS cache poisoning, where an attacker injects forged records into a resolver's cache, silently redirecting your visitors to malicious servers. DNSSEC (DNS Security Extensions) was created to fix this by adding cryptographic signatures to DNS data.

DNSSEC works by creating a hierarchical chain of digital signatures. The process starts at the DNS root zone, which is signed by ICANN. The root zone then vouches for each top-level domain (.com, .org, .uk) through DS (Delegation Signer) records. Each TLD in turn vouches for the domains registered under it. This chain of trust means a DNSSEC-validating resolver can mathematically verify that every DNS response, from root to your specific A record, is authentic and unmodified.

Implementing DNSSEC involves three record types. DNSKEY records contain your zone's public signing keys: a Key Signing Key (KSK) used to sign the zone's other keys (the DNSKEY set), and a Zone Signing Key (ZSK) used to sign your actual DNS records. DS records are published in the parent zone (through your registrar) and contain a cryptographic digest of your KSK's DNSKEY record, linking your zone to the chain of trust. RRSIG records contain the signatures themselves, one per signed record set.

Modern DNSSEC implementations use ECDSA algorithms (ECDSAP256SHA256 or ECDSAP384SHA384) instead of older RSA, offering stronger security with smaller key sizes and faster validation. NSEC3 records provide authenticated denial of existence, proving that a queried name doesn't exist without revealing other names in the zone, which prevents zone enumeration attacks. These operational improvements have made DNSSEC significantly more practical than early implementations.

DNSSEC is especially important when combined with other security layers. It enables DANE (DNS-Based Authentication of Named Entities), which allows you to publish TLS certificate information in DNS, reducing reliance on certificate authorities. It also strengthens email security by ensuring that SPF, DKIM, and DMARC DNS records themselves are tamper-proof. For a comprehensive view of your domain's security posture, run a full domain security scan.

How Our DNSSEC Checker Works

1. Enter Your Domain

Type your domain name above. We begin by querying for DNSKEY and DS records to determine if DNSSEC is enabled for your zone.

2. Chain of Trust Validation

We walk the DNSSEC chain from your domain up through the TLD to the root zone, verifying DS-to-DNSKEY linkage at each level.

3. Signature Verification

RRSIG records are checked for validity, expiration, and correct algorithm usage. We verify that Zone Signing Keys and Key Signing Keys are properly configured.

4. Grade & Findings

You get a clear grade: A+ for a fully validated chain with modern algorithms, down to F for no DNSSEC at all, with specific remediation guidance for each issue.
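The DS-to-DNSKEY linkage described earlier and the chain walk and signature-window checks in steps 2 and 3 above, as an added example; this is not the checker's own code. It uses only the Python standard library. The key-tag and DS digest computations follow RFC 4034 (Appendix B and section 5.1.4), the RRSIG time comparison follows RFC 1982 serial arithmetic, and the zone names, key bytes and timestamps are constructed placeholders (the key bytes are not real ECDSA points). Cryptographic verification of the RRSIG signatures themselves is deliberately left out; the block shows the linkage and validity-window logic a validator runs around it.

```python
"""Toy DNSSEC chain-of-trust checks (added example, standard library only).

All zone names, key bytes and timestamps below are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass

DIGEST_ALGOS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, length-prefixed, ending in the root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int     # 13 = ECDSAP256SHA256, 8 = RSASHA256
    public_key: bytes  # placeholder bytes in this example, not a real key
    protocol: int = 3

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (all algorithms except RSAMD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = DIGEST_ALGOS[digest_type](name_to_wire(owner) + key.rdata()).hexdigest()
    return DS(key.key_tag(), key.algorithm, digest_type, h)


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """A DS authenticates a DNSKEY only if key tag, algorithm and digest all agree."""
    if ds.digest_type not in DIGEST_ALGOS:
        return False  # an unknown digest type cannot be verified, so it cannot vouch
    return (ds.key_tag == key.key_tag() and ds.algorithm == key.algorithm
            and make_ds(owner, key, ds.digest_type).digest == ds.digest.lower())


def serial_le(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a <= b' on 32-bit timestamps (handles 2106 wrap-around)."""
    return ((b - a) % (1 << 32)) < (1 << 31)


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """An RRSIG is usable only inside [inception, expiration] (RFC 4034 section 3.1.5)."""
    return serial_le(inception, now) and serial_le(now, expiration)


def walk_chain(chain, ds_records, dnskey_records) -> list[str]:
    """Walk root -> TLD -> domain and report the first broken delegation.

    chain: zone names from the domain up to the root, e.g. ["example.com", "com", "."].
    ds_records[zone]: DS set the parent publishes for that zone.
    dnskey_records[zone]: DNSKEY set the zone itself serves.
    Returns findings; an empty list means every delegation linked up.
    """
    findings = []
    for zone in reversed(chain):  # start at the root and descend
        if zone == ".":
            continue  # the root has no DS; its KSK is the resolver's configured trust anchor
        ds_set = ds_records.get(zone, [])
        keys = dnskey_records.get(zone, [])
        if not ds_set:
            findings.append(f"{zone}: no DS in parent (DNSSEC not enabled or DS never published)")
            break
        if not any(ds_matches(ds, zone, k) for ds in ds_set for k in keys):
            findings.append(f"{zone}: DS matches no DNSKEY (stale DS after a key rollover?)")
            break
    return findings


if __name__ == "__main__":
    # Constructed demo: a healthy chain, then the same domain with a stale DS.
    com_ksk = DNSKEY(257, 13, bytes([0x01, 0x02]) * 32)
    ex_ksk = DNSKEY(257, 13, bytes([0x03, 0x04]) * 32)
    ex_zsk = DNSKEY(256, 13, bytes([0x05, 0x06]) * 32)
    keys = {"com": [com_ksk], "example.com": [ex_ksk, ex_zsk]}
    good_ds = {"com": [make_ds("com", com_ksk)], "example.com": [make_ds("example.com", ex_ksk)]}
    stale_ds = {"com": good_ds["com"],
                "example.com": [make_ds("example.com", DNSKEY(257, 13, bytes([9, 9]) * 32))]}
    print("good chain:", walk_chain(["example.com", "com", "."], good_ds, keys))
    print("stale DS:  ", walk_chain(["example.com", "com", "."], stale_ds, keys))
    print("RRSIG in window:", rrsig_time_valid(1000, 2000, 1500))
```

The chain walk fails closed: one missing or mismatched DS stops the descent and everything below it is reported as unverifiable, which is the same behaviour a validating resolver shows as SERVFAIL when a registrar-side DS is not updated after a KSK rollover. The digest-type check matters for the same reason; a DS with a digest type the validator does not implement cannot authenticate anything, so it should never be counted as a match.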

Frequently Asked Questions

What is DNSSEC and how does it protect my domain?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that DNS responses are authentic and haven't been modified in transit. Without DNSSEC, an attacker can perform DNS cache poisoning by injecting forged DNS records that redirect your visitors to malicious servers without anyone noticing. DNSSEC creates a chain of trust from the DNS root zone down to your domain, ensuring every DNS answer can be mathematically verified.

What is the DNSSEC chain of trust?

The DNSSEC chain of trust works like a certificate chain. The root zone (managed by ICANN) signs the TLD zone (e.g., .com), which signs your domain's zone. At each level, a DS (Delegation Signer) record in the parent zone points to a DNSKEY in the child zone. Resolvers follow this chain from root to your domain, verifying signatures at each step. If any link is broken (a missing DS record, an expired signature, or a mismatched key), the entire chain fails and DNSSEC-aware resolvers will reject the response.

Does my domain need DNSSEC if I already have SSL/TLS?

Yes, they protect different things. SSL/TLS encrypts the connection between a browser and your server, but it relies on DNS to find the correct server IP in the first place. Without DNSSEC, an attacker can poison DNS to redirect visitors to a different server entirely, and if they have a fraudulently obtained certificate, the connection will appear "secure" to the browser. DNSSEC ensures the DNS lookup itself is trustworthy, closing this gap. They work together as complementary security layers.

Why is DNSSEC adoption still relatively low?

Despite being standardised since 2005, DNSSEC adoption hovers around 30% for major TLDs. The main barriers are operational complexity (key rotation, signature management), the risk of breaking DNS resolution if misconfigured, limited support from some DNS hosting providers, and a chicken-and-egg problem where not all resolvers validate DNSSEC. However, adoption is accelerating as major registrars and DNS providers automate DNSSEC management, and as regulatory requirements increasingly mandate it.

How does the DNSSEC checker grade my domain?

Our DNSSEC checker grades your domain based on several criteria: whether DNSSEC is enabled at all, the completeness of the chain of trust (DS records at the registrar matching DNSKEYs in your zone), signature validity and expiration, key algorithm strength (RSA vs ECDSA), and the presence of NSEC or NSEC3 records for authenticated denial of existence. An A+ indicates a fully validated chain with strong algorithms and current signatures.