DNSSEC Validator

Validate a domain's DNSSEC chain via a validating resolver; show DS / DNSKEY / RRSIG at every zone cut.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What does DNSSEC protect against?

DNSSEC protects against DNS cache poisoning and spoofing — attacks where an attacker injects false DNS responses to redirect traffic. It does this by digitally signing DNS records with cryptographic keys that resolvers can verify against a chain of trust anchored at the DNS root. DNSSEC authenticates data integrity but does not encrypt DNS queries.

What is the DNSSEC chain of trust?

The chain starts at the DNS root, which publishes its public keys (DNSKEY). Each parent zone signs the public key hash (DS record) of its child zones. For example.com: the root signs the .com DS record; .com signs example.com's DS; and example.com uses its DNSKEY to sign its own resource records (RRSIG). A validating resolver walks this chain to verify every response.

What is the difference between DNSKEY and DS records?

A DNSKEY record contains the zone's public key — typically a Key Signing Key (KSK) that signs other DNSKEYs, and a Zone Signing Key (ZSK) that signs zone data. A DS (Delegation Signer) record lives in the parent zone and contains a hash of the child zone's KSK — it's the cryptographic link between parent trust and child keys.

What does 'BOGUS' mean in DNSSEC validation?

BOGUS means validation failed — signatures exist but don't verify correctly. This could indicate tampering, a configuration error (mismatched DS/DNSKEY), or an expired signature (RRSIG records have validity periods and must be re-signed regularly). A BOGUS result causes a validating resolver to return SERVFAIL — failing closed is the intended security behaviour.

My domain is INSECURE — should I be worried?

INSECURE means the domain has no DNSSEC signatures, not that there's an active attack. Most domains don't have DNSSEC enabled — it's the normal unsigned state. Consider enabling DNSSEC through your registrar for added protection, especially for domains handling sensitive services like email, banking, or authentication.