DNSSEC Signature Expiration

Days remaining before a domain's DNSSEC signatures (RRSIGs) expire.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What does this check?

DNSSEC signatures (RRSIG records) are only valid for a fixed window and must be re-signed regularly — usually by automated tooling. This checks every signature in the domain's chain of trust (DS/DNSKEY at each zone cut, plus the record's own signature) and reports the soonest one to expire. If signing automation breaks, this is the first symptom, days or weeks before validation actually starts failing.

My domain shows no signatures — is that a problem?

Not necessarily. Most domains don't have DNSSEC enabled at all, which shows as "insecure" with no signatures to check — that's the normal unsigned state, not an error. This tool is only useful for domains that already have DNSSEC enabled.

How is this different from DNSSEC Validator?

DNSSEC Validator is the full chain-of-trust diagnostic — DS/DNSKEY matching at every zone cut, resolver choice, verdict detail. This tool is the same underlying signature data, narrowed to just the expiration question, so it's simple to set thresholds on in a monitor.