DNSSEC Checker:
Validate Your Domain’s Security

Check the DNSSEC status of your domains within seconds!

DNSSEC Record Checker

Use this tool to look up and validate your DNSSEC record.


Analyze DNSSEC the right way with PowerDMARC

Understanding DNSSEC

DNSSEC (Domain Name System Security Extensions) is a security extension that works like a seal of authenticity for websites. It ensures that whenever you type a web address into your browser (e.g. www.adomainname.com), you are directed to the correct website instead of a fraudulent one.

It is not a single record type, but rather a suite of extensions that add cryptographic signatures to existing DNS records. This helps to ensure the authenticity and integrity of DNS data, protecting against various attacks like DNS poisoning and spoofing.

Here are the key DNSSEC record types:

DNSKEY: Contains the public key used to verify the digital signatures of other DNSSEC records in the zone.   

RRSIG: Contains the digital signature for a specific record set (e.g., A, MX, etc.).   

DS: Contains a hashed version of the DNSKEY record, used for delegation and trust anchoring.   

By adding these record types to a DNS zone, DNSSEC enables resolvers to verify the authenticity of DNS responses, providing a higher level of security for domain name resolution.

The Importance of Setting Up DNSSEC

The Risks of Not Using DNSSEC

Risk of Impersonation

Domains that have DNSSEC disabled are easy impersonation targets for hackers.

Risk of Cyber Attacks

Domains that have DNSSEC disabled are much more vulnerable to cyber attacks like DNS spoofing and man-in-the-middle attacks.

Risk of Reputation Damage

Without DNSSEC, domains are prone to reputational damage and distrust among users.

How to Check DNSSEC Status: Step-by-Step

Using Our DNSSEC Checker Tool

You can easily check if DNSSEC is enabled for your domain using our DNSSEC analyzer tool. This process for DNSSEC lookup is instant, error-free, and the most convenient with our tool – providing accurate results every time! 

  1. Enter your domain name (e.g. company.com)
  2. Hit the “Lookup” button 
  3. Analyze your DNSSEC validation results

Checking DNSSEC with Command-Line Tools

You can use a command-line tool like dig to check DNSSEC status. However, this DNSSEC lookup process is a little more complicated than using an automated tool.

  1. Install dig if it’s not pre-installed on your operating system
  2. Open your command prompt
  3. Run the following command, replacing company.com with your domain name:
    dig +dnssec +multi company.com
  4. Analyze your outputs
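
One way to carry out the "analyze your outputs" step, as an added example that is not part of the original page or the vendor's tool: it reads saved dig text, reports whether the answer carries RRSIG records, whether the resolver set the `ad` (authenticated data) flag, and how close each signature is to expiry. The sample output, the `analyze` name and the 7-day warning window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `dig +dnssec +multi company.com` output (not real data).
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
company.com.            300 IN A 192.0.2.10
company.com.            300 IN RRSIG A 13 2 300 (
                                20240615000000 20240601000000 12345 company.com.
                                Y29uc3RydWN0ZWQtc2lnbmF0dXJl )
"""

# RRSIG fields: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name (then the signature).
RRSIG_RE = re.compile(
    r"IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)")

def _ts(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def analyze(dig_output, now, warn_days=7):
    """Summarise signature state from dig text; `now` is an aware UTC datetime."""
    flat = dig_output.replace("(", " ").replace(")", " ")  # undo +multi wrapping
    flags = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    report = {"ad_flag": bool(flags and "ad" in flags.group(1).split()), "rrsigs": []}
    for m in RRSIG_RE.finditer(flat):
        incept, expire = _ts(m["incept"]), _ts(m["expire"])
        if now < incept:
            state = "not-yet-valid"
        elif now >= expire:
            state = "expired"
        elif expire - now <= timedelta(days=warn_days):
            state = "expiring-soon"
        else:
            state = "valid"
        report["rrsigs"].append({"covered": m["covered"], "key_tag": int(m["keytag"]),
                                 "signer": m["signer"], "state": state})
    report["signed"] = bool(report["rrsigs"])
    return report

if __name__ == "__main__":
    print(analyze(SAMPLE, datetime(2024, 6, 10, tzinfo=timezone.utc)))
```

An answer with RRSIG records but no `ad` flag means the zone is signed but the resolver you queried did not validate it.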

Ensuring DNSSEC is Working Correctly

Interpreting DNSSEC Validation Results

Result: Valid

  • DNSSEC Status: Enabled

  • DNSSEC at Registrar: Enabled (FullySigned)

  • DNSSEC at Nameservers: Enabled

Explanation: The DNSSEC setup for this domain is working. DNSSEC is activated at both the registrar and nameserver levels, and the domain is secured with a DNSSEC signature. This indicates that all DNS requests for this domain are being authenticated accurately to ensure the responses are genuine and trustworthy.

Result: Invalid

  • DNSSEC Status: Disabled

  • DNSSEC at Registrar: Disabled (Unsigned)

  • DNSSEC at Nameservers: Disabled

Explanation: The DNSSEC setup for the domain is not working properly, as it is disabled at both the registrar and nameserver levels. The domain lacks a DNSSEC signature for validating the authenticity of DNS responses. Enabling DNSSEC is advised to boost the security of the domain’s DNS system.

DNSSEC Validation Failures and Solutions

1. Missing or Incorrect Records

Issue: The DS (Delegation Signer) record or DNSKEY record is missing, misconfigured, or contains errors. This will lead to the breakage of the chain of trust and subsequently cause DNSSEC validation failure. 

Solution: Make sure you edit and set up error-free DS and DNSKEY records.

2. DNSSEC Not Set Up Correctly

Issue: DNSSEC has to be set up correctly at both registrar and nameservers. If it’s not set up at either, DNSSEC validation will fail and can cause DNS resolving issues for the domain.

Solution: Check and configure your DNSSEC at both registrar and nameservers.

3. Expired DNSSEC Signatures

Issue: Your DNSSEC Signature (RRSIG) has passed its expiration date, leading to validation failure.

Solution: Use automated software tools to re-sign DNS records before the signatures expire.

4. Mismatched DS Records

Issue: The DS records in the parent zone do not match the child zone’s DNSKEY, leading to DNSSEC validation failure.

Solution: Make sure the DS record published in the parent zone matches the DNSKEY published in the child zone.

Additional Tips for Successful DNSSEC Implementation

For a smooth rollout, you can consider the following additional tips:

  • Test your DNSSEC setup in a dummy environment first

  • Implement DNSSEC for non-critical domains in the beginning stages

  • Don’t use deprecated DNSSEC algorithms

  • Automate key rotation with online tools

  • Test DNSSEC periodically to ensure it’s functioning properly
