Free DNSSEC Checker

Instantly check whether DNSSEC is properly configured for any domain. Our free DNSSEC validator verifies DS records at your registrar, DNSKEY records at your authoritative nameserver, RRSIG signature validity, and the full chain of trust from your domain to the DNS root.

Get results in seconds

No signup required.

Best suited for DNS administrators & domain owners

Designed for troubleshooting DNSSEC validation failures.

DNSSEC Record Checker

Use this tool to look up and validate your domain's DNSSEC records.

Please enter a valid domain name, without the http:// prefix.


What Does This DNSSEC Checker Validate?

Our DNSSEC checker runs six core validation checks on your domain:

1. DS Record at Registrar

Confirms the Delegation Signer record for your domain exists in the parent zone. The DS is published by the TLD registry but submitted through your registrar, which is why this page refers to it as the record "at your registrar". It is the link that connects your signed zone to the global chain of trust.

2. DNSKEY Record in Zone

Verifies the public key records are published at your authoritative nameservers. A zone typically has two keys: a Zone Signing Key (ZSK) that signs the zone's record sets, and a Key Signing Key (KSK) that signs the DNSKEY record set itself and is the key the DS record refers to.

3. RRSIG Signature Validity

Checks that signatures exist on your DNS records and that the current time falls inside each signature's inception-to-expiration window. Once an RRSIG expires, validating resolvers reject the records it covers immediately, so signatures must be refreshed before that point.

4. DS-DNSKEY Match

Verifies that the DS record at your registrar matches a DNSKEY in your zone: the key tag, algorithm and digest in the DS must equal those computed from the published key. A mismatch (often from a key rollover where the new DS was never submitted) causes validation to fail.

5. Algorithm Security

Identifies deprecated or weak signing algorithms and digest types, such as RSA/SHA-1 signing or SHA-1 DS digests, which RFC 8624 no longer recommends. Weak algorithms undermine the security benefits of DNSSEC.

6. Chain of Trust Integrity

Confirms the full chain from the DNS root through the TLD to your domain is intact. A broken link anywhere in this chain fails validation for every name below it.

The checker returns one of four statuses:

Enabled

All checks pass: a DS record at the parent matches a published DNSKEY and the signatures are valid.

Partial

DNSKEY is present (your zone is signed), but no DS record has been published at your registrar, so validating resolvers treat the zone as unsigned.

Misconfigured

A DS record exists, but the zone does not serve a DNSKEY that matches it (the key is missing, or the DS is stale after a rollover), or the signatures are expired or invalid. Validating resolvers return SERVFAIL for the domain in this state, so it is worse than having no DNSSEC at all.

Not Enabled

Neither DS nor DNSKEY records could be located.

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is a set of cryptographic extensions to DNS that allows resolvers to verify that DNS responses are authentic and have not been tampered with in transit. DNSSEC adds digital signatures to DNS records and creates a chain of trust from the DNS root zone down to individual domains. This protects against DNS cache poisoning and DNS spoofing attacks that could redirect users to malicious servers.

DNSSEC does not encrypt DNS queries. That is handled by DNS-over-HTTPS or DNS-over-TLS. It also does not protect email content or replace DMARC/DKIM/SPF. Rather, it secures the DNS resolution process that those email authentication standards depend on, and it does so only for clients whose resolver actually validates the signatures.

Understanding the Chain of Trust

DNSSEC validation works top-down through a hierarchical chain of trust:

DNS Root
TLD (.com, .org, etc.)
Your Domain

Each zone's KSK is vouched for by a DS record in the zone above it, and the root zone's key is the trust anchor built into validating resolvers. If this chain breaks at any level, even if your zone is perfectly configured, validation fails.

The most common break: The DS record hasn't been submitted to your registrar. Your zone is signed (DNSKEY exists), but it's not linked to the parent zone. The checker returns 'Partial'.

To fix: Submit your DS record (from your DNS host) to your registrar. Both pieces must exist for the chain to work.
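The arithmetic behind the DS, DNSKEY, DS-DNSKEY match and chain-of-trust checks described above, and the four statuses the checker reports, as an added example written for this page (it is not the checker's own code). It computes the key tag (RFC 4034 Appendix B) and the DS digest (SHA-256 over the canonical owner name followed by the DNSKEY RDATA) for a published key, compares that with what the parent zone holds, and walks a TLD-to-domain chain to find the first broken link. The key material, the zone names (example.com, com) and the DS values are constructed; no real key is involved, and signatures (RRSIGs) are not verified here.

```python
import base64
import hashlib

# DS digest types from the IANA registry: 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384.
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels,
    each length-prefixed, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """The DS record the parent zone should publish for this DNSKEY:
    (key_tag, algorithm, digest_type, hex digest of owner-name || RDATA)."""
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def classify(owner: str, ds_records: list, dnskey_rdatas: list) -> str:
    """Reproduce the checker's four statuses from what is published at the parent
    (DS tuples) and in the child zone (DNSKEY RDATA). RRSIGs are not checked."""
    if not ds_records and not dnskey_rdatas:
        return "Not Enabled"
    if not ds_records:
        return "Partial"          # zone is signed, but the parent was never told
    if not dnskey_rdatas:
        return "Misconfigured"    # parent points at a key the zone no longer serves
    for tag, alg, dtype, digest in ds_records:
        if dtype not in DS_DIGEST:
            continue              # unknown digest type: this DS cannot match anything
        for rdata in dnskey_rdatas:
            if ds_from_dnskey(owner, rdata, dtype) == (tag, alg, dtype, digest.lower()):
                return "Enabled"
    return "Misconfigured"        # DS present but matches no DNSKEY (stale DS after a rollover)


def walk_chain(links: list) -> tuple:
    """links: [(child_zone, ds_records_at_parent, dnskeys_in_child), ...] ordered from
    the TLD down to the domain. Returns (status, zone) of the first link that is not
    Enabled, because one broken delegation fails validation for everything below it."""
    for zone, ds_records, dnskeys in links:
        status = classify(zone, ds_records, dnskeys)
        if status != "Enabled":
            return status, zone
    return "Enabled", links[-1][0] if links else None


def make_sample_rdata(fill: int) -> bytes:
    """Constructed KSK (flags 257 = ZONE + SEP, algorithm 13 = ECDSAP256SHA256) whose
    64-byte 'public key' is a repeated filler byte. Not a real key; it only exercises the arithmetic."""
    return dnskey_rdata(257, 3, 13, base64.b64encode(bytes([fill]) * 64).decode())


SAMPLE_RDATA = make_sample_rdata(1)
SAMPLE_DS = ds_from_dnskey("example.com.", SAMPLE_RDATA)

if __name__ == "__main__":
    print("DS to give the registrar: example.com. IN DS %d %d %d %s" % SAMPLE_DS)
    print("status:", classify("example.com.", [SAMPLE_DS], [SAMPLE_RDATA]))
    # Same zone after a KSK rollover where the registrar was never updated:
    print("after unannounced rollover:", classify("example.com.", [SAMPLE_DS], [make_sample_rdata(2)]))
```

The digest is computed over the owner name in canonical (lowercase) wire form, so a DS generated for `Example.COM` and one for `example.com` are identical; a registrar that rejects your DS as "not matching" usually has a stale key tag or a digest type it does not support, not a case problem.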

DNSSEC Record Types Explained

DNSSEC uses four primary DNS record types, all of which our tool validates.

1. DNSKEY Record

Stores the public keys used to verify DNSSEC signatures. Includes the ZSK (signs the zone's record sets) and the KSK (signs the DNSKEY record set, and is the key the DS record refers to).

2. DS (Delegation Signer) Record

Lives in the parent zone (the TLD), not in your own zone. It holds the key tag, algorithm, digest type and a digest of your KSK, linking your domain to the DNSSEC chain of trust.

3. RRSIG (Resource Record Signature)

Cryptographic signature for each DNS record set, carrying an inception and an expiration time. Must be renewed before expiry to maintain DNSSEC validation.

4. NSEC / NSEC3 Record

Proves that a name or record type does not exist (authenticated denial of existence). NSEC lists the next name in the zone, which lets anyone walk the zone name by name; NSEC3 uses hashed names instead, which makes enumeration harder but not impossible, since the hashes can still be brute-forced offline.

How to Enable DNSSEC for Your Domain

Enabling DNSSEC is a two-step process. Both steps must be completed for full validation:

Step 1

Enable DNSSEC Signing at Your DNS Hosting Provider

Log in to your DNS provider, enable DNSSEC signing for your domain, and copy the generated DS record. This creates your DNSKEY records and starts signing your DNS zone automatically.

Step 2

Submit the DS Record to Your Registrar

Log in to your domain registrar, open the DNSSEC settings, and add the DS record generated in Step 1. Save the changes to complete the DNSSEC chain of trust.

Timing: the DS record appears in the TLD zone once the registry publishes it, which can take minutes to a day depending on the registry; allow up to 24-48 hours for resolver caches to catch up. Order matters: enable signing first and confirm DNSKEY and RRSIG records are visible from all of your nameservers before submitting the DS. A DS that points at a key your zone does not yet serve makes validating resolvers return SERVFAIL for your domain. The reverse applies when turning DNSSEC off: remove the DS at the registrar and wait for its TTL to pass before unsigning the zone.

Common Pitfall: Many users enable DNSSEC signing but forget to publish the DS record, leaving the chain of trust incomplete.

Common DNSSEC Errors and How to Fix Them

Here are the five most common DNSSEC misconfiguration errors and how to resolve them:

Status: Partial or Misconfigured

DS Record Missing or Misconfigured

Cause: The DNSKEY is present in your zone (so your zone is signed), but the DS record has not been submitted to your registrar, or it is incorrect. The chain of trust is broken at the registrar level.

Recommended Fixes:

  • Log into your domain registrar (GoDaddy, Namecheap, etc.)
  • Navigate to your domain's DNS settings
  • Find the DNSSEC or DS Record section
  • Obtain the DS record from your DNS hosting provider's control panel
  • Paste the DS record value into your registrar's DS Record field
  • Save and wait 24–48 hours for DNS propagation
  • Re-run the checker to confirm 'Enabled' status
Status: Not Enabled

DNSSEC Not Enabled at Registrar or Nameserver

Cause: DNSSEC signing is not enabled anywhere. Neither DNSKEY nor DS records exist.

Recommended Fixes:

  • Log into your DNS hosting control panel (Cloudflare, Route 53, etc.)
  • Find the DNSSEC or DNS Security section
  • Enable DNSSEC signing for your domain
  • Copy the DS record or DNSKEY data provided
  • Log into your registrar and add the DS record (steps above)
  • Wait 24-48 hours and re-run the checker
Status: Misconfigured

Expired RRSIG Signature

Cause: The signatures on your DNS records have passed their expiry date. RRSIGs are issued with a limited validity window and must be regenerated periodically; this error usually means the provider's automated re-signing stopped (a failed signing job or an outage), or a secondary nameserver is serving a stale copy of the zone that was never refreshed.

Recommended Fixes:

  • Log into your DNS hosting control panel
  • Find the DNSSEC section and trigger a "re-sign zone" or "refresh signatures" action
  • If no such action exists, disable and re-enable DNSSEC signing. Check the DS afterwards: many providers generate a new KSK when signing is re-enabled, and the old DS at your registrar will then no longer match
  • Confirm that every nameserver listed for the domain serves the fresh signatures, not just the primary
  • Wait a few minutes for signatures to be regenerated
  • Re-run the checker
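The validity-window and algorithm checks (check 3 and check 5 in the list at the top of the page, and the expired-signature error above), as an added example written for this page rather than the checker's own code. It parses an RRSIG line in the format dig prints, converts the YYYYMMDDHHmmSS timestamps to epoch seconds, compares them with serial-number arithmetic as RFC 4034 requires, and grades the signing algorithm against the RFC 8624 table. The RRSIG lines, key tags and signature field are constructed placeholders, the `now` values are fixed for reproducibility, and the transcription of the RFC 8624 table is an assumption to be checked against the RFC; the signature bytes themselves are not verified.

```python
import calendar
import time

# Signing recommendations from RFC 8624, Table 1, keyed by DNSSEC algorithm number.
# Assumed transcription of that table; unlisted numbers are reported as unknown.
ALGORITHM_STATUS = {
    1: ("RSAMD5", "MUST NOT"),
    3: ("DSA", "MUST NOT"),
    5: ("RSASHA1", "NOT RECOMMENDED"),
    6: ("DSA-NSEC3-SHA1", "MUST NOT"),
    7: ("RSASHA1-NSEC3-SHA1", "NOT RECOMMENDED"),
    8: ("RSASHA256", "MUST"),
    10: ("RSASHA512", "NOT RECOMMENDED"),
    12: ("ECC-GOST", "MUST NOT"),
    13: ("ECDSAP256SHA256", "MUST"),
    14: ("ECDSAP384SHA384", "MAY"),
    15: ("ED25519", "RECOMMENDED"),
    16: ("ED448", "MAY"),
}
ACCEPTABLE = {"MUST", "RECOMMENDED", "MAY"}


def rrsig_time(field: str) -> int:
    """RRSIG inception/expiration in presentation format (RFC 4034 s3.2):
    YYYYMMDDHHmmSS in UTC, or a bare count of seconds since the epoch."""
    if len(field) == 14:
        return calendar.timegm(time.strptime(field, "%Y%m%d%H%M%S"))
    return int(field)


def serial_lt(a: int, b: int) -> bool:
    """a < b in 32-bit serial number arithmetic (RFC 1982), which RFC 4034
    requires for comparing signature times, so the 2106 wraparound is handled."""
    return a != b and ((b - a) & 0xFFFFFFFF) < 0x80000000


def parse_rrsig(line: str) -> dict:
    """Parse one RRSIG line as dig prints it. The field order after the RRSIG
    type is fixed by RFC 4034 s3.2; the base64 signature may span several fields."""
    f = line.split()
    i = f.index("RRSIG")
    return {
        "owner": f[0],
        "type_covered": f[i + 1],
        "algorithm": int(f[i + 2]),
        "labels": int(f[i + 3]),
        "original_ttl": int(f[i + 4]),
        "expiration": rrsig_time(f[i + 5]),
        "inception": rrsig_time(f[i + 6]),
        "key_tag": int(f[i + 7]),
        "signer": f[i + 8],
        "signature_b64": "".join(f[i + 9:]),
    }


def check_rrsig(line: str, now: int, warn_within: int = 3 * 86400) -> dict:
    """Report the conditions the checker flags: expired, not yet valid, expiring
    soon, and a deprecated algorithm. Only the validity window is examined here;
    verifying the signature bytes needs the matching DNSKEY and a real ECDSA/RSA/EdDSA verify."""
    sig = parse_rrsig(line)
    if serial_lt(sig["expiration"], now):
        status = "expired"
    elif serial_lt(now, sig["inception"]):
        status = "not-yet-valid"          # clock skew, or a signer with a wrong clock
    elif sig["expiration"] - now < warn_within:
        status = "expiring-soon"          # re-signing has probably stalled
    else:
        status = "valid"
    name, advice = ALGORITHM_STATUS.get(sig["algorithm"], ("unknown", "unknown"))
    return {
        "type_covered": sig["type_covered"],
        "key_tag": sig["key_tag"],
        "signer": sig["signer"],
        "status": status,
        "seconds_left": sig["expiration"] - now,
        "algorithm": sig["algorithm"],
        "algorithm_name": name,
        "algorithm_advice": advice,
        "algorithm_ok": advice in ACCEPTABLE,
    }


# Constructed sample lines in dig's output format. The signature field is a
# placeholder, not a real signature, and 9262 / 54321 are made-up key tags.
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG A 13 2 3600 20240315000000 "
                "20240215000000 9262 example.com. ZmFrZS1zaWduYXR1cmU=")
LEGACY_RRSIG = ("example.com. 3600 IN RRSIG MX 7 2 3600 20240315000000 "
                "20240215000000 54321 example.com. ZmFrZS1zaWduYXR1cmU=")

if __name__ == "__main__":
    for when in ("20240301000000", "20240314120000", "20240401000000"):
        r = check_rrsig(SAMPLE_RRSIG, rrsig_time(when))
        print(when, r["type_covered"], r["status"], r["seconds_left"])
    r = check_rrsig(LEGACY_RRSIG, rrsig_time("20240301000000"))
    print("algorithm", r["algorithm"], r["algorithm_name"], r["algorithm_advice"], "ok:", r["algorithm_ok"])
```

A practical monitoring threshold is a fraction of the provider's re-signing interval rather than a fixed three days: if signatures are normally refreshed a week before expiry, anything inside that week means the signer has already missed a cycle.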
Status: Misconfigured

DS-DNSKEY Mismatch

Cause: The DS record at your registrar no longer matches the DNSKEY in your zone. This typically happens after a key rollover when the DS record was not updated.

Recommended Fixes:

  • Log into your DNS hosting control panel and obtain the current DS record (it may have changed during rollover)
  • Log into your registrar
  • Update the DS record with the new value from your DNS provider. If the rollover is still in progress, keep both the old and the new DS published until the new DNSKEY is visible from every nameserver, then remove the old one
  • Wait 24–48 hours and re-run the checker
Status: Partial

DNSSEC Enabled at Nameserver But Not Registrar

Cause: Your zone is signed (DNSKEY records are present) but the DS record is not at your registrar. This is the single most common DNSSEC misconfiguration state.

Recommended Fixes:

  • Log into your domain registrar (GoDaddy, Namecheap, etc.)
  • Navigate to your domain's DNS settings
  • Find the DNSSEC or DS Record section
  • Obtain the DS record from your DNS hosting provider's control panel
  • Submit it to your registrar

DNSSEC and Email Security

DNSSEC and email authentication standards (DMARC, DKIM, SPF) are complementary but separate layers of security.

How They Connect

DNSSEC secures DNS lookups, while SPF, DKIM, and DMARC secure email. DNSSEC ensures the TXT and MX records those standards are read from are genuine and have not been tampered with in transit.

Why DNSSEC Matters

Without DNSSEC, an attacker who can poison or spoof DNS responses can replace your DKIM key or SPF policy with one they control. With DNSSEC, a receiving mail server whose resolver validates will reject the forged answer and accept only the authentic record; a mail server behind a non-validating resolver gets no protection from your signatures.

What DNSSEC Does Not Do

DNSSEC does not replace DMARC, DKIM, or SPF. All three are still required for email authentication. DNSSEC only hardens the DNS infrastructure they rely on.

Check If Your Domain Has Email Authentication Enabled

Check your DMARC record?

Instantly verify if your DMARC record is live, valid, and free of syntax errors using our free lookup tool.

DMARC Checker

At p=none? Move to enforcement.

PowerDMARC's hosted DMARC guides you safely from monitoring to full p=reject enforcement with real-time visibility.

Hosted DMARC

Want ongoing monitoring?

PowerDMARC automatically parses aggregate reports and alerts you when new senders appear or authentication issues arise.

Start Free

What Our Clients & Partners Say About Us

Steve Smith

Auckland Regional Manager, Advantage

“Our business is based on trust, not only between us and clients but partners as well. The great partnership we have with PowerDMARC allows us to deliver exceptional services to our clients.”

Frequently Asked Questions

What is DNSSEC and how does it work?
DNSSEC adds cryptographic signatures to DNS records and establishes a chain of trust from the DNS root to individual domains. When a resolver queries a DNSSEC-signed domain, it verifies signatures at each level of the hierarchy to confirm the response is authentic and unmodified. See our full DNSSEC guide for detailed mechanics.
How do I check if DNSSEC is working?
Enter your domain in the checker above and click Check. The tool validates DS records at the registrar, DNSKEY records at your nameserver, and the full chain of trust, returning a status of Enabled, Partial, Misconfigured, or Not Enabled. You can also check by hand from the command line: dig DS yourdomain.com @8.8.8.8 shows whether a DS record is published at the parent, dig +dnssec DNSKEY yourdomain.com @8.8.8.8 shows the keys together with their RRSIGs, and an ad flag in the response header from a validating resolver such as 8.8.8.8 means the answer validated. If a query returns SERVFAIL but succeeds with +cd (checking disabled), validation is failing for the domain.
Is DNSSEC still relevant?
Yes. DNS cache poisoning remains an active attack vector, and DNSSEC is the only defence against it built into the DNS protocol itself; transport encryption such as DoH or DoT protects the path to the resolver but not the data the resolver was given. It is also a prerequisite for DANE (DNS-based Authentication of Named Entities), which provides certificate verification independent of certificate authorities. Many governments, regulators, and compliance frameworks now mandate DNSSEC for critical domains.
What is validated with DNSSEC?
DNSSEC validates the authenticity and integrity of DNS responses, confirming that the IP addresses, MX records, and other DNS data returned for a domain came from an authoritative server and were not modified in transit. It does not validate website content or email messages, and it does not encrypt DNS queries.

Ready to prevent brand abuse, scams and gain full insight on your email channel?