Free DNSSEC Checker
Get results in seconds
No signup required.
Best suited for DNS administrators & domain owners
Designed for troubleshooting DNSSEC validation failures.
Use this tool to look up and validate your DNSSEC records.
Our DNSSEC checker runs six core validation checks on your domain:
Confirms the Delegation Signer record exists in your parent zone (at your registrar). This is the critical link that connects your signed zone to the global chain of trust.
Verifies the public key record is published at your authoritative nameserver. A zone typically has two keys: a Zone Signing Key (ZSK) for daily use and a Key Signing Key (KSK) for signing the ZSK.
Checks that cryptographic signatures exist on your DNS records and have not expired. Expired RRSIGs break DNSSEC validation immediately.
Verifies the DS record at your registrar correctly references the DNSKEY in your zone. A mismatch (often from incomplete key rollover) causes validation to fail.
Identifies deprecated or weak signing algorithms. Weak algorithms can compromise the security benefits of DNSSEC.
Confirms the full chain from the DNS root through the TLD to your domain is intact. A broken link anywhere in this chain fails the entire validation.
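The signature-expiry check described above can be reproduced against `dig +dnssec` output. This is an added example, not the checker's own code; the sample lines, the signature placeholder, and the three-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(stamp):
    """RRSIG times are shown by dig as YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_report(dig_output, now, warn=timedelta(days=3)):
    """Return [(owner, type_covered, state)] for every RRSIG line."""
    report = []
    for line in dig_output.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expire incept tag signer sig
        if line.startswith(";") or len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        expiration, inception = parse_ts(f[8]), parse_ts(f[9])
        if now > expiration:
            state = "expired"            # validators reject the RRset
        elif now < inception:
            state = "not-yet-valid"      # usually clock skew on the signer
        elif expiration - now <= warn:
            state = "expiring-soon"      # re-signing should already have run
        else:
            state = "valid"
        report.append((f[0], f[4], state))
    return report

# Constructed sample output; "c2ln" stands in for the base64 signature.
SAMPLE = """\
; constructed sample, not a real zone
example.com. 300 IN A 192.0.2.10
example.com. 300 IN RRSIG A 13 2 300 20240301000000 20240201000000 12345 example.com. c2ln
example.com. 300 IN RRSIG MX 13 2 300 20240205000000 20240105000000 12345 example.com. c2ln
example.com. 300 IN RRSIG TXT 13 2 300 20240212000000 20240201000000 12345 example.com. c2ln
"""
NOW = datetime(2024, 2, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in rrsig_report(SAMPLE, NOW):
        print(*row)
```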
The checker returns one of four statuses:
All checks pass successfully across your records.
DNSKEY is present, but DS record is missing at your domain registrar.
DS record exists, but the corresponding DNSKEY is missing.
Neither DS nor DNSKEY records could be located.
DNSSEC (Domain Name System Security Extensions) is a set of cryptographic extensions to DNS that allows resolvers to verify that DNS responses are authentic and have not been tampered with in transit. DNSSEC adds digital signatures to DNS records and creates a chain of trust from the DNS root zone down to individual domains. This protects against DNS cache poisoning and DNS spoofing attacks that could redirect users to malicious servers.
DNSSEC validation works top-down through a hierarchical chain of trust:
Each level is signed and authenticated by the level above it via a DS record. If this chain breaks at any level, even if your zone is perfectly configured, validation fails.
The most common break: The DS record hasn't been submitted to your registrar. Your zone is signed (DNSKEY exists), but it's not linked to the parent zone. The checker returns 'Partial'.
To fix: Submit your DS record (from your DNS host) to your registrar. Both pieces must exist for the chain to work.
DNSSEC uses four primary DNS record types, all of which our tool validates.
DNSKEY: Stores the public key used to verify DNSSEC signatures. Includes the ZSK (signs records) and KSK (signs the ZSK).
DS: Published in the parent zone and contains a hash of your zone's DNSKEY, linking your domain to the DNSSEC chain of trust.
RRSIG: Cryptographic signature for each DNS record set. Must be renewed before expiry to maintain DNSSEC validation.
NSEC / NSEC3: Proves that DNS records do not exist (authenticated denial of existence). NSEC3 is the privacy-preserving variant, which prevents attackers from enumerating all names in your zone.
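How a DS record references a DNSKEY, and why a key rollover without a DS update produces a mismatch, shown as an added example (not the checker's code). The keys are constructed byte strings rather than real public keys, and the function names are illustrative.

```python
import hashlib

# DS digest type number -> hashlib name (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    h = hashlib.new(DIGESTS[digest_type], wire_name(owner) + rdata)
    return (key_tag(rdata), rdata[3], digest_type, h.hexdigest())

def ds_matches(owner, ds, dnskeys):
    """True if any DNSKEY published in the zone hashes to the parent's DS."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False
    want = (tag, alg, dtype, digest.lower())
    return any(make_ds(owner, k, dtype) == want for k in dnskeys)

# Constructed sample keys (flags 257 = KSK, protocol 3, algorithm 13); not real keys.
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
PARENT_DS = make_ds("example.com.", OLD_KSK)  # what the registrar still holds

if __name__ == "__main__":
    print("DS at parent:", PARENT_DS)
    print("before rollover:", ds_matches("example.com.", PARENT_DS, [OLD_KSK]))
    print("after rollover, DS not updated:", ds_matches("example.com.", PARENT_DS, [NEW_KSK]))
```

While both the old and new keys are published the DS still matches; the mismatch appears once the old key is withdrawn and the parent's DS has not been replaced.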
Enabling DNSSEC is a two-step process. Both steps must be completed for full validation:
Step 1: Enable DNSSEC Signing at Your DNS Hosting Provider
Log in to your DNS provider, enable DNSSEC signing for your domain, and copy the generated DS record. This creates your DNSKEY records and starts signing your DNS zone automatically.
Step 2: Submit the DS Record to Your Registrar
Log in to your domain registrar, open the DNSSEC settings, and add the DS record generated in Step 1. Save the changes to complete the DNSSEC chain of trust.
Timing: DNS propagation takes 24-48 hours.
Common Pitfall: Many users enable DNSSEC signing but forget to publish the DS record, leaving the chain of trust incomplete.
Here are the five most common DNSSEC misconfiguration errors and how to resolve them:
DS Record Missing or Misconfigured
Cause: The DNSKEY is present in your zone (so your zone is signed), but the DS record has not been submitted to your registrar, or it is incorrect. The chain of trust is broken at the registrar level.
Recommended Fixes:
DNSSEC Not Enabled at Registrar or Nameserver
Cause: DNSSEC signing is not enabled anywhere. Neither DNSKEY nor DS records exist.
Recommended Fixes:
Expired RRSIG Signature
Cause: The signatures on your DNS records have passed their expiry date. This is usually caused by failed automated key rollover or a DNS hosting provider outage.
Recommended Fixes:
DS-DNSKEY Mismatch
Cause: The DS record at your registrar no longer matches the DNSKEY in your zone. This typically happens after a key rollover when the DS record was not updated.
Recommended Fixes:
DNSSEC Enabled at Nameserver But Not Registrar
Cause: Your zone is signed (DNSKEY records are present) but the DS record is not at your registrar. This is the single most common DNSSEC misconfiguration state.
Recommended Fixes:
DNSSEC and email authentication standards (DMARC, DKIM, SPF) are complementary but separate layers of security.
DNSSEC secures DNS lookups, while SPF, DKIM, and DMARC secure email. DNSSEC ensures the DNS records used for email authentication are genuine and haven't been tampered with.
Without DNSSEC, attackers can spoof DNS responses and replace your DKIM key with a fake one. DNSSEC prevents this by ensuring mail servers retrieve the authentic DKIM key from your DNS.
DNSSEC does not replace DMARC, DKIM, or SPF. All three are still required for email authentication. DNSSEC only hardens the DNS infrastructure they rely on.
Run dig DS yourdomain.com @8.8.8.8 from the command line to manually query for the DS record.