DNSSEC Checker

Verify the DNSSEC chain of trust for any domain by checking DS, DNSKEY, and RRSIG records.

How does DNSSEC work?

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses are authentic and have not been tampered with. A DNSSEC-signed domain publishes DNSKEY records containing public keys, and signs all records with matching private keys (stored as RRSIG records). Specified in RFC 4034.

The chain of trust begins at the DNS root zone and passes through each parent zone via DS (Delegation Signer) records. For DNSSEC to work end-to-end, your domain registrar must publish a DS record in the parent zone pointing to your DNSKEY. This tool checks all three components: DNSKEY, DS delegation, and RRSIG signatures.