DNSSEC Checker

Checks for DS and DNSKEY records and whether a validating resolver authenticates the zone (AD bit).

What this DNSSEC checker does

DNSSEC adds cryptographic signatures to DNS so that a resolver can detect forged or tampered answers. This tool uses DNS-over-HTTPS to look up a domain's DS and DNSKEY records and to read the AD (Authenticated Data) flag set by a validating resolver. From those it reports whether the zone is signed and whether validation currently succeeds.

A domain is properly protected only when it has DNSKEY records and a matching DS record in the parent, so the chain of trust is unbroken. Related reading: DNSSEC explained.

Frequently asked questions

My domain has DNSKEY but no DS — is it protected?

Not fully. Without a DS record in the parent zone (uploaded to your registrar), resolvers cannot build the chain of trust to your keys, so signatures are not validated end to end. Add the DS record at your registrar to complete DNSSEC.

Does DNSSEC encrypt my DNS queries?

No. DNSSEC provides integrity and authenticity (you know the answer is genuine and unmodified) but not confidentiality. For privacy of the query itself you need DNS-over-HTTPS or DNS-over-TLS.

Why might a signed domain still show as not authenticated?

Expired signatures (RRSIG), a missing or mismatched DS at the parent, or clock skew can all break validation. A validating resolver would then return SERVFAIL rather than setting the AD flag.
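The decision logic a checker like this applies to the DS, DNSKEY and AD-flag lookups described above, and to the SERVFAIL case in the last FAQ answer, as an added example that is not the tool's own code. It assumes a DNS-over-HTTPS resolver returning JSON in the shape Cloudflare's 1.1.1.1 uses (Status, AD, Answer[].type); the sample responses are constructed.

```python
import json
import urllib.request
from urllib.parse import urlencode

DNSKEY, DS, SERVFAIL = 48, 43, 2  # RR type codes and the SERVFAIL rcode

# Assumed endpoint and JSON shape (Status, AD, Answer[].type) as served by
# Cloudflare's 1.1.1.1 DoH JSON API; 'do=true' asks for DNSSEC records.
DOH_URL = "https://cloudflare-dns.com/dns-query"


def doh_query(name, rrtype, url=DOH_URL):
    """Live lookup of one RR type over DNS-over-HTTPS (network required)."""
    qs = urlencode({"name": name, "type": rrtype, "do": "true"})
    req = urllib.request.Request(f"{url}?{qs}", headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def has_rrtype(answer, code):
    return any(rr.get("type") == code for rr in answer.get("Answer", []))


def assess(ds_answer, dnskey_answer):
    """Map the two responses onto the states the page describes."""
    if dnskey_answer.get("Status") == SERVFAIL:
        return "bogus"            # signed, but a validating resolver rejected it
    if not has_rrtype(dnskey_answer, DNSKEY):
        return "unsigned"         # no keys published: DNSSEC not deployed
    if not has_rrtype(ds_answer, DS):
        return "island"           # DNSKEY present but no DS at the parent
    if dnskey_answer.get("AD"):
        return "secure"           # chain of trust validated end to end
    return "unvalidated"          # records exist but resolver did not set AD


def check(domain):
    """Live end-to-end check; not used by the offline samples below."""
    return assess(doh_query(domain, "DS"), doh_query(domain, "DNSKEY"))


# Constructed sample responses (not captured from a real resolver).
SAMPLE_SECURE = ({"Status": 0, "AD": True, "Answer": [{"type": DS}]},
                 {"Status": 0, "AD": True, "Answer": [{"type": DNSKEY}]})
SAMPLE_ISLAND = ({"Status": 0, "AD": False, "Answer": []},
                 {"Status": 0, "AD": False, "Answer": [{"type": DNSKEY}]})
SAMPLE_BOGUS = ({"Status": 0, "AD": True, "Answer": [{"type": DS}]},
                {"Status": SERVFAIL, "AD": False})
```

Run `check("example.com")` for a live result; the "island" state is the DNSKEY-without-DS case from the first FAQ answer.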