DNSSEC Check
Confirm whether a domain is signed with DNSSEC
Verify signed vs unsigned DNS zones in seconds.
Type a domain to check DNSSEC status.
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) protects DNS lookups by adding signatures to DNS records.
Why DNSSEC matters
Signed zones help prevent cache poisoning and spoofed DNS responses.
What this check shows
We look for DNSSEC-related records such as DS and DNSKEY to determine signing status.
DNSSEC verification explained
DNSSEC uses a chain of trust from the root to the domain. DS and DNSKEY records help validate signatures.
A signed zone publishes DNSSEC keys and delegates trust through DS records.
DNSSEC status output
The tool reports whether DNSSEC records are detected.
| Status | Details |
|---|---|
| Signed | DS or DNSKEY records found |
| Unsigned | No DNSSEC records detected |
Unsigned does not mean broken; it only means DNSSEC is not enabled.
If the resolver does not support DNSSEC queries, the check may fail.
Common DNS errors
NXDOMAIN
The domain does not exist in DNS. Check the spelling or registration status.
SERVFAIL
The resolver failed to answer. This can be caused by DNSSEC issues or upstream outages.
Timeout
The DNS server did not respond in time. Try again or check connectivity.
Frequently Asked Questions
Does DNSSEC improve performance?
DNSSEC adds verification, which can slightly increase DNS response size, but improves security.
Is DNSSEC required?
DNSSEC is optional, but recommended for domains that require stronger DNS integrity.
What if DNSSEC is unsigned?
The domain can still resolve, but responses are not cryptographically validated.