CuscusLab Logo

DNSSEC Checker Tool

DNSSEC Checker is a specialized security tool used to verify if a domain has enabled DNS Security Extensions. It ensures that DNS responses have not been intercepted or tampered with by validating cryptographic signatures.

Verify if a domain is protected by DNSSEC. Check the Chain of Trust by validating DS and DNSKEY records instantly.

No signup requiredChain of Trust AuditRFC Compliant

Type a domain to check DNS records.

Record FiltersDNS Toolkit
All RecordsA + AAAACAAALIAS (CNAME)MAIL (MX)NSSOASERVICE (SRV)TXTSPFDKIMDMARCPTRDNSSEC

Why DNSSEC Matters

What is DNSSEC?

DNSSEC adds a layer of security to the DNS lookup process. It uses digital signatures to ensure that the DNS data you receive implies valid origin authenticity and data integrity.

Protects Against

  • DNS Spoofing (Cache Poisoning)
  • Man-in-the-Middle Attacks
  • Redirection to malicious sites

Pro Tip: DNSSEC protects the "phone book" lookup. To secure the actual conversation data, you must also use SSL/TLS Certificates.

Key Records Explained

DS

Delegation Signer

Found in the parent zone (e.g., .com for example.com). It creates a chain of trust to your domain's DNSKEY.

DNSKEY

DNS Public Key

Public keys used to verify the digital signatures (RRSIG) of your DNS records.

RRSIG

Resource Record Signature

The cryptographic signature of a DNS record set, which can be verified using the DNSKEY.

DNSSEC Status Output

StatusDetails
SignedDS or DNSKEY records found
UnsignedNo DNSSEC records detected

Note: Unsigned does not mean broken; it only means DNSSEC is not enabled.

Common DNS Errors

NXDOMAIN

The domain does not exist in DNS. Check the spelling or registration status.

SERVFAIL

The resolver failed to answer. This can be caused by DNSSEC issues or upstream outages.

Timeout

The DNS server did not respond in time. Try again or check connectivity.

Related Tools

DNS Lookup

View all common DNS record types.

WHOIS Lookup

Check domain registration details.

SSL Checker

Verify SSL/TLS certificate chain.

Port Checker

Test for open ports and services.

Frequently Asked Questions

Does DNSSEC improve performance?

DNSSEC adds verification, which can slightly increase DNS response size, but improves security.

Is DNSSEC required?

DNSSEC is optional, but recommended for domains that require stronger DNS integrity.

What if DNSSEC is unsigned?

The domain can still resolve, but responses are not cryptographically validated.