
DNSSEC check.

Check DS records, DNSKEY presence, and chain-of-trust status. Understand whether your domain is protected by DNSSEC.

DNSSEC adds cryptographic signatures to protect DNS from tampering.

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. It lets resolvers verify that DNS responses haven't been tampered with in transit — protecting against cache poisoning and man-in-the-middle attacks at the DNS layer.

How it works
Your DNS provider signs your zone with a private key and publishes the matching public key as a DNSKEY record. The corresponding DS record is published at the parent zone (e.g., the .com registry). Resolvers walk the chain of trust from the root zone down to your domain to verify signatures.
What it protects
DNSSEC protects against DNS spoofing attacks where an attacker forges DNS responses to redirect traffic. Without DNSSEC, resolvers trust whatever answer they receive first — even if it's from an attacker.
Tradeoffs
DNSSEC adds complexity: larger DNS responses, key rotation requirements, and risk of breaking resolution if keys expire. Not all registrars and DNS providers support it well. Evaluate whether the protection is worth the operational overhead for your domain.

DNSSEC components

Record | Where | Purpose
DS (Delegation Signer) | Parent zone (registrar) | Hash of the DNSKEY — links the parent zone to your zone's signing key
DNSKEY | Your zone | Public key used to verify RRSIG signatures on your DNS records
RRSIG | Your zone | Signature on each record set — proves records haven't been tampered with
NSEC/NSEC3 | Your zone | Authenticated denial of existence — proves a record doesn't exist
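
The DS-to-DNSKEY link from the table, as an added example (not code from this page or from the tool it describes): it computes the key tag and DS digest per RFC 4034 and shows a parent DS that no longer matches after a key rollover. The key bytes are constructed placeholders, not real keys, and the helper names are hypothetical.

```python
import base64
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types handled here

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA), RFC 4034 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def make_ds(owner, dnskey, digest_type=2):
    """Build the (key tag, algorithm, digest type, digest) tuple for a DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    return (key_tag(rdata), dnskey[2], digest_type, ds_digest(owner, rdata, digest_type))

def ds_matches(owner, dnskey, ds):
    """True if the DS published at the parent points at this DNSKEY."""
    tag, alg, dtype, digest = ds
    rdata = dnskey_rdata(*dnskey)
    if dtype not in DIGESTS or alg != dnskey[2] or tag != key_tag(rdata):
        return False
    return ds_digest(owner, rdata, dtype) == digest.lower()

# Constructed sample data (not real keys): KSK flags 257, protocol 3, algorithm 13.
OWNER = "example.com."
OLD_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
NEW_KSK = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
PARENT_DS = make_ds(OWNER, OLD_KSK)  # the DS the parent zone still publishes

if __name__ == "__main__":
    print("DS at parent:", *PARENT_DS)
    print("old KSK matches:", ds_matches(OWNER, OLD_KSK, PARENT_DS))
    print("new KSK matches:", ds_matches(OWNER, NEW_KSK, PARENT_DS))
```

If the zone starts signing with only the new key while the parent still publishes the old DS, validating resolvers find no DNSKEY matching the DS and resolution fails, which is the breakage described under Tradeoffs.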
DNSSEC monitoring
DNS Doctors monitors your DNSSEC chain of trust, detects expiring signatures, and alerts you before resolution breaks.