Skip to content

How to Check DNSSEC for a Domain

Key idea:

DNSSEC (Domain Name System Security Extensions) protects DNS from spoofing. Verification = confirm the domain publishes DNSKEY and a DS record in the TLD, and the signature chain is valid. Tools: online DNS checkers, dig +dnssec, delv, Verisign DNSSEC Analyzer.

Below: step-by-step, working examples, common pitfalls, FAQ.

Check your domain's DNS →

Step-by-Step Setup

  1. Online: Enterno DNS Checker → enter domain → DNSSEC section shows DNSKEY + DS + validation status
  2. Via dig: dig +dnssec +short example.com DNSKEY for keys; dig +dnssec example.com DS for DS records
  3. Full chain: dig +dnssec +trace example.com — trace from root
  4. delv (validation-focused): delv @8.8.8.8 example.com — "fully validated" = OK
  5. External analyzer: Verisign DNSSEC Analyzer — shows every chain issue
  6. Browser extension: DNSSEC/TLSA Validator (Firefox, Chrome) — address-bar icon

Working Examples

ScenarioConfig / Record
Properly signed domaindig +dnssec example.com → answer contains RRSIG + "ad" flag (Authenticated Data)
Unsigned domaindig +dnssec → NO RRSIG in answer. DS record missing from TLD
Broken DNSSECdelv reports "no valid signature" or "DNSKEY could not be retrieved"
Via 1.1.1.1 (validating)dig @1.1.1.1 example.com → SERVFAIL = signature invalid

Common Pitfalls

  • Default resolvers (routers, Windows) often do NOT validate — use 1.1.1.1, 8.8.8.8, 9.9.9.9
  • dig +dnssec shows records but does not validate — use delv or +trace
  • Broken DNSSEC = SERVFAIL for 25-40% of validating clients — domain becomes "down"
  • The DS record in the TLD is published by the registrar. Rotating keys without updating DS → every client gets SERVFAIL

TL;DR: How to Check DNSSEC for a Domain

To check DNSSEC for a domain, use the dig command-line tool with the +dnssec flag followed by the domain name. For example, dig +dnssec example.com will return DNSSEC-related records. Verify the presence of RRSIG and DNSKEY records to confirm DNSSEC is enabled. If you're in the EU, ensure compliance with GDPR when handling DNS data.

Understanding DNSSEC

Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add a layer of security to the DNS protocol. It ensures that the responses to DNS queries are authentic and have not been tampered with during transit. DNSSEC uses public key cryptography to sign DNS data, allowing resolvers to verify the authenticity of the data they receive.

In the context of DNSSEC, there are several key components:

  • Zone Signing Key (ZSK): This key is used to sign the zone's DNS records.
  • Key Signing Key (KSK): This key is used to sign the ZSK and is stored in the parent zone.
  • Resource Records: These include RRSIG (signature records), DNSKEY (key records), and DS (Delegation Signer) records.

When a resolver queries a DNSSEC-enabled zone, it receives both the DNS records and the corresponding RRSIG records. The resolver can then use the DNSKEY records to verify the RRSIG signatures, ensuring the integrity of the data.

Practical Steps to Check DNSSEC

To check if DNSSEC is enabled for a specific domain, follow these practical steps using the dig command-line tool:

  1. Open your terminal: Ensure you have access to a terminal or command prompt.
  2. Run the dig command: Execute the following command to query the DNSSEC information:
dig +dnssec example.com

Replace example.com with your domain name. The output will include several sections, but you should focus on the ANSWER SECTION and ADDITIONAL SECTION.

In the ANSWER SECTION, look for:

  • RRSIG: This indicates that the records are signed. Verify the validity of the signature by checking its expiration date.
  • DNSKEY: This record contains the public key used to verify the RRSIG signatures.

In the ADDITIONAL SECTION, you may find the DNSKEY record. If both RRSIG and DNSKEY records are present, DNSSEC is enabled for the domain.

For further verification, you can also check the DS records in the parent zone:

dig DS example.com

If a DS record is returned, it indicates that the parent zone knows about the DNSKEY, thus confirming DNSSEC is properly configured. For example, a DS record may look like:

example.com. 86400 IN DS 12345 8 2 3A2B...1234

In this case, the values represent the key tag, algorithm, and digest type, respectively. Ensure that the values align with the DNSKEY records to maintain a secure chain of trust.

A / AAAAIPv4 and IPv6 host addresses
MX RecordsDomain mail servers
TXT / SPFVerification & anti-spoofing
NS / SOAName servers & zone authority

Why teams trust us

12
DNS record types
SPF+DKIM
email protection
<1s
DNS response
3
check regions

How it works

1

Enter domain

2

Select record type

3

Get DNS response

What are DNS Records?

DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.

Complete Lookup

Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.

Instant Results

Direct queries to authoritative servers. Results in milliseconds, no caching.

Security Checks

SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.

Export & History

Save check results. Compare DNS records before and after registrar changes.

Who uses this

DevOps

DNS check after deploy

Email marketers

SPF/DKIM/DMARC audit

SEO

DNS config audit

Sysadmins

DNS zone control

Common Mistakes

Missing SPF recordWithout SPF, emails may land in spam. Add a v=spf1 TXT record.
Single NS serverIf the only NS fails, the domain becomes unreachable. Use at least 2 NS servers.
CNAME conflicting with other recordsCNAME cannot coexist with MX or TXT on the same name — this violates RFC.
TTL set too highWith 86400s TTL, DNS changes take a full day. Lower TTL to 300 before migrations.
Missing PTR recordMail servers check PTR. Without it, emails may be rejected.

Best Practices

Set up SPF + DKIM + DMARCThe trio of records that protects your email from spoofing and improves deliverability.
Use 2+ NS serversDistribute NS servers across different networks for redundancy.
Lower TTL before migrationSet TTL to 300 at least 24-48 hours before an IP change for fast propagation.
Verify DNS after changesAfter updating records, confirm changes propagated correctly and no errors remain.
Add a CAA recordCAA restricts which Certificate Authorities can issue SSL certificates for your domain.

Get more with a free account

DNS check history, API keys and DNS change monitoring.

Sign up free

Learn more

Frequently Asked Questions

What is the "ad" flag in dig?

Authenticated Data — the resolver's flag. If set, the resolver validated the signature and it is correct.

Do I need DNSSEC if I have HTTPS?

Yes. HTTPS protects transit, DNSSEC protects name resolution. Without DNSSEC an attacker can forge the IP → you land on their HTTPS site with their cert → no protection.

Why does DNSSEC validate on some resolvers but not others?

Not every resolver validates. Unbound, BIND, PowerDNS — yes. dnsmasq (home routers) — often no. Test via 1.1.1.1.

DNSSEC adoption in Runet

Only 4.1% of .ru domains. See the <a href="/en/s/research-dnssec-adoption-runet-2026">Enterno research</a>.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.