DNSSEC (Domain Name System Security Extensions) protects DNS from spoofing. Verification = confirm the domain publishes DNSKEY and a DS record in the TLD, and the signature chain is valid. Tools: online DNS checkers, dig +dnssec, delv, Verisign DNSSEC Analyzer.
Below: step-by-step, working examples, common pitfalls, FAQ.
Free online tool — DNS lookup tool: instant results, no signup.
dig +dnssec +short example.com DNSKEY for keys; dig +dnssec example.com DS for DS recordsdig +dnssec +trace example.com — trace from rootdelv @8.8.8.8 example.com — "fully validated" = OK| Scenario | Config / Record |
|---|---|
| Properly signed domain | dig +dnssec example.com → answer contains RRSIG + "ad" flag (Authenticated Data) |
| Unsigned domain | dig +dnssec → NO RRSIG in answer. DS record missing from TLD |
| Broken DNSSEC | delv reports "no valid signature" or "DNSKEY could not be retrieved" |
| Via 1.1.1.1 (validating) | dig @1.1.1.1 example.com → SERVFAIL = signature invalid |
dig +dnssec shows records but does not validate — use delv or +traceTo check DNSSEC for a domain, use the dig command-line tool with the +dnssec flag followed by the domain name. For example, dig +dnssec example.com will return DNSSEC-related records. Verify the presence of RRSIG and DNSKEY records to confirm DNSSEC is enabled. If you're in the EU, ensure compliance with GDPR when handling DNS data.
Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add a layer of security to the DNS protocol. It ensures that the responses to DNS queries are authentic and have not been tampered with during transit. DNSSEC uses public key cryptography to sign DNS data, allowing resolvers to verify the authenticity of the data they receive.
In the context of DNSSEC, there are several key components:
When a resolver queries a DNSSEC-enabled zone, it receives both the DNS records and the corresponding RRSIG records. The resolver can then use the DNSKEY records to verify the RRSIG signatures, ensuring the integrity of the data.
To check if DNSSEC is enabled for a specific domain, follow these practical steps using the dig command-line tool:
dig +dnssec example.comReplace example.com with your domain name. The output will include several sections, but you should focus on the ANSWER SECTION and ADDITIONAL SECTION.
In the ANSWER SECTION, look for:
In the ADDITIONAL SECTION, you may find the DNSKEY record. If both RRSIG and DNSKEY records are present, DNSSEC is enabled for the domain.
For further verification, you can also check the DS records in the parent zone:
dig DS example.comIf a DS record is returned, it indicates that the parent zone knows about the DNSKEY, thus confirming DNSSEC is properly configured. For example, a DS record may look like:
example.com. 86400 IN DS 12345 8 2 3A2B...1234In this case, the values represent the key tag, algorithm, and digest type, respectively. Ensure that the values align with the DNSKEY records to maintain a secure chain of trust.
DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic, email, and how to verify domainownership.
Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.
Direct queries to authoritative servers. Results in milliseconds, no caching.
SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.
Save check results. Compare DNS records before and after registrar changes.
DNS check after deploy
SPF/DKIM/DMARC audit
DNS config audit
DNS zone control
v=spf1 TXT record.DNS check history, API keys and DNS change monitoring.
Sign up freeAuthenticated Data — the resolver's flag. If set, the resolver validated the signature and it is correct.
Yes. HTTPS protects transit, DNSSEC protects name resolution. Without DNSSEC an attacker can forge the IP → you land on their HTTPS site with their cert → no protection.
Not every resolver validates. Unbound, BIND, PowerDNS — yes. dnsmasq (home routers) — often no. Test via 1.1.1.1.
Only 4.1% of .ru domains. See the <a href="/en/s/research-dnssec-adoption-runet-2026">Enterno research</a>.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.