
How to Check DNSSEC for a Domain

Key idea:

DNSSEC (Domain Name System Security Extensions) protects DNS answers from spoofing. To verify a domain, confirm that it publishes DNSKEY records, that a matching DS record exists in the parent (TLD) zone, and that the signature chain validates. Tools: online DNS checkers, dig +dnssec, delv, Verisign DNSSEC Analyzer.

Below: step-by-step, working examples, common pitfalls, FAQ.

Step-by-Step Setup

  1. Online: Enterno DNS Checker → enter domain → DNSSEC section shows DNSKEY + DS + validation status
  2. Via dig: dig +dnssec +short example.com DNSKEY for keys; dig +dnssec example.com DS for DS records
  3. Full chain: dig +dnssec +trace example.com — trace from root
  4. delv (validation-focused): delv @8.8.8.8 example.com — "fully validated" = OK
  5. External analyzer: Verisign DNSSEC Analyzer — shows every chain issue
  6. Browser extension: DNSSEC/TLSA Validator (Firefox, Chrome) — address-bar icon

Working Examples

Scenario                   | Config / Record
Properly signed domain     | dig +dnssec example.com → answer contains RRSIG + "ad" flag (Authenticated Data)
Unsigned domain            | dig +dnssec → no RRSIG in answer; DS record missing from TLD
Broken DNSSEC              | delv reports "no valid signature" or "DNSKEY could not be retrieved"
Via 1.1.1.1 (validating)   | dig @1.1.1.1 example.com → SERVFAIL = signature invalid
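The scenarios in the table, and steps 2 to 4 above, all come down to reading three things out of a dig answer: the header status (NOERROR vs SERVFAIL), the "ad" flag, and whether RRSIG records came back. The script below is an added example, not code from the page or from Enterno; it parses dig's default text output into those three signals and maps them onto the table's four cases. The sample transcripts are constructed (example.com, a 192.0.2.0/24 address and a made-up signature), not captured from real servers; probe() runs a real dig and needs network access.

```python
"""Classify a domain's DNSSEC state from dig output (added example, not page code).

Parses the default text format of `dig +dnssec <domain> [type]`: header status,
the flags line and the resource records in each section. Sample outputs below
are constructed for illustration; they were not captured from real servers.
"""
import re
import subprocess

_STATUS_RE = re.compile(r"status: (\w+)")
_FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
_SECTION_RE = re.compile(r";; (\w+) SECTION:")


def parse_records(dig_output):
    """Return (section, owner, ttl, rrtype, rdata) for every record dig printed."""
    section, records = None, []
    for line in dig_output.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line or line.startswith(";"):  # blank lines, dig's comments, QUESTION line
            continue
        parts = line.split(None, 4)
        if section and len(parts) >= 4 and parts[2] == "IN":
            rdata = parts[4] if len(parts) == 5 else ""
            records.append((section, parts[0], int(parts[1]), parts[3], rdata))
    return records


def status_of(dig_output):
    """RCODE from the ->>HEADER<<- line (NOERROR, SERVFAIL, NXDOMAIN, ...)."""
    m = _STATUS_RE.search(dig_output)
    return m.group(1) if m else "UNKNOWN"


def classify_dnssec(dig_output):
    """Map one dig answer onto the table: 'validated', 'signed-unvalidated',
    'unsigned' or 'servfail'."""
    if status_of(dig_output) == "SERVFAIL":
        return "servfail"
    m = _FLAGS_RE.search(dig_output)
    flags = set(m.group(1).split()) if m else set()
    signed = any(r[3] == "RRSIG" for r in parse_records(dig_output))
    if "ad" in flags:   # resolver validated the chain (Authenticated Data)
        return "validated"
    if signed:          # signatures present, but the resolver did not vouch for them
        return "signed-unvalidated"
    return "unsigned"


def servfail_is_dnssec(plain_output, cd_output):
    """A SERVFAIL can also be a plain outage. Re-query with +cd (checking
    disabled); if that succeeds, the resolver itself rejected the chain."""
    return classify_dnssec(plain_output) == "servfail" and status_of(cd_output) == "NOERROR"


def probe(domain, resolver="1.1.1.1", rrtype="A", extra=()):
    """Run dig for real (needs network and the dig binary) and classify the answer."""
    cmd = ["dig", f"@{resolver}", "+dnssec", *extra, domain, rrtype]
    return classify_dnssec(subprocess.run(cmd, capture_output=True, text=True).stdout)


def _sample(status, flags, answer):
    """Build a constructed dig transcript in the layout dig prints."""
    body = ";; ANSWER SECTION:\n" + "\n".join(answer) + "\n\n" if answer else ""
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: {len(answer)}, AUTHORITY: 0, ADDITIONAL: 1\n\n"
            ";; QUESTION SECTION:\n;example.com.\t\t\tIN\tA\n\n"
            + body + ";; Query time: 12 msec\n")


A_RR = "example.com.\t\t3600\tIN\tA\t192.0.2.10"                      # constructed
RRSIG_RR = ("example.com.\t\t3600\tIN\tRRSIG\tA 13 2 3600 20250201000000 "
            "20250101000000 4242 example.com. Y29uc3RydWN0ZWQtc2lnbmF0dXJl")  # constructed

SAMPLES = {
    "validated":          _sample("NOERROR", "qr rd ra ad", [A_RR, RRSIG_RR]),
    "signed-unvalidated": _sample("NOERROR", "qr rd ra", [A_RR, RRSIG_RR]),
    "unsigned":           _sample("NOERROR", "qr rd ra", [A_RR]),
    "servfail":           _sample("SERVFAIL", "qr rd ra", []),
}

if __name__ == "__main__":
    for expected, out in SAMPLES.items():
        print(f"{expected:20s} -> {classify_dnssec(out)}")
    print("SERVFAIL caused by validation:",
          servfail_is_dnssec(SAMPLES["servfail"], SAMPLES["signed-unvalidated"]))
```

The "signed-unvalidated" case is the one the pitfalls list warns about: the resolver handed back RRSIGs but never set "ad", so nothing has been checked. Point probe() at 1.1.1.1, 8.8.8.8 or 9.9.9.9 to get a verdict that means something, and use servfail_is_dnssec() with a second `+cd` query before calling a SERVFAIL a DNSSEC failure.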

Common Pitfalls

  • Default resolvers (routers, Windows) often do NOT validate — use 1.1.1.1, 8.8.8.8, 9.9.9.9
  • dig +dnssec shows records but does not validate — use delv or +trace
  • Broken DNSSEC = SERVFAIL for 25-40% of validating clients — domain becomes "down"
  • The DS record in the TLD is published by the registrar. Rotating keys without updating DS → every client gets SERVFAIL

Record type   | What it holds
A / AAAA      | IPv4 and IPv6 host addresses
MX            | Domain mail servers
TXT / SPF     | Verification & anti-spoofing
NS / SOA      | Name servers & zone authority


How it works

  1. Enter domain
  2. Select record type
  3. Get DNS response

What are DNS Records?

DNS (Domain Name System) translates domain names into IP addresses. DNS records are instructions that define where to route traffic and email, and how to verify domain ownership.

Complete Lookup

Query all record types — A, AAAA, MX, NS, TXT, CNAME, SOA — in a single request.

Instant Results

Direct queries to authoritative servers. Results in milliseconds, no caching.

Security Checks

SPF, DKIM, and DMARC analysis to evaluate email protection against spoofing and phishing.

Export & History

Save check results. Compare DNS records before and after registrar changes.

Who uses this

  • DevOps: DNS check after deploy
  • Email marketers: SPF/DKIM/DMARC audit
  • SEO: DNS config audit
  • Sysadmins: DNS zone control

Common Mistakes

  • Missing SPF record: without SPF, emails may land in spam. Add a v=spf1 TXT record.
  • Single NS server: if the only NS fails, the domain becomes unreachable. Use at least 2 NS servers.
  • CNAME conflicting with other records: a CNAME cannot coexist with MX or TXT on the same name; this violates the DNS RFCs.
  • TTL set too high: with an 86400s TTL, DNS changes take a full day. Lower TTL to 300 before migrations.
  • Missing PTR record: mail servers check PTR. Without it, emails may be rejected.

Best Practices

  • Set up SPF + DKIM + DMARC: the trio of records that protects your email from spoofing and improves deliverability.
  • Use 2+ NS servers: distribute NS servers across different networks for redundancy.
  • Lower TTL before migration: set TTL to 300 at least 24-48 hours before an IP change for fast propagation.
  • Verify DNS after changes: after updating records, confirm changes propagated correctly and no errors remain.
  • Add a CAA record: CAA restricts which Certificate Authorities can issue SSL certificates for your domain.
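Most of the mistakes and best practices above can be checked mechanically once the zone's records are in hand. The linter below is an added example, not Enterno's tooling: it takes a zone as a constructed dict of (name, rrtype) → [(ttl, rdata), ...] (a real check would fill it from dig answers) and reports missing SPF/DMARC/CAA, a single NS, a CNAME sharing its name with other records, and TTLs that are a full day or too high for a planned migration, using the page's own figures (86400s and 300s). PTR and DKIM are left out: PTR lives in the reverse zone of the mail server's address and DKIM needs the selector name, neither of which the forward zone provides. Both sample zones are constructed.

```python
"""Lint a zone for the DNS mistakes and best practices listed above.

Added example, not the page's own tooling. The zone is a constructed dict
(name, rrtype) -> [(ttl, rdata), ...]; a real check would fill it from dig
answers or a zone file.
"""

FULL_DAY = 86400       # the page's example of a TTL that delays changes by a day
MIGRATION_TTL = 300    # the page's recommended TTL before an IP change


def lint_zone(zone, apex, migration_planned=False):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []

    def rrs(rrtype, name=apex):
        return zone.get((name, rrtype), [])

    # Email: SPF is a TXT at the apex, DMARC a TXT at _dmarc.<apex>.
    if not any(rdata.startswith("v=spf1") for _, rdata in rrs("TXT")):
        findings.append(("SPF", f"no v=spf1 TXT record at {apex}"))
    if not any(rdata.startswith("v=DMARC1") for _, rdata in rrs("TXT", "_dmarc." + apex)):
        findings.append(("DMARC", f"no v=DMARC1 TXT record at _dmarc.{apex}"))

    ns_count = len(rrs("NS"))
    if ns_count < 2:
        findings.append(("NS", f"{ns_count} NS record(s) at {apex}: publish at least 2"))

    if not rrs("CAA"):
        findings.append(("CAA", f"no CAA record at {apex}: any CA may issue for it"))

    # A name that owns a CNAME may hold no other record types (RFC 1034, RFC 2181).
    for name, rrtype in zone:
        if rrtype == "CNAME":
            others = sorted(t for n, t in zone if n == name and t != "CNAME")
            if others:
                findings.append(("CNAME", f"{name} has CNAME plus {', '.join(others)}"))

    # TTL: a full day delays every change; before a move, host records need 300s.
    for (name, rrtype), rrset in zone.items():
        for ttl, _ in rrset:
            if ttl >= FULL_DAY:
                findings.append(("TTL", f"{name} {rrtype} TTL {ttl}s: changes take a full day"))
            if migration_planned and rrtype in ("A", "AAAA", "MX") and ttl > MIGRATION_TTL:
                findings.append(("MIGRATION-TTL",
                                 f"{name} {rrtype} TTL {ttl}s: lower to {MIGRATION_TTL} before the move"))
    return findings


# Constructed zone that trips most checks: one NS, no SPF/DMARC/CAA, a CNAME
# sharing its name with a TXT, and day-long TTLs on the apex NS and A records.
BAD_ZONE = {
    ("example.com.", "NS"):        [(86400, "ns1.example.net.")],
    ("example.com.", "A"):         [(86400, "192.0.2.10")],
    ("example.com.", "MX"):        [(3600, "10 mail.example.com.")],
    ("example.com.", "TXT"):       [(3600, "site-verification=constructed")],
    ("www.example.com.", "CNAME"): [(3600, "example.com.")],
    ("www.example.com.", "TXT"):   [(3600, "also-constructed")],
}

# Constructed zone that follows the best-practice list.
CLEAN_ZONE = {
    ("example.com.", "NS"):         [(3600, "ns1.example.net."), (3600, "ns2.example.org.")],
    ("example.com.", "A"):          [(300, "192.0.2.10")],
    ("example.com.", "TXT"):        [(3600, "v=spf1 mx -all")],
    ("_dmarc.example.com.", "TXT"): [(3600, "v=DMARC1; p=reject")],
    ("example.com.", "CAA"):        [(3600, '0 issue "letsencrypt.org"')],
}

if __name__ == "__main__":
    for code, msg in lint_zone(BAD_ZONE, "example.com.", migration_planned=True):
        print(f"[{code}] {msg}")
    print("clean zone findings:", lint_zone(CLEAN_ZONE, "example.com.", migration_planned=True))
```

Run it with migration_planned=True a day or two before an address change, as the TTL practice above suggests, and again afterwards to confirm the findings list is empty.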


Frequently Asked Questions

What is the "ad" flag in dig?

Authenticated Data, a flag set by the resolver. If set, the resolver validated the signature chain and found it correct.

Do I need DNSSEC if I have HTTPS?

Yes. HTTPS protects transit, DNSSEC protects name resolution. Without DNSSEC an attacker can forge the IP → you land on their HTTPS site with their cert → no protection.

Why does DNSSEC validate on some resolvers but not others?

Not every resolver validates. Unbound, BIND, PowerDNS — yes. dnsmasq (home routers) — often no. Test via 1.1.1.1.

DNSSEC adoption in Runet

Only 4.1% of .ru domains. See the Enterno research (/en/s/research-dnssec-adoption-runet-2026).