DNSKEY at zone
Queries DS and DNSKEY records through validating DNS-over-HTTPS resolvers (Cloudflare, Google) and reports success when either record comes back; signing-chain validation happens at the resolver, which answers SERVFAIL for a zone whose signatures do not verify. One gap to keep in mind: a zone that publishes a DNSKEY but has no DS at the parent is insecure rather than bogus, so the resolver hands back the DNSKEY without the AD (Authenticated Data) flag instead of refusing. Read the AD flag, not just the record's presence, to tell a validated chain from an unsigned delegation.
Instant audit. No account required.
Three checks, one verdict. Each tile is a primitive your AI agent can read alongside the full JSON payload.
Confirms the child zone publishes a DNSKEY record so a validating resolver has a public key to verify signatures against.
Checks that the parent zone (e.g., .com, which the registry populates on your registrar's instruction) publishes a Delegation Signer record: the key tag, algorithm and digest of your Key Signing Key, which is the cryptographic anchor tying your zone into the global chain of trust.
Resolves the domain through a validating resolver and confirms it answers rather than returning SERVFAIL. Together with the AD (Authenticated Data) flag being set on that answer, this is the only end-to-end proof that the chain actually validates; SERVFAIL is what validators return for an expired RRSIG, a DS that matches no Key Signing Key the zone serves, or a signature made with a key that is no longer published.
UpMonitor's DNSSEC Checker verifies whether your domain has Domain Name System Security Extensions (DNSSEC) correctly enabled. It checks for DS, DNSKEY, and RRSIG records to ensure your DNS responses are authenticated and protected against spoofing and hijacking. Free to use - no signup required.
Protect your DNS integrity and prevent man-in-the-middle attacks with a comprehensive DNSSEC audit.
DNSSEC is a suite of extension specifications by the IETF for securing data exchanged by the Domain Name System (DNS) in Internet Protocol (IPv4/v6) networks. It provides cryptographic authentication of data, authenticated denial of existence, and data integrity.
Our free security tool performs a deep dive into your DNS configuration:
Verifies the presence of Delegation Signer (DS) records in the parent zone. A DS carries the key tag, algorithm number and a digest (SHA-256, digest type 2, in current deployments) of your Key Signing Key; it establishes the chain of trust between the parent (e.g., .com) and your domain.
Audits the public keys your zone uses for signing. We look up DNSKEY records, both Zone Signing Keys (flags 256, which sign the zone's record sets) and Key Signing Keys (flags 257, which sign the DNSKEY record set itself and are what the parent's DS refers to).
We query multiple DNSSEC-validating DNS-over-HTTPS resolvers (Cloudflare, Google). If they return your DS and DNSKEY records with the AD (Authenticated Data) flag set, your signatures pass validation in the real world: a misconfigured zone (bad RRSIG, expired signature, or a DS that matches no published Key Signing Key) makes those resolvers answer SERVFAIL instead. Presence alone is not enough, because a zone with a DNSKEY but no DS at the parent is treated as unsigned and its records come back without AD rather than being refused.
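The verdict logic behind these three checks, as an added example that is not UpMonitor's code: it takes DS and DNSKEY answers in the application/dns-json shape that Cloudflare and Google serve, classifies the zone (secure, bogus, insecure, unsigned, unverified, broken) using the AD flag rather than record presence alone, and recomputes the DS digest from a Key Signing Key to confirm the parent's DS actually points at a key the zone serves. Every response, the 4-byte dummy public keys and the placeholder DS digest are constructed so the script runs offline; the dictionary field names are assumptions modelled on those resolvers' JSON format.

```python
"""Verdict logic for a DNSSEC check built on DNS-over-HTTPS JSON answers.

Added example (not UpMonitor's code). The dictionaries mimic the
application/dns-json shape served by Cloudflare and Google DNS, but every
response below is constructed so the script runs offline; the DNSKEY public
keys are 4-byte dummies (a real P-256 key is 64 bytes) and the DS digest is
a placeholder, so it deliberately fails to match the dummy KSK.
"""
import base64
import hashlib
import struct

TYPE_DS, TYPE_DNSKEY = 43, 48
RCODE_SERVFAIL = 2
KSK_FLAGS = 257  # ZONE + SEP bits: the key a parent's DS points at

KSK = "257 3 13 AQIDBA=="   # constructed: flags 257, protocol 3, ECDSAP256SHA256, key 01 02 03 04
ZSK = "256 3 13 BQYHCA=="   # constructed: flags 256, key 05 06 07 08

# Constructed resolver answers (AD = Authenticated Data flag set by a validator).
DS_SECURE = {"Status": 0, "AD": True, "Answer": [
    {"name": "example.com.", "type": TYPE_DS, "TTL": 3600, "data": "2068 13 2 " + "0" * 64}]}
DS_NODATA = {"Status": 0, "AD": True, "Answer": []}          # authenticated denial: no DS
DNSKEY_SECURE = {"Status": 0, "AD": True, "Answer": [
    {"name": "example.com.", "type": TYPE_DNSKEY, "TTL": 3600, "data": KSK},
    {"name": "example.com.", "type": TYPE_DNSKEY, "TTL": 3600, "data": ZSK}]}
DNSKEY_UNVALIDATED = {**DNSKEY_SECURE, "AD": False}           # same records, resolver did not validate
SERVFAIL = {"Status": RCODE_SERVFAIL, "AD": False, "Answer": []}


def answers_of(resp: dict, rrtype: int) -> list:
    """RDATA strings of every Answer record of the requested type."""
    return [rr["data"] for rr in resp.get("Answer", []) if rr["type"] == rrtype]


def classify(ds_resp: dict, dnskey_resp: dict) -> str:
    """Turn a DS answer plus a DNSKEY answer from a validating resolver into one verdict.

    bogus       validator refused (SERVFAIL): bad or expired RRSIG, DS matching no KSK
    secure      DS and DNSKEY present and both answers carry AD=1
    insecure    DNSKEY published but no DS at the parent: validators treat the zone as unsigned
    broken      DS at the parent but no DNSKEY served (a validator normally reports this as SERVFAIL)
    unverified  records present but AD=0: non-validating resolver, or CD was set
    unsigned    neither record exists
    """
    if RCODE_SERVFAIL in (ds_resp["Status"], dnskey_resp["Status"]):
        return "bogus"
    ds, keys = answers_of(ds_resp, TYPE_DS), answers_of(dnskey_resp, TYPE_DNSKEY)
    if not ds and not keys:
        return "unsigned"
    if keys and not ds:
        return "insecure"
    if ds and not keys:
        return "broken"
    return "secure" if ds_resp.get("AD") and dnskey_resp.get("AD") else "unverified"


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased length-prefixed labels, root terminator."""
    labels = owner.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (every algorithm except RSAMD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, dnskey: str) -> str:
    """DS (digest type 2 = SHA-256) for a DNSKEY: digest over owner wire name + DNSKEY RDATA."""
    flags, protocol, algorithm, key_b64 = dnskey.split(maxsplit=3)
    pubkey = base64.b64decode("".join(key_b64.split()))
    rdata = struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + pubkey
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {int(algorithm)} 2 {digest}"


def normalize_ds(ds: str) -> str:
    """Canonical 'tag alg type DIGEST' so digests split over several tokens still compare."""
    tag, alg, dtype, *digest = ds.split()
    return f"{int(tag)} {int(alg)} {int(dtype)} {''.join(digest).upper()}"


def ds_matches_a_ksk(owner: str, ds_records: list, dnskeys: list) -> bool:
    """True when some published DS is the SHA-256 digest of a KSK the zone actually serves.

    This is the link a validator checks; a DS left behind at the registrar after a
    KSK rollover is a common way to fail it, and the result is SERVFAIL for users.
    """
    published = {normalize_ds(ds) for ds in ds_records}
    ksks = [k for k in dnskeys if int(k.split()[0]) == KSK_FLAGS]
    return any(ds_from_dnskey(owner, k) in published for k in ksks)


if __name__ == "__main__":
    print("secure   :", classify(DS_SECURE, DNSKEY_SECURE))
    print("island   :", classify(DS_NODATA, DNSKEY_UNVALIDATED))
    print("servfail :", classify(SERVFAIL, DNSKEY_SECURE))
    print("DS for KSK:", ds_from_dnskey("example.com.", KSK))
    print("parent DS matches served KSK:", ds_matches_a_ksk(
        "example.com.", answers_of(DS_SECURE, TYPE_DS), answers_of(DNSKEY_SECURE, TYPE_DNSKEY)))
```

Against a live resolver you would fetch `https://cloudflare-dns.com/dns-query?name=example.com&type=DS` with `Accept: application/dns-json` and feed the decoded body to `classify`; the `ds_matches_a_ksk` check is the part that catches a stale DS after a KSK rollover before validators start failing.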
| Risk | Impact |
|---|---|
| DNS Cache Poisoning | An attacker injects forged records into a resolver's cache and redirects your users to servers they control; with DNSSEC the forged records fail signature validation and are discarded. |
| DNS Hijacking | An on-path attacker (rogue hotspot, compromised router, ISP middlebox) rewrites answers in transit and intercepts your domain's traffic. |
| Lack of Data Integrity | Clients have no way to verify that the DNS response they received is the one your authoritative servers sent. |
| Dependent Protocols Unavailable | Mechanisms that require a validated chain, such as DANE (TLSA records for SMTP and TLS), cannot be deployed for your domain. |
DNSSEC signatures (RRSIG records) carry an expiration time, typically days to weeks after signing, and must be regenerated before it arrives. If re-signing stops (a broken signer, a stale secondary, a zone file exported once and never signed again), the signatures expire and validating resolvers answer SERVFAIL: the domain goes dark for every user behind a validating resolver while still appearing to work for everyone else, which is why these outages are so hard to spot.
Use modern, secure algorithms for your keys. ECDSAP256SHA256 (algorithm 13) is the usual choice, Ed25519 (algorithm 15) is a good alternative, and RSASHA256 (algorithm 8) remains acceptable. Do not sign with RSASHA1 (5 and 7), DSA (3 and 6) or RSAMD5 (1), which are deprecated, and publish DS records with a SHA-256 digest (digest type 2) rather than SHA-1 (type 1).
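A signature-lifetime and algorithm audit covering both answers above, as an added example rather than UpMonitor's code: it parses RRSIG records in their presentation format (the form a DNS-over-HTTPS JSON answer returns for type 46), flags expired, soon-to-expire and not-yet-valid signatures, and reports deprecated algorithm numbers per RFC 8624. The RRSIG strings, their dummy base64 signatures and the clock passed in as `now` are constructed for the example.

```python
"""Signature-lifetime and algorithm audit over RRSIG records.

Added example, not UpMonitor's code. The RRSIG strings are constructed in
the presentation format a DNS-over-HTTPS JSON answer returns for type 46
(the base64 signatures are dummies), and the clock is passed in as `now`
so the findings are reproducible.
"""
from datetime import datetime, timedelta, timezone

# Algorithm guidance from RFC 8624: 13 and 8 are the mainstream choices, 15 is
# recommended, 14 and 16 are permitted; the rest are deprecated or not recommended.
RECOMMENDED = {8: "RSASHA256", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
               15: "ED25519", 16: "ED448"}
DEPRECATED = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
              7: "RSASHA1-NSEC3-SHA1", 12: "ECC-GOST"}

# Constructed sample: one healthy ECDSA P-256 signature and one RSASHA1 signature
# whose times use the "seconds since epoch" form RFC 4034 also allows.
SAMPLE_RRSIGS = [
    "A 13 2 3600 20240315000000 20240301000000 2068 example.com. ZHVtbXk=",
    "A 5 2 3600 1710460800 1709251200 4711 example.com. ZHVtbXk=",
]


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Timezone-aware UTC timestamp; keeps comparisons against RRSIG times unambiguous."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_time(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC, or an unsigned decimal seconds-since-epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(data: str) -> dict:
    """Split RRSIG presentation text: type alg labels ttl expiration inception tag signer sig."""
    f = data.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": parse_time(f[4]),
            "inception": parse_time(f[5]), "key_tag": int(f[6]), "signer": f[7],
            "signature": "".join(f[8:])}


def audit_rrsig(data: str, now: datetime = None, warn_days: int = 3) -> list:
    """Findings for one RRSIG: lifetime problems first, then algorithm hygiene."""
    now = now or datetime.now(timezone.utc)
    sig = parse_rrsig(data)
    findings = []
    if now >= sig["expiration"]:
        findings.append("expired")            # validators are already answering SERVFAIL
    elif sig["expiration"] - now < timedelta(days=warn_days):
        findings.append("expiring")           # re-signing has stalled; act before expiry
    if now < sig["inception"]:
        findings.append("not-yet-valid")      # clock skew, or signatures published early
    alg = sig["algorithm"]
    if alg in DEPRECATED:
        findings.append("weak-algorithm:" + DEPRECATED[alg])
    elif alg not in RECOMMENDED:
        findings.append(f"unknown-algorithm:{alg}")
    return findings


def soonest_expiry(rrsigs: list) -> datetime:
    """The RRSIG that expires first is the one that takes the zone down; watch that one."""
    return min(parse_rrsig(r)["expiration"] for r in rrsigs)


if __name__ == "__main__":
    now = utc(2024, 3, 10)
    for rrsig in SAMPLE_RRSIGS:
        print(rrsig.split()[6], audit_rrsig(rrsig, now) or "ok")
    print("zone goes bogus at", soonest_expiry(SAMPLE_RRSIGS).isoformat())
```

The warning threshold should be shorter than your signer's refresh interval but long enough to fix a stalled signer; the `not-yet-valid` finding is the one that shows up when a secondary's clock drifts or a fresh signature is published before its inception time.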
No. DNSSEC provides authentication and integrity, but it does not provide confidentiality. Your DNS queries and responses are still sent in plain text (unless you also use DNS over HTTPS or DNS over TLS).
If misconfigured (e.g., invalid or expired signatures, or a DS at the parent that matches no Key Signing Key the zone actually publishes), DNSSEC-validating resolvers will answer SERVFAIL for your domain, making your site appear "down" to those users. Non-validating resolvers keep resolving it, so the outage is partial and hard to reproduce from your own network. Note that a missing DS is not a failure of this kind: validators simply treat the zone as unsigned.
You typically enable it through your DNS hosting provider and your domain registrar. The provider generates the keys and signs the zone, then gives you a DS record (derived from your Key Signing Key) to submit to the registrar, which publishes it in the parent zone. Publish the DS only after the signed zone is live on every authoritative server, and remove it from the parent before you ever stop signing.
The free checker above is great for a manual audit, but DNSSEC is complex and prone to "silent failures" during key rollovers.
With an UpMonitor account, you can:
Pair the audit you just ran with these checkers - the failure modes tend to travel together.
Resolves A, AAAA, CNAME, MX, TXT, and NS records for your domain and measures resolver response time. Fails when no A/AAAA/CNAME records are returned or the hostname doesn't exist.
Validates your TLS certificate: chain integrity, expiry date, and negotiated protocol version. Warns when expiry is under 30 days away or the server negotiates deprecated TLS 1.0/1.1.
Checks for seven key security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener-Policy. Also performs a deep-dive on HSTS quality.
Schedule DNSSEC Status every minute from 12 regions. Get an AI-drafted remediation prompt the moment a check fails - delivered to your inbox, Slack, or MCP-connected agent.