wiredepth

Free tool · DNS posture

DNSSEC checker

Paste any domain. We query a DNSSEC-validating resolver (Cloudflare 1.1.1.1) and tell you whether the chain validates end-to-end (Secure), the zone is unsigned (Insecure), or the chain is broken (Bogus - validating resolvers refuse the domain entirely). No signup.

What this tool checks

DNSSEC adds cryptographic signatures to DNS responses so the resolver can verify the data hasn't been tampered with on its way back. Without DNSSEC, a man-in-the-middle (compromised public Wi-Fi, ISP-level attacker, BGP-hijack mishap) can substitute a fake IP for a real lookup and direct your customers to a phishing site that looks identical to yours.

The chain has three parts: a DNSKEY published at your apex (the public key used to sign records), an RRSIG on every signed record (the actual signature), and a DS record published at the parent zone (anchoring your DNSKEY into the global trust chain so resolvers know to trust it). Break any one of those and DNSSEC fails.

Validating resolvers (Cloudflare 1.1.1.1, Google 8.8.8.8, Quad9, most major ISPs in the EU + AU) refuse to return data when signatures don't verify - they return SERVFAIL. That's the "Bogus" state: your domain is silently unreachable for ~30-40% of internet users.

How to read the results

Verdict tiers:

  • Secure: AD flag set, DNSKEY at apex, DS at parent. Validating resolvers trust the chain. Nothing to do.
  • Insecure: no DNSKEY at apex (zone unsigned), OR DNSKEY present but no DS at parent (chain unanchored). Enable DNSSEC at your DNS provider + publish the DS at your registrar.
  • Bogus: signatures fail to validate. Either an expired RRSIG, a DS/DNSKEY algorithm mismatch, or a half-removed DNSSEC state. URGENT - fix or roll back. Customers using validating resolvers cannot reach your domain.

What "Bogus" looks like in production: customers report intermittent "site won't load" but only on some networks (the ones using validating resolvers). Easy to misdiagnose as a CDN issue. The give-away: SERVFAIL responses for ANY query on the domain, not just A records.
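The verdict tiers above, as an added example (not the tool's own code): `classify()` applies the Secure / Insecure / Bogus rules to facts gathered from a validating resolver, and `observe()` gathers those facts live with dnspython (an assumed dependency, imported lazily so the classifier also runs offline). It adds one check the tiers imply: a query with CD=1 (checking disabled) that still fails points at broken nameservers rather than broken signatures.

```python
"""Classify a domain's DNSSEC posture: Secure / Insecure / Bogus (added example)."""
from dataclasses import dataclass

@dataclass
class Observation:
    """Facts from a validating resolver (constructed by hand in offline tests)."""
    rcode: str            # rcode of an A query with DO=1 (validation on): NOERROR, SERVFAIL, ...
    rcode_cd: str         # same query with CD=1 (validation off) - isolates DNSSEC failures
    ad_flag: bool         # AD bit set on the validated answer
    dnskey_at_apex: bool  # DNSKEY RRset present at the zone apex
    ds_at_parent: bool    # DS RRset published in the parent zone

def classify(obs: Observation) -> str:
    # Bogus: SERVFAIL with validation on, but the data comes back with validation off.
    # If CD=1 also fails, the authoritative servers are down, which is not a DNSSEC fault.
    if obs.rcode == "SERVFAIL":
        return "Bogus" if obs.rcode_cd == "NOERROR" else "Error (nameserver failure, not DNSSEC)"
    if obs.ad_flag and obs.dnskey_at_apex and obs.ds_at_parent:
        return "Secure"
    if not obs.dnskey_at_apex:
        return "Insecure (zone unsigned)"
    if not obs.ds_at_parent:
        return "Insecure (DNSKEY present, no DS at parent)"
    return "Insecure (chain present but resolver did not set AD)"

def observe(domain: str, resolver_ip: str = "1.1.1.1") -> Observation:
    """Gather the facts live. Assumes dnspython (lazy import keeps classify() offline)."""
    import dns.flags, dns.rcode, dns.resolver
    r = dns.resolver.Resolver(configure=False)
    r.nameservers = [resolver_ip]
    r.use_edns(0, dns.flags.DO, 1232)  # DO=1: ask for DNSSEC records (RRSIGs) in the answer

    def query(rdtype: str, cd: bool = False):
        r.flags = dns.flags.RD | (dns.flags.CD if cd else 0)
        try:
            ans = r.resolve(domain, rdtype)
            ad = bool(ans.response.flags & dns.flags.AD)
            return dns.rcode.to_text(ans.response.rcode()), ad, True
        except dns.resolver.NoNameservers:  # resolver answered SERVFAIL: the Bogus symptom
            return "SERVFAIL", False, False
        except dns.resolver.NoAnswer:       # NOERROR but no records of this type
            return "NOERROR", False, False
        except dns.resolver.NXDOMAIN:
            return "NXDOMAIN", False, False

    rcode, ad, _ = query("A")
    rcode_cd, _, _ = query("A", cd=True)
    _, _, has_dnskey = query("DNSKEY")  # apex key
    _, _, has_ds = query("DS")          # served from the parent zone
    return Observation(rcode, rcode_cd, ad, has_dnskey, has_ds)
```

Run `print(classify(observe("example.com")))` against a real domain to see the live verdict.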

Frequently asked questions

Why does Cloudflare 1.1.1.1 say SERVFAIL but my ISP resolver returns the IP?

Your ISP resolver probably doesn't validate DNSSEC. Validating resolvers (1.1.1.1, 8.8.8.8, Quad9) refuse responses with bad signatures; non-validating resolvers just pass the data through. The Bogus state means SOME customers (~30-40% of global traffic) silently can't reach your domain - the rest are fine. Easy to misdiagnose as intermittent network trouble.

What is the DS record and why does my registrar care?

The DS (Delegation Signer) record lives at your domain's PARENT zone (e.g., for example.com the DS lives in .com's zone files). It anchors your DNSKEY into the global DNSSEC trust chain. Your DNS provider generates the DS values; your registrar publishes them. Without DS at the parent, your DNSKEY records exist but no validator trusts them.

How do I enable DNSSEC?

Most major DNS providers (Cloudflare, Route 53, Google Cloud DNS, Azure DNS, DNSimple) offer one-click DNSSEC sign-up in the zone management UI. After signing, you copy DS values from the DNS provider into your registrar. Full propagation: 24-48 hours. Risks: a misconfigured rollover can leave you Bogus - test before relying on it for production traffic.

My domain shows Insecure but I enabled DNSSEC yesterday - why?

Two likely causes. (1) Parent-zone DS publication takes 24-48 hours to propagate. Wait a day, re-check. (2) Your DNS provider signed the zone but you forgot to publish DS at the registrar (common). Find the DS values in your DNS provider UI and add them at your registrar.

Does DNSSEC slow down DNS lookups?

Marginally - validating resolvers do a few extra lookups (DNSKEY + DS + RRSIG fetches) on the first request, then cache the results. Real-world latency penalty: 10-50ms on a cold cache, ~0ms on a warm one. Those records stay cached for hours, so the cost is never user-perceivable for an active site.
