DNSSEC Checker

Verify whether a domain has DNSSEC enabled. Check DS records, DNSKEY records, signing algorithm, and key tags.

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records. It allows resolvers to verify that a DNS response has not been tampered with in transit. Without DNSSEC, attackers can forge DNS responses to redirect users to malicious sites (DNS spoofing).

How does DNSSEC work?

The domain owner signs their DNS zone with a private key. The signatures are published as RRSIG records and the matching public key as a DNSKEY record. A DS (Delegation Signer) record is placed in the parent zone to chain trust upward. When a resolver queries the domain, it uses the public DNSKEY to verify the RRSIG signatures and the DS record to confirm the key is trusted by the parent zone.

Why enable DNSSEC?

DNSSEC protects against cache poisoning, man-in-the-middle attacks on DNS, and unauthorized DNS modifications. It is increasingly required for compliance frameworks and is a recommended best practice by NIST (SP 800-81-2) and ICANN. Many TLDs and registrars now support one-click DNSSEC activation.

Frequently asked questions

Is this DNSSEC checker free?

Yes, completely free. No signup or credit card required. Check any public domain's DNSSEC configuration instantly.

What is a DS record?

A DS (Delegation Signer) record is published in the parent DNS zone (e.g., the .com zone for a .com domain). It contains a hash of the domain's DNSKEY and establishes a chain of trust from the parent zone to the domain's own signed records.

What is the difference between KSK and ZSK?

A KSK (Key Signing Key) signs the DNSKEY record set itself and is referenced by the parent zone's DS record. A ZSK (Zone Signing Key) signs all other records in the zone. Separating these keys allows you to rotate the ZSK frequently without updating the DS record at the registrar.

Which DNSSEC algorithm should I use?

ECDSA P-256/SHA-256 (algorithm 13) or Ed25519 (algorithm 15) are recommended for new deployments. They produce smaller signatures than RSA, reducing DNS response sizes. RSA/SHA-256 (algorithm 8) is still widely supported but generates larger responses.
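The DS record and key tag from the answers above can be recomputed from a DNSKEY, which is how a checker confirms that the parent's DS really points at the zone's KSK. The following is an added example, not code from this tool: the function names are hypothetical, the key bytes are constructed sample data, and it assumes the RFC 4034 key tag calculation and SHA-256 digests (DS digest type 2) only.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA bytes."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata):
    """Return (key_tag, algorithm, digest_type, digest_hex) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(owner, rdata, ds):
    """True only if the parent's DS record identifies exactly this DNSKEY."""
    tag, algorithm, digest_type, digest = ds
    flags = struct.unpack("!H", rdata[:2])[0]
    if digest_type != 2:       # this sketch handles SHA-256 digests only
        return False
    if not flags & 0x0100:     # DS must reference a key with the Zone Key flag
        return False
    return (tag, algorithm, 2, digest.upper()) == make_ds(owner, rdata)

# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13, and a 64-byte
# placeholder key. It is not a real P-256 public key; hashing does not care.
SAMPLE_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    tag, alg, dtype, digest = make_ds("example.com", SAMPLE_KSK)
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
    print("DS matches DNSKEY:", ds_matches("example.com", SAMPLE_KSK,
                                           (tag, alg, dtype, digest)))
```

A key tag match alone is not sufficient, because different keys can share a tag; the digest comparison is what binds the DS to one specific key.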
