Validate a domain's DNSSEC chain of trust: DS/DNSKEY/RRSIG, signing algorithms, expiry, and trust status
• Domain: enter a bare domain without https:// (e.g. cloudflare.com)
• Validates the DNSSEC chain of trust via Cloudflare / Google validating resolvers
• Unsigned is a normal state; bogus means signature validation failed and needs attention
DNSSEC validation checks whether a domain has enabled DNS Security Extensions and whether the full chain of trust — from the root zone through the TLD to the domain's own DNSKEY — is intact. It returns the trust status (secure, insecure, or bogus), the DS and DNSKEY records, the RRSIG signatures and their expiry, and any warnings about weak algorithms or broken chains.
Common uses include confirming that DNSSEC is correctly configured after enabling it, diagnosing 'bogus' status caused by a broken chain or expired RRSIG, auditing algorithm strength when migrating from RSASHA1 to ECDSAP256SHA256, and verifying that a recently added DS record at the TLD registry has propagated correctly.
'Secure' means the domain has DNSSEC enabled and the chain of trust validates successfully. 'Insecure' means there is no DNSSEC delegation from the parent zone — the domain is unsigned, which is normal for most domains. 'Bogus' means DNSSEC is configured but validation fails, which is a configuration error that needs fixing.
Most domains do not use DNSSEC. Without it, DNS responses are not authenticated and could theoretically be spoofed. Whether the risk justifies the operational complexity of DNSSEC depends on your use case.
Common causes of a 'bogus' result include an expired RRSIG signature (DNSSEC records need regular resigning), a DS record at the parent that does not match the zone's DNSKEY, or a missing DNSKEY after a key rollover. Check the RRSIG expiry and the DS/DNSKEY match in the result.
RRSIG records have a signature validity window, typically 7 to 30 days, depending on the operator's key rollover policy. Most DNS hosting providers automatically resign records. If you manage your own zone, ensure your signing process runs before signatures expire.
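The three checks described above (DS/DNSKEY match, RRSIG validity window, and weak signing algorithms) can be reproduced offline from the records themselves. The following is an added example written for this page, not the validator's own code: it computes the key tag and DS digest for a DNSKEY per RFC 4034, compares them with a parent-side DS record, classifies an RRSIG's inception/expiration window, and flags deprecated algorithms. The owner name example.com, the 4-byte placeholder public key, and the RRSIG timestamps are all constructed sample values, not real DNS data.

```python
"""Offline checks for the common causes of a DNSSEC 'bogus' result:
DS/DNSKEY mismatch, expired RRSIG, and weak signing algorithm.
All sample records used here are constructed; the DNSKEY public key is a
placeholder, not a real key (real ECDSA P-256 keys are 64 bytes)."""
import base64
import hashlib
from datetime import datetime, timezone

# DNSSEC algorithm numbers from the IANA registry. WEAK_ALGORITHMS are
# those RFC 8624 marks MUST NOT or NOT RECOMMENDED for signing.
ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
              7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
              15: "ED25519", 16: "ED448"}
WEAK_ALGORITHMS = {1, 3, 5, 6, 7}
# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(key_b64))


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 keys use a different rule)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """The DS record the parent zone should publish for this DNSKEY:
    digest = hash(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest.upper()}


def ds_matches_dnskey(ds, owner, flags, protocol, algorithm, key_b64):
    """True if the parent's DS record authenticates this DNSKEY; a mismatch
    here is the 'DS does not match DNSKEY' cause of a bogus result."""
    if ds["digest_type"] not in DS_DIGESTS:
        return False
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, key_b64,
                              ds["digest_type"])
    return (ds["key_tag"] == expected["key_tag"]
            and ds["algorithm"] == expected["algorithm"]
            and ds["digest"].upper() == expected["digest"])


def parse_rrsig_time(ts):
    """RRSIG inception/expiration in presentation format: YYYYMMDDHHMMSS, UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_status(inception, expiration, now=None):
    """Classify an RRSIG validity window as 'valid', 'expired' or
    'not-yet-valid'. `now` may be a datetime, a YYYYMMDDHHMMSS string,
    or None for the current UTC time."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_rrsig_time(now)
    start, end = parse_rrsig_time(inception), parse_rrsig_time(expiration)
    if now < start:
        return "not-yet-valid"
    if now > end:
        return "expired"
    return "valid"


def algorithm_warning(algorithm):
    """Warning text for a deprecated/weak signing algorithm, else None."""
    name = ALGORITHMS.get(algorithm, "UNKNOWN")
    if algorithm in WEAK_ALGORITHMS:
        return f"algorithm {algorithm} ({name}) is deprecated or not recommended"
    return None


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) for example.com, ECDSAP256SHA256.
    owner, flags, proto, alg, key = "example.com.", 257, 3, 13, "AQIDBA=="
    ds = ds_from_dnskey(owner, flags, proto, alg, key)
    print("DS:", ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"])
    print("DS matches DNSKEY:", ds_matches_dnskey(ds, owner, flags, proto, alg, key))
    print("RRSIG:", rrsig_status("20240601000000", "20240615120000", "20240615000000"))
    print("Algorithm warning:", algorithm_warning(5))
```

To apply this to a live zone, fetch the DNSKEY RRset from the zone's authoritative servers and the DS RRset from the parent (for example with `dig +dnssec`), then feed the presentation-format fields into `ds_matches_dnskey`; if no published DS matches any key with the SEP flag (257), the delegation is the problem, and if the DS matches but `rrsig_status` reports `expired`, the resigning process is.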