Check whether a domain uses DNSSEC and whether it has a valid chain of trust from the root zone to the domain’s DNSKEY records.
Enter only the domain name, for example domain.com, without the https:// prefix.
The DNSSEC check shows whether a domain’s DNS responses are protected with DNSSEC signatures and whether they can be validated. DNSSEC adds signatures to DNS so that resolvers can verify that DNS responses have not been modified in transit.
A DS record is published in the parent zone and connects the domain to the DNSSEC chain of trust.
DNSKEY records contain public keys used to verify DNSSEC signatures.
Working DNSSEC requires an unbroken chain from the root zone through the TLD to the checked domain.
If validation succeeds, DNS responses can be authenticated using their signatures.
DNSSEC protects the integrity of DNS responses. It does not encrypt DNS traffic, but it helps verify that a response comes from the correct DNS zone and has not been changed on the way.
DNSSEC is especially important when a domain uses security mechanisms that depend on DNS, such as DANE/TLSA records. Without working DNSSEC, DANE cannot provide the same level of trust.
Secure means that DNSSEC validation succeeded and the chain of trust is working. Unsigned means that no validated DNSSEC chain was found. This usually does not break the domain, but DNSSEC protection is not enabled.
Validation failed is more serious. It can mean that DS and DNSKEY data do not match or that signatures are invalid. Validating resolvers may refuse to return DNS answers for the domain.
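The DS-to-DNSKEY match described above can be checked by hand. The following is an added example, not code from this page or the checker behind it: it recomputes the DS digest and key tag from a DNSKEY as defined in RFC 4034 (section 5.1.4 and Appendix B) and compares them with the DS published in the parent zone. The function names are hypothetical and the key material is constructed sample data, not a real zone's key.

```python
import base64
import hashlib
import struct

# DS digest type numbers mapped to hashlib names (1=SHA-1, 2=SHA-256, 4=SHA-384).
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

def wire_name(name):
    """Owner name in canonical wire format: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (the rule for all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as upper-case hex."""
    data = wire_name(owner) + rdata
    return hashlib.new(DIGESTS[digest_type], data).hexdigest().upper()

def ds_matches(owner, dnskey, ds):
    """dnskey: (flags, protocol, algorithm, pubkey_b64).
    ds: (key_tag, algorithm, digest_type, hex_digest) as published in the parent."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return False  # unknown digest type: cannot confirm the link
    rdata = dnskey_rdata(*dnskey)
    return (tag == key_tag(rdata) and alg == dnskey[2]
            and digest.replace(" ", "").upper() == ds_digest(owner, rdata, dtype))

# Constructed sample data: a key-signing key, and a replacement key whose DS
# was never updated in the parent zone.
OWNER = "example.com."
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
ROLLED_KSK = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
PARENT_DS = (key_tag(dnskey_rdata(*KSK)), 13, 2,
             ds_digest(OWNER, dnskey_rdata(*KSK), 2))

if __name__ == "__main__":
    print("current KSK matches parent DS:", ds_matches(OWNER, KSK, PARENT_DS))
    print("rolled KSK matches parent DS: ", ds_matches(OWNER, ROLLED_KSK, PARENT_DS))
```

A mismatch for every DNSKEY in the zone corresponds to the "DS and DNSKEY data do not match" case: the parent still points at a key the zone no longer publishes.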
No. DNSSEC verifies the integrity and origin of DNS responses, but it does not encrypt queries. Encryption requires other technologies such as DoT or DoH.
Yes. If the DNSSEC chain is broken, validating resolvers can reject DNS responses. This can make the website and email fail for some users.
DNSSEC is not mandatory for every domain, but it improves DNS trust and is practically required for security mechanisms such as DANE/TLSA.