DNSSEC Validator
Verify the status of Domain Name System Security Extensions (DNSSEC). Verify the existence of DNSKEY and DS records to audit cryptographic validation chains.
Check DNSSEC Status
—
—
Zone DNSKEY Records
| DNSKEY Record Value |
|---|
Parent DS (Delegation Signer) Records
| DS Record Value |
|---|
Comprehensive Guide to DNSSEC (Domain Name System Security Extensions)
The Domain Name System (DNS) was originally designed to be open and lightweight. However, this simplicity came at a cost: queries are unencrypted and unsigned. This design flaw allows attackers to perform **DNS Spoofing** or **Cache Poisoning** attacks—intercepting requests between a client and a recursive resolver and returning a fraudulent IP address, redirecting unsuspecting users to malicious replica websites.
To remediate this structural vulnerability, the Internet Engineering Task Force (IETF) introduced **DNSSEC (Domain Name System Security Extensions)**. DNSSEC adds a layer of cryptographic verification to DNS queries, ensuring that resolved data is authentic and has not been altered in transit.
1. How DNSSEC Establishes a Chain of Trust
DNSSEC uses asymmetric cryptography (public-key cryptography) to establish a continuous **Chain of Trust** starting from the root DNS zone down to the specific subdomain:
- The Root Anchor: The chain starts at the internet's root zone. The public Key Signing Key (KSK) of the root zone is universally distributed and trusted by all operating systems and recursive resolvers.
- TLD Verification: The root zone validates the Top-Level Domain (TLD) (e.g. `.com`) registry by signing the TLD's public keys. This signature is published as a **DS (Delegation Signer)** record in the root zone.
- Domain Verification: Similarly, the `.com` TLD registry signs the authoritative public keys of your specific domain name, publishing a corresponding DS record under your domain registry records.
2. Core DNSSEC Resource Records
Implementing DNSSEC introduces four new types of resource records into your domain's zone file:
- DNSKEY: Contains the public keys used to verify signatures. Typically, there is a Zone Signing Key (ZSK - flag 256) used to sign host records, and a Key Signing Key (KSK - flag 257) used to sign other DNSKEY records.
- RRSIG (Resource Record Signature): Contains the actual cryptographic signature generated by signing a specific record set (like an A or MX record set) using the ZSK private key.
- DS (Delegation Signer): Published at the parent registry (e.g. at the registrar dashboard). It contains a hash value of the KSK, linking the parent and child zones together.
- NSEC / NSEC3: Used to prove the non-existence of a record, preventing attackers from forging NXDOMAIN (domain does not exist) responses.
DNSSEC Command
You can query DNSSEC keys directly from your terminal using:
dig google.com DNSKEY