DNSSEC Validator

Verify the status of Domain Name System Security Extensions (DNSSEC). Verify the existence of DNSKEY and DS records to audit cryptographic validation chains.

Check DNSSEC Status

Enter a domain name to verify cryptographic zone signing.
Audit status:
0%

Zone DNSKEY Records
DNSKEY Record Value
Parent DS (Delegation Signer) Records
DS Record Value

Comprehensive Guide to DNSSEC (Domain Name System Security Extensions)

The Domain Name System (DNS) was originally designed to be open and lightweight. However, this simplicity came at a cost: queries are unencrypted and unsigned. This design flaw allows attackers to perform **DNS Spoofing** or **Cache Poisoning** attacks—intercepting requests between a client and a recursive resolver and returning a fraudulent IP address, redirecting unsuspecting users to malicious replica websites.

To remediate this structural vulnerability, the Internet Engineering Task Force (IETF) introduced **DNSSEC (Domain Name System Security Extensions)**. DNSSEC adds a layer of cryptographic verification to DNS queries, ensuring that resolved data is authentic and has not been altered in transit.


1. How DNSSEC Establishes a Chain of Trust

DNSSEC uses asymmetric cryptography (public-key cryptography) to establish a continuous **Chain of Trust** starting from the root DNS zone down to the specific subdomain:

  • The Root Anchor: The chain starts at the internet's root zone. The public Key Signing Key (KSK) of the root zone is universally distributed and trusted by all operating systems and recursive resolvers.
  • TLD Verification: The root zone validates the Top-Level Domain (TLD) (e.g. `.com`) registry by signing the TLD's public keys. This signature is published as a **DS (Delegation Signer)** record in the root zone.
  • Domain Verification: Similarly, the `.com` TLD registry signs the authoritative public keys of your specific domain name, publishing a corresponding DS record under your domain registry records.

2. Core DNSSEC Resource Records

Implementing DNSSEC introduces four new types of resource records into your domain's zone file:

  • DNSKEY: Contains the public keys used to verify signatures. Typically, there is a Zone Signing Key (ZSK - flag 256) used to sign host records, and a Key Signing Key (KSK - flag 257) used to sign other DNSKEY records.
  • RRSIG (Resource Record Signature): Contains the actual cryptographic signature generated by signing a specific record set (like an A or MX record set) using the ZSK private key.
  • DS (Delegation Signer): Published at the parent registry (e.g. at the registrar dashboard). It contains a hash value of the KSK, linking the parent and child zones together.
  • NSEC / NSEC3: Used to prove the non-existence of a record, preventing attackers from forging NXDOMAIN (domain does not exist) responses.
DNSSEC Command

You can query DNSSEC keys directly from your terminal using:

dig google.com DNSKEY