DNSSEC Checker
Verify whether a domain has DNSSEC enabled and inspect its DNSKEY and DS records.
About the DNSSEC Checker
DNSSEC adds a layer of cryptographic verification to DNS, allowing resolvers to confirm that the DNS records they receive genuinely came from the authoritative source and were not tampered with along the way. Without it, DNS is vulnerable to certain interception and spoofing attacks that can redirect traffic to malicious servers without any obvious sign to the user. This tool checks whether a domain has DNSSEC properly enabled and whether the chain of trust between the domain and its parent zone is correctly configured.
How it works
DNSSEC works by publishing cryptographic signatures alongside DNS records. Resolvers verify those signatures using DNSKEY records published by the domain and DS records published by the parent zone, which together form a chain of trust back to the root. DNSbyte checks for the presence of both DNSKEY and DS records and reports whether DNSSEC is fully enabled, not enabled at all, or partially configured. The partial state occurs when one of the two pieces is present without the other, indicating a broken chain of trust.
A partial configuration is often worse than no DNSSEC at all, since some validating resolvers will treat an incomplete chain as a sign of tampering and refuse to resolve the domain entirely.
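The following is an added example, not DNSbyte's own code. It goes one step beyond a presence check by computing the key tag and DS digest from each DNSKEY (RFC 4034) and reporting "enabled" only when a DS at the parent actually matches a key in the zone. The function names, tuple layouts and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Owner name in canonical (lowercased) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """DS tuple (key_tag, algorithm, digest_type, digest_hex) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), dnskey[2], digest_type, digest)

def dnssec_status(owner, dnskeys, ds_records):
    """Classify a zone from its DNSKEY set and the DS set at the parent."""
    if not dnskeys and not ds_records:
        return "not enabled"
    for tag, alg, dtype, digest in ds_records:
        if dtype not in DIGESTS:
            continue  # unknown digest type: cannot be matched here
        for key in dnskeys:
            if make_ds(owner, key, dtype) == (tag, alg, dtype, digest.lower()):
                return "enabled"
    return "partial"  # one side missing, or no DS matches any DNSKEY

if __name__ == "__main__":
    # Constructed sample key (not a real zone's key): flags 257, protocol 3, algorithm 13
    ksk = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
    good = make_ds("example.com", ksk)
    stale = good[:3] + ("00" * 32,)  # constructed DS whose digest matches no key
    print(dnssec_status("example.com", [ksk], [good]))   # enabled
    print(dnssec_status("example.com", [ksk], [stale]))  # partial
    print(dnssec_status("example.com", [ksk], []))       # partial
```

A DS that is present but matches no DNSKEY, as can happen when the registrar still holds a DS for a key the zone no longer publishes, is classified as partial here even though both record types exist.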
Frequently asked questions
Why would I want DNSSEC if my domain works fine without it?
DNSSEC protects against a specific class of attack in which DNS responses are intercepted or forged to redirect traffic. Such an attack is invisible to normal browsing and causes no obvious everyday problems until it is actively exploited, so working fine day to day does not mean the domain is protected against this risk.
What does a partial DNSSEC status mean and is it dangerous?
It means either a DS record exists at the parent zone without a matching DNSKEY at the domain, or the reverse, breaking the chain of trust between the two. This can be worse than having no DNSSEC at all, since validating resolvers may refuse to resolve the domain entirely rather than simply skipping verification.
How do I actually enable DNSSEC for my domain?
This is configured through your DNS provider and domain registrar together. Typically, your DNS provider generates the DNSKEY records, and you then submit the corresponding DS record to your registrar, who publishes it to the parent zone. The exact steps vary by provider.
Will enabling DNSSEC slow down my website?
It adds a small amount of overhead to DNS resolution due to the cryptographic verification involved, but this is generally negligible for typical website performance and is not a meaningful concern for most domains.
Do I need DNSSEC if I already use HTTPS everywhere?
They protect different things. HTTPS secures the connection between a browser and a server once a connection is established, while DNSSEC verifies that the DNS lookup itself is trustworthy before that connection is even made, so the two are complementary rather than one making the other unnecessary.