Network Diagnostic Tools

DNSSEC Check

Is the domain signed and validated?

What is DNSSEC?

DNSSEC (DNS Security Extensions) cryptographically signs DNS records so resolvers can verify they have not been tampered with, defending against cache poisoning and spoofing. It adds a chain of trust on top of ordinary DNS without changing what records mean. IPeek queries a validating DNS-over-HTTPS resolver and reports whether the domain is signed and authenticated.

How DNSSEC builds a chain of trust

DNSSEC works by signing each zone with a private key and publishing the matching public key in the DNS. Records are signed (RRSIG), keys are published (DNSKEY), and a fingerprint of the zone's key (the DS record) is placed in the parent zone. This links your zone to its parent, which links to its parent, all the way up to the root — a continuous chain of trust. A validating resolver follows that chain from the root down, checking each signature, and only trusts answers whose signatures verify.

How to read your DNSSEC check results

IPeek reports whether the domain is DNSSEC-signed and whether a validating resolver authenticates it. An authenticated result (often shown as the AD, or Authenticated Data, flag) means the chain of trust is intact and the records are verified. If the domain is unsigned, DNSSEC is simply not enabled — common and not an error, but it means the records are not protected. A signed domain that fails validation is more serious: it points to a broken chain, usually a missing or mismatched DS record at the registrar.

Common DNSSEC problems and how to fix them

The most common failure is a broken chain of trust, where the zone is signed but the DS record in the parent is missing, stale or does not match the current key. This makes validating resolvers return SERVFAIL and can take the domain completely offline for users behind validating resolvers. It usually happens during key rollovers or when enabling DNSSEC without uploading the DS record to the registrar. Fix it by ensuring the DS record at the registrar matches your zone's active key, and never remove old keys before the DS update has propagated.

Frequently asked questions

What does it mean if a domain is DNSSEC-signed?

A DNSSEC-signed domain has cryptographic signatures on its DNS records, letting validating resolvers confirm the answers are genuine and unmodified. Signing alone is not enough, though: the parent zone must also hold a matching DS record so the chain of trust reaches the domain. A signed and properly delegated domain is protected against spoofing and cache poisoning.

Is it a problem if a domain is not signed with DNSSEC?

No, an unsigned domain is not an error — many domains do not use DNSSEC. It simply means the records carry no cryptographic protection and could in theory be spoofed or poisoned in transit. Enabling DNSSEC adds that protection, but it is optional and requires correct setup at both your DNS provider and registrar.

What is a DS record and why does it matter?

A DS (Delegation Signer) record is a fingerprint of your zone's signing key, published in the parent zone at the registrar. It links your signed zone to the chain of trust above it. If the DS record is missing or does not match your current key, validating resolvers cannot verify the domain and may fail it entirely, so keeping the DS in sync is critical.

What does the AD flag mean in a DNSSEC result?

AD stands for Authenticated Data. When a validating resolver sets the AD flag, it confirms that the answer's DNSSEC signatures were checked and the chain of trust verified successfully. Its absence on a signed domain can indicate a validation failure or that the resolver did not validate. IPeek uses a validating resolver so the flag reflects genuine authentication.

Why would a DNSSEC-signed domain fail validation?

The usual cause is a broken chain of trust: the DS record at the registrar is missing, outdated or does not match the zone's active key, often after a key rollover. Validating resolvers then return SERVFAIL, which can make the domain unreachable for affected users. Aligning the registrar's DS record with the current signing key fixes it.

Related tools

Deutsch | English | Español | Français | Italiano | Português | Русский | Українська | 日本語 | 简体中文 | 한국어