DNSSEC Test
Check whether DNS Security Extensions are enabled for a domain.
What is DNSSEC?
Domain Name System Security Extensions (DNSSEC) is a suite of security protocols that adds cryptographic signatures to DNS records. It ensures that the DNS responses received by a user's browser have not been altered in transit. Without DNSSEC, attackers can manipulate DNS responses to redirect traffic to other websites.
Use the Geekflare tool to confirm that DNSSEC is configured on your domains. Misconfigured DNSSEC can cause a domain to become completely inaccessible, because validating DNS resolvers reject responses with broken or expired signatures. This tool helps you verify the integrity of your chain of trust before configuration errors impact your users.
Key DNSSEC Records Analyzed
| Check | Why It Matters |
|---|---|
| DNSSEC status | Shows whether DNSSEC records were returned for the domain. |
| DNSKEY records | DNSKEY records publish the public keys used to validate signed DNS data. |
| RRSIG records | RRSIG records contain signatures over DNS record sets. |
| Algorithms and key tags | These values help identify which signing keys and algorithms are in use. |
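
The key tag and signature-expiry checks described above can be reproduced offline. The following Python is an added example, not Geekflare's code: it computes the RFC 4034 Appendix B key tag for a DNSKEY and classifies an RRSIG by its validity window and key match, without verifying the signature itself. The function names, the placeholder key bytes, and the `example.com.` signer are assumptions constructed for illustration.

```python
import base64
from datetime import datetime, timezone

# Subset of the IANA DNSSEC algorithm numbers
ALGORITHMS = {8: "RSASHA256", 13: "ECDSAP256SHA256", 15: "ED25519"}

def parse_dnskey(rdata_text):
    """Parse DNSKEY presentation format: 'flags protocol algorithm base64-key'."""
    flags, protocol, algorithm, *key_b64 = rdata_text.split()
    flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
    wire = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode("".join(key_b64)))
    # Key tag (RFC 4034 Appendix B): sum the RDATA as 16-bit words, fold the carry
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(wire))
    acc += (acc >> 16) & 0xFFFF
    return {
        "key_tag": acc & 0xFFFF,
        "algorithm": algorithm,
        "algorithm_name": ALGORITHMS.get(algorithm, f"unknown({algorithm})"),
        "role": "KSK" if flags & 0x0001 else "ZSK",  # SEP bit marks a key-signing key
    }

def check_rrsig(rdata_text, dnskeys, now):
    """Classify an RRSIG by validity window and key match (no signature verification)."""
    f = rdata_text.split()
    algorithm, key_tag = int(f[1]), int(f[6])
    to_utc = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    expiration, inception = to_utc(f[4]), to_utc(f[5])
    if now > expiration:
        return "expired"
    if now < inception:
        return "not-yet-valid"
    if not any(k["key_tag"] == key_tag and k["algorithm"] == algorithm for k in dnskeys):
        return "no-matching-dnskey"
    return "ok"

# Constructed sample data: placeholder key bytes and signature, not real records
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DNSKEYS = [parse_dnskey(f"257 3 13 {SAMPLE_KEY_B64}"),
                  parse_dnskey(f"256 3 13 {SAMPLE_KEY_B64}")]
SAMPLE_RRSIG = "A 13 2 3600 20250201000000 20250101000000 59408 example.com. c2ln"

if __name__ == "__main__":
    for key in SAMPLE_DNSKEYS:
        print(key)
    for day in (datetime(2025, 1, 15, tzinfo=timezone.utc),
                datetime(2025, 3, 1, tzinfo=timezone.utc)):
        print(day.date(), check_rrsig(SAMPLE_RRSIG, SAMPLE_DNSKEYS, day))
```

An RRSIG whose key tag and algorithm match no published DNSKEY, or whose expiration has passed, is the kind of record a validating resolver treats as a failure.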
How to Read the Results
If DNSSEC is Enabled, the domain returned DNSSEC records such as DNSKEY or RRSIG.
If DNSSEC is Disabled, the domain did not return DNSSEC records in this check. To enable DNSSEC, configure signing at your DNS provider, publish the right DS record, and verify the chain of trust after propagation.
DNSSEC validates DNS authenticity and integrity. It does not encrypt DNS queries or hide which domain is being resolved.