// Tool
DNSSEC Chain Checker
Enter a parent domain to discover delegated child zones via Certificate Transparency logs, then verify the full DNSSEC chain of trust for each one — from root down to every zone.
Subdomains discovered from Certificate Transparency logs (crt.sh). NS delegation and DNSSEC checked via Cloudflare 1.1.1.1 DoH.
Frequently Asked Questions
How is this different from the DNSSEC Zone Checker?
The Zone Checker validates one zone. The Chain Checker discovers child zones (using Certificate Transparency to find subdomains) and validates the DNSSEC chain for each, catching a broken signer on a subdomain you may have forgotten.
What is a chain of trust in DNSSEC?
Each zone’s keys are vouched for by a DS record in its parent, up to the signed root. Validation walks root to TLD to domain to subdomain, confirming each link signs the next.
Why would a subdomain fail DNSSEC while the apex passes?
Subdomains can be delegated to different providers or signers. A missing DS at the delegation, an expired signature, or an unsigned child breaks that branch while the apex stays valid.
