DNSSEC Zone Checker

Enter any domain or subdomain to verify its DNSSEC configuration — DS records at the parent, DNSKEY publication, RRSIG signatures, and full chain validation via Cloudflare's 1.1.1.1 resolver. Useful for verifying a zone before or after adding a DS record to the parent.

Checks performed: DS record at parent · DNSKEY publication · RRSIG on A records · AD flag (chain validation) via 1.1.1.1

When to use this tool

Before adding a DS record to the parent
Confirm the child zone is signing correctly. If this shows "Zone Signed, No DS", you're ready to add the DS record.
After enabling DNSSEC on a new zone
Verify the chain is fully validated. Look for the AD flag and "Chain Valid" status.
Troubleshooting SERVFAIL errors
A SERVFAIL from a validating resolver usually means broken DNSSEC. This tool shows you exactly which component is failing.

Need to check all child zones at once? Use the DNSSEC Chain Checker →

Frequently Asked Questions

What does this DNSSEC checker validate?
It retrieves and validates the DNSSEC chain for a zone — the DS record at the parent, the DNSKEY records in the zone, and the RRSIG signatures — confirming each link is present and correctly signed before you trust the chain.
What is the difference between a KSK and a ZSK?
The Key Signing Key (KSK) signs the DNSKEY record set and is the key referenced by the parent zone’s DS record. The Zone Signing Key (ZSK) signs the actual records in the zone. Splitting the roles lets you roll the ZSK without touching the DS at the parent.
Should I run this before adding a DS record?
Yes. Publish and verify your DNSKEY and signatures first and confirm the zone validates on its own, then add the DS at your parent or registrar. Adding a DS that does not match a working chain will break resolution with SERVFAIL.
What causes a DNSSEC SERVFAIL?
When a validating resolver cannot verify the chain — a missing or expired RRSIG, or a DS/DNSKEY mismatch — it returns SERVFAIL instead of the record, making the name unreachable for validating clients even though the data exists.