DNSSEC Checker
Check whether a domain is protected by DNSSEC, which cryptographically signs DNS records to prevent spoofing and cache poisoning.
About the DNSSEC Checker
DNSSEC adds cryptographic signatures to your DNS records so resolvers can verify the answers they receive haven't been forged. Without it, attackers can poison DNS caches and redirect your visitors or mail. This tool checks whether a domain has a working DNSSEC chain of trust.
What this tool checks
It queries the domain's DS and DNSKEY records and checks the authenticated-data (AD) flag in the response from a validating resolver, confirming whether the zone is signed and the chain of trust is intact.
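The check described above, sketched as an added example (not this tool's own code): it builds a DS or DNSKEY query with the DO bit set, reads the AD flag and RCODE from a response header, and combines the two results into a verdict. The verdict names, the `classify` rules and the sample headers are assumptions constructed for illustration.

```python
import struct

DS, DNSKEY, OPT = 43, 48, 41                 # RR type codes
RD, RA, AD, RCODE_MASK = 0x0100, 0x0080, 0x0020, 0x000F  # header flag bits
SERVFAIL = 2

def build_query(name, qtype, txid=0x1234):
    """Wire-format query with RD and AD set plus an EDNS0 OPT record carrying DO."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".") if l) + b"\x00"
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    question = qname + struct.pack("!HH", qtype, 1)        # class IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL holds DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0x00008000, 0)
    return header + question + opt

def parse_header(msg):
    """Extract the header fields the check relies on from a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "ad": bool(flags & AD),
            "rcode": flags & RCODE_MASK, "answers": ancount}

def classify(ds, dnskey):
    """Combine parsed DS and DNSKEY responses into one verdict (hypothetical names)."""
    if SERVFAIL in (ds["rcode"], dnskey["rcode"]):
        return "servfail"            # validating resolvers answer SERVFAIL for bogus data
    has_ds, has_key = ds["answers"] > 0, dnskey["answers"] > 0
    if has_ds and has_key:
        # Both records exist; AD on both means the resolver validated the chain.
        return "secure" if ds["ad"] and dnskey["ad"] else "indeterminate"
    if has_key:
        return "signed-no-ds"        # zone is signed, DS not published at the parent
    if has_ds:
        return "ds-without-dnskey"   # parent delegates securely, zone serves no keys
    return "unsigned"

def sample_header(flags, ancount, txid=0x1234):
    """Constructed 12-byte response header (QR set) for offline demonstration."""
    return struct.pack("!HHHHHH", txid, 0x8000 | flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    ds = parse_header(sample_header(RD | RA | AD, 1))
    key = parse_header(sample_header(RD | RA | AD, 2))
    print(classify(ds, key))
```

A `servfail` verdict is only a hint: a validating resolver returns SERVFAIL when validation fails, but other server errors produce the same code.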
Why DNSSEC matters
DNSSEC prevents DNS spoofing and cache-poisoning attacks that can silently redirect traffic or intercept email. It's the foundation for other technologies like DANE.
Frequently asked questions
What is DNSSEC?
DNSSEC (DNS Security Extensions) cryptographically signs DNS records so resolvers can verify answers are authentic and unmodified, protecting against spoofing and cache poisoning.
How do I enable DNSSEC?
Enable signing at your DNS provider, then publish the resulting DS record at your registrar. Both steps are required for the chain of trust to validate.
Does DNSSEC slow down DNS?
The overhead is minimal. Signature validation adds a small amount of processing, but for virtually all sites the security benefit far outweighs the negligible performance cost.