DNSSEC Validator

Verify the complete DNSSEC chain of trust — direct queries, no third-party APIs.

Resolver for AD bit verification
IPv4 or IPv6 resolver address

What We Verify

6 checks per domain

DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, protecting against DNS spoofing and cache poisoning attacks. Enter any domain above to run a full chain-of-trust validation.

DNSKEY
Public cryptographic signing keys published in the zone, used to verify all signed DNS records.
DS Record
Delegation Signer record in the parent zone (TLD). Creates a verifiable trust link from parent to child zone.
RRSIG Signatures
Cryptographic signatures on each DNS record set, proving records have not been tampered with in transit.
NSEC / NSEC3
Authenticated denial of existence. Proves a name or record type does not exist, blocking forged negative answers.
Chain of Trust
An unbroken cryptographic chain from the DNS root → TLD → your domain. Every link must be verified.
AD Bit
Authenticated Data flag set by a validating resolver, confirming all signatures in the response were successfully verified.