DNSSEC checker

Validate your domain's chain of trust and spot broken signatures.


This DNSSEC checker walks your domain's chain of trust from the root zone through the TLD to your own DNSKEY and RRSIG records, confirming each signature links correctly to the next. It reports whether DNSSEC is enabled, whether the DS record at your registrar matches your published keys, and whether any signature has expired. A broken chain can make your entire domain unresolvable for validating resolvers, so catching it early avoids a hard outage. Signatures expire on a schedule, which is exactly why SJ Monitor's DNS monitoring keeps validating the chain for you.

Frequently asked questions

What does a broken DNSSEC chain cause?

Validating resolvers will refuse to return answers, so users behind them simply cannot reach your domain. It often looks like a total outage even though your servers are fine.

Why do DNSSEC signatures expire?

RRSIG records have a built-in validity window and must be re-signed periodically. SJ Monitor's continuous DNS monitoring checks the chain on a schedule and warns you before signatures lapse.

What is a DS record mismatch?

It means the delegation signer record at your registrar no longer matches your zone's keys, usually after a key rollover. Until it is corrected the chain cannot be validated.
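The comparison behind a DS mismatch report, as an added example (not SJ Monitor's code): it derives the DS digest from a DNSKEY as RFC 4034 defines it and checks it against the parent-side DS. The key bytes are constructed sample data, not real keys, and the function names are chosen for this illustration.

```python
import hashlib
import struct

# DS digest type numbers mapped to hashlib algorithm names.
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_to_wire(name):
    """Canonical (lowercase) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA)."""
    data = name_to_wire(owner) + rdata
    return hashlib.new(DIGESTS[digest_type], data).hexdigest()

def check_ds(owner, ds, dnskeys):
    """Compare one DS (tag, alg, digest_type, hex digest) to the zone's DNSKEYs."""
    tag, alg, dtype, digest = ds
    for rdata in dnskeys:
        # The key tag is only a hint; the digest decides.
        if key_tag(rdata) == tag and rdata[3] == alg:
            ok = ds_digest(owner, rdata, dtype) == digest.lower()
            return "match" if ok else "digest mismatch"
    return "no DNSKEY for DS key tag"

# Constructed sample data: an old and a new KSK (flags 257, algorithm 13).
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))
# The DS left at the registrar still describes the old KSK.
PARENT_DS = (key_tag(OLD_KSK), 13, 2, ds_digest("example.com", OLD_KSK, 2))

if __name__ == "__main__":
    print("before rollover:", check_ds("example.com.", PARENT_DS, [OLD_KSK]))
    print("after rollover: ", check_ds("example.com.", PARENT_DS, [NEW_KSK]))
```

The second call models a rollover where the zone publishes only the new KSK while the registrar still holds the old DS, which is the mismatch described above.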

What's the difference between a KSK and a ZSK?

The Key Signing Key signs your DNSKEY set and is what the DS record at the registrar points to; the Zone Signing Key signs the actual records. Splitting roles lets you rotate the ZSK frequently without touching the registrar.

How do I enable DNSSEC?

Sign your zone at your DNS provider (most do this with one toggle), then publish the resulting DS record at your registrar. Both steps are required — signing without the DS record means resolvers can't verify the chain.

Does DNSSEC encrypt my DNS traffic?

No. DNSSEC authenticates answers so they can't be forged or tampered with, but it does not encrypt them. Encryption of DNS queries is a separate concern handled by DNS-over-HTTPS or DNS-over-TLS.
