A DNSSEC checker that tests the whole chain of trust
DNSSEC protects DNS from tampering by cryptographically signing records, so a validating resolver can verify that an answer is the one the zone owner published and was not altered in transit. But it only works if the chain of trust links all the way from the root zone down to your domain, and the most common failure is a zone that is signed but not properly connected to its parent. This DNSSEC checker tells you, in plain terms, whether a domain's DNSSEC is enabled, whether it is actually validating, and if it is broken, why.
Is DNSSEC enabled — and is it actually working?
Those are two different questions, and this tool answers both. A domain can publish signing keys (so DNSSEC looks "enabled") while the parent zone has no matching DS record, which means validating resolvers treat the zone as unsigned: nothing breaks, but nothing is protected either. Worse, a domain can have a DS record at the parent that no longer matches any of its current keys. Validating resolvers then return SERVFAIL, so the domain fails to resolve for every user behind a validating resolver, which today is a large share of the internet. Rather than reporting a yes/no flag, this checks the live chain as it is served right now.
How we test the DNSSEC signature
Here's the honest part about method. The heavy cryptographic work of verifying every signature back to the root is performed by DNSSEC-validating resolvers (Cloudflare and Google). We read their verdict: if a validating resolver answers with the AD (Authenticated Data) flag set, the chain verified; if it returns SERVFAIL but the same query succeeds with validation switched off (the CD, Checking Disabled, bit set), the chain is broken rather than the domain being down. On top of that we independently recompute the DS digest from each of the domain's DNSKEY records (the hash covers the owner name together with the key's RDATA) and compare it to the DS records published at the parent, giving you a second, direct check of the parent-to-child link. That DS comparison only confirms the link; whether the signatures themselves verify is still the resolver's call. We don't hand-roll full signature cryptography, because a validating resolver does it correctly and a subtly wrong homegrown verdict would be worse than none. One caveat when reading results right after a change: resolvers cache, so a DS you have just fixed can still show as broken until the cached records expire.
Reading the records
Below the verdict we show the actual records: the DNSKEY entries (with their algorithm and whether each is a key-signing key, flags 257 with the SEP bit set, or a zone-signing key, flags 256), and the DS records at the parent (with key tag, algorithm, and digest type). Together these are the pieces a network engineer needs to troubleshoot a delegation. For example, spotting that the DS at the parent (the one you submitted through your registrar) references a key tag or algorithm that no longer exists in the current DNSKEY set is the classic sign of a broken chain after a key rollover in which the old key was retired before the new DS was published, or the DS was never updated at all.
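The DS recomputation described under "How we test the DNSSEC signature", and the stale-key-tag diagnosis described just above, can both be done offline from the two record sets. The following is an added example written for this page; it is not the checker's own code. It assumes records in the presentation format dig prints (owner, TTL, class, type, then RDATA) and uses constructed key material for a hypothetical example.com, not any real zone's keys. The DS digest is SHA of the owner name in wire form followed by the DNSKEY RDATA, and the key tag follows RFC 4034 Appendix B.

```python
"""Recompute DS digests from a DNSKEY set and classify each DS at the parent.

Added example (not the checker's own code). All key material and records
below are constructed for illustration; a real run would take the DNSKEY
lines from the child zone and the DS lines from the parent.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384 (type 3, GOST, is not handled here).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA exactly as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B): 16-bit ones-complement-style sum."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), uppercase hex."""
    return DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey(line: str) -> dict:
    """Parse '<owner> [ttl] [class] DNSKEY <flags> <proto> <alg> <base64...>' as dig prints it."""
    t = line.split()
    i = t.index("DNSKEY")
    flags, proto, alg = (int(x) for x in t[i + 1:i + 4])
    pubkey = base64.b64decode("".join(x for x in t[i + 4:] if x not in "()"))
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    return {"owner": t[0], "flags": flags, "algorithm": alg, "tag": key_tag(rdata),
            "role": "KSK" if flags & 1 else "ZSK", "rdata": rdata}


def parse_ds(line: str) -> dict:
    """Parse '<owner> [ttl] [class] DS <tag> <alg> <digest type> <hex digest...>'."""
    t = line.split()
    i = t.index("DS")
    return {"owner": t[0], "tag": int(t[i + 1]), "algorithm": int(t[i + 2]),
            "digest_type": int(t[i + 3]),
            "digest": "".join(x for x in t[i + 4:] if x not in "()").upper()}


def check_delegation(dnskey_lines, ds_lines):
    """Classify every parent DS against the child's DNSKEY set.

    Returns [(key tag, status)], with status one of:
      'match'           DS digest equals the digest of a published DNSKEY
      'digest-mismatch' a DNSKEY with this tag/algorithm exists but its digest differs
      'no-such-key'     no DNSKEY with this tag/algorithm (the stale-DS-after-rollover case)
      'unknown-digest'  digest type this code cannot compute
    This confirms only the parent-to-child link; signature validity is the resolver's job.
    """
    keys = [parse_dnskey(l) for l in dnskey_lines]
    results = []
    for ds in (parse_ds(l) for l in ds_lines):
        if ds["digest_type"] not in DIGEST_ALGOS:
            results.append((ds["tag"], "unknown-digest"))
            continue
        cands = [k for k in keys if k["tag"] == ds["tag"] and k["algorithm"] == ds["algorithm"]]
        if not cands:
            results.append((ds["tag"], "no-such-key"))
        elif any(ds_digest(k["owner"], k["rdata"], ds["digest_type"]) == ds["digest"] for k in cands):
            results.append((ds["tag"], "match"))
        else:
            results.append((ds["tag"], "digest-mismatch"))
    return results


def chain_linked(results) -> bool:
    """A delegation is linked if at least one DS matches a published key."""
    return any(status == "match" for _, status in results)


# --- Constructed demo data for a hypothetical example.com (not a real zone) ---
# Two ECDSA P-256 (algorithm 13) keys with made-up 64-byte public key material.
KSK_PUB = bytes(range(64))
ZSK_PUB = bytes(range(64, 128))
DNSKEYS = [
    "example.com. 3600 IN DNSKEY 257 3 13 " + base64.b64encode(KSK_PUB).decode(),
    "example.com. 3600 IN DNSKEY 256 3 13 " + base64.b64encode(ZSK_PUB).decode(),
]
KSK_TAG = key_tag(dnskey_rdata(257, 3, 13, KSK_PUB))  # 59409 for this constructed key

# Parent-side DS lines. GOOD_DS is what a correct enrolment publishes (derived here from
# the KSK); the other two are constructed to reproduce the classic failures.
GOOD_DS = f"example.com. 3600 IN DS {KSK_TAG} 13 2 " + ds_digest("example.com.", dnskey_rdata(257, 3, 13, KSK_PUB), 2)
STALE_DS = "example.com. 3600 IN DS 12345 13 2 " + "00" * 32       # tag of a key no longer published
WRONG_DS = f"example.com. 3600 IN DS {KSK_TAG} 13 2 " + "AB" * 32  # right tag, wrong digest

if __name__ == "__main__":
    for label, ds_set in (("healthy", [GOOD_DS]), ("stale after rollover", [STALE_DS]),
                          ("old and new DS both present", [STALE_DS, GOOD_DS]), ("corrupt", [WRONG_DS])):
        res = check_delegation(DNSKEYS, ds_set)
        print(f"{label:28s} linked={chain_linked(res)} {res}")
```

To run it against a real delegation, feed `check_delegation` the lines from `dig DNSKEY yourdomain.example` and `dig DS yourdomain.example` (the DS query is answered from the parent's data). A parent that still lists an old DS alongside the current one is reported as linked, because a validating resolver needs only one DS to match; a parent that lists only the old one is the SERVFAIL case described above.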