DNSSEC Validator — Check DNSSEC Online

This tool checks the presence and validity of DNSSEC for any domain via Google DNS-over-HTTPS (DoH) with the DO (DNSSEC OK) flag. It verifies DNSKEY, DS records, RRSIG signatures, and the AD flag in the response.

What is DNSSEC?

DNSSEC (DNS Security Extensions) is a set of DNS extensions that add cryptographic signatures to DNS records. This protects against DNS response forgery (DNS cache poisoning and man-in-the-middle attacks).

DNSSEC Components

• DNSKEY — the zone's public key for verifying signatures;
• DS — a hash of DNSKEY in the parent zone, forming the chain of trust;
• RRSIG — a digital signature for each set of DNS records;
• AD (Authenticated Data) — a flag in the DNS response indicating successful validation.

Chain of Trust

DNSSEC uses a hierarchical chain: from the root zone (.) through the TLD (.com, .io) down to the domain's DNS zone. If any link in the chain is missing, DNSSEC validation fails.

Why DNSSEC Matters

• Protection against DNS response spoofing and redirects to phishing sites;
• Increased trust in the domain's infrastructure;
• Required by regulators for government and critical services.