This tool checks the presence and validity of DNSSEC for any domain via Google DNS-over-HTTPS (DoH) with the DO (DNSSEC OK) flag. It verifies DNSKEY, DS records, RRSIG signatures, and the AD flag in the response.
DNSSEC (DNS Security Extensions) is a set of DNS extensions that add cryptographic signatures to DNS records. This protects against DNS response forgery (DNS cache poisoning and man-in-the-middle attacks).
DNSSEC uses a hierarchical chain: from the root zone (.) through the TLD (.com, .io) down to the domain's DNS zone. If any link in the chain is missing, DNSSEC validation fails.
DNSSEC (DNS Security Extensions) is an extension of the DNS protocol that adds cryptographic signatures to DNS responses to protect them from forgery. Without DNSSEC, an attacker can intercept a DNS response and redirect users to a fake site (DNS spoofing). DNSSEC lets you verify the authenticity and integrity of DNS data.
The AD (Authenticated Data) flag in a DNS response means the resolver has verified and confirmed the authenticity of the data using DNSSEC. When the AD flag is set, it signals that the data has not been tampered with and the chain of trust from the root zone to the domain has been validated.
DNSKEY is the zone's public key used to verify signatures. DS (Delegation Signer) is a hash of the child zone's key stored in the parent zone to form the chain of trust. RRSIG is a digital signature for a set of DNS records. The presence of all three elements indicates a complete DNSSEC setup.