DNSSEC Check: Verify Your Domain's Security Status

Want to know if a domain has DNSSEC enabled? This guide shows you multiple ways to check DNSSEC status—from quick command-line checks to comprehensive online analyzers.

Quick DNSSEC Check with dig

The fastest way to check DNSSEC status is using the dig command. Open your terminal and run:

Check for DS Record (at parent zone)

dig example.com DS +short

If DNSSEC is enabled: You'll see output like:

2371 13 2 ABC123DEF456...

If DNSSEC is NOT enabled: No output (empty response).

Check for DNSKEY Record

dig example.com DNSKEY +short

This shows the signing keys. DNSSEC-enabled domains return key records with flags 256 (ZSK) and 257 (KSK); the flags value is the first field of each line.

Check for Signatures (RRSIG)

dig example.com +dnssec

Look for RRSIG records in the response. These are the digital signatures that a validating resolver uses to verify that the records are authentic.

Online DNSSEC Checkers

These free online tools provide detailed DNSSEC analysis:

DNSViz (dnsviz.net)

DNSViz provides a visual diagram of the DNSSEC chain of trust. It shows:

  • Complete chain from root to your domain
  • All signing keys and signatures
  • Any errors or warnings in the chain
  • Signature expiration dates

Verisign DNSSEC Debugger

Verisign DNSSEC Analyzer provides:

  • Step-by-step validation results
  • Clear pass/fail indicators
  • Detailed error messages

Google Public DNS Check

Use Google's DNS-over-HTTPS API for quick checks:

https://dns.google/resolve?name=example.com&type=DS

Interpreting DNSSEC Check Results

Result                      | Meaning                 | Action
DS + DNSKEY + RRSIG present | DNSSEC fully configured | Verify signatures are valid
No DS record                | DNSSEC not enabled      | Enable DNSSEC at DNS provider
DS exists, no DNSKEY        | Broken configuration    | Zone not signed; remove DS
SERVFAIL response           | Validation failing      | Check DS/DNSKEY match
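
The "Check DS/DNSKEY match" action above can be done offline from the two dig outputs. The Python below is an added example, not part of the original guide: it recomputes the key tag and DS digest from each DNSKEY line and reports whether every DS record has a matching key. The function names and SAMPLE_DNSKEY (a constructed placeholder, not a real key) are assumptions of this example.

```python
import base64
import hashlib

# DS digest type number -> hashlib name (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}
# Constructed sample, not a real key: 8 placeholder bytes labelled as an algorithm-13 KSK.
SAMPLE_DNSKEY = "257 3 13 AAECAwQFBgc="

def parse_dnskey(line):
    """Turn one `dig +short DNSKEY` line into DNSKEY RDATA wire bytes."""
    flags, proto, alg, *b64 = line.split()  # dig may split the key with spaces
    key = base64.b64decode("".join(b64))
    # Wire layout: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key.
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(owner):
    """Canonical (lowercased) wire form of the owner name."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    data = wire_name(owner) + rdata
    return hashlib.new(DIGESTS[digest_type], data).hexdigest().upper()

def match_ds(owner, ds_lines, dnskey_lines):
    """Map each `dig +short DS` line to match / no-dnskey / digest-mismatch."""
    keys = [parse_dnskey(l) for l in dnskey_lines if l.strip()]
    results = {}
    for line in (l for l in ds_lines if l.strip()):
        tag, alg, dtype, *digest = line.split()
        want = "".join(digest).upper()
        # Candidates: DNSKEYs whose key tag and algorithm equal the DS fields.
        cands = [k for k in keys if key_tag(k) == int(tag) and k[3] == int(alg)]
        if not cands:
            results[line] = "no-dnskey"
        elif int(dtype) not in DIGESTS:
            results[line] = "unsupported-digest"
        elif any(ds_digest(owner, k, int(dtype)) == want for k in cands):
            results[line] = "match"
        else:
            results[line] = "digest-mismatch"
    return results
```

Pass it the lines printed by dig example.com DS +short and dig example.com DNSKEY +short. A DS line reported as no-dnskey or digest-mismatch is the kind of break that makes validating resolvers return SERVFAIL.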

Check Popular Domains

Here are some examples of DNSSEC status for major domains:

  • google.com: DNSSEC enabled
  • cloudflare.com: DNSSEC enabled
  • paypal.com: DNSSEC enabled
  • .gov domains: Required to have DNSSEC

What to Do After Checking

If DNSSEC is NOT enabled:

Consider enabling DNSSEC to protect your domain from DNS spoofing attacks:

If DNSSEC validation is failing:

Your domain may be unreachable from DNSSEC-validating resolvers:
