How to Check If a Domain Uses DNSSEC

Verifying DNSSEC status is essential when enabling DNSSEC, troubleshooting issues, or auditing domain security. Here are several methods, from quick online checks to detailed command-line analysis.

Method 1: Online Tools (Easiest)

DNSViz

The most comprehensive visual DNSSEC analyzer:

  1. Visit dnsviz.net
  2. Enter the domain name
  3. Click "Analyze"

DNSViz shows the complete chain of trust with color coding: green means properly signed and validated.

Verisign DNSSEC Analyzer

  1. Visit dnssec-analyzer.verisignlabs.com
  2. Enter the domain
  3. Review the detailed report

The report shows each validation step with a pass/fail status.

Google Admin Toolbox

Visit toolbox.googleapps.com/apps/dig and query DNSKEY or DS records.

Method 2: Command Line

Check for DS Record

dig DS example.com +short

If this returns data, DNSSEC is configured at the registrar level:

2371 13 2 E4F8D8D8...

An empty result means there is no DS record, so DNSSEC is not fully enabled.

Check for DNSKEY

dig DNSKEY example.com +short

This shows the zone's public keys. If DNSKEY records are present but the DS record is missing, the zone is signed but not linked to its parent.

Verify Validation

dig example.com +dnssec

Look for the ad flag (authenticated data) in the response:

;; flags: qr rd ra ad

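The ad flag confirms that the resolver you queried validated the response. A resolver that does not perform DNSSEC validation never sets it, even for a correctly signed zone, so a missing ad flag can reflect the resolver rather than the domain.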

Method 3: Check Your DNS Provider

Log in to your DNS provider's dashboard:

  • Cloudflare: DNS → Settings → DNSSEC shows "Active" or "Pending"
  • Route 53: Hosted Zones → DNSSEC signing tab shows status
  • GoDaddy: DNS Management → DNSSEC toggle

Understanding the Results

Scenario              DS Record  DNSKEY     Status
Fully enabled         ✓ Present  ✓ Present  DNSSEC active and validating
Partially configured  ✗ Missing  ✓ Present  Zone signed, chain broken
Orphaned DS           ✓ Present  ✗ Missing  Validation fails, likely broken
Not enabled           ✗ Missing  ✗ Missing  No DNSSEC
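
The three dig checks from Method 2 and the scenarios in the table above, combined into one script. This is an added example, not part of the original article; the function names, the status strings, the extra "query-failed" status and the sample inputs are assumptions made for the example.

```sh
#!/bin/sh
# Added example: function names and status strings are this example's own.

# classify_dnssec DS_OUTPUT DNSKEY_OUTPUT
# Arguments are the outputs of `dig DS <domain> +short` and
# `dig DNSKEY <domain> +short`.
classify_dnssec() {
    # dig prints ";;" diagnostic lines on errors such as timeouts; treat
    # those as a failed query, not as a missing or present record.
    case "$1$2" in *';;'*) echo "query-failed"; return 0 ;; esac
    ds=$(printf '%s' "$1" | tr -d '[:space:]')
    key=$(printf '%s' "$2" | tr -d '[:space:]')
    if [ -n "$ds" ] && [ -n "$key" ]; then echo "fully-enabled"
    elif [ -n "$key" ]; then echo "partially-configured"
    elif [ -n "$ds" ]; then echo "orphaned-ds"
    else echo "not-enabled"
    fi
}

# has_ad_flag DIG_OUTPUT: true only if "ad" is a whole word on the header
# flags line, so "rd" and "ra" are never mistaken for it.
has_ad_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags:\([^;]*\).*/\1/p' | head -n 1)
    case " $flags " in *" ad "*) return 0 ;; *) return 1 ;; esac
}

# check_domain DOMAIN: run the page's three queries live (needs dig).
check_domain() {
    status=$(classify_dnssec "$(dig DS "$1" +short)" "$(dig DNSKEY "$1" +short)")
    if has_ad_flag "$(dig "$1" +dnssec)"; then ad=yes; else ad=no; fi
    echo "$1: $status (ad flag: $ad)"
}

# Constructed sample inputs (not real query results) for an offline run.
SAMPLE_DS='12345 13 2 CONSTRUCTED-DIGEST'
SAMPLE_KEY='257 3 13 CONSTRUCTED-KEY'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_HDR_AD=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_HDR_NOAD=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

if [ "$#" -gt 0 ]; then
    check_domain "$1"
else
    echo "signed zone:  $(classify_dnssec "$SAMPLE_DS" "$SAMPLE_KEY")"
    echo "no DS:        $(classify_dnssec "" "$SAMPLE_KEY")"
    echo "DS + timeout: $(classify_dnssec "$SAMPLE_DS" "$SAMPLE_TIMEOUT")"
fi
```

Run it with a domain name as the first argument to query live; with no argument it classifies the constructed samples only.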

What to Do Based on Results
