Understanding DNSSEC Test Results

Analysis Guide • Updated December 2024

DNSSEC analyzers provide detailed reports about your domain's security configuration. This guide explains how to interpret results from popular tools.

DNSViz Results

DNSViz provides a visual representation of your DNSSEC chain of trust.

Color Coding

  • Green: Properly signed and validated—no action needed
  • Yellow/Orange: Warnings—works but may have issues
  • Red: Errors—validation fails, requires immediate attention
  • Gray: Unsigned or insecure—no DNSSEC present

Common DNSViz Messages

Message Meaning Action
DNSKEY verified Keys are valid None required
DS references valid DNSKEY Chain of trust intact None required
No valid DS referral DS record missing or wrong Add/fix DS at registrar
RRSIG expired Signatures are out of date Re-sign zone
Algorithm not supported Using obsolete algorithm Migrate to Algorithm 13 or 8

Verisign DNSSEC Analyzer

Verisign Labs provides a hierarchical text report showing each validation step.

Understanding the Hierarchy

Results show the chain from root to your domain:

. (root zone) → .com → example.com

Each level shows whether DS and DNSKEY records are correct.

Status Indicators

  • ✓ (checkmark): Step passed
  • ✗ (X): Step failed—this is where the problem is
  • ⚠ (warning): Non-critical issue

dig Command Output

Success Indicators

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2

The ad flag (authenticated data) means DNSSEC validation succeeded.

Failure Indicators

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL

SERVFAIL with a signed domain usually indicates DNSSEC validation failure.

Cloudflare DNSSEC Status

In Cloudflare dashboard, DNSSEC shows these statuses:

  • Active: DNSSEC enabled and DS record detected at parent
  • Pending: Enabled, waiting for DS record at registrar
  • Disabled: Not configured
  • Error: Misconfiguration detected

Common Test Results and Fixes

"Insecure" Status

Meaning: No DNSSEC is configured (zone not signed, or no DS record).

Action: Enable DNSSEC if desired—see our implementation guides.

"Bogus" or "Invalid"

Meaning: DNSSEC is configured but validation fails.

Action: Immediate attention required. See validation troubleshooting.

"Secure" with Warnings

Meaning: DNSSEC works but configuration could be improved.

Common warnings:

  • Using SHA-1 digest (migrate to SHA-256)
  • Weak algorithm (migrate to ECDSA or RSA with 2048+ bits)
  • Signature expiring soon (check automatic re-signing)

Related Articles