speedtest.doctor

DNSSEC Checker

Check whether a domain is protected by DNSSEC by inspecting the authentication flag and its DS and DNSKEY records.

Enter a domain to see whether a validating resolver authenticates it, and whether DS and DNSKEY records are in place.

Beta: we read a validating resolver's verdict plus DS/DNSKEY presence, rather than verifying the full chain ourselves.

How this DNSSEC check works

DNSSEC signs DNS answers so they can be verified, closing the door on forged records and cache poisoning. This tool runs three live queries over DNS-over-HTTPS. First it asks a validating resolver for the domain's address with DNSSEC checking on and reads the AD (Authenticated Data) flag. Then it looks for DS records in the parent zone and DNSKEY records in the zone itself. Together these tell you whether DNSSEC is deployed and currently validating.

How to read the result

| Verdict | What it means |
| --- | --- |
| Validated | AD flag set and DS/DNSKEY present — DNSSEC is working. |
| Signed, not authenticated | Keys exist but the resolver did not set AD — possible misconfiguration. |
| Not signed | No DS record — the domain does not use DNSSEC. |

A "not signed" result is common and not a vulnerability on its own — many domains run without DNSSEC. A "signed, not authenticated" result is the one worth investigating, since it can mean a broken chain that strict resolvers will refuse to resolve.
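
The verdict logic described above, as an added example (not this tool's own code). It assumes the JSON response shape used by public DNS-over-HTTPS resolvers (Status, AD, Answer); classifyDnssec, hasRecord and the sample responses are hypothetical, and the example goes slightly beyond the table by attaching a reason to each verdict.

```javascript
// Added example. Field names (Status, AD, Answer[].type) assume the JSON
// response format used by public DNS-over-HTTPS resolvers.
const TYPE = { DS: 43, DNSKEY: 48 }; // RR type numbers
const RCODE_SERVFAIL = 2;

// True when the query succeeded and returned at least one record of `type`.
function hasRecord(resp, type) {
  return Boolean(resp) && resp.Status === 0 &&
    (resp.Answer || []).some((rr) => rr.type === type);
}

// addr: address query with DNSSEC checking on; ds, dnskey: the two record queries.
function classifyDnssec(addr, ds, dnskey) {
  const hasDs = hasRecord(ds, TYPE.DS);
  const hasKey = hasRecord(dnskey, TYPE.DNSKEY);
  const ad = Boolean(addr) && addr.AD === true;

  if (!hasDs) {
    const reason = hasKey ? "DNSKEY published, but no DS in the parent zone"
                          : "no DS record";
    return { verdict: "Not signed", reason };
  }
  if (ad && hasKey) {
    return { verdict: "Validated", reason: "AD set, DS and DNSKEY present" };
  }
  // A DS exists, so validating resolvers expect valid signatures below it.
  let reason = "resolver did not set AD";
  if (addr && addr.Status === RCODE_SERVFAIL) {
    reason = "resolver answered SERVFAIL, chain is probably broken";
  } else if (!hasKey) {
    reason = "DS in the parent zone, but no DNSKEY in the zone";
  }
  return { verdict: "Signed, not authenticated", reason };
}

// Constructed sample responses (not captured from a real domain).
const rr = (type) => ({ name: "example.test.", type, TTL: 300, data: "(constructed)" });
const SAMPLES = {
  validated: [{ Status: 0, AD: true, Answer: [rr(1)] },
              { Status: 0, AD: true, Answer: [rr(43)] },
              { Status: 0, AD: true, Answer: [rr(48)] }],
  broken:    [{ Status: 2, AD: false },
              { Status: 0, AD: true, Answer: [rr(43)] },
              { Status: 2, AD: false }],
  unsigned:  [{ Status: 0, AD: false, Answer: [rr(1)] },
              { Status: 0, AD: false },
              { Status: 0, AD: false }],
};
for (const [name, q] of Object.entries(SAMPLES)) console.log(name, classifyDnssec(...q));
```

The "broken" sample is the case to alert on: the parent still publishes a DS, but the validating resolver answers SERVFAIL for the zone's own records.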

Frequently asked questions

What is DNSSEC?

DNSSEC adds cryptographic signatures to DNS so resolvers can verify that an answer really came from the domain's owner and was not tampered with in transit. It protects against cache poisoning and spoofed records.

What does the AD flag mean?

AD stands for Authenticated Data. When a validating resolver sets it, the answer's DNSSEC chain checked out. This tool reads the AD flag from a validating public resolver, so a green result means that resolver successfully validated the signatures.

What are DS and DNSKEY records?

DNSKEY records hold the public keys that sign a zone. The DS record sits in the parent zone and fingerprints the child's key, linking the chain of trust. If a domain has DS and DNSKEY records and validates, DNSSEC is properly deployed.

How thorough is this check?

It is a practical indicator, not a full validator. We rely on a validating resolver's verdict and on the presence of DS and DNSKEY records, rather than walking and verifying the entire chain ourselves. For formal audits, use a dedicated DNSSEC analyzer.

Securing a domain end to end?

DNSSEC is one piece. Check the rest of the picture — speed, DNS resolution and latency — with the full check-up, and get a clear verdict on what to harden next.