DS records
Type Value TTL
No DS records returned.
DNSSEC Check
Validate whether a domain’s DNSSEC chain of trust looks complete.
Use this DNSSEC check to inspect parent-side DS records, child-zone DNSKEY records, and common validation outcomes so you can tell whether a zone is unsigned, signed correctly, or broken in a way that can cause SERVFAIL.
Validate DNSSEC before assuming a DNS record problem is the real cause of failed resolution.
Check result
example.com
NOERROR
DNSKEY records
Type Value TTL
No DNSKEY records returned.
What this DNSSEC tool does
DNSSEC Check looks for parent-side DS records and child-zone DNSKEY records so you can evaluate whether the chain of trust appears complete.
Use it to tell the difference between an unsigned zone, a signed zone that is missing DS linkage, and a potentially broken DNSSEC configuration that can cause validating resolvers to fail.
It does not replace record-level troubleshooting. After DNSSEC is confirmed, you usually continue with DNS Lookup, NS Lookup, or propagation checks.
When to use this tool
A domain returns SERVFAIL and you need to confirm whether DNSSEC validation is the reason.
You enabled DNSSEC recently and want to check whether the chain of trust is complete.
A DS record was added at the registrar and you need to confirm the zone is signed correctly.
Different resolvers show different behavior and you suspect a validation failure rather than a record issue.
Resolution stopped working after a registrar or DNS provider migration.
You need to decide whether to inspect DS records, DNSKEY records, nameservers, or record-level answers next.
How to use DNSSEC Check
- Enter the root domain you want to validate.
- Run the DNSSEC check and review the DS and DNSKEY sections.
- Confirm whether the zone appears unsigned, signed, or potentially broken.
- Compare the returned validation state with what you expect from the registrar and DNS provider.
- If the chain looks broken, check DS, DNSKEY, and nameserver state before changing regular records.
How to interpret DNSSEC results
DNSSEC chain present
Likely meaning: The check returned DS and DNSKEY data and the domain appears signed with a linked chain of trust.
Common causes: This usually means the zone is signed and the parent-side DS record matches an active child-zone signing state.
Next action: If users still have issues, continue to DNS Lookup, nameserver checks, or application-level diagnostics.
Unsigned zone
Likely meaning: No DS and no DNSKEY records were returned.
Common causes: The domain may simply be unsigned, which is normal when DNSSEC is not enabled.
Next action: If you expected DNSSEC, verify registrar DS configuration and whether the zone is actually signed.
DNSKEY only
Likely meaning: The zone appears signed, but no DS record was returned from the parent side.
Common causes: This commonly means signing was enabled in the DNS provider but the registrar trust link was never completed.
Next action: Check the registrar DS record and confirm it matches the active signing keys.
DS only
Likely meaning: A DS record exists, but no DNSKEY records were returned successfully.
Common causes: This can indicate a broken chain of trust and often leads to validation failures.
Next action: Verify DNSKEY publication, signing state, and whether a stale DS record is still published.
SERVFAIL
Likely meaning: The recursive resolver could not validate the domain successfully.
Common causes: Broken signatures, DS or DNSKEY mismatches, expired keys, or delegation issues are common causes.
Next action: Check DS, DNSKEY, and nameserver health before changing unrelated records.
NXDOMAIN
Likely meaning: The queried domain does not exist in DNS.
Common causes: The domain may be misspelled, inactive, or the wrong zone may be under investigation.
Next action: Confirm the exact domain first, then troubleshoot DNSSEC only after the base zone exists.
Common DNS issues this tool helps uncover
DS record published at the registrar but not matched by the active DNSKEY set
Zone is signed at the DNS provider, but no DS record exists in the parent zone
Old DS records remain after a DNS provider migration
DNSSEC validation causes SERVFAIL even though base records look correct
Authoritative nameservers are inconsistent after key rollover or signing changes
Resolvers differ because some validate the chain while others still serve older cached state
A domain appears online in one place but fails for validating resolvers elsewhere
DNS changes are blamed when the real issue is a broken chain of trust
Next steps after DNSSEC Check
Check DNS Lookup
If DNSSEC looks healthy, inspect the live A, AAAA, MX, TXT, or NS answers next.
Verify nameservers
Broken delegation can amplify DNSSEC problems, especially after migrations or registrar changes.
Check DNS propagation
Use this after DS or nameserver changes when recursive resolvers may still hold older state.
Move to service checks
If DNSSEC and record-level DNS both look healthy, continue to website, email, or network checks.
Related tools
DNS Lookup
Query A, AAAA, CNAME, TXT, and other DNS records for a domain.
NS Lookup
Check authoritative name servers and delegation for a domain.
DNS Propagation Check
Verify whether recent DNS changes are visible across resolvers.
HTTP Check
Review HTTP response status, headers, and redirect behavior.
MX Lookup
Inspect mail exchange records and delivery destinations for a domain.
DNSSEC Check FAQ
What does DNSSEC Check verify?
It checks whether DS and DNSKEY signals are present and whether the domain appears unsigned, signed correctly, or potentially broken from a validation perspective.
What input should I enter?
Enter the root domain, such as example.com. DNSSEC checks are most meaningful at the zone level rather than for full URLs.
Why does DNSSEC cause SERVFAIL?
SERVFAIL often appears when validating resolvers cannot complete the chain of trust, usually because DS and DNSKEY data do not match or the signed zone is broken.
What should I check after DNSSEC Check?
Usually nameserver delegation, DNS Lookup, and the DS/DNSKEY relationship if the zone should be signed.
How is DNSSEC Check different from DNS Lookup?
DNS Lookup checks the records being served. DNSSEC Check focuses on whether the signed chain of trust looks valid and complete.