
DNSSEC Chain of Trust Validator

Walk the complete DNSSEC chain of trust for any domain — from the root zone down to the target record — and cryptographically verify each link right in your browser. Every level shows its DNSKEY set, DS records, and RRSIG signatures, with a real signature-verification verdict (ECDSA & RSA) computed via WebCrypto. Hover any check for details.

Records are resolved with the DO bit set via Google DoH, which returns the RRSIGs in its JSON output. Signatures are verified locally in your browser; the AD-flag cross-check uses Cloudflare 1.1.1.1.

Frequently Asked Questions

Does this tool actually verify the DNSSEC signatures?
Yes. With cryptographic verification enabled, the tool recomputes the DS digest from each DNSKEY and verifies the RRSIG signatures over the DNSKEY, DS, and leaf RRsets directly in your browser using the WebCrypto API. It supports ECDSA P-256 (algorithm 13), ECDSA P-384 (14), and RSA/SHA-256 and RSA/SHA-512 (8 and 10). A padlock marks each signature it has cryptographically confirmed.
What does it do for algorithms WebCrypto cannot verify?
Ed25519 and Ed448 (algorithms 15 and 16) and the deprecated RSA/SHA-1 family are not verifiable with the browser WebCrypto API, so the tool clearly labels them as not independently verified rather than showing a false pass. The presence checks and the validating-resolver AD-flag cross-check still apply to those zones.
How does in-browser verification differ from the AD flag?
The AD (Authenticated Data) flag is a validating resolver telling you that it verified the chain. In-browser verification checks the signatures yourself against the published keys and records, so you are not trusting the resolver. The tool shows both: a local cryptographic verdict per signature plus the resolver's AD flag as an independent cross-check.
What is a keytag and why does it matter?
A keytag is a short fingerprint computed from a DNSKEY. It lets you match a DS record at the parent to the specific KSK in the child zone, and match an RRSIG to the key that produced it. When the DS keytag matches the KSK keytag and the signature verifies, the link in the chain is proven intact.
Why does my zone show signed but not validated?
That usually means the zone publishes DNSKEYs and signs its records, but the parent zone has no matching DS record, so resolvers cannot anchor the chain. Add a DS record at your registrar or parent zone that matches one of your KSK DNSKEYs.