// Tool

DNSSEC Zone Checker

Enter any domain or subdomain to verify its DNSSEC configuration — DS records at the parent, DNSKEY publication, RRSIG signatures, and full chain validation via Cloudflare's 1.1.1.1 resolver. Useful for verifying a zone before or after adding a DS record to the parent.

// Enter Zone to Check

Checks performed: DS record at parent · DNSKEY publication · RRSIG on A records · AD flag (chain validation) via 1.1.1.1

When to use this tool

Before adding a DS record to the parent

Confirm the child zone is correctly signing. If this shows "Zone Signed, No DS" — you're ready to add the DS record.

After enabling DNSSEC on a new zone

Verify the chain is fully validated. Look for the AD flag and "Chain Valid" status.

Troubleshooting SERVFAIL errors

A SERVFAIL from a validating resolver usually means broken DNSSEC. This tool shows you exactly which component is failing.

Need to check all child zones at once? Use the DNSSEC Chain Checker →

DNSSEC Zone Checker

When to use this tool

Verifying your browser