Follow the chain of trust from the root down to your zone.
Hands off to the full WebShield scanner, which covers this check alongside every other header, DNS and email auth probe.
DNSSEC turns DNS from 'whatever the resolver told me' into 'signed by a chain of trust rooted at the KSK at IANA.' When it works, cache-poisoning is dead and your DS records at the parent prove your zone's keys. When it breaks, validating resolvers return SERVFAIL and users see 'This site can't be reached.' WebShield walks the whole chain, flags each link's status and gives you a fix for the one that's wrong.
Unsigned DNS is plaintext with no proof of origin - anyone on the resolver path can forge answers and redirect traffic. DNSSEC closes that. It's also a hard prerequisite for several adjacent protocols (DANE for SMTP, SSHFP for SSH host keys, TLSA for any DNS-pinned TLS cert). Getting it right once means cache-poisoning attacks against your domain become implausible.
The scanner performs iterative DNSSEC validation: fetches DS from the parent, resolves DNSKEY at the zone, matches the DS digest to a DNSKEY, verifies RRSIG over the DNSKEY set, then verifies RRSIG over any queried records. Expired or not-yet-valid signatures are flagged. NSEC/NSEC3 proofs of non-existence are validated where applicable.
Cloudflare:

1. Dashboard → DNS → Settings → DNSSEC → Enable
2. Cloudflare shows you a DS record
3. Copy the DS record (algorithm, key tag, digest type, digest)
4. Paste it at your registrar's parent-zone DNSSEC form
5. Wait for the parent to publish; validation starts within minutes to an hour

Route 53:

1. Route 53 → Hosted zones → your zone → DNSSEC signing → Enable
2. AWS creates a KMS-backed KSK
3. "View information to create DS record" → copy the DS record
4. Paste at your registrar's DNSSEC form
5. Route 53 now signs every change automatically

BIND:

```
zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    dnssec-policy default;  # modern BIND handles key rollover
    inline-signing yes;
};
```

PowerDNS:

```sh
pdnsutil secure-zone example.com
pdnsutil set-meta example.com SOA-EDIT-DNSSEC default
pdnsutil export-zone-ds example.com
# copy the DS line to your registrar
```

Almost always: the DS at the parent does not match any DNSKEY at the zone (common after a key rollover that did not update the registrar), or the RRSIGs have expired (signer offline too long). Re-sync the DS at the registrar or re-sign the zone.
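The DS-to-DNSKEY link the scanner checks, and the mismatch the answer above describes, as an added offline Python example (not WebShield's or any vendor's code): it derives the RFC 4034 key tag and DS digest from a DNSKEY and tests whether the parent's DS still matches a key the zone publishes. The two KSKs are constructed stand-ins, not real zone data, and nothing here touches the network.

```python
import base64
import hashlib
import struct

# DS digest types: 1 SHA-1 (RFC 4034), 2 SHA-256 (RFC 4509), 4 SHA-384 (RFC 6605)
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name: str) -> bytes:
    """Canonical owner name: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_text(flags: int, algorithm: int, pubkey: bytes) -> str:
    """Presentation form 'flags 3 alg base64' (the DNSKEY protocol field is always 3)."""
    return f"{flags} 3 {algorithm} {base64.b64encode(pubkey).decode()}"

def parse_dnskey(text: str) -> bytes:
    """'257 3 13 <base64>' -> DNSKEY RDATA in wire form (flags, protocol, alg, key)."""
    flags, proto, alg, *b64 = text.split()
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + base64.b64decode("".join(b64))

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the RDATA (valid for every algorithm except 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    return DIGEST[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def make_ds(owner: str, dnskey: str, digest_type: int = 2) -> str:
    """The DS record ('keytag alg digesttype digest') the parent should hold for this key."""
    rdata = parse_dnskey(dnskey)
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches(owner: str, ds: str, dnskeys: list) -> bool:
    """True if the parent's DS is backed by one of the DNSKEYs the zone publishes."""
    tag, alg, dtype, digest = ds.split(maxsplit=3)
    digest = digest.replace(" ", "").upper()  # dig may print the digest with spaces
    return any(rdata[3] == int(alg) and key_tag(rdata) == int(tag)  # cheap filter first
               and ds_digest(owner, rdata, int(dtype)) == digest
               for rdata in map(parse_dnskey, dnskeys))

if __name__ == "__main__":
    old_ksk = dnskey_text(257, 13, bytes(range(64)))  # constructed stand-in for a P-256 key
    new_ksk = dnskey_text(257, 13, bytes(range(64, 128)))  # key published after a rollover
    ds_at_parent = make_ds("example.com", old_ksk)  # what the registrar still holds
    print("DS matches old key:", ds_matches("example.com", ds_at_parent, [old_ksk]),
          "| matches new key:", ds_matches("example.com", ds_at_parent, [new_ksk]))
```

A `False` for every key in the zone's DNSKEY set is exactly the "DS at parent does not match" state that makes validating resolvers SERVFAIL.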
No - they solve different problems. DoH and DoT encrypt the DNS transport between your resolver and a server. DNSSEC authenticates the DNS answer regardless of transport. They compose: DoH means the ISP can't see the queries; DNSSEC means the answer can't be forged.
ECDSA P-256 (algorithm 13) is the modern baseline - small signatures, universal validator support. Ed25519 (algorithm 15) is even smaller, supported by recent resolvers. Avoid RSA-SHA1 (5) and NSEC3-RSA-SHA1 (7) - both deprecated.
Not meaningfully. Signatures add a few hundred bytes per response, which matters only on slow links. Resolver caching absorbs most of the cost. ECDSA P-256 and Ed25519 signatures are small enough to fit in a single UDP response in most cases.