DNSSEC (Domain Name System Security Extensions) adds a layer of trust to DNS by cryptographically signing records. Without it, DNS responses can be spoofed — an attacker can redirect your users to a malicious server without anyone noticing.

How DNSSEC Works

DNSSEC creates a chain of trust from the root zone down to individual domain records. Each parent zone vouches for its child's key: it publishes a DS record carrying a hash of the child's key-signing DNSKEY and signs that DS record with its own key, so a validator can walk from a configured root trust anchor down to the record it is checking. The record types involved:

  • RRSIG records — cryptographic signatures for each DNS record set
  • DNSKEY records — the public keys used to verify RRSIG signatures
  • DS records — delegation signer records that link a child zone's DNSKEY to the parent zone
  • NSEC/NSEC3 records — prove that a domain name does not exist (authenticated denial of existence)
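The DS-to-DNSKEY link is the step a validator repeats at every delegation. The following added example (not code from the original post or from the DNS Toolkit project) shows how that link is checked: it builds DNSKEY RDATA, computes the RFC 4034 key tag, computes the RFC 4509 SHA-256 DS digest over the canonical owner name plus the RDATA, and compares a parent-zone DS record against a child DNSKEY. The key bytes, the DS tuple and the "tampered" key are constructed placeholders, not real example.com material; the DS check never parses the public key itself, so a placeholder is enough to show the logic.

```python
import hashlib
import struct

# Constructed example values (not real example.com key material).
# DNSKEY RDATA is flags(2) | protocol(1) | algorithm(1) | public key.
FLAGS_KSK = 257              # bit 7 "Zone Key" + bit 15 "Secure Entry Point"
PROTOCOL = 3                 # fixed at 3 by RFC 4034
ALG_ECDSAP256SHA256 = 13
DS_DIGEST_SHA256 = 2         # DS digest type 2 = SHA-256 (RFC 4509)


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Build DNSKEY RDATA in wire format."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"                     # the root zone itself
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in name.split(".")) + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest = SHA-256(canonical owner name | DNSKEY RDATA), hex encoded."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest()


def ds_matches_dnskey(owner: str, ds: tuple, rdata: bytes) -> bool:
    """Check that a parent-zone DS record refers to this child DNSKEY.
    ds is (key_tag, algorithm, digest_type, digest_hex) as published by the parent."""
    tag, alg, digest_type, digest_hex = ds
    if digest_type != DS_DIGEST_SHA256:
        return False                       # only SHA-256 digests handled here
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False                       # key tag or algorithm field disagrees
    return digest_hex.lower() == ds_digest(owner, rdata)


# Constructed child KSK: 64 placeholder bytes where a real P-256 public key would sit.
CHILD_KSK = dnskey_rdata(FLAGS_KSK, ALG_ECDSAP256SHA256, bytes(range(64)))
# The DS record the parent zone (.com) would publish for it.
PARENT_DS = (key_tag(CHILD_KSK), ALG_ECDSAP256SHA256, DS_DIGEST_SHA256,
             ds_digest("example.com", CHILD_KSK))
# A DNSKEY that differs by one field (flags 256 = ZSK), as a botched rollover might present.
TAMPERED_KSK = dnskey_rdata(256, ALG_ECDSAP256SHA256, bytes(range(64)))


def check_delegation() -> dict:
    """Result of validating the constructed delegation: genuine key passes, altered key fails."""
    return {
        "genuine": ds_matches_dnskey("example.com", PARENT_DS, CHILD_KSK),
        "tampered": ds_matches_dnskey("example.com", PARENT_DS, TAMPERED_KSK),
        "key_tag": key_tag(CHILD_KSK),
    }


if __name__ == "__main__":
    print(check_delegation())
```

A real validator does this check, then uses the matched DNSKEY to verify the RRSIG over the child's DNSKEY RRset, and continues downward; any single mismatch (wrong key tag, wrong digest, unsupported digest type) breaks the chain at that delegation.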

Why DNSSEC Matters

Without DNSSEC, DNS is vulnerable to:

  • Cache poisoning — injecting false records into resolver caches
  • Man-in-the-middle attacks — intercepting and modifying DNS responses
  • DNS spoofing — redirecting traffic to attacker-controlled servers

DNSSEC is increasingly required for compliance in government and financial sectors. Many TLDs now fully support it, and major resolvers like Google (8.8.8.8) and Cloudflare (1.1.1.1) validate DNSSEC by default.

Verifying DNSSEC with the API

You can validate DNSSEC for any domain using a single API call:

curl -H "X-API-Key: YOUR_KEY" \
  "https://api.dnstoolkit.io/dns/dnssec?domain=example.com"

The response tells you whether DNSSEC is enabled, whether the chain of trust is valid, and details about each record in the chain. If there's a problem — a missing DS record, an expired signature, or a broken chain — the API flags exactly what's wrong.

Common DNSSEC Issues

  • Expired RRSIG signatures — signatures have a validity period; failure to re-sign causes validation failures
  • Missing DS records at the registrar — DS records must be published in the parent zone via your domain registrar
  • Key rollover problems — rotating DNSSEC keys requires careful coordination between the zone and the parent
  • Algorithm mismatches — all records in the chain must use compatible cryptographic algorithms

Automating DNSSEC Monitoring

DNSSEC validation isn't a one-time check. Signatures expire, keys rotate, and misconfigurations can appear at any time. Set up automated monitoring to catch issues before they cause resolution failures for your users.

The DNS Toolkit DNSSEC Validation endpoint gives you everything you need to build this into your monitoring pipeline — check it on a schedule and alert when the chain of trust breaks.
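The response schema of the DNS Toolkit endpoint is not shown on this page, so the following added example (not the project's own code) works one level down, on RRSIG records in the presentation format that `dig +dnssec` or a zone file produces. It parses each RRSIG, applies the RFC 4035 rule that a signature is only acceptable while inception <= now <= expiration, and adds an "expiring_soon" state so a scheduled job can alert before resolvers start failing. The RRSIG lines and the fixed clock are constructed sample data; the signature field is a placeholder and is never decoded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RRSig:
    owner: str
    type_covered: str
    algorithm: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def _parse_time(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in presentation format (or a raw epoch integer)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line: str) -> RRSig:
    """Parse one RRSIG line:
    owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig..."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return RRSig(owner=f[0], type_covered=f[4], algorithm=int(f[5]),
                 expiration=_parse_time(f[8]), inception=_parse_time(f[9]),
                 key_tag=int(f[10]), signer=f[11])


def signature_status(sig: RRSig, now: datetime,
                     warn_before: timedelta = timedelta(days=3)) -> str:
    """Validators accept a signature only when inception <= now <= expiration (RFC 4035).
    'expiring_soon' is the monitoring state that should alert before validation fails."""
    if now < sig.inception:
        return "not_yet_valid"
    if now > sig.expiration:
        return "expired"
    if sig.expiration - now <= warn_before:
        return "expiring_soon"
    return "ok"


def check_zone(lines, now: datetime) -> dict:
    """Map 'owner/TYPE' -> status for every RRSIG line given."""
    return {f"{s.owner}/{s.type_covered}": signature_status(s, now)
            for s in map(parse_rrsig, lines)}


def alerts(report: dict) -> list:
    """Record sets whose signature state should raise an alert."""
    return sorted(k for k, v in report.items() if v != "ok")


# Constructed sample RRSIGs for one zone (key tag and signature are placeholders).
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG A 13 2 3600 20240601000000 20240502000000 59409 example.com. c2lnLXBsYWNlaG9sZGVy",
    "example.com. 3600 IN RRSIG MX 13 2 3600 20240520000000 20240420000000 59409 example.com. c2lnLXBsYWNlaG9sZGVy",
    "example.com. 3600 IN RRSIG SOA 13 2 3600 20240701000000 20240501000000 59409 example.com. c2lnLXBsYWNlaG9sZGVy",
    "example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240715000000 20240615000000 59409 example.com. c2lnLXBsYWNlaG9sZGVy",
]
# Fixed "current time" so the run is reproducible; a scheduled job would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 30, 12, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    report = check_zone(SAMPLE_RRSIGS, NOW)
    for key, status in report.items():
        print(f"{key:<22} {status}")
    print("alert on:", alerts(report))
```

Run on a schedule, the interesting output is `alerts()`: the A RRset is inside the three-day warning window, the MX signature has already lapsed (validating resolvers such as 8.8.8.8 and 1.1.1.1 will return SERVFAIL for it), and the DNSKEY signature is not yet valid, which is what a rollover published with a future inception looks like. Pick `warn_before` larger than your re-signing interval so a stalled signer is caught while the old signatures still verify.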
