This tool is being set up. Backend processing coming soon. In the meantime, review the reference guide below and use the CLI equivalent.

How DNSSEC Chain of Trust Works

DNSSEC adds cryptographic signatures to DNS records, allowing resolvers to verify that answers came from the authoritative source and were not altered in transit. The chain of trust starts at the root zone (.), flows through TLDs (.com), and ends at your domain. Each parent zone publishes and signs a DS (Delegation Signer) record that identifies the child zone's key-signing key, which is how the chain links one level to the next.

Key record types: RRSIG (signature over a record set), DNSKEY (public zone-signing and key-signing keys), DS (hash of a DNSKEY, published at the parent zone), NSEC/NSEC3 (authenticated denial of existence — proves a record does NOT exist; NSEC3 hashes the owner names so that the zone's contents are not trivially enumerable).

DNSSEC Algorithm Reference

Algorithm              Number  Status
RSA/MD5                1       Deprecated — do not use
RSA/SHA-1              5       Deprecated — SHA-1 collision risk
RSA/SHA-256            8       Recommended (2048+ bit keys)
RSA/SHA-512            10      Recommended
ECDSA P-256/SHA-256    13      Recommended (fast, small signatures)
Ed25519                15      Recommended (modern, fast, compact)

Common DNSSEC Failure Modes

1. Missing DS at parent: DNSKEY exists but no DS record at registrar. Chain of trust is broken — validating resolvers treat the zone as unsigned.
2. Expired RRSIG: Signatures have an expiration date. If not refreshed in time, validating resolvers return SERVFAIL for all records.
3. Wrong algorithm: Weak algorithms (RSA/SHA-1, algorithm 5) may be rejected by modern resolvers configured to require strong cryptography.
4. NSEC zone walking: NSEC records allow enumerating all names in a zone. Use NSEC3 with opt-out for privacy-sensitive zones.

CLI Equivalent

dig +dnssec example.com SOA
delv example.com
dig +short example.com DNSKEY
dig +short example.com DS
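Failure mode 1 above (a DS at the parent that matches no child DNSKEY, or no DS at all) can be checked offline from the two `dig +short` outputs. The following is an added example, not part of this tool or of dig/delv; it implements the RFC 4034 key tag and DS digest computation and reports, for each DS line from the parent, whether some DNSKEY line from the child matches it. The zone name and key bytes used in its test are constructed, not real keys.

```python
import base64
import hashlib

# Record layouts follow RFC 4034 (DNSKEY section 2, DS section 5).

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA on the wire: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA). 1=SHA-1, 2=SHA-256, 4=SHA-384."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return hasher(owner_to_wire(owner) + rdata).hexdigest().upper()

def parse_dnskey(short_line: str) -> bytes:
    """Parse one `dig +short <zone> DNSKEY` line ("257 3 13 <base64>") into wire RDATA."""
    flags, proto, alg, *key = short_line.split()
    return dnskey_rdata(int(flags), int(proto), int(alg), base64.b64decode("".join(key)))

def matching_keys(owner: str, dnskey_lines: list, ds_lines: list) -> dict:
    """For each `dig +short <zone> DS` line ("<tag> <alg> <digesttype> <hex>"), report whether
    some child DNSKEY matches it on key tag, algorithm and digest. A DS that matches nothing
    (or an empty ds_lines list) means the chain of trust is broken at this delegation."""
    keys = [parse_dnskey(line) for line in dnskey_lines]
    result = {}
    for ds in ds_lines:
        tag, alg, dtype, *digest = ds.split()
        if int(dtype) not in (1, 2, 4):          # unknown digest type: cannot validate
            result[ds] = False
            continue
        wanted = (int(tag), int(alg), "".join(digest).upper())
        result[ds] = any((key_tag(rd), rd[3], ds_digest(owner, rd, int(dtype))) == wanted
                         for rd in keys)
    return result
```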
