Verify DNSSEC chain of trust for any domain.
DNSSEC adds cryptographic signatures to DNS so clients can verify that answers have not been tampered with. Validation follows a chain from the root through the TLD to your domain. This tool checks whether a domain is signed, whether the chain validates, and whether the resolver you use is doing validation. Use it to confirm your zone is correctly signed after enabling DNSSEC at your registrar or DNS provider, to debug validation failures (e.g. expired keys, broken chain), or to see which algorithms and key sizes are in use. Broken DNSSEC can cause resolution failures for validating resolvers.
The chain is broken: missing DS at parent, key mismatch, expired key, or misconfigured signing. Fix at the point of failure.
Not required, but recommended for security. Your registrar or DNS host can enable it; you may need to add DS records at the registrar.
DS (Delegation Signer) records are published at the parent (e.g. .com) and point to your zone's public key. They are required for the chain to validate.
Often the DS record at the registrar is wrong or missing. Use this validator to see where the chain breaks.
Yes. The CDN or your DNS provider must sign the zone, and you publish the correct DS at the registrar.
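The DS-to-DNSKEY link described above can be checked offline once you have the parent's DS set and the zone's DNSKEY set. The following is an added example, not this tool's own code: it computes the key tag and DS digest as specified in RFC 4034 and classifies each DS as matching, stale, or mismatched. The function names and the sample keys are constructed for illustration; the key bytes are not real keys.

```python
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA (not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()

def check_delegation(owner, ds_set, dnskeys):
    """Classify each parent DS (tag, alg, digest_type, hex) against child DNSKEY RDATAs."""
    if not ds_set:
        return ["no DS at parent: zone is treated as unsigned (insecure delegation)"]
    findings = []
    for tag, alg, dtype, digest in ds_set:
        candidates = [k for k in dnskeys if key_tag(k) == tag and k[3] == alg]
        if dtype not in DIGESTS:
            findings.append(f"DS {tag}: unsupported digest type {dtype}")
        elif not candidates:
            findings.append(f"DS {tag}: no DNSKEY with this tag and algorithm")
        elif any(ds_digest(owner, k, dtype) == digest.lower() for k in candidates):
            findings.append(f"DS {tag}: matches DNSKEY")
        else:
            findings.append(f"DS {tag}: digest mismatch")
    return findings

# Constructed sample data: placeholder key bytes, not real keys.
OWNER = "example.com."
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))           # key currently in the zone
OLD_KSK = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))  # key removed after a rollover
GOOD_DS = (key_tag(KSK), 13, 2, ds_digest(OWNER, KSK, 2))
STALE_DS = (key_tag(OLD_KSK), 13, 2, ds_digest(OWNER, OLD_KSK, 2))

if __name__ == "__main__":
    for ds in ([GOOD_DS], [STALE_DS], []):
        print(check_delegation(OWNER, ds, [KSK]))
```

A DS that still references a key removed from the zone is the stale case: validating resolvers find no usable trust anchor for the zone and resolution fails until the DS at the registrar is updated.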