How to Check DNSSEC (Step-by-Step Guide)
A practical DNSSEC checking guide covering DNSKEY and DS records, signature validation, and how to verify the full DNSSEC chain of trust.
Start with DNSKEY and DS records
A practical DNSSEC check begins by verifying both DNSKEY records in the zone and DS records at the parent level.
These two record types form the foundation of DNSSEC validation and the chain of trust.
You can check both record types by querying DNSKEY and DS directly.
If both records exist and align correctly, that is a strong indicator that DNSSEC may be properly configured.
What DNSKEY records tell you
DNSKEY records publish the public keys used to verify DNSSEC signatures within a zone.
Their presence indicates that the zone is DNSSEC-enabled and capable of signing its records.
A zone without DNSKEY records is not DNSSEC-signed.
However, simply having DNSKEY records does not guarantee correct configuration, because they must match the DS record at the parent.
What DS records tell you
DS (Delegation Signer) records are published in the parent zone and link the child zone's DNSKEY into the chain of trust.
They act as a cryptographic reference to the child zone's key.
If a DNSKEY exists but no DS record is present at the parent, DNSSEC validation will not complete successfully.
If a DS record exists but does not match the DNSKEY, validation will fail and can cause resolution issues.
Understand the DNSSEC chain of trust
DNSSEC works by creating a chain of trust from the root zone down to the domain being queried.
Each level in the chain, from root to TLD to domain, must correctly reference the next using DS and DNSKEY records.
If any link in this chain is broken or mismatched, DNSSEC validation will fail.
This is why both the parent DS record and the child DNSKEY record must be reviewed together during troubleshooting.
How to check DNSSEC step by step
- Query the domain for DNSKEY records
- Confirm DNSKEY records are present and appear valid
- Query the parent zone for DS records
- Verify the DS record matches the DNSKEY key tag and digest
- Check that the domain resolves correctly with DNSSEC-enabled resolvers
- Use a DNS tool such as DNS Pro to validate responses and compare results
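The key-tag and digest comparison in the steps above, carried out in code, as an added example that is not part of this guide or of DNS Pro's tooling. The owner name example.com. and the 4-byte public key in the DNSKEY are constructed placeholders (real keys are far longer); the DS digest is computed exactly as RFC 4034 specifies, from the owner name in wire form followed by the DNSKEY RDATA.

```python
import base64
import hashlib
# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def parse_dnskey(dnskey: str) -> tuple[int, bytes]:
    """Parse 'flags protocol algorithm base64key' (the key may be space-split, as dig prints it)."""
    flags, proto, alg, key = dnskey.split(maxsplit=3)
    return int(alg), dnskey_rdata(int(flags), int(proto), int(alg), key.replace(" ", ""))

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over RDATA, bytes at even offsets shifted high."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), as lowercase hex."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def build_ds(owner: str, dnskey: str, digest_type: int = 2) -> str:
    """Derive the DS record the parent should publish for a DNSKEY given in presentation format."""
    alg, rdata = parse_dnskey(dnskey)
    return f"{key_tag(rdata)} {alg} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches_dnskey(owner: str, dnskey: str, ds: str) -> bool:
    """True only if the parent's DS agrees with the child's DNSKEY on key tag, algorithm and digest."""
    alg, rdata = parse_dnskey(dnskey)
    tag, ds_alg, dtype, digest = ds.split(maxsplit=3)
    if int(tag) != key_tag(rdata) or int(ds_alg) != alg or int(dtype) not in DIGEST_ALGS:
        return False
    return ds_digest(owner, rdata, int(dtype)) == digest.replace(" ", "").lower()

if __name__ == "__main__":
    # Constructed sample: a 4-byte "key" so the key tag (1554) can be checked by hand.
    child_dnskey = "257 3 13 AAECAw=="
    parent_ds = build_ds("example.com.", child_dnskey)
    print(parent_ds, ds_matches_dnskey("example.com.", child_dnskey, parent_ds))
```

A DS published before a key rotation will fail this comparison against the new DNSKEY, which is the mismatch case listed under the outcomes below.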
What different outcomes usually mean
- DNSKEY present and DS present and matching: DNSSEC is likely correctly configured
- DNSKEY present but no DS: DNSSEC is not fully established and there is no complete chain of trust
- DS present but no DNSKEY: broken configuration likely to cause validation failure
- DNSKEY and DS present but mismatched: DNSSEC validation failure and high-impact issue
- No DNSKEY and no DS: DNSSEC is not enabled
Common DNSSEC pitfalls
- Publishing DNSKEY without adding DS at the parent
- Incorrect DS record after key rotation
- Partial configuration leading to broken validation
- Assuming DNSSEC is working without testing validation
- Forgetting that parent and child zones must both be correct
When DNSSEC issues cause real problems
DNSSEC misconfiguration can cause domains to fail resolution entirely for validating resolvers.
This is more severe than typical DNS issues, as affected users may be unable to access services at all.
Failures often appear intermittent depending on resolver behaviour, which can make troubleshooting more difficult.
If DNSSEC issues are suspected, they should be prioritised and resolved quickly.
Related checks
DNSSEC is only one part of a healthy DNS configuration.
You should also review overall delegation and resolution behaviour, especially if issues persist.
Looking at the full DNS picture helps avoid misdiagnosing issues as DNSSEC-related when they are not.
