How to Check DNSSEC Status

DNSSEC adds cryptographic signatures to DNS so resolvers can detect tampered answers, but only if it is set up correctly. Checking DNSSEC status tells you whether a domain is signed, unsigned, or broken in a way that could take it offline. This guide shows how to check with dig, with online validators, and how to read the result.

What DNSSEC status means

DNSSEC signs a zone's records so a validating resolver can confirm the answer it received was not altered in transit. A domain's DNSSEC status is essentially one of three states: unsigned (no DNSSEC), signed and valid (the chain of trust checks out), or broken (signatures or the delegation do not match). A broken chain is the dangerous case, because validating resolvers will refuse the answer entirely. For background, see what is DNSSEC.

Check with dig

The +dnssec flag asks for DNSSEC data alongside the answer:

dig +dnssec example.com

In the output, look at the flags: line of the header. An ad flag (authenticated data) means the resolver you queried validated the answer successfully. Only a validating resolver ever sets it, so if your resolver does not validate, the absence of ad says nothing about the domain; point dig at a validating resolver (for example with @resolver-address) to make the check meaningful. You can also inspect the two records that make up the chain. The DS record lives at the parent zone and links it to your keys, while the DNSKEY record holds the keys themselves:

dig +short DS example.com
dig +short DNSKEY example.com

If the parent publishes a DS record and the zone publishes matching DNSKEYs, the domain is signed. "Matching" is specific: the DS carries the key tag, algorithm and a digest of one of the zone's DNSKEYs (normally the key-signing key), and every one of those fields has to agree with a key the zone actually serves. A DS with no DNSKEY that hashes to it is the broken state, not the unsigned one.

Online validators

If you would rather not parse dig output, online DNSSEC validators walk the entire chain of trust from the root down to your domain and present it visually, flagging exactly where a break occurs. They are the easiest way to get a clear signed or broken verdict and to pinpoint a misconfiguration without reading raw records.

Reading the result

Interpret what you find against these three outcomes:

  • Signed — a DS record exists at the parent, DNSKEYs are published, and validating resolvers return the ad flag. DNSSEC is working.
  • Unsigned — no DS record and no DNSKEYs. The domain simply does not use DNSSEC, which is valid but unprotected.
  • Broken — a DS record exists but the signatures or keys do not match it. Validating resolvers will return SERVFAIL and the domain can become unreachable until it is corrected.
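The DS-to-DNSKEY match that separates these three outcomes can be reproduced offline from the two dig +short outputs above. The following is an added example, not code from the original article or from ZoneWatcher; it uses constructed DNSKEY data for example.com (a made-up 64-byte key, not a real one) and implements the RFC 4034 key tag and DS digest so you can see exactly which fields must line up.

```python
import base64
import hashlib

# Constructed sample data for example.com (not real records): a DNSKEY whose
# 64-byte "public key" is just the bytes 0..63, and a second key of all zero bytes.
OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(bytes(range(64))).decode()
OTHER_DNSKEY = "257 3 13 " + base64.b64encode(bytes(64)).decode()

# DS digest types (RFC 4034, 4509, 6605): 1 = SHA-1 (deprecated), 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(dnskey: str) -> bytes:
    """Turn 'flags protocol algorithm base64key' (dig +short DNSKEY output) into RDATA."""
    flags, proto, alg, *key = dnskey.split()
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(key)))

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit accumulated sum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, dnskey: str, digest_type: int = 2) -> str:
    """The DS the parent should publish for this DNSKEY: digest(owner wire form + RDATA)."""
    rdata = dnskey_rdata(dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def dnssec_status(owner: str, ds_records, dnskey_records) -> str:
    """Classify as the article does: no DS -> unsigned; a DS matching a DNSKEY -> signed; else broken."""
    if not ds_records:          # no DS at the parent: validators treat the delegation as insecure
        return "unsigned"
    for ds in ds_records:
        fields = [f.lower() for f in ds.split()]   # dig prints the digest in uppercase hex
        if int(fields[2]) not in DIGESTS:
            continue
        if any(make_ds(owner, k, int(fields[2])).split() == fields for k in dnskey_records):
            return "signed"
    return "broken"             # DS present, but no DNSKEY in the zone hashes to it
```

Feed it the real lines from dig +short DS and dig +short DNSKEY to get the same signed, unsigned or broken verdict an online validator would show for that link of the chain.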

Monitoring it continuously

DNSSEC problems are easy to miss because the domain often works fine for non-validating resolvers, so a broken chain can go unnoticed until users on validating networks cannot reach you. Key rollovers and registrar changes are the usual culprits, and they happen without warning.

ZoneWatcher's DNSSEC status monitor checks the chain of trust on a schedule and alerts you the moment it breaks or is unexpectedly disabled, so you find out before your visitors do.
