DNSSEC chain validator

Per RFC 4034 + RFC 8624

Checks the DNSSEC trust chain of a zone: DS records in the parent, DNSKEY in the zone, AD bit and DS<->KSK algorithm match.

What is this, and when do I need it?

What is this?

DNSSEC binds a zone's records to a chain of cryptographic signatures, rooted in the IANA trust anchor. A validating resolver (like Cloudflare 1.1.1.1) verifies the chain and sets the AD bit in its answer. If the chain is broken or missing, the AD bit stays off and downstream protocols that rely on DNSSEC - DANE/TLSA, SVCB, secure delegations - fall back to plain DNS.

This tool queries DS records (parent zone) and DNSKEY records (zone itself), plus an A-record probe to read the AD bit. It then evaluates whether the chain is technically closed: DS algorithm matches a KSK in the zone (RFC 6840 § 5.2), no deprecated algorithms or digest types (RFC 8624), at least one KSK present.
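As an added, offline example (not the tool's own code) of that evaluation step: it parses DS and DNSKEY records in presentation format, computes the key tag (RFC 4034 Appendix B), verifies the DS digest against the DNSKEY, and applies the RFC 8624 deprecation lists. The example.com records and key bytes are constructed placeholders; a live run would take the records from the DoH answers described above.

```python
import base64, hashlib
# RFC 8624 section 3.1: algorithms that are MUST NOT or NOT RECOMMENDED for signing.
DEPRECATED_ALG = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
                  7: "RSASHA1-NSEC3-SHA1", 10: "RSASHA512", 12: "ECC-GOST"}
DEPRECATED_DIGEST = {1: "SHA-1 digest", 3: "GOST digest"}  # RFC 8624 section 3.3: MUST NOT publish
DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):  # canonical wire-format owner name: lowercase, length-prefixed labels
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def parse_dnskey(line):  # "owner ttl IN DNSKEY flags proto alg base64..."
    owner, _, _, _, flags, proto, alg, *b64 = line.split()
    return owner, int(flags), int(proto), int(alg), base64.b64decode("".join(b64))
def parse_ds(line):  # "owner ttl IN DS tag alg dtype hex..."
    owner, _, _, _, tag, alg, dtype, *hx = line.split()
    return owner, int(tag), int(alg), int(dtype), bytes.fromhex("".join(hx))
def rdata(flags, proto, alg, key):  # DNSKEY RDATA in wire form
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key
def key_tag(flags, proto, alg, key):  # RFC 4034 Appendix B: 16-bit sum over the RDATA
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata(flags, proto, alg, key)))
    return (ac + (ac >> 16)) & 0xFFFF
def ds_digest(owner, flags, proto, alg, key, dtype):  # RFC 4034 section 5.1.4
    return DIGEST[dtype](wire_name(owner) + rdata(flags, proto, alg, key)).digest()

def evaluate(ds_lines, dnskey_lines, ad_bit):
    """Return (chain_closed, findings); the chain is closed only when findings is empty."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    findings = []
    if not any(k[1] & 0x0101 == 0x0101 for k in keys):  # ZONE + SEP flag bits mark a KSK
        findings.append("no KSK (flags 257) in the DNSKEY RRset")
    if not ds_lines:
        findings.append("no DS in parent: insecure delegation, nothing to validate")
    for _, tag, alg, dtype, digest in map(parse_ds, ds_lines):
        findings += [f"DS {tag}: deprecated {t} (RFC 8624)" for t in
                     (DEPRECATED_ALG.get(alg), DEPRECATED_DIGEST.get(dtype)) if t]
        # RFC 6840 section 5.2: a DS pairs only with a DNSKEY of the same algorithm and key tag
        match = [k for k in keys if k[3] == alg and key_tag(*k[1:]) == tag]
        if not match:
            findings.append(f"DS {tag}/{alg}: no matching DNSKEY in the zone")
        elif dtype in DIGEST and not any(ds_digest(*k, dtype) == digest for k in match):
            findings.append(f"DS {tag}: digest does not verify against the DNSKEY")
    if not ad_bit:
        findings.append("resolver answer carries no AD bit")
    return not findings, findings

# Constructed sample (placeholder key bytes, not real example.com data): an ECDSAP256SHA256 KSK and its DS.
KSK = "example.com. 3600 IN DNSKEY 257 3 13 " + "AQEB" * 10 + "AQE="
_k = parse_dnskey(KSK)
GOOD_DS = f"example.com. 86400 IN DS {key_tag(*_k[1:])} 13 2 {ds_digest(*_k, 2).hex()}"
```

Feeding a DS whose key tag no longer appears in the zone (the typical state after a registrar key rotation) reports "no matching DNSKEY", which is exactly the condition that makes a resolver drop the AD bit.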

When do I need it?

Run before publishing TLSA records (DANE only works on signed zones), after a registrar key rotation, when the AD bit suddenly drops out of resolver answers, or as a yearly sanity check that no deprecated SHA-1/RSAMD5 has crept in.

Server path: we query DS, DNSKEY and A for the domain via DNS-over-HTTPS at Cloudflare 1.1.1.1 (with DNSSEC-OK flag). We log neither domain nor result. At most 12 requests per minute per IP subnet.
