What is this?
DNSSEC binds a zone's records to a chain of cryptographic signatures, rooted in the IANA
trust anchor. A validating resolver (like Cloudflare 1.1.1.1) verifies the chain and sets
the AD bit in its answer. If the chain is broken or missing, the AD bit stays off and
downstream protocols that rely on DNSSEC - DANE/TLSA, SVCB, secure delegations - fall
back to plain DNS.
This tool queries DS records (parent zone) and DNSKEY records (zone itself), plus an
A-record probe to read the AD bit. It then evaluates whether the chain is technically
closed: the DS algorithm matches a KSK in the zone (RFC 6840 § 5.2), no deprecated
algorithms or digest types are in use (RFC 8624), and at least one KSK is present.
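As an added example (not the tool's own code) of the closure test described above, this Python evaluates constructed DS/DNSKEY records offline: it recomputes the DS digest from each KSK (RFC 4034), matches key tag and algorithm, and flags values RFC 8624 marks MUST NOT. The deprecated-value tables, the record classes and the function names are this example's assumptions; a real run would fill the inputs from the DS, DNSKEY and AD-bit queries.

```python
import hashlib
import struct
from dataclasses import dataclass

# Deprecated values as this example reads RFC 8624 (s.3.1, s.3.3); assumption, confirm against the RFC.
MUST_NOT_SIGN = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1", 12: "ECC-GOST"}
MUST_NOT_DIGEST = {1: "SHA-1", 3: "GOST"}
DIGEST_FN = {2: hashlib.sha256, 4: hashlib.sha384}   # SHA-256, SHA-384

@dataclass
class DNSKEY:
    flags: int        # 256 = zone key (ZSK); 257 = zone key + SEP bit (KSK)
    algorithm: int
    pubkey: bytes     # raw public key; the protocol octet is always 3
    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, 3, self.algorithm) + self.pubkey
    def key_tag(self) -> int:  # RFC 4034 Appendix B
        ac = sum(b if i & 1 else b << 8 for i, b in enumerate(self.rdata()))
        return (ac + (ac >> 16)) & 0xFFFF
@dataclass
class DS:
    key_tag: int; algorithm: int; digest_type: int; digest: str  # hex as dig prints it

def owner_wire(name: str) -> bytes:  # canonical lower-case wire name, RFC 4034 s.6.2
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(name: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS the parent should publish for this key (RFC 4034 s.5.1.4)."""
    h = DIGEST_FN[digest_type](owner_wire(name) + key.rdata()).hexdigest().upper()
    return DS(key.key_tag(), key.algorithm, digest_type, h)

def check_chain(name: str, ds_set: list, dnskeys: list, ad_bit: bool) -> list:
    """Return findings; an empty list means the chain is technically closed."""
    out, ksks = [], [k for k in dnskeys if k.flags & 0x101 == 0x101]  # zone key + SEP
    if not ds_set:
        out.append("no DS at parent: insecure delegation, nothing to validate")
    if not ksks:
        out.append("no KSK (SEP flag) in the DNSKEY RRset")
    for ds in ds_set:
        if ds.algorithm in MUST_NOT_SIGN:
            out.append(f"DS {ds.key_tag}: algorithm {MUST_NOT_SIGN[ds.algorithm]} is MUST NOT")
        if ds.digest_type in MUST_NOT_DIGEST or ds.digest_type not in DIGEST_FN:
            out.append(f"DS {ds.key_tag}: digest type {ds.digest_type} deprecated or unsupported")
        elif not any(k.algorithm == ds.algorithm and k.key_tag() == ds.key_tag and
                     ds_from_dnskey(name, k, ds.digest_type).digest == ds.digest for k in ksks):
            out.append(f"DS {ds.key_tag}/alg {ds.algorithm} matches no KSK in the zone")
    if not ad_bit:
        out.append("answer without AD bit: resolver did not validate the chain")
    return out
```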
When do I need it?
Run before publishing TLSA records (DANE only works on signed zones), after a registrar key
rotation, when the AD bit suddenly drops out of resolver answers, or as a yearly sanity
check that no deprecated SHA-1/RSAMD5 has crept in.