DNSSEC Validator

Validate a domain's DNSSEC configuration and chain of trust.

GET /v1/dnssec
cURL
curl "https://dns.toolkitapi.io/v1/dnssec?domain=cloudflare.com"

Python
import httpx

# Query the validator for one domain and print the parsed JSON body.
resp = httpx.get(
    "https://dns.toolkitapi.io/v1/dnssec?domain=cloudflare.com",
)
print(resp.json())

JavaScript
// Same request with fetch; top-level await requires an ES module context.
const resp = await fetch("https://dns.toolkitapi.io/v1/dnssec?domain=cloudflare.com");
const data = await resp.json();
console.log(data);

Response 200 OK
{
  "domain": "cloudflare.com",
  "signed": true,
  "valid": true,
  "checks": [
    {"check": "DNSKEY Record", "status": "pass", "detail": "DNSKEY record found with algorithm RSASHA256"},
    {"check": "DS Record", "status": "pass", "detail": "DS record found at parent zone"},
    {"check": "Signature Validation", "status": "pass", "detail": "RRSIG validates correctly"}
  ],
  "query_time_ms": 78.4
}

How to Use

1. Pass the domain in the `domain` parameter.
2. Check `signed` (whether DNSSEC is deployed) and `valid` (whether it validates correctly).
3. Review `checks` for specific issues if validation fails.

About This Tool

DNSSEC Validator checks a domain's DNSSEC configuration by looking for DS, DNSKEY, RRSIG, and NSEC/NSEC3 records, then validates the chain of trust via a DNSSEC-aware resolver (Quad9). It tells you whether DNSSEC is deployed, properly configured, and actually validating.

Frequently Asked Questions

What does "signed but not valid" mean?
The domain has DNSSEC records but the chain of trust is broken — usually a DS/DNSKEY mismatch or expired signatures.

Which resolver is used for validation?
Quad9 (9.9.9.9), which has DNSSEC validation enabled by default.
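
The two causes named in the first answer, a DS/DNSKEY mismatch and expired signatures, can be checked offline as sketched below. This is an added example, not the tool's own code: the zone name, key bytes and timestamps are constructed, `chain_problems` is a hypothetical helper, and the RRSIG signature itself is not verified.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercased) DNS wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner wire name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches(owner, ds, rdata):
    """ds = (key_tag, algorithm, digest_type, hex_digest) as published by the parent."""
    tag, alg, dtype, digest = ds
    return (dtype == 2 and tag == key_tag(rdata) and alg == rdata[3]
            and digest.lower() == ds_sha256(owner, rdata))

def chain_problems(owner, ds_set, dnskeys, sig_window, now):
    """Hypothetical helper: reasons the delegation would fail; [] means none found."""
    problems = []
    if not any(ds_matches(owner, ds, k) for ds in ds_set for k in dnskeys):
        problems.append("DS/DNSKEY mismatch")
    inception, expiration = sig_window  # plain epoch seconds, no serial wraparound
    if not inception <= now <= expiration:
        problems.append("RRSIG outside validity window")
    return problems

# Constructed sample data: 4-byte stand-ins for public keys, not usable keys.
ZONE = "example.com"
KSK_OLD = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))   # algorithm 8 = RSASHA256
KSK_NEW = dnskey_rdata(257, 3, 8, bytes([9, 9, 9, 9]))
PARENT_DS = (key_tag(KSK_OLD), 8, 2, ds_sha256(ZONE, KSK_OLD))
NOW = 1_700_000_000

if __name__ == "__main__":
    # Parent still points at the old key and the signatures have lapsed.
    print(chain_problems(ZONE, [PARENT_DS], [KSK_NEW], (1_699_000_000, 1_699_900_000), NOW))
```

The mismatch case modelled here is a key rollover where the child zone publishes a new key-signing key while the parent still carries the DS for the old one.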
