DNSSEC Validator
Determine if DNS Security Extensions (DNSSEC) are enabled, auditing DNSKEY and DS records to prevent DNS hijacking.
This interactive client-side tool is part of the NervLink Cybersecurity Suite. All analysis is verified entirely inside the local browser sandbox for maximum safety and data privacy compliance.
How It Works
- Enter a target domain.
- The tool queries for DNSKEY and DS records on the target zone.
- The cryptographic key algorithms, flags, and signature validation metrics are displayed to verify DNS trust integrity.
Primary Use Cases
- Checking if a domain is protected against DNS cache poisoning and spoofing.
- Auditing DS (Delegation Signer) records published at parent top-level domain registries.
- Confirming registrar DNSSEC integration status.
Common Security Pitfalls
- Enabling DNSSEC on your registrar without configuring correct DS records at your DNS host, causing complete domain name resolution failure.
- Using weak/deprecated hashing algorithms (like SHA-1) in signature keys.
Frequently Asked Questions
- How does DNSSEC protect my website?
- DNSSEC signs DNS records cryptographically. When a browser resolves your site, it validates the signature chain, preventing middleman attacks from redirecting users to fake servers.
- Does DNSSEC encrypt my DNS traffic?
- No. DNSSEC only validates signatures and authenticity. It does not encrypt DNS queries; for encryption, use DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).
References & Standards