DNSSEC (DNS Security Extensions) adds a cryptographic signature to every DNS answer so a resolver can prove the record came from the real zone owner and wasn't rewritten by a hijacked router or hostile Wi-Fi. To check whether a domain is signed, open Zro7 DNSSEC Check, type the domain, and Zro7 fetches the DNSKEY, RRSIG, and parent DS in your browser.
The three records that matter
- DNSKEY — the public key(s) the zone signs with. Usually two: a Key Signing Key (KSK) and a Zone Signing Key (ZSK).
- RRSIG — the signature over a record set (e.g. the signature covering the A records). Every signed answer ships one.
- DS — a hash of the KSK, published in the parent zone (.com for example.com). This is what chains trust back to the root.
How the chain of trust works
The root zone signs the TLD's DS. The TLD signs your domain's DS. Your domain's DNSKEY (KSK) matches that DS. Your DNSKEY (ZSK) signs your A/AAAA/MX/TXT records via RRSIG. Break any link and validating resolvers return SERVFAIL — the domain becomes unreachable for anyone using 1.1.1.1, 8.8.8.8, or Quad9.
Why you should care
- Cache poisoning — without DNSSEC a Kaminsky-style attack can steer users to a fake IP. Signed answers make that provably impossible.
- DANE / TLSA — pinning TLS certs in DNS only works over DNSSEC.
- Email (MTA-STS, SMTP DANE) — modern SMTP hardening leans on signed records.
Common failure modes
- DS at registrar doesn't match DNSKEY at DNS host — usually after a KSK roll. Fix: update the DS at the registrar.
- Expired RRSIG — ZSK signatures are short-lived (often 7–30 days). If auto-signing breaks, the zone goes dark.
- Algorithm mismatch — DS uses SHA-256 (algorithm 8 or 13) but the zone still ships SHA-1. Modern validators reject.
Steps
- Open DNSSEC Check.
- Type the domain (e.g.
cloudflare.com). - Zro7 fetches DNSKEY + RRSIG + parent DS via DoH and reports signed/insecure/bogus.
- Cross-reference with DNS Lookup if a specific record is failing.
Zro7