What's the difference between Bogus and Insecure?

Insecure means the zone isn't signed at all — no DNSKEY, no DS — and resolvers accept answers without validation. It's the default for most domains and it's fine. Bogus means the zone IS signed but validation fails — DS says 'this zone is signed' but the signatures don't check out. Bogus is a production outage: validating resolvers return SERVFAIL instead of your records, so every user on those resolvers can't reach you. Always fix Bogus urgently.

Why does my DNSKEY query return empty on a Bogus zone?

Cloudflare's 1.1.1.1 is a validating resolver. When DNSSEC validation fails, it refuses to return the signed records to you — that's the whole point of DNSSEC. So on a Bogus zone, DNSKEY appears as 0 answers even though the authoritative server is serving them. PingThat detects this by combining Status=2 (SERVFAIL) on the A query with DS presence at the parent, which is the exact fingerprint of a Bogus zone.

Should I enable DNSSEC?

Most hosting setups don't strictly need it — HTTPS already authenticates the server, so DNS tampering is caught at the TLS layer. DNSSEC matters more for DANE-based email, DoT/DoH authentication, and some government compliance. And crucially: enabling DNSSEC adds a failure mode (Bogus) that can take your domain offline if keys expire or mis-sign. If you turn it on, monitor it continuously.

What algorithms should I use?

ECDSA P-256/SHA-256 (algorithm 13) or Ed25519 (algorithm 15) for new zones. Both are small, fast, and broadly supported. Avoid RSA/SHA-1 (algorithm 5 or 7) — it's deprecated. Most modern DNS providers (Cloudflare, Google Cloud DNS, Route 53) use algorithm 13 or 14 by default. PingThat shows the algorithm name in the DS and DNSKEY tables so you can verify.

DNSSEC Validator Online Free

About this tool

Enter a domain to check DNSSEC. The tool fetches DNSKEY records at the zone, DS records at the parent, and asks Cloudflare 1.1.1.1 whether the chain validates (AD flag). Detects the three states that actually matter in production: Secure, Bogus (broken signing), and Insecure.

How to check DNSSEC validation

Enter a domain name.
The tool queries the domain with DNSSEC validation enabled and reports the chain of trust.
Review each step — DS record at the parent, DNSKEY at the zone, and RRSIG signatures on individual records.
A broken chain means clients that validate DNSSEC (some resolvers, Tor) cannot verify the domain's records.

Common use cases

Confirming DNSSEC is correctly deployed on a domain after enabling it at the registrar.
Troubleshooting resolver errors where some users cannot reach a domain because their resolver validates DNSSEC and the chain is broken.
Auditing the DNSSEC posture of dependencies (login providers, APIs) before relying on them for security.
Checking that a key rollover did not break the validation chain during the overlap period.

Frequently asked questions

Is DNSSEC worth the complexity?

For high-trust domains (banks, government) DNSSEC is standard. For general sites it is optional but guards against DNS poisoning when paired with validating resolvers. The tradeoff is a small performance cost and operational complexity.

What happens if DNSSEC is broken?

Validating resolvers (Cloudflare's 1.1.1.1, some ISPs, Tor) return SERVFAIL. Non-validating resolvers still resolve normally, masking the issue from most users — until you hit a validating one.

Do I need DNSSEC for a CDN?

CDNs handle DNSSEC differently. Cloudflare provides a simple toggle; others require coordination between registrar and CDN. Check with your provider's docs.

Is my query logged?

No. Validation runs through the browser and results are not stored.

Why DNSSEC matters

DNSSEC cryptographically signs DNS records so resolvers can detect tampering and cache poisoning. The critical failure mode is not missing DNSSEC — it is broken DNSSEC (Bogus), which takes your domain offline for every user whose resolver validates. This tool surfaces that state explicitly instead of just showing DNSKEY presence.

DNSKEY records at the apex
DS records at the parent zone
Resolver validation (AD flag)
Bogus (broken signing) detection
Algorithm names for DS/DNSKEY entries

Free. No signup. Browser tools (subnet, JWT, password strength) run locally; lookup tools query public APIs (Cloudflare DoH, RDAP, certificate logs). Full per-tool breakdown at /methodology/.

Sources (2)

Arends, R., Austein, R., Larson, M., Massey, D., & Rose, S. (2005). Resource Records for the DNS Security Extensions. RFC 4034, IETF.
Arends, R., Austein, R., Larson, M., Massey, D., & Rose, S. (2005). Protocol Modifications for the DNS Security Extensions. RFC 4035, IETF.

These are the IETF RFCs, NIST publications, and W3C standards the tool implements or queries. Locate them on the IETF Datatracker (datatracker.ietf.org) or the official standards body.

Related guides

By Marco B. · Last verified June 2026 — runs in your browser