    DNSSEC chain validator

    Walk the DS → DNSKEY chain of trust from any zone up to the root. See which link is signed, which is broken, which is a plain trust gap.

    Frequently asked

    What does it mean when a link is marked broken?

    A broken link means the DS at the parent and the DNSKEY at the zone don't hash-match, or one of the two is missing when the other is present. Validating resolvers will return SERVFAIL for the zone, so it stops resolving for everyone behind a validator (which includes most large ISPs today).

    Why does the tool say 'not validated' when my zone shows DNSKEY records?

    Publishing DNSKEY without a matching DS at your parent zone means resolvers never verify your signatures. The records exist, but they are ignored by validators. Adding the DS at the registrar completes the chain.

    Does this tool verify RRSIG signatures?

    No, this is a structural chain walk. It hash-matches DS to DNSKEY at every link, which catches the overwhelming majority of real-world DNSSEC outages. Full RRSIG verification requires checking signature validity over each record set; that is not implemented in v1.

    What do KSK / ZSK / revoked mean in the key listing?

    KSK (Key Signing Key) signs only the DNSKEY set itself; it's the key whose hash goes into the parent's DS. ZSK (Zone Signing Key) signs all the other records. A key with the revoke flag has been marked invalid and should be rotated out.
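
The DS-to-DNSKEY hash match and the KSK / ZSK / revoke flags from the answers above, as an added Python example (not this tool's own code). The key material is constructed, the status labels are this example's own, and a DNSKEY set with no DS is reported as "not validated" as in the second answer.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def wire_name(name):
    """Owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rd):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rd))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def key_role(flags):
    """256 = ZSK, 257 = KSK (SEP bit set); bit 0x0080 is REVOKE (RFC 5011)."""
    if not flags & 0x0100:
        return "not a zone key"
    role = "KSK" if flags & 0x0001 else "ZSK"
    return role + (" revoked" if flags & 0x0080 else "")

def ds_digest(owner, rd, digest_type=2):
    """Digest the parent publishes in DS: hash(owner wire name | DNSKEY RDATA)."""
    return DIGESTS[digest_type](wire_name(owner) + rd).hexdigest()

def check_link(owner, ds_set, dnskeys):
    """ds_set: (tag, alg, digest type, hex digest) tuples; dnskeys: DNSKEY field tuples."""
    if not ds_set:
        return "not validated" if dnskeys else "unsigned"
    for tag, alg, dtype, digest in ds_set:
        for key in dnskeys:
            rd = rdata(*key)
            if (key[2] == alg and key_tag(rd) == tag and dtype in DIGESTS
                    and ds_digest(owner, rd, dtype) == digest.lower()):
                return "signed"
    return "broken"  # DS present, but no DNSKEY hashes to it (or DNSKEY is missing)

# Constructed sample data: fake 64-byte "public keys", not any real zone's keys.
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
ZSK = (256, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
GOOD_DS = (key_tag(rdata(*KSK)), 13, 2, ds_digest("example.com.", rdata(*KSK)))
STALE_DS = (GOOD_DS[0], 13, 2, "00" * 32)  # e.g. a DS left behind after a key change

if __name__ == "__main__":
    for ds in ([GOOD_DS], [STALE_DS], []):
        print(check_link("example.com.", ds, [KSK, ZSK]))
```

Like the structural walk described above, this checks only that a DS hashes to a published DNSKEY; it does not verify any RRSIG.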

    Enable DNSSEC with one click

    Built and operated in the EU. The same anycast network that powers this tool serves every DNScale-hosted zone.