ChainCheck

Validate DNSSEC for a list of domains. You'll get status and diagnostics for each.

One domain per line.

Help & About

What is ChainCheck?

ChainCheck validates DNSSEC for domain names. DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so resolvers can verify that responses haven't been tampered with. This tool checks whether domains are properly signed and reports validation status and diagnostics.

How to use

Enter fully qualified domain names (e.g. example.com or sub.example.com), one per line or comma-separated. Click Validate. You'll be taken to a results page showing the validation status for each domain. For domains that fail validation, additional diagnostics are available in the DNSViz details section.

Status meanings

  • secure — DNSSEC validation succeeded; the domain's DNS records are properly signed and verified.
  • insecure — The domain is not signed with DNSSEC, or the resolver couldn't verify it (e.g. no AD bit).
  • bogus — DNSSEC validation failed; do not trust the response. Possible causes: expired signatures, chain breaks, misconfigured keys.
  • error — A query or resolver error occurred (timeout, NXDOMAIN, etc.).
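
An added example, not ChainCheck's own code: one way to map a validating resolver's reply onto the four statuses above by decoding the AD bit and RCODE from the DNS header. The function names, the SERVFAIL-then-retry-with-CD heuristic for detecting bogus, and the sample headers are assumptions constructed for illustration.

```python
import struct

AD, CD, QR = 0x0020, 0x0010, 0x8000   # header flag bits (RFC 1035, RFC 4035)
NOERROR, SERVFAIL = 0, 2

def parse_header(msg):
    """Decode the fixed 12-byte DNS header of a wire-format message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    _id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F}

def classify(response, cd_retry=None):
    """Map a validating resolver's reply to secure/insecure/bogus/error.

    response: reply to the normal query, or None on timeout.
    cd_retry: reply to the same query re-sent with CD (checking disabled) set;
              only consulted when the first reply was SERVFAIL (assumed heuristic).
    """
    try:
        first = parse_header(response) if response is not None else None
        retry = parse_header(cd_retry) if cd_retry is not None else None
    except ValueError:
        return "error"
    if first is None or not first["qr"]:
        return "error"
    if first["rcode"] == NOERROR:
        return "secure" if first["ad"] else "insecure"
    # A SERVFAIL caused by validation disappears once checking is disabled.
    if first["rcode"] == SERVFAIL and retry and retry["qr"] and retry["rcode"] == NOERROR:
        return "bogus"
    return "error"   # timeout, NXDOMAIN, resolver failure, ...

def sample(flags):
    """Constructed header-only message for demonstration (not captured traffic)."""
    return struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)

if __name__ == "__main__":
    for name, args in [("AD set", (sample(0x81A0),)),
                       ("no AD", (sample(0x8180),)),
                       ("SERVFAIL, CD ok", (sample(0x8182), sample(0x8190))),
                       ("NXDOMAIN", (sample(0x8183),)),
                       ("timeout", (None,))]:
        print(f"{name:16} -> {classify(*args)}")
```

The AD bit is only meaningful when the path to the resolver is trusted, so run this kind of check against a local validating resolver.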

Results

Download the full results as JSON. For domains that fail validation, expand "DNSViz details" and use "Download raw JSON" to save the full diagnostic output.

Learn more

Ballot SC-085v2

The CA/Browser Forum ballot SC-085v2 (Require Validation of DNSSEC for CAA and DCV Lookups) mandates that Certificate Authorities validate DNSSEC, when present, both when retrieving CAA records and when performing DNS-based Domain Control Validation (DCV). This reduces risk from DNS spoofing and BGP hijacking. The ballot is effective 15 March 2026. Domain owners who enable DNSSEC can better harden their DCV process.