Signing and validation

Validate a DNSSEC chain of trust

Confirm a domain is DNSSEC-signed, that a validating resolver authenticates it (the AD flag), and that the chain of trust is complete from the TLD down to the domain.

When to use it

Use this when

  • You enabled DNSSEC and want to confirm the chain validates end to end.
  • Resolution fails with SERVFAIL and you suspect a broken signature or a missing DS record at the parent.

Steps

Do this

  1. Check the domain: open DNSSEC and enter the domain. dnsbin queries with DNSSEC requested and reports whether the answer is Authenticated (AD).
  2. Walk the chain: each signed zone from the TLD down to the domain is shown with its DS and DNSKEY presence, so you can see exactly where the chain holds or breaks.
  3. Confirm against a known-bad: compare a signed domain with a deliberately broken one to see the difference in the verdict.

Examples

Copyable commands

REST — signed
curl 'https://dnsbin.ca/api/v1/dnssec?name=cloudflare.com'
REST — broken chain
curl 'https://dnsbin.ca/api/v1/dnssec?name=dnssec-failed.org'

Operational notes

Keep in mind

  • AD=true means the validating resolver cryptographically authenticated the answer — not merely that signatures exist.
  • A signed zone still fails to validate if the parent has no matching DS record, which is the most common DNSSEC outage.
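The DS-to-DNSKEY link that the chain walk and the last note describe, as an added example that is not dnsbin's code or part of the original page: it computes a DNSKEY's key tag and DS digest (RFC 4034) and walks an ordered list of zones to report the first one whose DNSKEY set is not covered by the DS records at its parent. The zone name, key bytes and DS values are constructed for the example, not real records.

```python
"""Check the DS -> DNSKEY link at each step of a DNSSEC chain of trust (RFC 4034)."""
import base64
import hashlib
import struct

# DS digest types defined for DNSSEC (GOST, type 3, omitted).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire form: 'example.test.' -> 07 example 04 test 00."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), hex-encoded."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True if the parent's DS (key_tag, algorithm, digest_type, digest) authenticates this DNSKEY."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3] and dtype in DIGESTS
            and digest.lower() == ds_digest(owner, rdata, dtype))


def walk_chain(zones: list) -> str:
    """zones: [(zone, [dnskey_rdata, ...], [ds_from_parent, ...])] ordered TLD -> domain.
    Returns 'secure', or names the first zone whose DNSKEYs no parent DS covers."""
    for zone, keys, ds_set in zones:
        if not any(ds_matches(zone, k, ds) for k in keys for ds in ds_set):
            return f"broken at {zone}: no DS at parent matches any DNSKEY"
    return "secure"


# Constructed sample data (not real keys): a KSK for example.test. with its correct DS,
# and a stale DS whose digest belongs to a key the zone no longer publishes.
KSK = dnskey_rdata(257, 3, 13, "AQIDBA==")
GOOD_DS = (key_tag(KSK), 13, 2, ds_digest("example.test.", KSK, 2))
STALE_DS = (key_tag(KSK), 13, 2, "00" * 32)

if __name__ == "__main__":
    print(walk_chain([("example.test.", [KSK], [GOOD_DS])]))   # secure
    print(walk_chain([("example.test.", [KSK], [STALE_DS])]))  # broken at example.test.: ...
```

A real check would feed `walk_chain` the DNSKEY RRsets fetched from each zone and the DS RRsets fetched from each parent; the stale-DS case reproduces the outage the note describes, where the zone is signed but the parent's DS no longer points at a current key.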