DNSSEC Lookup Tool

Check DNSSEC records instantly across global resolvers to validate your cryptographic signatures and Chain of Trust.

How to troubleshoot DNSSEC and SERVFAIL errors

If your website suddenly drops off the internet for users of validating public resolvers (like Google DNS or Cloudflare), but works fine for others, you likely have a broken DNSSEC configuration. Enter your domain name above to query its DNSSEC status. This tool helps you verify whether your zone's keys and signatures line up with the DS record in the parent zone.

Interpreting your DNSSEC results

  • The Dreaded SERVFAIL: If a validating resolver (like 8.8.8.8) detects that your DNSSEC signatures are invalid or expired, it will completely block access to your domain and return a SERVFAIL status to protect users from potential hijacking.
  • Domain Transfers: The #1 cause of DNSSEC outages is transferring a domain to a new host without removing the old DS (Delegation Signer) record at your registrar first. The parent zone will still expect the old host's cryptographic keys, causing a mismatch.
  • Missing DS Records: If the lookup shows DNSKEYs but no DS record at the parent TLD, your zone is signed, but the "Chain of Trust" is incomplete. DNSSEC is effectively inactive until you upload the DS record to your registrar.