DNSSEC Status Monitor
DNSSEC adds cryptographic signatures to DNS responses so resolvers can detect tampering. It only works if the whole chain is intact — keys published at the zone, a delegation signer at the parent, and modern algorithms throughout. This check verifies all three.
What we check
Two live DNS lookups against the zone:
- DNSKEY records at the zone apex — these contain the public keys used to sign the zone. We verify at least one Key Signing Key (a DNSKEY with flags=257, i.e. the SEP bit set) is published.
- DS record at the parent zone — published by the registry/registrar and used by resolvers to anchor the zone's keys to the global trust hierarchy.
Algorithms are checked against RFC 8624. Deprecated algorithms (RSAMD5, DSA/SHA1, RSA/SHA1, GOST) fail the check; SHA-1 digest types on DS records produce a warning.
Why it matters
A zone that publishes DNSKEY records but lacks a DS record at the parent is signing answers nobody can validate — the cryptographic work happens but resolvers have no anchor to trust it. The reverse (DS at parent, no DNSKEY at zone) actively breaks resolution for DNSSEC-validating resolvers, because they expect signatures and find nothing.
Deprecated algorithms are accepted by some validators and rejected by others — a foot-gun where the zone "mostly" resolves but fails for security-conscious resolvers.
Status outcomes
- Pass: DNSKEY records (including a KSK) and a DS record are both published, every algorithm is modern, and at least one strong DS digest type (SHA-256 or SHA-384) is in use.
- Warning: DNSSEC is configured correctly, but the DS record only publishes weak digest types (SHA-1 or GOST). Add a SHA-256 digest.
- Fail: DNSSEC is not configured, the chain of trust is broken (DNSKEY but no DS, or DS but no DNSKEY), no Key Signing Key is published, or a deprecated algorithm is in use.
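The record checks from "What we check" and the three outcomes above, as an added Python example that is not the monitor's own code. It takes the DNSKEY and DS record sets as presentation-format strings (constructed sample records here, with placeholder key bytes and digests; a live check would fill them from the two lookups), parses them, applies the page's algorithm and digest rules, and additionally cross-checks each DS key tag against the published keys using the RFC 4034 Appendix B key-tag computation, which goes beyond the page's stated rules. The zone name, record contents and function names are assumptions.

```python
"""Classify a zone's DNSSEC posture from its DNSKEY and DS record sets.

Added example, not the monitor's code. Record sets arrive as presentation-format
strings so the logic runs offline on constructed input.
"""
import base64
import struct
from dataclasses import dataclass

# IANA algorithm numbers; the deprecated set is the one the page names per RFC 8624.
DEPRECATED_ALGORITHMS = {
    1: "RSAMD5", 3: "DSA/SHA1", 5: "RSA/SHA1",
    6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1", 12: "ECC-GOST",
}
STRONG_DIGESTS = {2: "SHA-256", 4: "SHA-384"}   # DS digest types that pass outright
WEAK_DIGESTS = {1: "SHA-1", 3: "GOST R 34.11-94"}  # DS digest types that only warn
KSK_FLAGS = 257  # ZONE (256) + SEP (1)


@dataclass
class DnsKey:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


@dataclass
class Ds:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def _rdata_tokens(line, rrtype):
    """Accept either bare RDATA or a full RR line ('name TTL IN DNSKEY ...')."""
    tokens = line.split()
    if rrtype in tokens:
        tokens = tokens[tokens.index(rrtype) + 1:]
    return tokens


def parse_dnskey(line):
    t = _rdata_tokens(line, "DNSKEY")
    # The base64 key may be split into several whitespace-separated chunks.
    return DnsKey(int(t[0]), int(t[1]), int(t[2]), base64.b64decode("".join(t[3:])))


def parse_ds(line):
    t = _rdata_tokens(line, "DS")
    return Ds(int(t[0]), int(t[1]), int(t[2]), "".join(t[3:]).lower())


def key_tag(key):
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSAMD5)."""
    rdata = struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def evaluate(dnskey_lines, ds_lines):
    """Return (status, reasons); status is 'pass', 'warn' or 'fail'."""
    keys = [parse_dnskey(line) for line in dnskey_lines]
    dss = [parse_ds(line) for line in ds_lines]
    reasons = []

    # Chain-of-trust structure: both halves must exist.
    if not keys and not dss:
        return "fail", ["DNSSEC not configured: no DNSKEY at the zone and no DS at the parent"]
    if keys and not dss:
        return "fail", ["DNSKEY published but no DS at the parent: answers are signed but unanchored"]
    if dss and not keys:
        return "fail", ["DS at the parent but no DNSKEY at the zone: validating resolvers will SERVFAIL"]
    if not any(k.flags == KSK_FLAGS for k in keys):
        reasons.append("no Key Signing Key (flags=257) published")

    # Algorithm hygiene on both record types.
    for k in keys:
        if k.algorithm in DEPRECATED_ALGORITHMS:
            reasons.append(f"DNSKEY uses deprecated algorithm {DEPRECATED_ALGORITHMS[k.algorithm]}")
    for d in dss:
        if d.algorithm in DEPRECATED_ALGORITHMS:
            reasons.append(f"DS uses deprecated algorithm {DEPRECATED_ALGORITHMS[d.algorithm]}")

    # Beyond the page's rules: a DS must reference a key that is actually published.
    published = {(key_tag(k), k.algorithm) for k in keys}
    for d in dss:
        if (d.key_tag, d.algorithm) not in published:
            reasons.append(f"DS key tag {d.key_tag}/alg {d.algorithm} matches no published DNSKEY")

    if reasons:
        return "fail", reasons
    if not any(d.digest_type in STRONG_DIGESTS for d in dss):
        weak = sorted({WEAK_DIGESTS.get(d.digest_type, f"type {d.digest_type}") for d in dss})
        return "warn", [f"DS only publishes weak digest types ({', '.join(weak)}); add a SHA-256 digest"]
    return "pass", []


# Constructed sample records: the keys and digests are placeholder bytes, not real
# keys, so only flags, algorithms, digest types and key tags are meaningful.
SAMPLE_DNSKEYS = [
    "example.test. 3600 IN DNSKEY 257 3 13 AQID",  # KSK, ECDSA P-256 (key tag 2064)
    "example.test. 3600 IN DNSKEY 256 3 13 BAUG",  # ZSK, ECDSA P-256
]
SAMPLE_DS_STRONG = ["example.test. 86400 IN DS 2064 13 2 " + "00" * 32]
SAMPLE_DS_WEAK = ["example.test. 86400 IN DS 2064 13 1 " + "00" * 20]

if __name__ == "__main__":
    for label, ds in (("strong DS", SAMPLE_DS_STRONG), ("SHA-1 DS", SAMPLE_DS_WEAK), ("no DS", [])):
        print(label, *evaluate(SAMPLE_DNSKEYS, ds))
```

The DS digest itself is not recomputed here; that would need the owner name in wire format plus the real public key, which the placeholder records do not carry. The key-tag cross-check is still worth keeping in a monitor because a DS whose tag matches nothing at the zone breaks validation just as surely as a missing one.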
How to fix
Most managed DNS providers offer a one-click DNSSEC toggle that handles the keys and DS automatically — Cloudflare, Route 53, Google Cloud DNS, and others. The catch is that publishing the DS record at the parent has to happen at the registrar, not the DNS host, so a one-click setup at the DNS host alone leaves the chain broken.
If you see a "DNSKEY published but no DS" failure, the keys exist but the registrar hasn't published the DS. Get the DS values from your DNS provider and add them at the registrar.
For algorithm warnings, key rollover is the path forward — generate keys with a modern algorithm (RSA/SHA-256 or ECDSA P-256), wait the appropriate TTL, then retire the old keys.