DNSSEC Validation
What This Check Does
The DNSSEC Validation check is an enterprise-level verification that validates the complete DNSSEC chain of trust for your domain. It verifies the presence and correctness of DNSKEY records, DS (Delegation Signer) records at the parent zone, and RRSIG (Resource Record Signature) records. Together, these ensure that DNS responses for your domain are cryptographically authenticated.
DNS Spy queries for DNSKEY, DS, and RRSIG records, then validates the chain of trust from the root zone through your domain's delegation to ensure end-to-end DNSSEC integrity.
Why It Matters
DNSSEC prevents DNS cache poisoning and man-in-the-middle attacks by cryptographically signing DNS records. Without DNSSEC, attackers can forge DNS responses to redirect your users to malicious servers. However, simply enabling DNSSEC is not enough — the entire chain of trust must be valid. A broken chain (missing DS record, expired signatures, or mismatched keys) can cause worse problems than no DNSSEC at all, potentially making your domain unresolvable for DNSSEC-validating resolvers.
NIST SP 800-81, Section 4, is entirely dedicated to DNSSEC deployment and emphasizes the critical importance of maintaining a valid chain of trust. DNS Spy helps ensure your DNSSEC implementation remains intact and functional.
NIST SP 800-81 Compliance
Section 4 of the NIST Secure DNS Deployment Guide provides comprehensive guidance on DNSSEC deployment, including key management, signature lifecycle, and chain of trust validation. This enterprise check directly validates compliance with NIST Section 4 requirements by verifying all components of the DNSSEC chain. DNS Spy's continuous monitoring is essential for meeting NIST's recommendation for ongoing DNSSEC validation.
Good vs. Bad Configuration
Bad Configuration
DNSKEY records exist but the DS record at the parent zone references an old key that has been rolled. DNSSEC-validating resolvers return SERVFAIL for your domain, causing complete resolution failure for a significant portion of the internet.
Good Configuration
DNSKEY records are present with valid key tags, DS records at the parent zone match the current KSK (Key Signing Key), and RRSIG records are present with signatures that are not expired. The complete chain of trust validates from root to your zone.
How DNS Spy Monitors This
DNS Spy's enterprise monitoring performs full DNSSEC chain of trust validation during each cycle. It checks DNSKEY records, verifies DS records at the parent zone match your keys, validates RRSIG signatures and expiration dates, and tests the complete chain from root. Any break in the chain triggers an immediate alert with specific details about what failed and how to fix it.
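The "What This Check Does", "Good vs. Bad Configuration" and "How DNS Spy Monitors This" sections all describe the same three links: a KSK in the DNSKEY RRset, a DS at the parent that reproduces from that KSK, and an unexpired RRSIG over the DNSKEY RRset signed by a published key. The following Python is an added illustration written for this page; it is not DNS Spy's code and makes no network queries. It assumes the records have already been fetched into the small dataclasses below, uses constructed sample keys (an 8-byte stand-in public key instead of a real 64-byte ECDSA P-256 key, so the RFC 4034 key tag can be followed by hand), and checks only the structural links (key tags, DS digests, validity windows); it does not perform the RRSIG signature verification a full validator would.

```python
import hashlib
import struct
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DNSKEY:
    owner: str          # zone apex, e.g. "example.com."
    flags: int          # 257 = KSK (ZONE + SEP), 256 = ZSK
    protocol: int       # always 3 per RFC 4034
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: 16-bit checksum over the RDATA
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)  # SEP bit


@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int    # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


@dataclass
class RRSIG:
    type_covered: str   # e.g. "DNSKEY"
    key_tag: int
    inception: int      # epoch seconds
    expiration: int


DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_wire(name: str) -> bytes:
    # Canonical wire form: lowercase, length-prefixed labels, root label terminator.
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    # RFC 4034 section 5.1.4: digest = hash(owner name | DNSKEY RDATA)
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_wire(key.owner) + key.rdata())
    return DS(key.key_tag(), key.algorithm, digest_type, h.digest())


def check_chain(zone_keys: List[DNSKEY], parent_ds: List[DS], rrsigs: List[RRSIG],
                now: Optional[int] = None, warn_days: int = 7) -> List[str]:
    """Return findings; an empty list means every checked link holds."""
    now = int(time.time()) if now is None else now
    findings = []
    ksks = [k for k in zone_keys if k.is_ksk()]
    if not ksks:
        findings.append("no KSK (SEP flag) in the DNSKEY RRset")
    if not parent_ds:
        findings.append("no DS record at the parent zone")
    # DS link: some parent DS must reproduce exactly from a KSK the child publishes.
    linked = any(ds.key_tag == k.key_tag() and ds.algorithm == k.algorithm
                 and ds_from_dnskey(k, ds.digest_type).digest == ds.digest
                 for ds in parent_ds for k in ksks)
    if ksks and parent_ds and not linked:
        findings.append("no parent DS matches a published KSK (stale DS after a key roll?)")
    # RRSIG link: the DNSKEY RRset needs a signature by a published key, inside its window.
    tags = {k.key_tag() for k in zone_keys}
    dnskey_sigs = [s for s in rrsigs if s.type_covered == "DNSKEY"]
    if not dnskey_sigs:
        findings.append("DNSKEY RRset has no RRSIG")
    for sig in dnskey_sigs:
        if sig.key_tag not in tags:
            findings.append(f"RRSIG key tag {sig.key_tag} not present in DNSKEY RRset")
        if now > sig.expiration:
            findings.append(f"RRSIG over DNSKEY expired {now - sig.expiration} s ago")
        elif now < sig.inception:
            findings.append("RRSIG over DNSKEY not yet valid")
        elif sig.expiration - now < warn_days * 86400:
            findings.append(f"RRSIG over DNSKEY expires in {(sig.expiration - now) // 86400} days")
    return findings


# Constructed sample data (not a real zone); real alg-13 public keys are 64 bytes.
NOW = 1_700_000_000
KSK = DNSKEY("example.com.", 257, 3, 13, bytes(range(1, 9)))
ZSK = DNSKEY("example.com.", 256, 3, 13, bytes(range(9, 17)))
OLD_KSK = DNSKEY("example.com.", 257, 3, 13, bytes(range(101, 109)))
GOOD_SIG = RRSIG("DNSKEY", KSK.key_tag(), NOW - 86400, NOW + 30 * 86400)


def good_configuration() -> List[str]:
    return check_chain([KSK, ZSK], [ds_from_dnskey(KSK)], [GOOD_SIG], now=NOW)


def stale_ds_configuration() -> List[str]:
    # The parent still publishes the DS of the key that was rolled out.
    return check_chain([KSK, ZSK], [ds_from_dnskey(OLD_KSK)], [GOOD_SIG], now=NOW)


def expired_signature_configuration() -> List[str]:
    old_sig = RRSIG("DNSKEY", KSK.key_tag(), NOW - 40 * 86400, NOW - 10 * 86400)
    return check_chain([KSK, ZSK], [ds_from_dnskey(KSK)], [old_sig], now=NOW)


if __name__ == "__main__":
    for name, fn in [("good", good_configuration), ("stale DS", stale_ds_configuration),
                     ("expired RRSIG", expired_signature_configuration)]:
        print(f"{name}: {fn() or 'chain OK'}")
```

The stale-DS case is the "Bad Configuration" above: the child's DNSKEY RRset is fine on its own, but no DS at the parent reproduces from a current KSK, which is exactly the condition that makes validating resolvers return SERVFAIL. The `warn_days` threshold gives the early warning a monitoring cycle needs, since a signature that is still valid today but expires before the next re-signing run is the other common way a working chain silently breaks.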