DNSSEC Check
free /v1/dns/dnssec
Validates DNSSEC (Domain Name System Security Extensions) configuration including DS records, DNSKEY records, and the chain of trust. Validates against RFC 8624 algorithm recommendations, flagging deprecated algorithms (RSA/SHA-1, DSA) and recommending ECDSA P-256 or Ed25519.
What It Does
Performs comprehensive DNSSEC validation by checking DS records at the parent zone, retrieving DNSKEY records, validating key algorithms and sizes, and verifying the chain of trust. Reports validation status as secure, insecure, bogus, or indeterminate per RFC 4035 semantics. Identifies common outage causes including expired RRSIG signatures, broken DS-to-DNSKEY chains, and key rollover failures.
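The DS-to-DNSKEY link of the chain of trust described above can be reproduced offline. This is an added example, not the endpoint's own code: it computes the RFC 4034 key tag and DS digest and flags the deprecated algorithms; the function names and the sample key are constructed for illustration, and RRSIG signature verification is out of scope.

```python
import hashlib
import struct

# Signing algorithms RFC 8624 marks MUST NOT or NOT RECOMMENDED (RSAMD5, DSA, RSA/SHA-1).
DEPRECATED = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1"}
# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA blob (RFC 4034 Appendix B; not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = H(owner name in wire form | DNSKEY RDATA), hex encoded."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def check_chain(owner, dnskeys, ds_records):
    """dnskeys: DNSKEY RDATA blobs; ds_records: (key_tag, alg, digest_type, hex_digest).
    Returns (has_valid_chain, issues)."""
    valid, issues = False, []
    for rdata in dnskeys:
        if rdata[3] in DEPRECATED:  # byte 3 of the RDATA is the algorithm number
            issues.append(f"DNSKEY {key_tag(rdata)} uses deprecated {DEPRECATED[rdata[3]]}")
    for tag, alg, dtype, digest in ds_records:
        if dtype not in DIGESTS:
            issues.append(f"DS {tag} has unsupported digest type {dtype}")
            continue
        match = any(
            key_tag(k) == tag and k[3] == alg
            and struct.unpack("!H", k[:2])[0] & 0x0100  # Zone Key flag must be set
            and ds_digest(owner, k, dtype) == digest.lower()
            for k in dnskeys)
        if match:
            valid = True
        else:
            issues.append(f"DS {tag} matches no DNSKEY (broken DS-to-DNSKEY chain)")
    return valid, issues

# Constructed sample, not a real key: KSK (flags 257), protocol 3, algorithm 13.
KSK = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
DS = (key_tag(KSK), 13, 2, ds_digest("example.com", KSK, 2))

if __name__ == "__main__":
    print(check_chain("example.com", [KSK], [DS]))      # chain intact
    rolled = KSK[:4] + bytes(range(1, 65))               # key replaced, DS not updated
    print(check_chain("example.com", [rolled], [DS]))   # reports the broken chain
```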
Why It's Useful
DNSSEC protects against DNS spoofing and cache poisoning attacks but adoption is still only ~5% for .com domains. Proper DNSSEC configuration is required by many government and financial regulations. This endpoint helps identify whether DNSSEC is properly implemented or actively causing resolution failures.
Use Cases
Security Compliance Check
Verify DNSSEC is properly configured for domains as required by security policies or regulations.
Ensure DNS-level protection against spoofing attacks for compliant infrastructure.
DNSSEC Troubleshooting
Diagnose DNSSEC validation failures reported by users or monitoring systems.
Quickly identify the root cause of DNSSEC failures — expired signatures, algorithm mismatches, missing DS records, or broken chain of trust — reducing mean-time-to-resolution.
Pre-Migration Validation
Before DNS migration, document DNSSEC configuration to ensure it's correctly replicated.
Prevent DNSSEC-related outages during DNS provider migrations.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| domain | string | Required | The domain to validate DNSSEC for. Example: cloudflare.com |
Response Fields
| Field | Type | Description |
|---|---|---|
| domain | string | The queried domain |
| status | string | Validation status: secure (valid chain, includes weak algorithm warnings), insecure (no DNSSEC), bogus (broken chain/orphaned RRSIGs), or indeterminate (inconclusive) |
| has_dnssec | boolean | Whether DNSSEC is enabled |
| has_valid_chain | boolean | Whether the DS-to-DNSKEY chain of trust is valid |
| keys | array | DNSKEY records with key_tag, algorithm, KSK/ZSK flags, and security status |
| ds_records | array | DS records at parent zone with key_tag, algorithm, and digest type |
| rrsig_records | array | RRSIG signatures with type covered, expiration, inception, is_expired, is_not_yet_valid, and expiry warnings |
| issues | array | List of configuration issues found |
| recommendations | array | Actionable recommendations for improving DNSSEC configuration |
Code Examples
```bash
# -G sends the -d value as a query string on a GET request,
# matching the JavaScript and Python examples.
curl -G "https://api.edgedns.dev/v1/dns/dnssec" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "domain=cloudflare.com"
```

```javascript
// Query the endpoint with the domain as a query parameter.
const response = await fetch(
  'https://api.edgedns.dev/v1/dns/dnssec?domain=cloudflare.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

```python
import requests

# Query the endpoint with the domain as a query parameter.
response = requests.get(
    'https://api.edgedns.dev/v1/dns/dnssec',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'domain': 'cloudflare.com'
    }
)
data = response.json()
print(data)
```