DNSSEC analyzer

Walks the trust chain from root to leaf, validates every signature.

DNSSEC: UNSIGNED
No DS or DNSKEY records found for github.com
Awaiting validation
Parent delegation is not signed

Chain of trust

Each step's DS hash must match the child's DNSKEY. All signatures must validate.

DS at parent → github.com
No DS record at parent (unsigned delegation)
VALID
github.com → DNSKEY
No DNSKEY records
VALID
github.com → RRSIG
No RRSIG records
VALID
DS records
0
DNSKEY records
0
RRSIG records
0