DNSSEC analyzer

Walks the trust chain from root to leaf, validates every signature.

DNSSEC: SIGNED

Chain data found for github.com

Demo chain preview

DS / DNSKEY data available

Each step's DS hash must match the child's DNSKEY. All signatures must validate.

Root zone (.)

DNSKEY · KSK 20326 · 4096-bit RSA · published 2017-10-11

VALID

.com TLD

DS 30909 · ECDSAP256SHA256 · matches root signature

VALID

github.com → DNSKEY

3 DNSKEY records observed

VALID

github.com → RRSIG (A, MX, TXT...)

11 RRSIG records observed

VALID

NSEC3 denial-of-existence

Salt: AB9F · 1 iteration · opt-out off

VALID

DS records

DNSKEY records

RRSIG records

Sig expires

6d 14h