fetchwhois
Powered by the official IANA RDAP protocol

DNSSEC Checker

Check whether any domain has DNSSEC enabled in seconds. FetchWhois reads the RDAP registration record to show delegation-signing status, DS records and key-tag data — the authoritative DNSSEC delegation as registered at the TLD registry.


Instant results

Real-time WHOIS domain lookups resolved directly from authoritative RDAP servers — no queues, no waiting.

ICANN-grade accuracy

Every ICANN lookup pulls structured data straight from the registry and registrar, following the official RDAP standard.

Hundreds of TLDs

From .com and .org to .io, .dev and country-code domains — powered by the IANA bootstrap registry.

Private & simple

No sign-up and no domain upsells. Just clean, trustworthy WHOIS results every time.

How to check DNSSEC for a domain

DNSSEC delegation status from the live registry record.

Step 1

Enter the domain name

Type the domain name into the search box. DNSSEC is configured at the apex-domain level in the registry, so enter the root domain (e.g., example.com).

Step 2

FetchWhois reads the secureDNS section

We query the authoritative RDAP server and parse the secureDNS block from the response, which contains delegation-signing status, DS records and key-tag data.

Step 3

View DNSSEC status and DS records

The results show whether the domain's zone is signed and whether the DS record has been published at the registry level — with key tag, algorithm and digest details when available.

What is DNSSEC and why should you check it?

DNSSEC (Domain Name System Security Extensions) is a suite of IETF specifications that adds cryptographic authentication to DNS responses. Without DNSSEC, an attacker who can intercept or spoof DNS traffic could redirect visitors from a legitimate domain to a malicious server — a technique called DNS cache poisoning or DNS hijacking. DNSSEC prevents this by allowing DNS resolvers to verify that the response they receive was actually issued by the domain's authoritative nameserver and has not been tampered with.

To enable DNSSEC, the domain owner signs their DNS zone with a cryptographic key and publishes a DS (Delegation Signer) record at the parent TLD registry. This DS record is what FetchWhois reads from the RDAP response: it confirms that the registry has recorded a cryptographic delegation for the domain. If delegationSigned is true and DS records are present, DNSSEC is properly configured end to end.
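An added example (not FetchWhois code) of the check described above: it reads the secureDNS block of a parsed RDAP domain object, using the RFC 9083 field names, and reports delegation status, DS details and registry-side warnings. The sample record and the name check_secure_dns are constructed for illustration; the code inspects the registry record only and does not query DNS for a matching DNSKEY.

```python
# Added example: interpret the secureDNS block of an RDAP domain object.
# IANA code points for dsData values (subset); the second DIGESTS item is hex length.
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
DIGESTS = {1: ("SHA-1", 40), 2: ("SHA-256", 64), 4: ("SHA-384", 96)}
LEGACY_ALGS = {1, 3, 5, 6, 7}  # MD5-, DSA- and SHA-1-based signing algorithms

# Constructed sample record (hypothetical values), shaped like a parsed RDAP response.
SAMPLE = {"ldhName": "example.com", "secureDNS": {"delegationSigned": True, "dsData": [
    {"keyTag": 12345, "algorithm": 13, "digestType": 2, "digest": "AB" * 32},
    {"keyTag": 12345, "algorithm": 13, "digestType": 1, "digest": "CD" * 20}]}}

def check_secure_dns(rdap):
    """Return (status, ds_summaries, warnings) for one parsed RDAP domain object."""
    sec = rdap.get("secureDNS") or {}
    ds_list = sec.get("dsData") or []
    has_keys = bool(ds_list or sec.get("keyData"))
    signed = sec.get("delegationSigned") is True
    summaries, warnings = [], []
    for ds in ds_list:
        tag, alg, dtype = ds.get("keyTag"), ds.get("algorithm"), ds.get("digestType")
        digest = str(ds.get("digest", "")).replace(" ", "")
        name, hexlen = DIGESTS.get(dtype, (f"type {dtype}", None))
        summaries.append(f"keyTag={tag} alg={ALGORITHMS.get(alg, alg)} digest={name}")
        if alg in LEGACY_ALGS:
            warnings.append(f"keyTag {tag}: legacy algorithm {alg}")
        if dtype == 1:
            warnings.append(f"keyTag {tag}: SHA-1 DS digest")
        if hexlen is not None and len(digest) != hexlen:
            warnings.append(f"keyTag {tag}: digest is {len(digest)} hex chars, expected {hexlen}")
    # The flag and the key material must agree; anything else is a registry-side mismatch.
    if signed and has_keys:
        status = "signed"
    elif not signed and not has_keys:
        status = "unsigned"
    else:
        status = "inconsistent"
        warnings.append("delegationSigned does not match the DS/key data listed")
    return status, summaries, warnings

if __name__ == "__main__":
    status, summaries, warnings = check_secure_dns(SAMPLE)
    print(status, *summaries, *warnings, sep="\n")
```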

DNSSEC adoption is important for high-security domains such as banking, government and healthcare websites. Many modern registrars and DNS providers make DNSSEC setup straightforward. If the FetchWhois checker shows your domain as unsigned, ask your DNS provider or registrar whether they support DNSSEC signing — most major providers including Cloudflare, AWS Route 53 and Google Cloud DNS offer it.

DNSSEC Checker — Frequently Asked Questions

Everything you need to know about WHOIS, ICANN and RDAP domain lookups.