DNSSEC Checker
Check whether any domain has DNSSEC enabled in seconds. FetchWhois reads the RDAP registration record to show delegation-signing status, DS records and key-tag data — the authoritative DNSSEC delegation as registered at the TLD registry.
How to check DNSSEC for a domain
DNSSEC delegation status from the live registry record.
Enter the domain name
Type the domain name into the search box. DNSSEC is configured at the apex-domain level in the registry, so enter the root domain (e.g., example.com).
FetchWhois reads the secureDNS section
We query the authoritative RDAP server and parse the secureDNS block from the response, which contains delegation-signing status, DS records and key-tag data.
View DNSSEC status and DS records
The results show whether the domain's zone is signed and whether the DS record has been published at the registry level — with key tag, algorithm and digest details when available.
What is DNSSEC and why should you check it?
DNSSEC (Domain Name System Security Extensions) is a suite of IETF specifications that adds cryptographic authentication to DNS responses. Without DNSSEC, an attacker who can intercept or spoof DNS traffic could redirect visitors from a legitimate domain to a malicious server — a technique called DNS cache poisoning or DNS hijacking. DNSSEC prevents this by allowing DNS resolvers to verify that the response they receive was actually issued by the domain's authoritative nameserver and has not been tampered with.
To enable DNSSEC, the domain owner signs their DNS zone with a cryptographic key and publishes a DS (Delegation Signer) record at the parent TLD registry. This DS record is what FetchWhois reads from the RDAP response — it confirms that the registry has recorded a cryptographic delegation from the domain. If delegationSigned is true and DS records are present, DNSSEC is properly configured end to end.
DNSSEC adoption is important for high-security domains such as banking, government and healthcare websites. Many modern registrars and DNS providers make DNSSEC setup straightforward. If the FetchWhois checker shows your domain as unsigned, ask your DNS provider or registrar whether they support DNSSEC signing — most major providers including Cloudflare, AWS Route 53 and Google Cloud DNS offer it.
DNSSEC Checker — Frequently Asked Questions
Everything you need to know about WHOIS, ICANN and RDAP domain lookups.