Validating DNSSEC records with DNSViz

DNSviz, provided by Sandia National Laboratories, is a great tool in validating the chain of trust for DNSSEC. Check them out if you need DNSSEC validation or other insight in DNS troubleshooting.

Back story:

For any public-facing domains that I setup, I configure DNSSEC about 24 hours after the domain is purchased and configured in Cloudflare. From personal experience, if you enable DNSSEC too soon after registering a domain, you run the risk of resolution problems. I saw this recently after I configured a brand new (less than 1 hour old) domain for a friend. The domain was purchased, I configured Cloudflare, I enabled DNSSEC in Cloudflare, then I updated the registar’s records for DNSSEC. Two days later and their domain wouldn’t resolve properly. You can feel the pain of others here:

I started using for domain validation prior to enabling DNSSEC. Once I get green checks using DNSChecker, I feel confident that the domain name is resolving correctly globally and it is time to enable DNSSEC. After the DNSSEC entries are made in Cloudflare and to the registrar, I then use DNSChecker again to validate the propagation. I usually see a few red “X” marks after the switch then it levels out in a matter of hours.
If you enable public-facing DNSSEC (as opposed to internal using something like Windows DNS), DNSviz can help troubleshoot and validate the chain of trust.

Here is an example of my domain using DNSSEC:

Here is an example of a domain not using DNSSEC:

Leave a Reply

Your email address will not be published. Required fields are marked *