DNSviz, provided by Sandia National Laboratories, is a great tool in validating the chain of trust for DNSSEC. Check them out if you need DNSSEC validation or other insight in DNS troubleshooting.
Back story:
For any public-facing domains that I setup, I configure DNSSEC about 24 hours after the domain is purchased and configured in Cloudflare. From personal experience, if you enable DNSSEC too soon after registering a domain, you run the risk of resolution problems. I saw this recently after I configured a brand new (less than 1 hour old) domain for a friend. The domain was purchased, I configured Cloudflare, I enabled DNSSEC in Cloudflare, then I updated the registar’s records for DNSSEC. Two days later and their domain wouldn’t resolve properly. You can feel the pain of others here: https://www.google.com/search?q=public+DNSSEC+propagation+fail.
I started using DNSChecker.org for domain validation prior to enabling DNSSEC. Once I get green checks using DNSChecker, I feel confident that the domain name is resolving correctly globally and it is time to enable DNSSEC. After the DNSSEC entries are made in Cloudflare and to the registrar, I then use DNSChecker again to validate the propagation. I usually see a few red “X” marks after the switch then it levels out in a matter of hours.
If you enable public-facing DNSSEC (as opposed to internal using something like Windows DNS), DNSviz can help troubleshoot and validate the chain of trust.
Here is an example of my domain using DNSSEC:
Here is an example of a domain not using DNSSEC:
