Chain of Trust Verifier

Verify the complete DNSSEC chain of trust from root zone to your domain

About Chain of Trust

The DNSSEC chain of trust is a hierarchical validation path that creates an unbroken cryptographic link from the root zone down to your domain. Each level of the DNS hierarchy signs the next level down using DS (Delegation Signer) records, creating a verifiable path of trust that resolvers can follow to validate DNS responses.

The chain starts with the root zone, which serves as the trust anchor. The root zone's public key is hardcoded into DNS resolvers and browsers. From there, the root zone signs the top-level domain (TLD) zones, such as .com and .org, using DS records. The TLD then signs your domain using another DS record, completing the chain.

For DNSSEC validation to succeed, the entire chain must be unbroken: Root → TLD → Domain. Each link must have valid DNSKEY records in the child zone and corresponding DS records in the parent zone. If any link in the chain is missing or invalid, DNSSEC validation will fail, and resolvers will refuse to return the DNS data to protect users.
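The check behind a single link can be sketched as follows. This is an added example, not this verifier's own code: it computes the key tag and DS digest defined in RFC 4034 and compares the parent's DS set with the child's DNSKEY set. The function names and the sample key bytes are constructed for illustration, and signature (RRSIG) validation is out of scope.

```python
import hashlib
import struct

# DS digest type numbers (IANA registry) mapped to hashlib constructors.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of an owner name, e.g. 'example.com.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """(key_tag, algorithm, digest_type, hex digest) as the parent publishes it."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def check_link(owner: str, ds_set: list, dnskeys: list) -> str:
    """Compare the parent's DS set with the child's DNSKEY set for one delegation."""
    if not ds_set:
        return "no DS in parent"
    for tag, alg, dtype, digest in ds_set:
        if dtype not in DIGESTS:
            continue  # unsupported digest type cannot vouch for this link
        for rdata in dnskeys:
            if (key_tag(rdata), rdata[3]) != (tag, alg):
                continue  # cheap pre-filter before hashing
            if make_ds(owner, rdata, dtype)[3] == digest.lower():
                return f"link ok: DS {tag} matches a DNSKEY"
    return "broken: no DNSKEY matches any DS"

# Constructed sample data: the key bytes are placeholders, not real public keys.
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
ZSK = dnskey_rdata(256, 3, 13, bytes(range(64, 128)))
PARENT_DS = [make_ds("example.com.", KSK)]

if __name__ == "__main__":
    print(check_link("example.com.", PARENT_DS, [KSK, ZSK]))
    rolled = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))  # key replaced, DS stale
    print(check_link("example.com.", PARENT_DS, [rolled, ZSK]))
```

The second call models a common cause of a broken link: the child replaces its key-signing key while the parent still publishes the DS for the old one.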

This verifier checks each component of the chain to help you identify where the chain might be broken. For more information, see our Getting Started Guide or DNSSEC Info.