Any53 DNSSEC Validator

About this tool

Any53 DNSSEC Validator performs iterative DNSSEC validation from the root zone down to your target domain. Unlike a recursive resolver that simply gives you a pass/fail, this tool shows you exactly what's happening at each step:

Zone discovery - Identifies actual zone cuts (delegation points) in the DNS hierarchy
DNSKEY verification - Fetches and cryptographically verifies DNSKEY records at each zone
DS chain validation - Verifies that each zone's KSK matches the DS record in its parent zone
Signature validation - Checks RRSIG validity periods and cryptographic signatures
RDAP verification - Compares DS records from DNS against the registry database via RDAP
CNAME following - Automatically validates CNAME target chains

Validation results: secure (full chain verified), insecure (zone not signed), bogus (validation failed), indeterminate (could not determine).

JSON API

Queries authoritative nameservers directly using IANA root trust anchors.

api/validate?domain=example.com - Validate a domain (JSON response)
api/anchors - View current root trust anchors

curl -s 'https://www.any53.com/dnssec/api/validate?domain=www.any53.com' | jq '.result, .chain[].zone'