Validate the cryptographic chain of trust for DNSSEC-enabled domains, ensuring DNS responses are authentic and have not been tampered with. Cloudmon monitors DNSSEC signature validity, the trust tree structure, and DS record linkage at every delegation level.
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses are genuine and have not been modified in transit. Cloudmon DNSSEC monitoring periodically validates the full chain of trust for configured domains and alerts when signatures are invalid, expired, or missing.
A Validity value of 1 indicates that the DNSSEC chain of trust was validated successfully. A value of 0 can mean either that a signature is invalid, expired, or missing, or that the domain has not implemented DNSSEC at all. These are distinct conditions. An invalid signature on a domain whose parent zone publishes a DS record is a misconfiguration or a possible tampering attempt and needs immediate investigation; a validating resolver would return SERVFAIL for such a domain. An unsigned domain, or one with no DS record at its parent, has simply not deployed DNSSEC and will consistently return 0 without representing an active failure. Navigate to Synthetic → DNS → DNSSEC to view all configured monitors.
Navigate to Synthetic → DNS → DNSSEC and click the + Add button. Fill in the fields as follows:
| Field | Description |
|---|---|
| Probe | The probe that performs the DNSSEC validation check. Choose a probe with internet access that can reach the authoritative nameservers for the domain and for its parent zones, since the chain is validated all the way up to the root. |
| Name | A display name for this DNSSEC monitor, such as "iana.org DNSSEC" or "Company Domain DNSSEC". |
| Domain | The domain whose DNSSEC chain is validated, for example iana.org or your organisation's domain. |
| Port | Port used for DNS queries. Default is 53. |
| Record Type | The DNS record type (RRset) whose signature is validated. Default is A (Address Record). |
| Interval | How often the DNSSEC check runs, for example every 5 minutes. |
| Alert Rule | The alert rule to trigger on DNSSEC validation failures. |
| Depends On | Suppresses alerts for this monitor while a linked upstream dependency is already down. |
| Groups and Tags | Assign the monitor to logical groups and add custom labels for filtering and management. |
Click Save to add the monitor.
Clicking into any DNSSEC monitor opens its detail page. The Metrics Panel shows Availability as the percentage of intervals in which DNSSEC validation was successful, Downtime as the total duration the monitor was in a Down or failed state, and Alarms for any active alarms on this monitor.
Two visualisations provide deeper insight into the DNSSEC configuration. The Trust Tree displays the full DNSSEC delegation chain from the queried domain up to the root, showing each level's DNSKEY key tag, algorithm, and flags, which makes it easy to spot a broken link in the chain of trust. The Data Chain shows the DS (Delegation Signer) record linkage at each level of the chain, confirming that each zone's key-signing key is correctly referenced by a DS record in the parent zone. A DS record carries the key tag, algorithm, and a digest of the child zone's DNSKEY, so a mismatch at any level breaks validation for everything below it.
A Validity time-series chart shows the DNSSEC validity state over the selected time range with green indicating valid and red indicating failed validation. The Log Report tab provides a per-poll log of each validation check including the validity result, timestamp, and any detected signature issues. The Outages tab lists all periods during which DNSSEC validation failed including timestamps and duration.
Cloudmon can alert your team whenever DNSSEC validation fails for a configured domain. Each alarm is built around a simple IF/THEN model: you select a metric, set a threshold, and define what happens when it is breached.
| Issue | What to check |
|---|---|
| Validity consistently shows 0 but the domain is expected to have DNSSEC | A persistent 0 usually means DNSSEC has not actually been deployed on this domain, or that the zone is signed but no DS record has been published at the parent zone, so validators treat the delegation as insecure. Check the Trust Tree view to identify where the chain breaks, and verify the DS record is present by querying the parent zone's nameservers directly. If the DS is missing, publish it through the registrar. |
| Validity dropped from 1 to 0 after a DNS change | The two common causes are a key-signing key (KSK) roll where the DS record at the registrar was not updated to the new key's digest, and a move to a new DNS provider that does not serve the signed zone while the old DS record remains at the parent. In both cases the DS at the parent no longer matches any DNSKEY in the child zone, and validators reject the zone as bogus. Compare the key tag and digest shown in the Data Chain view against the current DNSKEY RRset, then update or remove the DS record at the registrar as appropriate. When rolling a KSK, pre-publish the new DNSKEY and DS before retiring the old key. |
| Intermittent validation failures with no obvious pattern | Check the signature expiration times shown in the Trust Tree and the Log Report entries for the failing polls. DNSSEC signatures (RRSIGs) have an inception and expiration time and must be refreshed before they expire; failures that cluster near the end of a signature's validity window indicate the automated signing process is not re-signing in time. Review the zone signing schedule on your DNS provider or authoritative nameserver. Also confirm the probe's clock is accurate, since validation compares signature times against local time. |
| Monitor added for an unsigned domain and shows constant failure | A domain without DNSSEC always returns Validity 0. This is not a misconfiguration in Cloudmon. Configure DNSSEC monitors for domains that have DNSSEC deployed; if you intentionally monitor an unsigned domain (for example, to be notified when it becomes signed), set the alert threshold so that a 0 value does not raise a false alarm. |
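The DS-to-DNSKEY linkage that the Data Chain view checks, and that the first two troubleshooting rows turn on, can be reproduced offline. The following is an added example written for this page, not Cloudmon code: it computes the RFC 4034 key tag and the DS digest (digest type 2 is SHA-256, type 4 is SHA-384) for a child key-signing key, checks whether a parent-side DS record references that key, and classifies the result in the secure/insecure/bogus terms a validating resolver uses. The owner name example.com, the key bytes and the DS values are constructed sample data rather than real records, and the function and class names are this example's own.

```python
import hashlib
from dataclasses import dataclass

# DS digest types: RFC 4509 defines SHA-256 (2), RFC 6605 adds SHA-384 (4).
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 257 = ZONE + SEP (a KSK), 256 = ZONE only (a ZSK)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # 8 = RSASHA256, 13 = ECDSAP256SHA256, ...
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical wire-format owner name: lower-cased labels, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """The DS record a parent publishes for a child KSK (RFC 4034 section 5.1.4):
    digest = hash(canonical owner name || DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)


def ds_matches(ds: DS, owner: str, key: DNSKEY) -> bool:
    """Does this parent-side DS reference this child-side DNSKEY?"""
    if not key.flags & 0x0100:          # ZONE bit clear: not a zone key at all
        return False
    if ds.algorithm != key.algorithm or ds.digest_type not in DIGEST_ALGS:
        return False
    if ds.key_tag != key_tag(key.rdata()):
        return False                    # cheap filter; tags can collide, so hash anyway
    return make_ds(owner, key, ds.digest_type).digest == ds.digest


def classify_link(owner: str, ds_set: list, dnskeys: list) -> str:
    """Classify one parent->child link the way the troubleshooting table above does."""
    if not ds_set:
        return "insecure: no DS at parent (unsigned domain, or DS never published)"
    if not dnskeys:
        return "bogus: DS at parent but child serves no DNSKEY (zone moved to an unsigned provider?)"
    for ds in ds_set:
        for key in dnskeys:
            if ds_matches(ds, owner, key):
                return f"secure: DS key tag {ds.key_tag} matches a child DNSKEY"
    return "bogus: no DS at parent matches any child DNSKEY (KSK rolled without updating DS?)"


# Constructed sample data, not real keys: 64-byte ECDSA P-256 sized public keys.
OWNER = "example.com"
OLD_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(1, 65)))
NEW_KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64, 0, -1)))
PARENT_DS = make_ds(OWNER, OLD_KSK)   # what the registrar published for OLD_KSK

if __name__ == "__main__":
    print("before roll:              ", classify_link(OWNER, [PARENT_DS], [OLD_KSK]))
    print("after roll, DS not updated:", classify_link(OWNER, [PARENT_DS], [NEW_KSK]))
    print("after roll, DS updated:    ", classify_link(OWNER, [make_ds(OWNER, NEW_KSK)], [NEW_KSK]))
    print("no DS published:           ", classify_link(OWNER, [], [OLD_KSK]))
```

To check a live delegation the same way, feed it the DNSKEY RRset from the child's authoritative nameservers and the DS RRset from the parent's nameservers. A key tag match alone is not proof of linkage, since tags are a 16-bit checksum and can collide; the digest comparison over the canonical owner name and the full DNSKEY RDATA is the decisive step, which is also why a DS computed for one owner name does not validate the same key under another name.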