DNSKEY Record Propagation Checker
Confirm DNSSEC public keys are consistent across global DNS resolvers
- 7 independent networks
- Records + DNS flags
- No ads, no sign-up
Independent networks
7 public DNS networks, queried in parallel
Every test query is answered by these unaffiliated resolvers on separate networks and infrastructure. When they agree, you can trust the result.
- 8.8.8.8: Google Public DNS (Google LLC · North America)
- 1.1.1.1: Cloudflare (Cloudflare, Inc. · Global Anycast)
- 94.140.14.14: AdGuard DNS (AdGuard Software Ltd. · Europe)
- 45.90.28.0: NextDNS (NextDNS, Inc. · Global Anycast)
- 185.222.222.222: DNS.SB (xTom / Layer0 · Europe)
- 223.5.5.5: Alibaba DNS (Alibaba Cloud · Asia)
- 119.29.29.29: DNSPod (Tencent Cloud · Asia)
How it works
A test query for a flag propagation check, done right
Most checkers query a single resolver or a set of geographically labelled servers behind the same anycast network. isPropagated queries genuinely independent DNS operators and compares both their records and their response flags.
Enter a domain and run the test query
Type any domain, pick a record type (A, AAAA, CNAME, MX, TXT, NS and more), then run a single test query that fans out to every network at once.
We query independent global networks
Instead of asking one resolver, we ask several unaffiliated public DNS networks in parallel — across North America, Europe and Asia — so no single cache can mislead you.
Compare records and DNS flags
Each network returns its answer plus the DNS response flags (AD, CD, RA, RD, TC). We check that both the records and the flags agree before calling a domain propagated.
Read the propagation verdict
A clear consensus score shows how many networks resolved the record and whether their answers match — so you know the moment a change is live everywhere.
What is a DNSKEY record and when does propagation matter?
DNSKEY records publish the public keys used to sign a DNSSEC-protected DNS zone. Every DNSSEC zone has at least one Zone Signing Key (ZSK) that signs individual resource records, and a Key Signing Key (KSK) that signs the ZSK and is hashed to create the DS record in the parent zone. Together they form the chain of trust from the root down to your zone.
DNSKEY propagation matters most during a key rollover — when a zone transitions from an old signing key to a new one. During the rollover window, both old and new DNSKEY records should be present in the zone so that resolvers caching the old DS record can still validate. If the old DNSKEY is removed before all resolvers have fetched the new DS record from the parent TLD, validation will fail for those resolvers.
Modern DNS providers handle DNSKEY rollovers automatically, but if you manage your own DNSSEC infrastructure, checking that both keys are live during the transition is critical.
Reading DNSKEY propagation results
Select DNSKEY from the record type dropdown and enter your domain. Each resolver card shows the DNSKEY records currently in the zone. Consistent DNSKEY records across all resolvers mean the zone is in sync. Check the AD flag as well: a validating resolver will set AD=true once it has verified the complete chain including the DNSKEY.
During a key rollover, you should see both old and new DNSKEY records on all resolvers until the parent DS record has been updated and propagated to point to the new KSK.
FAQ
Common questions about the DNSKEY record propagation checker
How do I verify a DNSSEC key rollover is safe to complete?
Use this tool to confirm the new DNSKEY is present on all resolvers alongside the old key. Then check that the new DS record has propagated in the parent zone using the DS record type. Only after both are confirmed live everywhere should you remove the old key.
What flags appear in DNSKEY records?
DNSKEY records contain a flags field: a value of 256 indicates a Zone Signing Key (ZSK); a value of 257 indicates a Key Signing Key (KSK). The KSK is the key that corresponds to the DS record in the parent zone.
How long does DNSKEY propagation take?
DNSKEY records are published in your own zone, so they propagate on their own TTL (often 3600 seconds). However, the DNSSEC chain of trust also depends on the DS record in the parent TLD zone, which has a longer propagation window (up to 24 hours).
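The rollover check described in the FAQ above, as an added Python example that is not part of the original page or the tool's own code: it derives the SHA-256 DS digest and key tag for a new KSK and reports whether the old key can be removed yet. The function names, the per-resolver dictionaries and the filler key bytes are assumptions constructed for illustration.

```python
import hashlib
import struct

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA wire form: flags (2 bytes), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def wire_name(name):
    """Canonical (lowercase) wire encoding of an owner name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over the owner name followed by the DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def rollover_verdict(owner, new_ksk, dnskeys, ds_sets):
    """dnskeys / ds_sets map resolver -> set of DNSKEY RDATA / DS digests seen there."""
    want = ds_digest(owner, new_ksk)
    missing_key = sorted(r for r, keys in dnskeys.items() if new_ksk not in keys)
    missing_ds = sorted(r for r, ds in ds_sets.items() if want not in ds)
    if missing_key:
        return "wait: new DNSKEY not yet on " + ", ".join(missing_key)
    if missing_ds:
        return "wait: new DS not yet on " + ", ".join(missing_ds)
    return "safe to remove old key (new key tag %d)" % key_tag(new_ksk)

# Constructed sample data: the key bytes are fillers, not real keys.
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 13, bytes(64))          # flags 257 = KSK
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64)))
RESOLVERS = ["8.8.8.8", "1.1.1.1", "223.5.5.5"]
BOTH = {OLD_KSK, NEW_KSK}
mid_rollover = rollover_verdict(
    ZONE, NEW_KSK,
    {r: BOTH for r in RESOLVERS},                   # both keys live everywhere
    {"8.8.8.8": {ds_digest(ZONE, NEW_KSK)},
     "1.1.1.1": {ds_digest(ZONE, OLD_KSK)},         # still serving the cached old DS
     "223.5.5.5": {ds_digest(ZONE, NEW_KSK)}})

if __name__ == "__main__":
    print(mid_rollover)
```

The verdict only turns to "safe" once every resolver reports both the new DNSKEY and a DS digest matching it, which is the ordering the FAQ prescribes.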