DS Record Propagation CheckerVerify DNSSEC delegation signer records are live across global DNS networks

  • 7 independent networks
  • Records + DNS flags
  • No ads, no sign-up

DSDNSSEC delegation signer

Independent networks

7 public DNS networks, queried in parallel

Every test query is answered by these unaffiliated resolvers on separate networks and infrastructure. When they agree, you can trust the result.

  • Google Public DNS

    Google LLC · North America

    8.8.8.8
  • Cloudflare

    Cloudflare, Inc. · Global Anycast

    1.1.1.1
  • AdGuard DNS

    AdGuard Software Ltd. · Europe

    94.140.14.14
  • NextDNS

    NextDNS, Inc. · Global Anycast

    45.90.28.0
  • DNS.SB

    xTom / Layer0 · Europe

    185.222.222.222
  • Alibaba DNS

    Alibaba Cloud · Asia

    223.5.5.5
  • DNSPod

    Tencent Cloud · Asia

    119.29.29.29

How it works

A test query for flag propagation check, done right

Most checkers query a single resolver or a set of geographically labelled servers behind the same anycast network. isPropagated queries genuinely independent DNS operators and compares both their records and their response flags.

01

Enter a domain and run the test query

Type any domain, pick a record type (A, AAAA, CNAME, MX, TXT, NS and more), then run a single test query that fans out to every network at once.

02

We query independent global networks

Instead of asking one resolver, we ask several unaffiliated public DNS networks in parallel — across North America, Europe and Asia — so no single cache can mislead you.

03

Compare records and DNS flags

Each network returns its answer plus the DNS response flags (AD, CD, RA, RD, TC). We check that both the records and the flags agree before calling a domain propagated.

04

Read the propagation verdict

A clear consensus score shows how many networks resolved the record and whether their answers match — so you know the moment a change is live everywhere.

What is a DS record and why does DNSSEC propagation matter?

A DS (Delegation Signer) record is a DNSSEC record that links a child DNS zone to its parent. When you enable DNSSEC for a domain, your DNS provider generates key-signing keys (KSKs) and publishes DNSKEY records in your zone. The DS record is a hashed reference to your zone's KSK, and it is published in the parent TLD zone (e.g., .com) — usually through your registrar.

Until the DS record is live in the parent zone and has propagated to all global resolvers, the DNSSEC chain of trust for your domain is incomplete. DNSSEC-validating resolvers checking for a trusted chain will fail to validate your records, potentially causing resolution failures for users on resolvers with strict DNSSEC validation.

Conversely, removing a DS record (when disabling DNSSEC) requires careful timing. Removing the DS before removing the DNSSEC signatures from your zone will cause validation failures. The DS record must be removed and propagated first; then DNSSEC signatures can be removed from the zone.

Checking DS record propagation after enabling DNSSEC

Enter your domain name, select DS from the record type dropdown, and run the test. Each resolver should return the DS record(s) published by the parent TLD. When all resolvers agree and the AD flag (Authenticated Data) is set consistently, the DNSSEC chain of trust is established.

This tool also checks the AD flag across all 7 resolvers. Disagreement on the AD flag is a direct signal that DNSSEC propagation is incomplete — some resolvers have established the chain, others have not yet seen the DS record from the TLD.

FAQ

Common questions about ds record propagation checker

How long does DS record propagation take after enabling DNSSEC?

After you submit the DS record through your registrar, the TLD zone is updated within minutes. However, resolvers cache the parent zone's NS and DS records for their TTL (usually 86400 seconds for TLD zones). In practice, most resolvers see the DS record within 30 minutes to a few hours.

Why do I see the AD flag on some resolvers but not others?

The AD flag is set by a validating resolver when it has verified the complete DNSSEC chain. If the DS record has propagated to some TLD caches but not others, resolvers with the new DS will validate and set AD=true; resolvers with stale caches will not. Wait for the DS to propagate fully.

What should I check before disabling DNSSEC?

Remove the DS record at your registrar first, confirm it has propagated with this checker (DS record returns NXDOMAIN on all resolvers), then remove DNSSEC signatures from your zone. If you remove zone signatures before the DS is gone, validating resolvers will reject your records entirely.

What is the difference between a DS record and a DNSKEY record?

DNSKEY records are published in the zone itself and contain the public keys used to sign zone records. DS records are published in the parent zone and contain a hash of the child zone's key-signing key (KSK). The chain of trust goes: root zone DNSKEY → TLD DS → TLD DNSKEY → your zone DS → your zone DNSKEY.