Check DNSSEC Signatures tool

"Check DNSSEC Signatures" is a free tool which looks up and verifies the DNSSEC signature(s) for the specified record set using the public key found in the related DNSKEY-record(s).
It DOES NOT verify the DNSKEY against any trust anchors or secure delegations / DS-records (we may add this in a future version).
It supports RSA and DSA signatures, and SHA-1 hashing only (recommended and most common).

We created this tool in order to test our new DNSSEC signing functions in Simple DNS Plus v. 5.2 - mostly because we couldn't find any existing DNSSEC testing tools for Windows.
99% of the program code in this tool comes from Simple DNS Plus, so how do we know that either is working correctly? Simple - we tested the tool against a bunch of DNSSEC signed zones around the Internet, and since this was successful, the signing function in Simple DNS Plus must be working too.

Download (269 KB) (v. 1.0 build 1)

System requirements: Windows 98/2000 or later + .NET Framework 2.0 or later.

This zip file contains both a Windows GUI version (ChkSigW.exe) and a command line version (ChkSigC.exe) of the same tool.
The command line version returns an exit code 1 if it encounters any problems, so this could be used as part of some automated script to periodically check your zones.
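
A scheduled check built on that exit code could look like the following PowerShell script. This is an added example, not part of the tool or of Simple DNS Plus. The install path and the arguments passed to ChkSigC.exe are assumptions (this page does not show the argument syntax), so replace the placeholder entries with arguments written the way the tool's own usage text specifies.

```powershell
# Added example: run ChkSigC.exe for a list of checks and fail the job if any check fails.
# Assumed: install path below; argument form of ChkSigC.exe (placeholders only).
$ChkSig = 'C:\Tools\ChkSig\ChkSigC.exe'            # assumed path

$Checks = @(
    @{ Name = 'zone apex'; Args = @('example.com') },      # constructed placeholder
    @{ Name = 'web host';  Args = @('www.example.com') }   # constructed placeholder
)

function Invoke-SignatureCheck {
    param([string]$Exe, [string]$Name, [string[]]$Arguments)
    # Capture stdout and stderr so the failure report shows what the tool said.
    $output = & $Exe @Arguments 2>&1 | Out-String
    New-Object PSObject -Property @{
        Name     = $Name
        ExitCode = $LASTEXITCODE      # the page documents 1 = problem encountered
        Output   = $output.Trim()
    }
}

if (-not (Test-Path -LiteralPath $ChkSig)) {
    # A missing binary must not look like "all zones verified".
    Write-Warning "ChkSigC.exe not found at $ChkSig"
    exit 2
}

$results = foreach ($c in $Checks) {
    Invoke-SignatureCheck -Exe $ChkSig -Name $c.Name -Arguments $c.Args
}

# Treat any non-zero exit code as a failed verification.
$failed = @($results | Where-Object { $_.ExitCode -ne 0 })
foreach ($f in $failed) {
    Write-Warning ("DNSSEC signature check failed for '{0}' (exit code {1}):`n{2}" -f `
        $f.Name, $f.ExitCode, $f.Output)
}

# Propagate the result so Task Scheduler or a monitoring agent sees the failure.
if ($failed.Count -gt 0) { exit 1 } else { exit 0 }
```

Because the tool does not validate the DNSKEY against trust anchors or DS-records, a passing run here only shows that the published signatures match the published keys.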

Windows GUI version:


Command line version:


...also works in PowerShell:


Release Notes

Version 1.0 build 1 - July 14th 2009
- Fixed: Errors importing DNSKEY-record data were not caught and caused program crash.

Version 1.0 build 0 - January 24th 2009
- First release.

For more information, please see the following knowledge base articles:

KB Article How to DNSSEC sign a zone with Simple DNS Plus
KB Article Managing DNSSEC keys with Simple DNS Plus

16 May 2016 21:55 UTC
Scott Thompson
Does DNSSEC prevent the use of other SimpleDNS plugins like fixed ip address?
25 May 2016 16:41 UTC
JH Software
Generally you should not use dynamically generated DNS records (such as those generated by plug-ins) with DNSSEC signed zones as such records will not be signed - and therefore will fail DNSSEC validation.
However, Simple DNS Plus will not prevent you from doing so.