DNSSEC AD Flag Checker
Query DNS records via DoH and report if the AD (Authenticated Data) bit is set. The AD bit indicates whether the DNS response has been cryptographically verified through DNSSEC validation.
About DNSSEC and the AD Flag
What is DNSSEC?
DNS Security Extensions (DNSSEC) add cryptographic authentication to DNS responses, protecting against DNS spoofing and cache poisoning attacks by ensuring response integrity.
The AD (Authenticated Data) Flag
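The AD bit in DNS responses indicates that the resolver has successfully validated the response using DNSSEC. When it is set, you can trust that the response hasn't been tampered with, provided you trust the resolver and the channel to it, because the bit is the resolver's assertion rather than a check performed by the client.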
Why Use DoH for DNSSEC?
DNS-over-HTTPS preserves DNSSEC validation status in the AD flag, while traditional DNS queries may not expose this information clearly to clients.
Interpreting Results
- AD Set: Response is cryptographically verified
- AD Not Set: Domain unsigned, validation failed, or resolver doesn't validate
- CD Set: Validation was disabled for this query
- SERVFAIL: May indicate DNSSEC validation failure
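
The interpretation rules above, applied to the header of a wire-format DNS response (the body a DoH server returns as `application/dns-message`). This is an added example, not this tool's own code; the function names and the sample headers are constructed for illustration.

```python
import struct

# Flag masks for the second 16-bit word of the DNS header
# (RFC 1035; AD and CD are defined by DNSSEC, RFC 4035).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def classify(message: bytes) -> dict:
    """Read the DNS header flags and interpret AD, CD and RCODE."""
    if len(message) < 12:
        raise ValueError("truncated DNS message: the header is 12 bytes")
    flags = struct.unpack("!H", message[2:4])[0]
    if not flags & QR:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    ad, cd = bool(flags & AD), bool(flags & CD)
    if rcode == 2:
        verdict = "SERVFAIL: may indicate DNSSEC validation failure"
    elif cd:
        verdict = "CD set: validation was disabled for this query"
    elif ad:
        verdict = "AD set: resolver reports the response as validated"
    else:
        verdict = "AD not set: unsigned, validation failed, or non-validating resolver"
    return {"rcode": RCODES.get(rcode, str(rcode)), "ad": ad, "cd": cd, "verdict": verdict}


def header(flags: int) -> bytes:
    """Constructed sample: a header-only response (ID 0, all counts 0)."""
    return struct.pack("!6H", 0, flags, 0, 0, 0, 0)


# Constructed sample responses, one per case in the list above.
SAMPLES = {
    "signed": header(QR | RD | RA | AD),
    "unsigned": header(QR | RD | RA),
    "cd": header(QR | RD | RA | CD),
    "servfail": header(QR | RD | RA | 2),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:9} {classify(msg)}")
```

SERVFAIL is checked first because a validating resolver that fails validation returns SERVFAIL with AD clear, so reading AD alone would misreport that case as merely "not set".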