DNS & DNSSEC — nameservers and zone signing
The DNS category has two checks. One confirms the domain has nameservers — without them the whole zone is broken. The other checks DNSSEC, the cryptographic signing of the zone. Both are graded gently: a missing DNSSEC signature is only a warning, and a lookup that can't reach our resolver degrades to not-applicable rather than penalizing the domain.
The nameserver check (“Nameservers”) is the foundation. It passes when the domain has at least one NS record. It fails when there are no NS records — a domain with no nameservers is broken or undelegated, and nothing else about it will work. If the lookup itself fails, it's recorded as an error rather than a fail, so a transient DNS hiccup doesn't masquerade as a broken zone.
The DNSSEC check (“DNSSEC”) runs over DNS-over-HTTPS and looks for a DNSKEY record, which indicates the zone is signed. It passes when a DNSKEY is present. It warns when the zone is confirmed unsigned (a NOERROR response with no DNSKEY) — sub-optimal, but not broken. If the DoH service doesn't respond, the check is marked not-applicable — we don't penalize a domain for a hiccup in our own infrastructure — so it never fails.
Missing DNSSEC is only a warning. Plenty of perfectly healthy domains legitimately don't sign their zones, so an unsigned zone earns a warning rather than a fail — it's a hardening opportunity, not a defect.
If the DNSSEC lookup can't reach the DNS-over-HTTPS service, the check degrades to not-applicable, not fail. A problem on our side of the lookup never counts against your domain's grade.
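The grading rules above, as an added illustration (not the grader's own code): a DoH JSON lookup whose result is classified exactly as described, with a transport failure degrading to error (nameservers) or not-applicable (DNSSEC). The endpoint URL, the `example.test` sample responses and the handling of RCODEs the page does not mention are assumptions.

```python
import json
import urllib.request
from urllib.error import URLError

NS, DNSKEY = 2, 48            # RR type codes in the DoH JSON "type" field
NOERROR, NXDOMAIN = 0, 3      # RCODEs in the DoH JSON "Status" field

def fetch_doh_json(name, rrtype, endpoint="https://cloudflare-dns.com/dns-query"):
    """Fetch one RRset from a DoH endpoint speaking the JSON API (assumed URL).
    Returns the parsed dict, or None when the service cannot be reached."""
    req = urllib.request.Request(f"{endpoint}?name={name}&type={rrtype}",
                                 headers={"accept": "application/dns-json"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except (URLError, OSError, ValueError):
        return None               # resolver hiccup: the grader decides what it means

def has_rr(response, rrtype):
    return any(rr.get("type") == rrtype for rr in response.get("Answer", []))

def grade_nameservers(response):
    """Nameservers check: pass / fail / error."""
    if response is None:
        return "error"            # lookup failed; not counted as a broken zone
    if has_rr(response, NS):
        return "pass"
    if response.get("Status") in (NOERROR, NXDOMAIN):
        return "fail"             # no NS records: broken or undelegated zone
    return "error"                # SERVFAIL etc. (assumption: treated as lookup error)

def grade_dnssec(response):
    """DNSSEC check: pass / warn / not-applicable; it never fails."""
    if response is None:
        return "not-applicable"   # DoH service did not respond
    if has_rr(response, DNSKEY):
        return "pass"
    if response.get("Status") == NOERROR:
        return "warn"             # confirmed unsigned: hardening opportunity
    return "not-applicable"       # other RCODEs (assumption: not a confirmed answer)

def check_domain(domain):
    return {"Nameservers": grade_nameservers(fetch_doh_json(domain, "NS")),
            "DNSSEC": grade_dnssec(fetch_doh_json(domain, "DNSKEY"))}

# Constructed DoH JSON responses (dns-json shape) so the graders run offline.
SIGNED_ZONE = {"Status": 0, "Answer": [{"name": "example.test.", "type": 48,
                                        "TTL": 3600, "data": "257 3 13 <placeholder>"}]}
UNSIGNED_ZONE = {"Status": 0, "Answer": []}     # NOERROR with no DNSKEY
DELEGATED = {"Status": 0, "Answer": [{"name": "example.test.", "type": 2,
                                      "TTL": 3600, "data": "ns1.example.test."}]}
UNDELEGATED = {"Status": 3}                      # NXDOMAIN, no NS records
```

`check_domain("example.com")` performs the live lookups; the module-level dicts exercise each grading branch without network access.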
Frequently asked questions
What do the DNS checks cover?
Two things: “Nameservers” confirms the domain has NS records (without them the zone is broken or undelegated), and “DNSSEC” checks whether the zone is cryptographically signed. They're the smaller-weighted checks in the grade but catch fundamental delegation problems.
Is missing DNSSEC a problem?
It's only a warning. Many healthy domains legitimately don't sign their zones, so an unsigned zone is treated as a hardening opportunity, not a fail. A confirmed-unsigned zone (a clean response with no DNSKEY) warns; a present DNSKEY passes.
Why does DNSSEC sometimes show as not-applicable?
The DNSSEC check runs over a DNS-over-HTTPS service. If that service doesn't respond, the check degrades to not-applicable rather than failing — we don't penalize your domain for a hiccup in our own lookup infrastructure.
When does the nameserver check fail?
When the domain has no NS records at all, which means the zone is broken or undelegated. If the lookup itself fails, it's recorded as an error rather than a fail, so a transient hiccup doesn't look like a broken zone.