Continuous monitoring

Get paged when your zone goes unsigned.

A signed DNS zone can silently go unsigned in a botched migration — stripping origin-authentication from every answer, with no visible outage. Merlonix re-checks your DNSSEC and DANE/TLSA posture on a schedule and alerts you the moment that happens.

How it works

01

Turn it on for an asset

Enable DNS-security monitoring on any monitored asset. It is a $0 deterministic DNS lookup on your existing cadence — no AI, no third-party API.

02

We re-check your signing posture

On the asset’s cadence Merlonix re-queries whether the zone is DNSSEC-signed and authenticated, counts the DNSKEYs, and records whether DANE/TLSA records are present — building a posture history over time.

03

We watch for a downgrade

The dangerous change is a zone that was signed going unsigned: a botched nameserver migration, a dropped DS record at the registrar, a provider change that didn’t re-sign. The two failure modes look different from the outside. If the DS is dropped, the zone quietly becomes insecure and resolvers keep answering, so nobody notices. If the zone stops being signed while the DS stays at the registrar, validating resolvers return SERVFAIL for it. Either way, a definitive signed→unsigned transition is a genuine regression.

04

You get an alert

A signed→unsigned downgrade pages you with a warning; when the zone is re-signed you get an info recovery. A resolver failure records an “unknown” and never alerts, so a transient DNS blip is never misread as a downgrade.

What we watch

Signing posture, re-checked on a schedule.

We record the same DNS-layer authentication signals a good scanner reads — then keep reading them, so a zone that quietly loses its signature becomes an alert instead of a silent gap.

DNSSEC signing: is the zone signed, with a DNSKEY present and the chain authenticated?
DNSKEY count: how many signing keys are published (a KSK/ZSK rollover leaves a trail)
DANE / TLSA: are TLSA records published to pin your certificate at the DNS layer?
Downgrade alert: a signed zone going unsigned, the silent, high-impact regression

Why continuous beats a one-time test

Catch the migration that dropped your DS record

DNSSEC breaks most often not from an attack but from an operations change — a nameserver move where the DS record never made it to the registrar, or a provider swap that didn’t re-sign the zone. A one-time check at setup can’t see that; a scheduled re-check does.

Protect origin-authentication for your DNS answers

DNSSEC is what lets resolvers prove a DNS answer really came from you and wasn’t forged in transit. When a signed zone silently goes unsigned, that guarantee disappears for everyone resolving your domain — quietly, with no visible outage.

One panel with the rest of your posture

DNSSEC downgrades land in the same alert stream and asset detail as your SSL expiry, DNS drift, security headers, and uptime — so the person who owns the domain hears about it the same way as everything else.

What we promise — and what we don’t

We watch your signing posture. We don’t run your DNS.

Merlonix re-checks whether your zone is DNSSEC-signed on your asset’s cadence and alerts you when a signed zone goes unsigned. It is informational — the posture is not folded into a pass/fail score, and a resolver failure is recorded as unknown, never an alert. We tell you, continuously and precisely, when your zone downgrades; the fix — re-signing at your DNS provider and restoring the DS record at your registrar — lives on your side. No fabricated posture, no guarantees beyond what the DNS records themselves say.

Common questions

What does DNSSEC monitoring actually check?

On your asset’s cadence, Merlonix re-checks whether your DNS zone is DNSSEC-signed and its chain authenticated, how many DNSKEYs are published, and whether DANE/TLSA records exist. It records that posture over time and alerts you when a signed zone goes unsigned.

When does it alert me?

When the zone goes from DNSSEC-signed to unsigned between two definitive checks, you get a warning — that downgrade strips origin-authentication from your DNS answers. When the zone is re-signed you get an info recovery alert. If a resolver fails or the answer is indeterminate, the check is recorded as “unknown” and never alerts.
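The classification and alerting rule described in the “How it works” steps and in this answer, written out as an added example (not Merlonix code). The Observation fields ad_flag, dnskey_count, tlsa_present and error are assumed names for what one check against a validating resolver yields; the history below is constructed, with a key rollover, a resolver timeout, a dropped-DS migration and a re-signing, so the unknown-never-alerts and signed→unsigned-between-definitive-checks rules can be seen doing their job.

```python
# Added example: DNSSEC posture classification plus the definitive-transition
# alert rule, run over a constructed check history. Field names are assumed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SIGNED, UNSIGNED, UNKNOWN = "signed", "unsigned", "unknown"


@dataclass(frozen=True)
class Observation:
    ts: str                      # constructed timestamp label
    error: Optional[str] = None  # resolver failure (timeout, SERVFAIL): indeterminate
    ad_flag: bool = False        # AD bit set by a validating resolver = chain authenticated
    dnskey_count: int = 0        # DNSKEY RRs at the zone apex (KSK + ZSK, more mid-rollover)
    tlsa_present: bool = False   # any TLSA RR published for the service


def posture(obs: Observation) -> str:
    """Classify one check. A resolver failure is 'unknown', never a verdict."""
    if obs.error is not None:
        return UNKNOWN
    # Signed means keys are published AND the chain validated (AD set).
    # Keys present with AD clear is the dropped-DS case: the zone is signed
    # on paper but no validator can trust it, so it counts as unsigned.
    if obs.dnskey_count > 0 and obs.ad_flag:
        return SIGNED
    return UNSIGNED


def dane_effective(obs: Observation) -> bool:
    """TLSA records only mean something when the zone validates as signed."""
    return obs.tlsa_present and posture(obs) == SIGNED


def evaluate(history: List[Observation]) -> List[Tuple[str, str, str]]:
    """Return (severity, ts, message) alerts for definitive transitions only.

    'unknown' checks neither alert nor advance the baseline, so each
    comparison is between the last two checks that actually gave an answer.
    """
    alerts = []
    baseline = None  # last definitive posture; None before the first one
    for obs in history:
        p = posture(obs)
        if p == UNKNOWN:
            continue
        if baseline == SIGNED and p == UNSIGNED:
            alerts.append(("warning", obs.ts, "DNSSEC downgrade: signed -> unsigned"))
        elif baseline == UNSIGNED and p == SIGNED:
            alerts.append(("info", obs.ts, "DNSSEC recovered: zone re-signed"))
        baseline = p
    return alerts


def posture_rows(history: List[Observation]):
    """Posture history as (ts, posture, dnskey_count, dane_effective) rows."""
    return [(o.ts, posture(o), o.dnskey_count, dane_effective(o)) for o in history]


# Constructed history: steady signed zone, a KSK rollover (extra DNSKEY),
# a resolver timeout, a migration that dropped the DS (keys still published,
# AD clear), a second check confirming it, then the fix landing.
SAMPLE_HISTORY = [
    Observation("t1", ad_flag=True, dnskey_count=2, tlsa_present=True),
    Observation("t2", ad_flag=True, dnskey_count=3, tlsa_present=True),   # rollover
    Observation("t3", error="timeout"),                                   # blip, no alert
    Observation("t4", ad_flag=True, dnskey_count=2, tlsa_present=True),
    Observation("t5", ad_flag=False, dnskey_count=2, tlsa_present=True),  # DS dropped
    Observation("t6", ad_flag=False, dnskey_count=2, tlsa_present=True),
    Observation("t7", ad_flag=True, dnskey_count=2, tlsa_present=True),   # re-signed
]

if __name__ == "__main__":
    for row in posture_rows(SAMPLE_HISTORY):
        print(row)
    for alert in evaluate(SAMPLE_HISTORY):
        print(alert)
```

Two points the code makes explicit: a check that times out is skipped entirely rather than treated as a state, so a signed, unknown, unsigned sequence still produces exactly one downgrade warning at the unsigned check; and TLSA records that are present in a zone that no longer validates are reported but do not count as effective DANE.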

How is this different from a one-time DNSSEC test?

A one-time test (including our own free /tools/domain-health scan) tells you your signing posture at the moment you run it. Continuous monitoring re-checks on your schedule and catches the silent downgrade a later migration introduces — which a check you ran at setup can never see.

Does the DNSSEC posture affect a pass/fail score?

No. DNS-security monitoring is informational: the alerts stand on their own and are not folded into any aggregate health or compliance score. That keeps it consistent with the free scanner and the audit report, which also keep it out of scoring.

What is DANE/TLSA and why show it?

DANE (via TLSA records) lets you pin your TLS certificate at the DNS layer, so a DANE-aware client can verify your certificate independently of the public CA system. That only holds when the zone is DNSSEC-signed: a TLSA record in an unsigned zone can be forged as easily as any other answer, so it carries no assurance. We report whether TLSA records are present so you can see your full DNS-layer authentication posture in one place.

Don’t let a migration silently un-sign your zone.

Turn on DNSSEC monitoring and get paged the moment a signed zone goes unsigned. Start the full-workspace trial — 14 days, no card.