DNS & Domain Security
120 points total
Evaluates the security posture of your domain's DNS configuration — DNSSEC, SPF/DMARC presence at the DNS layer, CAA records, name-server delegation consistency, zone transfer protections, and wildcard exposure.
Checks
| Check | Weight | What it measures |
|---|---|---|
| DNSSEC Validation `dns_dnssec_validation` | 20 pts | Verifies that DNSSEC is properly configured with a valid DS → DNSKEY → RRSIG chain. |
| CAA Record Presence `dns_caa_record_presence` | 20 pts | Checks for Certificate Authority Authorization records restricting which CAs can issue certificates for your domain. |
| NS Delegation Consistency `dns_ns_delegation_consistency` | 15 pts | Compares the NS records at the parent zone with those served by the authoritative zone to detect delegation mismatches. |
| Zone Transfer (AXFR) Check `dns_zone_transfer_axfr_check` | 15 pts | Attempts an AXFR zone transfer against each authoritative nameserver to detect open transfers. |
| SPF Record Check `dns_spf_record_check` | 15 pts | Verifies that an SPF TXT record exists on the root domain. |
| DMARC Record Check `dns_dmarc_record_check` | 15 pts | Verifies that a DMARC TXT record exists at `_dmarc.<domain>`. |
| Wildcard Detection `dns_wildcard_detection` | 10 pts | Tests whether the domain answers wildcard queries (`*.domain`); when every name resolves, dangling subdomains are hidden in the noise, which can mask subdomain takeover risks. |
| MX Record Check `dns_mx_record_check` | 10 pts | Checks for the presence and validity of MX records for mail delivery. |
Pass / Warn / Fail Logic
DNSSEC Validation
Pass if full chain validates; warn if signatures detected but inconclusive; fail if DS record exists without valid signatures or DNSSEC is absent.
CAA Record Presence
Pass if CAA records are published; fail if absent.
NS Delegation Consistency
Pass if parent and authoritative NS sets match; warn/fail on mismatch.
Zone Transfer (AXFR) Check
Pass if all nameservers refuse AXFR; fail if any allows it.
SPF Record Check
Pass if valid SPF record is present; fail if missing.
DMARC Record Check
Pass if valid DMARC record is present; fail if missing.
Wildcard Detection
Pass if no wildcard resolution; warn if wildcard detected.
MX Record Check
Pass if valid MX records or a null MX (`0 .`, RFC 7505, which must be the only MX record) are present; fail if missing.
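The pass/warn/fail rules above, applied to pre-resolved records and combined with the weights from the checks table, as an added example (not RedScore's own code). It takes records the caller has already fetched (with dig, dnspython or similar), so it runs offline against two constructed record sets. Assumptions not stated on this page: the `DnsRecords` layout, the warn/fail split for NS mismatches (warn when the parent and child NS sets overlap, fail when they are disjoint), half credit for a warn, and the note strings for non-DNSSEC findings.

```python
"""Score a domain's DNS posture from already-resolved records (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

PASS, WARN, FAIL = "pass", "warn", "fail"

WEIGHTS = {  # weights from the checks table (120 points total)
    "dns_dnssec_validation": 20, "dns_caa_record_presence": 20,
    "dns_ns_delegation_consistency": 15, "dns_zone_transfer_axfr_check": 15,
    "dns_spf_record_check": 15, "dns_dmarc_record_check": 15,
    "dns_wildcard_detection": 10, "dns_mx_record_check": 10,
}
CREDIT = {PASS: 1.0, WARN: 0.5, FAIL: 0.0}  # half credit for warn is an assumption


@dataclass
class DnsRecords:  # assumed layout of what the caller looked up
    ds_present: bool                  # DS RRset exists at the parent zone
    rrsig_present: bool               # RRSIGs seen in answers from the zone
    chain_validates: Optional[bool]   # validating resolver verdict, None if inconclusive
    caa: list[str]                    # CAA records at the apex
    parent_ns: set[str]               # NS names returned by the parent (TLD) servers
    child_ns: set[str]                # NS names returned by the zone's own servers
    axfr_open: dict[str, bool]        # nameserver -> True if AXFR returned the zone
    txt_root: list[str]               # TXT records at the apex
    txt_dmarc: list[str]              # TXT records at _dmarc.<domain>
    wildcard_answer: bool             # a random label under the domain resolved
    mx: list[tuple[int, str]]         # (preference, exchange) pairs


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def check_dnssec(r: DnsRecords):
    if not r.ds_present and not r.rrsig_present:
        return FAIL, "dnssec_missing"          # finding id from this page
    if r.ds_present and r.chain_validates is True:
        return PASS, None
    if r.ds_present and r.chain_validates is False:
        return FAIL, "dnssec_broken"           # DS published, chain does not validate
    return WARN, "dnssec_partial"              # signatures seen, validation inconclusive


def check_caa(r: DnsRecords):
    return (PASS, None) if r.caa else (FAIL, "no CAA records published")


def check_ns_delegation(r: DnsRecords):
    parent, child = {_norm(n) for n in r.parent_ns}, {_norm(n) for n in r.child_ns}
    if parent == child:
        return PASS, None
    if parent & child:                         # partial overlap -> warn (assumption)
        return WARN, f"parent/child NS differ: {sorted(parent ^ child)}"
    return FAIL, "parent and child NS sets share no nameserver"


def check_axfr(r: DnsRecords):
    leaking = sorted(ns for ns, is_open in r.axfr_open.items() if is_open)
    return (FAIL, f"AXFR allowed by {leaking}") if leaking else (PASS, None)


def check_spf(r: DnsRecords):
    spf = [t for t in r.txt_root if t.lower().startswith("v=spf1")]
    if not spf:
        return FAIL, "no SPF record at apex"
    if len(spf) > 1:                           # RFC 7208: more than one record is a permerror
        return FAIL, "multiple SPF records"
    return PASS, None


def check_dmarc(r: DnsRecords):
    recs = [t for t in r.txt_dmarc if t.upper().startswith("V=DMARC1")]
    if len(recs) != 1:                         # RFC 7489: zero or several records -> no policy
        return FAIL, f"{len(recs)} DMARC records at _dmarc"
    tags = dict(kv.strip().split("=", 1) for kv in recs[0].split(";") if "=" in kv)
    if tags.get("p", "").strip() not in {"none", "quarantine", "reject"}:
        return FAIL, "DMARC record lacks a valid p= tag"
    return PASS, None


def check_wildcard(r: DnsRecords):
    return (WARN, "wildcard resolution detected") if r.wildcard_answer else (PASS, None)


def check_mx(r: DnsRecords):
    if not r.mx:
        return FAIL, "no MX records"
    if any(_norm(host) == "" for _, host in r.mx):   # '.' exchange = null MX
        ok = len(r.mx) == 1 and r.mx[0][0] == 0      # RFC 7505: must be the only MX, pref 0
        return (PASS, None) if ok else (FAIL, "null MX mixed with other MX or wrong preference")
    return PASS, None


CHECKS = {
    "dns_dnssec_validation": check_dnssec, "dns_caa_record_presence": check_caa,
    "dns_ns_delegation_consistency": check_ns_delegation, "dns_zone_transfer_axfr_check": check_axfr,
    "dns_spf_record_check": check_spf, "dns_dmarc_record_check": check_dmarc,
    "dns_wildcard_detection": check_wildcard, "dns_mx_record_check": check_mx,
}


def score(r: DnsRecords):
    """Return (points out of 120, {check_id: (status, note)})."""
    results = {cid: fn(r) for cid, fn in CHECKS.items()}
    return sum(WEIGHTS[c] * CREDIT[s] for c, (s, _) in results.items()), results


# Constructed sample inputs (not real lookups): a well-configured zone and a weak one.
GOOD = DnsRecords(True, True, True, ['0 issue "letsencrypt.org"'],
                  {"ns1.example.net.", "ns2.example.net."}, {"NS1.example.net", "ns2.example.net"},
                  {"ns1.example.net": False, "ns2.example.net": False},
                  ["v=spf1 include:_spf.example.net -all", "site-verification=abc"],
                  ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"], False, [(10, "mail.example.com.")])
WEAK = DnsRecords(True, True, False, [],
                  {"ns1.example.net", "ns2.example.net"}, {"ns1.example.net", "ns3.example.net"},
                  {"ns1.example.net": True, "ns2.example.net": False},
                  ["v=spf1 -all", "v=spf1 include:_spf.example.net ~all"],
                  ["v=DMARC1; rua=mailto:dmarc@example.com"], True, [(0, "."), (10, "mail.example.com")])

if __name__ == "__main__":
    for name, recs in (("GOOD", GOOD), ("WEAK", WEAK)):
        total, res = score(recs)
        print(name, total, {c: s for c, (s, _) in res.items()})
```

The WEAK sample shows the two failure modes a scanner must handle rather than treat as "present": a second SPF string at the apex, which RFC 7208 evaluators reject outright, and a null MX published alongside a real exchange, which is invalid under RFC 7505.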
Findings & How to Fix Them
These are the specific findings RedScore may report for this category, along with remediation guidance.
`dnssec_broken`: A DS record is published at the parent but the DNSKEY/RRSIG chain does not validate. Enable and validate DNSSEC at your DNS provider and ensure the DS and RRSIG/DNSKEY chain is consistent. A DS that no longer matches the zone's signing key (for example after a key rollover or a move to a new DNS provider) causes validating resolvers to SERVFAIL the whole domain, so correct or remove the stale DS promptly.
`dnssec_missing`: No DS record or signatures were found; the zone is not protected by DNSSEC. Enable and validate DNSSEC at your DNS provider and ensure the DS and RRSIG/DNSKEY chain is consistent.
`dnssec_partial`: DNSSEC signatures were detected but full chain validation was inconclusive. Verify the DS → DNSKEY → RRSIG chain with your registrar.