How can I check if a domain uses DNSSEC?

dig [zone] dnskey

That will show you if there is the required DNSKEY RRset in the zone that will be used to validate the RRsets in the zone.

If you want to see if your recursive server is validating the zone,

dig +dnssec [zone] dnskey

This will set the DO (dnssec OK) bit on the outbound query and cause the upstream resolver to set the AD (authenticated data) bit on the return packet if the data is validated and also provide you with the related RRSIGs (if the zone in question is signed) even if it is not able to validate the response.

You might want to take a look at the last group of slides in my "DNSSEC in 6 Minutes" presentation (lots about debugging DNSSEC). That presentation is a bit long in the tooth about deploying DNSSEC (you should really look at BIND 9.7 for the good stuff), but debugging has changed little.

There is also a presentation I gave at NANOG 50 about BIND 9.7 DNSSEC deployment.

I don't believe it is currently shown in the browser.

There is an extension to firefox which might do what you want:

• http://www.nlnetlabs.nl/projects/drill/drill_extension.html

alternatively, maybe one of these tools?

• http://www.dnssec.net/software