diff --git a/quickstart.go b/quickstart.go
index 1276b50..b90ae83 100644
--- a/quickstart.go
+++ b/quickstart.go
@@ -162,8 +162,9 @@ logging in with IMAP.
 	resolveCtx, resolveCancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer resolveCancel()
 
+	// Some DNSSEC-verifying resolvers return unauthentic data for ".", so we check "com".
 	fmt.Printf("Checking if DNS resolvers are DNSSEC-verifying...")
-	_, resolverDNSSECResult, err := resolver.LookupNS(resolveCtx, ".")
+	_, resolverDNSSECResult, err := resolver.LookupNS(resolveCtx, "com.")
 	if err != nil {
 		fmt.Println("")
 		fatalf("checking dnssec support in resolver: %v", err)
diff --git a/webadmin/admin.go b/webadmin/admin.go
index 46a2119..213a6da 100644
--- a/webadmin/admin.go
+++ b/webadmin/admin.go
@@ -529,7 +529,8 @@ func checkDomain(ctx context.Context, resolver dns.Resolver, dialer *net.Dialer,
 		defer logPanic(ctx)
 		defer wg.Done()
 
-		_, result, err := resolver.LookupNS(ctx, ".")
+		// Some DNSSEC-verifying resolvers return unauthentic data for ".", so we check "com".
+		_, result, err := resolver.LookupNS(ctx, "com.")
 		if err != nil {
 			addf(&r.DNSSEC.Errors, "Looking up NS for DNS root (.) to check support in resolver for DNSSEC-verification: %s", err)
 		} else if !result.Authentic {