Tools for testing whether DNSSEC is correctly implemented for your domain:

Tools for using DNSSEC on your local system:

To test what will happen if your DNSSEC validation indicator in your browser finds a site where DNSSEC is broken, you can visit either of these sites where DNSSEC has been deliberately mis-configured:

Tools for setting up your own DNS servers:

Tools for testing your DANE implementation

Tools for Web Developers

Other DNSSEC Tools Sites

The DNSSEC-Tools project contains a variety of tools relating to various aspects of using DNSSEC. Check out this video from DNSSEC-Tools by Wes Hardaker which provides a good introduction to their tools. Including how to use them for establishing, verifying and troubleshooting your DNSSEC configuration.

Verisign Labs also maintains a tools page listing a variety of DNSSEC-related tools.

You can see the list of all tool resources in the Deploy360 site.

Do you know of additional tools we should consider adding here? If so, please send them to us.

January 4th, 2012 by | Posted in | 7 Comments

7 Responses to DNSSEC Tools

  1. Simon Leinen says:

    Funnily, (www.) rhybar.cz currently cannot be resolved because of a DNSSEC error – http://dnssec-debugger.verisignlabs.com/rhybar.cz tells me that some of the signatures have expired. I guess this just shows how important such tools are!

  2. Dan York says:


    That site, rhybar.cz, is deliberately broken! If you cannot resolve that site that is a GOOD thing and means you are protected via DNSSEC!


  3. Simon Leinen says:

    Thanks for the quick reply! Stupid me, I should read the text before clicking on random links! I was looking for a validator to check on a broken customer domain – and I did find one that confirmed my suspicion that that was indeed due to DNSSEC (failed to update DS in parent zone after key rollover – probably a common failure mode for DNSSEC-enabled domains!)

    • Dan York says:

      Glad you figured out the problem! And yes, the DS update problem is indeed one of the biggest challenges right now. It’s bitten me personally when I missed emails telling me my DNS hosting provider had generated a new KSK and I needed to update my DS record at my registrar.

      There are several proposals for automating this – but none are available quite yet.

Leave a Reply

Your email address will not be published. Required fields are marked *