How To Add DNSSEC Support To Mozilla Firefox

DNSSEC provides a method to authenticate that you are in fact communicating with the site you think you are. It uses a “chain of trust” and digital signatures to check the validity of the information your computer receives from DNS.

But how can you as an end-user see whether the DNS information is correct?

If you are a user of the Mozilla Firefox browser, the good news is that the team at CZ.NIC Labs have created a “DNSSEC Validator” add-on for Firefox available at:

NOTE: The add-on is now available through the Mozilla Add-On Directory at:

The original site can still be found at:

Note that when you visit the site you may need to click the “en” at the top of the page to read the page in English.

UPDATE: A similar extension is now available for Google Chrome.

After installation and a restart of Firefox, you’ll now see a green “key” icon whenever you browse to a website with DNSSEC enable, such as and this Deploy360 site:

Deploy360 dnssec

Sadly, the reality is that most of the Web is not using DNSSEC, so right now you’ll primarily see this symbol:

Google no dnssec 1

However, we’re hoping to change that!

Installing the Add-on

NOTE: The CZ.NIC Labs team still considers this an “alpha” add-on, meaning that it is still in development. Please be aware that use of it is at your own risk. (Having said that, a member of our team has been using it for a while and has not seen any issue using it.)

Installation is very straightforward. You can either click the installation link on the CZ.NIC page or select the “Add to Firefox” button on the DNSSEC Validator page in the Firefox Add-ons gallery:

DNSSECValidator addon

You’ll then begin the typical process of downloading the add-on:


And approving the installation:

Firefox 1

You’ll next get the message that you need to restart Firefox:

Firefox restart

After which you should be good to go!

In the best case, you should now just be able to go to a site like and see a nice green key in your address bar:

Deploy360 dnssec

If, so, congratulations! You can now start browsing the web and Firefox will show you the DNSSEC status of any sites you visit.

If you don’t see a green key icon, read on…

Using a DNSSEC-aware DNS Resolver

Many of you may be seeing instead a key icon with a yellow triangle containing an exclamation mark:

Deploy360 dnssecerror

The issue here is that your local DNS resolver does not support DNSSEC. When your browser wants to connect to a website, it uses your local DNS resolver to retrieve the information. However, that DNS resolver needs to understand DNSSEC in order to pass back to the browser the information needed for this Add-on to work.

You have a couple of options here. If you are more technically-inclined, you might want to consider installing a new local DNS resolver such as DNSSEC-Trigger to use on your system.

However, if you just want this Add-on to start working without having to install additional software, the folks at CZnic Labs nicely provided a way to tell the Firefox Add-on to use another DNS resolver.

In Firefox, go to the Tools menu and choose Add-ons. You’ll then see the “Add-ons Manager” and next to the entry for the DNSSEC Validator you’ll see a “Preferences” button:

Add onsManager

After clicking on the button, you should see a window indicating that you are using your system settings:

ValidatorPreferences default

You can then choose the second choice of using CZ.NIC’s DNSSEC validating resolvers:

ValidatorPreferences cznic

After making this choice, you should now be able to refresh the window that had the Deploy360 site in it and you should now see the green key icon:

Deploy360 dnssec

Congratulations! You can now browse the web and see any sites that are DNSSEC-enabled. (And, unfortunately, see all the sites that are not DNSSEC-enabled.)

Note that the third Preferences choice of “Custom” is what you would use if you wanted to point to another DNSSEC-aware resolver, including one that you might install on your own system

Other Address Bar Icons

Now ideally you’ll just be browsing around the web seeing these “green key” icons indicating that domains are properly secured – or seeing the icon with the red circle indicating that the site does not use DNSSEC. Note, too, that you can click on the green key icon in your address bar to get more information:

DNSSEC moredetail

However, you may also see a number of other icons indicating various states of DNSSEC status. The DNSSEC-Validator page shows the list of possible states:

DNSSEC Validator States

Obviously the icon you do NOT want to see is the red key indicating that there is a problem. But that, again, is really the point of DNSSEC – protecting you from attackers who might hijack a site’s DNS entries to point you to a malicious site of their own.

You can test this yourself by connecting to, a site that CZ.NIC Labs has set up deliberately with a broken DNSSEC signature:

CZ NIC brokendnssec

Getting More Information

This DNSSEC-Validator Add-on for Firefox is a product of CZ.NIC Labs and they maintain a technical page about the add-on at:

Note again that you may need to click on “English” if you are don’t read Czech and your language isn’t auto-detected.

There is a mailing list for those wanting to ask questions or report bugs and feature requests. For those wanting the actual source code there is a git repository from which you can pull the source code.

Kudos to the CZ.NIC Labs team for creating this add-on and making it so easy to use DNSSEC with Firefox. We look forward to seeing similar functionality in other browsers.

NOTE: If you know of similar DNSSEC functionality either directly in other web browsers or available as an add-on/plugin/extension, please contact us as we would like to create similar tutorial documents for those browsers/add-ons. Thank you!

January 6th, 2012 by | Posted in DNSSEC, Tools | 4 Comments

4 Responses to How To Add DNSSEC Support To Mozilla Firefox

  1. russell says:

    You need to update the DNSSEC validator link to reflect the new version 2.0.1 which is available for Firefox, Internet Explorer and Google Chrome

    It would be useful if on Unix/Linux systems the /etc/resolv.conf could be enhanced to support the following options, so that all client DNS queries can DNSSEC authenticated

    dnssec-enable { yes | no }
    dnssec-validation { strict | warn | ignore }

Leave a Reply

Your email address will not be published. Required fields are marked *