Tools for testing whether DNSSEC is correctly implemented for your domain:
- DNSSEC Analyzer from Verisign Labs
- DNSViz – A DNS Visualization Tool from Sandia National Laboratories
Tools for using DNSSEC on your local system:
- DNSSEC-Trigger – local DNSSEC resolver for Windows, Mac OS X or Linux
- DNSSEC Validator Add-on for Firefox
- DNSSEC Validator Extension for Google Chrome
To see how the DNSSEC validation indicator in your browser reacts to a site where DNSSEC is broken, you can visit either of these sites where DNSSEC has been deliberately misconfigured:
Tools for setting up your own DNS servers:
Tools for testing your DANE implementation
Tools for Web Developers
- DNSSEC Client Check — Tests whether website visitors perform DNSSEC validation
Other DNSSEC Tools Sites
The DNSSEC-Tools project contains a variety of tools relating to various aspects of using DNSSEC. Check out this video from DNSSEC-Tools by Wes Hardaker, which provides a good introduction to their tools, including how to use them for establishing, verifying and troubleshooting your DNSSEC configuration.
Verisign Labs also maintains a tools page listing a variety of DNSSEC-related tools.
You can see the list of all tool resources on the Deploy360 site.
Do you know of additional tools we should consider adding here? If so, please send them to us.
Funnily, (www.) rhybar.cz currently cannot be resolved because of a DNSSEC error – https://dnssec-debugger.verisignlabs.com/rhybar.cz tells me that some of the signatures have expired. I guess this just shows how important such tools are!
Simon,
That site, rhybar.cz, is deliberately broken! If you cannot resolve that site that is a GOOD thing and means you are protected via DNSSEC!
Dan
Thanks for the quick reply! Stupid me, I should read the text before clicking on random links! I was looking for a validator to check on a broken customer domain – and I did find one that confirmed my suspicion that that was indeed due to DNSSEC (failed to update DS in parent zone after key rollover – probably a common failure mode for DNSSEC-enabled domains!)
Glad you figured out the problem! And yes, the DS update problem is indeed one of the biggest challenges right now. It’s bitten me personally when I missed emails telling me my DNS hosting provider had generated a new KSK and I needed to update my DS record at my registrar.
There are several proposals for automating this – but none are available quite yet.