DNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC). It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.

Self-Serve Open Resolver Scanning

Open DNS Resolvers have been implicated in recent large-scale DDoS attacks. Many networks are unwitting homes to open resolvers, with some groups estimating as many as 20 million on the Internet. Using Verisign's self-service scanning tool, network operators can identify and monitor their address space for open resolvers at their convenience.


DNSharness is a framework for functional testing of multiple name server implementations. To use DNSharness you'll need an Intel-based server capable of supporting a few virtual machines. DNSharness is built using Ubuntu, Debian, VirtualBox, and Python and is available under an open-source license.


SecSpider is a utility that was developed during the evolution of the DNSSEC deployment. Since early 2005, SecSpider has captured historical information about various zones and operated as a distributed key lookup service. The information maintained in this utility will aid people's understanding of the size, scope, and trends of the global rollout of DNSSEC. The list of monitored zones is a combination of zones submitted by users, zones crawled from a list of over 2.5 million zones, and zones found via NSEC walking. SecSpider classifies zones as "secure" or not based on certain data and behaviors. Secure classification of a zone means that the zone:

The polling system is globally distributed and crawls its list of secure zones once every day. Its pollers (UCLA, NL Net Labs, Colorado State University, Tsinghua University, Cable Modem in Los Angeles, Toshiba Corp., Switch, Telx, and NIC.br) are dispersed in order to confirm that data is consistent from diverse locations and is robust against any local network effects or phenomena.

DNSSEC Debugger

The DNSSEC Debugger is a Web-based tool for ensuring that the "chain of trust" is intact for a particular DNSSEC-enabled domain name. The tool shows a step-by-step validation of a given domain name and highlights any problems found. The tool begins with a query to a root nameserver. It then follows the referrals to the authoritative nameserver, validating DNSSEC keys and signatures as it goes. Each step in the process is given either a good (green), warning (yellow), or error (red) status code. You can move your mouse over the warning and error icons to view a longer explanation. Press the plus (+) and minus (-) keys to increase or decrease the debugging level. At the highest debugging level you can see the full, raw DNS messages for almost all of the queries.


TLD-Mon is a monitoring system that continuously performs several specific checks of each Top Level Domain, focusing especially on DNSSEC compliance. The tool checks for EDNS0 and PMTU problems, secondary nameserver synchronization, signature validity periods, and more.

DNSSEC Scoreboard

The DNSSEC Scoreboard shows the number of domains secured in the com, net, and edu zones.

Yet Another Zone Validation Script

YAZVS is a Perl script designed to perform DNSSEC validations on candidate signed zones before they are published. It verifies signatures and reports on differences between the current and candidate zones. Due to its implementation, this script is not suitable for very large zones.

Transitive Trust Checker

The Transitive Trust Checker produces trust-relationship graphs for one or more given DNS zones. The graphs show how the zones are related based on names, addresses, and AS numbers.

Key Tool

Keytool is a simple Web form designed to assist with manipulation of DNSKEY data. It can re-format DNS key records, generate DS records, and generate lines suitable for pasting into a named.conf file.

DANE Test Pages

Our DANE test site contains links to demonstrate and test the DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol (TLSA). DANE provides a way to authenticate TLS (X.509) certificates using DNSSEC.

Contact Us

Please write to tools at verisignlabs.com to report bugs or problems, or to provide any feedback on these tools.