A list of tools that can help in verifying a DNSSEC signed zone.
May 16th, 2011
Symptom: A newly DNSSEC signed zone should be monitored to detect potential DNSSEC validation issues before the zone goes public.
Problem: A DNSSEC signed zone is much more vulnerable to software errors and operational errors, a small misconfiguration can render the whole zone invalid.
Solution: Below is a list of tools that can help verifying a DNSSEC signed zone. DNSSEC verification can be done in different stages of DNSSEC zone deployment.
jdnssec-verifyzone: This is a tool to verify a signed zone for DNSSEC correctness. This tool verifies that a zone was correctly signed. It checks that all signatures are valid, all expected signatures exist, all expected NSEC or NSEC3 records exist and are correctly formed, and that the NSEC/NSEC3 chain is correctly formed.
a generic DNS zone checker, include some DNSSEC checks
can be augmented with other tools
delivers a solid framework for DNS checks
a small set of DNSSEC related tools .SE use for monitor DNSSEC-signed zones
the DNSSEC Checker is a script that uses ubound-host and dnspython to verify DNSSEC information
python-based / unbound based
yazvs.pl is one of the utilities that VeriSign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters.
"D-Sync" monitors the secure delegation state between a child zone's DNSKEY(s) and the parent zone's DS record(s) for that child. D-Sync uses a state-engine to track consistency during DNSKEY rollovers and DS record updates and alerts operators to various events.
ldns-verify-zone reads a DNS zone file and verifies it. RRSIG resource records are checked against the DNSKEY set at the zone apex. Each name is checked for an NSEC(3), if appropriate
nagval - Nagios/Icinga plugin to check validity of one or more DNSSEC domains
Monitor and analyze DNSSEC key rollovers
The OpenDNSSEC DNSSEC automation suite contains a module (the auditor) that checks the DNSSEC signed zone created by the OpenDNSSEC signer. The list of checks done by the auditor can be found at
This project contains tools to monitor a DNSSEC-signed zone,
including a NAGIOS plug-in.