We are committed to making the Internet a safe and reliable place for people to do business and interact.
USING INTERNET SECURITY TOOLS TO CREATE A STRONGER WEB
We are constantly creating and testing new tools to improve the Internet. Choose from a host of top DNS tools, developed by one of the most trusted names in Internet security, and use them for free.
The DNSSEC Debugger is a Web-based tool for ensuring that the "chain of trust" is intact for a particular DNSSEC-enabled domain name. The tool shows a step-by-step validation of a given domain name and highlights any problems found. The tool begins with a query to a root nameserver. It then follows the referrals to the authoritative nameserver, validating DNSSEC keys and signatures as it goes. Each step in the process is given a good (green), warning (yellow), or error (red) status code. You can move your mouse over the warning and error icons to view a longer explanation. Press the plus (+) and minus (-) keys to increase or decrease the debugging level. At the highest debugging level you can see the full, raw DNS messages for almost all of the queries.
Our DANE test site contains links to demonstrate and test the DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol (TLSA). DANE provides a way to authenticate TLS (X.509) certificates using DNSSEC.
TLD-Mon is a monitoring system that continuously performs several specific checks of each top-level domain, focusing especially on DNSSEC compliance. The tool checks for EDNS0 and PMTU problems, secondary nameserver synchronization, signature validity periods and more.
YAZVS is a Perl script designed to perform DNSSEC validations on candidate signed zones before they are published. It verifies signatures and reports on differences between the current and candidate zones. Due to its implementation, this script is not suitable for very large zones.
DNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC). It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.
Open DNS Resolvers have been implicated in recent large-scale DDoS attacks. Many networks are unwitting homes to open resolvers, with some groups estimating as many as 20 million on the Internet. Using Verisign's self-service scanning tool, network operators can identify and monitor their address space for open resolvers at their convenience.
SecSpider is a utility to aid people's understanding of the size, scope, and trends of the global rollout of DNSSEC. Since early 2005, SecSpider has captured historical information about various zones and operated as a distributed key lookup service. The list of monitored zones is a combination of zones submitted by users, zones crawled from a list of over 2.5 million zones, and zones discovered via NSEC walking. For SecSpider to classify a zone as "secure," the zone must support EDNS0, have RRSIG records attached to resource record sets (RRsets), not have a CNAME for the zone's domain name, and provide NSEC records for denial of existence.