Mr.Carsten Strotmann, one of Men & Mice Experts has created a list of tools that can help in verifying a DNSSEC signed zone.
Symptom: A newly DNSSEC signed zone should be monitored to detect potential DNSSEC validation issues before the zone goes public.
Problem: A DNSSEC signed zone is much more vulnerable to software errors and operational errors, a small misconfiguration can render the whole zone invalid.
Solution: Below is a list of tools that can help verifying a DNSSEC signed zone. DNSSEC verification can be done in different stages of DNSSEC zone deployment.
jdnssec-verifyzone: This is a tool to verify a signed zone for DNSSEC correctness. This tool verifies that a zone was correctly signed. It checks that all signatures are valid, all expected signatures exist, all expected NSEC or NSEC3 records exist and are correctly formed, and that the NSEC/NSEC3 chain is correctly formed.
a generic DNS zone checker, include some DNSSEC checks
can be augmented with other tools
delivers a solid framework for DNS checks
.SE dnssec-monitora small set of DNSSEC related tools .SE use for monitor DNSSEC-signed zones
SurfNet DNSSEC Checkerthe DNSSEC Checker is a script that uses ubound-host and dnspython to verify DNSSEC information
python-based / unbound based
YAZVS — Yet Another Zone Validation Scriptyazvs.pl is one of the utilities that VeriSign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters.
Vantages D-Sync"D-Sync" monitors the secure delegation state between a child zone's DNSKEY(s) and the parent zone's DS record(s) for that child. D-Sync uses a state-engine to track consistency during DNSKEY rollovers and DS record updates and alerts operators to various events.
NlNetLabs ldns-verify-zone (part of ldns)
ldns-verify-zone reads a DNS zone file and verifies it. RRSIG resource records are checked against the DNSKEY set at the zone apex. Each name is checked for an NSEC(3), if appropriateC-based
nagvalnagval - Nagios/Icinga plugin to check validity of one or more DNSSEC domains
KeycheckerMonitor and analyze DNSSEC key rollovers
OpenDNSSEC auditorThe OpenDNSSEC DNSSEC automation suite contains a module (the auditor) that checks the DNSSEC signed zone created by the OpenDNSSEC signer. The list of checks done by the auditor can be found at
This project contains tools to monitor a DNSSEC-signed zone,
including a NAGIOS plug-in.