DNSSEC-Tools being migrated -- expect broken links.
The process to convert older wiki pages to our new site is not yet complete; please be patient while we work through the moving process. -- 2018-08-11

Recursive Server

This is a brief description of the parts of DNSSEC-Tools that an administrator of a DNSSEC-aware recursive name server could find useful. The server could operate on a small scale (a single machine or small network where DNSSEC validation of DNS queries is desired) or on a large scale (an enterprise or ISP that wants a DNS server supporting DNSSEC look-ups). The DNS resolver is configured with a list of zones whose DNS results are checked for DNSSEC validity (which could be every zone). It does this by comparing the DNS answers against the digital signatures that accompany them. The validating resolver continues validating results up the DNS chain until it reaches an associated Trust Anchor (TA). Only after the answers have been properly validated will the server return the results to its client.
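To make the chain-of-trust walk described above concrete, here is an added illustration that is not part of the DNSSEC-Tools page or software. It models the validation walk with constructed zone data: each zone publishes a key, its parent publishes a DS digest of that key, and the walk stops when it reaches a configured trust anchor. All zone names, key strings and the digest function stand in for real DNSKEY/DS/RRSIG records and are assumptions for illustration only; it omits the "insecure" outcome a real validator derives from a proven absence of DS records.

```python
import hashlib

# Trust anchor configured on the resolver: the root zone's key-signing key.
# Constructed sample value, not the real root KSK.
TRUST_ANCHORS = {".": "root-ksk-sample-0001"}


def ds_digest(key):
    """Stand-in for a DS record: a SHA-256 digest of the child's key."""
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed zone data. Each zone has one key; the parent's ds_for_children
# map plays the role of the DS records it publishes for delegated zones.
ZONES = {
    ".": {
        "dnskey": "root-ksk-sample-0001",
        "ds_for_children": {"com.": ds_digest("com-ksk-sample")},
    },
    "com.": {
        "dnskey": "com-ksk-sample",
        "ds_for_children": {"example.com.": ds_digest("example-ksk-sample")},
    },
    "example.com.": {
        "dnskey": "example-ksk-sample",
        "ds_for_children": {},
    },
}


def parent_of(zone):
    """Return the parent zone name; '.' has no parent."""
    if zone == ".":
        return None
    rest = zone.split(".", 1)[1]
    return rest if rest else "."


def validate_chain(zone, zones=ZONES, anchors=TRUST_ANCHORS):
    """Walk from `zone` toward the root, checking each zone's key against the
    DS its parent publishes, until a configured trust anchor is reached.

    Returns (status, path): status is 'secure' when every link matches and the
    walk ends at a trust anchor, otherwise 'bogus'; path lists the zones visited.
    """
    path = []
    current = zone
    while True:
        path.append(current)
        data = zones.get(current)
        if data is None:
            return "bogus", path  # zone data missing: nothing to validate against
        key = data["dnskey"]
        if current in anchors:
            # Reached the trust anchor: the chain is secure only if the key matches it.
            return ("secure" if anchors[current] == key else "bogus"), path
        parent = parent_of(current)
        pdata = zones.get(parent)
        if pdata is None:
            return "bogus", path
        expected_ds = pdata["ds_for_children"].get(current)
        if expected_ds is None or expected_ds != ds_digest(key):
            # Parent's DS does not vouch for this key: chain of trust is broken.
            return "bogus", path
        current = parent


def tampered_zones():
    """Copy of ZONES where example.com. presents a key its parent never signed."""
    zones = {name: dict(z) for name, z in ZONES.items()}
    zones["example.com."]["dnskey"] = "attacker-substituted-key"
    return zones


if __name__ == "__main__":
    print(validate_chain("example.com."))                  # ('secure', ['example.com.', 'com.', '.'])
    print(validate_chain("example.com.", tampered_zones()))  # ('bogus', ['example.com.'])
```

A real resolver additionally verifies the RRSIG over each RRset with the DNSKEY cryptographically and distinguishes "insecure" (a delegation proven unsigned) from "bogus" (a failed check); the model above shows only the upward walk and the key-to-DS linkage that the text describes.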

Recursive Server Administrator

Recursive Server Administrator. DNSSEC-Tools has several tools to help manage a validating recursive server. See dnssec-deployment.org and dnssec.net for information on obtaining recursive servers that support DNSSEC. Most DNS server software (and all the major ones) supports DNSSEC. Setting up a DNS server itself is outside the scope of this document. The DNSSEC-Tools software components trustman and the logwatch patch are most helpful with BIND in particular. The current version of logwatch has incorporated this patch and will scan for BIND/DNSSEC output from a BIND server. Trustman can manage the Trust Anchors (TAs) in BIND's named.conf file.


Logwatch. The logwatch update patch included within the DNSSEC-Tools release is now part of current versions of Logwatch, so you shouldn't need it if you are running a recent version of logwatch. It parses DNSSEC information out of BIND's log output and adds it to logwatch's summary output.

Getting started with logwatch

  • Obtain logwatch version 7.1 or higher.
  • When using it, these types of summary messages should appear in your logwatch messages if you are running BIND as a validating resolver:
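The kind of summary that logwatch produces from a validating resolver's log can be illustrated with a small parser. The following is an added example and is not logwatch's or DNSSEC-Tools' code; the sample log lines are constructed for this example and only modelled on the wording of BIND's validator messages, so the regular expression is an assumption that may need adjusting for a real server's log format and logging configuration.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on BIND validator messages.
# Not captured from a real server; wording and addresses are illustrative.
SAMPLE_LOG = """\
Mar 10 12:00:01 resolver named[1234]: validating example.com/A: no valid signature found
Mar 10 12:00:02 resolver named[1234]: validating www.example.com/AAAA: got insecure response; parent indicates it should be secure
Mar 10 12:00:03 resolver named[1234]: validating example.com/A: no valid signature found
Mar 10 12:00:04 resolver named[1234]: validating example.org/DNSKEY: verify failed due to bad signature (keyid=12345): RRSIG has expired
Mar 10 12:00:05 resolver named[1234]: client 192.0.2.10#5353: query: example.net IN A +E(0)D (192.0.2.1)
"""

# Matches "validating <name>/<rtype>: <message>" emitted by the named process.
VALIDATION_RE = re.compile(
    r"named\[\d+\]: validating (?P<name>\S+)/(?P<rtype>\S+): (?P<msg>.+)$"
)


def normalize_reason(msg):
    """Drop per-event details such as key ids so identical failures group together."""
    return re.sub(r"\s*\(keyid=\d+\)", "", msg).strip()


def summarize_validation_failures(log_text):
    """Count DNSSEC validation failures by reason and by owner name.

    Returns a dict with 'total', 'by_reason' and 'by_name' counters; lines that
    are not validator messages (e.g. query logs) are ignored.
    """
    by_reason = Counter()
    by_name = Counter()
    for line in log_text.splitlines():
        m = VALIDATION_RE.search(line)
        if not m:
            continue
        by_reason[normalize_reason(m.group("msg"))] += 1
        by_name[m.group("name")] += 1
    return {
        "total": sum(by_reason.values()),
        "by_reason": dict(by_reason),
        "by_name": dict(by_name),
    }


def format_report(summary):
    """Render the summary in a logwatch-like plain-text layout."""
    lines = [f"DNSSEC validation failures: {summary['total']}", "  By reason:"]
    for reason, n in sorted(summary["by_reason"].items(), key=lambda kv: -kv[1]):
        lines.append(f"    {n:4d}  {reason}")
    lines.append("  By name:")
    for name, n in sorted(summary["by_name"].items(), key=lambda kv: -kv[1]):
        lines.append(f"    {n:4d}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_validation_failures(SAMPLE_LOG)))
```

Repeated "no valid signature found" or "RRSIG has expired" entries for one name usually point at a zone whose signatures have lapsed or whose DS record no longer matches its keys, while "got insecure response; parent indicates it should be secure" indicates a broken delegation; either way, the summary tells you which zone to investigate rather than what the fault is.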


Dnspktflow. Dnspktflow is a tool that parses a tcpdump file and graphically displays the DNS- and DNSSEC-specific network traffic. It can be used to inspect DNSSEC traffic at a server in order to track down or check for errors.

Getting Started With Dnspktflow

  • Start from a tcpdump file called tcpdump.out that contains DNS traffic.
  • The command line arguments above add extra information to the picture (type, query, answers, authoritative and extra information), while reducing the data to DNS packets involving hosts with 'dnssec-tools' in their names. See the dnspktflow manual page for further details.

General Error Checking Tools

General Error Checking Tools. For more DNSSEC error checking and debugging tools, see the DNSSEC error checking tools summary below. It includes general DNSSEC error checking tools as well as tools that check for errors specific to a particular type of use or user. Some of the tools may be useful for debugging validating DNSSEC servers.

Software Summary