If you have a new application or service where you want to test how DNSSEC validation works, the sites listed below are ones you can use. If you want to test validation of the DANE protocol, please see our separate page of DANE test sites.
Note that the sites below are domain names and websites with either good or deliberately mis-configured DNSSEC signatures. If you are looking for web sites offering tools or services where you can test the status of DNSSEC, please see our list of DNSSEC tools.
Sites With Good DNSSEC Signatures
Today there are millions of domain names out there with valid DNSSEC signatures and so you have many, many options. Two of the domains you can use to obtain valid signatures are:
- internetsociety.org
- dnssec-tools.org
- dnssec-deployment.org
If you are testing web validation, the addresses are:
Sites With Bad DNSSEC Signatures
The more interesting tests to perform are with domains that are bad and will generate an error in your application or service. The following sites have been deliberately mis-configured with bad DNSSEC signatures:
- dnssec-failed.org (operated by Comcast)
- rhybar.cz (operated by CZ.NIC)
On the web, they are:
The DNSSEC Tools site at http://www.dnssec-tools.org/ also provides a test in that if you connect to the site and do not perform DNSSEC validation you will see an image appear on the page telling you that you are connecting insecurely.
Adding More Sites
If you have a site with an interesting DNSSEC configuration you think would be useful for others to use in testing, please contact us so that we can consider adding it to this list.
Please note that our list of DANE test sites includes sites and domains that are also signed with DNSSEC.