DNSSEC/TLSA Validator is a web browser add-on which allows you to check the existence and validity of DNSSEC and TLSA records related to domain names.



Wed 22 February 2017

A new version has been released for Firefox.

New Features:

  • DNSSEC Lookaside Validation has been disabled.


  • ldns 1.7.0.
  • OpenSSL 1.0.2k.

Version: 2.2.0

Thu 04 September 2014

New Features:

  • New js-ctypes-based implementation for Firefox.
  • New validator implementation for Chromium/Chrome/Opera based on Native Messaging.
  • Added new state notification about entering a non-existent (according to DNSSEC) web site.
  • Polish localisation.


  • Updated prefixes for DOM nodes in Firefox js-ctypes extension.
  • Fixed bug in type 2 TLSA record …

Version: 2.1.1

Fri 14 March 2014

New Features:

  • Ported DNSSEC/TLSA validator to Apple Safari.
  • MF: Added new TLSA-validator option. The plug-in can now download the certificate chain by itself. See issue #31.


  • Fixed SSL bug. Certificate chain was not checked when SSL connection was rejected by host.
  • TLSA add-on bug fix: Certificate chain was …


DNSSEC/TLSA Validator is a web browser add-on which allows you to check the existence and validity of DNS Security Extensions (DNSSEC) records and Transport Layer Security Association (TLSA) records related to domain names. Results of these checks are displayed by using icons and information texts in the page’s address-bar or browser tool-bar. Currently, Internet Explorer (IE), Mozilla Firefox (MF), Google Chrome/Chromium (GC) and Apple Safari (AS) are supported.

The add-on is not supported for Firefox 57 and above. Firefox 57 drops support for various APIs that the add-on has been using, without providing an adequate replacement. As we don't want to sacrifice any of the currently provided functionality, we've decided to stop the support and development of the add-on for the moment.


DNSSEC/TLSA Validator allows you to check the existence and validity of DNSSEC-signed DNS records. DNSSEC Validator shows whether the domain name is DNSSEC-signed. It also checks whether the browser is connecting to the correct IP address assigned for this domain name. If a valid DNSSEC chain related to the domain is found, the plug-in will also check for the existence of TLSA records. TLSA records store hashes of remote server TLS/SSL certificates. The authenticity of a TLS/SSL certificate for a domain name is verified by the DANE protocol (RFC 6698). DNSSEC and TLSA validation results are displayed by using several icons. Additional explanatory texts are shown in the page’s address bar (MF, GC and OP), in a separate tool bar (IE) or toolbar buttons (AS). Clicking on a given icon symbol reveals more detailed information.
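The following is an added example, not the add-on's own code: it shows how the usage, selector and matching-type fields of a TLSA record (RFC 6698) decide which certificate in the chain is compared and what is hashed. The certificates are constructed, unsigned DER stand-ins, and `spki_of`, `tlsa_matches` and `fake_cert` are hypothetical names. DNSSEC validation of the record and PKIX path validation for usages 0 and 1 are assumed to happen elsewhere.

```python
import hashlib

# Matching types (RFC 6698, 2.1.3): 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {0: bytes, 1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_of(cert_der):
    """Selector 1: the DER SubjectPublicKeyInfo inside an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)          # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = end
    for _field in range(5):                  # serial, sigAlg, issuer, validity, subject
        pos = _tlv(cert_der, pos)[2]
    return cert_der[pos:_tlv(cert_der, pos)[2]]

def tlsa_matches(record, chain):
    """record: 'usage selector mtype hex'; chain: DER certs, leaf first."""
    usage, selector, mtype = (int(x) for x in record.split()[:3])
    data = bytes.fromhex("".join(record.split()[3:]))
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in DIGESTS:
        return False                         # unknown parameters: record unusable
    # Usages 1 and 3 pin the end-entity cert; 0 and 2 pin a CA / trust anchor,
    # searched here in the whole presented chain (a simplification).
    candidates = chain[:1] if usage in (1, 3) else chain
    return any(DIGESTS[mtype](c if selector == 0 else spki_of(c)) == data
               for c in candidates)

def _der(tag, body):                         # sample builder, short lengths only
    return bytes([tag, len(body)]) + body

def fake_cert(key):
    """Constructed, unsigned DER with X.509 field layout; not a real certificate."""
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + key))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") * 4 + spki)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

LEAF, CA = fake_cert(b"leaf-key"), fake_cert(b"ca-key")  # constructed sample chain
```

A record that pins the CA key matches under usage 2 but not under usage 3, because usage 3 only ever compares the leaf certificate.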

Key features

  • DNSSEC Validator checks the existence and validity of DNSSEC-signed DNS records for domain names and it also checks whether the browser is connecting to the correct IP addresses assigned for these domain names.
  • TLSA Validator attempts to validate the TLSA/PKI pair according to the DANE protocol.
  • TLSA Validator can interrupt an HTTPS request when the server certificate doesn't correspond to the obtained TLSA records (MF only in synchronous mode, AS).
  • DNSSEC/TLSA Validator is not dependent on an external validating resolver for its function.
  • Both validator cores (DNSSEC and TLSA) are based on libunbound.
  • Encompasses a shared DNS cache accessible from all browser windows and tabs to improve performance.
  • Coloured icons display the status of DNSSEC/TLSA validation.
  • English, German, Czech and Polish localization (AS only English).
  • Open source project released under the GNU GPL.

GUI and interface

  • Coloured key icons and information texts present DNSSEC validation states.
  • Coloured padlock icons and information texts display TLSA validation states.
  • Screen-shots are available here.

Supported platforms

  • all major UNIX-like systems (Linux, Mac OS X, BSD, ...)
  • MS Windows
  • 32-bit and 64-bit architectures are supported.

Known limitations

  • IE and GC/OP versions may not work correctly in cooperation with proxies (DNSSEC Validator only).
  • Plug-in cores can lose DNSSEC information when packets are fragmented (typically on WiFi).
  • Using DNSSEC-unaware or non-compliant resolvers, or exotic resolver configurations, causes validation problems.