🧱 Building DNS Security Solutions, One Brick at a Time
A professional-grade web-based DNSSEC validation tool that validates the complete chain of trust from root servers down to your domain. Similar to Verisign's DNSSEC Debugger but with modern architecture, Docker support, and comprehensive monitoring.
- ✅ Complete Chain of Trust - Validates from root (.) → TLD → domain
- ✅ Visual Web Interface - Clean UI with color-coded validation status
- ✅ RESTful API - Programmatic access for automation
- ✅ Docker Ready - Easy deployment with official Docker images
- ✅ Smart Input - Accepts domains or URLs with automatic parsing
- ✅ Health Monitoring - Built-in health checks for orchestration
- ✅ Rate Limiting - Configurable limits for production use
- ✅ Analytics - Optional InfluxDB integration for request logging
- ✅ Google Analytics - Optional GA4 tracking with GDPR-compliant cookie consent
Try it now: https://dnssec-validator.bondit.dk
```bash
# Run with Docker
docker run -p 8080:8080 maboni82/dnssec-validator:latest
# Open browser
open http://localhost:8080
```
That's it! The validator is now running.
- Navigate to http://localhost:8080
- Enter a domain (e.g., bondit.dk)
- Click "Validate DNSSEC"
- View detailed validation results
```bash
# Validate a domain
curl http://localhost:8080/api/validate/bondit.dk
# Response includes chain of trust and DNSSEC records
```

```bash
# Pull and run latest version
docker pull maboni82/dnssec-validator:latest
docker run -d -p 8080:8080 --name dnssec-validator maboni82/dnssec-validator:latest
```

```bash
# Clone repository
git clone https://github.com/BondIT-ApS/dnssec-validator.git
cd dnssec-validator
# Start with compose
docker-compose up -d
```

```bash
# Requires Python 3.13+
git clone https://github.com/BondIT-ApS/dnssec-validator.git
cd dnssec-validator
pip install -r requirements.txt
python app/app.py
```
See Installation Guide for detailed options
Configuration is managed via environment variables in the .env file:
```bash
# 1. Copy the template
cp .env.template .env
# 2. Edit .env with your values
nano .env
```
Key Configuration Options:
```bash
# Flask Environment
FLASK_ENV=development # or production
# Rate Limiting
RATE_LIMIT_GLOBAL_DAY=5000
RATE_LIMIT_API_MINUTE=200
# Health Checks
HEALTH_CHECK_ENABLED=true
# InfluxDB Analytics (optional)
REQUEST_LOGGING_ENABLED=true
INFLUX_URL=http://influxdb:8086
# Google Analytics (optional, disabled by default)
GA_ENABLED=false
GA_TRACKING_ID=G-XXXXXXXXXX
```
See .env.template for all available configuration options and detailed documentation.
Optional Google Analytics 4 tracking with GDPR-compliant cookie consent:
```bash
# Enable Google Analytics
GA_ENABLED=true
GA_TRACKING_ID=G-XXXXXXXXXX # Your GA4 tracking ID
```
Features:
- ✅ GDPR-compliant cookie consent banner
- ✅ Only loads GA after user accepts tracking
- ✅ User can decline tracking
- ✅ Consent preference saved in local storage
- ✅ Privacy-first approach with IP anonymization
- ✅ Disabled by default
- ✅ Automatically logs error if enabled without tracking ID
Note: GA is disabled by default. The application will log an error if GA_ENABLED=true but GA_TRACKING_ID is missing.
See Configuration Reference for all options
Comprehensive documentation is available in the documentation/ folder:
- Getting Started Guide - Quick start and basic usage
- Installation Guide - All installation methods
- Configuration Reference - Environment variables
- Container Orchestration - Docker, Kubernetes, Swarm
- Health Monitoring - Health checks and monitoring
- Rate Limiting - Configuration and best practices
- API Reference - Complete API documentation
- Architecture - System design and validation process
- Development Guide - Contributing and development setup
- Database & Analytics - InfluxDB integration
DNSSEC Validator validates the complete chain of trust:
```
Root (.) → TLD (.dk)  → Domain (bondit.dk)
   ↓          ↓              ↓
DNSKEY   → DS Record  → DNSKEY + RRSIG
```
Each step is cryptographically verified using DNSSEC signatures.
See Architecture Guide for details
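The DS → DNSKEY link in the chain above, worked through as an added example (not the project's own code): a parent zone's DS record commits to a child's DNSKEY through a key tag and a SHA-256 digest over the owner name plus the DNSKEY RDATA (RFC 4034). The function names and the `SAMPLE_*` values are constructed for illustration, the key bytes are placeholders, and RRSIG signature verification is not covered here.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    out = b""
    for label in filter(None, name.lower().rstrip(".").split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # the root label terminates the name

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes) -> tuple[int, int, int, bytes]:
    """DS fields (key tag, algorithm, digest type 2, SHA-256 digest) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches_dnskey(owner: str, ds: tuple[int, int, int, bytes], rdata: bytes) -> bool:
    """True if the parent's DS record commits to this child DNSKEY RDATA."""
    tag, algorithm, digest_type, digest = ds
    if len(rdata) < 4 or digest_type != 2:  # this example handles SHA-256 only
        return False
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100:  # a DS record must point at a zone key
        return False
    if (tag, algorithm) != (key_tag(rdata), rdata[3]):
        return False
    return hmac.compare_digest(digest, make_ds(owner, rdata)[3])

# Constructed sample: flags=257 (KSK), protocol=3, algorithm=13, placeholder key bytes.
SAMPLE_OWNER = "example.dk."
SAMPLE_DNSKEY = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
SAMPLE_DS = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)  # what the parent zone would publish

def demo() -> dict[str, bool]:
    changed = SAMPLE_DNSKEY[:-1] + b"\xff"  # key material the parent never vouched for
    return {
        "genuine key": ds_matches_dnskey(SAMPLE_OWNER, SAMPLE_DS, SAMPLE_DNSKEY),
        "mixed-case owner": ds_matches_dnskey("Example.DK", SAMPLE_DS, SAMPLE_DNSKEY),
        "substituted key": ds_matches_dnskey(SAMPLE_OWNER, SAMPLE_DS, changed),
    }
```

A DS match only shows that the parent vouches for the key; the child's DNSKEY RRset and its data still have to carry valid RRSIGs made with that key.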
```bash
# 1. Configure environment
cp .env.template .env
nano .env # Update with production values
# 2. Deploy with compose
docker-compose up -d
```
For advanced deployments with Docker Swarm, Kubernetes, or Portainer, see the Container Orchestration Guide which includes:
- Docker Swarm stack configurations
- Kubernetes deployment manifests
- Portainer templates
- Health check integration
- Load balancer configurations
All deployments include health check endpoints:
- /health - Detailed JSON status
- /health/simple - Simple text response

See Container Orchestration Guide for complete examples
We welcome contributions! To contribute:
- Fork the repository
- Create a feature branch: git checkout -b feature-name
- Make your changes and add tests
- Run quality checks: black, pylint, pytest
- Submit a pull request
See CONTRIBUTING.md and Development Guide for details.
DNSSEC Validator uses semantic versioning with YY.M.PATCH format:
- 26.1.0 - January 2026, first release
- 26.1.3 - January 2026, patch 3
- 26.2.0 - February 2026, first release

Docker tags:
- latest - Most recent release
- 26.1.0 - First stable release for January 2026
- 26.1 - Latest patch for January 2026
- 26.1.3 - Specific version
View all releases on the Releases page.
- CAA record validation
- TLSA/DANE validation ✅
- Batch validation API
- InfluxDB analytics ✅
- Response caching
- IDN support
- Domain requests are logged for analytics (configurable retention)
- Only IP addresses and domains are stored
- Rate limiting prevents abuse
- Regular security scans with Bandit and Safety CLI
- Weekly CodeQL analysis
Report security issues via GitHub Security Advisories.
This project is licensed under the MIT License - see the LICENSE file for details.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- Documentation: Full documentation
- API Docs: Available at /api/docs/ when running

This project is maintained by BondIT ApS, a Danish IT consultancy. Like our fellow Danish company LEGO, we believe in building things methodically - except our bricks are lines of code, and you won't step on them barefoot at 3 AM! 🧱💻
Made with ❤️, ☕, and 🧱 by BondIT ApS