(includes unbound)

(includes unbound)

source tarball hash
sha1: 36fd7c2aefaf7b5f066ad993bdc948126f3bf21f
sha256: 32d88f44791c540079e5fbfbe96e686e82563d0fd34d9cbc0756773658554e47
setup exe hash
sha1: 9b2b65ea04e4dcca6ee12b662ac13c2df3ded466
sha256: 3f1297aa93a8755d591ae6890d0e1f8966f53cde988fdd20b1f57de84667a021

->commandline, ->screenshots, ->changelog.


Dnssec-trigger reconfigures the local unbound DNS server. This unbound DNS server performs DNSSEC validation, but dnssec-trigger will signal it to to use the DHCP obtained forwarders if possible, and fallback to doing its own AUTH queries if that fails, and if that fails prompt the user via dnssec-trigger-applet the option to go with insecure DNS only.

This software is experimental at this time.

The software is open source, and uses the BSD license, it is in the tarball.

Subscribe to the mailing list.

Manpage for dnssec-trigger. The windows manual.

The development version can be seen in the subversion repository trunk.

The software is experimental. It is of interest to see if DNSSEC validation can be deployed currently, and how that must be done. DNSSEC validation can benefit from better network-management, better OS-integration (with network connection management), and better application support.

Feature list

  • IP4 and IP6 support,
  • Uses Unbound for validation,
  • OSX, Windows (XP, Vista, 7), Linux support,
  • small size,
  • Tries to assist infrastructure,
  • Fallbacks and last resort for DNSSEC,
  • Software update is prompted
  • Manual page and online documentation.

Known issues

There used to be a race condition between dnssec-trigger and the system but this was fixed in 0.6, with a 'system preferences' override on OSX and Windows, and chattr immutable on Linux and BSD.

In case of trouble it is possible to manually override. With the command 'hotspot signon' from the menu, insecure mode can be entered. It is left when you select 'reprobe' later (and it detects a secure network).


For Linux, try using your package manager (there are RPMs, there is a specfile to build packages from), you need to also install unbound. If you compile from source, it can support NetworkManager and Netconfig. For OSX, use the dmg download (download, doubleclick to open diskimage, doubleclick installer). For Windows, run installer. The software compiles on BSD and Solaris, but DHCP and wifi hooks are not something we can test.

See the INSTALL file in the source.

How does it work

It uses unbound which is running on localhost ( as a validating (caching) local resolver. Often unbound is pointed at another cache, and forwards all queries there (but performs DNSSEC validation itself). There is a dnssec-triggerd daemon running that catches changes in the network, DHCP events, and probes what unbound should do to get DNSSEC.

Probe sequence

The probe sequence uses normal DNSSEC queries, and checks if the answer contains RRSIGs and proper DNSSEC information. The probe:

  1. Check the DHCP provided DNS caches. If they work they have a hot cache, and lessen load on infrastructure, and provide fast answers.
  2. Check authority servers directly. If that works, full resolver mode is used to get DNSSEC.
  3. Check open resolver on TCP port 80(www port). If that works, unbound is told to use (plain) DNS over TCP to port 80 to an open (DNSSEC capable) resolver.
  4. Check open resolver over SSL port 443(https port). If that works, unbound is told to use SSL encapsulated DNS over port 443 to an open (DNSSEC capable) resolver.

The list is tried in order to lessen network load on servers down the list.

If no servers work then the user is informed, and can select to disconnect (DNS is blackholed) or connect insecurely (the DHCP provided DNS servers are used). In this case, timer-based reprobes are attempted.

The last SSL-port-443 attempt is because, if https is going to work then traffic over port-443 works on this internet-hotspot. And then SSL encapsulated DNS over SSL-port-443 also works. If something bad happens to that traffic then neither DNSSEC nor https can work.

The dnssec-trigger.conf config file is shipped by default with an open resolver at NLnet Labs that serves port 80 and 443 (it runs unbound). You can disable it or add others if you want.

Hotspot detection

During the probe sequence, also a potential active hotspot is detected. These are those devices that require a user to interact with some webpage before you can enter the network. They are detected by trying to download a known, fixed webpage, and checking if the result is correct. If the result is correct, then the connection to the internet is open and nothing needs to be done. If the result is not correct, a hotspot is likely needed, and the user is prompted if this is the case, a webbrowser is opened to a random web page (this page) which should then show the hotspot-page. Meanwhile, every 10 seconds it retries to enable DNSSEC.

It picks a random server from a number of configured servers, and for IPv4 and IPv6 attempts to access the page. Only one needs to work. It cycles through addresses provided, that it looks up via the cache-DNS (because that may be intercepted by the hotspot).

Commandline test

It is possible to test the software from the commandline. The dnssec-trigger-control utility can be used to test and connect to the daemon.

With dnssec-trigger-control status you can see the probe results from the commandline.

With dnssec-trigger-control reprobe trigger a reprobe (just like the item from the tray icon menu).

With dnssec-trigger-control hotspot_signon go to insecure, forced. Use reprobe when signed on to resume dnssec protection efforts.

With dnssec-trigger-control submit you can pretend that DHCP gave the DNS server IPs (IP4 and IP6 separated by spaces).

With dnssec-trigger-control skip_http you can skip the http hotspot test, it'll assume the network is accessible and continue to set up DNSSEC for you.

With dnssec-trigger-control unsafe you can pretend that DNSSEC does not work. It takes a couple seconds while it probes useless 127.0.0.x IPs. Note that if you press insecure on the dialog an automated reprobe after 10 seconds in the background is likely to enable DNSSEC again and stop the insecure test. You have to be fast to see resolv.conf change to the insecure DNS servers (or the fake ones used in this test).

With dnssec-trigger-control test_tcp you can pretend that DHCP cache and authority direct does not work, and it attempts to use TCP-port-80/443. This requires unbound 1.4.13 or later. The test_ssl command is similar.

With dnssec-trigger-control test_http you can pretend that the http probe fails to fetch the correct contents (as if there is a hotspot).


With this software most happens automatically in the background. It tries to not interact with the user when not necessary, so the user can get on.

If a hotspot is detected it asks the user if this is really a hotspot, if so, a browser window is opened, otherwise, we disconnect.

When a software update is detected, it is asked if the user wants to update. For windows and OSX, on unix this is disabled by default (use package manager or ports tree).

When it all goes wrong, DNSSEC fails and the user is prompted.

If the user selects insecure, the tray icon gets a red ! (exclamation mark). When the situation becomes secure again, the tray icon silently changes back.

The normal state is this user menu. Geeks can click and see the detailed technical results (and complain to the network operator).


There is a mailing list for the dnssec-trigger discussion, click the link to subscribe or view archives.



  • annotate switch fallthrough for gcc 7.2.
  • Fix #1673: Fix SSL_OP_NO_SSLv2 logic for setting the option.


  • Fix osx installer to detect 10.12 (Sierra) so that icon is displayed correctly after reinstall.
  • For windows, include the libgcc_s_sjlj-1.dll and libwinpthread-1.dll
  • Allow strings longer than 2 characters for the HTTP probe. Patch from Tomas Hozza.
  • Fix no NSEC3 in nodata reply: always fails to validate, uses instead.
  • updated root servers list.
  • Fix OSX install to exclude var and not set tar timestamps.
  • Fix compile warning on gcc 7.2.
  • Fix for openssl 1.1 and ldns 1.7.
  • Fix keygen.exe for openssl 1.1 API.


  • Updated acx_nlnetlabs.m4 for openssl-1.1.0 compatibility.
  • Patch for openssl-1.1.0 compilation.
  • Tomas Hozza (3): dnssec-trigger-script: Use ducktaping when restarting NM, instead of checking the sysfs dnssec-trigger-script: Silence the calls to chattr Improved text in the panel GUI when insecure mode is forced
  • Remove kickstarts of daemons because daemon died for test user.
  • Fixup compile on OSX with static SSL for makedist mac build.
  • OSX hide unbound user from login screen.
  • Attempt to stop panels and kickstart daemons on OSX.
  • Remove stuff from osx installer that logs out the user.
  • Fixup osx gui panel start code for new osx. installer talks about new locations and set permissions on key files and add to the path the /usr/local/sbin directory during install. Do not link RiggerStatusItem to /usr/local/opt/openssl/lib.
  • chmod key files for unbound, dnssec-trigger control and ldns in /usr/local. For OSX.
  • Fixup installer for creation of missing keys, and also start panel in osx userspace.
  • Fix Makefile for use of /Library, which seems okay for new OSX.
  • makedist prints checksums on OSX.
  • new acx_nlnetlabs.m4 version and it has the libdl fix.
  • Fix lint warnings about int and size_t conversion.
  • Fixes to make the installer work on OSX-ElCapitan.
  • Patch for preliminary Mac OSX 10.11 support (from Philip Paeps).
  • Move plists into uidir on OSX (/usr/local/share), and set usr/local in makedist for OSX.
  • default keysize for control is 3072 on windows.
  • Changed windows setup compression to be more transparent.
  • Patches from Tomas Hozza for systemd service files: Set PIDFile in the dnssec-triggerd.service file. Remove restorecon call in dnssec-triggerd-keygen.service.
  • Patches from Tomas Hozza for dnssec-trigger-script: Use one import on one line as defined by PEP8. Use path to DEVNULL from os module. Move the main functionality into main() function to enable testing. Use existing API in NM for distinguishing VPN connections. Construct NMClient as advised by the documentation. Forbid Python from searching local dirs and using env variables. Set low max negative cache TTL to prevent possible user issues. Send SIGHUP to NM if it is new enough instead of restarting it. Set the required version in GI before importing NMClient.
  • Fix #618: create sha1 and sha256 hashes for created binaries, fixed in
  • Renamed 'open resolvers' to 'relay resolvers' in the explanatory text what dnssec-trigger is doing. Resolvers from DHCP can also be public resolvers, so the term relay resolver is used for an open resolver that performs transport layer adjustment.
  • Patches from Tomas Hozza for dnssec-trigger-script: Add newlines between classes to conform with PEP-8 and increase readability. Add/remove local zones in Unbound when configuring reverse addr forward zones.
  • Patch from Tomas Hozza: dnssec-trigger-script: Don't configure RFC1918 zones if there are no global forwarders.
  • Patches from Tomas Hozza (7): dnssec-trigger-script: Fix wrong default value in configuration dnssec-trigger-script: Fix formatting errors dnssec-trigger-script: Remove unused class Allow to select the default Python interpretter during build Fix 01-dnssec-trigger NOT to hardcode shell path dnssec-trigger-script: Fix typo when adding search domains dnssec-trigger-control-setup: Use 3072 bit keys
  • Patches from Pavel Simerda: dnssec-trigger-script: check for paths, not files dnssec-trigger-script: fix secure/insecure forward zone switching dnssec.conf: clean up the dnssec.conf comments dnssec-trigger-script: log dnssec-trigger-control and unbound-control calls dnssec-trigger-script: use a global config object dnssec-trigger-script: add option to set search domains in /etc/resolv.conf dnssec-trigger-script: add (undocumented) option to avoid flushing positive answers dnssec-trigger-script: use private address ranges
  • Patches from Pavel Simerda: dnssec-trigger-script: clean up servers as well, for restart dnssec-trigger-script: prefer VPN nameservers over default ones
  • Update OSX resolvehook to flush dns caches for new OSX release with "discoveryutil udnsflushcaches" and "discoveryutil mdnsflushcache".
  • Patches from Pavel Simerda: dnssec-trigger-script: The accepted version of NetworkManager patch uses `resolv.conf` instead of `resolv.conf.default`, dnssec-trigger-script: Leaking file descriptors is bad, especially when selinux or similar tool is used. dnssec-trigger-script: Use a regular file unless use_resolv_secure_conf_symlink is set. Always install /var/run/dnssec-trigger/resolv.conf for comparison. Guard all of those regular files using immutable attribute. dnssec-trigger-script: fix desktop file paths.
  • Patches from Pavel Simerda: dnssec-trigger-script: lock --update-* methods only The original locking was a bit too broad for future development. dnssec-trigger-script: improve /etc/dnssec.conf handling Minor changes that make future /etc/dnssec.conf extensions easier. dnssec-trigger-script: support 'debug' option in /etc/dnssec.conf With that you can get the debugging output even for instances run by systemd, dnssec-triggerd and NetworkManager dispatcher. dnssec-trigger-script: clean up resolv.conf backup and restore Clean up the code a bit so that later additions dont turn it into a mess. dnssec-trigger-script: use /var/run/NetworkManager/resolv.conf.default Avoid restarting NetworkManager just to restore /etc/resolv.conf when a simple symlink would do. This is only done when the NetworkManager's private resolv.conf actually exists. allow the resolv.conf hooks be handled by dnssec-trigger-script dnssec-trigger-script: handle resolv.conf events from the daemon The new implementation doesn't write directly to /etc/resolv.conf and instead it writes a temporary file and then replaces the /etc/resolv.conf using POSIX `rename()`. dnssec-trigger-script: support /etc/resolv.conf and /etc/resolv-secure.conf symlinks This is an experimental feature and is turned off by default. You need to put the following to /etc/dnssec.conf to activate it: use_resolv_conf_symlink=yes probe: use wildcard probing domains This change might need to be revisited to see whether we need to check both known wildcard and known non-wildcard domains.
  • Fix #629: bad if test in net_help for ctx_load_verify_locations.
  • Patch from Pavel Simerda: improve dnssec-trigger-script locking and avoid a dependency.
  • Fix NetworkManager script fails t parse nmcli version as of, patch from Gerald Turner.
  • Patches from Ondrej Sury (from the Debian package): Remove some ugly bashisms from the script. Fixes static paths that right be mismatched (f.e. on multiarch system). Fix IndexError in dnssec-trigger-script, when there less then 4 resolvers since you use 3xfields.pop(0) before that. Fix release date in makedist manpage to be more stable. Do substitutions in makefile, more autoconf'y Fixup dnssec-triggerd.service from
  • Better fix for pidof that sets PATH for networkmanager dispatcher script (from Ondrej Sury).
  • Add --with-pidof=/usr/sbin/pidof where you can set the location of the pidof command to use in the Networkmanager script, /usr/bin/pidof or /usr/sbin/pidof (depending no your distribution).
  • Patches from Pavel Simerda: improve systemctl call. serialize script instances.
  • Patches from Pavel Simerda: Fixup for python2. fix a race condition with NetworkManager restart. don't fail on empty connection list. move legacy connection handling to the cleanup phase. don't block on systemctl restart NetworkManager.
  • Patches from Pavel Simerda: fix bug that prevents calling dnssec-trigger-control submit ( avoid dependency on pidof handle missing resolv.conf backup gracefully upgrade zone cache format at startup ( always log to stderr
  • Patch from Pavel Simerda. This, among other things, allows to restart unbound and/or dnssec-trigger without restarting NetworkManager when it's configured not to touch the DNS. And, avoid Filenotfounderror not available in python 2, And fix unbound output parser
  • updated authority server addresses builtin to dnssec-trigger for d root server (ipv4) and c root server (ipv6) for its tests.


  • log correct type in timeout for TXT.
  • restart panels on install on OSX.
  • Fix OSX user panel stop and start in reinstall, also fix for double popups during reinstall.
  • Fix crash on read of ssl443 entry without a hash.
  • Squelch address family not supported errors (on low verbosity).
  • Fix networkmanager hook to detect if it has to use the new commandline syntax of networkmanager 0.9.4.
  • Fixup uniqueid for Mountain Lion OSX 10.8 release, you have to run the installer again (upgrade or uninstall-reinstall).
  • bug 489: removed Application deprecated keyword from .desktop file.
  • OSX wake listener implementation.
  • patch for OSX that passes all domains from search to the OS (from Phil Pennock).
  • Fixup snprintf return value usage.
  • Fixup OSX backquote backslashes. Removed wrong OSX version from its installer text.
  • Let system dealloc feed and feed_lock on OSX and Linux/BSD.
  • Fixup new glib deprecated calls.
  • Patch from Tomas Hozza to improve the networkmanager connect script for VPN connections. It adds forward zones for the VPN over the VPN connection.
  • Fix#522: Errors found by static analysis of source from Tomas Hozza.
  • Fix NM dispatcher script to work with NM >= (Thanks Tomas Hozza).
  • Patch from Tomas Hozza that improves text in dialogs (on linux).
  • Added fedora/ from Tomas Hozza, that will backup and restore resolv.conf for use in systemd.service scripts and networkmanager scripts.
  • Added contrib networkmanager dispatcher script from Tomas Hozza.
  • Added patch to networkmanager dispatcher script and also an example dnssec.conf file from Tomas Hozza.
  • Fix #551: Change Regents to Copyright holder in License.
  • Patches from Tomass Hozza; Explicitly-use-Python2-interpreter, Fix-situation-when-connection-is-going-down, resolv.conf-backup-script-restart-NM-to-handle-resolv.conf, Update-systemd-service-files-to-latest-version-used.
  • Patch from Pavel Simerda: better integration with NetworkManager and distributions, added in contrib.
  • Removed files obsoleted by patch from Pavel Simerda: contrib/01-dnssec-trigger-hook-new_nm (replaced with dnssec-trigger-script and 01-dnssec-trigger) fedora/dnssec-triggerd.service (new version in contrib) fedora/dnssec-triggerd-resolvconf-handle.service (handled by dnssec-triggerd.service directly) fedora/dnssec-trigger.spec (spec files are maintained separately) fedora/dnssec-triggerd-keygen.service (new version in contrib) fedora/ (handled by dnssec-trigger-script directly) fedora/dnssec-triggerd.init (only used in epel6 which hasn't been updated for ages)
  • Renamed 01-dnssec-trigger-hook to 01-dnssec-trigger with the networkmanager naming scheme. (From Pavel Simerda).
  • Patch from Pavel Simerda that incorporates contrib items into the build install system. Systemd scripts, dnssec-trigger-script, dnssec.conf.
  • Patch for --async flag from Pavel Simerda, stops dnssec-trigger-script to block on networkmanager, which is good in cases when networkmanager blocks on the script.
  • Change the ip-address of tcp and ssl service from to (we changed netblocks). The new ip address and new certificate fingerprint (because of ssl heartbleed vuln) are in the example.conf file. The cert was only used for transport and not for authentication, so its change was low priority.
  • Updated to distinguish secure and insecure zones, and to flush the unbound cache on DNS server list changes. (from Pavel Simerda).


  • This release has selfupdate enabled for Windows and OSX. There is no implementation for Unix (it downloads the tarball to /tmp for you if enabled).
  • This release detects hotspots and shows a login prompt, opens a web browser for you and in the background retries to enable dnssec every 10 seconds.
  • Fix Fedora bug with no DNS servers in resolv.conf with absolute path in networkmanager hook script.
  • The .desktop entry name without 'panel'.
  • fedora package files updated.
  • http check is performed, nonblocking. Lookup of addres(es), A, AAAA to the (up to 5) DHCP DNS resolvers. 3 urls are checked, until one connects, then it checks content. IP4 and IP6, until first works.
  • url for and added in default config.
  • absolute sbindir in netconfig hooks.
  • ssl can list multiple hashes (for certificate rollover).
  • probe logic that keeps track of http_insecure mode.
  • skip_http control command.
  • raise dialog to top on GTK.
  • gui for hot spot sign on. opens web browser if user wants to sign on.
  • OSX update dnssec-trigger.conf with new url settings.
  • OSX fix the double-window shown bug, bug in NSWindow deminiaturize func.
  • configure windows detects GetAdaptersAdresses (XP and later).
  • Fix compatibility with VirtualBox on Windows, that messes with the network adapters. Solution works on windows XP and later (detected by configure).
  • Fix trayicon on windows high DPI settings to look better.
  • silence connect() http errors, unless verbosity 2.
  • stop other download if one succeeds (happy eyeballs) on selfupdate.
  • fix exit of panel and threads
  • fix read multiple persist actions in one SSL packet frame.
  • Fix FIONBIO error on windows.
  • improved printout of SSL_ERROR_SYSCALL errors.
  • do not print interface-unknown and conn-reset errors upon system restart for windows, only printed on high verbosity.
  • windows dnssectrigger depends on unbound for boot invocation, this fixes an error where it cannot tell unbound what to do.
  • linebuffer for dnssec-trigger-control stdout, for results printout.
  • Fix windows upgrade to preserve config files and to preserve the installed (or not-installed) startmenu links.
  • fix osx comma in multiple DNS servers.
  • fix OSX unbound to be able to write root.key from the chroot.


  • truncate pidfile (just like NSD fix, in case directory not owned).
  • If hotspot-signon, set override servers right away on a network change, so the user does not have to wait for 10 seconds after a change of the wifi.
  • Attempt to add DHCPv6 support for windows.
  • Use Processes.dll code (can be freely used, source provided) for kill process in windows NSIS installer. Compiled to 6kb (not 50kb). Processes.dll was made by Andrei Ciubotaru.
  • show version number in add-removeprograms configpanel (windows).
  • install script removes leftover trayicons using direct windows API.
  • dnssec-trigger-control uses registry config location (for windows).
  • fix dnssec-trigger-control error printout if SSL files fail.
  • show package version in probe results dialog.
  • updated acx.nlnetlabs.m4 for gcc 4.6 compat for portability tests.
  • Do not show the insecure and hotspot windows at the same time.
  • Fix for OSX to show the popups on top of the other windows.
  • alert icon easier to read.


  • unbound in binary packages is upgraded to 1.4.14.
  • Set hook throttleinterval to 1 second, this reduces the osx wakeup and bootup wrong probes because the hook was throttled for 10 seconds.
  • stoppanels waits for the connection of the panel to close, this may remove re-install race conditions.
  • detailprints in windows installer and uninstaller.
  • attempt to fix endless loop on windows (reported by Alan Clegg).
  • windows installer waits for services to come to a full stop.


  • macinstall, launch unbound-anchor at boot (update if offline months)
  • echo in Makefile and newline if no probe performed.
  • do not log errors for unclean ssl close.
  • probe ssl servers (nlnetlabs default server configured).
  • check ssl fingerprint of servers.
  • remove error dialog at end of osx install.
  • on OSX update config if old (no ssl443)
  • more detailed logging at verbosity 4 (prints wire and dig output)
  • fixed the OSX installer problem, launchd does not load userspace agents without hacks, and has side-effects that enables boot-start.
  • config for new open resolver (port 80 TCP, port 443 SSL). No more probe plain tcp on port 443.
  • the test_tcp and test_ssl command do not have the 20-sec tcpretry once timer, so that the test can try unbound.
  • Fix that if network down (nothing pings) then it picks disconnect, for slow bootup where the machine has the previous network settings.
  • control unsafe shows the dialog popup again.
  • Fix bug where no IPv6 causes wrong test results, notably SSL, due to the error report code.
  • Fix where race condition could cause blacklist of open resolver.
  • Fix to flush_infra and flush_requestlist when we use open resolver, the proxy that causes this to be used as fallback has polluted those entries (possibly).
  • sigHUP reloads config and reopens logfile for log rotation support.
  • Fix apple OS failure by installer, because of tarfile inclusion of extended attributes that overwrote system dir extended attributes.


  • fix that setup hint is not printed on a reinstall.
  • stop executables before re-install of dnssec-trigger.
  • tested to work on winXP (thanks Jan-Piet Mens).
  • fix printout of 1970 date, instead that no probe was performed.
  • fix unknown options for dnssec-trigger-panel, prints version too.
  • dmg installer for MacOS X, donated by Carsten Strotmann.
  • for caches, also test if NSEC3 is present for QTYPE=NULL nodata.


  • detect transparent proxies and avoid them.
  • Fix insecure mode after dnstcp443 has been probed.
  • Fix race condition between system and dnssec-trigger where briefly the DHCP insecure response was dominant. On OSX and Windows a system preference (like from the control panel) is created. On Linux chattr immutable, on BSD chflag immutable. On exit, it enters even if in insecure mode, so that a later reboot will be secure. The override is removed on uninstall.
  • windows package work, tested Vista.
  • the dnssec-trigger-panel (gtk2 without libappindicator) works on the XFCE desktop.
  • libappindicator support, for Ubuntu Unity desktop GUI. Just install libappindicator-dev and build and a Unity GUI tray icon is produced.
  • can build outside of sourcedir.
  • Manpage fixes
  • Add @ to echo in Makefile.
  • print error on control unknown command, and exit status 1.


  • The windows installer includes unbound and is much improved. untested.
  • There is a GUI for Hotspot Signon (menu item). Use it to go without DNSSEC to sign into the hotel hotspot.
  • windows README is a proper .txt files for dos
  • windows loop bug is fixed.
  • new IP6 address for the open resolver service at nlnetlabs. ip4 is .42 and ip6 has ::42.


  • dnssec-trigger-control reprobe command from the commandline.
  • dnssec-trigger-control hotspot_signon, forces insecure mode for a sign-on. The reprobe command can be used to stop forced_insecure.
  • added probe tcp80 and tcp443 as last resort.
  • retry for insecure and disconnect cases with exponential backoff, start 10 seconds, max 24h.
  • tcp retry after 20 seconds, in case more opens up or it was slow.
  • ignore UDP without QR flag: some DNS caches send echoes of the query back initially. If we ignore them we catch a (100 msec later) correct answer later. (or timeout if no answer comes).
  • if probe is in progress it prints that in status.
  • if no DNS servers via DHCP it prints that in status.
  • antialiased fonts in windows native gui.
  • fix configure --with-gui, it did not change the gui but hooks.
  • refactor GUI panel SSL feed to be more portable.
  • fix stop command.
  • status 'dark' is now called 'nodnssec'.
  • fix so that if it cannot bind socket the server fails to start.
  • fix so that on OSX no zombie process remains.
  • kill -HUP performs a reload on UNIX. It only reload the strings and that config, it keeps the running probe results and open sockets to panels and certificates.
  • added fedora spec and init script.
  • fix OSX get of DHCP options to use ipconfig API instead of faulty awk parse.


  • Fixes makefile dependencies.
  • stoppanels control command for installers to update that panel exe.


  • pick up SSID (for windows, OSX) to filter trigger with, so an SSID change from the wlan triggers a reprobe.
  • set windres resource files, icons, log-format, useradmpermission and setup.exe script with NSIS, it includes dlls.
  • fix fd leaked every second by panel if the daemon was down.
  • print time of probe with results.
  • windows and osx probe and hooks.
  • gtk and cocoa GUI


  • First version. networkmanager hooks. GTK gui.


Dnssec trigger enables the end-host (laptop or desktop computer) to use DNSSEC protection for the DNS traffic. DNS translates names of computers into IP-addresses used to contact them.

It probes for DNSSEC capable servers and instructs a validator on localhost to use that. If it fails, the user can opt to go insecure.

This means a browser can (often) get DNSSEC capable results. It may trust results from with the ADflag. Or it can do DNSSEC validation itself. This can enable DANE (IETF wg).

One of the last resorts of dnssec-trigger is to use SSL port 443 for DNSSEC. If that fails, it is unlikely that DANE (https, also SSL port 443) can work. Thus, logically, this service is very likely to provide DNSSEC when DANE must have it.

This software is Open Source licensed and it works on a variety of platforms.


mailing list
dnssec-trigger manpage
windows manual

Wed Dec 6 2017

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands, subsidised by NLnet and SIDN.