Back to Verisign Labs Tools

Identifying DNSSEC Validators

Our validator search project is an attempt to quantify the number of DNSSEC-validating resolvers in use on the Internet. In particular, we want to identify recursive name servers which have configured the root zone trust anchor. We find this data a useful metric for DNSSEC adoption and especially helpful for informing discussions about key rollovers for the root zone.


We identify DNSSEC validators by observing the behavior of recursive name servers when they send queries to our zone We elicit retry behavior from validators by omitting signature records from an initial response. Subsequent responses contain the signatures necessary for validation. A recursive name server that retries within a short period of time is marked as a validator.

You Can Help

In order for our our measurements to be meaningful, we need to receive queries from a wide variety of recursive name servers. To achieve this goal we ask members of the DNS and networking communities to assist by adding the following single line of HTML code to web pages:

<a href=""></a>

This HTML snippet should have no visible impact on a rendered page. Since nearly all web browsers now implement DNS prefetching, the code above results in a DNS query for the name shown and allows us to characterize the recursive name server that the query goes through. Alternatively, you could also use this technique if you are allowed to insert text into the HEAD section of your HTML page:

<link rel="prefetch" href="" />

Please note that we are not interested in identifying individual users who have loaded the web page. The name above points to the localhost IP address ( so even if someone does manage to "click" on it, that request does not reach us.

Preliminary Results

Percentage of resolvers doing DNSSEC validation Validation consistency DNSSEC validation at AS level