DNSSEC/TLSA Validator is a web browser add-on which allows you to check the existence and validity of DNSSEC and TLSA records related to domain names.


End of Support

Tue 16 October 2018

After struggling and failing to implement the DNSSEC/TLSA Validator extension for Firefox Quantum (57+) we've decided to stop the development and support of the extension.

Firefox 56 was the last version which provided necessary APIs that enabled the DNSSEC/TLSA Validator to check DNS records and certificates for all …


Wed 22 February 2017

A new version has been released for Firefox.

New Features:

  • DNSSEC Lookaside Validation has been disabled.


  • ldns 1.7.0.
  • OpenSSL 1.0.2k.

Version: 2.2.0

Thu 04 September 2014

New Features:

  • New js-ctypes-based implementation for Firefox.
  • New validator implementation for Chromium/Chrome/Opera based on Native Messaging.
  • Added new state notification about entering a non-existent (according to DNSSEC) web site.
  • Polish localisation.


  • Updated prefixes for DOM nodes in Firefox js-ctypes extension.
  • Fixed bug in type 2 TLSA record …

End of Development

We're sorry but the add-on is no loger actively developped and supported. It was getting excessively difficult to cope with the changes in web browsers and other required software to maintain the functionality in all of the previously supported browsers. Currently we don't know about any mainstream browser that would provide APIs which are necessary for the full functionality of the extension (as it was in Firefox 56 and its earlier versions).

The add-on is not available for Firefox 57 and above. Firefox 57 dropped the support for various APIs, which the add-on has been using, without providing adequate replacement. As we don't want to sacrifice any of the currently provided functionality we've decided to stop the support and development of the add-on.

You may also experience problems in other previously supported browsers. This is because during the past years the browsers have been dropping the support of old APIs in favour of their more secure (and more restrictive) counterparts. This new APIs don't allow us the access to all functions that would have been needed to implement the Validator extension in its full functionality.


DNSSEC/TLSA Validator is a web browser add-on which allows you to check the existence and validity of DNS Security Extensions (DNSSEC) records and Transport Layer Security Association (TLSA) records related to domain names. Results of these checks are displayed by using icons and information texts in the page’s address-bar or browser tool-bar. In the past, Internet Explorer (IE), Mozilla Firefox (MF), Google Chrome/Chromium (GC), Apple Safari (AS) were supported.


DNSSEC/TLSA Validator allows you to check the existence and validity of DNSSEC signed DNS records. DNSSEC Validator shows whether the domain name is DNSSEC-signed. It also checks whether the browser is connecting to the correct IP address assigned for this domain name. If a valid DNSSEC chain related to the domain is found the plug-in will also check for the existence of TLSA records. TLSA records store hashes of remote server TLS/SSL certificates. The authenticity of a TLS/SSL certificate for a domain name is verified by DANE protocol (RFC 6698). DNSSEC and TLSA validation results are displayer by using several icons. Additional explanatory texts are shown in the page’s address bar (MF, GC and OP), in a separate tool bar (IE) or toolbar buttons (AS). Clicking on a given icon symbol reveals more detailed information.

Key features

  • DNSSEC Validator checks the existence and validity of DNSSEC-signed DNS records for domain names and it also checks whether the browser is connecting to the correct IP addresses assigned for these domain names.
  • TLSA Validator attempts to perform a validation of TLSA/PKI pair according to the DANE protocol.
  • TLSA Validator can interrupt HTTPS request when the server certificate doesn't correspond with obtained TLSA records (MF only in synchronous mode, AS).
  • DNSSEC/TLSA Validator is not dependent on an external validating resolver for its function.
  • Both validator cores (DNSSEC and TLSA) are based on libunbound.
  • Encompasses a shared DNS cache accessible from all browser windows and tabs to improve performance.
  • Coloured icons display the status of DNSSEC/TLSA validation.
  • English, German, Czech and Polish localization (AS only Engilsh).
  • Open source project released under the GNU GPL.

GUI and interface

  • Coloured key icons and information texts present DNSSEC validation states.
  • Coloured padlock icons and information texts display TLSA validation states.
  • Screen-shots are available here.

Supported platforms

  • Distributed in binary form for Linux, Mac OS X/macOS and MS Windows.
  • Supports 32-bit and 64-bit operating system.
  • Can be compiled from sources for other UNIX-like systems (e.g BSD; although minor modifications might be required).

Known limitations

  • IE and GC/OP versions may not work correctly in cooperation with proxies (DNSSEC Validator only).
  • Plug-in cores can lose DNSSEC information when packets are fragmented (typically on WiFi).
  • Usage of DNSSEC unaware or non-compliant resolvers or exotic resolver configurations cause validation problems.