Add-on for Google Chrome/Chromium is not working?

The add-on for Google Chrome and Chromium communicates with an external binary application through the Native Messaging interface. The binary is required for the add-on to work correctly. The binary can be downloaded here. Keep in mind that the versions of the binary and the extension must match.

What is DNS?

DNS (Domain Name System) works like a telephone directory, but for internet IP addresses. It lets you assign a symbolic name, i.e. the domain name, to a numerical IP address. Domain names are easier to remember and more intuitive to enter into a browser ('I know this international company which is called XY. I'll type www.XY.com into the browser.'). The browser, much like a person using a telephone book, looks in the 'directory', finds the correct entry, connects to the IP address corresponding to the domain name and displays the website to the user. You can find more information about DNS on the website About domains and DNS.

What is DNSSEC?

DNSSEC is an extension of the domain name system (DNS) which increases its security. DNSSEC assures that the DNS information has been provided by the correct source, is complete, and that its integrity has not been breached during transmission. DNSSEC ensures the credibility of the data obtained from DNS. You can find more information about DNSSEC technology on the website How does DNSSEC work?

Where can I check whether the add-on is working properly?

You can verify that the add-on works on the website www.dnssec-validator.cz. Its DNS entry is signed with a valid signature, so a green key should be displayed. If you enter the address www.rhybar.cz into your browser, a red key should be displayed, because the domain name www.rhybar.cz is intentionally signed with an invalid signature.

Windows Firewall has blocked some features of plugin container or the browser. Allow access?

YES. The DNSSEC Validator add-on uses its own validating, recursive and caching resolver built on libunbound (http://www.unbound.net/). Using its own validating resolver is the only way to ensure proper DNSSEC validation on systems with a broken system resolver or a resolver that doesn't support DNSSEC. Unbound communicates over UDP and TCP. Due to the stateless nature of UDP, the plug-in container opens a UDP port in order to receive UDP DNS responses. You must allow access, otherwise the DNSSEC Validator add-on will not work correctly.

Validator shows a pop-up that the current DNS server or resolver doesn't support DNSSEC. What can I do?

Typically this behaviour occurs on a wireless connection, when the user moves between several WiFi networks without restarting the browser. In such situations, you should change the validator settings. Set a custom resolver which supports DNSSEC data forwarding (e.g.,,, or you can use the 'Without resolver' choice. The latter option provides correct behaviour of the validation process on most internet connections.
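The following added example (not code from the add-on or from libunbound) illustrates what "supports DNSSEC data forwarding" means at the packet level, on the assumption that it refers to a resolver returning RRSIG records when the query sets the EDNS0 DO bit. The function names, the name www.example.test and the sample replies are constructed for illustration.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000  # "DNSSEC OK" flag, carried in the TTL field of the EDNS0 OPT record

def encode_name(name):
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qid=0x1234):
    """A query for `name` with RD set and an OPT record announcing DO=1."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!2H", TYPE_A, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, DO_BIT, 0)
    return header + question + opt

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return pos + 2
        pos += 1 + length

def answer_types(msg):
    """List the RR types found in the answer section of a DNS message."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    return types

def forwards_dnssec(response):
    """True if the resolver returned signatures alongside the answer."""
    return TYPE_RRSIG in answer_types(response)

def sample_response(signed):
    """Constructed reply for www.example.test; the RRSIG rdata is dummy bytes."""
    rrs = [(TYPE_A, bytes([192, 0, 2, 1]))] + ([(TYPE_RRSIG, b"\x00" * 20)] if signed else [])
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(d)) + d for t, d in rrs)
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(rrs), 0, 0)
    return header + encode_name("www.example.test") + struct.pack("!2H", TYPE_A, 1) + body
```

Such a check is only meaningful for a name known to be signed, since an unsigned zone yields no RRSIG from any resolver.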

Validator shows a red key. IP addresses obtained by browser and the add-on are different. Why?

This situation can occur when using a proxy/cache server. In this case, the browser connects to the proxy server whereas the validator add-on obtains the IP address of the original page.