One of the most useful DNS and DNSSEC debugging utilities I am aware of is DNSViz – a tool for visualizing the status of a DNS zone:

it provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool

It has enabled me to “see” issues with domains which are otherwise very difficult to determine, and it is a site I strongly recommend in DNS/DNSSEC courses.

a small portion of a domain visualization

DNSViz presents a domain on a Web page and I can hover over individual elements to see details about them, as the example above demonstrates. (See the full output here.) Domains are typically visualized from the root down to the domain I wish to test. DNSViz keeps a history (which was unavailable for a long time) so I can “walk back” in time looking at previous analyses.

DNSViz is also exciting to use on your own DNSSEC-signed domains, and note that this excitement extends to a possible requirement for smelling salts: will the page display portions in red (i.e. bogus or kaputt)?

That was not a joke. :-)

I wanted to try DNSViz in a self-hosted environment, as the software is open source, and opted for the easiest mechanism: a docker image.

I also cloned the dnsviz/dnsviz repository as I later discovered the program can produce the “HTML format”, i.e. exactly the view we see at DNSViz, and I copied the required CSS and JS files into their own directory:

$ ls -1 web/

Then I assembled the commands (probe, graph) needed to produce the PNG, and HTML (SVG is also possible), and massaged the HTML to use the assets from the web/ directory:

#!/usr/bin/env bash
# usage: ./script zone  (the zone name is passed as the first argument)
z="${1:?usage: $0 zone}"

# probe: query the zone (authoritative servers and all intermediate
# zones up to the root) and serialize the responses into $z.json;
# this is the only step which needs network access
docker run --network host -v "$PWD:/data:rw" dnsviz/dnsviz \
	probe -A -a . --nsid --pretty-output -o "$z.json" "$z"

# graph: render the PNG from the JSON; -O names the output after the input
docker run -v "$PWD:/data:rw" dnsviz/dnsviz \
	graph -r "$z.json" -T png -O

# graph again as HTML, restricted to the SOA and NS RR types
docker run -v "$PWD:/data:rw" dnsviz/dnsviz \
	graph -r "$z.json" -T html -O --rr-types SOA,NS

# point the HTML at the CSS/JS copied into web/ instead of the paths
# inside the container (BSD/macOS sed; GNU sed uses -i instead of -I "")
sed -I "" -e 's,file:///usr/share/dnsviz/css,web,' \
	  -e 's,file:///usr/share/dnsviz/js,web,' "$z.html"

And I have the program generate the visualization:

$ ./
Analyzing .
Analyzing net

The resulting PNG and HTML differ here, because for the HTML I’ve limited the RR types to SOA and NS, but otherwise they contain the same information. The probe phase produces a JSON file containing serialized responses to queries for the specified domain.

I can specify my own resolvers, ask the program to query authoritative servers only, and use the “print” subcommand to assess specified domain names based on the content in the JSON file. If need be, I can also use an alternate trust anchor, permitting the tool to be used in private roots as well.

I found interesting what Guillaume-Jean Herbiet mentioned to me: they use a self-hosted version of DNSViz to test the semantic validity of signed zones before publication.

I then installed the program locally so that I no longer need docker.

$ brew install dnsviz graphviz

Peter DeVries points out that the tool also has a “query” command which gives textual results which are relatively easy to understand. In the following example I query for a domain and we see the chain of trust from the root (.) down through net to the zone I’m interested in:

$ dnsviz query
. [.]
  [.]  DNSKEY: 8/951/256 [.], 8/18733/256 [.], 8/20326/257 [.]
  [.]    RRSIG: ./Algorithm.RSASHA256/20326 (2022-12-20 - 2023-01-10) [.]
net [.] [.]
  [.]  DS: 8/35886/2 [.]
  [.]    RRSIG: ./Algorithm.RSASHA256/18733 (2022-12-22 - 2023-01-04) [.]
  [.]  DNSKEY: 8/57635/256 [.], 8/35886/257 [.]
  [.]    RRSIG: net/Algorithm.RSASHA256/35886 (2022-12-20 - 2023-01-04) [.] [.] [.]
  [.]  DS: 13/37440/2 [.]
  [.]    RRSIG: net/Algorithm.RSASHA256/57635 (2022-12-19 - 2022-12-26) [.]
  [.]  DNSKEY: 13/17125/256 [.], 13/37440/257 [.]
  [.]    RRSIG: (2022-12-15 - 2023-01-14) [.]
  [.]  A:
  [.]    RRSIG: (2022-12-10 - 2023-01-09) [.]
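The chain of trust shown in that output can also be checked mechanically. The following is an added example (not part of DNSViz or of the original post) which parses the text format of “dnsviz query” as it appears above and verifies that each DS points at a SEP key the child actually publishes, that each RRSIG names a key tag present in the signer’s DNSKEY set, and that every signature is valid on a given date. The sample input is constructed from the output above: the status icons are dropped, the elided zone name is replaced by the hypothetical example.net, and the two RRSIG lines whose signer was missing on the page are filled in as assumptions.

```python
"""Check the chain of trust described by `dnsviz query` text output.

Added example, not part of DNSViz. SAMPLE is constructed from the
output shown on the page; example.net and the two ECDSAP256SHA256
RRSIG lines are assumptions, not data from the page.
"""
import re
from datetime import date

SAMPLE = """\
.
    DNSKEY: 8/951/256, 8/18733/256, 8/20326/257
      RRSIG: ./Algorithm.RSASHA256/20326 (2022-12-20 - 2023-01-10)
net
    DS: 8/35886/2
      RRSIG: ./Algorithm.RSASHA256/18733 (2022-12-22 - 2023-01-04)
    DNSKEY: 8/57635/256, 8/35886/257
      RRSIG: net/Algorithm.RSASHA256/35886 (2022-12-20 - 2023-01-04)
example.net
    DS: 13/37440/2
      RRSIG: net/Algorithm.RSASHA256/57635 (2022-12-19 - 2022-12-26)
    DNSKEY: 13/17125/256, 13/37440/257
      RRSIG: example.net/Algorithm.ECDSAP256SHA256/37440 (2022-12-15 - 2023-01-14)
    A: 192.0.2.1
      RRSIG: example.net/Algorithm.ECDSAP256SHA256/17125 (2022-12-10 - 2023-01-09)
"""

# IANA DNSSEC algorithm numbers for the mnemonics dnsviz prints in RRSIG lines
ALG_NUMBERS = {"RSASHA1": 5, "RSASHA256": 8, "RSASHA512": 10,
               "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14,
               "ED25519": 15, "ED448": 16}

RRSIG_RE = re.compile(
    r"(?P<signer>\S+)/Algorithm\.(?P<alg>\S+)/(?P<tag>\d+) "
    r"\((?P<start>\d{4}-\d{2}-\d{2}) - (?P<end>\d{4}-\d{2}-\d{2})\)"
)


def parse_query_output(text):
    """Return {zone: {"DS": [(alg, tag, digest)], "DNSKEY": [(alg, tag, flags)],
    "RRSIG": [dict]}}. A line without leading whitespace starts a new zone;
    an RRSIG line covers the record type printed immediately before it."""
    zones, zone, covered = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            zone = raw.strip()
            zones[zone] = {"DS": [], "DNSKEY": [], "RRSIG": []}
            continue
        rtype, _, rest = raw.strip().partition(":")
        rest = rest.strip()
        if rtype == "RRSIG":
            m = RRSIG_RE.match(rest)
            if not m:
                raise ValueError(f"unparsable RRSIG line: {raw!r}")
            zones[zone]["RRSIG"].append({
                "covers": covered, "signer": m["signer"],
                "alg": ALG_NUMBERS.get(m["alg"]), "tag": int(m["tag"]),
                "start": date.fromisoformat(m["start"]),
                "end": date.fromisoformat(m["end"])})
            continue
        covered = rtype
        if rtype in ("DS", "DNSKEY"):
            for item in rest.split(","):
                alg, tag, third = item.strip().split("/")
                zones[zone][rtype].append((int(alg), int(tag), int(third)))
    return zones


def check_chain(zones, today):
    """Return a list of problems; an empty list means the chain is consistent
    and every signature is within its validity window on `today`."""
    problems = []
    for zone, recs in zones.items():
        keys = {(a, t) for a, t, _ in recs["DNSKEY"]}
        # flags 257 = ZONE (256) + SEP (1): the key a DS is expected to point at
        seps = {(a, t) for a, t, flags in recs["DNSKEY"] if flags & 1}
        if zone != "." and not recs["DS"]:
            problems.append(f"{zone}: no DS record, chain of trust breaks here")
        for alg, tag, _ in recs["DS"]:
            if (alg, tag) not in keys:
                problems.append(f"{zone}: DS {alg}/{tag} matches no DNSKEY in the zone")
            elif (alg, tag) not in seps:
                problems.append(f"{zone}: DS {alg}/{tag} points at a key without SEP")
        for sig in recs["RRSIG"]:
            signer = zones.get(sig["signer"])
            signer_keys = {(a, t) for a, t, _ in signer["DNSKEY"]} if signer else set()
            if (sig["alg"], sig["tag"]) not in signer_keys:
                problems.append(f"{zone}: RRSIG over {sig['covers']} by "
                                f"{sig['signer']}/{sig['tag']} has no matching DNSKEY")
            if not sig["start"] <= today <= sig["end"]:
                problems.append(f"{zone}: RRSIG over {sig['covers']} by key {sig['tag']} "
                                f"not valid on {today} ({sig['start']} - {sig['end']})")
    return problems


if __name__ == "__main__":
    for day in (date(2022, 12, 23), date(2022, 12, 28)):
        print(day, check_chain(parse_query_output(SAMPLE), day) or "chain OK")
```

Run against the sample the chain is clean on 2022-12-23, while on 2022-12-28 the one-week signature over the child’s DS (2022-12-19 to 2022-12-26) is reported as expired, which is exactly the kind of window a zone operator wants to catch before resolvers start returning bogus.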

Did I mention DNSViz is a brilliant tool?