Frequently asked questions


1. What is Zonemaster?

Zonemaster is a program designed to help people control, measure and hopefully better understand how the domain name system, DNS, works. Zonemaster is made up of three main parts:

  1. The engine (all code that implements all tests)
  2. Command line interface (CLI)
  3. Web interface

When a domain (also called zone) is sent to Zonemaster, the program investigates the state of the domain by going through DNS from the root (.) to the TLD (top-level domain, for example, .net), and then finally through the DNS servers that contain information about the specified domain (for example, Zonemaster also performs many other tests. All of these are documented here: Test Requirements document.

2. Who developed Zonemaster?

Zonemaster is a collaborative project between IIS (registry for the TLDs .se and .nu) and AFNIC (registry for the TLD .fr and the smaller TLDs belonging to France).

3. How can Zonemaster help me?

Zonemaster is designed for two types of people:

  1. People who know how the DNS protocol works.
  2. People who just want to know that their domain is set up correctly and will not have problems in the future.

Those of you who belong in the latter category should contact those in the first category to troubleshoot your domains or if you get results you do not understand or are not happy with. This is easily done by sending the link to your test when you contact your DNS operator or registrar.

4. Zonemaster shows “Error”/“Warning” when I test my domain. What does that mean?

It depends on which test is being performed. In most cases, you can click on the error/warning message to get more information about the problem.

For example, what does it mean if we test the domain “” and get an error message that says “DNS server ( is not responding to calls over UDP”? After that, we click on the message to get more detailed information. In this case: “The DNS server did not respond to calls over UDP. This is probably due to the DNS server not being correctly set up or a misconfigured firewall.” Fortunately, this was just an example because this error in reality means that a DNS server is unavailable, so it’s not exactly a harmless error.

5. How can Zonemaster judge what’s right and wrong?

No one can give a definitive, final statement on a domain’s health. This is important to note. IIS, AFNIC, and the people behind Zonemaster do not claim that Zonemaster is always completely right. In some cases, opinions are divided, especially between different countries. Sometimes even locally. Together, through cooperation, we have done our best to produce as good a policy as possible for how various errors are judged before they are presented to you as the user of the tool.

An advantage for you as a user, however, is that it is easy to create your own policy for how serious certain errors may be. Using the CLI tool, you can directly point to your own policy.

6. Can Zonemaster handle IPv6?

Yes, all tests made over IPv4 can also be done over IPv6 if Zonemaster is configured to do that.

7. Can Zonemaster handle DNSSEC?

Yes. If a domain tested by Zonemaster has DNSSEC configured, it will be tested automatically.

8. What separates Zonemaster from other software that tests domains?

First and foremost, Zonemaster saves all test history. This means that you can go back and look at a test you did a week ago and compare it to a test you just ran.

Zonemaster also tries to explain errors and warnings in a clear way, even if these messages can be difficult to understand for those who are non-technical.

Zonemaster can also test non-published/undelegated domains (more on this in FAQ question 12).

There is an “advanced” tab available for those technicians who prefer more detailed test information.

Zonemaster also has an open source code and is modular. You can, in other words, reuse parts of the code in your own system if you want.

9. Zonemaster and integrity

Because Zonemaster is accessible for everyone, it is also possible for anyone to check your domain and also to see the test history for your domain. However, there is no way to see who has done a test since the only thing that is logged is the time the test was performed.

10. Why can’t I test my domain?

Assuming that the domain you are trying to test actually exists, then there are two things that can cause this:

  1. To prevent multiple tests made simultaneously in the same zone from the same IP address, there is a forced delay of five minutes between identical tests. This means that you can not test a domain more often than every five minutes. If you test your domain again before five minutes have passed, you will be shown the most recently saved result.
  2. Since Zonemaster is designed to test domains (like and not the host name of a domain (like, the Zonemaster website checks the domain you typed before sending it to the Zonemaster test engine to see if it is actually a domain. This check may fail in some rare cases (and the zone will not be approved). The only time we have seen this happen is in the case where the DNS servers of the zone you are trying to test are very broken. Let us know if this happens to you so we can get more information on how we can correct the way this test of the domain is performed.

11. Which type of DNS questions does Zonemaster generate?

This is a difficult question to answer because Zonemaster will generate different types of calls depending on how your DNS servers answer. The simplest way to see exactly what Zonemaster is testing is to run the CLI command “zonemaster-cli”. The result will provide fundamental information about what is happening during the test. However, it should be mentioned that the output from the CLI tool is very technically challenging. If you don’t like bits and bytes, you may want to avoid it.

12. What is a pre-delegated domain test?

An pre-delegated domain test is a test performed on a domain that can (but need not) be fully published in DNS. This can be very useful if you are considering moving your domain from one registrar to another. Let us take, for example, the domain being moved from the name server ‘’ to the name server ‘’. In this case, you could run an undelegated domain test on the domain ( with the name server you are moving to ( BEFORE you go through with the move. When the test shows green, you can be fairly certain that your domain’s new home is able to answer questions about your domain. However, there may still be errors in the zone data that this test does not know.

13. How can I test a domain that is a reverse lookup domain?

Zonemaster can be used to test various technical criteria before a zone is published in DNS. It can also be used to test a reverse lookup zone. To do this with an IPv4 address, you must first determine the network address for your system (this almost always ends with an ‘0’). When you have found this, take away the last ‘0’ and then reverse the orders of the numbers and add the suffix: This gives you a “reverse lookup zone.”

To do the same things with an IPv6 site, just do the same as for an IPv4 address; reverse the order and add the suffix Example 1 – Reverse lookup for an IPv4 net: we have, for example, the address, which gives us the reverse zone of “”. This zone can then be tested by Zonemaster.

Example 2 – Reverse lookup for an IPv6 site: we have, for example, the address 2001:660:3003::0, which gives us the reverse zone “”. This zone can then be tested by Zonemaster.

Zonemaster all lights