Frequently asked questions

Zonemaster

1. What is Zonemaster?

Zonemaster is a program designed to help people control, measure and hopefully better understand how the domain name system, DNS, works. Zonemaster is made up of three main parts:

  1. The engine (all code that implements all tests)
  2. Command line interface (CLI)
  3. Web interface

When a domain (also called zone) is sent to Zonemaster, the program investigates the state of the domain by going through DNS from the root (.) to the TLD (top-level domain, for example, .net), and then finally through the DNS servers that contain information about the specified domain (for example, zonemaster.se). Zonemaster also performs many other tests. All of these are documented here: Test Requirements document.

2. Who developed Zonemaster?

Zonemaster is a collaborative project between IIS (registry for the TLDs .se and .nu) and AFNIC (registry for the TLD .fr and the smaller TLDs belonging to France).

3. How can Zonemaster help me?

Zonemaster is designed for two types of people:

  1. People who know how the DNS protocol works.
  2. People who just want to know that their domain is set up correctly and will not have problems in the future.

If you belong to the latter category, contact someone in the first category to troubleshoot your domains, or whenever you get results you do not understand or are not happy with. This is easily done by sending the link to your test when you contact your DNS operator or registrar.

4. Zonemaster shows “Error”/“Warning” when I test my domain. What does that mean?

It depends on which test is being performed. In most cases, you can click on the error/warning message to get more information about the problem.

For example, suppose we test the domain “iis.se” and get an error message that says “DNS server ns.nic.se (212.247.7.228) is not responding to calls over UDP”. Clicking on the message gives more detailed information, in this case: “The DNS server did not respond to calls over UDP. This is probably due to the DNS server not being correctly set up or a misconfigured firewall.” Fortunately, this was just an example: in reality this error means that a DNS server is unavailable, so it is not exactly a harmless error.

5. How can Zonemaster judge what’s right and wrong?

No one can give a definitive, final statement on a domain’s health. This is important to note. IIS, AFNIC, and the people behind Zonemaster do not claim that Zonemaster is always completely right. In some cases, opinions are divided, especially between different countries. Sometimes even locally. Together, through cooperation, we have done our best to produce as good a policy as possible for how various errors are judged before they are presented to you as the user of the tool.

An advantage for you as a user, however, is that it is easy to create your own policy for how serious certain errors may be. Using the CLI tool, you can directly point to your own policy.

6. Can Zonemaster handle IPv6?

Yes, all tests made over IPv4 can also be done over IPv6 if Zonemaster is configured to do that.

7. Can Zonemaster handle DNSSEC?

Yes. If a domain tested by Zonemaster has DNSSEC configured, it will be tested automatically.

8. What separates Zonemaster from other software that tests domains?

First and foremost, Zonemaster saves all test history. This means that you can go back and look at a test you did a week ago and compare it to a test you just ran.

Zonemaster also tries to explain errors and warnings in a clear way, even if these messages can be difficult to understand for those who are non-technical.

Zonemaster can also test non-published/undelegated domains (more on this in FAQ question 12).

There is an “advanced” tab available for those technicians who prefer more detailed test information.

Zonemaster is also open source and modular. In other words, you can reuse parts of the code in your own system if you want.

9. Zonemaster and integrity

Because Zonemaster is accessible for everyone, it is also possible for anyone to check your domain and also to see the test history for your domain. However, there is no way to see who has done a test since the only thing that is logged is the time the test was performed.

10. Why can’t I test my domain?

Assuming that the domain you are trying to test actually exists, then there are two things that can cause this:

  1. To prevent multiple tests made simultaneously in the same zone from the same IP address, there is a forced delay of five minutes between identical tests. This means that you cannot test a domain more often than every five minutes. If you test your domain again before five minutes have passed, you will be shown the most recently saved result.
  2. Since Zonemaster is designed to test domains (like zonemaster.net) and not the host name of a domain (like www.zonemaster.net), the Zonemaster website checks the domain you typed before sending it to the Zonemaster test engine to see if it is actually a domain. This check may fail in some rare cases (and the zone will not be approved). The only time we have seen this happen is in the case where the DNS servers of the zone you are trying to test are very broken. Let us know if this happens to you so we can get more information on how we can correct the way this test of the domain is performed.

11. Which type of DNS questions does Zonemaster generate?

This is a difficult question to answer because Zonemaster will generate different types of queries depending on how your DNS servers answer. The simplest way to see exactly what Zonemaster is testing is to run the CLI command “zonemaster-cli”. The result will provide fundamental information about what is happening during the test. However, it should be mentioned that the output from the CLI tool is very technical. If you don’t like bits and bytes, you may want to avoid it.

12. What is a pre-delegated domain test?

A pre-delegated domain test is a test performed on a domain that can (but need not) be fully published in DNS. This can be very useful if you are considering moving your domain from one registrar to another. Let us take, for example, the domain example.se being moved from the name server ‘ns.nic.se’ to the name server ‘ns.iis.se’. In this case, you could run an undelegated domain test on the domain (example.se) with the name server you are moving to (ns.iis.se) BEFORE you go through with the move. When the test shows green, you can be fairly certain that your domain’s new home is able to answer questions about your domain. However, there may still be errors in the zone data that this test does not know about.

13. How can I test a domain that is a reverse lookup domain?

Zonemaster can be used to test various technical criteria before a zone is published in DNS. It can also be used to test a reverse lookup zone. To do this with an IPv4 address, you must first determine the network address for your system (this almost always ends with a ‘0’). When you have found this, take away the last ‘0’, then reverse the order of the numbers and add the suffix in-addr.arpa. This gives you a “reverse lookup zone.”

To do the same thing with an IPv6 site, follow the same procedure as for an IPv4 address: reverse the order and add the suffix ip6.arpa.

Example 1 – Reverse lookup for an IPv4 net: we have, for example, the address 194.98.30.0, which gives us the reverse zone of “30.98.194.in-addr.arpa”. This zone can then be tested by Zonemaster.

Example 2 – Reverse lookup for an IPv6 site: we have, for example, the address 2001:660:3003::0, which gives us the reverse zone “3.0.0.3.0.6.6.0.1.0.0.2.ip6.arpa”. This zone can then be tested by Zonemaster.
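
The derivation in question 13 can be automated. The following Python sketch is an added example, not part of Zonemaster; the function name reverse_zone and the prefix lengths (/24 for the IPv4 net, /48 for the IPv6 site) are assumptions, since the FAQ gives only the network addresses. It generalizes the two examples to any prefix that falls on a label boundary and rejects inputs that do not map to a single reverse zone.

```python
import ipaddress


def reverse_zone(cidr: str) -> str:
    """Return the reverse lookup zone name for a network in CIDR notation.

    IPv4 zones are cut on octet boundaries (in-addr.arpa) and IPv6 zones on
    hex-digit (nibble) boundaries (ip6.arpa). Other prefix lengths do not
    correspond to one zone name and are rejected.
    """
    # strict=True raises ValueError if host bits are set, i.e. the input is
    # a host address rather than the network address the FAQ asks for.
    net = ipaddress.ip_network(cidr, strict=True)

    if net.version == 4:
        bits_per_label, suffix = 8, "in-addr.arpa"
        labels = str(net.network_address).split(".")
    else:
        bits_per_label, suffix = 4, "ip6.arpa"
        # exploded form writes all 32 hex digits, including leading zeros
        labels = list(net.network_address.exploded.replace(":", ""))

    if net.prefixlen == 0 or net.prefixlen % bits_per_label:
        raise ValueError(
            f"/{net.prefixlen} is not on a {bits_per_label}-bit boundary; "
            "it does not map to a single reverse zone"
        )

    # Keep only the labels covered by the prefix, then reverse their order.
    kept = labels[: net.prefixlen // bits_per_label]
    return ".".join(reversed(kept)) + "." + suffix


if __name__ == "__main__":
    # The two networks from the FAQ, with assumed prefix lengths.
    for example in ("194.98.30.0/24", "2001:660:3003::/48"):
        print(example, "->", reverse_zone(example))
```

The resulting zone name is what you enter as the domain to test.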
