SIDN Labs DNS Workbench - Main menu

× Hi!
We switched to the new (2019 release) of the DNS workbench. It should work like before, probably even better, although we still see a number of issues. If you spot additional irregularities, please do not hesitate to let us know. Thank you and enjoy!

The SIDN Labs DNS workbench is a set of different nameservers that run a known set of configurations and zones; In general the goal is to be able to send a specific query to different implementations and see the difference in their responses, if any.

The idea behind the workbench is that, without having to set up an entire infrastructure yourself, you can quickly find answers to questions such as 'How does NSD4 respond to an ANY query for a wildcard name in an NSEC3 opt-out zone?' It can also be used to test different (validating) resolvers on their behaviour in certain circumstances.

Note: This is a work in progress. Server names, zone names and contents may change in the near future. If you see something you don't expect, always check these pages first.

At this moment, there are 5 name servers in the workbench, a number of different zones (currently, all servers are serving all zones, provided that we are able to load them into the name server).

Note that the zone names may change in the near future, as the naming conventions might be modified while we are adding scenarios.

If you see any problems with the workbench, or have any suggestions, please contact us ( The workbench is available on GitHub.


The following servers, all open source, are currently running (for now all as Ubuntu 18.04 packages):
  • (BIND 9.11.3)
    • IPv4:
    • IPv6: 2a00:d78::712:94:198:159:39
  • (Knot 2.6.5)
    • IPv4:
    • IPv6: 2a00:d78::712:94:198:159:27
  • (NSD 4.1.17)
    • IPv4:
    • IPv6: 2a00:d78::712:94:198:159:33
  • (PowerDNS 4.1.1 with SQLite3 backend)
    • IPv4:
    • IPv6: 2a00:d78::712:94:198:159:26
  • (Yadifa 2.3.7)
    • IPv4:
    • IPv6: 2a00:d78::712:94:198:159:28

At this time, there are three 'classes' of setups:

RR types: Different RRtypes, including obsolete and exotic ones.
Validator testing: A tree with deliberate errors in the DNSSEC chain(s), to test validators.
Delegations: A tree with delegations.
Transfers and TSIG: Transfering and using/testing TSIG support.
There are also a few other zones:, and that don't fit in any of the categories and where added as per request.


We intend to continually expand the workbench with different scenarios as we come up with them. A few short-term goals:
  • Add delegations between the different servers
  • Add zones (or names) with other 'things' than rr types (wildcards, empty non-terminals, etc.)
  • Add more scenarios to the deliberately broken DNSSEC zones
  • Add zones with different signing parameters
  • Add zones signed with different signers

The biggest challenge here is not to set them up, but to make them consistent, predictable, and easily maintainable, currently we are looking into that.

Known issues

We are aware of a number of issues and hope to work on them soon. If you find more, just let us know.
types[-signed] won't AXFR from PowerDNS Could be a bug in PowerDNS - will investigate further.
Yadifa parses zonefile incorrectly; the TTL is 60 (as in the RRSIG), not 3600 TTL is 60, not 3600 (look carefully at dig +dnssec SOA to reproduce
Yadifa leaves out NSEC in reply Reproduce with: dig +dnssec A
Yadifa tends to crash occasionally A systemd drop-in now automatically restarts it, but this doesn't solve the underlying problem, which we are still investigating. If you don't mind, we wont share info on how to reproduce this, although it shouldn't be too hard to figure out yourself. has some DNSviz errors Related to Yadifa crashes.
No TSIG's on PowerDNS and Yadifa Not a bug, but a known issue and a 'todo'. Have to find some time for it.
types[-signed] might have to be updated Not a bug either. Some newer RRtypes might have been defined, since we created that zone. Have to incorporate some of these new types maybe. Will look into that soon.
Your issue here? Just let us know!


This is a beta service. This service is explicitely not supported by SIDN, but by SIDN Labs. Its setup can change at any moment, without any warning, so it is not advisable to depend on this service for any other (automated) service or system. If there are any problems with the software or service, please contact SIDN Labs. We would also be very much interested if you have used the workbench, or if you are still missing something that would make it useful for you. So please let us know!