DNSSEC-Trigger is experimental software that enables your computer to use DNSSEC protection for the DNS traffic.

DNSSEC-Trigger relies on the Unbound DNS resolver running locally on your system, which performs DNSSEC validation. It reconfigures Unbound in such a way that it will signal it to to use the DHCP obtained forwarders if possible, fallback to doing its own AUTH queries if that fails, and if that fails it will prompt the user with the option to go with insecure DNS only. The software is open source and uses the BSD license.

Feature List

  • DNSSEC support
  • IPv4 and IPv6 support
  • Uses Unbound for validation
  • OSX, Windows and Linux support
  • small size
  • Tries to assist infrastructure
  • Fallbacks and last resort for DNSSEC
  • Software update is prompted
  • Manual page and online documentation

Known issues

There used to be a race condition between dnssec-trigger and the system but this was fixed in 0.6, with a 'system preferences' override on OSX and Windows, and chattr immutable on Linux and BSD.

In case of trouble it is possible to manually override. With the command 'hotspot signon' from the menu, insecure mode can be entered. It is left when you select 'reprobe' later (and it detects a secure network).


For Linux, try using your package manager (there are RPMs, there is a specfile to build packages from), you need to also install unbound. If you compile from source, it can support NetworkManager and Netconfig. For OSX, use the dmg download (download, doubleclick to open diskimage, doubleclick installer). For Windows, run installer. The software compiles on BSD and Solaris, but DHCP and wifi hooks are not something we can test.

See the INSTALL file in the source.