DNSSEC Drill: Extension for Firefox

« Back to the Drill Project page

Drill Extension

This extension performs DNSSEC lookups for the main hostname of the current page in firefox. It uses Drill to chase the signatures up to a trusted key. The user can specify trusted keys by putting them in a directory of his choice (see usage).

If you run it now, you'll get insecure on almost all websites, because since the DNS root is not signed, there is no way to verify that a result is verifiably insecure.


This extension is just a small proof of concept for visualising DNSSEC.
  • It needs drill from ldns present on the system
  • It does NOT use the same stub resolver as firefox itself, which is unreachable through the current extension API.
  • It could even need to use a different caching forwarder, because that has to be DNSSEC-aware.
  • Therefore, it does NOT provide actual security.


The current release is 0.7.1, for firefox 3.0.x, is here: drill-0.7.1.xpi.

For firefox 2.x and before, please use 0.7: drill-0.7.xpi.

Don't forget to install drill, from the ldns library. It needs that to do the actual verification.


After installing the extension, the statusbar shows a new icon: normally, for unverified pages, the icon will be:

Drill Extension Icon for insecurehosts

If the hostname record in the DNS is signed and can be traced up to a trusted key, the icon will look like this:

Drill Extension Icon for securehosts

By clicking on preferences in the extension menu, or just clicking on the icon, you will get to the preferences dialog:

Drill Extension preferences dialog

The first entry is the location of the drill executable (full path). The second entry is the address or hostname of a DNSSEC enable caching forwarder. For instance BIND 9 with the dnssec-enable option set to yes. The last entry is a directory on your filesystem that contains public key files. The name of these files must end with ".key" and they must be of the following form:

jelte.nlnetlabs.nl. IN DNSKEY 256 3 5
You can put any number of keys in this directory. They will be used if their filename ends with '.key'.

With the key from the example you can try and visit http://www.jelte.nlnetlabs.nl. If all is well, the icon should switch to 'verified' after the page has been loaded.


  • Matching the IP-address of the chase to that of the internal resolver of Firefox
  • Find some way to signal 'unsigned, no trusted parent'.
  • Support for multiple tabs (it shows last result on all tabs at this moment).


  • 0.7 - 0.7.1
    • Compatibility with Firefox 3.0.x
  • 0.6 - 0.7
    • Compatibility with Firefox 1.5+
  • 0.3 - 0.5
    • Can now temporarily be turned off
    • Nicer options screen
  • 0.2.1 - 0.3
    • Extended options screen
    • Default
  • 0.2 - 0.2.1
    • Moved order of command line arguments for BSD compatibility
  • 0.1 - 0.2
    • Added text for empty key directory and pages without a host
  • 0.0 - 0.1
    • Initial version
    • Only simple call to drill -S, not a lot of error handling

Wed Sep 25 2013

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands

labs@nlnetlabs.nl, subsidised by NLnet and SIDN.