The following servers are configured to support TLS on port 853 and STARTTLS on port 53 for testing purposes.

Public Test resolver

  • Hosted by the getdns API implementation project at (Unbound 1.5.6):

  • IP address: and 2a04:b900:0:100::38
  • Note this server does not support UDP without DNS Cookies (RFC7873). Also note the server does not yet support EDNS0 TCP Keepalive (RFC7828) or out-of-order response processing or concurrent processing of TCP queries (RFC7766).

Authoritative test server hosted by Verisign Labs:


The zone is named and it has A, AAAA, and TXT records for names from 'L001' to 'L100'. 


The IP address of the server is currently



The zone is signed


| Server type | Hosted by | IP addresses | Server key | Hostname for TLS authentication | SPKI pin for TLS authentication (RFC7858) |
|---|---|---|---|---|---|
| Public Test | | | | getdnsapi.net | foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= |
| Authoritative | Verisign Labs | 173.255.254.151 | nsd.key [Note that this is a self-signed certificate so does not pass authentication by default.] | | |




How to Decode TLS packets in Wireshark