danetool - Linux


danetool is a command-line utility for managing and verifying Domain Name System Security Extensions (DNSSEC) and TLS (Transport Layer Security) records. It enables users to securely exchange data between clients and servers by validating digital signatures in DNSSEC and TLS protocols.


danetool [-a] [-f FILENAME] [-k KEYNAME] [-l] [-o OUTPUTFILE] [-s TYPE] [-t TYPE] [-v] [-w]


  • -a: Perform all available checks.
  • -f FILENAME: Specify a file containing the input data (e.g., a DNS zone file or TLS certificate).
  • -k KEYNAME: Verify the signature using the specified key.
  • -l: Output in a human-readable format.
  • -o OUTPUTFILE: Write the output to the specified file.
  • -s TYPE: Specify the input type (e.g., "dnssec" or "tls").
  • -t TYPE: Specify the verification type (e.g., "verify" or "generate").
  • -v: Enable verbose logging.
  • -w: Output in a machine-readable format.


Verifying a DNSSEC record:

danetool -s dnssec -t verify -f zonefile.txt

Generating a TLS certificate chain:

danetool -s tls -t generate -k example.com

Common Issues

  • Missing or invalid input: Ensure the ‘-f’ option points to a valid file containing the required data.
  • Invalid signature: Verify that the specified key matches the signature in the record.
  • Verification failures: Check the system logs for detailed error messages.


danetool can be integrated with other tools for advanced DNS management tasks:

  • dig: Use ‘dig’ to extract DNS records and pipe them into ‘danetool’ for verification.
  • openssl: Generate and manage TLS certificates and RSA keys for use with ‘danetool’.

Related Commands

  • dig
  • openssl
  • dnssec-keygen
  • dnssec-signzone