The following servers are configured to support TLS on port 853 and STARTTLS on port 53 for testing purposes.

Public Test resolver

  • Hosted by the getdns API implementation project at (Unbound 1.5.6):

  • IP address: and 2a04:b900:0:100::38
  • Note this server does not support UDP without DNS Cookies (RFC7873). Also note the server does not yet support EDNS0 TCP Keepalive (RFC7828) or out-of-order response processing (RFC7766)

Authoritative test server hosted by Verisign Labs:

  • Verisign Labs are kindly hosting a test zone on a server (running a patched version of NSD):
    • The zone is named and it has A, AAAA, and TXT records for names from 'L001' to 'L100'. 

    • The IP address of the server is currently

    • Server key file is available to download here: nsd.key

    • The zone is signed

    • This server also supports TCP fast open


  •  concurrent processing or TCP queries (RFC7766)

| Server type | Hosted by | IP addresses | Server key | Hostname for TLS authentication | SPKI pin for TLS authentication (RFC7858) |
|---|---|---|---|---|---|
| Public Test | | | | getdnsapi.net | foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= |
| Authoritative | Verisign Labs | 173.255.254.151 | nsd.key [Note that this is a self-signed certificate so does not pass authentication by default.] | | |

How to Decode TLS packets in Wireshark