DnsEditor
Version 2.5.0 • macOS / iOS / iPadOS

Multi-Provider DNS Zone Editor. Manage your DNS zones across Cloudflare, AWS Route 53, Google Cloud DNS, and BIND9 servers — all from a single native app on your Mac, iPhone, or iPad.

One app for all your DNS providers

Designed for system administrators, DevOps engineers, and anyone who manages DNS across multiple providers.

Cloudflare • AWS Route 53 • Google Cloud DNS • BIND9 • DNSSEC

Features

Multi-Provider Support

Connect to Cloudflare, AWS Route 53, Google Cloud DNS, or your own BIND9 servers — all from one app.

Full Record Support

Create and edit A, AAAA, CNAME, DS, MX, TLSA, TXT, SRV, SSHFP, NS, PTR, and CAA records with intuitive type-specific editors.

DNSSEC Aware

View DNSSEC status at a glance, inspect DS and DNSKEY records, and verify delegation signer configurations.

TLSA/SSHFP Validation

Generate and verify TLSA/SSHFP records for DANE and SSH by fetching certificates directly from your servers.

DS Record Verification

Validate DS records against published DNSKEY records to ensure proper DNSSEC delegation.

Clean Interface

Auto-hides complex DNSSEC chain records (RRSIG, NSEC) while displaying the records you need to manage.

Multiple Providers

Configure multiple DNS providers and switch between them effortlessly. Mix cloud and self-hosted DNS.

Mac, iPhone, iPad

Manage your zones from anywhere — with a clean interface designed for Apple platforms.

What's New in 2.5.0

SOA Signing Key Display

DS chain validation now shows which DNSKEY signs each zone's SOA record, including the key tag, algorithm, and signature validity window. If the signing key is a ZSK, the KSK(s) that signed the DNSKEY RRset are also displayed — giving you a complete view of the trust path from DS through KSK to ZSK to signed records.

Early KSK Rollover Detection

A new "New KSK Published" indicator appears when a KSK is present in the DNSKEY set but has no matching DS record in the parent zone. This catches the earliest phase of a key rollover — before the CDS record is updated — so you can track the full rollover lifecycle from start to finish.

Record TTLs in Chain Validation

DS, CDS, DNSKEY, and CDNSKEY records in the chain validation view and export report now display their TTL values. This helps identify TTL mismatches across nameservers and verify that caching behaviour is consistent throughout the delegation chain.

Improved Record Sorting

Metadata records like _443._tcp.host, _dmarc.host, and _domainkey.host are now sorted next to their parent host record instead of being grouped at the top of the zone. This makes it much easier to see all records related to a particular host at a glance.

Previous: What's New in 2.4.0

Concurrent Update Protection (BIND9)

RFC 2136 updates now include prerequisite checks that guard against race conditions with DHCPD, ACME clients, and other dynamic DNS updaters. If a record was changed on the server since you loaded the zone, the update is rejected with a clear error instead of silently overwriting the change. This uses the RFC 2136 prerequisite mechanism — the server evaluates the check atomically while holding the zone lock.

Expandable Bulk Undo Entries

Bulk delete entries in the undo history can now be expanded inline to see all individual records without leaving the list. Tap the disclosure chevron to expand, and the record count is shown alongside the timestamp. The full-screen detail sheet is still available from the context menu.

Improved Error Messages

When a DNS update fails due to a prerequisite check, the error now reads "Record was modified or deleted by another client — reload the zone and try again" instead of a cryptic RFC code. This makes it immediately clear what happened and what to do next.
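How an RFC 2136 prerequisite turns a record edit into a compare-and-swap, and how a prerequisite failure can be told apart from other rejections, shown as an added Python example (not DnsEditor's code). Assumptions: the page does not say which prerequisite form the app sends, so this uses "RRset exists (value dependent)" for a single-record A RRset; the names, addresses and helper functions are constructed, and the message is unsigned (a real BIND9 server would normally also require TSIG).

```python
import socket
import struct

IN, NONE, A, SOA = 1, 254, 1, 6
OPCODE_UPDATE = 5
PREREQ_FAILED = {6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET"}  # RFC 2136 RCODEs

def wire_name(name):
    """Domain name as length-prefixed labels, lower-cased."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, rclass, ttl, rdata):
    """One resource record in wire format."""
    return wire_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def guarded_a_update(msg_id, zone, host, loaded_ip, new_ip, ttl):
    """Replace host's A record only if its RRset is still exactly what was loaded."""
    old, new = socket.inet_aton(loaded_ip), socket.inet_aton(new_ip)
    zone_section = wire_name(zone) + struct.pack("!HH", SOA, IN)
    # Prerequisite (RFC 2136 2.4.2): RRset exists with this value; zone class, TTL 0.
    # The server compares the whole RRset, so every RR that was loaded must be listed.
    prereq = rr(host, A, IN, 0, old)
    # Update section: delete the old RR (class NONE, TTL 0), then add the new one.
    updates = rr(host, A, NONE, 0, old) + rr(host, A, IN, ttl, new)
    # Header counts: ZOCOUNT=1, PRCOUNT=1, UPCOUNT=2, ADCOUNT=0.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 1, 2, 0)
    return header + zone_section + prereq + updates

def explain_response(response):
    """Map the RCODE of an UPDATE response to an operator-facing outcome."""
    rcode = struct.unpack("!H", response[2:4])[0] & 0x000F
    if rcode == 0:
        return "applied"
    if rcode in PREREQ_FAILED:
        return "prerequisite failed (%s): reload the zone and try again" % PREREQ_FAILED[rcode]
    return "rejected (rcode %d)" % rcode

if __name__ == "__main__":
    msg = guarded_a_update(0x1234, "example.com.", "host.example.com.",
                           "192.0.2.10", "192.0.2.20", 300)
    print(len(msg), "byte UPDATE, PRCOUNT =", struct.unpack("!H", msg[6:8])[0])
    # Constructed reply header: QR=1, opcode UPDATE, RCODE 8 (NXRRSET).
    print(explain_response(struct.pack("!HHHHHH", 0x1234, 0xA808, 1, 0, 0, 0)))
```

If another updater changed the address after the zone was loaded, the prerequisite no longer matches and the server answers NXRRSET without applying either update.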

Previous: What's New in 2.3.0

Zone Cleanup Tool

A comprehensive zone cleanup scanner identifies dangling PTR records, missing PTR records, and incorrect forward/reverse mappings across all your managed zones. View all issues in one organized report with severity indicators and one-click fixes.

Bulk PTR Deletion

Delete all dangling PTR records at once with a single button. The operation is optimized for performance, batching deletions per zone and creating a single consolidated undo entry for easy restoration if needed.

Multi-Zone Undo Support

Bulk operations across multiple reverse zones now create one consolidated undo entry instead of multiple scattered entries. When restoring, records are automatically grouped by zone and restored to their correct locations — including IPv6 reverse zones.

Bulk Record Viewer

Right-click (or long-press) on bulk undo entries to view all records included in the operation. See exactly what was deleted before deciding whether to restore, with full details including record names, types, values, and TTLs.

Performance Improvements

Zone reloads during bulk operations are now batched per zone, reducing reload operations by up to 90%. Deleting 100 PTR records now triggers only a handful of zone reloads instead of hundreds, dramatically improving responsiveness.

Exportable Cleanup Reports

Generate plain-text reports of zone cleanup findings, including counts of forward and reverse issues, severity levels, and full details for each problem. Share or save reports for documentation or team collaboration.

Previous: What's New in 2.2.5

Reverse/Forward DNS Verification

A/AAAA records now show their reverse DNS (PTR) result inline, color-coded: green when the PTR matches, red for mismatches, and orange when no PTR exists. PTR records show the same for their forward lookup. For non-routable networks (RFC 1918), the app queries your BIND9 provider's nameserver directly instead of public resolvers.

One-Tap Fix for Missing Records

When a PTR or forward record is missing and the target zone is managed by the app, a "Fix" button appears next to the warning. Tap it to instantly create the missing record in the correct zone — no need to navigate away from the current view.

Paired Record Deletion

When deleting an A/AAAA or PTR record that has a confirmed bidirectional match in a managed zone, the app offers a "Delete Both" option to remove the counterpart record at the same time, keeping your forward and reverse zones in sync.

Background DS Scanning

Enable automatic background scanning for KSK rollovers on your BIND9 providers. The app periodically checks all zones for pending DS updates and sends a local notification when action is needed. Configure per-provider with daily or weekly intervals in the provider settings.

Notification-Driven Workflow

Tapping a DS update notification opens the app directly to the scan results — no need to manually navigate to the scanner and re-run. On macOS, the notification brings the main window to the front. On iOS, it opens the results sheet immediately.

Live Scan Status in Zone List

A spinning indicator appears in the zone list while a background scan is in progress. When DS updates are detected, the indicator turns red with a warning message. Tap it to view the full scan results. Dismissing the results clears the indicator.

Cross-Device iCloud Sync

Provider configuration changes — including background scan settings, zone lists, and active provider selection — now sync across devices via iCloud in real time. Changes made on your Mac are immediately reflected on your iPhone and iPad, and vice versa.

Previous: What's New in 2.2.0

DS Update Scanner

Scan all zones in a BIND9 provider to detect KSK rollovers that need DS updates at the registrar. The scanner compares parent DS records with child CDS records and reports which zones need action. A pre-scan configuration screen lets you exclude zones under TLDs that support automated CDS scanning (e.g., .cz, .se, .ch). Results include a shareable plain-text report.

Direct DS Updates

When a zone's parent is also served by the same BIND9 provider (e.g., test.a02.au under a02.au), the scanner offers to apply the DS update directly via RFC 2136. Updates use a safe two-phase approach: the new DS is added first, then the old DS is removed, ensuring the chain of trust is never broken.

DNSKEY Keytag Display

DNSKEY and CDNSKEY records now show the computed keytag in parentheses next to the record value, calculated using the RFC 4034 Appendix B algorithm. This makes it easy to identify keys at a glance without having to cross-reference DS records manually.

Previous: What's New in 2.1.3

Automatic Reverse DNS

When creating or editing A/AAAA records, DnsEditor automatically detects matching reverse zones in your provider and offers to create PTR records. Sibling A and AAAA records for the same hostname are cross-matched, with toggles to select which reverse mappings to create. Existing PTR records are checked and shown in green if already correct.

IP Conflict Detection

If a reverse PTR record already points to a different hostname that has a matching forward A/AAAA record, the IP is flagged as "in use" with a red warning and the toggle is disabled. This prevents accidentally overwriting active reverse mappings when reusing or mistyping IP addresses.

PTR Editor IP Input

When editing PTR records in reverse zones, an IP address field lets you enter a normal IPv4 or IPv6 address instead of manually constructing the reversed record name. The record name is generated automatically. Editing an existing PTR record back-derives and displays the IP address.

Reverse Zone IP Display

PTR records in reverse zones now show the unreversed IP address in parentheses next to the hostname, making it easy to see which IP each PTR record maps to. IPv6 addresses are displayed in compressed notation.

Previous: What's New in 2.1.2

STARTTLS Support for TLSA

TLSA record verification and generation now supports STARTTLS for email protocols. Fetch certificates from SMTP (ports 25, 587), IMAP (port 143), and POP3 (port 110) servers that require a plaintext-to-TLS upgrade handshake. Direct TLS ports (443, 465, 993, 995) continue to work as before.

TLSA Scanner Port Selection

The TLSA scanner now includes a port picker in the toolbar, letting you scan all hosts in a zone for any common TLSA port: 443 (HTTPS), 25 (SMTP), 587 (Submission), 465 (SMTPS), 143 (IMAP), 993 (IMAPS), 110 (POP3), or 995 (POP3S). TLSA record names are generated with the correct port prefix (e.g. _25._tcp. for SMTP).

Previous: What's New in 2.1.0

Zone Sanity Check

Verify that all your public nameservers are serving identical records. The sanity check queries each authoritative nameserver directly (non-recursive) and compares NS delegation, SOA serials, and every record in the zone. Differences are grouped by record with a list of affected nameservers, making it easy to spot synchronisation issues.

TCP Fallback for Large Records

The zone sanity check automatically retries queries over TCP when a UDP response is truncated. This ensures accurate comparison of large records like DKIM TXT entries that exceed UDP response limits.

Export Sanity Check Report

Share or save sanity check results as a plain-text report. The report includes NS delegation status, SOA serial consistency, and all record differences with affected nameservers. Use the share button in the toolbar after a check completes.

Previous: What's New in 2.0.7

TSIG Key Testing

After entering your TSIG credentials, tap "Test Key" to send a signed query to the server and verify the key is accepted — before saving the provider. The app validates Base64 format and key length against the selected algorithm in real time.

Redesigned TSIG Editor

The TSIG authentication section now provides dedicated fields for key name, algorithm, and secret, making it easier to enter credentials directly. Import from a BIND key file is still available via a disclosure group.

Resizable Windows (macOS)

All editor sheets on macOS are now presented as resizable panel windows. Resize the provider editor, record editor, DS chain validation, and scanner windows to suit your workflow.

LOC Editor Redesign

The LOC record editor now features a "Fuzz" button to randomise coordinates within a configurable radius, and a live map preview that updates as you edit.

Previous: What's New in 2.0.3

Zone-Wide TLSA Scanner

Scan all A/AAAA hosts in a zone for TLS certificates and generate or update TLSA records (DANE-EE 3 1 1). Review results before applying, with automatic detection of new, changed, and unchanged records.

Zone-Wide SSHFP Scanner

Scan all hosts for SSH keys and manage SSHFP records across the entire zone. Detects new keys, orphaned records for removed hosts, and fingerprint changes with man-in-the-middle warnings requiring explicit confirmation.

LOC Record Enhancements

The LOC record editor now includes a "Current Location" button to auto-fill coordinates from your device. The QuickLook viewer shows a map preview with the location pinned.

Streamlined iOS Toolbar

Zone scanners, DS chain validation, undo history, and refresh are consolidated into a single overflow menu on iOS, keeping the toolbar clean on smaller screens.

Previous: What's New in 2.0.2

QuickLook Record Preview

Preview read-only records without leaving the record list. On macOS, a floating panel keeps keyboard focus on the main window. On iPad, use arrow keys or toolbar buttons. On iPhone, use the navigation buttons.

DS Record Generation from DNSKEY

View a KSK DNSKEY record and copy a ready-to-use DS record (SHA-256) to the clipboard for pasting into your registrar's control panel.
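The key tag shown next to DNSKEY records (2.2.0), the SHA-256 DS record generated here, and the "New KSK Published" check (2.5.0) all derive from the DNSKEY RDATA, as this added Python example shows (it is not DnsEditor's code). Assumptions: the zone example.com, the counter-valued key bytes and the helper names are constructed for illustration, and the parent is assumed to publish digest type 2 DS records.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (this form does not apply to algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Owner name in canonical wire form: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_from_dnskey(owner, rdata):
    """(key tag, algorithm, digest type 2, SHA-256(owner name | DNSKEY RDATA))."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], 2, digest)

def ksks_without_ds(owner, dnskeys, parent_ds):
    """Key tags of SEP-flagged keys (KSKs) that no DS in the parent set matches."""
    published = set(parent_ds)
    return [key_tag(k) for k in dnskeys
            if struct.unpack("!H", k[:2])[0] & 0x0001
            and ds_from_dnskey(owner, k) not in published]

# Constructed sample zone: the key bytes are counters, not real key material.
def _sample(flags, start):
    key = base64.b64encode(bytes(range(start, start + 64))).decode()
    return dnskey_rdata(flags, 3, 13, key)  # 13 = ECDSAP256SHA256

# 257 = zone key with SEP bit (KSK), 256 = zone key without it (ZSK).
OLD_KSK, NEW_KSK, ZSK = _sample(257, 0), _sample(257, 64), _sample(256, 128)
PARENT_DS = [ds_from_dnskey("example.com.", OLD_KSK)]

if __name__ == "__main__":
    print("example.com. IN DS %d %d %d %s" % PARENT_DS[0])
    print("KSKs with no DS at the parent:",
          ksks_without_ds("example.com.", [OLD_KSK, NEW_KSK, ZSK], PARENT_DS))
```

The second KSK is reported because it is in the DNSKEY set while the parent still lists only the DS for the first one, which is the earliest visible sign of a rollover.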

Context Menu Improvements

All records now show a "View" option in the context menu (long press or right-click), making it easy to preview any record in QuickLook mode.

Alphabetical Filter Sorting

The record type filter menu is now sorted alphabetically, making it easier to find specific record types like AAAA right after A.

Previous: What's New in 2.0.1

Internationalized Domain Names

Full IDN support with Punycode encoding. Domains like "høsteng.no" display in Unicode while automatically encoding to "xn--hsteng-bya.no" for DNS operations.

Google Cloud DNS Improvements

Improved record management using Google's Changes API for more reliable create, update, and delete operations.

IPv6 Address Display

AAAA records now display IPv6 addresses in compressed format (e.g., ::1 instead of 0:0:0:0:0:0:0:1) for easier reading.

Cloud Provider DNSSEC Detection

DNSSEC-signed zones hosted on Cloudflare, Route 53, and Google Cloud DNS are now correctly detected and display the DNSSEC badge.

iPad Interface Improvements

Toolbar buttons on iPad now display directly in the toolbar without requiring an overflow menu.