DnsEditor
Version 4.0.0 • macOS / iOS / iPadOS

Multi-Provider DNS Zone Editor. Manage your DNS zones across Cloudflare, AWS Route 53, Google Cloud DNS, and BIND9 servers — all from a single native app on your Mac, iPhone, or iPad.

One app for all your DNS providers

Designed for system administrators, DevOps engineers, and anyone who manages DNS across multiple providers.

Cloudflare • AWS Route 53 • Google Cloud DNS • BIND9 • DNSSEC

Features

Multi-Provider Support

Connect to Cloudflare, AWS Route 53, Google Cloud DNS, or your own BIND9 servers — all from one app.

Full Record Support

Create and edit A, AAAA, CNAME, DS, MX, TLSA, TXT, SRV, SSHFP, NS, PTR, and CAA records with intuitive type-specific editors.

DNSSEC Aware

View DNSSEC status at a glance, inspect DS and DNSKEY records, and verify delegation signer configurations.

TLSA/SSHFP Validation

Generate and verify TLSA/SSHFP records for DANE and SSH by fetching certificates directly from your servers.

DS Record Verification

Validate DS records against published DNSKEY records to ensure proper DNSSEC delegation.

Clean Interface

Auto-hides complex DNSSEC chain records (RRSIG, NSEC) while displaying the records you need to manage.

Multiple Providers

Configure multiple DNS providers and switch between them effortlessly. Mix cloud and self-hosted DNS.

Zone Provisioning

Create and remove zones directly from the app with automatic DNSSEC signing, parent delegation, and secondary nameserver propagation via the dnseditd daemon.

Mac, iPhone, iPad

Manage your zones from anywhere — with a clean interface designed for Apple platforms.

dnseditd — Zone Management Daemon

A lightweight daemon that runs on your BIND9 nameserver, enabling the app to create and remove zones remotely with full DNSSEC automation and secondary nameserver propagation.

Features

  • Create and remove zones via HTTPS API
  • Automatic DNSSEC policy generation per TLD
  • Auto-discovery of TLD parental agents
  • NS delegation and DS records added to parent zones
  • SSH-based secondary nameserver propagation
  • Challenge-response authentication (password never transmitted)
  • JWT tokens with persistent refresh tokens
  • Runs as dedicated non-root user with ACLs
  • Single static binary — zero dependencies

Download

Self-extracting installer scripts that include the binary, create the system user, set permissions, and install the systemd service.

Download for Intel/AMD (x86_64) • Download for ARM (aarch64)

Requires Linux with BIND9 installed. Works on Debian, Ubuntu, RHEL, Alpine, and any other Linux distribution.

Quick Start

# Download and run the installer (as root)
chmod +x dnseditd-installer-amd64.sh
sudo ./dnseditd-installer-amd64.sh

# Edit the configuration
sudo nano /etc/dnseditd/config.toml

# Set the registration password
dnseditd --hash-password
# Copy the output into config.toml

# Configure TLS (required for the app to connect)
# Add your certificate paths to config.toml

# Start the daemon
sudo systemctl start dnseditd

# In the app: edit your RFC2136 provider, enter the daemon URL
# (e.g. https://nameserver.example.com:8443), click Connect, then Register

See the full documentation for detailed setup instructions including DNSSEC, secondary nameservers, and security configuration.

What's New in 4.0.0

Split-Horizon Views

Convert any zone into a BIND split-horizon zone with a single click. A multi-step wizard handles infrastructure setup, DNSSEC key generation for the internal view, DS publishing to the parent, and record population — all with the existing signed chain kept intact for public clients. A Copy All Records shortcut mirrors the zone into both views so you can prune the internal view afterwards.

Merge Views Back to Single Zone

Change your mind? Merge a split-horizon zone back into a single global zone with five strategies: keep external only, keep internal only, merge with external or internal winning on conflicts, or manual per-hostname resolution. DNSSEC chain is preserved — the merged zone keeps the established KSK so no DS update at the registrar is needed.

Serial Sync Scanner

Provider-wide scanner that finds zones where the primary's SOA serial is behind its secondaries — the classic "primary got rolled back to a snapshot" situation — and fixes them in one click. Also available as a per-zone Fix button in the Zone Sanity Check for targeted repairs.

View-Aware DS Chain Validator

The DS chain validator now queries the authoritative NS for the specific view being validated (hidden primary for internal, public secondaries for external). For split-horizon zones, DS records belonging to the other view are labeled "used in view" instead of being flagged as orphaned.

App-Side DNS UPDATE Populate

The split-horizon conversion populates the internal view by sending DNS UPDATE messages directly to BIND using the internal TSIG key. BIND's inline-signing handles each record correctly through its normal update path, avoiding the inline-signing diff failures that plague bulk file modifications.

Daemon Capabilities Matrix

The documentation now includes a clear feature-by-feature comparison of what works with plain RFC 2136 versus what requires the dnseditd daemon. Decide whether you need the daemon based on which features you actually want, and avoid running a third-party binary on your nameserver if the basic feature set is enough.

Previous: What's New in 3.1.5

DNSSEC Enable/Disable

Right-click any zone to enable or disable DNSSEC signing. Enabling applies a DNSSEC policy, generates keys, and automatically adds NS and DS delegation records to the parent zone. Disabling safely removes signing with full secondary propagation — includes DS safety checks against authoritative nameservers and public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9).

DNSSEC Key History

A Key History view parses BIND's DNSSEC logs to show an annotated timeline of every key lifecycle event. Rollover summary with phase-by-phase timing. Predictions estimate when pending transitions will complete. Auto-discovers the log path from named.conf.options.

Parental Agents Scanner

Scan all DNSSEC zones to detect incorrect parental agent configuration. Automatically migrates inline IP lists to named parental-agents blocks in a shared config file. Detects local parent zones and uses their NS records for DS verification.

DS Record Delegation

When adding a DS record, the editor checks for missing NS delegation and offers to add NS records automatically. The chain validator now distinguishes between "not delegated" (no NS) and "delegated but unsigned" (no DS). DNSSEC queries use authoritative servers instead of public resolvers to avoid stale cache data.

Daemon Improvements

DNSSEC policies stored in separate files with auto-migration from inline format. Background DS TTL checker keeps policies up to date weekly. Daemon version API with app-side version warnings. Installer detects upgrades and auto-restarts the service.

Security Hardening

Request body size limits. Debug log redaction of sensitive fields. DS safety checks before unsigning query both authoritative nameservers and public resolvers. Force override available with explicit acknowledgement.

Previous: What's New in 3.0.0

Zone Management Daemon

Create and remove zones directly from the app via the dnseditd daemon. Automated DNSSEC signing, parent delegation, and secondary nameserver propagation.

TLSA Certificate Verification

Viewing or editing a TLSA record auto-checks the server certificate with fingerprint match, validity dates, and SAN highlighting.

Forward-Confirmed Reverse DNS

Full FCrDNS validation for PTR lookups — verifies the circular chain before flagging mismatches.

iOS Bottom Bar

Pinned bottom bar with search, select, and record count — always accessible regardless of scroll position.

Previous: What's New in 2.5.0

SOA Signing Key Display

DS chain validation now shows which DNSKEY signs each zone's SOA record, including the key tag, algorithm, and signature validity window.

Early KSK Rollover Detection

A new "New KSK Published" indicator appears when a KSK is present in the DNSKEY set but has no matching DS record in the parent zone.

Record TTLs in Chain Validation

DS, CDS, DNSKEY, and CDNSKEY records in the chain validation view now display their TTL values.

Improved Record Sorting

Metadata records are now sorted next to their parent host record instead of being grouped at the top of the zone.

Previous: What's New in 2.4.0

Concurrent Update Protection (BIND9)

RFC 2136 updates now include prerequisite checks that guard against race conditions with DHCPD, ACME clients, and other dynamic DNS updaters. If a record was changed on the server since you loaded the zone, the update is rejected with a clear error instead of silently overwriting the change. This uses the RFC 2136 prerequisite mechanism — the server evaluates the check atomically while holding the zone lock.

Expandable Bulk Undo Entries

Bulk delete entries in the undo history can now be expanded inline to see all individual records without leaving the list. Tap the disclosure chevron to expand, and the record count is shown alongside the timestamp. The full-screen detail sheet is still available from the context menu.

Improved Error Messages

When a DNS update fails due to a prerequisite check, the error now reads "Record was modified or deleted by another client — reload the zone and try again" instead of a cryptic RFC code. This makes it immediately clear what happened and what to do next.
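
The prerequisite mechanism described above, as an added example (not DnsEditor's own code): it builds an RFC 2136 UPDATE whose prerequisite section says "this A RRset must still hold the values I loaded", and maps the prerequisite-failure RCODEs to the kind of message the app shows. The function names, host names, addresses and reply headers are constructed for illustration, and TSIG signing is left out.

```python
import socket
import struct

A, SOA, IN, ANY = 1, 6, 1, 255           # RR types and classes used below
OPCODE_UPDATE = 5
PREREQ_FAILED = {6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET"}   # RFC 2136 RCODEs

def wire_name(name):
    labels = [p.encode("ascii") for p in name.rstrip(".").lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"

def rr(name, rtype, rclass, ttl, rdata=b""):
    fixed = struct.pack("!HHIH", rtype, rclass, ttl, len(rdata))
    return wire_name(name) + fixed + rdata

def guarded_replace_a(zone, host, seen_ips, new_ip, ttl=300, msg_id=0x1234):
    """Replace host's A RRset only if it still holds exactly seen_ips."""
    # Prerequisite "RRset exists (value dependent)": zone class, TTL 0,
    # one RR per value the client saw when it loaded the zone.
    prereq = [rr(host, A, IN, 0, socket.inet_aton(ip)) for ip in seen_ips]
    update = [rr(host, A, ANY, 0),                              # delete the RRset
              rr(host, A, IN, ttl, socket.inet_aton(new_ip))]   # add the new value
    header = struct.pack("!6H", msg_id, OPCODE_UPDATE << 11,
                         1, len(prereq), len(update), 0)
    zone_section = wire_name(zone) + struct.pack("!HH", SOA, IN)
    return header + zone_section + b"".join(prereq + update)

def parse_header(msg):
    msg_id, flags, zo, pr, up, ad = struct.unpack("!6H", msg[:12])
    return {"id": msg_id, "response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
            "zones": zo, "prereqs": pr, "updates": up, "additional": ad}

def outcome(reply):
    """Turn the server's RCODE into an operator-facing result."""
    rcode = parse_header(reply)["rcode"]
    if rcode == 0:
        return "applied"
    if rcode in PREREQ_FAILED:
        return ("rejected (%s): record was changed on the server; "
                "reload the zone and retry" % PREREQ_FAILED[rcode])
    return "failed: rcode %d" % rcode

def fake_reply(msg_id, rcode):
    """Constructed reply header standing in for a real server response."""
    return struct.pack("!6H", msg_id, 0x8000 | OPCODE_UPDATE << 11 | rcode, 0, 0, 0, 0)

if __name__ == "__main__":
    msg = guarded_replace_a("example.com", "www.example.com",
                            ["192.0.2.10"], "192.0.2.20")
    print(parse_header(msg))
    print(outcome(fake_reply(0x1234, 0)))   # RRset unchanged since load
    print(outcome(fake_reply(0x1234, 8)))   # another updater got there first
```

Because the server checks the prerequisite and applies the update under the same zone lock, a stale client gets NXRRSET instead of overwriting the newer value.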

Previous: What's New in 2.3.0

Zone Cleanup Tool

A comprehensive zone cleanup scanner identifies dangling PTR records, missing PTR records, and incorrect forward/reverse mappings across all your managed zones. View all issues in one organized report with severity indicators and one-click fixes.

Bulk PTR Deletion

Delete all dangling PTR records at once with a single button. The operation is optimized for performance, batching deletions per zone and creating a single consolidated undo entry for easy restoration if needed.

Multi-Zone Undo Support

Bulk operations across multiple reverse zones now create one consolidated undo entry instead of multiple scattered entries. When restoring, records are automatically grouped by zone and restored to their correct locations — including IPv6 reverse zones.

Bulk Record Viewer

Right-click (or long-press) on bulk undo entries to view all records included in the operation. See exactly what was deleted before deciding whether to restore, with full details including record names, types, values, and TTLs.

Performance Improvements

Zone reloads during bulk operations are now batched per zone, reducing reload operations by up to 90%. Deleting 100 PTR records now triggers only a handful of zone reloads instead of hundreds, dramatically improving responsiveness.

Exportable Cleanup Reports

Generate plain-text reports of zone cleanup findings, including counts of forward and reverse issues, severity levels, and full details for each problem. Share or save reports for documentation or team collaboration.

Previous: What's New in 2.2.5

Reverse/Forward DNS Verification

A/AAAA records now show their reverse DNS (PTR) result inline, color-coded: green when the PTR matches, red for mismatches, and orange when no PTR exists. PTR records show the same for their forward lookup. For non-routable networks (RFC 1918), the app queries your BIND9 provider's nameserver directly instead of public resolvers.

One-Tap Fix for Missing Records

When a PTR or forward record is missing and the target zone is managed by the app, a "Fix" button appears next to the warning. Tap it to instantly create the missing record in the correct zone — no need to navigate away from the current view.

Paired Record Deletion

When deleting an A/AAAA or PTR record that has a confirmed bidirectional match in a managed zone, the app offers a "Delete Both" option to remove the counterpart record at the same time, keeping your forward and reverse zones in sync.

Background DS Scanning

Enable automatic background scanning for KSK rollovers on your BIND9 providers. The app periodically checks all zones for pending DS updates and sends a local notification when action is needed. Configure per-provider with daily or weekly intervals in the provider settings.

Notification-Driven Workflow

Tapping a DS update notification opens the app directly to the scan results — no need to manually navigate to the scanner and re-run. On macOS, the notification brings the main window to the front. On iOS, it opens the results sheet immediately.

Live Scan Status in Zone List

A spinning indicator appears in the zone list while a background scan is in progress. When DS updates are detected, the indicator turns red with a warning message. Tap it to view the full scan results. Dismissing the results clears the indicator.

Cross-Device iCloud Sync

Provider configuration changes — including background scan settings, zone lists, and active provider selection — now sync across devices via iCloud in real time. Changes made on your Mac are immediately reflected on your iPhone and iPad, and vice versa.

Previous: What's New in 2.2.0

DS Update Scanner

Scan all zones in a BIND9 provider to detect KSK rollovers that need DS updates at the registrar. The scanner compares parent DS records with child CDS records and reports which zones need action. A pre-scan configuration screen lets you exclude zones under TLDs that support automated CDS scanning (e.g., .cz, .se, .ch). Results include a shareable plain-text report.

Direct DS Updates

When a zone's parent is also served by the same BIND9 provider (e.g., test.a02.au under a02.au), the scanner offers to apply the DS update directly via RFC 2136. Updates use a safe two-phase approach: the new DS is added first, then the old DS is removed, ensuring the chain of trust is never broken.

DNSKEY Keytag Display

DNSKEY and CDNSKEY records now show the computed keytag in parentheses next to the record value, calculated using the RFC 4034 Appendix B algorithm. This makes it easy to identify keys at a glance without having to cross-reference DS records manually.

Previous: What's New in 2.1.3

Automatic Reverse DNS

When creating or editing A/AAAA records, DnsEditor automatically detects matching reverse zones in your provider and offers to create PTR records. Sibling A and AAAA records for the same hostname are cross-matched, with toggles to select which reverse mappings to create. Existing PTR records are checked and shown in green if already correct.

IP Conflict Detection

If a reverse PTR record already points to a different hostname that has a matching forward A/AAAA record, the IP is flagged as "in use" with a red warning and the toggle is disabled. This prevents accidentally overwriting active reverse mappings when reusing or mistyping IP addresses.

PTR Editor IP Input

When editing PTR records in reverse zones, an IP address field lets you enter a normal IPv4 or IPv6 address instead of manually constructing the reversed record name. The record name is generated automatically. Editing an existing PTR record back-derives and displays the IP address.

Reverse Zone IP Display

PTR records in reverse zones now show the unreversed IP address in parentheses next to the hostname, making it easy to see which IP each PTR record maps to. IPv6 addresses are displayed in compressed notation.

Previous: What's New in 2.1.2

STARTTLS Support for TLSA

TLSA record verification and generation now supports STARTTLS for email protocols. Fetch certificates from SMTP (ports 25, 587), IMAP (port 143), and POP3 (port 110) servers that require a plaintext-to-TLS upgrade handshake. Direct TLS ports (443, 465, 993, 995) continue to work as before.

TLSA Scanner Port Selection

The TLSA scanner now includes a port picker in the toolbar, letting you scan all hosts in a zone for any common TLSA port: 443 (HTTPS), 25 (SMTP), 587 (Submission), 465 (SMTPS), 143 (IMAP), 993 (IMAPS), 110 (POP3), or 995 (POP3S). TLSA record names are generated with the correct port prefix (e.g. _25._tcp. for SMTP).

Previous: What's New in 2.1.0

Zone Sanity Check

Verify that all your public nameservers are serving identical records. The sanity check queries each authoritative nameserver directly (non-recursive) and compares NS delegation, SOA serials, and every record in the zone. Differences are grouped by record with a list of affected nameservers, making it easy to spot synchronisation issues.

TCP Fallback for Large Records

The zone sanity check automatically retries queries over TCP when a UDP response is truncated. This ensures accurate comparison of large records like DKIM TXT entries that exceed UDP response limits.

Export Sanity Check Report

Share or save sanity check results as a plain-text report. The report includes NS delegation status, SOA serial consistency, and all record differences with affected nameservers. Use the share button in the toolbar after a check completes.

Previous: What's New in 2.0.7

TSIG Key Testing

After entering your TSIG credentials, tap "Test Key" to send a signed query to the server and verify the key is accepted — before saving the provider. The app validates Base64 format and key length against the selected algorithm in real time.

Redesigned TSIG Editor

The TSIG authentication section now provides dedicated fields for key name, algorithm, and secret, making it easier to enter credentials directly. Import from a BIND key file is still available via a disclosure group.

Resizable Windows (macOS)

All editor sheets on macOS are now presented as resizable panel windows. Resize the provider editor, record editor, DS chain validation, and scanner windows to suit your workflow.

LOC Editor Redesign

The LOC record editor now features a "Fuzz" button to randomise coordinates within a configurable radius, and a live map preview that updates as you edit.

Previous: What's New in 2.0.3

Zone-Wide TLSA Scanner

Scan all A/AAAA hosts in a zone for TLS certificates and generate or update TLSA records (DANE-EE 3 1 1). Review results before applying, with automatic detection of new, changed, and unchanged records.

Zone-Wide SSHFP Scanner

Scan all hosts for SSH keys and manage SSHFP records across the entire zone. Detects new keys, orphaned records for removed hosts, and fingerprint changes with man-in-the-middle warnings requiring explicit confirmation.

LOC Record Enhancements

The LOC record editor now includes a "Current Location" button to auto-fill coordinates from your device. The QuickLook viewer shows a map preview with the location pinned.

Streamlined iOS Toolbar

Zone scanners, DS chain validation, undo history, and refresh are consolidated into a single overflow menu on iOS, keeping the toolbar clean on smaller screens.

Previous: What's New in 2.0.2

QuickLook Record Preview

Preview read-only records without leaving the record list. On macOS, a floating panel keeps keyboard focus on the main window. On iPad, use arrow keys or toolbar buttons. On iPhone, use the navigation buttons.

DS Record Generation from DNSKEY

View a KSK DNSKEY record and copy a ready-to-use DS record (SHA-256) to the clipboard for pasting into your registrar's control panel.
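
The key tag display, the DS generation above and the "New KSK Published" check all come down to the same two computations, shown here as an added example (not DnsEditor's own code): the RFC 4034 Appendix B key tag and the SHA-256 DS digest, then a comparison of a child's DNSKEY set with the parent's DS set. Function names, the report keys and the key material are constructed for illustration.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [p.encode("ascii") for p in name.rstrip(".").lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def audit_delegation(owner, dnskeys, parent_ds):
    """Compare a child's DNSKEY set with the DS set published by the parent.

    dnskeys: list of DNSKEY RDATA; parent_ds: (key_tag, algorithm, digest_type, hex).
    Matching uses the full tuple because key tags are not unique.
    """
    report = {"matched": [], "ksk_without_ds": [],
              "orphaned_ds": [], "unchecked_ds": []}
    published = {(t, a, d, h.upper()) for t, a, d, h in parent_ds}
    expected = set()
    for rdata in dnskeys:
        flags, _protocol, algorithm = struct.unpack("!HBB", rdata[:4])
        if not flags & 0x0001:          # SEP bit clear: a ZSK, no DS expected
            continue
        ds = (key_tag(rdata), algorithm, 2, ds_sha256(owner, rdata))
        expected.add(ds)
        report["matched" if ds in published else "ksk_without_ds"].append(ds[0])
    for ds in sorted(published - expected):
        # Only SHA-256 digests are recomputed here; other types are set aside.
        report["unchecked_ds" if ds[2] != 2 else "orphaned_ds"].append(ds[0])
    return report

# Constructed sample data: the key bytes are fillers, not real curve points.
OWNER = "example.com."
KSK_OLD = dnskey_rdata(257, 3, 13, bytes(range(64)))
KSK_NEW = dnskey_rdata(257, 3, 13, bytes(64))        # published, no DS at parent yet
ZSK = dnskey_rdata(256, 3, 13, b"\x01" * 64)
PARENT_DS = [(key_tag(KSK_OLD), 13, 2, ds_sha256(OWNER, KSK_OLD)),
             (12345, 13, 2, "00" * 32)]               # left over from a retired key

if __name__ == "__main__":
    print(audit_delegation(OWNER, [KSK_OLD, KSK_NEW, ZSK], PARENT_DS))
```

A DS whose key tag matches a KSK but whose digest does not shows up in both ksk_without_ds and orphaned_ds with the same tag, which is the signature of a mistyped or stale digest at the registrar.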

Context Menu Improvements

All records now show a "View" option in the context menu (long press or right-click), making it easy to preview any record in QuickLook mode.

Alphabetical Filter Sorting

The record type filter menu is now sorted alphabetically, making it easier to find specific record types like AAAA right after A.

Previous: What's New in 2.0.1

Internationalized Domain Names

Full IDN support with Punycode encoding. Domains like "høsteng.no" display in Unicode while automatically encoding to "xn--hsteng-bya.no" for DNS operations.

Google Cloud DNS Improvements

Improved record management using Google's Changes API for more reliable create, update, and delete operations.

IPv6 Address Display

AAAA records now display IPv6 addresses in compressed format (e.g., ::1 instead of 0:0:0:0:0:0:0:1) for easier reading.

Cloud Provider DNSSEC Detection

DNSSEC-signed zones hosted on Cloudflare, Route 53, and Google Cloud DNS are now correctly detected and display the DNSSEC badge.

iPad Interface Improvements

Toolbar buttons on iPad now display directly in the toolbar without requiring an overflow menu.