DnsManager
Version 5.0.0 • macOS / iOS / iPadOS

DNS Management Platform. A complete management system for self-hosted BIND9 nameservers — DNSSEC lifecycle, split-horizon views, zone provisioning, secondary distribution — with a built-in record editor that also speaks Cloudflare, AWS Route 53, and Google Cloud DNS. From your Mac, iPhone, or iPad.

One app for all your DNS providers

Designed for system administrators, DevOps engineers, and anyone who manages DNS across multiple providers.

Cloudflare • AWS Route 53 • Google Cloud DNS • BIND9 DNSSEC

Features

Multi-Provider Support

Connect to Cloudflare, AWS Route 53, Google Cloud DNS, or your own BIND9 servers — all from one app.

Full Record Support

Create and edit A, AAAA, CNAME, DS, MX, TLSA, TXT, SRV, SSHFP, NS, PTR, and CAA records with intuitive type-specific editors.

DNSSEC Aware

View DNSSEC status at a glance, inspect DS and DNSKEY records, and verify delegation signer configurations.

TLSA/SSHFP Validation

Generate and verify TLSA/SSHFP records for DANE and SSH by fetching certificates and host keys directly from your servers.

DS Record Verification

Validate DS records against published DNSKEY records to ensure proper DNSSEC delegation.

Clean Interface

Auto-hides complex DNSSEC chain records (RRSIG, NSEC) while displaying the records you need to manage.

Multiple Providers

Configure multiple DNS providers and switch between them effortlessly. Mix cloud and self-hosted DNS.

Zone Provisioning

Create and remove zones directly from the app with automatic DNSSEC signing, parent delegation, and secondary nameserver propagation via the dnseditd daemon.

Mac, iPhone, iPad

Manage your zones from anywhere — with a clean interface designed for Apple platforms.

dnseditd — Zone Management Daemon

A lightweight daemon that runs on your BIND9 nameserver, providing DNSSEC lifecycle automation, split-horizon view management, zone provisioning, and secondary propagation. Source-available on GitHub at github.com/ivahos/dnseditd — review the code, build the installer yourself, run binaries you trust.

Features

  • One-click BIND9 conversion: scan named.conf, mint TSIG keys, rewrite named.conf.local, reload
  • Bootstrap wizard with self-signed channel, then optional Let's Encrypt cert with autonomous renewal
  • Create and remove zones via HTTPS API
  • Automatic DNSSEC policy generation per TLD
  • Auto-discovery of TLD parental agents
  • NS delegation and DS records added to parent zones
  • Secondary provisioning over SSH for BIND9 and PowerDNS (mixed fleets supported)
  • Privilege-separated secondaries: per-server AXFR-only TSIG keys
  • Challenge-response authentication (password never transmitted)
  • JWT tokens with persistent refresh tokens
  • Runs as dedicated non-root user with ACLs
  • Single static binary — zero dependencies

Download

Self-extracting installer scripts that include the binary, create the system user, set permissions, and install the systemd service.

  • Download for Intel/AMD (x86_64)
  • Download for ARM (aarch64)

Requires Linux with BIND9 installed. Works on Debian, Ubuntu, RHEL, Alpine, and any other Linux distribution.

Quick Start

# Download and run the installer (as root)
chmod +x dnseditd-installer-amd64.sh
sudo ./dnseditd-installer-amd64.sh

# Edit the configuration
sudo nano /etc/dnseditd/config.toml

# Set the registration password
dnseditd --hash-password
# Copy the output into config.toml

# Configure TLS (required for the app to connect)
# Add your certificate paths to config.toml

# Start the daemon
sudo systemctl start dnseditd

# In the app: edit your RFC2136 provider, enter the daemon URL
# (e.g. https://nameserver.example.com:8443), click Connect, then Register

See the full documentation for detailed setup instructions including DNSSEC, secondary nameservers, and security configuration.

DnsQuery — Free Companion App

A free DNS debugger companion app. Handy when you want to inspect DNS responses without a full zone editor in front of you.

No installation, no account — just open it in your browser.

What's New in 5.0

Open Source Daemon

The dnseditd daemon source is now public at github.com/ivahos/dnseditd under a source-available license. Clone the repository, audit the code, and build your own installer with ./scripts/make-installer.sh — the same script that produces the official binaries. The daemon holds DNSSEC private keys and dynamic-update credentials for your zones; everyone running it on production infrastructure can now verify exactly what it does. Trust the daemon you actually built, not a binary blob.

Renamed to DnsManager

What started as a record editor has grown into a complete DNS management platform: DNSSEC key lifecycle orchestration, split-horizon view management, zone provisioning with parent-delegation automation, secondary nameserver distribution, autonomous Let's Encrypt issuance for the daemon's own hostname. The new name reflects what the product actually does. The record editor is still here — it's one panel of many.

Shared-Key Split-Horizon

Both internal and external views of a split-horizon zone now share a single KSK by default. One key, one DS at the registrar, one rollover to coordinate — instead of two parallel DNSSEC chains. The shared-key setup is the new default for fresh splits and substantially reduces the operational complexity of running both views together.

Split-Horizon Hygiene

Splitting a zone with child delegations now correctly copies non-apex NS, DS, and in-bailiwick glue into the new internal view (previously the internal view had no NS/DS for delegated children, so internal clients couldn't resolve them). View-sync markers moved to a signable layout (<name>._sync.<zone>) that survives child delegations. New "records in the wrong zone" detection flags records that became occluded by a later delegation, with one-click migrate-to-child or remove-as-orphaned resolution.

Merge Split Zones Back to Single

The flip side of split-horizon conversion: collapse a split-horizon zone back into a single global zone with five merge strategies — keep external only, keep internal only, merge with external winning on conflicts, merge with internal winning, or manual per-hostname resolution. The merged zone preserves the established KSK so no DS update at the registrar is needed.

Type-Scoped Sync Markers

View-sync between split-horizon views can now scope to specific record types — "sync just the DS", "sync only LOC and A" — instead of blanket-per-name. The marker stores the type set, and toggling sync for a record updates the scope in place. NS records are deliberately never syncable: a split child's per-view NS structure must differ to keep internal clients from being referred to public nameservers (which would defeat the purpose of split-horizon).

Delegation-Teardown Delete Guard

Deleting the NS records of a child delegation now surfaces a warning in the bulk-delete confirmation: removing the last NS dissolves the delegation, and BIND will drop the orphaned DS as a side effect. The proper way to re-point a delegation is add-new-NS-first then delete-old, never delete-all-then-readd. Catches the footgun before it costs you a DNSSEC trust anchor.

Live Zone Refresh

Viewing a zone now watches its SOA serial in the background and auto-refreshes when the upstream changes — useful when a co-administrator is making edits or when external tooling bumps the zone. Refresh interval is configurable in settings; default 30 seconds. Toggle off entirely if you'd rather drive every refresh manually.

Global TLSA Scanner

The per-zone TLSA scanner now has a provider-wide counterpart that walks every zone in a configured provider in one pass. Foreground mode produces a consolidated report — every TLSA record across every zone, verified against the live cert at the host:port it pins. Background mode runs the same check on a schedule and surfaces drift via local notifications, so an auto-renewer that rotated a cert without also updating its TLSA record gets caught before resolvers start rejecting connections.

DS Scanner Improvements

The DS update scanner gained a Configure button on the results screen — jump back to zone selection without dismissing the sheet. Zone exclusion toggles now push to the daemon so its background scanner respects the same exclusions the app does; Done applies them. Mid-rollover classification was reworked so zones with pending DS publication no longer false-flag as "complete."

External-View checkds Stall Fix

Resolves a sticky bug where DNSKEY-PUBLICATION on split-horizon zones would stall forever. The daemon used to emit an explicit parental-agents block for every zone, but for split-view children with a sibling-view DS already at the parent, this caused BIND's checkds confirmation to fail repeatedly. The daemon now relies on BIND's implicit checkds (using the parent NS list directly) for split-view zones, which handles the union case correctly.

Per-View Key History

The DNSSEC Key History display now filters events by view at the daemon, so the internal view's history no longer leaks events from the external view (or vice versa). The mid-rollover classifier also reads lifecycle state more carefully — a zone with a freshly-published KSK that hasn't been confirmed at the parent is now correctly shown as "rollover in progress" instead of "complete."

Sheet UX Consistency

Twelve sheets across the app got their bottom-bar button placement standardized: the dismiss action (Done / Close) sits rightmost, and every other toolbar button clusters to its left. Predictable visual hierarchy across every sheet — no more hunting for the right button on a sheet you haven't opened in a while.

Previous: What's New in 4.6

Per-Record DNSSEC Validation

Every record in a DNSSEC-signed zone now shows an inline status badge — a green checkmark when the RRSIG verifies cryptographically against the zone's own DNSKEY, a red "Bad signature" when it doesn't, an orange "Missing signature" when no RRSIG covers the RRset, and a yellow "Expires in 18h" when the signature is within the 48-hour warning window. Records that fail validation are lifted to a "DNSSEC failures" section at the top of the zone with a tinted row background so a single broken record can't hide in a long zone. Catches the kind of silent corruption that resolvers reject as bogus but most editors render as if nothing's wrong.

Bidirectional Split-Horizon Sync

Sync between split-horizon views can now flow in either direction. The marker's location encodes the source: marker in the internal view means internal is canonical and edits propagate outward to external (the original 4.0 behavior); marker in the external view means external is canonical and edits propagate inward to internal — useful when most records are managed via the external view and the internal view just overrides a handful for LAN-specific addresses. The convert wizard's populate dialog gets a three-way picker: Don't sync / Internal → External / External → Internal. Per-record direction is editable later from the record editor.

Hardened Split-Horizon Convert Flow

Three failure modes from the original convert flow are now closed: the daemon preserves real match-clients throughout the procedure (no more brief window where LAN clients lose access to the internal view, which previously could break the editor's own DNS resolution mid-conversion), wipes any stale internal zone artifacts before writing fresh ones (no more "journal out of sync with zone" after a botched retry), and AXFR-verifies the new internal view is a clean skeleton before letting populate run (catches pollution from rolled-back attempts).

RRSIG Expiring-Soon Early Warning

Auto-signing zones should never let an RRSIG approach expiration — but when the signer stalls (cron paused, key file perms changed during a server move, signing key past its scheduled validity) the existing signatures keep serving until the cliff. A yellow clock badge with an "Expires in Xh" label appears 48 hours before any RRSIG's expiration so the operator sees the problem with two business days of runway. Manually-signed zones reach this state on their own as the signing window runs down.

Adaptive Two-Pane on iPhone Pro Max Landscape

iPhone 17 Pro Max in landscape now renders a Podcasts-style two-pane layout — zone sidebar on the left, zone records on the right — instead of the modal navigation stack used on smaller iPhones. Switching zones stays in split-view; rotating to portrait collapses to the single-pane stack automatically; rotating back restores the split. Other iPhones and iPad behave as before.

Serial Sync Scanner Per-View

The provider-wide SOA serial sync scanner now scans each loaded view of a split-horizon zone separately, and only when that view has multiple NS records to compare against. Eliminates a class of false positives where internal-only split zones (whose only NS is the hidden primary) used to flap between "in sync" and "fixed" because the scanner was comparing the daemon's external view against its own internal view as if they were primary/secondary.

Previous: What's New in 4.5

One-Click BIND9 Conversion

Point the bootstrap wizard at an existing BIND9 server and the daemon will scan named.conf, mint two TSIG keys (internal + external), rewrite named.conf.local as an includes-only stub, and run rndc reconfig — all atomically. The original config is renamed to a .pre-dnseditor.bak sibling and the entire BIND directory is snapshotted for disaster recovery before anything is touched. On rndc reconfig failure, the daemon rolls back automatically.

Bootstrap Setup Wizard

A guided wizard replaces the manual provider/daemon configuration. "Test" probes the daemon's TLS — when the cert is already CA-trusted (e.g. a managed Let's Encrypt cert), the fingerprint field disappears entirely; with a self-signed cert, the SPKI hash is captured for pinning. "Scan" reads named.conf read-only and shows a per-zone plan; "Convert" applies it; the app then auto-creates a ProviderConfiguration populated from the daemon's response — no manual key copy/paste.

Let's Encrypt Auto-Issuance & Renewal

The daemon mints its own Let's Encrypt certificate via DNS-01, signed with a stable ECDSA P-256 key (so any TLSA selector=1 record pinned to the SubjectPublicKeyInfo survives every renewal). The cross-provider case is handled too: when the daemon's hostname lives in a zone managed by a different DnsManager provider, the app proxies the DNS-01 challenge into the right provider transparently. A daily renewer runs autonomously.

Privilege-Separated Secondaries

Each secondary nameserver gets its own AXFR-only TSIG key (dnseditor-axfr-<short>) — the app's update keys never leave the primary, and a compromised secondary can't write to the zone. An embedded Python helper deploys itself over SSH on first contact, with idempotent commands for adding zones, installing keys, migrating from a legacy slave config, and reloading.

BIND9 + PowerDNS Mixed Fleets

Run secondaries on whichever backend you have. PowerDNS slaves are configured with gsqlite3-dnssec=yes and set-presigned to avoid the silent-RRSIG-strip footgun, and fresh slave zones get a pdns_control purge to skip the cache TTL wait. BIND9 secondaries get rndc addzone with the AXFR-only key.

Action-Aware DS Update Reports

The DS update scanner classifies every record in its report as keep, remove, add, or already in parent, with a one-line Action: summary at the top of each zone (e.g. "remove DS 53049, 26682; add DS 30327"). The classifier reads DS lifecycle state directly from the daemon's dnssec -status when available, so split-horizon zones whose two parent DS records correctly match the two views' KSKs no longer false-flag.

Previous: What's New in 4.0.0

Split-Horizon Views

Convert any zone into a BIND split-horizon zone with a single click. A multi-step wizard handles infrastructure setup, DNSSEC key generation for the internal view, DS publishing to the parent, and record population — all with the existing signed chain kept intact for public clients.

Merge Views Back to Single Zone

Merge a split-horizon zone back into a single global zone with five strategies: keep external only, keep internal only, merge with external or internal winning on conflicts, or manual per-hostname resolution. DNSSEC chain is preserved — the merged zone keeps the established KSK so no DS update at the registrar is needed.

Serial Sync Scanner

Provider-wide scanner that finds zones where the primary's SOA serial is behind its secondaries — the classic "primary got rolled back to a snapshot" situation — and fixes them in one click. Also available as a per-zone Fix button in the Zone Sanity Check.

View-Aware DS Chain Validator

The DS chain validator queries the authoritative NS for the specific view being validated (hidden primary for internal, public secondaries for external). For split-horizon zones, DS records belonging to the other view are labeled "used in view" instead of being flagged as orphaned.

App-Side DNS UPDATE Populate

Split-horizon conversion populates the internal view by sending DNS UPDATE messages directly to BIND using the internal TSIG key. BIND's inline-signing handles each record correctly through its normal update path, avoiding the inline-signing diff failures that plague bulk file modifications.

Daemon Capabilities Matrix

The documentation includes a clear feature-by-feature comparison of what works with plain RFC 2136 versus what requires the dnseditd daemon. Decide whether you need the daemon based on which features you actually want.

Previous: What's New in 3.1.5

DNSSEC Enable/Disable

Right-click any zone to enable or disable DNSSEC signing. Enabling applies a DNSSEC policy, generates keys, and automatically adds NS and DS delegation records to the parent zone. Disabling safely removes signing with full secondary propagation — includes DS safety checks against authoritative nameservers and public resolvers (1.1.1.1, 8.8.8.8, 9.9.9.9).

DNSSEC Key History

A Key History view parses BIND's DNSSEC logs to show an annotated timeline of every key lifecycle event. Rollover summary with phase-by-phase timing. Predictions estimate when pending transitions will complete. Auto-discovers the log path from named.conf.options.

Parental Agents Scanner

Scan all DNSSEC zones to detect incorrect parental agent configuration. Automatically migrates inline IP lists to named parental-agents blocks in a shared config file. Detects local parent zones and uses their NS records for DS verification.

DS Record Delegation

When adding a DS record, the editor checks for missing NS delegation and offers to add NS records automatically. The chain validator now distinguishes between "not delegated" (no NS) and "delegated but unsigned" (no DS). DNSSEC queries use authoritative servers instead of public resolvers to avoid stale cache data.

Daemon Improvements

DNSSEC policies stored in separate files with auto-migration from inline format. Background DS TTL checker keeps policies up to date weekly. Daemon version API with app-side version warnings. Installer detects upgrades and auto-restarts the service.

Security Hardening

Request body size limits. Debug log redaction of sensitive fields. DS safety checks before unsigning query both authoritative nameservers and public resolvers. Force override available with explicit acknowledgement.

Previous: What's New in 3.0.0

Zone Management Daemon

Create and remove zones directly from the app via the dnseditd daemon. Automated DNSSEC signing, parent delegation, and secondary nameserver propagation.

TLSA Certificate Verification

Viewing or editing a TLSA record auto-checks the server certificate with fingerprint match, validity dates, and SAN highlighting.

Forward-Confirmed Reverse DNS

Full FCrDNS validation for PTR lookups — verifies the circular chain before flagging mismatches.

iOS Bottom Bar

Pinned bottom bar with search, select, and record count — always accessible regardless of scroll position.

Previous: What's New in 2.5.0

SOA Signing Key Display

DS chain validation now shows which DNSKEY signs each zone's SOA record, including the key tag, algorithm, and signature validity window.

Early KSK Rollover Detection

A new "New KSK Published" indicator appears when a KSK is present in the DNSKEY set but has no matching DS record in the parent zone.

Record TTLs in Chain Validation

DS, CDS, DNSKEY, and CDNSKEY records in the chain validation view now display their TTL values.

Improved Record Sorting

Metadata records are now sorted next to their parent host record instead of being grouped at the top of the zone.

Previous: What's New in 2.4.0

Concurrent Update Protection (BIND9)

RFC 2136 updates now include prerequisite checks that guard against race conditions with DHCPD, ACME clients, and other dynamic DNS updaters. If a record was changed on the server since you loaded the zone, the update is rejected with a clear error instead of silently overwriting the change. This uses the RFC 2136 prerequisite mechanism — the server evaluates the check atomically while holding the zone lock.

Expandable Bulk Undo Entries

Bulk delete entries in the undo history can now be expanded inline to see all individual records without leaving the list. Tap the disclosure chevron to expand, and the record count is shown alongside the timestamp. The full-screen detail sheet is still available from the context menu.

Improved Error Messages

When a DNS update fails due to a prerequisite check, the error now reads "Record was modified or deleted by another client — reload the zone and try again" instead of a cryptic RFC code. This makes it immediately clear what happened and what to do next.
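The prerequisite guard described under Concurrent Update Protection, and the rejection it produces, shown at the wire level. This is an added example, not code from DnsManager or dnseditd: it uses the "RRset exists (value dependent)" prerequisite form from RFC 2136 for illustration (the page does not say which form the app sends), the zone, host name and addresses are constructed, and the TSIG signature a real update carries is omitted.

```python
import ipaddress
import struct

CLASS_IN, CLASS_NONE = 1, 254
TYPE_A, TYPE_SOA = 1, 6
OPCODE_UPDATE = 5
# RCODEs that mean "a prerequisite was not satisfied" (RFC 2136 section 3.2).
PREREQ_FAILED = {3: "NXDOMAIN", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET"}


def name_to_wire(name):
    """Uncompressed wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rr(name, rtype, rclass, ttl, rdata=b""):
    return name_to_wire(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_guarded_replace(zone, name, seen, new, ttl, msg_id=0x1234):
    """UPDATE that swaps A `seen` for `new` only if `seen` is still the whole RRset."""
    old, fresh = (ipaddress.IPv4Address(a).packed for a in (seen, new))
    zone_section = name_to_wire(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    # Prerequisite: class = zone class, TTL 0, RDATA = the value loaded earlier.
    prereq = rr(name, TYPE_A, CLASS_IN, 0, old)
    # Update: delete that exact RR (class NONE, TTL 0), then add the new one.
    updates = rr(name, TYPE_A, CLASS_NONE, 0, old) + rr(name, TYPE_A, CLASS_IN, ttl, fresh)
    # Header counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT.
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 1, 2, 0)
    return header + zone_section + prereq + updates


def read_name(msg, pos):
    """Read an uncompressed name; returns (name, offset after it)."""
    labels = []
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def parse_update(msg):
    """Split an UPDATE message into its zone, prerequisite and update sections."""
    _, flags, _, pr, up, _ = struct.unpack("!HHHHHH", msg[:12])
    zone, pos = read_name(msg, 12)
    pos += 4  # skip ZTYPE and ZCLASS
    sections = {"prerequisite": [], "update": []}
    for section, count in (("prerequisite", pr), ("update", up)):
        for _ in range(count):
            name, pos = read_name(msg, pos)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10
            sections[section].append((name, rtype, rclass, ttl, msg[pos:pos + rdlen]))
            pos += rdlen
    return {"opcode": (flags >> 11) & 0xF, "zone": zone, **sections}


def outcome(response_flags):
    """Interpret the flags word of the server's response."""
    rcode = response_flags & 0x000F
    if rcode == 0:
        return "applied"
    if rcode in PREREQ_FAILED:
        return f"rejected, prerequisite failed ({PREREQ_FAILED[rcode]}): reload the zone and retry"
    return f"failed with rcode {rcode}"


if __name__ == "__main__":
    # Constructed input: the editor loaded 192.0.2.10 and wants 192.0.2.20.
    message = build_guarded_replace("example.com", "www.example.com", "192.0.2.10", "192.0.2.20", 300)
    print(parse_update(message))
    # If another updater changed the record in between, the server answers NXRRSET (8).
    print(outcome(0xA800 | 8))
```

Because the server checks the prerequisite and applies the update section as one operation, a record changed by another updater after the zone was loaded makes the whole message fail instead of being overwritten.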

Previous: What's New in 2.3.0

Zone Cleanup Tool

A comprehensive zone cleanup scanner identifies dangling PTR records, missing PTR records, and incorrect forward/reverse mappings across all your managed zones. View all issues in one organized report with severity indicators and one-click fixes.

Bulk PTR Deletion

Delete all dangling PTR records at once with a single button. The operation is optimized for performance, batching deletions per zone and creating a single consolidated undo entry for easy restoration if needed.

Multi-Zone Undo Support

Bulk operations across multiple reverse zones now create one consolidated undo entry instead of multiple scattered entries. When restoring, records are automatically grouped by zone and restored to their correct locations — including IPv6 reverse zones.

Bulk Record Viewer

Right-click (or long-press) on bulk undo entries to view all records included in the operation. See exactly what was deleted before deciding whether to restore, with full details including record names, types, values, and TTLs.

Performance Improvements

Zone reloads during bulk operations are now batched per zone, reducing reload operations by up to 90%. Deleting 100 PTR records now triggers only a handful of zone reloads instead of hundreds, dramatically improving responsiveness.

Exportable Cleanup Reports

Generate plain-text reports of zone cleanup findings, including counts of forward and reverse issues, severity levels, and full details for each problem. Share or save reports for documentation or team collaboration.

Previous: What's New in 2.2.5

Reverse/Forward DNS Verification

A/AAAA records now show their reverse DNS (PTR) result inline, color-coded: green when the PTR matches, red for mismatches, and orange when no PTR exists. PTR records show the same for their forward lookup. For non-routable networks (RFC 1918), the app queries your BIND9 provider's nameserver directly instead of public resolvers.

One-Tap Fix for Missing Records

When a PTR or forward record is missing and the target zone is managed by the app, a "Fix" button appears next to the warning. Tap it to instantly create the missing record in the correct zone — no need to navigate away from the current view.

Paired Record Deletion

When deleting an A/AAAA or PTR record that has a confirmed bidirectional match in a managed zone, the app offers a "Delete Both" option to remove the counterpart record at the same time, keeping your forward and reverse zones in sync.

Background DS Scanning

Enable automatic background scanning for KSK rollovers on your BIND9 providers. The app periodically checks all zones for pending DS updates and sends a local notification when action is needed. Configure per-provider with daily or weekly intervals in the provider settings.

Notification-Driven Workflow

Tapping a DS update notification opens the app directly to the scan results — no need to manually navigate to the scanner and re-run. On macOS, the notification brings the main window to the front. On iOS, it opens the results sheet immediately.

Live Scan Status in Zone List

A spinning indicator appears in the zone list while a background scan is in progress. When DS updates are detected, the indicator turns red with a warning message. Tap it to view the full scan results. Dismissing the results clears the indicator.

Cross-Device iCloud Sync

Provider configuration changes — including background scan settings, zone lists, and active provider selection — now sync across devices via iCloud in real time. Changes made on your Mac are immediately reflected on your iPhone and iPad, and vice versa.

Previous: What's New in 2.2.0

DS Update Scanner

Scan all zones in a BIND9 provider to detect KSK rollovers that need DS updates at the registrar. The scanner compares parent DS records with child CDS records and reports which zones need action. A pre-scan configuration screen lets you exclude zones under TLDs that support automated CDS scanning (e.g., .cz, .se, .ch). Results include a shareable plain-text report.

Direct DS Updates

When a zone's parent is also served by the same BIND9 provider (e.g., test.a02.au under a02.au), the scanner offers to apply the DS update directly via RFC 2136. Updates use a safe two-phase approach: the new DS is added first, then the old DS is removed, ensuring the chain of trust is never broken.

DNSKEY Keytag Display

DNSKEY and CDNSKEY records now show the computed keytag in parentheses next to the record value, calculated using the RFC 4034 Appendix B algorithm. This makes it easy to identify keys at a glance without having to cross-reference DS records manually.

Previous: What's New in 2.1.3

Automatic Reverse DNS

When creating or editing A/AAAA records, DnsManager automatically detects matching reverse zones in your provider and offers to create PTR records. Sibling A and AAAA records for the same hostname are cross-matched, with toggles to select which reverse mappings to create. Existing PTR records are checked and shown in green if already correct.

IP Conflict Detection

If a reverse PTR record already points to a different hostname that has a matching forward A/AAAA record, the IP is flagged as "in use" with a red warning and the toggle is disabled. This prevents accidentally overwriting active reverse mappings when reusing or mistyping IP addresses.

PTR Editor IP Input

When editing PTR records in reverse zones, an IP address field lets you enter a normal IPv4 or IPv6 address instead of manually constructing the reversed record name. The record name is generated automatically. Editing an existing PTR record back-derives and displays the IP address.

Reverse Zone IP Display

PTR records in reverse zones now show the unreversed IP address in parentheses next to the hostname, making it easy to see which IP each PTR record maps to. IPv6 addresses are displayed in compressed notation.

Previous: What's New in 2.1.2

STARTTLS Support for TLSA

TLSA record verification and generation now supports STARTTLS for email protocols. Fetch certificates from SMTP (ports 25, 587), IMAP (port 143), and POP3 (port 110) servers that require a plaintext-to-TLS upgrade handshake. Direct TLS ports (443, 465, 993, 995) continue to work as before.

TLSA Scanner Port Selection

The TLSA scanner now includes a port picker in the toolbar, letting you scan all hosts in a zone for any common TLSA port: 443 (HTTPS), 25 (SMTP), 587 (Submission), 465 (SMTPS), 143 (IMAP), 993 (IMAPS), 110 (POP3), or 995 (POP3S). TLSA record names are generated with the correct port prefix (e.g. _25._tcp. for SMTP).

Previous: What's New in 2.1.0

Zone Sanity Check

Verify that all your public nameservers are serving identical records. The sanity check queries each authoritative nameserver directly (non-recursive) and compares NS delegation, SOA serials, and every record in the zone. Differences are grouped by record with a list of affected nameservers, making it easy to spot synchronisation issues.

TCP Fallback for Large Records

The zone sanity check automatically retries queries over TCP when a UDP response is truncated. This ensures accurate comparison of large records like DKIM TXT entries that exceed UDP response limits.

Export Sanity Check Report

Share or save sanity check results as a plain-text report. The report includes NS delegation status, SOA serial consistency, and all record differences with affected nameservers. Use the share button in the toolbar after a check completes.

Previous: What's New in 2.0.7

TSIG Key Testing

After entering your TSIG credentials, tap "Test Key" to send a signed query to the server and verify the key is accepted — before saving the provider. The app validates Base64 format and key length against the selected algorithm in real time.

Redesigned TSIG Editor

The TSIG authentication section now provides dedicated fields for key name, algorithm, and secret, making it easier to enter credentials directly. Import from a BIND key file is still available via a disclosure group.

Resizable Windows (macOS)

All editor sheets on macOS are now presented as resizable panel windows. Resize the provider editor, record editor, DS chain validation, and scanner windows to suit your workflow.

LOC Editor Redesign

The LOC record editor now features a "Fuzz" button to randomise coordinates within a configurable radius, and a live map preview that updates as you edit.

Previous: What's New in 2.0.3

Zone-Wide TLSA Scanner

Scan all A/AAAA hosts in a zone for TLS certificates and generate or update TLSA records (DANE-EE 3 1 1). Review results before applying, with automatic detection of new, changed, and unchanged records.

Zone-Wide SSHFP Scanner

Scan all hosts for SSH keys and manage SSHFP records across the entire zone. Detects new keys, orphaned records for removed hosts, and fingerprint changes with man-in-the-middle warnings requiring explicit confirmation.

LOC Record Enhancements

The LOC record editor now includes a "Current Location" button to auto-fill coordinates from your device. The QuickLook viewer shows a map preview with the location pinned.

Streamlined iOS Toolbar

Zone scanners, DS chain validation, undo history, and refresh are consolidated into a single overflow menu on iOS, keeping the toolbar clean on smaller screens.

Previous: What's New in 2.0.2

QuickLook Record Preview

Preview read-only records without leaving the record list. On macOS, a floating panel keeps keyboard focus on the main window. On iPad, use arrow keys or toolbar buttons. On iPhone, use the navigation buttons.

DS Record Generation from DNSKEY

View a KSK DNSKEY record and copy a ready-to-use DS record (SHA-256) to the clipboard for pasting into your registrar's control panel.
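The arithmetic behind three features on this page: the RFC 4034 Appendix B key tag shown next to DNSKEY records, the SHA-256 DS derived from a KSK, and the check of parent DS records against the published DNSKEY set (including a KSK that has no DS yet). This is an added example, not the app's or the daemon's code; the keys are constructed byte patterns rather than real P-256 keys, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# DS digest types (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical owner name: lower-case, uncompressed wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(presentation):
    """'257 3 13 <base64 ...>' as printed by dig -> DNSKEY RDATA bytes."""
    flags, proto, alg, *b64 = presentation.split()
    header = struct.pack("!HBB", int(flags), int(proto), int(alg))
    return header + base64.b64decode("".join(b64))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithm 1 uses a different rule, not handled)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """digest = H(canonical owner name | DNSKEY RDATA), upper-case hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner, rdata, digest_type=2):
    """DS RDATA in presentation form: key tag, algorithm, digest type, digest."""
    digest = ds_digest(owner, rdata, digest_type)
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def audit_delegation(owner, dnskeys, ds_set):
    """Compare the parent's DS set with the child's DNSKEY set."""
    keys = [dnskey_rdata(k) for k in dnskeys]
    findings, covered = [], set()
    for ds in ds_set:
        tag, alg, dtype, *hexparts = ds.split()
        tag, alg, dtype = int(tag), int(alg), int(dtype)
        want = "".join(hexparts).upper()
        status = "no matching DNSKEY"
        for rdata in keys:
            if key_tag(rdata) != tag or rdata[3] != alg:
                continue  # key tags can collide, so keep looking
            if dtype not in DIGESTS:
                status = "unsupported digest type"
            elif ds_digest(owner, rdata, dtype) == want:
                status = "ok"
                covered.add(rdata)
                break
            else:
                status = "digest mismatch"
        findings.append((f"DS {tag}", status))
    for rdata in keys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if flags & 0x0001 and rdata not in covered:  # SEP bit marks a KSK
            findings.append((f"DNSKEY {key_tag(rdata)}", "KSK without DS at parent"))
    return findings


def constructed_key(flags, first_byte):
    """Constructed key material: 64 counting bytes, not a real P-256 point."""
    blob = bytes(range(first_byte, first_byte + 64))
    return f"{flags} 3 13 {base64.b64encode(blob).decode()}"


KSK_OLD = constructed_key(257, 0)
KSK_NEW = constructed_key(257, 64)   # published, no DS at the parent yet
ZSK = constructed_key(256, 128)

if __name__ == "__main__":
    good = make_ds("example.com", dnskey_rdata(KSK_OLD))
    stale = "12345 13 2 " + "00" * 32  # constructed DS with no matching key
    for subject, status in audit_delegation("example.com", [KSK_OLD, KSK_NEW, ZSK], [good, stale]):
        print(subject, status)
```

The key tag is only a lookup hint and can collide, which is why the audit compares the full digest before reporting a DS as good.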

Context Menu Improvements

All records now show a "View" option in the context menu (long press or right-click), making it easy to preview any record in QuickLook mode.

Alphabetical Filter Sorting

The record type filter menu is now sorted alphabetically, making it easier to find specific record types like AAAA right after A.

Previous: What's New in 2.0.1

Internationalized Domain Names

Full IDN support with Punycode encoding. Domains like "høsteng.no" display in Unicode while automatically encoding to "xn--hsteng-bya.no" for DNS operations.

Google Cloud DNS Improvements

Improved record management using Google's Changes API for more reliable create, update, and delete operations.

IPv6 Address Display

AAAA records now display IPv6 addresses in compressed format (e.g., ::1 instead of 0:0:0:0:0:0:0:1) for easier reading.

Cloud Provider DNSSEC Detection

DNSSEC-signed zones hosted on Cloudflare, Route 53, and Google Cloud DNS are now correctly detected and display the DNSSEC badge.

iPad Interface Improvements

Toolbar buttons on iPad now display directly in the toolbar without requiring an overflow menu.