JavaScript is needed for tests to work. Wait a few seconds before examining the results. Tests 1-3 uses this random URL string: . Browser cache should be clean for tests 4 and 5 to work correctly.

Test Result
1. DNSSEC secure
*.wilda.rhybar.0skar.cz
Failure.
You are not protected by DNSSEC. Therefore, other tests here does not make any sense.
Success.
You cannot access sites with broken DNSSEC signature.
Testing in progress…
2a. NSEC zone with an A record
*.wilda.nsec.0skar.cz
Failure.
Your DNS server cannot correctly validate an A record, created by expanding a wildcard on a NSEC zone.
Success.
Your DNS server can correctly validate an A record, created by expanding a wildcard on a NSEC zone.
Testing in progress…
2b. NSEC zone with a CNAME record
*.wild.nsec.0skar.cz
Failure.
Your DNS server cannot correctly validate a CNAME record, created by expanding a wildcard on a NSEC zone.
Success.
Your DNS server can correctly validate a CNAME record, created by expanding a wildcard on a NSEC zone.
Testing in progress…
3a. NSEC3 zone with an A record
*.wilda.0skar.cz
Failure.
Your DNS server cannot correctly validate an A record, created by expanding a wildcard on a NSEC3 zone.
Success.
Your DNS server can correctly validate an A record, created by expanding a wildcard on a NSEC3 zone.
Testing in progress…
3b. NSEC3 zone with a CNAME record
*.wild.0skar.cz
Failure.
Your DNS server cannot correctly validate a CNAME record, created by expanding a wildcard on a NSEC3 zone.
Success.
Your DNS server can correctly validate a CNAME record, created by expanding a wildcard on a NSEC3 zone.
Testing in progress…
4. Extra record inside a wildcard on a NSEC zone
www.wilda.nsec.0skar.cz
Failure.
Your DNS server cannot correctly validate a CNAME record, surrounded by wildcard A records on a NSEC zone.
Success.
Your DNS server can correctly validate a CNAME record, surrounded by wildcard A records on a NSEC zone.
Testing in progress…
5. Extra record inside a wildcard on a NSEC3 zone
www.wilda.0skar.cz
Failure.
Your DNS server cannot correctly validate a CNAME record, surrounded by wildcard A records on a NSEC3 zone.
Success.
Your DNS server can correctly validate a CNAME record, surrounded by wildcard A records on a NSEC3 zone.
Testing in progress…
6. ECDSA signature validation
*.wilda.rhybar.ecdsa.0skar.cz
Failure.
Your validatior does not validate ECDSA signatures. Update it ASAP!
Success.
You cannot reach server with deliberately broken ECDSA signature.
Testing in progress…

Details

Some DNSSEC-validating DNS resolvers fails to validate correctly so-called wildcard DNS records. Problem is getting worse when more resolvers are chained one to another.

Until version 9.9.0, the most widespread DNS server BIND cannot correctly validate wilcard records in a zone with NSEC3 records (tests 3a, 3b), hosted at an authoritative server other than BIND (source). When this server is prepended to any other DNSSEC validator, the validator cannot validate even wildcard records in zones with NSEC records (tests 2a, 2b).

Alternative DNS server Unbound validates all tests correctly, if whole recursion is done by it. Versions 1.4.6 and newer were tested.