1. Home
  2. Linux
  3. How to Test and Validate DNSSEC using dig and Web Tools?

How to Test and Validate DNSSEC using dig and Web Tools?

Have you enabled DNSSEC on DNS Server? If not, learn how to enable DNSSEC on Bind based DNS Server. Once you have installed and configured DNSSEC validating secure DNS server, make sure you test it properly. As an administrator, here are the basic testing that you should do after setting up DNSSEC enabled DNS Server. Ensure that the DNS domains that are DNSSEC signed are validated correctly by reporting Authenticated Data (AD) flag and the DNS domains with broken DNSSEC are not validated with SERVFAIL. However, the resolver should resolve non-DNSSEC domains as normally. We’ll see how to validate DNSSEC using both the command and web service.

How to validate DNSSEC signed domains using dig?

dig @<dnsserver> <dnssec-signed-domain> +dnssec +multi

Lets test a DNSSEC signed domain now!

$ dig dnssectest.sidn.nl +dnssec +multi
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @10.180.8.1 dnssectest.sidn.nl +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44295
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
;; ANSWER SECTION:
dnssectest.sidn.nl. 21600 IN CNAME www.sidn.nl.
dnssectest.sidn.nl. 21600 IN RRSIG CNAME 8 3 86400 20131214071501 (
 20131114071501 42033 sidn.nl.
 oN/P1jg9Zcx4+2XK+dZXw4OhlsGJAEK14kcIv4VQsxM0
 CZoyvwGsd23CpfY3k1tPXBDOy/oE+gjO0FDq+5eXXERt
 lTA+5Mu9tjnM5TDW66IFgOgtRN5Hw79BjAHpIR06igjX
 O+hk9ZqKOWCMVjyJvDgRB3PbkRIe6PNmjmgA5Y8= )
www.sidn.nl. 10466 IN A 213.136.31.220
www.sidn.nl. 10466 IN RRSIG A 8 3 86400 20131213071501 (
 20131113071501 42033 sidn.nl.
 QKN3pfWJ5S0i97zRtczt1wSUQhKAO3rFfxxZs/JY/hK4
 p6QXTQO6znVJ2niut644CO2IT5pBYhgNjYlsbUxh1WJs
 Qdyxkf5YgOwlRY/MD6rqMaF45LFHy6JurCXTPL+t593d
 9WZDr5DmXrVIsm0VClo0W/beIkEsHfE6j/Yeq1Y= )
;; Query time: 1610 msec
;; SERVER: 10.180.8.115#53(10.180.8.115)
;; WHEN: Thu Nov 14 16:43:14 2013
;; MSG SIZE rcvd: 415

In the above output, look out for Authenticated Data (AD) set in FLAGS. Requesting DNSSEC signed DNS domain with the DO Flag set (which is DNSSEC OK) should provide an Authenticated answer (AD) flag set in the header.

Validating broken or misconfigured DNSSEC domain

$ dig dnssec-or-not.org +dnssec +multi
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @10.180.8.1 dnssec-or-not.org +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23634
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-or-not.org. IN A
;; Query time: 334 msec
;; SERVER: 10.180.8.115#53(10.180.8.115)
;; WHEN: Thu Nov 14 16:46:32 2013
;; MSG SIZE rcvd: 46

Trying to resolve a domain which has DNSSEC issues should return SERVFAIL as return code in the header. Lookout for SERVFAIL from the above output.

Validating non-DNSSEC signed domain, should resolve Normally

$ dig espncricinfo.com +dnssec +multi
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @10.180.8.1 espncricinfo.com +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46851
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;espncricinfo.com. IN A
;; ANSWER SECTION:
espncricinfo.com. 102 IN A 80.168.92.141
;; Query time: 431 msec
;; SERVER: 10.180.8.115#53(10.180.8.115)
;; WHEN: Thu Nov 14 16:51:12 2013
;; MSG SIZE rcvd: 61

Trying to resolve a domain that is not DNSSEC signed, should resolve normally. Why espncricinfo.com? Well, I was watching Sachin Tendulkar’s Last and 200th Test match against West Indies. What a legend!

Few Web Services for DNSSEC Testing

DNSVIZ

It’s a web service to visualize the status of a DNS zone. It helps you to understand and troubleshoot the DNSSEC deployment issues by providing visual analysis of the DNSSEC authentication chain and its resolving path. The tool is capable of listing the configuration errors during the validation process.

DNSVIZ DNSSEC Validation Tool

 

Checkout DNSVIZ.

ZoneCheck

ZoneCheck is a simple tool that allows you to find out and solve DNS misconfigurations. It checks zone for incorrect configurations or inconsistencies (due to latency of the application) and generates a report.

Check DNS Zones for errors
Check DNS Zones for errors
Check ZoneCheck.

Verisign’s SecSpider

SecSpider monitors deployment metrics of DNSSEC, Availability metrics, Verifiability metrics, Validation metrics etc…

SecSpider DNSSEC Deployment tracker
SecSpider DNSSEC Deployment tracker

Check SecSpider.

And more…

* Verisign Labs developed “DNSSEC or not?” validator. Checkout here.

* SIDN developed “Are you a protected DNSSEC?” – Checkout here.

* ICSI Netalyzer, a network testing tool, which includes DNSSEC validation as well – Checkout here.

* A Similar one from  University Duesseldorf, Germany – Checkout here.

READ: Beginners guide to DNSSEC

READ: How to setup DNSSEC on Bind?

Updated on September 3, 2017

Was this article helpful?

Related Articles

Leave a Comment