How can I check if a domain uses DNSSEC?

Solution 1

dig [zone] dnskey

That will show you if there is the required DNSKEY RRset in the zone that will be used to validate the RRsets in the zone.

If you want to see if your recursive server is validating the zone:

dig +dnssec [zone] dnskey

This will set the DO (DNSSEC OK) bit on the outbound query and cause the upstream resolver to set the AD (authenticated data) bit on the return packet if the data is validated. It will also provide you with the related RRSIGs (if the zone in question is signed), even if it is not able to validate the response.

You might want to take a look at the last group of slides in my "DNSSEC in 6 Minutes" presentation (lots about debugging DNSSEC). That presentation is a bit long in the tooth about deploying DNSSEC (you should really look at BIND 9.7 for the good stuff), but debugging has changed little.

There is also a presentation I gave at NANOG 50 about BIND 9.7 DNSSEC deployment.
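
The check described in Solution 1, as an added example that is not part of the original answer: a small filter that reads `dig +dnssec [zone] dnskey` output and reports whether a DNSKEY RRset, its RRSIG, and the AD header flag are present. The function name `dnssec_summary`, the zone `example.test` and the sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Summarise `dig +dnssec <zone> dnskey` output read on stdin.
# Prints: dnskey=<0|1> rrsig=<0|1> ad=<0|1>
# Live use: dig +dnssec example.test dnskey | dnssec_summary
dnssec_summary() {
  awk '
    /^;; flags:/ {
      # Header flags only: the text between "flags:" and the first ";".
      # The EDNS line ("; EDNS: ... flags: do;") has a single ";" and is skipped.
      line = $0; sub(/^;; flags:/, "", line); sub(/;.*/, "", line)
      n = split(line, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^$/ || /^;/ { in_answer = 0 }   # any other section header ends the answer
    in_answer && $4 == "DNSKEY" { dnskey = 1 }
    in_answer && $4 == "RRSIG"  { rrsig = 1 }
    END { printf "dnskey=%d rrsig=%d ad=%d\n", dnskey, rrsig, ad }'
}

# Constructed sample: signed zone, answer validated by the resolver (AD set).
SAMPLE_VALIDATED=';; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232

;; ANSWER SECTION:
example.test. 3600 IN DNSKEY 257 3 13 CONSTRUCTED-KEY-DATA
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20300101000000 20291201000000 12345 example.test. CONSTRUCTED-SIG'

# Constructed sample: same signed zone, but the resolver did not validate (no AD).
SAMPLE_NOT_VALIDATED=$(printf '%s\n' "$SAMPLE_VALIDATED" | sed 's/ ra ad;/ ra;/')

# Constructed sample: unsigned zone, so no DNSKEY RRset and no RRSIG.
SAMPLE_UNSIGNED=';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 3600 1209600 3600'

for s in "$SAMPLE_VALIDATED" "$SAMPLE_NOT_VALIDATED" "$SAMPLE_UNSIGNED"; do
  printf '%s\n' "$s" | dnssec_summary
done
```

A result of `dnskey=1 rrsig=1 ad=0` matches the case the answer describes: the zone is signed and the RRSIGs are returned, but the resolver you queried did not validate the data.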

Solution 2

I don't believe it is currently shown in the browser.

There is an extension to Firefox which might do what you want:

Alternatively, maybe one of these tools?

Author by

Jonas

I'm a Computer Science student.

Updated on September 17, 2022

Comments

  • Jonas
    Jonas over 1 year

    DNSSEC has been deployed on some top-level domains now. But how could I see if a site/domain is using DNSSEC? Is it shown in the browser? Or is there any Windows or Linux command to see it? Or a tool for it?

  • Knobee
    Knobee over 13 years
    I've been asked over on serverfault to admit that I actually work for ISC, the maintainers of BIND and ISC DHCP. I'm more than happy to help anyone that has issues with either one (time allowing).
  • e40
    e40 almost 11 years
    Your slides for "DNSSEC in 6 minutes" give a 404 now. Is there a new URL?
  • bertieb
    bertieb almost 5 years
    Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
  • Nitin J Mutkawoa
    Nitin J Mutkawoa almost 5 years
    I updated the answer as requested. Thanks
  • John Greene
    John Greene over 4 years
    No mention of dig giving a response flag of AD?