How can I check if a domain uses DNSSEC?
Solution 1
dig [zone] dnskey
That will show you if there is the required DNSKEY RRset in the zone that will be used to validate the RRsets in the zone.
If you want to see if your recursive server is validating the zone,
dig +dnssec [zone] dnskey
This will set the DO (DNSSEC OK) bit on the outbound query and cause the upstream resolver to set the AD (authenticated data) bit on the return packet if the data is validated and also provide you with the related RRSIGs (if the zone in question is signed) even if it is not able to validate the response.
You might want to take a look at the last group of slides in my "DNSSEC in 6 Minutes" presentation (lots about debugging DNSSEC). That presentation is a bit long in the tooth about deploying DNSSEC (you should really look at BIND 9.7 for the good stuff), but debugging has changed little.
There is also a presentation I gave at NANOG 50 about BIND 9.7 DNSSEC deployment.
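The checks described in Solution 1, combined into one script. This is an added example, not part of the original answer: the function names and result labels are hypothetical, and the sample dig output is constructed, with key and signature data replaced by placeholders.

```bash
# Classify the output of `dig +dnssec <zone> dnskey`, read from stdin.
classify_dig_output() {
  awk '
    /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
      status = substr($0, RSTART + 8, RLENGTH - 8)
    }
    /^;; flags:/ {
      s = $0
      sub(/^;; flags:/, "", s); sub(/;.*/, "", s)   # keep only the flag list
      n = split(s, f, " ")
      for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
    }
    /^[^;]/ && $4 == "DNSKEY" { dnskey = 1 }
    /^[^;]/ && $4 == "RRSIG" && $5 == "DNSKEY" { rrsig = 1 }
    END {
      if (status != "NOERROR") print "error"                 # e.g. SERVFAIL
      else if (!dnskey)        print "unsigned"              # no DNSKEY RRset
      else if (ad)             print "validated"             # resolver set AD
      else if (rrsig)          print "signed-not-validated"  # RRSIGs, no AD
      else                     print "dnskey-only"           # no RRSIGs returned
    }'
}

# Live use: check_dnssec example.org
check_dnssec() {
  dig +dnssec "$1" dnskey | classify_dig_output
}

# Constructed, abridged sample outputs (not captured from a real zone).
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.org. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKEY==
example.org. 3600 IN RRSIG DNSKEY 13 2 3600 20300101000000 20291201000000 12345 example.org. PLACEHOLDERSIG=='

# Same answer from a resolver that did not validate: AD flag absent.
SAMPLE_NOT_VALIDATED=$(printf '%s\n' "$SAMPLE_VALIDATED" | sed 's/ ra ad;/ ra;/')

SAMPLE_UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
example.net. 900 IN SOA ns.example.net. admin.example.net. 1 7200 3600 1209600 900'
```

A result of `error` covers any status other than NOERROR, including the SERVFAIL a validating resolver returns when signatures do not verify.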
Solution 2
I don't believe it is currently shown in the browser.
There is an extension to Firefox which might do what you want:
Alternatively, maybe one of these tools?
Comments
-
Jonas over 1 year
DNSSEC has been deployed on some top domains now. But how could I see if a site/domain is using DNSSEC? Is it shown in the browser? Or is there any Windows or Linux command to see it? Or a tool for it?
-
Knobee over 13 years
I've been asked over on serverfault to admit that I actually work for ISC, the maintainers of BIND and ISC DHCP. I'm more than happy to help anyone that has issues with either one (time allowing).
-
e40 almost 11 years
Your slides for "DNSSEC in 6 minutes" give a 404 now. Is there a new URL?
-
e40 almost 11 years
The new URL appears to be: kb.isc.org/article/AA-00820/0/DNSSEC-in-6-minutes.html
-
bertieb almost 5 years
Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
-
Nitin J Mutkawoa almost 5 years
I updated the answer as requested. Thanks
-
John Greene over 4 years
No mention of dig giving a response flag of AD?