Querying and verifying DNSSEC
The `dig` command is simple:

```
% dig +dnssec www.isoc.org.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec www.isoc.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49304
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isoc.org. IN A

;; ANSWER SECTION:
www.isoc.org. 86382 IN A 212.110.167.157
www.isoc.org. 86382 IN RRSIG A 7 3 86400 20100706205007 20100622205007 56495 isoc.org. ETERh/blyD1LvW+hCeET9Zy/XTdTewilU8nhA5HCGtNoccdjPN/4pBg6 Vv2S/nJTZfQu7S1KwFJpijSg0n81A8Fpr1rjlS4AfKZgiSA6ureGDOzZ J4MImGFb9h1lG7qBrJ3Psmzs292obZfA98oJstsTzd4tNwFQf5bp5pDJ KoU=
```
Note two things:

- The `+dnssec` flag - this asks your DNS server to validate the zone data.
- The `ad` entry in the flags line of the response. This confirms that the zone data is correct. [If the zone data was incorrect, the server would have returned a SERVFAIL error instead.]

However, your DNS server won't actually return that `ad` flag unless it has been configured to perform DNSSEC validation itself. Mine has, of course.
You can enable DNSSEC in your recursive BIND server by adding the following lines to your named.conf file:

```
dnssec-enable yes;
dnssec-validation yes;
```

and a copy of the root zone's public key. Other domain names can then be validated by following the chain of signatures through the DNS hierarchy.

You'll also need a fairly recent version of your DNS software - only the newer versions support the RSA/SHA-256 encryption algorithm that'll be used to sign the root. That means BIND 9.6.2+, or Unbound 1.4.0+.
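As an added example (not from the answer above, and not part of dig or BIND), the following POSIX shell script wraps the check the answer describes: it classifies a dig response by its status word and by whether the `ad` flag is present, and on SERVFAIL it re-queries with `+cd` (Checking Disabled) to tell a validation failure apart from an ordinary resolver failure. The function names, the sample responses and their `id` values are constructed for this illustration; only the header and flags lines are parsed, so the embedded samples are trimmed to those two lines.

```shell
#!/bin/sh
# Added example, not part of the original answer or of BIND/dig.
# Classifies a DNSSEC lookup from dig's own output, using the two signals the
# answer describes: the status word and the "ad" (Authenticated Data) flag.
#
#   NOERROR  with "ad"   -> validated    (the resolver validated the chain)
#   NOERROR  without it  -> unvalidated  (non-validating resolver, or unsigned zone)
#   SERVFAIL             -> servfail     (validation failure is one cause; see check_name)
#   no header at all     -> no-response  (timeout, unreachable server)

# classify_dig: read one complete dig response on stdin, print one word.
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            # Surround with spaces so "ad" cannot match inside another flag name.
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        SERVFAIL) echo servfail ;;
        '')       echo no-response ;;
        *)        echo "$status" | tr 'A-Z' 'a-z' ;;
    esac
}

# check_name NAME [@SERVER ...]: run dig for real (needs network and dig on PATH).
# A bare SERVFAIL does not prove a validation failure. On SERVFAIL we re-ask with
# +cd (Checking Disabled): if the data now comes back, validation is what made the
# first query fail, and we report "bogus" instead of "servfail".
check_name() {
    name=$1
    shift
    result=$(dig +dnssec "$name" "$@" | classify_dig)
    if [ "$result" = servfail ]; then
        if [ "$(dig +dnssec +cd "$name" "$@" | classify_dig)" = unvalidated ]; then
            result=bogus
        fi
    fi
    echo "$result"
}

# Constructed sample responses (header and flags lines only, which is all
# classify_dig looks at). The id values are made up for the demonstration.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49304
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Offline self-check over the constructed samples.
# Prints: validated, unvalidated, servfail, no-response (one per line).
for s in "$SAMPLE_VALIDATED" "$SAMPLE_UNVALIDATED" "$SAMPLE_SERVFAIL" "$SAMPLE_TIMEOUT"; do
    printf '%s\n' "$s" | classify_dig
done

# Live use (requires network; uncomment to try):
# check_name www.isoc.org
# check_name www.isoc.org @8.8.8.8
```

One caveat the flag itself does not cover: `ad` means the recursive resolver you asked did the validation. The response still travels unauthenticated from that resolver to dig, so the flag is only as trustworthy as that path and that resolver; validating locally (as the answer's BIND configuration does) removes that dependency.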
Updated on September 17, 2022

Comments
- hendry (almost 2 years): I hear http://www.isoc.org/ has Domain Name System Security Extensions on its DNS records. How do I see and verify the DNS using the tool `dig`?
- bortzmeyer (about 14 years): Your question includes a URL when it should be a domain name. A URL is not "signed"...
- hendry (about 14 years): Yes, I don't see that "ad" flag. Is there a DNS server I can publicly query? I see Google's does not support DNSSEC either. `dig +dnssec www.isoc.org @8.8.8.8`.
- Alnitak (about 14 years): DNS OARC has some: dns-oarc.net/oarc/services/odvr
- nealmcb (about 9 years): @hendry: Google's does DNSSEC validation now, via 8.8.8.8