Querying and verifying dnssec

The dig command is simple:

    % dig +dnssec www.isoc.org.

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec www.isoc.org.
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49304
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;www.isoc.org.          IN  A

    ;; ANSWER SECTION:
    www.isoc.org.       86382   IN  A   212.110.167.157
    www.isoc.org.       86382   IN  RRSIG   A 7 3 86400 20100706205007 20100622205007 56495 isoc.org. ETERh/blyD1LvW+hCeET9Zy/XTdTewilU8nhA5HCGtNoccdjPN/4pBg6 Vv2S/nJTZfQu7S1KwFJpijSg0n81A8Fpr1rjlS4AfKZgiSA6ureGDOzZ J4MImGFb9h1lG7qBrJ3Psmzs292obZfA98oJstsTzd4tNwFQf5bp5pDJ KoU=

Note two things:

  1. The +dnssec flag - this asks your DNS server to validate the zone data.
  2. The ad entry in the flags line of the response. This confirms that the zone data is correct.

[if the zone data was incorrect the server would have returned a SERVFAIL error instead]

However, your DNS server won't actually return that ad flag unless it has been configured to perform DNSSEC validation itself. Mine has, of course.

You can enable DNSSEC in your recursive BIND server by adding the following lines to your named.conf file:

    dnssec-enable yes;
    dnssec-validation yes;

and a copy of the root zone's public key. Other domain names can then be validated by following the chain of signatures through the DNS hierarchy.

You'll also need a fairly recent version of your DNS software - only the newer versions support the RSA/SHA-256 encryption algorithm that'll be used to sign the root. That means BIND 9.6.2+, or Unbound 1.4.0+.
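To turn the two checks above (the EDNS `do` flag and the `ad` flag in the header, plus the SERVFAIL case) into something scriptable, here is an added example that is not part of the original answer: it parses the text of a `dig +dnssec` response and classifies it. The sample input is the abridged dig output from the answer, with two variants constructed from it.

```python
import re

# Abridged dig output from the answer above (RRSIG signature data truncated).
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49304
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.isoc.org.       86382   IN  A   212.110.167.157
www.isoc.org.       86382   IN  RRSIG   A 7 3 86400 20100706205007 20100622205007 56495 isoc.org. ETERh/bly...
"""

# Constructed variants: the same signed data returned by a resolver that does
# not validate (no "ad" flag), and the SERVFAIL returned when validation fails.
SIGNED_NOT_VALIDATED = VALIDATED.replace("qr rd ra ad;", "qr rd ra;")
SERVFAIL = VALIDATED.replace("status: NOERROR", "status: SERVFAIL")


def _flags(output, pattern):
    """Return the space-separated flag list captured by `pattern` as a set."""
    m = re.search(pattern, output, re.M)
    return set(m.group(1).split()) if m else set()


def classify(output):
    """Classify a dig +dnssec response:
    'servfail'            -> validation failed (or the resolver is broken)
    'no-dnssec-requested' -> EDNS DO bit absent, so +dnssec was not in effect
    'validated'           -> AD bit set: the resolver validated the chain
    'signed-unvalidated'  -> RRSIGs present but the resolver did not validate
    'unsigned'            -> neither RRSIG nor AD bit
    Note: the AD bit is only trustworthy over a trusted path to your own resolver.
    """
    status = re.search(r"status: (\w+)", output)
    if status and status.group(1) == "SERVFAIL":
        return "servfail"
    header_flags = _flags(output, r"^;; flags:\s*([^;]*);")
    edns_flags = _flags(output, r"^; EDNS: .*flags:\s*([^;]*);")
    has_rrsig = any(re.match(r"^\S+\s+\d+\s+IN\s+RRSIG\s", line)
                    for line in output.splitlines())
    if "do" not in edns_flags:
        return "no-dnssec-requested"
    if "ad" in header_flags:
        return "validated"
    return "signed-unvalidated" if has_rrsig else "unsigned"
```

Pipe a real response in with `dig +dnssec name | python3 -c 'import sys, this_module; print(this_module.classify(sys.stdin.read()))'` (module name is a placeholder for wherever you save the file).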


Author: hendry

Linux, Mobile & Web. They'll get big one day I swear! Subscribe to my Youtube channel: https://www.youtube.com/user/kaihendry

Updated on September 17, 2022

Comments

  • hendry
    hendry almost 2 years

    I hear http://www.isoc.org/ has Domain Name System Security Extensions on its DNS records.

    How do I see and verify the DNS using the tool dig?

    • bortzmeyer
      bortzmeyer about 14 years
      Your question includes a URL when it should be a domain name. A URL is not "signed"...
  • hendry
    hendry about 14 years
    Yes, I don't see that "ad" flag. Is there a DNS server I can publicly query? I see Google's does not support DNSSEC either: dig +dnssec www.isoc.org @8.8.8.8.
  • Alnitak
    Alnitak about 14 years
    DNS OARC has some: dns-oarc.net/oarc/services/odvr
  • nealmcb
    nealmcb about 9 years
    @hendry: Google's does DNSSEC validation now, via 8.8.8.8