Thursday 22 March 2018

security - How can I check if a domain uses DNSSEC?


DNSSEC has been deployed on some top-level domains now. But how can I see if a site/domain is using DNSSEC? Is it shown in the browser? Or is there a Windows or Linux command to see it? Or a tool for it?



Answer



dig [zone] dnskey


That will show you if there is the required DNSKEY RRset in the zone that will be used to validate the RRsets in the zone.


If you want to see if your recursive server is validating the zone,


dig +dnssec [zone] dnskey


This will set the DO (DNSSEC OK) bit on the outbound query and cause the upstream resolver to set the AD (authenticated data) bit on the return packet if the data is validated, and also provide you with the related RRSIGs (if the zone in question is signed) even if it is not able to validate the response.


You might want to take a look at the last group of slides in my "DNSSEC in 6 Minutes" presentation (lots about debugging DNSSEC). That presentation is a bit long in the tooth about deploying DNSSEC (you should really look at BIND 9.7 for the good stuff), but debugging has changed little.


There is also a presentation I gave at NANOG 50 about BIND 9.7 DNSSEC deployment.
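
The three outcomes the answer describes (DNSKEY and RRSIG returned with the AD bit set, signed data returned without AD, and no DNSKEY at all) can be told apart mechanically. The script below is an added example, not part of the original answer; the function names, the zone example.test and the key/signature strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify `dig +dnssec [zone] dnskey` output read from stdin.
classify_dig_output() {
    awk '
        /^;; flags:/ {                     # ";; flags: qr rd ra ad; QUERY: 1, ..."
            split($0, part, ";")           # part[3] = " flags: qr rd ra ad"
            n = split(part[3], flag, " ")
            for (i = 2; i <= n; i++) if (flag[i] == "ad") ad = 1
        }
        /^;/ || NF < 5 { next }            # skip comments and blank lines
        $4 == "DNSKEY" { dnskey = 1 }      # key RRset present in the zone
        $4 == "RRSIG" && $5 == "DNSKEY" { rrsig = 1 }   # signature covering it
        END {
            if (dnskey && rrsig && ad) print "validated"
            else if (dnskey && rrsig)  print "signed-not-validated"
            else if (dnskey)           print "dnskey-no-rrsig"
            else                       print "unsigned"
        }'
}

# Run the query from the answer against the configured resolver
# (needs dig and network access; not exercised by the samples below).
check_zone() {
    dig +dnssec "$1" dnskey | classify_dig_output
}

# Constructed sample responses; zone name and key data are placeholders.
sample_response() {   # $1 = header flags, $2 = "signed" or "unsigned"
    answers=0
    if [ "$2" = signed ]; then answers=2; fi
    printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n'
    printf ';; flags: %s; QUERY: 1, ANSWER: %s, AUTHORITY: 0, ADDITIONAL: 1\n' "$1" "$answers"
    printf '; EDNS: version: 0, flags: do; udp: 1232\n'
    printf ';example.test.\t\tIN\tDNSKEY\n'
    [ "$2" = signed ] || return 0
    printf 'example.test.\t3600\tIN\tDNSKEY\t257 3 13 PLACEHOLDERKEY==\n'
    printf 'example.test.\t3600\tIN\tRRSIG\tDNSKEY 13 2 3600 PLACEHOLDERSIG==\n'
}
```

The AD bit is the resolver's assertion, so "validated" is only as trustworthy as the resolver and the network path between it and the machine running dig.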

