
Symptom:

After installing and configuring a DNSSEC validating DNS server, the administrator should test that
  1. DNS domains that are DNSSEC signed are validated correctly (AD flag set in the answer)
  2. DNS domains with broken DNSSEC fail validation (SERVFAIL, no answer data)
  3. domains that are not DNSSEC signed are resolved normally (NOERROR, no AD flag)
There are also web-based tools that can help check a DNSSEC validator; see our list at Where to find webbased DNSSEC testing tools.


Solution

Validating a DNSSEC signed domain

Requesting a DNSSEC signed domain with the DO flag set (DNSSEC OK, which dig sets with +dnssec) should return an answer with the AD flag (Authenticated Data) set in the header. Make sure the query is sent to the validating resolver under test (the SERVER line at the end of the output shows which server answered); +multi only wraps long records for readability:
~ dig pir.org +dnssec +multi

; <<>> DiG 9.8.0 <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29196
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org.  IN A

;; ANSWER SECTION:
pir.org.  300 IN A 173.201.238.128
pir.org.  300 IN RRSIG A 5 2 300 20110419085021 (
    20110405085021 11342 pir.org.
    KOPkf7cbufTtAxotksChA3vh5YKCs3s+68N81ZH5hIaU
    EUsWhR01mCAeyqmYnT7Oj9LXqENSJIVQUfHSzCEXcYRZ
    joJCxHhjLD8D/pVRPcPvV6d92T7IZa9rfjf6VyYjyJld
    pF19zAeQQm13Trgc0JtqGs2hM5OOBXsDtMjeuzg= )

;; AUTHORITY SECTION:
pir.org.  300 IN NS ns1.yyz1.afilias-nst.info.
pir.org.  300 IN NS ns1.sea1.afilias-nst.info.
pir.org.  300 IN NS ns1.mia1.afilias-nst.info.
pir.org.  300 IN NS ns1.ams1.afilias-nst.info.
pir.org.  300 IN RRSIG NS 5 2 300 20110419085021 (
    20110405085021 11342 pir.org.
    wV3PUz9oCmdXq1GYzkoAXk7HskW4TMMCoyaoQjHVI8J5
    vMFvWnQYEfiiJQOxHZl9xt/jrDoSkO/Xn0wnGboyMq4c
    J6tzXGAPRWIWYoaRlti1HDk3YR1o8fm9utk4a2XgiOSR
    olhUaumUnQF+wjfIMdtjWCsBxGAydjQ6nNYoHxE= )

;; Query time: 476 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Tue Apr  5 18:11:22 2011
;; MSG SIZE  rcvd: 494

Validating a broken DNSSEC domain:

Trying to resolve a domain that has DNSSEC problems should return only a SERVFAIL return code without any DNS data. A SERVFAIL on its own can also mean the zone was unreachable; to confirm it is a validation failure, repeat the query with +cd (Checking Disabled): the resolver should then return the data, without the AD flag.
~  dig www.dnssec-failed.org              

; <<>> DiG 9.7.2-P2 <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17692
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.dnssec-failed.org.        IN    A

;; Query time: 108 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Fri Nov 19 16:08:29 2010
;; MSG SIZE  rcvd: 39

Requesting a domain that is not DNSSEC signed should return a normal DNS answer (NOERROR) without the AD flag, even when the DO flag is set:

~  dig www.google.com +dnssec      

; <<>> DiG 9.7.2-P2 <<>> www.google.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50839
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com.            IN    A

;; ANSWER SECTION:
www.google.com.        520764    IN    CNAME    www.l.google.com.
www.l.google.com.    300    IN    A    74.125.77.99
www.l.google.com.    300    IN    A    74.125.77.104
www.l.google.com.    300    IN    A    74.125.77.147

;; Query time: 37 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Fri Nov 19 16:10:06 2010
;; MSG SIZE  rcvd: 111
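The following script runs the three checks above against one resolver and judges each answer from dig's header lines. It is added here as an example and is not part of the original page. It assumes dig is installed, that the resolver address is passed as the first argument, and that the three names used on this page (pir.org signed, www.dnssec-failed.org deliberately broken, www.google.com unsigned) still have the DNSSEC status shown here; the function and output names are the script's own. A SERVFAIL is cross-checked with +cd so that an unreachable zone is not mistaken for a validation failure.

```shell
#!/bin/sh
# Added example (not from the original page): drive the three DNSSEC
# validator checks against one resolver.
# Assumptions: dig is installed; pir.org is signed, www.dnssec-failed.org
# is deliberately broken and www.google.com is unsigned, as on this page.

# Read a complete dig response on stdin and print one word:
#   SECURE        NOERROR with the AD flag (validated)
#   INSECURE      NOERROR without AD (unsigned zone, or no validation done)
#   BOGUS         SERVFAIL (validation failed, or the zone was unreachable)
#   NOANSWER      no header at all (timeout, resolver down)
#   OTHER:<rcode> NXDOMAIN, REFUSED, ...
dnssec_state() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        "")       echo NOANSWER ;;
        SERVFAIL) echo BOGUS ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo SECURE ;;
                *)        echo INSECURE ;;
            esac ;;
        *)        echo "OTHER:$status" ;;
    esac
}

# Query resolver $1 for name $2 with the DO bit set and compare with $3.
# A SERVFAIL only proves validation if the same query succeeds with +cd
# (Checking Disabled): the resolver then has the data and refused it
# because the signatures did not validate. If +cd fails too, the zone is
# unreachable and the validator has not actually been exercised.
expect() {
    resolver=$1; name=$2; want=$3
    got=$(dig "@$resolver" "$name" A +dnssec +time=5 +tries=1 | dnssec_state)
    if [ "$got" = BOGUS ]; then
        cd_state=$(dig "@$resolver" "$name" A +dnssec +cd +time=5 +tries=1 | dnssec_state)
        case "$cd_state" in
            SECURE|INSECURE) ;;   # data is there: the SERVFAIL was a validation failure
            *) echo "WARN $name: fails even with +cd ($cd_state), zone unreachable rather than bogus"
               return 1 ;;
        esac
    fi
    if [ "$got" = "$want" ]; then
        echo "PASS $name: $got"
    else
        echo "FAIL $name: expected $want, got $got"
        return 1
    fi
}

# The three checks from this page; returns non-zero if any of them fails.
check_resolver() {
    r=$1; rc=0
    expect "$r" pir.org               SECURE   || rc=1
    expect "$r" www.dnssec-failed.org BOGUS    || rc=1
    expect "$r" www.google.com        INSECURE || rc=1
    return $rc
}

# Usage: sh check_validator.sh 192.168.1.2
if [ $# -gt 0 ]; then
    check_resolver "$1"
fi
```

The script exits non-zero when any check fails, so it can be dropped into a post-install or monitoring job; dnssec_state can also be used on its own by piping any saved dig output into it.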