Validating DNSSEC signed domains

Syntax:

dig @<resolver> <domain> +dnssec +multi

Validating a properly DNSSEC-signed domain

Look out for the Authenticated Data (AD) bit in the flags.
Querying a DNSSEC-signed domain with the DO (DNSSEC OK) bit set should return an answer with the AD flag set in the header, meaning the resolver validated the signatures.

$ dig +dnssec +multi whitehouse.gov

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> +dnssec +multi whitehouse.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8407
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;whitehouse.gov.                     IN A

;; ANSWER SECTION:
whitehouse.gov.                      20 IN A            23.200.94.83
whitehouse.gov.                      20 IN RRSIG A 7 2 20 20160923132441 (
                                                20160920122441 24695 whitehouse.gov.
                                                I5nNZV8jXvWdMt6/MrctYMjL6e0sRWI+LGwkkafKrHS9
                                                ++Pum0CQTucJy8Y1BUVhw83ahrNsivkQar3LGA1kZMHp
                                                HbkRWHwtRzhCkO2SOASJjv+j/mblYgSJznu8t2pqq6vs
                                                Q/3cq93exrK8Zy/izs7nEbhOOnhs7ji4xV5ljTw= )

;; Query time: 2 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Wed Sep 21 02:18:12 2016
;; MSG SIZE  rcvd: 233

Validating broken or misconfigured DNSSEC domains

A domain with DNSSEC problems should return SERVFAIL as the status in the header, provided the resolver you query performs validation.

$ dig dnssec-or-not.org +dnssec +multi
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> @10.180.8.1 dnssec-or-not.org +dnssec +multi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23634
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssec-or-not.org. IN A
;; Query time: 334 msec
;; SERVER: 10.180.8.115#53(10.180.8.115)
;; WHEN: Thu Nov 14 16:46:32 2013
;; MSG SIZE rcvd: 46

Validating non-DNSSEC-signed domains

A domain that is not DNSSEC-signed should resolve normally; the answer comes back NOERROR but without the AD flag.

$ dig +dnssec +multi google.com

; <<>> DiG 9.8.3-P1 <<>> +dnssec +multi google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51197
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;google.com.               IN A

;; ANSWER SECTION:
google.com.                300 IN A 216.58.196.206

;; AUTHORITY SECTION:
google.com.                131822 IN NS ns3.google.com.
google.com.                131822 IN NS ns1.google.com.
google.com.                131822 IN NS ns4.google.com.
google.com.                131822 IN NS ns2.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.                     301984 IN A 216.239.34.10
ns1.google.com.                     301984 IN A 216.239.32.10
ns3.google.com.                     301984 IN A 216.239.36.10
ns4.google.com.                     301984 IN A 216.239.38.10

;; Query time: 305 msec
;; SERVER: 172.28.2.5#53(172.28.2.5)
;; WHEN: Wed Sep 21 13:54:04 2016
;; MSG SIZE  rcvd: 191
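Putting the three checks together, here is an added example (not from the original post) of a POSIX shell script that classifies a domain from the header of the dig answer exactly as the post does by eye: NOERROR with the AD flag is secure, SERVFAIL is bogus or misconfigured, and NOERROR without AD is unsigned or the resolver is not validating. The function names classify_dig_output and check_domain are my own, and check_domain assumes BIND's dig is installed.

```shell
#!/bin/sh
# Added example, not from the original post: classify a domain's DNSSEC
# status from the header of a `dig +dnssec` answer, the way the post does
# by eye. Assumes dig from BIND is installed for check_domain.

# classify_dig_output: read dig output on stdin, print one of
#   secure   - status NOERROR and the AD (Authenticated Data) flag is set
#   bogus    - status SERVFAIL (validation failed or the zone is broken)
#   insecure - status NOERROR without AD (unsigned zone, or the resolver
#              does not validate)
#   unknown  - no header line found or some other status
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" \
        | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" \
        | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo bogus ;;
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# check_domain <domain> [resolver]: run the dig query from the post and
# classify the result. Pass a resolver to compare a validating and a
# non-validating resolver side by side.
check_domain() {
    if [ -n "$2" ]; then
        dig "@$2" "$1" +dnssec +multi | classify_dig_output
    else
        dig "$1" +dnssec +multi | classify_dig_output
    fi
}

# Interpreting "insecure": before trusting it, confirm the resolver
# validates at all by checking that a known signed zone (the post uses
# whitehouse.gov) comes back "secure"; if it does not, the resolver is
# simply not validating and no domain will ever show "bogus".
if [ $# -gt 0 ]; then
    check_domain "$@"
fi
```

Run it as `sh check-dnssec.sh whitehouse.gov` or `sh check-dnssec.sh example.org 10.180.8.1` to pick the resolver, as in the post's second query.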
