I am doing a research project on The Domain Name System Security Extensions (DNSSEC).

I have a SOA, a stub resolver and a client, as well as an attack machine.

My question is this: is there a way to test the validity of the record after a DNS poisoning attack on a Linux client? This check needs to be done from a command line interface.

I verified that the DNSSEC records are set.

Bob Ortiz
anzenketh

1 Answer

According to http://backreference.org/2010/11/17/dnssec-verification-with-dig/:

Obtain root keys. You can do this with dig on an unpoisoned machine:

dig . DNSKEY | grep -Ev '^($|;)' > root.keys

Verify your target dns record:

dig +sigchase +trusted-key=./root.keys www.eurid.eu. A | cat -n

The other alternative is to set up a validating DNS resolver like unbound. I use it to provide DNSSEC security on desktop machines. It's easily available in Fedora 17, or BIND in Debian 7.0. I forget whether there are Debian packages which set up unbound for you, but it's not hard to do manually either.

Then run dig against your secure resolver, and it will show a flat error (SERVFAIL, I think) if there are invalid results. You can also configure unbound to log details about each validation failure.

sourcejedi
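Reading the outcome of that dig run against a validating resolver can be scripted. The following is an added example, not from the answer above or the linked article: a POSIX sh helper that classifies a dig reply by its status code and AD flag, exercised on constructed dig output; the resolver address and the `check_name` wrapper are assumptions.

```shell
#!/bin/sh
# Classify the outcome of a DNSSEC lookup from dig's own output (read on stdin).
# Prints one word:
#   secure   - status NOERROR and the AD (authenticated data) flag is set
#   insecure - NOERROR without AD (zone unsigned, or resolver not validating)
#   bogus    - SERVFAIL, which a validating resolver returns when signature
#              verification fails; a poisoned record looks like this to the client
#   error    - anything else (no reply, REFUSED, NXDOMAIN, ...)
dnssec_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL) echo bogus ;;
        *)        echo error ;;
    esac
}

# Live check (assumed wrapper): +dnssec sets the DO bit so the AD flag in the
# reply is meaningful. If this prints "bogus" but the same query with +cd
# (checking disabled) answers NOERROR, the failure is validation, not reachability.
check_name() {  # usage: check_name <resolver-ip> <name> [type]
    dig +dnssec "@$1" "$2" "${3:-A}" | dnssec_verdict
}

# Constructed, abbreviated dig replies (not captured from a real server) to
# exercise the classifier offline.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

for s in "$SAMPLE_SECURE" "$SAMPLE_INSECURE" "$SAMPLE_BOGUS"; do
    printf '%s\n' "$s" | dnssec_verdict
done
```

For a real run, point `check_name` at the local unbound or BIND instance (for example `check_name 127.0.0.1 www.example.com A`).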