How can I check if a name server supports DNSSEC?

5

1

My Advanced Tomato Router uses the local ISP DNS servers. How can I see if those name servers support DNSSEC?

Similar to How can I check if a domain uses DNSSEC? but not domain.

enter image description here

Ivanov

Posted 2016-11-12T14:23:10.917

Reputation: 517

Answers

9

On BSD/Linux, use dig to send a DNS query with the do (request DNSSEC) flag set. (This needs a domain that's DNSSEC-signed.) For example:

dig +dnssec isc.org @8.8.8.8

If the nameserver supports DNSSEC, it'll automatically include "RRSIG" records in the reply:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;isc.org.           IN  A

;; ANSWER SECTION:
isc.org.        29  IN  A       149.20.64.69
isc.org.        29  IN  RRSIG   A 5 2 60 20161207234041 20161107234041 13953 isc.org. [omitted]

If the server doesn't understand do, the "Answer" section will only include what was requested:

;; QUESTION SECTION:
;isc.org.           IN  A

;; ANSWER SECTION:
isc.org.        60  IN  A   149.20.64.69

user1686

Posted 2016-11-12T14:23:10.917

Reputation: 283 655

Asked: 2016-11-12T14:23:10.917

Viewed: 2 041 times

Active: 2018-08-26T17:47:09.513