21
5
DNSSEC has been deployed on some top-level domains now. But how could I see if a site/domain is using DNSSEC? Is it shown in the browser? Or is there any Windows or Linux command to see it? Or a tool for it?
20
dig [zone] dnskey
That will show you if there is the required DNSKEY RRset in the zone that will be used to validate the RRsets in the zone.
If you want to see if your recursive server is validating the zone,
dig +dnssec [zone] dnskey
This will set the DO (DNSSEC OK) bit on the outbound query and cause the upstream resolver to set the AD (authenticated data) bit on the return packet if the data is validated, and also provide you with the related RRSIGs (if the zone in question is signed) even if it is not able to validate the response.
You might want to take a look at the last group of slides in my "DNSSEC in 6 Minutes" presentation (lots about debugging DNSSEC). That presentation is a bit long in the tooth about deploying DNSSEC (you should really look at BIND 9.7 for the good stuff), but debugging has changed little.
There is also a presentation I gave at NANOG 50 about BIND 9.7 DNSSEC deployment.
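What the DO and AD bits described in the answer above look like on the wire, as an added example that is not part of the original answer: it builds the query that `dig +dnssec [zone] dnskey` would send and classifies a response by its AD flag and RRSIG records. The sample responses are constructed for example.com, and the function names and status strings are this example's own.

```python
import struct

DNSKEY, RRSIG, OPT = 48, 46, 41  # RR type codes
AD_FLAG = 0x0020  # header flag: Authenticated Data, set by a validating resolver
DO_FLAG = 0x8000  # EDNS0 flag inside the OPT record's TTL field: DNSSEC OK

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(zone, qtype=DNSKEY, dnssec_ok=True, qid=0x1234):
    # Like dig +dnssec: an OPT pseudo-record in the additional section carries DO.
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(zone) + struct.pack("!2H", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, DO_FLAG if dnssec_ok else 0, 0)
    return header + question + opt

def skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:  # walk uncompressed labels
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)          # pointer is 2 bytes, root label is 1

def dnssec_status(msg):
    # AD set: the resolver validated. RRSIGs without AD: signed but not validated.
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS follow the name
    has_rrsig = False
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        has_rrsig |= rtype == RRSIG
        off += 10 + rdlen
    if flags & AD_FLAG:
        return "validated by resolver"
    return "signed, not validated" if has_rrsig else "no DNSSEC data returned"

def sample_response(flags, rtypes, zone="example.com"):
    # Constructed response for the demo: one answer RR per type, dummy 4-byte RDATA.
    msg = struct.pack("!6H", 0x1234, flags, 1, len(rtypes), 0, 0)
    msg += encode_name(zone) + struct.pack("!2H", DNSKEY, 1)
    for t in rtypes:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, 4) + b"\x00" * 4
    return msg

if __name__ == "__main__":
    for flags, types in [(0x81A0, [DNSKEY, RRSIG]), (0x8180, [DNSKEY, RRSIG]), (0x8180, [])]:
        print(hex(flags), dnssec_status(sample_response(flags, types)))
```

To check a real resolver, send the bytes from `build_query()` over UDP port 53 and pass the reply to `dnssec_status()`.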
5
I don't believe it is currently shown in the browser.
There is an extension to Firefox which might do what you want:
Alternatively, maybe one of these tools?
-1
On Terminal: dig tunnelix.com +dnssec
You need to find the RRSIG (RRset Signature) that points to a DNSSEC signature.
Answer from Example1: tunnelix.com. 300 IN RRSIG A 13 2 300 20190515200903 20190513180903 34505 tunnelix.com. Bqc6weQYQyCi8rB3wmYxMxDqlkpOzt2wWTMC58QGy6BbX8y+jWxDIFwH DUCJ2Gy0dLFLPDNfVdZ9RmPRlbNvQw==
Otherwise, validate your DNSSEC through a free online DNSSEC checker: https://dnssec-debugger.verisignlabs.com
For more information refer to these links which might be useful:
2
Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
– bertieb – 2019-04-30T17:13:42.447
I updated the answer as requested. Thanks – Nitin J Mutkawoa – 2019-05-14T19:21:42.577
2
I've been asked over on serverfault to admit that I actually work for ISC, the maintainers of BIND and ISC DHCP. I'm more than happy to help anyone that has issues with either one (time allowing). – Knobee – 2010-11-06T01:17:54.507
No mention of dig giving a response flag of AD? – John Greene – 2020-01-20T19:28:55.053
Your slides for "DNSSEC in 6 minutes" give a 404 now. Is there a new URL? – e40 – 2013-07-13T16:46:58.073
The new URL appears to be: https://kb.isc.org/article/AA-00820/0/DNSSEC-in-6-minutes.html – e40 – 2013-07-13T16:56:20.357