Verifying the DNSSEC function is working

You can use the DIG (domain information groper) tool to verify that the DNSSEC function is working correctly.

Suppose you have a signed zone named example.com on your DNS server and inside that zone there is an A record 192.168.1.101 for host1.example.com.

To verify the DNSSEC function with DIG, follow these steps:

  1. At the command line, type DIG HOSTNAME(host1.example.com) DMNNAMSVR('127.0.0.1') DNSSEC(*YES). DNSSEC(*YES) asks the server to include the DNSSEC records (RRSIG) in its answer, as +dnssec does in standard dig.

    The DNS server is responding correctly if the status is NOERROR, the EDNS flags include do, and the ANSWER section contains both the A record and an RRSIG record covering it, as in the following output. The aa flag only shows that the answer is authoritative; an authoritative server serves signatures but does not validate them, so no ad flag appears here. To confirm that the chain of trust validates, query the zone through a validating resolver and check that the ad flag is set in its answer. The RRSIG expiration and inception fields (20131116055306 and 20131017055306 below, in YYYYMMDDHHMMSS UTC) must bracket the current time; a signature past its expiration fails validation even though the server still returns it.

       ;; global options:   +cmd
       ;; Got answer:
       ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64408
       ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

       ;; OPT PSEUDOSECTION:
       ; EDNS: version: 0, flags: do; udp: 4096
       ;; QUESTION SECTION:
       ;host1.example.com.             IN      A

       ;; ANSWER SECTION:
       host1.example.com.      172800  IN      A       192.168.1.101
       host1.example.com.      172800  IN      RRSIG   A 5 3 172800 20131116055306 20131017055306 11643
                               example.com. i4xLG5ZIc+ifzvdUe91jjPlys2tjM3f1KFSa6H/iDnQfcUNWAS6aEDPY Tpr5ir6xs72mqJYepK5uaWarxDZAZ
                               a86yf7QjRI+9ab7t36O+Og9DRGT qS3G/8JfyZIFeck1QSYT6Hm3JCdaWMWPEfT+l/sYfS3H1YDdN9RxrXMN 5I0=

       ;; AUTHORITY SECTION:
       example.com.            172800  IN      NS      ...
       example.com.            172800  IN      RRSIG   NS ...
         …
  2. Press Enter to quit the session.
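As an added example that is not part of the original page or of the IBM i DNS product, the checks this procedure asks you to make by eye can be scripted. The shell functions below parse a dig response and check the status, the DO bit, the presence of the A record and an RRSIG covering it in the ANSWER section, and whether the RRSIG validity window contains a given time. Both responses in the script are constructed samples modelled on the output above (the signature text is placeholder data, and the unsigned-zone response is assumed for contrast); the function names are this example's own. On a POSIX system the same query is dig @127.0.0.1 host1.example.com A +dnssec, and its output can be passed to check_dnssec_answer together with the current UTC time.

```shell
#!/bin/sh
# Added example, not from the original page or the IBM i DNS product: parse a
# captured dig response and apply the checks the procedure performs by eye.
# SIGNED_RESPONSE is a constructed sample modelled on the page's output; the
# signature data is placeholder text, not a real signature.

SIGNED_RESPONSE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64408
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;host1.example.com.             IN      A

;; ANSWER SECTION:
host1.example.com.      172800  IN      A       192.168.1.101
host1.example.com.      172800  IN      RRSIG   A 5 3 172800 20131116055306 20131017055306 11643 example.com. i4xLG5ZIc+ifzvdUe91jjPlys2tjM3f1KFSa6H/iDnQ=

;; AUTHORITY SECTION:
example.com.            172800  IN      NS      ns1.example.com.
example.com.            172800  IN      RRSIG   NS 5 2 172800 20131116055306 20131017055306 11643 example.com. a86yf7QjRI+9ab7t36O+Og9DRGTqS3G/8JfyZIFeck1Q='

# Constructed response for the same query against an unsigned zone: the server
# supports EDNS and echoes the DO bit, but there are no signatures to return.
UNSIGNED_RESPONSE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;host1.example.com.             IN      A

;; ANSWER SECTION:
host1.example.com.      172800  IN      A       192.168.1.101
'

# Status word from the header line (NOERROR, NXDOMAIN, SERVFAIL, ...).
dig_status() {
  printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Header flags as a space-separated list, e.g. "qr aa rd ra".
dig_header_flags() {
  printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# EDNS flags from the OPT pseudosection; "do" means the DO bit was echoed.
dig_edns_flags() {
  printf '%s\n' "$1" | sed -n 's/^; EDNS: .*flags: *\([^;]*\);.*/\1/p'
}

# Succeeds when FLAG is in the header flag list (use for "aa" or "ad").
dig_has_flag() {
  case " $(dig_header_flags "$1") " in *" $2 "*) return 0 ;; esac
  return 1
}

# Succeeds when the server echoed the DO bit.
dig_has_do() {
  case " $(dig_edns_flags "$1") " in *" do "*) return 0 ;; esac
  return 1
}

# Records of the ANSWER section only (stops at the next ";;" section marker).
dig_answer_records() {
  printf '%s\n' "$1" | awk '/^;; ANSWER SECTION:/ {sec=1; next} /^;;/ {sec=0} sec && NF'
}

# Number of ANSWER records whose type is TYPE.
dig_answer_count() {
  dig_answer_records "$1" | awk -v t="$2" '$4 == t' | wc -l | tr -d ' '
}

# "EXPIRATION INCEPTION" (YYYYMMDDHHMMSS) of the ANSWER RRSIG covering TYPE.
dig_rrsig_window() {
  dig_answer_records "$1" | awk -v t="$2" '$4 == "RRSIG" && $5 == t {print $9, $10; exit}'
}

# The checks from the procedure: NOERROR, DO bit echoed, a TYPE record and an
# RRSIG covering it in ANSWER, and NOW inside the signature validity window.
# NOW is YYYYMMDDHHMMSS in UTC; use "$(date -u +%Y%m%d%H%M%S)" for a live check.
check_dnssec_answer() {
  resp=$1; now=$2; type=${3:-A}; ok=0
  [ "$(dig_status "$resp")" = NOERROR ] || { echo "FAIL: status $(dig_status "$resp")"; ok=1; }
  dig_has_do "$resp" || { echo "FAIL: DO bit not echoed (server is not returning DNSSEC data)"; ok=1; }
  [ "$(dig_answer_count "$resp" "$type")" -gt 0 ] || { echo "FAIL: no $type record in ANSWER"; ok=1; }
  window=$(dig_rrsig_window "$resp" "$type")
  if [ -z "$window" ]; then
    echo "FAIL: no RRSIG covering $type in ANSWER (zone unsigned or signatures not served)"; ok=1
  else
    exp=${window% *}; inc=${window#* }
    if [ "$now" -lt "$inc" ] || [ "$now" -gt "$exp" ]; then
      echo "FAIL: RRSIG for $type is valid $inc..$exp, not at $now (re-sign the zone)"; ok=1
    fi
  fi
  if [ "$ok" -eq 0 ]; then echo "OK: $type answer is signed and its RRSIG is valid at $now"; fi
  return "$ok"
}

# Demonstration on the constructed samples; "|| true" lets the failing cases run.
echo "== signed zone, queried within the signature window =="
check_dnssec_answer "$SIGNED_RESPONSE" 20131101000000 A || true
dig_has_flag "$SIGNED_RESPONSE" ad || echo "note: no ad flag: an authoritative server serves signatures, it does not validate them"
echo "== same answer checked after the signatures expired =="
check_dnssec_answer "$SIGNED_RESPONSE" 20140101000000 A || true
echo "== unsigned zone =="
check_dnssec_answer "$UNSIGNED_RESPONSE" 20131101000000 A || true
# Live use: check_dnssec_answer "$(dig @127.0.0.1 host1.example.com A +dnssec)" "$(date -u +%Y%m%d%H%M%S)" A
```

The unsigned sample shows why the RRSIG check matters: an EDNS-capable server echoes the DO bit whether or not the zone is signed, so the DO flag alone proves nothing about the zone. The expired-signature case is the common operational failure: the server keeps answering with the old RRSIG, and only a validating resolver (or the date comparison above) reveals that resolution will start failing.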