DNSSEC Test

DNSSEC (Domain Name System Security Extensions) is a suite of extensions that adds security to the Domain Name System (DNS). A DNSSEC test typically involves verifying that DNSSEC is properly configured and functioning correctly for a given domain. Here’s a breakdown of what this entails in technical terms:

  1. Validation of DNS Responses: DNSSEC adds a layer of security by enabling DNS responses to be validated. When you conduct a DNSSEC test, you’re essentially checking to see whether the digital signatures attached to DNS data are valid. These signatures help ensure that the data has not been tampered with in transit.
  2. Checking the Chain of Trust: DNSSEC operates on a system of trust anchors and a chain of trust, extending from the root DNS zone down to the individual domain. Each link in this chain must have the correct cryptographic signatures, and a DNSSEC test will often involve verifying that each element in the chain correctly validates against its parent.
  3. DNS Key Management: DNSSEC relies on public key cryptography. The test might involve checking that the public keys retrieved from DNS queries match the keys held by the domain and that they are correctly published in DNS records. This includes verifying the DS (Delegation Signer) records and DNSKEY records.
  4. RRSIG Records: These are DNS Resource Records that contain the cryptographic signature for a set of DNS records. A DNSSEC test will check the validity of these signatures, ensuring they correctly authenticate the associated DNS records.
  5. Handling of SERVFAIL Responses: DNSSEC-aware resolvers return a SERVFAIL error if they cannot successfully validate a DNS response. Part of DNSSEC testing can involve confirming that the DNS infrastructure handles such responses correctly, since a validation failure of this kind points to a misconfiguration or a potential attack.
  6. Testing Software and Configuration: This includes verifying that the DNS servers (both authoritative and recursive) are configured to support DNSSEC, including proper configuration of validators and signing mechanisms.

Which DNSSEC Records should you test?

When using a DNS Checker with a DNSSEC Test, you typically want to look for specific DNS record types that are relevant to DNSSEC as well as the basic DNS records. These are some of the key DNS record types to check:

  1. DNSKEY Record: This record holds the public keys used to sign zones in the DNSSEC system. Checking the DNSKEY records is crucial to ensure that the public keys are properly published and accessible for DNSSEC validation.
  2. DS Record (Delegation Signer): DS records are used to establish a chain of trust between the parent zone and the child zone. They contain a hash of a DNSKEY record that a resolver uses to verify the authenticity of the DNSKEYs in the child zone. Verifying DS records is essential to confirm the integrity of the chain of trust in DNSSEC.
  3. RRSIG (Resource Record Signature): RRSIG records contain the cryptographic signatures that protect the DNS data. Each RRSIG record is associated with another DNS record type (like A, AAAA, MX, etc.), verifying the authenticity of that record set. Checking RRSIG records helps ensure that DNS data has not been tampered with.
  4. SOA Record (Start of Authority): While not specific to DNSSEC, the SOA record is worth checking because, in a signed zone, it carries an RRSIG signature that can be checked for validity. The SOA record also provides administrative information about the zone.
  5. NSEC/NSEC3 Record: These records provide authenticated proof of non-existence, letting a resolver verify that a queried name or record type does not exist in the zone. They also have accompanying RRSIG records, which need to be verified.
  6. A, AAAA, MX, etc.: While these standard DNS records (A for IP addresses, AAAA for IPv6, MX for mail exchanges, etc.) are not specific to DNSSEC, they often come with RRSIG records in a DNSSEC-secured domain. Testing these records alongside their signatures is crucial to ensure overall DNS integrity.

When performing a DNSSEC test using a DNS Checker, you can typically enter the domain name and select which type of DNS record you want to query. The tool will then return the DNS record data along with any DNSSEC-specific data, such as the RRSIG signatures and the status of the DNSSEC validation (valid, invalid, or indeterminate). This helps in confirming that DNSSEC is correctly implemented and functioning as expected for the domain.
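As an added example (not the DNS checker's own code), the DS-to-DNSKEY consistency check from items 3 and 17 above, done offline in pure Python: it computes the RFC 4034 key tag and DS digest from a DNSKEY record and compares them with the parent's DS record. The function names and the toy key bytes are my own assumptions; the sample key is constructed and is not a real DNSSEC key.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types
SAMPLE_KEY_B64 = "AQIDBA=="  # constructed toy key bytes 01 02 03 04, not a real key

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags, protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the variant used for every algorithm except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    return DIGESTS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches_dnskey(owner, flags, protocol, algorithm, pubkey_b64,
                      ds_tag, ds_alg, ds_digest_type, ds_hex):
    """Check a child DNSKEY against a parent DS record; return (ok, reason)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    if not flags & 0x0100:
        return False, "DNSKEY ZONE flag (bit 7) is unset; not a zone key"
    if protocol != 3:
        return False, "DNSKEY protocol field must be 3"
    if ds_alg != algorithm:
        return False, f"algorithm mismatch: DS {ds_alg}, DNSKEY {algorithm}"
    tag = key_tag(rdata)
    if ds_tag != tag:
        return False, f"key tag mismatch: DS {ds_tag}, DNSKEY computes to {tag}"
    if ds_digest_type not in DIGESTS:
        return False, f"unsupported DS digest type {ds_digest_type}"
    if ds_digest(owner, rdata, ds_digest_type) != ds_hex.upper():
        return False, "digest mismatch: DS does not cover this DNSKEY"
    return True, "DS matches DNSKEY; chain of trust link is consistent"
```

Feed it the DNSKEY the child zone publishes and the DS the parent zone publishes; a mismatch means the chain of trust is broken at that delegation, which validating resolvers report as SERVFAIL.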