Editing DNS Security (section)

= Testing DNSSEC =

== Browser Tests ==

* https://wander.science/projects/dns/dnssec-resolver-test/

* https://www.cloudflare.com/ssl/encrypted-sni/

​

== DNSKEY Test ==

'''1.''' Learn how to interpret the results.

​

See the following '''A)''' vs '''B)'''.

​

'''A)''' Something similar to the following would be showed if the system resolver does <u>not</u> have DNSSEC support.

​

<pre>

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +multiline . DNSKEY

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 42982

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

​

;; WARNING: EDNS query returned status NOTIMP - retry with '+noedns'

​

;; QUESTION SECTION:

;.          IN DNSKEY

​

;; Query time: 0 msec

;; SERVER: 10.139.1.1#53(10.139.1.1)

;; WHEN: Wed Jul 17 17:41:33 UTC 2019

;; MSG SIZE  rcvd: 17

</pre>

​

'''B)''' Something similar to the following would be showed if the system resolver <u>has</u> DNSSEC support.

​

<pre>

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> +multiline . DNSKEY

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63055

;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

​

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 1252

;; QUESTION SECTION:

;.          IN DNSKEY

​

;; ANSWER SECTION:

.           8461 IN DNSKEY 256 3 8 (

                AwEAAcTQyaIe6nt3xSPOG2L/YfwBkOVTJN6mlnZ249O5

                Rtt3ZSRQHxQSW61AODYw6bvgxrrGq8eeOuenFjcSYgNA

                McBYoEYYmKDW6e9EryW4ZaT/MCq+8Am06oR40xAA3fCl

                OM6QjRcT85tP41Go946AicBGP8XOP/Aj1aI/oPRGzRnb

                oUPUok/AzTNnW5npBU69+BuiIwYE7mQOiNBFePyvjQBd

                oiuYbmuD3Py0IyjlBxzZUXbqLsRL9gYFkCqeTY29Ik7u

                suzMTa+JRSLz6KGS5RSJ7CTSMjZg8aNaUbN2dvGhakJP

                h92HnLvMA3TefFgbKJphFNPA3BWSKLZ02cRWXqM=

                ) ; ZSK; alg = RSASHA256 ; key id = 59944

.           8461 IN DNSKEY 257 3 8 (

                AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO

                iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN

                7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5

                LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8

                efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7

                pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY

                A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws

                9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=

                ) ; KSK; alg = RSASHA256 ; key id = 20326

​

;; Query time: 0 msec

;; SERVER: 127.0.2.1#53(127.0.2.1)

;; WHEN: Wed Jul 17 17:43:09 UTC 2019

;; MSG SIZE  rcvd: 578

</pre>

​

'''2.''' Run the following command.

​

{{CodeSelect|code=

dig +multiline . DNSKEY

}}

​

'''3.''' Internet the result.

​

'''4.''' Done.

​

DNSSEC DNSKEY test has been completed.

​

== dig +dnssec Test ==

Test with dig.

​

{{CodeSelect|code=

dig +dnssec nic.cz @localhost

}}

​

Please refer to upstream documentation on how to interpret the DNSSEC test results.

​