How to test and validate DNSSEC using dig command line


How to test and validate DNSSEC using dig

Open the terminal application on your Linux/Unix/macOS desktop.
1. Use dig to verify DNSSEC records, run: dig YOUR-DOMAIN-NAME +dnssec +short
2. Grab the public key used to verify the DNS records, execute: dig DNSKEY YOUR-DOMAIN-NAME +short
3. Show the DNSSEC chain of trust with the dig command: dig DS YOUR-DOMAIN-NAME +trace
4. Do DNSSEC verification with dig, running the following commands:

dig . DNSKEY | grep -Ev '^($|;)' > keys

dig +sigchase +trusted-key=./keys YOUR-DOMAIN-NAME. A | less

dig +sigchase +trusted-key=./keys YOUR-DOMAIN-NAME. A | grep -i validation

How do I test and validate DNSSEC using the dig command line under Linux, macOS, *BSD, and Unix-like systems?

DNSSEC is an acronym for Domain Name System Security Extensions. It is a suite of Internet Engineering Task Force (IETF) specifications that add origin authentication and integrity protection to DNS data by signing zones with public-key cryptography. Dig is a DNS lookup tool that queries DNS servers for DNS records; for instance, dig can tell you the IP address of a mail server or website via a DNS resolver. DNSSEC helps mitigate attacks that tamper with DNS responses, such as cache poisoning, pharming, and man-in-the-middle attacks. Note that DNSSEC provides authenticity and integrity, not confidentiality: the records stay visible on the wire. This page explains how to test and validate DNSSEC for a domain, and how to spot DNSSEC problems that break DNS resolution, using the dig command.

Let us see all commands and examples in details.

Is DNSSEC enabled for given domain name?

A Delegation Signer (DS) record is published in the parent zone (for example, in .biz for cyberciti.biz) and holds a hash of the child zone's key-signing key. Its presence means the parent vouches for the child's DNSSEC keys, so DNSSEC is enabled for that delegation. Let us print the DS record for a domain using dig:

dig DS {domain-name}

dig DS google.com

dig DS cyberciti.biz +short

A DNSKEY record holds a public key that DNS resolvers use to verify DNSSEC signatures (RRSIG records). A flags value of 257 marks a key-signing key (KSK), 256 a zone-signing key (ZSK). To show DNSKEY records, run:

dig DNSKEY {domain-name}

dig DNSKEY google.com

dig DNSKEY cyberciti.biz +short

Please note that google.com returned no DS and no DNSKEY records (at the time of writing). In other words, that domain is not DNSSEC-signed. Watch the other direction too: a DNSKEY without a matching DS in the parent means the zone is signed but not linked into the chain of trust, so validating resolvers treat it as unsigned.

Validate dnssec using dig

Next we will query for a name and ask for DNSSEC data. The syntax is pretty easy:

dig +dnssec {domain-name}.

dig +dnssec www.cyberciti.biz. +short

dig +dnssec www.cyberciti.biz.

First, pass the +dnssec flag so that dig sets the DO (DNSSEC OK) bit in the EDNS header and the resolver includes RRSIG records in its reply. Second, watch for the ad flag in the header line; it stands for Authenticated Data and means the resolver validated the answer (my resolver is configured to perform DNSSEC validation itself). Third, look for the RRSIG line in the ANSWER section. Keep in mind that dig does not validate anything in this mode: the ad flag is an assertion by the resolver, so it is only meaningful if you trust that resolver and the network path to it. With +multi, dig prints the RRSIG over several lines, which is easier to read:

dig cyberciti.biz +dnssec +multi

Sample outputs:

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> cyberciti.biz +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53272
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cyberciti.biz.         IN A

;; ANSWER SECTION:
cyberciti.biz.          135 IN A 104.20.187.5
cyberciti.biz.          135 IN A 104.20.186.5
cyberciti.biz.          135 IN RRSIG A 13 2 300 (
                                20191212194711 20191210174711 34505 cyberciti.biz.
                                meJ8aERJ6AddCA3Fbno7ixH63hRQTal0wXCnaJG8de4z
                                yhXDJRMXYJshPnKR6ucKONa/R6SO4rivCxSiqSfcsw== )

;; Query time: 0 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Thu Dec 12 00:19:55 IST 2019
;; MSG SIZE  rcvd: 183

An example of failed DNSSEC validation

Run the following dig commands against domains that are deliberately signed with broken DNSSEC:

dig www.dnssec-failed.org

dig www.brokendnssec.net +dnssec

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> www.brokendnssec.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.brokendnssec.net.  IN A

;; Query time: 1378 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Thu Dec 12 00:08:50 IST 2019
;; MSG SIZE  rcvd: 49

The above dig command returned SERVFAIL because the validating resolver rejected the zone data: the signatures did not verify against the chain of trust. SERVFAIL on its own does not prove a DNSSEC problem, since a dead or misconfigured upstream produces the same code. To tell the two apart, repeat the query with the +cd (checking disabled) option, which asks the resolver to skip validation: a bogus zone then answers normally, while a real outage still fails.

Test dnssec using dig

We can display the DNSSEC chain of trust with the dig command. The +trace option makes dig iterate from the root servers itself instead of asking your resolver, so you see each delegation step on the way down. Querying the DS record with +trace shows where the DS for your zone is published in the parent zone (and the DS records of the parent zones above it). Note that with +trace the @server argument is only used to fetch the root NS list; the remaining queries go straight to the authoritative servers:

dig DS {your-domain.} +trace

dig DS google.com +trace @8.8.4.4

dig DS google.com +trace @1.1.1.1

dig DS cyberciti.biz +trace

dig DS cyberciti.biz +trace @8.8.8.8

Complete example

Let us see how to test the validity of DNSSEC from a Linux or Unix/macOS command line. First, grab the root zone's DNSKEY records and strip the comment and blank lines, saving the result as a trust-anchor file. Run the following dig command along with the grep command:

dig . DNSKEY | grep -Ev '^($|;)' > keys

This key set arrives over plain DNS from your resolver, so it is only as trustworthy as that path. Before using it as an anchor, compare the key with flags 257 (the key-signing key) against the root trust anchor that IANA publishes out of band; the key with flags 256 is the zone-signing key and is not a trust anchor.

Use the cat command to see keys:

cat keys

Sample outputs:

.   49440   IN  DNSKEY  256 3 8 AwEAAbPwrxwtOMENWvblQbUFwBllR7ZtXsu9rg/LdyklKs9gU2GQTeOc 59XjhuAPZ4WrT09z6YPL+vzIIJqnG3Hiru7hFUQ4pH0qsLNxrsuZrZYm XAKoVa9SXL1Ap0LygwrIugEk1G4v7Rk/Alt1jLUIE+ZymGtSEhIuGQdX rEmj3ffzXY13H42X4Ja3vJTn/WIQOXY7vwHXGDypSh9j0Tt0hknF1yVJ CrIpfkhFWihMKNdMzMprD4bV+PDLRA5YSn3OPIeUnRn9qBUCN11LXQKb +W3Jg+m/5xQRQJzJ/qXgDh1+aN+Mc9AstP29Y/ZLFmF6cKtL2zoUMN5I 5QymeSkJJzc=
.   49440   IN  DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=

Finally, do DNSSEC verification with dig as follows. Unlike the +dnssec queries above, +sigchase makes dig itself walk the signature chain from the trusted key down to the answer, so it does not depend on the resolver's ad flag. Note that the +sigchase and +trusted-key options were removed from dig in BIND 9.15 (2019); on newer BIND releases use delv, which validates with a built-in root trust anchor, instead:

dig +sigchase +trusted-key=./keys www.cyberciti.biz. A | more

dig +sigchase +trusted-key=./keys www.cyberciti.biz. A | grep -i validation

Sample outputs from last command:

;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
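The keys file above was fetched over plain DNS, so the step that actually anchors trust is comparing its 257 key with the IANA root trust anchor obtained out of band. The following script is an added example (not code from the original page or from BIND): it derives the key tag (RFC 4034, Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4 with RFC 4509) from a DNSKEY record and compares them with the published root anchor for KSK-2017 (key tag 20326). The 257 key string is the one from the keys file above with its whitespace removed; the function and variable names are this example's own, and it assumes GNU base64, od, awk and sha256sum are available.

```shell
#!/bin/sh
# Added example, not code from the original page. The keys file produced by
# `dig . DNSKEY` arrives over plain, unauthenticated DNS, so before using it as
# a trust anchor the KSK (flags 257) should be compared with the root trust
# anchor that IANA publishes out of band. This script derives the key tag
# (RFC 4034, Appendix B) and the SHA-256 DS digest (RFC 4034 section 5.1.4,
# RFC 4509) from a DNSKEY and compares them with that anchor.
# Requires base64(1), od(1), awk(1) and sha256sum(1); on macOS replace
# sha256sum with `shasum -a 256`.

# IANA root trust anchor, KSK-2017:  . IN DS 20326 8 2 E06D44B8...
ROOT_KSK_TAG=20326
ROOT_KSK_DS=E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

byte() {                        # byte N  -> emits the single byte with value N
    printf "\\$(printf '%03o' "$1")"
}

name_wire() {                   # name_wire example.com.  -> DNS wire-format name
    name=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')     # canonical form: lowercase
    oldifs=$IFS; IFS=.
    for label in $name; do
        byte "${#label}"; printf '%s' "$label"
    done
    IFS=$oldifs
    byte 0                      # the root label terminates the name
}

dnskey_rdata() {                # dnskey_rdata FLAGS PROTO ALG BASE64KEY -> raw RDATA
    byte $(( $1 / 256 )); byte $(( $1 % 256 )); byte "$2"; byte "$3"
    printf '%s' "$4" | tr -d ' \t' | base64 -d
}

keytag() {                      # stdin: RDATA bytes -> RFC 4034 Appendix B key tag
    od -An -v -tu1 | tr -s ' \n' '\n' | awk '
        NF { if (i++ % 2 == 0) ac += $1 * 256; else ac += $1 }
        END { ac += int(ac / 65536); print ac % 65536 }'
}

dnskey_keytag() {               # dnskey_keytag FLAGS PROTO ALG BASE64KEY
    dnskey_rdata "$1" "$2" "$3" "$4" | keytag
}

ds_digest() {                   # ds_digest OWNER FLAGS PROTO ALG BASE64KEY -> SHA-256 hex
    { name_wire "$1"; dnskey_rdata "$2" "$3" "$4" "$5"; } | sha256sum | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

verify_root_ksk() {             # verify_root_ksk FLAGS PROTO ALG BASE64KEY -> 0 if trusted
    [ "$1" = 257 ] || return 1                      # must be a KSK (SEP) key
    [ "$(dnskey_keytag "$1" "$2" "$3" "$4")" = "$ROOT_KSK_TAG" ] || return 1
    [ "$(ds_digest . "$1" "$2" "$3" "$4")" = "$ROOT_KSK_DS" ]
}

# Scan a keys file written by `dig . DNSKEY | grep -Ev '^($|;)' > keys`
# and succeed only if one of its DNSKEY lines is the IANA root KSK.
check_keys_file() {             # check_keys_file keys
    rc=1
    while read -r owner ttl class type flags proto alg key; do
        [ "$type" = DNSKEY ] && [ "$owner" = . ] || continue
        if verify_root_ksk "$flags" "$proto" "$alg" "$key"; then
            echo "trusted root KSK found (key tag $ROOT_KSK_TAG)"; rc=0
        fi
    done < "$1"
    return $rc
}

# The 257 key from the keys file shown on this page, base64 joined into one string.
ROOT_KSK_2017="AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="

if [ "$#" -eq 1 ]; then check_keys_file "$1"; fi
```

Run it as `sh check-root-ksk.sh keys` (the file name is this example's own choice) after producing the keys file; it exits 0 only when the 257 key in that file matches the IANA anchor, which is the check that turns a key set fetched over untrusted DNS into a trust anchor you can hand to +trusted-key or to a resolver configuration.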

Can I request a domain that is not DNSSEC-signed and just get a normal DNS answer?

Yes. A validating resolver still answers normally for unsigned zones; DNSSEC calls this an insecure result, as opposed to a bogus one. The parent zone proves, through its signed NSEC or NSEC3 records, that no DS exists for the child, and the resolver stops validating at that point. Here is how it looks for apple.com; note that the ad flag is missing from the header and that the answer contains no RRSIG records:

dig www.apple.com +dnssec

Sample outputs:

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> www.apple.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4032
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.apple.com.         IN A

;; ANSWER SECTION:
www.apple.com.          806  IN CNAME www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 3592 IN CNAME www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net. 2182 IN CNAME e6858.dsce9.akamaiedge.net.
e6858.dsce9.akamaiedge.net. 20 IN A 23.66.255.148

;; Query time: 360 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Thu Dec 12 00:24:42 IST 2019
;; MSG SIZE  rcvd: 193
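The three outputs on this page (the validated cyberciti.biz answer, the SERVFAIL for www.brokendnssec.net, and the unsigned www.apple.com answer) are the three outcomes a practitioner has to tell apart, and the header flags plus a second query with +cd are enough to do it. The script below is an added example, not code from the original page: it parses the text that dig prints and classifies it, so it can be run over saved output or wrapped around live queries. The sample outputs embedded in it are constructed and trimmed from the shapes shown above; in particular the +cd reply for www.brokendnssec.net, with its 192.0.2.1 address, is made up for the example rather than captured from the real zone.

```shell
#!/bin/sh
# Added example, not code from the original page. Classifies a name's DNSSEC
# status from the text printed by `dig +dnssec NAME`, optionally together with
# the text printed by `dig +dnssec +cd NAME`. The +cd (checking disabled) query
# asks the resolver to answer without validating, which is what separates a
# bogus zone (SERVFAIL normally, an answer with +cd) from a resolver or
# upstream outage (SERVFAIL both ways).
#
# dnssec_status prints one of:
#   secure        NOERROR, ad flag set, RRSIG present in the answer
#   inconsistent  NOERROR, ad flag set, but no RRSIG (DO bit not honoured)
#   insecure      NOERROR without ad: unsigned zone, or a non-validating resolver
#   bogus         SERVFAIL, yet the +cd query gets an answer
#   servfail      SERVFAIL and either no +cd output given or +cd fails as well

rcode_of() {                    # rcode_of "<dig output>"  -> NOERROR, SERVFAIL, ...
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

has_flag() {                    # has_flag "<dig output>" ad   (header flags only)
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

has_rrsig() {                   # any non-comment record line of type RRSIG
    printf '%s\n' "$1" | grep -Eq '^[^;].*[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'
}

dnssec_status() {               # dnssec_status "<dig output>" ["<dig +cd output>"]
    out=$1
    cd_out=${2:-}
    case "$(rcode_of "$out")" in
        NOERROR)
            if has_flag "$out" ad; then
                if has_rrsig "$out"; then echo secure; else echo inconsistent; fi
            else
                echo insecure
            fi
            ;;
        SERVFAIL)
            if [ -n "$cd_out" ] && [ "$(rcode_of "$cd_out")" = NOERROR ]; then
                echo bogus
            else
                echo servfail
            fi
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Live check against the system resolver: check_live www.example.com
check_live() {
    dnssec_status "$(dig +dnssec "$1" 2>&1)" "$(dig +dnssec +cd "$1" 2>&1)"
}

# Constructed samples, trimmed to the shape of the dig outputs shown on this page.
SECURE_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53272
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
cyberciti.biz.   135 IN A     104.20.187.5
cyberciti.biz.   135 IN RRSIG A 13 2 300 20191212194711 20191210174711 34505 cyberciti.biz. meJ8aERJ...
EOF
)

INSECURE_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4032
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.apple.com.   806 IN CNAME www.apple.com.edgekey.net.
EOF
)

BOGUS_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
EOF
)

# Constructed +cd reply for the same name; 192.0.2.1 is a documentation-range
# placeholder, not the zone's real data.
BOGUS_CD_SAMPLE=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22088
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
www.brokendnssec.net. 300 IN A     192.0.2.1
www.brokendnssec.net. 300 IN RRSIG A 8 3 300 20191220000000 20191201000000 12345 brokendnssec.net. bogus...
EOF
)

if [ "$#" -eq 1 ]; then check_live "$1"; fi
```

Invoked with a name, the script issues both queries to the system resolver and prints one word. The distinction it draws matters operationally: "insecure" for a zone you believe to be signed usually means the DS in the parent is missing or the resolver is not validating at all, while "bogus" points at expired signatures, a key rollover gone wrong, or tampering in transit.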

Troubleshooting DNSSEC when dig is not installed or not supported on your OS/mobile device

Try the following online tools (enter your domain name):

Conclusion

You learned how to use the dig command for DNSSEC verification under Linux, macOS, *BSD, and Unix-like systems. See the dig and delv manual pages for more information.