Validating a DNSSEC installation

Mark Andrews marka at isc.org
Fri Jun 12 02:08:24 UTC 2009


In message <4A3177C1.5040101 at lotspeich.org>, Erik Lotspeich writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> Although I'm not new to DNS, I'm new to DNSSEC.  I have read
> documentation and howtos regarding DNSSEC.
> 
> I believe that I have it configured and working for my domain,
> lotspeich.org.  I have registered with the ISC's DLV registry.  I am
> having trouble finding the best way for me to validate that my setup is
> working and that my zone validates.  I've looked into drill and
> dnssec-tools, but it isn't clear to me how to use these tools with ISC's
> DLV.
> 
> Any help would be greatly appreciated.
> 
> Regards,
> 
> Erik.

	The simplest way is to configure a caching only server to 
	use dlv and run queries against it.

	dig +adflag soa <zone>
	dig +dnssec soa <zone>

	and look for the "ad" flag in the response.

e.g.

; <<>> DiG 9.3.6-P1 <<>> +adflag isc.org soa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41624
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;isc.org.			IN	SOA

;; ANSWER SECTION:
isc.org.		7030	IN	SOA	ns-int.isc.org. hostmaster.isc.org. 2009061200 7200 3600 24796800 3600

;; AUTHORITY SECTION:
isc.org.		35695	IN	NS	ns-ext.nrt1.isc.org.
isc.org.		35695	IN	NS	ams.sns-pb.isc.org.
isc.org.		35695	IN	NS	ord.sns-pb.isc.org.
isc.org.		35695	IN	NS	sfba.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ams.sns-pb.isc.org.	35695	IN	A	199.6.1.30
ord.sns-pb.isc.org.	35695	IN	A	199.6.0.30
sfba.sns-pb.isc.org.	35695	IN	A	149.20.64.3
sfba.sns-pb.isc.org.	35693	IN	AAAA	2001:4f8:0:2::19

;; Query time: 180 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 12:07:03 2009
;; MSG SIZE  rcvd: 243

	Note the DLV record for lotspeich.org is not currently being
	published.  When you look at "Managed Zones" you should see
	a green tick and "Good" for the records to be published.
	If you don't see this then look at "Help" to see what is being
	reported.   If you can't address the problem use the
	"Contact Us" link.


; <<>> DiG 9.3.6-P1 <<>> dlv lotspeich.org.dlv.isc.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25701
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;lotspeich.org.dlv.isc.org.	IN	DLV

;; AUTHORITY SECTION:
dlv.isc.org.		3440	IN	SOA	ns-int.isc.org. hostmaster.isc.org. 2009060800 7200 3600 2419200 3600

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 12:00:30 2009
;; MSG SIZE  rcvd: 97

	Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
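The checks described in the reply above (query a validating, DLV-enabled caching resolver and look for the "ad" flag; query the DLV name to see whether the registry is publishing your record), as an added example that is not part of the original mail or of BIND: a small Python script that parses `dig` output and reports the validation state. The function names are my own; the two sample outputs embedded below are trimmed copies of the `dig` transcripts quoted in the mail, and the optional `run_dig` helper assumes a `dig` binary on the PATH and a resolver listening on 127.0.0.1.

```python
"""Interpret `dig` output from a validating resolver (added example).

Usage against a live resolver (needs network and a local validating
resolver, as in the mail):
    print(classify(run_dig("@127.0.0.1", "+adflag", "soa", "isc.org")))
    print(dlv_published(run_dig("@127.0.0.1", "dlv", "isc.org.dlv.isc.org")))
"""
import re
import subprocess

# Header and flags lines as printed by dig 9.x.
HEADER_RE = re.compile(
    r"^;; ->>HEADER<<- opcode: (?P<opcode>\w+), status: (?P<status>\w+), id: (?P<id>\d+)",
    re.M,
)
FLAGS_RE = re.compile(
    r"^;; flags: (?P<flags>[a-z ]*);\s*QUERY: (?P<q>\d+), ANSWER: (?P<an>\d+), "
    r"AUTHORITY: (?P<au>\d+), ADDITIONAL: (?P<ad>\d+)",
    re.M,
)


def parse_dig(output: str) -> dict:
    """Extract status, header flags and section counts from dig output."""
    h = HEADER_RE.search(output)
    f = FLAGS_RE.search(output)
    if not h or not f:
        raise ValueError("not dig output: HEADER or flags line missing")
    return {
        "status": h.group("status"),
        "flags": set(f.group("flags").split()),
        "answer": int(f.group("an")),
    }


def is_validated(output: str) -> bool:
    """True when the resolver answered NOERROR with the AD (authenticated data) bit set."""
    info = parse_dig(output)
    return info["status"] == "NOERROR" and "ad" in info["flags"]


def dlv_published(output: str) -> bool:
    """True when a DLV query returned at least one record (NXDOMAIN means not published)."""
    info = parse_dig(output)
    return info["status"] == "NOERROR" and info["answer"] > 0


def classify(output: str) -> str:
    """Summarise what the answer tells you about validation.

    secure   - AD set: the resolver validated the chain (via trust anchor or DLV)
    insecure - no AD: zone unsigned, no chain to a trust anchor, or resolver not validating
    bogus    - SERVFAIL: typically a validation failure (or the zone is unreachable)
    """
    info = parse_dig(output)
    if info["status"] == "SERVFAIL":
        return "bogus"
    if info["status"] not in ("NOERROR", "NXDOMAIN"):
        return info["status"].lower()
    return "secure" if "ad" in info["flags"] else "insecure"


def run_dig(*args: str) -> str:
    """Run the real dig binary (assumed on PATH) and return its text output."""
    return subprocess.run(["dig", *args], capture_output=True, text=True, check=True).stdout


# Sample transcripts, trimmed from the mail above.
SAMPLE_SOA = """\
; <<>> DiG 9.3.6-P1 <<>> +adflag isc.org soa
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41624
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; ANSWER SECTION:
isc.org.\t\t7030\tIN\tSOA\tns-int.isc.org. hostmaster.isc.org. 2009061200 7200 3600 24796800 3600
"""

SAMPLE_DLV = """\
; <<>> DiG 9.3.6-P1 <<>> dlv lotspeich.org.dlv.isc.org
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25701
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
dlv.isc.org.\t\t3440\tIN\tSOA\tns-int.isc.org. hostmaster.isc.org. 2009060800 7200 3600 2419200 3600
"""

if __name__ == "__main__":
    print("isc.org SOA:", classify(SAMPLE_SOA))          # secure
    print("DLV published:", dlv_published(SAMPLE_DLV))  # False
```

Two caveats the script encodes: AD only means something when the resolver you query is itself validating (a non-validating cache never sets it), and a SERVFAIL from a validating resolver for a zone that answers fine elsewhere is the usual sign of a broken chain rather than an outage, so compare against `dig +cd` before blaming the network.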