Steps to check and verify if DNS records are correctly signed

To check and verify if your DNS records are correctly signed and that the chain of trust is intact for DNSSEC, you can follow these steps:

Steps to Verify DNSSEC Configuration

Check DNS Records:

  • Use a DNS lookup tool such as dig. The +dnssec option sets the DO (DNSSEC OK) bit, which asks the server to include RRSIG records in its answer; without it, signatures are not returned even when the zone is signed.
  • Send the query to a validating resolver (add @8.8.8.8 or @1.1.1.1 to pick one explicitly) so that the ad (authenticated data) flag in the reply tells you whether validation succeeded.
  • Command example:
    dig +dnssec nitewall.com

Check for DNSKEY Records:

  • Verify that the DNSKEY records are present and include both the KSK (flags field 257, i.e. the Secure Entry Point bit set) and the ZSK (flags field 256). Adding +multiline makes dig annotate each key with KSK/ZSK, its algorithm and its key id (key tag), which is the number you will compare against the DS record.
  • Command example:
    dig +dnssec nitewall.com DNSKEY

Check for DS Record:

  • Ensure that the DS record in the parent zone (for a .com name, the .com zone; you submit it through your registrar) carries the key tag, algorithm and digest of your current KSK. A DS that points at a key no longer in the zone, or a missing DS, breaks the chain of trust for every record below it.
  • The DS lives in the parent, but you query it under your own name; a resolver returns the parent's copy:
    dig +dnssec nitewall.com DS

Validate DNSSEC Signature:

  • Use dig to fetch a record set together with its signature.
  • Command example:
    dig +dnssec nitewall.com A
  • Look for the RRSIG record in the response. Its presence shows that the record set is signed and which key tag signed it; it does not by itself prove the signature is valid. Validation is the resolver's job: with a validating resolver the flags line contains ad, and a bogus chain produces status: SERVFAIL instead of an answer. If you get SERVFAIL, re-run with +cd (checking disabled); a NOERROR reply then means the data exists and the failure is DNSSEC validation.

Check Chain of Trust:

  • Use a DNSSEC validation tool or online service (such as Verisign’s DNSSEC Debugger or DNSViz) to validate the chain of trust from the root down to your zone.
  • These tools walk the chain (root trust anchor, .com DS and DNSKEY, your DS and DNSKEY) and check that the DS record in the parent zone matches the KSK in your zone. delv from BIND does the same validation locally (delv @8.8.8.8 nitewall.com A) and prints "; fully validated" on success.

Review the Output:

  • Ensure that:
    • The DNSKEY records are present (a 257 KSK and a 256 ZSK).
    • The DS record matches the KSK: same key tag and algorithm, and the digest equals the hash of the KSK.
    • The RRSIG records are present for the resources you are querying, and the current time falls inside each signature's inception/expiration window (an expired RRSIG fails validation exactly like a forged one).
    • There are no validation errors: status is NOERROR and the flags line includes ad when you query a validating resolver.
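The steps above run dig and read the answers by eye. As an added example (written for this page, not part of the original article or of dig itself), the Python script below runs the same +dnssec query against a resolver and applies the checks the steps describe to the text dig prints: the response status, the ad flag, the echoed DO bit, the presence of an RRSIG covering the requested type, and whether that signature's inception/expiration window contains the current time. run_dig() calls the real dig binary; the embedded dig transcript is constructed for the example (the address 192.0.2.10, the key tag and the signature are placeholders), while the resolver 8.8.8.8 and the domain nitewall.com are the ones the page uses.

```python
"""Query with the DO bit set and apply the page's DNSSEC checks to what dig prints.

Added example for this page (not part of the original article or of dig itself).
run_dig() calls the real dig binary; SAMPLE_VALIDATED is a constructed transcript.
"""
import re
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample of `dig +dnssec @8.8.8.8 nitewall.com A`; the address, key tag
# and signature are placeholders, not a real capture.
SAMPLE_VALIDATED = """\
; <<>> DiG 9.18.0 <<>> +dnssec @8.8.8.8 nitewall.com A
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;nitewall.com.\t\t\tIN\tA

;; ANSWER SECTION:
nitewall.com.\t3600\tIN\tA\t192.0.2.10
nitewall.com.\t3600\tIN\tRRSIG\tA 13 2 3600 20231231000000 20231201000000 23456 nitewall.com. c2lnbmF0dXJl

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.MULTILINE)
EDNS_RE = re.compile(r"^; EDNS: .*flags: ([a-z ]*);", re.MULTILINE)
TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG inception/expiration exactly as dig prints them


def parse_dig(output):
    """Pull status, header flags, EDNS flags and the ANSWER section out of dig's text."""
    status, flags, edns = STATUS_RE.search(output), FLAGS_RE.search(output), EDNS_RE.search(output)
    answer, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;"):
            in_answer = False  # any other section header ends the answer section
        elif in_answer and line.strip() and not line.startswith(";"):
            owner, ttl, _cls, rtype, *rdata = line.split()
            answer.append({"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "edns_flags": set(edns.group(1).split()) if edns else set(),
        "answer": answer,
    }


def assess(output, rtype, now_ts=None):
    """Return the list of problems found (empty = signed, in date, validated by the resolver).

    now_ts is a YYYYMMDDHHMMSS UTC string, so RRSIG times can be compared as strings."""
    now_ts = now_ts or datetime.now(timezone.utc).strftime(TIME_FMT)
    r = parse_dig(output)
    problems = []
    if r["status"] != "NOERROR":
        problems.append(f"status {r['status']}: a validating resolver answers SERVFAIL when the chain is bogus")
    if "ad" not in r["flags"]:
        problems.append("no 'ad' flag: the resolver did not validate this answer (or is not a validating resolver)")
    if "do" not in r["edns_flags"]:
        problems.append("DO bit not echoed: query sent without +dnssec, or no EDNS support")
    rrsigs = [rec for rec in r["answer"] if rec["type"] == "RRSIG" and rec["rdata"][0] == rtype]
    if not rrsigs:
        problems.append(f"no RRSIG covering {rtype}: the record set is unsigned or signatures were not requested")
    for sig in rrsigs:
        # RRSIG RDATA: type alg labels origttl expiration inception keytag signer signature
        expiration, inception, key_tag = sig["rdata"][4], sig["rdata"][5], sig["rdata"][6]
        if not inception <= now_ts <= expiration:
            problems.append(f"RRSIG over {rtype} by key tag {key_tag} is outside its validity window "
                            f"{inception}..{expiration} at {now_ts}")
    return problems


def run_dig(name, rtype="A", resolver="8.8.8.8", check_disabled=False):
    """Real query. +dnssec sets the DO bit; +cd tells the resolver to skip validation."""
    cmd = ["dig", "+dnssec"] + (["+cd"] if check_disabled else []) + [f"@{resolver}", name, rtype]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "nitewall.com"
    rtype = sys.argv[2] if len(sys.argv) > 2 else "A"
    resolver = "8.8.8.8"
    problems = assess(run_dig(name, rtype, resolver), rtype)
    if problems and problems[0].startswith("status SERVFAIL"):
        # Distinguish "no such data" from "data exists but fails validation".
        if parse_dig(run_dig(name, rtype, resolver, check_disabled=True))["status"] == "NOERROR":
            problems.append("NOERROR with +cd: the data exists, the resolver rejected the DNSSEC chain")
    print("\n".join(problems) or f"{name} {rtype}: signed, in date, and validated by {resolver}")
```

Run it as python3 dnssec_check.py nitewall.com A. When the first query comes back SERVFAIL the script repeats it with +cd; a NOERROR there is the signature of a broken DS or an expired RRSIG rather than a missing name.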

Example Commands

Here’s how you might run these commands in a terminal:

# Check DNS records with DNSSEC
dig +dnssec nitewall.com

# Check DNSKEY records
dig +dnssec nitewall.com DNSKEY

# Check DS records
dig +dnssec nitewall.com DS

# Validate specific record (e.g., A record)
dig +dnssec nitewall.com A

Below are example results for each dig command, with the output you should expect to see. Key tags, signatures and digests are placeholders; a real response carries base64 signatures and, for a SHA-256 DS, a 64-hex-digit digest.

Example Commands and Expected Results for nitewall.com

  1. Check DNS Records with DNSSEC
   dig +dnssec nitewall.com

Expected Output:

   ; <<>> DiG 9.10.6 <<>> +dnssec nitewall.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 512
   ;; QUESTION SECTION:
   ;nitewall.com.            IN  A

   ;; ANSWER SECTION:
   nitewall.com.        3600    IN  A   93.184.216.34
   nitewall.com.        3600    IN  RRSIG   A 8 2 3600 20231231000000 20231201000000 23456 nitewall.com. ABCDEFGHIJKLMNOPQRSTUVWXYZ...

   ;; Query time: 20 msec
   ;; SERVER: 8.8.8.8#53(8.8.8.8)
   ;; WHEN: Mon Dec 04 10:00:00 UTC 2023
   ;; MSG SIZE  rcvd: 140

The ad flag in the flags line is what shows the resolver validated the answer; the do flag in the OPT pseudosection confirms the DO bit was set. The RRSIG fields are: type covered, algorithm (8 = RSA/SHA-256), label count, original TTL, expiration and inception as YYYYMMDDHHMMSS in UTC, key tag of the signing key (the ZSK here), signer name, and the base64 signature.
  2. Check DNSKEY Records
   dig +dnssec nitewall.com DNSKEY

Expected Output:

   ; <<>> DiG 9.10.6 <<>> +dnssec nitewall.com DNSKEY
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 512
   ;; QUESTION SECTION:
   ;nitewall.com.            IN  DNSKEY

   ;; ANSWER SECTION:
   nitewall.com.        3600    IN  DNSKEY  257 3 8 AwEAA...   ; KSK, key id = 12345
   nitewall.com.        3600    IN  DNSKEY  256 3 8 AwEAA...   ; ZSK, key id = 23456
   nitewall.com.        3600    IN  RRSIG   DNSKEY 8 2 3600 20231231000000 20231201000000 12345 nitewall.com. ABCDEFGHIJKLMNOPQRSTUVWXYZ...

   ;; Query time: 25 msec
   ;; SERVER: 8.8.8.8#53(8.8.8.8)
   ;; WHEN: Mon Dec 04 10:00:00 UTC 2023
   ;; MSG SIZE  rcvd: 200

The DNSKEY RRset is signed by the KSK, so the RRSIG over DNSKEY carries the KSK's key tag (12345); that is the key the parent's DS must reference. The ZSK (23456) signs the other record sets, which is why the A-record RRSIG carries a different key tag. Plain dig does not print the "; KSK, key id = ..." comments shown above; add +multiline to get them.
  3. Check DS Records
   dig +dnssec nitewall.com DS

Expected Output:

   ; <<>> DiG 9.10.6 <<>> +dnssec nitewall.com DS
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12347
   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 512
   ;; QUESTION SECTION:
   ;nitewall.com.            IN  DS

   ;; ANSWER SECTION:
   nitewall.com.        3600    IN  DS  12345 8 2 <64 hex digits: SHA-256 digest of the KSK>

   ;; Query time: 30 msec
   ;; SERVER: 8.8.8.8#53(8.8.8.8)
   ;; WHEN: Mon Dec 04 10:00:00 UTC 2023
   ;; MSG SIZE  rcvd: 100

The DS fields are: key tag (12345, which must equal the KSK's key id), algorithm (8, which must equal the KSK's algorithm field), digest type (2 = SHA-256) and the digest of the KSK. An empty ANSWER section here means the parent publishes no DS and the zone is treated as unsigned, even if every record below is signed.
  4. Validate Specific Record (e.g., A Record)
   dig +dnssec nitewall.com A

dig queries type A by default, so this is the same query as step 1 with the type written out explicitly.

Expected Output:

   ; <<>> DiG 9.10.6 <<>> +dnssec nitewall.com A
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12348
   ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags: do; udp: 512
   ;; QUESTION SECTION:
   ;nitewall.com.            IN  A

   ;; ANSWER SECTION:
   nitewall.com.        3600    IN  A   93.184.216.34
   nitewall.com.        3600    IN  RRSIG   A 8 2 3600 20231231000000 20231201000000 23456 nitewall.com. ABCDEFGHIJKLMNOPQRSTUVWXYZ...

   ;; Query time: 15 msec
   ;; SERVER: 8.8.8.8#53(8.8.8.8)
   ;; WHEN: Mon Dec 04 10:00:00 UTC 2023
   ;; MSG SIZE  rcvd: 180

Summary of Results for nitewall.com

  • RRSIG: The presence of the RRSIG record shows the records are signed; the ad flag from a validating resolver shows they also validate.
  • DNSKEY Records: Both the KSK (flags 257) and the ZSK (flags 256) should be present, and the RRSIG over the DNSKEY RRset should carry the KSK's key tag.
  • DS Record: The DS in the parent should match the KSK in key tag, algorithm and digest.
  • Query Status: The status should be NOERROR. SERVFAIL from a validating resolver that turns into NOERROR with +cd means the data exists but failed validation.
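The summary says the DS must match the KSK, but dig only shows the two records side by side. A validator checks the match by hashing the KSK itself: the DS digest is the hash of the owner name in wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), and the DS key tag is a checksum of that same RDATA (RFC 4034 Appendix B). The Python below, an added example written for this page and not taken from the article or from any DNS tool, recomputes the DS from DNSKEY lines as dig prints them and compares the result with DS lines as dig prints them. The key material in main() is constructed (64 bytes counting up from 0x00), not a real key; nitewall.com is the page's domain.

```python
"""Recompute DS records from DNSKEY records and check the parent's DS against them.

Added example for this page (not from the original article or from any DNS tool).
DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4;
key tag per RFC 4034 Appendix B. Paste the lines from `dig nitewall.com DNSKEY` and
`dig nitewall.com DS` into check_chain(); the records in main() are constructed.
"""
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = name.lower().rstrip(".")
    wire = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in labels.split(".")) if labels else b""
    return wire + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rr(line, rrtype):
    """Split a dig presentation line into (owner, rdata tokens); drops comments and parentheses."""
    tokens = line.split(";")[0].replace("(", " ").replace(")", " ").split()
    idx = tokens.index(rrtype)  # owner [ttl] [class] TYPE rdata...
    return tokens[0], tokens[idx + 1:]


def dnskey_rdata(tokens):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key (base64 in text)."""
    flags, proto, alg = (int(x) for x in tokens[:3])
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(tokens[3:]))


def ds_from_dnskey(dnskey_line, digest_type=2):
    """Return the (key_tag, algorithm, digest_type, DIGEST_HEX) the parent's DS should contain."""
    owner, tokens = parse_rr(dnskey_line, "DNSKEY")
    rdata = dnskey_rdata(tokens)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def parse_ds(ds_line):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) from a DS presentation line."""
    _, tokens = parse_rr(ds_line, "DS")
    return int(tokens[0]), int(tokens[1]), int(tokens[2]), "".join(tokens[3:]).upper()


def ds_matches(ds_line, dnskey_line):
    """True when the DS is exactly what a validator would derive from this DNSKEY."""
    tag, alg, dtype, digest = parse_ds(ds_line)
    return ds_from_dnskey(dnskey_line, dtype) == (tag, alg, dtype, digest)


def check_chain(ds_lines, dnskey_lines):
    """For every DS in the parent, find the DNSKEY it points to.

    Returns {ds_key_tag: flags_of_matching_dnskey or None}; 257 means the DS points at a KSK."""
    result = {}
    for ds in ds_lines:
        tag = parse_ds(ds)[0]
        result[tag] = None
        for key in dnskey_lines:
            if ds_matches(ds, key):
                result[tag] = int(parse_rr(key, "DNSKEY")[1][0])
    return result


if __name__ == "__main__":
    # Constructed placeholder key material (64 bytes 0x00..0x3f), not a real public key.
    fake_key = base64.b64encode(bytes(range(64))).decode()
    ksk = f"nitewall.com.\t3600\tIN\tDNSKEY\t257 3 13 {fake_key}"
    tag, alg, dtype, digest = ds_from_dnskey(ksk)
    good_ds = f"nitewall.com.\t3600\tIN\tDS\t{tag} {alg} {dtype} {digest}"
    # A DS left behind from a previous KSK: same digest type, key tag of a key no longer published.
    stale_ds = f"nitewall.com.\t3600\tIN\tDS\t{(tag + 1) & 0xFFFF} {alg} {dtype} {digest}"
    for ds_tag, flags in check_chain([good_ds, stale_ds], [ksk]).items():
        verdict = f"matches DNSKEY with flags {flags}" if flags else "NO matching DNSKEY in the zone"
        print(f"DS key tag {ds_tag}: {verdict}")
```

Paste the DNSKEY lines from step 2 and the DS lines from step 3 into check_chain(). A DS whose key tag maps to None is the usual cause of a broken chain after a KSK rollover: the new key is in the zone while the registrar still publishes the digest of the old one.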

By executing these commands and checking their outputs, you can confirm whether your DNS records for nitewall.com are correctly signed and if the DNSSEC chain of trust is intact. Keep in mind that the ad flag is set by the resolver and travels to you unauthenticated, so it is only as trustworthy as the path to that resolver; for a result you can rely on, validate locally with delv or a validating resolver on the same host.

Replace ‘nitewall.com’ with your domain name to verify your domain’s DNSSEC configuration.
