How to test and validate DNSSEC using dig command line


How do I test and validate DNSSEC using the dig command line under Linux, macOS, *BSD, and Unix-like systems?

DNSSEC is an acronym for Domain Name System Security Extensions. It is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS). Dig is a DNS lookup tool that queries DNS servers for DNS records. For instance, dig can tell you the IP address of a mail server or website using a DNS resolver. DNSSEC mitigates security risk and helps prevent malicious actions such as cache poisoning, pharming, and man-in-the-middle attacks. With DNSSEC, one can verify the authenticity and integrity of DNS data. This page explains how to test and validate DNSSEC issues that affect DNS resolution using the dig command.



How to test and validate DNSSEC using dig

  1. Open the terminal application on your Linux/Unix/macOS desktop
  2. Use dig to verify DNSSEC record, run: dig YOUR-DOMAIN-NAME +dnssec +short
  3. Grab the public key used to verify the DNS record, execute: dig DNSKEY YOUR-DOMAIN-NAME +short
  4. Show the DNSSEC chain of trust with dig command: dig DS YOUR-DOMAIN-NAME +trace
  5. Do DNSSEC verification with dig, running the following two commands:
    dig . DNSKEY | grep -Ev '^($|;)' > keys
    dig +sigchase +trusted-key=./keys YOUR-DOMAIN-NAME. A | less
    dig +sigchase +trusted-key=./keys YOUR-DOMAIN-NAME. A | grep -i validation

Let us see all commands and examples in detail.

Is DNSSEC enabled for given domain name?

A Delegation Signer (DS) record provides information about a signed zone when DNSSEC is enabled. Let us print the DS record for a domain using dig:
dig DS {domain-name}
dig DS google.com
dig DS cyberciti.biz +short

A DNSKEY is a record that holds the public key that DNS resolvers use to verify DNSSEC signatures. To show DNSKEY records, run:
dig DNSKEY {domain-name}
dig DNSKEY google.com
dig DNSKEY cyberciti.biz +short

The DNSKEY record contains a public signing key, and the DS record contains a hash of a DNSKEY record if DNSSEC is enabled.

Please note that google.com has no DS or DNSKEY records defined. In other words, that domain is not enabled for DNSSEC.

Validate dnssec using dig

Next, we will query and verify DNSSEC. The syntax is pretty easy:
dig +dnssec {domain-name}.
dig +dnssec www.cyberciti.biz. +short
dig +dnssec www.cyberciti.biz.

First, pass the +dnssec flag to dig so that it requests the DNSSEC records for the zone. Second, watch for the ad flag in the output, which confirms that the zone data validated, because my resolver is configured to perform DNSSEC validation itself. Third, look for the RRSIG line in the response. The ad flag means authenticated data, and the do (DNSSEC OK) flag must be set, indicating that DNSSEC records were requested:
dig cyberciti.biz +dnssec +multi
Sample outputs:

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> cyberciti.biz +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53272
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;cyberciti.biz.		IN A

;; ANSWER SECTION:
cyberciti.biz.		135 IN A 104.20.187.5
cyberciti.biz.		135 IN A 104.20.186.5
cyberciti.biz.		135 IN RRSIG A 13 2 300 (
				20191212194711 20191210174711 34505 cyberciti.biz.
				meJ8aERJ6AddCA3Fbno7ixH63hRQTal0wXCnaJG8de4z
				yhXDJRMXYJshPnKR6ucKONa/R6SO4rivCxSiqSfcsw== )

;; Query time: 0 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Thu Dec 12 00:19:55 IST 2019
;; MSG SIZE  rcvd: 183

An example of failed DNSSEC validation

Run the following dig command:
dig www.dnssec-failed.org
dig www.brokendnssec.net +dnssec

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> www.brokendnssec.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.brokendnssec.net.		IN	A

;; Query time: 1378 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Thu Dec 12 00:08:50 IST 2019
;; MSG SIZE  rcvd: 49

The above dig command returned a SERVFAIL error because the zone's DNSSEC data was incorrect, so the validating resolver returned no answer.

Test dnssec using dig

We can display the DNSSEC chain of trust with the dig command. All you have to do is pass the +trace option to dig as follows:
dig DS {your-domain.} +trace
dig DS google.com +trace @8.8.4.4
dig DS google.com +trace @1.1.1.1
dig DS cyberciti.biz +trace
dig DS cyberciti.biz +trace @8.8.8.8

How to test DNSSEC validation

Complete example

Let us see how to test the validity of DNSSEC from a Linux or Unix/macOS command line. First, grab the root zone's DNSKEY records by running the following dig command together with grep:
dig . DNSKEY | grep -Ev '^($|;)' > keys
Use the cat command to see the keys:
cat keys
Sample outputs:

.			49440	IN	DNSKEY	256 3 8 AwEAAbPwrxwtOMENWvblQbUFwBllR7ZtXsu9rg/LdyklKs9gU2GQTeOc 59XjhuAPZ4WrT09z6YPL+vzIIJqnG3Hiru7hFUQ4pH0qsLNxrsuZrZYm XAKoVa9SXL1Ap0LygwrIugEk1G4v7Rk/Alt1jLUIE+ZymGtSEhIuGQdX rEmj3ffzXY13H42X4Ja3vJTn/WIQOXY7vwHXGDypSh9j0Tt0hknF1yVJ CrIpfkhFWihMKNdMzMprD4bV+PDLRA5YSn3OPIeUnRn9qBUCN11LXQKb +W3Jg+m/5xQRQJzJ/qXgDh1+aN+Mc9AstP29Y/ZLFmF6cKtL2zoUMN5I 5QymeSkJJzc=
.			49440	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=

Finally, do DNSSEC verification with dig as follows (note that newer BIND releases have dropped the +sigchase option from dig; the delv utility that ships with BIND performs the same validation, for example: delv www.cyberciti.biz. A):
dig +sigchase +trusted-key=./keys www.cyberciti.biz. A | more
dig +sigchase +trusted-key=./keys www.cyberciti.biz. A | grep -i validation

Sample outputs from last command:

;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
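As an added example (not part of the original article), the following shell script rebuilds a DS record from a DNSKEY, which lets you check the DS published by the parent (dig DS) against the child's KSK (dig DNSKEY) by hand, and lets you confirm that the 257 record in the keys file above really is the root trust anchor. It assumes GNU coreutils (base64, od, sha256sum) and uses the root KSK from the keys file as constructed sample input.

```shell
#!/bin/sh
# Added example, not from the article: rebuild a DS record from a DNSKEY, so the
# DS published by the parent ("dig DS") can be checked against the child's KSK
# ("dig DNSKEY"). Per RFC 4034, DS digest = SHA-256(wire(owner) || DNSKEY RDATA)
# for digest type 2. Needs base64, od and sha256sum (GNU coreutils).

# Owner name in canonical wire format: lowercase, length-prefixed labels, root = 0x00.
wire_name() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    if [ -n "$name" ]; then
        ( IFS=.; for label in $name; do printf "\\$(printf '%03o' ${#label})%s" "$label"; done )
    fi
    printf '\000'
}

# DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) key bytes.
# Arguments: flags protocol algorithm base64-key (the key may contain spaces).
dnskey_rdata() {
    printf "\\$(printf '%03o' $(($1 / 256)))\\$(printf '%03o' $(($1 % 256)))"
    printf "\\$(printf '%03o' $2)\\$(printf '%03o' $3)"
    printf '%s' "$4" | tr -d ' ' | base64 -d
}

# Key tag (RFC 4034 Appendix B): 16-bit word sum of the RDATA with the carry folded in.
key_tag() {
    acc=0; i=0
    for byte in $(dnskey_rdata "$@" | od -An -v -tu1); do
        if [ $((i % 2)) -eq 0 ]; then acc=$((acc + byte * 256)); else acc=$((acc + byte)); fi
        i=$((i + 1))
    done
    echo $(( (acc + ((acc >> 16) & 65535)) & 65535 ))
}

# Print the DS record (keytag algorithm 2 digest) for an owner name plus DNSKEY fields.
ds_record() {   # args: owner flags protocol algorithm base64-key
    digest=$({ wire_name "$1"; dnskey_rdata "$2" "$3" "$4" "$5"; } | sha256sum | cut -d' ' -f1)
    printf '%s %s 2 %s\n' "$(key_tag "$2" "$3" "$4" "$5")" "$4" "$(printf '%s' "$digest" | tr 'a-f' 'A-F')"
}

# Sample input: the root KSK (the 257 DNSKEY from the keys file above). Its DS must equal
# IANA's published root trust anchor: 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
ROOT_KSK='AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU='
# ds_record . 257 3 8 "$ROOT_KSK"

# Live use (needs network): rebuild a DS from every DNSKEY of a zone, then compare the
# output with "dig DS cyberciti.biz +short" as served by the parent (.biz).
# dig DNSKEY cyberciti.biz +short | while read f p a k; do ds_record cyberciti.biz. "$f" "$p" "$a" "$k"; done
```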

Can I request a domain that is not DNSSEC signed and should just give a normal DNS answer?

Yes, fallback is a feature. Here is how to do it for apple.com:
dig www.apple.com +dnssec
Sample outputs:

; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> www.apple.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4032
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.apple.com.			IN	A

;; ANSWER SECTION:
www.apple.com.		806	IN	CNAME	www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 3592	IN	CNAME	www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net. 2182 IN CNAME	e6858.dsce9.akamaiedge.net.
e6858.dsce9.akamaiedge.net. 20	IN	A	23.66.255.148

;; Query time: 360 msec
;; SERVER: 192.168.2.254#53(192.168.2.254)
;; WHEN: Thu Dec 12 00:24:42 IST 2019
;; MSG SIZE  rcvd: 193
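The three kinds of response shown above (a validated answer with the ad flag and an RRSIG, a SERVFAIL from a zone with broken signatures, and a plain NOERROR answer from an unsigned zone) can be told apart mechanically. The following shell function is an added example, not the article's own code: it reads dig +dnssec output on stdin and prints one of secure, bogus, insecure, nodo or unknown; the embedded samples are constructed copies of the outputs above, trimmed to the lines the function inspects.

```shell
#!/bin/sh
# Added example (not from the article): classify one "dig +dnssec" response
# the way the article reads it by hand. Prints one word:
#   secure   - NOERROR, ad flag set, RRSIG present (signed zone, validating resolver)
#   bogus    - SERVFAIL (validating resolver rejected the signatures)
#   insecure - NOERROR without ad (unsigned zone such as www.apple.com)
#   nodo     - the reply carries no EDNS "do" bit, so DNSSEC was never requested
#   unknown  - anything else (REFUSED, NXDOMAIN, ad without any RRSIG, ...)
classify_dig_output() {
    out=$(cat)   # dig output on stdin
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    if ! printf '%s\n' "$out" | grep -q '^; EDNS:.*flags: do'; then
        echo nodo; return 0
    fi
    case "$status" in
        SERVFAIL) echo bogus; return 0 ;;
        NOERROR)  ;;
        *)        echo unknown; return 0 ;;
    esac
    case " $flags " in
        *" ad "*)
            # ad alone is not enough: the answer section must carry a signature
            if printf '%s\n' "$out" | grep -q '[[:space:]]IN[[:space:]]\{1,\}RRSIG[[:space:]]'; then
                echo secure
            else
                echo unknown
            fi ;;
        *) echo insecure ;;
    esac
}

# Live check against the resolver in /etc/resolv.conf (needs network access).
check_domain() { dig "$1" +dnssec +multi | classify_dig_output; }

# Constructed samples, cut down from the article's outputs to the lines used above.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53272
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
cyberciti.biz.    135 IN RRSIG A 13 2 300 ('
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22087
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4032
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
www.apple.com.    806 IN CNAME www.apple.com.edgekey.net.'
```

Run it as printf '%s\n' "$SAMPLE_SECURE" | classify_dig_output for the samples, or check_domain cyberciti.biz against your own resolver.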

Troubleshooting DNSSEC when dig is not installed or unsupported on your OS/mobile device

Try the following online tools (enter your domain name):

Conclusion

You learned how to use the dig command for DNSSEC verification under Linux, macOS, *BSD, and Unix-like systems. Please see this page here and here for more info.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.
