In message <4a3177c1.5040...@lotspeich.org>, Erik Lotspeich writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> 
> Although I'm not new to DNS, I'm new to DNSSEC.  I have read
> documentation and howtos regarding DNSSEC.
> 
> I believe that I have it configured and working for my domain,
> lotspeich.org.  I have registered with the ISC's DLV registry.  I am
> having trouble finding the best way for me to validate that my setup is
> working and that my zone validates.  I've looked into drill and
> dnssec-tools, but it isn't clear to me how to use these tools with ISC's
> DLV.
> 
> Any help would be greatly appreciated.
> 
> Regards,
> 
> Erik.

        The simplest way is to configure a caching only server to 
        use dlv and run queries against it.

        dig +adflag soa <zone>
        dig +dnssec soa <zone>

        and look for the "ad" flag in the response.

e.g.

; <<>> DiG 9.3.6-P1 <<>> +adflag isc.org soa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41624
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;isc.org.                       IN      SOA

;; ANSWER SECTION:
isc.org.                7030    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2009061200 7200 3600 24796800 3600

;; AUTHORITY SECTION:
isc.org.                35695   IN      NS      ns-ext.nrt1.isc.org.
isc.org.                35695   IN      NS      ams.sns-pb.isc.org.
isc.org.                35695   IN      NS      ord.sns-pb.isc.org.
isc.org.                35695   IN      NS      sfba.sns-pb.isc.org.

;; ADDITIONAL SECTION:
ams.sns-pb.isc.org.     35695   IN      A       199.6.1.30
ord.sns-pb.isc.org.     35695   IN      A       199.6.0.30
sfba.sns-pb.isc.org.    35695   IN      A       149.20.64.3
sfba.sns-pb.isc.org.    35693   IN      AAAA    2001:4f8:0:2::19

;; Query time: 180 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 12:07:03 2009
;; MSG SIZE  rcvd: 243

        Note the DLV record for lotspeich.org is not currently being
        published.  When you look at "Managed Zones" you should see
        a green tick and "Good" for the records to be published.
        If you don't see this then look at "Help" to see what is being
        reported.   If you can't address the problem use the
        "Contact Us" link.


; <<>> DiG 9.3.6-P1 <<>> dlv lotspeich.org.dlv.isc.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25701
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;lotspeich.org.dlv.isc.org.     IN      DLV

;; AUTHORITY SECTION:
dlv.isc.org.            3440    IN      SOA     ns-int.isc.org. hostmaster.isc.org. 2009060800 7200 3600 2419200 3600

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 12 12:00:30 2009
;; MSG SIZE  rcvd: 97

        Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
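
One way to script the "look for the ad flag" check described above (an added example, not part of the original message): these shell functions read saved `dig` output on stdin and report whether the resolver marked the answer as validated. The function names are hypothetical, and the sample headers are copied from the two responses quoted in the message.

```shell
#!/bin/sh
# Added example: classify a dig response by its header lines.
# Reads dig's text output on stdin; nothing is sent on the network.

# Print the flag tokens from the ";; flags:" line, e.g. "qr rd ra ad".
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# Print the status (NOERROR, NXDOMAIN, SERVFAIL, ...) from the HEADER line.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Prints one word and sets the exit code:
#   validated   (0)  "ad" flag set by the validating resolver
#   unvalidated (1)  response returned without "ad"
#   servfail    (1)  SERVFAIL; a validating resolver returns this for
#                    data that fails validation, among other causes
#   unparsed    (2)  no dig header found in the input
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    flags=$(printf '%s\n' "$out" | dig_flags)
    if [ -z "$status" ]; then echo unparsed; return 2; fi
    if [ "$status" = "SERVFAIL" ]; then echo servfail; return 1; fi
    # Match "ad" as a whole token so "rd" and "ra" never count.
    case " $flags " in
        *" ad "*) echo validated; return 0 ;;
        *)        echo unvalidated; return 1 ;;
    esac
}

# Sample input: header lines copied from the two dig responses above.
SAMPLE_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41624
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4'
SAMPLE_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25701
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

printf '%s\n' "$SAMPLE_AD"   | classify_dig || :   # validated
printf '%s\n' "$SAMPLE_NOAD" | classify_dig || :   # unvalidated
```

Against a live resolver the same function can be fed directly, e.g. `dig +adflag soa <zone> | classify_dig`.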