Querying and verifying dnssec

The dig command is simple:

% dig +dnssec www.isoc.org.

; <<>> DiG 9.6.0-APPLE-P2 <<>> +dnssec www.isoc.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49304
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.isoc.org.          IN  A

;; ANSWER SECTION:
www.isoc.org.       86382   IN  A   212.110.167.157
www.isoc.org.       86382   IN  RRSIG   A 7 3 86400 20100706205007 20100622205007 56495 isoc.org. ETERh/blyD1LvW+hCeET9Zy/XTdTewilU8nhA5HCGtNoccdjPN/4pBg6 Vv2S/nJTZfQu7S1KwFJpijSg0n81A8Fpr1rjlS4AfKZgiSA6ureGDOzZ J4MImGFb9h1lG7qBrJ3Psmzs292obZfA98oJstsTzd4tNwFQf5bp5pDJ KoU=

Note two things:

1. The +dnssec flag - this asks your DNS server to validate the zone data.
2. The ad entry in the flags line of the response. This confirms that the zone data is correct.

[if the zone data was incorrect the server would have returned a SERVFAIL error instead]

However, your DNS server won't actually return that ad flag unless it has been configured to perform DNSSEC validation itself. Mine has, of course.

You can enable DNSSEC in your recursive BIND server by adding the following lines to your named.conf file:

    dnssec-enable yes;
    dnssec-validation yes;

and a copy of the root zone's public key. Other domain names can then be validated by following the chain of signatures through the DNS hierarchy.

You'll also need a fairly recent version of your DNS software - only the newer versions support the RSA/SHA-256 encryption algorithm that'll be used to sign the root. That means BIND 9.6.2+, or Unbound 1.4.0+