Question
How do I know if DNSSEC is enabled on a domain?
Answer
You can use the whois command to check whether DNSSEC is enabled at the registrar, i.e. whether a DS record has been published for the domain:
whois domain.tld | egrep -i "DNSSEC|signed"
DNSSEC: signedDelegation
DNSSEC DS Data: 17775 8 2 E{REDACTED}6A
You can check whether DNSSEC is configured on the authoritative nameserver, and whether the whole trust chain validates, with the delv command:
[root@server ~]# delv +vtrace domain.tld
;; fetch: domain.tld/A
;; validating domain.tld/A: starting
;; validating domain.tld/A: attempting positive response validation
;; fetch: domain.tld/DNSKEY
;; validating domain.tld/DNSKEY: starting
;; validating domain.tld/DNSKEY: attempting positive response validation
;; fetch: domain.tld/DS
;; validating domain.tld/DS: starting
;; validating domain.tld/DS: attempting positive response validation
;; fetch: com/DNSKEY
;; validating com/DNSKEY: starting
;; validating com/DNSKEY: attempting positive response validation
;; fetch: com/DS
;; validating com/DS: starting
;; validating com/DS: attempting positive response validation
;; fetch: ./DNSKEY
;; validating ./DNSKEY: starting
;; validating ./DNSKEY: attempting positive response validation
;; validating ./DNSKEY: verify rdataset (keyid=12345): success
;; validating ./DNSKEY: signed by trusted key; marking as secure
;; validating com/DS: in fetch_callback_validator
;; validating com/DS: keyset with trust secure
;; validating com/DS: resuming validate
;; validating com/DS: verify rdataset (keyid=12345): success
;; validating com/DS: marking as secure, noqname proof not needed
;; validating com/DNSKEY: in dsfetched
;; validating com/DNSKEY: dsset with trust secure
;; validating com/DNSKEY: verify rdataset (keyid=1345): success
;; validating com/DNSKEY: marking as secure (DS)
;; validating domain.tld/DS: in fetch_callback_validator
;; validating domain.tld/DS: keyset with trust secure
;; validating domain.tld/DS: resuming validate
;; validating domain.tld/DS: verify rdataset (keyid=54321): success
;; validating domain.tld/DS: marking as secure, noqname proof not needed
;; validating domain.tld/DNSKEY: in dsfetched
;; validating domain.tld/DNSKEY: dsset with trust secure
;; validating domain.tld/DNSKEY: no DNSKEY matching DS
;; validating domain.tld/DNSKEY: no DNSKEY matching DS
;; validating domain.tld/DNSKEY: no valid signature found (DS)
;; no valid RRSIG resolving 'domain.tld/DNSKEY/IN': 192.0.2.2#53
;; validating domain.tld/A: in fetch_callback_validator
;; validating domain.tld/A: fetch_callback_validator: got SERVFAIL
;; broken trust chain resolving 'domain.tld/A/IN': 192.0.2.2#53
;; resolution failed: broken trust chain
The trace above shows the failure case: the zone and the parent (com) validate and are marked secure, but the DS record published at the registrar does not match any DNSKEY served by the authoritative nameserver, so delv reports "no DNSKEY matching DS" and ends with "broken trust chain". In a working setup every step, including domain.tld/A, is marked as secure. Please note that DNSSEC must be enabled both at the registrar (the DS record) and on the authoritative nameservers (the signed zone with its DNSKEY) for DNSSEC to work.
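As an added example, not part of the original answer, the following Python derives the DS record that belongs to a DNSKEY (key tag and SHA-256 digest as specified in RFC 4034) and compares it with the "DNSSEC DS Data" line that whois prints; a mismatch here is exactly the "no DNSKEY matching DS" failure that delv reports above. The DNSKEY value is a constructed placeholder, not a real key.

```python
import base64
import hashlib

# Constructed DNSKEY (KSK) as it would be served by the authoritative nameserver.
# The public key bytes are a placeholder, not a real RSA key; the key-tag and
# digest arithmetic from RFC 4034 does not depend on the key being valid.
DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 8, "public_key": "AwEAAQ=="}


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lowercased, length-prefixed labels, root byte."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split("."))
    return wire + b"\x00"


def dnskey_rdata(key: dict) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return (key["flags"].to_bytes(2, "big")
            + bytes([key["protocol"], key["algorithm"]])
            + base64.b64decode(key["public_key"]))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, key: dict, digest_type: int = 2) -> tuple:
    """The DS record (key tag, algorithm, digest type, hex digest) the registrar should publish."""
    rdata = dnskey_rdata(key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}.get(digest_type)
    if hasher is None:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), key["algorithm"], digest_type, digest


def ds_matches(published_ds: str, owner: str, key: dict) -> bool:
    """Compare a whois 'DNSSEC DS Data' value ('tag alg dtype digest') with the served DNSKEY."""
    tag, alg, dtype, digest = published_ds.split()
    return (int(tag), int(alg), int(dtype), digest.upper()) == ds_from_dnskey(owner, key, int(dtype))
```

A False result from ds_matches means the registrar's DS and the nameserver's DNSKEY are out of sync, which validating resolvers treat as a broken trust chain (SERVFAIL), not as an unsigned zone.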