Is my network ready for DNSSEC?

To check whether your network is ready for DNSSEC, read through this guide and run the recommended tests. Use the dig command from the BIND package for the tests; it is also available for Windows systems from www.isc.org.

A basic test may be carried out by executing the following command:

$ dig +short rs.dns-oarc.net txt

rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
"127.0.0.1 sent EDNS buffer size 4096"
"127.0.0.1 DNS reply size limit is at least 3843"
"Tested at 2012-04-03 10:48:03 UTC"

The OARC servers tell you the largest DNS UDP reply that reaches your resolver. The first three lines are the CNAME chain that dig +short walks through on the way to the answer; the two quoted lines report the EDNS buffer size your resolver advertised (here 4096) and the largest reply that actually got through to it (here at least 3843 bytes). Note that this test goes through whatever resolver your system is configured to use, while tests 1 to 4 below query a root server directly from the host running dig, so they measure that host's own path. Run them on the resolver itself if that is the machine that will do DNSSEC validation.

Complete set of tests with descriptions:

  1. Basic test

    To be sure that the results of the following tests are meaningful, first check that plain DNS queries work at all. For this, query one of the root servers for the NS records of the root zone (+norec sends a non-recursive query, which is appropriate when talking to an authoritative server directly):


    $ dig +nodnssec +norec +ignore ns . @L.ROOT-SERVERS.NET
    
    ; <<>> DiG <<>> +nodnssec +norec +ignore ns . @L.ROOT-SERVERS.NET
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4246
    ;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15
    
    ;; QUESTION SECTION:
    ;.                              IN      NS
    
    ;; ANSWER SECTION:
    .                       518400  IN      NS      a.root-servers.net.
    .                       518400  IN      NS      b.root-servers.net.
    .                       518400  IN      NS      c.root-servers.net.
    .                       518400  IN      NS      d.root-servers.net.
    .                       518400  IN      NS      e.root-servers.net.
    .                       518400  IN      NS      f.root-servers.net.
    .                       518400  IN      NS      g.root-servers.net.
    .                       518400  IN      NS      h.root-servers.net.
    .                       518400  IN      NS      i.root-servers.net.
    .                       518400  IN      NS      j.root-servers.net.
    .                       518400  IN      NS      k.root-servers.net.
    .                       518400  IN      NS      l.root-servers.net.
    .                       518400  IN      NS      m.root-servers.net.
    
    ;; ADDITIONAL SECTION:
    a.root-servers.net.     518400  IN      A       198.41.0.4
    b.root-servers.net.     518400  IN      A       192.228.79.201
    c.root-servers.net.     518400  IN      A       192.33.4.12
    d.root-servers.net.     518400  IN      A       128.8.10.90
    e.root-servers.net.     518400  IN      A       192.203.230.10
    f.root-servers.net.     518400  IN      A       192.5.5.241
    g.root-servers.net.     518400  IN      A       192.112.36.4
    h.root-servers.net.     518400  IN      A       128.63.2.53
    i.root-servers.net.     518400  IN      A       192.36.148.17
    j.root-servers.net.     518400  IN      A       192.58.128.30
    k.root-servers.net.     518400  IN      A       193.0.14.129
    l.root-servers.net.     518400  IN      A       199.7.83.42
    m.root-servers.net.     518400  IN      A       202.12.27.33
    a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30
    d.root-servers.net.     518400  IN      AAAA    2001:500:2d::d
    
    ;; Query time: 52 msec
    ;; SERVER: 199.7.83.42#53(199.7.83.42)
    ;; WHEN: Tue Apr  3 13:10:16 2012
    ;; MSG SIZE  rcvd: 492
    
  2. Test of UDP packet size

    Check whether your system receives UDP responses larger than 512 bytes. This tells you whether a firewall on the path blocks UDP packets that carry more than 512 bytes of DNS data. Most signed responses are small enough to fit into a 1500-byte message and are delivered as a single, unfragmented UDP packet. To check, query one of the root servers for a signed response. The MSG SIZE line should show more than 512 bytes (857 in the capture below). Because +ignore stops dig from retrying over TCP, a reply that was truncated to fit a smaller size shows the tc flag, and a reply dropped by a firewall produces a timeout instead of being masked by a TCP fallback:


    $ dig +dnssec +norec +ignore +multi ns . @L.ROOT-SERVERS.NET
    
    ; <<>> DiG <<>> +dnssec +norec +ignore +multi ns . @L.ROOT-SERVERS.NET
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41274
    ;; flags: qr aa; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 23
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;.                      IN NS
    
    ;; ANSWER SECTION:
    .                       518400 IN NS a.root-servers.net.
    .                       518400 IN NS b.root-servers.net.
    .                       518400 IN NS c.root-servers.net.
    .                       518400 IN NS d.root-servers.net.
    .                       518400 IN NS e.root-servers.net.
    .                       518400 IN NS f.root-servers.net.
    .                       518400 IN NS g.root-servers.net.
    .                       518400 IN NS h.root-servers.net.
    .                       518400 IN NS i.root-servers.net.
    .                       518400 IN NS j.root-servers.net.
    .                       518400 IN NS k.root-servers.net.
    .                       518400 IN NS l.root-servers.net.
    .                       518400 IN NS m.root-servers.net.
    .                       518400 IN RRSIG NS 8 0 518400 20120410000000 (
                              20120402230000 56158 .
                              VaRaHoE9vshFaOZeFUfnWFQ8CZxbjaCWlviT6vQEDL26
                              RYrR27A3ErimjJy6HMEA98VSbPIuQxsdYD8S9TVMBz89
                              PBEPZj9lgJiiPb4LkAV96dWBtsbzzX1e8adcEAsBGrtK
                              WSXs6uu4TTQRzkmham5fR+xCRWJq2Nroj4gTFWc= )
    
    ;; ADDITIONAL SECTION:
    a.root-servers.net.     518400 IN A 198.41.0.4
    b.root-servers.net.     518400 IN A 192.228.79.201
    c.root-servers.net.     518400 IN A 192.33.4.12
    d.root-servers.net.     518400 IN A 128.8.10.90
    e.root-servers.net.     518400 IN A 192.203.230.10
    f.root-servers.net.     518400 IN A 192.5.5.241
    g.root-servers.net.     518400 IN A 192.112.36.4
    h.root-servers.net.     518400 IN A 128.63.2.53
    i.root-servers.net.     518400 IN A 192.36.148.17
    j.root-servers.net.     518400 IN A 192.58.128.30
    k.root-servers.net.     518400 IN A 193.0.14.129
    l.root-servers.net.     518400 IN A 199.7.83.42
    m.root-servers.net.     518400 IN A 202.12.27.33
    a.root-servers.net.     518400 IN AAAA 2001:503:ba3e::2:30
    d.root-servers.net.     518400 IN AAAA 2001:500:2d::d
    f.root-servers.net.     518400 IN AAAA 2001:500:2f::f
    h.root-servers.net.     518400 IN AAAA 2001:500:1::803f:235
    i.root-servers.net.     518400 IN AAAA 2001:7fe::53
    j.root-servers.net.     518400 IN AAAA 2001:503:c27::2:30
    k.root-servers.net.     518400 IN AAAA 2001:7fd::1
    l.root-servers.net.     518400 IN AAAA 2001:500:3::42
    m.root-servers.net.     518400 IN AAAA 2001:dc3::35
    
    ;; Query time: 38 msec
    ;; SERVER: 199.7.83.42#53(199.7.83.42)
    ;; WHEN: Tue Apr  3 13:12:28 2012
    ;; MSG SIZE  rcvd: 857
    
  3. Fragmentation test

    The next step is to check whether your system accepts UDP packets larger than 1500 bytes. Because of the usual Ethernet MTU, such packets are fragmented at the IP layer, and some firewalls drop IP fragments, which blocks the reply. A query for the ANY record of the root zone is answered with a packet of more than 1500 bytes (2109 bytes in the capture below; the keys, signatures and exact size shown were captured in April 2012 and will differ today, but the reply still has to exceed 1500 bytes for the test to be meaningful):


    $ dig +dnssec +norec +ignore +multi any . @L.ROOT-SERVERS.NET
    
    ; <<>> DiG <<>> +dnssec +norec +ignore +multi any . @L.ROOT-SERVERS.NET
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64562
    ;; flags: qr aa; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 23
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;.                      IN ANY
    
    ;; ANSWER SECTION:
    .            518400 IN NS a.root-servers.net.
    .            518400 IN NS b.root-servers.net.
    .            518400 IN NS c.root-servers.net.
    .            518400 IN NS d.root-servers.net.
    .            518400 IN NS e.root-servers.net.
    .            518400 IN NS f.root-servers.net.
    .            518400 IN NS g.root-servers.net.
    .            518400 IN NS h.root-servers.net.
    .            518400 IN NS i.root-servers.net.
    .            518400 IN NS j.root-servers.net.
    .            518400 IN NS k.root-servers.net.
    .            518400 IN NS l.root-servers.net.
    .            518400 IN NS m.root-servers.net.
    .            518400 IN RRSIG NS 8 0 518400 20120410000000 (
                     20120402230000 56158 .
                     VaRaHoE9vshFaOZeFUfnWFQ8CZxbjaCWlviT6vQEDL26
                     RYrR27A3ErimjJy6HMEA98VSbPIuQxsdYD8S9TVMBz89
                     PBEPZj9lgJiiPb4LkAV96dWBtsbzzX1e8adcEAsBGrtK
                     WSXs6uu4TTQRzkmham5fR+xCRWJq2Nroj4gTFWc= )
    .            172800 IN DNSKEY 256 3 8 (
                     AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5
                     GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig3
                     6TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl
                     1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
                     ) ; key id = 51201
    .            172800 IN DNSKEY 256 3 8 (
                     AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y
                     9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7
                     PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvo
                     ECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
                     ) ; key id = 56158
    .            172800 IN DNSKEY 257 3 8 (
                     AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                     bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                     /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                     JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                     oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                     LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                     Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                     LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                     ) ; key id = 19036
    .            172800 IN RRSIG DNSKEY 8 0 172800 20120415235959 (
                     20120401000000 19036 .
                     ly6pyLFGPrPjLaG4nNttLQsbczbF/TFAtyU305vIMJth
                     W2Afx1OHwWCFT8zGf/g7WiqaLSEdK8M0H6tf5pf9lCFD
                     j0H9nLBlYTiRrZ+7BE8/lUP99hUiSxa9KakTkBUYH0Cw
                     /DnQ+h0Dl8ew/+QsaO4SKTJL+c1KdV3xjkYGjr6O9RUx
                     SIMmgA39DSNM7hzNdRU4O4iujJ6ZI8zrHjnkX3GmRlEr
                     dRyMb33CMcvC2DvIvZmkwYED/T1IVuQQhiqOAYyfMpVx
                     NnbZVlsxPkeHtE5v1DDcTXGY7cREd2D7Uu1gOrR7AlQG
                     5CITlNisjAc5U/Yp1fzA0wbmJnWCtCSYgA== )
    .            86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
    .            86400 IN RRSIG NSEC 8 0 86400 20120410000000 (
                     20120402230000 56158 .
                     HFihpTQxqsMwZnADbG9pFtW+V/0D8Idx+uvyQm5OoPfC
                     KKs7KdvP9p80LZdsRglnD5HbpvNjsyuyEz5XnZ+wa5wR
                     iCeLpOPsez8bt3tq1A+wbSSttKiwPjJHwKVVBE87HRQZ
                     NXBP9elrahYHZJziXi6bwBBwD+fto62Ph3D7bIc= )
    .            86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
                     2012040300 ; serial
                     1800       ; refresh (30 minutes)
                     900        ; retry (15 minutes)
                     604800     ; expire (1 week)
                     86400      ; minimum (1 day)
                     )
    .            86400 IN RRSIG SOA 8 0 86400 20120410000000 (
                     20120402230000 56158 .
                     nWwym1VLQxy87p6vVpQ0n1diSbpiWI0Zmc5TwT0hMFso
                     v3iNdJxaTfjcA/HBlsNaHkD7xK71TNYqyCCqU+rNRATv
                     N7SSiKS5Q15Ka4Dbv2NYv1HGkzXPCtuK54bH5B3URpLD
                     qh6X4Ga6t2Dw88OEu2T+nW4nVtyYvn8h56tOZoE= )
    
    ;; ADDITIONAL SECTION:
    a.root-servers.net.     518400 IN A 198.41.0.4
    b.root-servers.net.     518400 IN A 192.228.79.201
    c.root-servers.net.     518400 IN A 192.33.4.12
    d.root-servers.net.     518400 IN A 128.8.10.90
    e.root-servers.net.     518400 IN A 192.203.230.10
    f.root-servers.net.     518400 IN A 192.5.5.241
    g.root-servers.net.     518400 IN A 192.112.36.4
    h.root-servers.net.     518400 IN A 128.63.2.53
    i.root-servers.net.     518400 IN A 192.36.148.17
    j.root-servers.net.     518400 IN A 192.58.128.30
    k.root-servers.net.     518400 IN A 193.0.14.129
    l.root-servers.net.     518400 IN A 199.7.83.42
    m.root-servers.net.     518400 IN A 202.12.27.33
    a.root-servers.net.     518400 IN AAAA 2001:503:ba3e::2:30
    d.root-servers.net.     518400 IN AAAA 2001:500:2d::d
    f.root-servers.net.     518400 IN AAAA 2001:500:2f::f
    h.root-servers.net.     518400 IN AAAA 2001:500:1::803f:235
    i.root-servers.net.     518400 IN AAAA 2001:7fe::53
    j.root-servers.net.     518400 IN AAAA 2001:503:c27::2:30
    k.root-servers.net.     518400 IN AAAA 2001:7fd::1
    l.root-servers.net.     518400 IN AAAA 2001:500:3::42
    m.root-servers.net.     518400 IN AAAA 2001:dc3::35
    
    ;; Query time: 48 msec
    ;; SERVER: 199.7.83.42#53(199.7.83.42)
    ;; WHEN: Tue Apr  3 13:14:08 2012
    ;; MSG SIZE  rcvd: 2109
    
  4. TCP packet test

    The last step is to check whether your system can fall back to a TCP connection when UDP fails (+vc is the older spelling of +tcp; both force the query over TCP). The response is the same as for the query in test 3; only the query time differs, because TCP needs a handshake before the query is sent:


    $ dig +dnssec +norec +vc +multi any . @L.ROOT-SERVERS.NET
    
    ; <<>> DiG <<>> +dnssec +norec +vc +multi any . @L.ROOT-SERVERS.NET
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16156
    ;; flags: qr aa; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 23
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;.                      IN ANY
    
    ;; ANSWER SECTION:
    .            518400 IN NS a.root-servers.net.
    .            518400 IN NS b.root-servers.net.
    .            518400 IN NS c.root-servers.net.
    .            518400 IN NS d.root-servers.net.
    .            518400 IN NS e.root-servers.net.
    .            518400 IN NS f.root-servers.net.
    .            518400 IN NS g.root-servers.net.
    .            518400 IN NS h.root-servers.net.
    .            518400 IN NS i.root-servers.net.
    .            518400 IN NS j.root-servers.net.
    .            518400 IN NS k.root-servers.net.
    .            518400 IN NS l.root-servers.net.
    .            518400 IN NS m.root-servers.net.
    .            518400 IN RRSIG NS 8 0 518400 20120410000000 (
                         20120402230000 56158 .
                         VaRaHoE9vshFaOZeFUfnWFQ8CZxbjaCWlviT6vQEDL26
                         RYrR27A3ErimjJy6HMEA98VSbPIuQxsdYD8S9TVMBz89
                         PBEPZj9lgJiiPb4LkAV96dWBtsbzzX1e8adcEAsBGrtK
                         WSXs6uu4TTQRzkmham5fR+xCRWJq2Nroj4gTFWc= )
    .            172800 IN DNSKEY 256 3 8 (
                         AwEAAZ/NErKzyMlImJ+2HTmK9qeH2sLUywlsF+mJbTP5
                         GKoYFHoU2vn2Zqr261Lk7a6jfBKYny5GX7BDRJcVvig3
                         6TgOinE9QP5KVS0RxdrOl98gKLwFMORfNf/wjCwjPdEl
                         1GgaGYl0npJ4c+x+o6aa/xmDKJo9zUlpvb7BLxbJ7HwF
                         ) ; key id = 51201
    .            172800 IN DNSKEY 256 3 8 (
                         AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y
                         9S93el05VvXg1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7
                         PrI5RlCIyKKPbtHbpgQGkwai8O6BZ4J/ch7DGuhGJfvo
                         ECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zPqMWfY6YJ
                         ) ; key id = 56158
    .            172800 IN DNSKEY 257 3 8 (
                         AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                         bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                         /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                         JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                         oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                         LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                         Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                         LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                         ) ; key id = 19036
    .            172800 IN RRSIG DNSKEY 8 0 172800 20120415235959 (
                         20120401000000 19036 .
                         ly6pyLFGPrPjLaG4nNttLQsbczbF/TFAtyU305vIMJth
                         W2Afx1OHwWCFT8zGf/g7WiqaLSEdK8M0H6tf5pf9lCFD
                         j0H9nLBlYTiRrZ+7BE8/lUP99hUiSxa9KakTkBUYH0Cw
                         /DnQ+h0Dl8ew/+QsaO4SKTJL+c1KdV3xjkYGjr6O9RUx
                         SIMmgA39DSNM7hzNdRU4O4iujJ6ZI8zrHjnkX3GmRlEr
                         dRyMb33CMcvC2DvIvZmkwYED/T1IVuQQhiqOAYyfMpVx
                         NnbZVlsxPkeHtE5v1DDcTXGY7cREd2D7Uu1gOrR7AlQG
                         5CITlNisjAc5U/Yp1fzA0wbmJnWCtCSYgA== )
    .            86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
    .            86400 IN RRSIG NSEC 8 0 86400 20120410000000 (
                         20120402230000 56158 .
                         HFihpTQxqsMwZnADbG9pFtW+V/0D8Idx+uvyQm5OoPfC
                         KKs7KdvP9p80LZdsRglnD5HbpvNjsyuyEz5XnZ+wa5wR
                         iCeLpOPsez8bt3tq1A+wbSSttKiwPjJHwKVVBE87HRQZ
                         NXBP9elrahYHZJziXi6bwBBwD+fto62Ph3D7bIc= )
    .            86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
                                  2012040300 ; serial
                                  1800       ; refresh (30 minutes)
                                  900        ; retry (15 minutes)
                                  604800     ; expire (1 week)
                                  86400      ; minimum (1 day)
                                  )
    .            86400 IN RRSIG SOA 8 0 86400 20120410000000 (
                         20120402230000 56158 .
                         nWwym1VLQxy87p6vVpQ0n1diSbpiWI0Zmc5TwT0hMFso
                         v3iNdJxaTfjcA/HBlsNaHkD7xK71TNYqyCCqU+rNRATv
                         N7SSiKS5Q15Ka4Dbv2NYv1HGkzXPCtuK54bH5B3URpLD
                         qh6X4Ga6t2Dw88OEu2T+nW4nVtyYvn8h56tOZoE= )
    
    ;; ADDITIONAL SECTION:
    a.root-servers.net.     518400 IN A 198.41.0.4
    b.root-servers.net.     518400 IN A 192.228.79.201
    c.root-servers.net.     518400 IN A 192.33.4.12
    d.root-servers.net.     518400 IN A 128.8.10.90
    e.root-servers.net.     518400 IN A 192.203.230.10
    f.root-servers.net.     518400 IN A 192.5.5.241
    g.root-servers.net.     518400 IN A 192.112.36.4
    h.root-servers.net.     518400 IN A 128.63.2.53
    i.root-servers.net.     518400 IN A 192.36.148.17
    j.root-servers.net.     518400 IN A 192.58.128.30
    k.root-servers.net.     518400 IN A 193.0.14.129
    l.root-servers.net.     518400 IN A 199.7.83.42
    m.root-servers.net.     518400 IN A 202.12.27.33
    a.root-servers.net.     518400 IN AAAA 2001:503:ba3e::2:30
    d.root-servers.net.     518400 IN AAAA 2001:500:2d::d
    f.root-servers.net.     518400 IN AAAA 2001:500:2f::f
    h.root-servers.net.     518400 IN AAAA 2001:500:1::803f:235
    i.root-servers.net.     518400 IN AAAA 2001:7fe::53
    j.root-servers.net.     518400 IN AAAA 2001:503:c27::2:30
    k.root-servers.net.     518400 IN AAAA 2001:7fd::1
    l.root-servers.net.     518400 IN AAAA 2001:500:3::42
    m.root-servers.net.     518400 IN AAAA 2001:dc3::35
    
    ;; Query time: 107 msec
    ;; SERVER: 199.7.83.42#53(199.7.83.42)
    ;; WHEN: Tue Apr  3 13:15:11 2012
    ;; MSG SIZE  rcvd: 2109
    
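As an added example (not part of the original guide), the following POSIX shell script runs the OARC reply-size check from the start of this page and the four tests above in sequence, and decides pass or fail from dig's own header and MSG SIZE lines rather than leaving the reader to eyeball the output. The root server name, the dig options and the size thresholds (above 512 and above 1500 bytes) are the ones the guide uses; the sample outputs embedded for self-testing are constructed from the guide's captured output, and the DNSSEC_LIVE variable and the file name dnssec-check.sh are names chosen here.

```shell
#!/bin/sh
# Added example (not part of the original guide): runs the OARC reply-size
# check and the four dig tests above, and judges each from dig's own output.
# Assumptions: dig from BIND is on PATH; the root server name and the size
# thresholds (512 and 1500 bytes) are taken from the guide's sample output.
set -u

ROOT="L.ROOT-SERVERS.NET"

# rcode from a saved dig output, e.g. NOERROR; empty if dig got no answer.
reply_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# header flags, e.g. "qr aa", or "qr aa tc" for a truncated UDP reply.
reply_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# reply size in bytes from the ";; MSG SIZE  rcvd: N" line.
reply_size() {
    printf '%s\n' "$1" | sed -n 's/.*MSG SIZE *rcvd: \([0-9]*\).*/\1/p' | head -n 1
}

# N from the OARC TXT line "... DNS reply size limit is at least N".
oarc_size_limit() {
    printf '%s\n' "$1" | sed -n 's/.*reply size limit is at least \([0-9]*\).*/\1/p' | head -n 1
}

# Pass (return 0) when the reply is NOERROR, not truncated and at least
# $3 bytes long; otherwise print why it failed and return 1.
check_reply() {
    label=$1
    out=$2
    min=$3
    status=$(reply_status "$out")
    flags=$(reply_flags "$out")
    size=$(reply_size "$out")
    [ -n "$size" ] || size=0
    if [ "$status" != NOERROR ]; then
        printf 'FAIL %s: status "%s" (blocked or no answer)\n' "$label" "$status"
        return 1
    fi
    case " $flags " in
        *" tc "*) printf 'FAIL %s: reply truncated, UDP size limit hit\n' "$label"; return 1 ;;
    esac
    if [ "$size" -lt "$min" ]; then
        printf 'FAIL %s: reply is %s bytes, expected at least %s\n' "$label" "$size" "$min"
        return 1
    fi
    printf 'OK   %s: %s bytes\n' "$label" "$size"
}

# Live run against the network; returns 1 if any test fails.
run_live_tests() {
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    rc=0
    out=$(dig +short rs.dns-oarc.net txt 2>&1)
    limit=$(oarc_size_limit "$out")
    if [ "${limit:-0}" -ge 1500 ]; then echo "OK   0 OARC: reply size limit at least $limit"
    else echo "FAIL 0 OARC: reply size limit ${limit:-unknown}, want at least 1500"; rc=1; fi
    out=$(dig +nodnssec +norec +ignore ns . @"$ROOT" 2>&1);       check_reply "1 basic DNS"  "$out" 1    || rc=1
    out=$(dig +dnssec +norec +ignore +multi ns . @"$ROOT" 2>&1);  check_reply "2 UDP > 512"  "$out" 513  || rc=1
    out=$(dig +dnssec +norec +ignore +multi any . @"$ROOT" 2>&1); check_reply "3 UDP > 1500" "$out" 1501 || rc=1
    out=$(dig +dnssec +norec +tcp +multi any . @"$ROOT" 2>&1);    check_reply "4 TCP"        "$out" 1501 || rc=1
    return $rc
}

# Constructed sample outputs, modelled on the dig output shown in this guide,
# so the checks can be exercised without network access.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64562
;; flags: qr aa; QUERY: 1, ANSWER: 22, AUTHORITY: 0, ADDITIONAL: 23
;; MSG SIZE  rcvd: 2109'
SAMPLE_TC=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa tc; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 28'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_OARC='"127.0.0.1 sent EDNS buffer size 4096"
"127.0.0.1 DNS reply size limit is at least 3843"'

# Run the live tests only when asked: DNSSEC_LIVE=1 sh dnssec-check.sh
if [ "${DNSSEC_LIVE:-0}" = 1 ]; then
    run_live_tests
fi
```

Run it as DNSSEC_LIVE=1 sh dnssec-check.sh on the machine whose path you want to test, ideally the resolver itself. A timeout in test 2 or 3 combined with a pass in test 4 points at a firewall dropping large UDP replies or IP fragments; a failure in test 4 alone means DNS over TCP on port 53 is blocked.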

If any of the above tests fails, there is no guarantee that you will be able to use everything DNSSEC offers. In that case, contact your Internet service provider; if you operate the firewall yourself, make sure it allows DNS over TCP on port 53 and does not drop UDP replies larger than 512 bytes or their IP fragments.