Now that the root DNS nameservers and the .org TLD have both been signed, you can validate that the DNS responses you receive are legitimate.
In an attempt to learn better how this all hangs together, I thought I’d first try and validate some requests.
My first difficulty was figuring out what the root nameserver key is, what format it needs to be in, where to store it, and how to use it with dig to validate. Of course, the keys themselves are stored in DNS, so you can query them in the format dig needs to read them back with the command:
dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
This can be placed in /etc/trusted-key.key if desired for site-wide dig use; otherwise dig will look for trusted-key.key in the current directory.
If the file cannot be parsed, dig will print one of the following when you try to use it in DNSSEC mode:
No trusted keys present
;; No trusted key, +sigchase option is disabled
To test out a full chain of validation from the root, you can now try to resolve www.isc.org:
dig +topdown +sigchase +multiline -ta www.isc.org
-- snip --
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for isc.org. with DNSKEY:12892: success
;; VERIFYING A RRset for www.isc.org. with DNSKEY:7617: success
;; The Answer:
www.isc.org. 600 IN A 149.20.64.42
;; FINISH : we have validate the DNSSEC chain of trust: SUCCESS
Hooray, we have validation.
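The two steps dig reports above, "a DS valids a DNSKEY" and the key tag it prints after "DNSKEY:" (12892, 7617), are the parent-to-child links of the chain, and the same check is what ultimately hangs off the root key in trusted-key.key. The script below is an added example, not part of the original post and not code from ISC or BIND: it parses a DNSKEY line in the presentation format dig writes into trusted-key.key, computes the RFC 4034 key tag, derives the SHA-256 DS digest (digest type 2) from the owner name and DNSKEY RDATA, and checks a DS record against it. The DNSKEY line, owner name example. and the four key bytes are constructed placeholders; a real key is far longer, and the root key fetched over plain DNS as above should be compared with a copy obtained out of band before it is trusted.

```python
import base64
import hashlib
import struct

# Constructed sample DNSKEY in dig's presentation format (same shape as the
# lines dig writes into trusted-key.key). The key material is the placeholder
# bytes 01 02 03 04, not a real RSA key; 257 = KSK flags, 3 = protocol, 8 = RSA/SHA-256.
SAMPLE_DNSKEY_LINE = "example. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in DNS wire format: length-prefixed labels, root = 0x00."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii").lower()
    return wire + b"\x00"


def parse_dnskey_line(line: str):
    """Return (owner, flags, protocol, algorithm, rdata) from a presentation-format DNSKEY line."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    # dig may split the base64 key over several whitespace-separated chunks
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return owner, flags, protocol, algorithm, rdata


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the number dig prints after 'DNSKEY:'."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 DS digest (digest type 2) = SHA-256(owner name wire || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches_dnskey(ds_tag: int, ds_alg: int, ds_digest_hex: str,
                      owner: str, rdata: bytes) -> bool:
    """The check behind dig's 'OK a DS valids a DNSKEY in the RRset' line:
    the parent's DS must carry the child's key tag, algorithm and digest."""
    _, _, alg = struct.unpack("!HBB", rdata[:4])
    return (ds_tag == key_tag(rdata)
            and ds_alg == alg
            and ds_digest_hex.upper() == ds_digest(owner, rdata))


if __name__ == "__main__":
    owner, flags, proto, alg, rdata = parse_dnskey_line(SAMPLE_DNSKEY_LINE)
    tag = key_tag(rdata)
    digest = ds_digest(owner, rdata)
    print(f"{owner} key tag {tag}, DS would be: {owner} IN DS {tag} {alg} 2 {digest}")
    print("DS matches DNSKEY:", ds_matches_dnskey(tag, alg, digest, owner, rdata))
    # A DS published for a different owner or a different key tag must not validate.
    print("DS for other owner matches:", ds_matches_dnskey(tag, alg, digest, "other.", rdata))
```

Key tags are only a 16-bit hint for picking the right key out of an RRset, so two keys can share one; the digest comparison is the part that actually binds the child's DNSKEY to the parent's DS, and the signature check dig reports as "VERIFYING ... RRset" is the separate step that ties the RRSIG to that key.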
Odd, when I try with http://www.isc.org and with my own DNSSEC secured domain, I get
;; RRSIG of DNSKEY is missing to continue validation: FAILED
But both pass with http://dnssec-debugger.verisignlabs.com.