Validating and Exploring DNSSEC with dig

Now that the Root DNS nameservers and the .org TLD have both been signed, you can validate that DNS server responses are legitimate.

In an attempt to learn better how this all hangs together, I thought I’d first try and validate some requests.

My first difficulty was figuring out what the root nameserver key is, what format it needs to be in, where to store it, and how to use it with dig to validate. The keys themselves are, of course, stored in DNS, and you can query them in the format dig needs to read them back with the command:

dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key

This can be placed in /etc/trusted-key.key if desired for site-wide dig use; otherwise dig searches the current directory for it.

If the file cannot be parsed, dig will print one of the following when you try to use it in DNSSEC mode:

No trusted keys present
or
;; No trusted key, +sigchase option is disabled

To test out a full chain of validation from the root, you can now try to resolve www.isc.org:

dig +topdown +sigchase +multiline -ta www.isc.org

-- snip --

;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; VERIFYING DNSKEY RRset for isc.org. with DNSKEY:12892: success
;; VERIFYING A RRset for www.isc.org. with DNSKEY:7617: success
;; The Answer:
www.isc.org.		600 IN A 149.20.64.42

;; FINISH : we have validate the DNSSEC chain of trust: SUCCESS

Hooray, we have validation.
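As an added example (not code from the original post), the step the +sigchase output above reports as a DS validating a DNSKEY can be reproduced by hand. The Python below parses a DNSKEY record in the presentation format the dig command above writes to trusted-key.key, computes its RFC 4034 key tag (the number dig prints as DNSKEY:12892) and checks both tag and digest against a parent-zone DS record; the key material in SAMPLE_DNSKEY is constructed for the example and is not a real root key.

```python
import base64
import hashlib

# Constructed DNSKEY line in the presentation format dig writes to
# trusted-key.key (flags 257 = zone key + SEP bit, i.e. a KSK). The
# key material is made up for this example, not a real root key.
SAMPLE_DNSKEY = ". 172800 IN DNSKEY 257 3 8 AQIDBA=="

def parse_dnskey(line):
    """Split one DNSKEY RR from dig's output into owner and RDATA fields."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *key = line.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    # the base64 key may be split over several whitespace chunks; join them
    key_bytes = base64.b64decode("".join(key))
    return owner, int(flags), int(proto), int(alg), key_bytes

def dnskey_rdata(flags, proto, alg, key):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag, as shown by dig in 'DNSKEY:12892'."""
    rdata = dnskey_rdata(flags, proto, alg, key)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of an owner name: length-prefixed labels; root is 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_digest(owner, flags, proto, alg, key, digest_type=2):
    """RFC 4034 5.1.4: digest = hash(owner name wire || DNSKEY RDATA); type 2 is SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(owner_wire(owner) + dnskey_rdata(flags, proto, alg, key)).hexdigest().upper()

def ds_matches(ds_line, dnskey_line):
    """The check behind ';; OK a DS valids a DNSKEY': parent DS against child DNSKEY."""
    owner, flags, proto, alg, key = parse_dnskey(dnskey_line)
    _o, _ttl, _cls, rtype, tag, ds_alg, dtype, *digest = ds_line.split()
    if rtype != "DS":
        raise ValueError("not a DS record: %r" % ds_line)
    return (int(tag) == key_tag(flags, proto, alg, key)
            and int(ds_alg) == alg
            and "".join(digest).upper() == ds_digest(owner, flags, proto, alg, key, int(dtype)))
```

Run against a real trusted-key.key, the same functions tell you which of the keys dig fetched are KSKs (flag 257) and what their key tags are, so the tag dig names in its VERIFYING lines can be matched to a specific key.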