The option +short
outputs the result only.
Learn more about how to troubleshoot issues with DNSSEC.
Dig
is a command-line tool to query a nameserver for DNS records.
For instance, dig
can ask a DNS resolver for the IP address of www.cloudflare.com
:
The option +short
outputs the result only.
Use +dnssec
to verify that the DNS records are signed:
In this example, the last line of output is the RRSIG
record. RRSIG
is the DNSSEC signature attached to the record. With the RRSIG
, a DNS resolver determines whether a DNS response is trusted.
Dig
can also retrieve the public key used to verify the DNS record, DNSKEY
:
A domain's DNS records are all signed with the same public key. Therefore, query for the apex domain (cloudflare.com
) public key, not the subdomain (www.cloudflare.com
) public key.
The DNS response includes two records:
DNSKEY
record 256 is the public key called zone signing key (ZSK). ZSKs are used to verify the DNS record signatures for A
, MX
, CNAME
, SRV
, etc.DNSKEY
record 257 is called the key signing key (KSK). KSKs are used to verify the signatures of the DNSKEY
, CDS
, and CDNSKEY
records.When not using the +short
option with dig
, a DNS response is DNSSEC authenticated if the ad
flag appears in the response header:
To visualize and discover potential issues with DNSSEC:
Below is an example of how dnsviz.net will display incorrect delegation when no valid DNSKEY records are provided by the authoritative nameserver to match the DS record published by the TLD nameserver:
Full verification of domain signatures (for example, cloudflare.com
) involves verifying the key signing key at the top-level domain (for example, .com
).
Similar verification is then performed by checking the key-signing key of .com
at the root server level. DNSSEC root keys are distributed to DNS clients to complete the chain of trust.
When DNSSEC is enabled, a DS
record is required at the registrar's DNS. The DS
record contains a hash of the public key signing key as well as metadata about the key.
Use dig
to find a DS
record:
When using the +trace
option, dig
confirms whether an answer is returned by the nameserver for cloudflare.com
or the nameserver for .com
. In this example, the DS
record for cloudflare.com
is returned by e.gtld-servers.net
:
An easier alternative to manually running the steps above is to use the third-party tool DNSViz.
Issues occur if authoritative DNS providers are changed without updating or removing old DNSSEC records at the registrar:
Confirm whether a SERVFAIL
response is related to DNSSEC by running dig
with the +cd
option. The +cd
option provides DNS results without any DNSSEC validation in place.
In this example, DNSSEC is misconfigured if a proper DNS response is received when using the +cd
option but queries using DNSSEC return a SERVFAIL
response. This issue often happens when authoritative nameservers are changed but DS
records are not updated. The issue can also occur if an attacker attempts to forge a response to a query.
If a problem is discovered with DNSSEC implementation, contact the domain's registrar and confirm the DS
record matches what the authoritative DNS provider has specified. If Cloudflare is the authoritative DNS provider, follow the instructions for configuring DNSSEC with Cloudflare.