1

I know that DNSSEC has been widely implemented since 2010. For authority name servers, it depends on the admin whether he wants to support DNSSEC or not. However, I would like to know whether or not all root name servers and all TLD servers support DNSSEC.

How can I use a tool like dnspython or dig to check DNSSEC support at root name servers and TLD servers, or do I not need to check because all of them already support DNSSEC?

weefwefwqg3
  • 961
  • 10
  • 23

1 Answer

3

All root servers? Yes.

All TLD servers? No. All new gTLDs (the ones introduced since 2013) must have DNSSEC, but there is no such guarantee for ccTLDs.

One way to check if a particular server handles DNSSEC is to send it a query with the DO flag set asking for the DNSKEY RRset for a domain for which the server is authoritative. If the response includes RRSIG records, the server handles DNSSEC appropriately. See here if you want details and/or Perl code implementing the test.

Calle Dybedahl
  • 5,228
  • 2
  • 18
  • 22
  • Is it correct that a name server supports DNSSEC if I can see these 2 lines in the DNS response message, "edns 0" and "eflags DO"? Also, do you have any references on how to use dnspython to test whether a server supports DNSSEC and validate the response message with its public key? – weefwefwqg3 Feb 10 '17 at 17:28
  • No, that is not correct. If they _aren't_ there, the server does _not_ support DNSSEC, but unfortunately it doesn't go the other way. You have to look at the server behaviour as described. And all my DNS code has been in Perl, C, Erlang or Go, but never Python. So I know nothing about dnspython. – Calle Dybedahl Feb 11 '17 at 08:09
  • Another possible way: query for `DS` records on the TLD name at the root servers. But whatever query you do testing for this or that DNS record does not fully prove DNSSEC works. The only way to prove it is to do a full query validating it, for example with `delv`, which will specifically tell you whether DNSSEC is fully validated or not, so it is better than `dig` for that. Or use `dnsviz.net` online for a nice graphical display of the equivalent test. – Patrick Mevzek Nov 17 '21 at 03:11
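The test the answer describes, as an added example that is not the answer's Perl code nor anything from dnspython: build a DNSKEY query for a zone with the EDNS0 DO bit set, send it to a server authoritative for that zone (the root servers for `.`, a TLD's servers for `com`), and report whether RRSIG records came back in the answer section. It uses only the Python standard library; the wire-format helpers and the constructed `sample_response` are assumptions made for this illustration (with dnspython the same query is `dns.message.make_query(zone, "DNSKEY", want_dnssec=True)`).

```python
import socket
import struct
DNSKEY, RRSIG, OPT = 48, 46, 41
DO_FLAG = 0x8000  # DNSSEC OK bit in the OPT pseudo-RR's flags (RFC 3225)

def build_dnskey_query(name, txid=0x1234):
    """Wire-format DNSKEY query for `name` ("." for the root) with an OPT record carrying DO."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional RR
    # OPT: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, empty RDATA
    opt = b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, DO_FLAG, 0)
    return header + qname + struct.pack("!HH", DNSKEY, 1) + opt

def _skip_name(msg, off):
    # Advance past a (possibly compressed) domain name starting at `off`
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def inspect_response(msg):
    """Return (rrsig_in_answer, do_echoed) for a DNS response in wire format."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    rrsig_in_answer = do_echoed = False
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(msg, off)
            rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            rrsig_in_answer |= section == "answer" and rtype == RRSIG
            do_echoed |= rtype == OPT and bool(ttl & DO_FLAG)  # flags sit in the low 16 bits of OPT TTL
    return rrsig_in_answer, do_echoed

def server_signs_zone(server_ip, zone, timeout=3.0):
    """Live check (needs network): True only if RRSIGs come back with the zone's DNSKEY RRset."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_dnskey_query(zone), (server_ip, 53))
        return inspect_response(s.recv(4096))[0]

def sample_response(signed):
    """Constructed reply to a root DNSKEY query: one fake DNSKEY, an RRSIG if `signed`, OPT with DO."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2 if signed else 1, 0, 1)
    msg += b"\x00" + struct.pack("!HH", DNSKEY, 1)  # question: ". IN DNSKEY"
    msg += b"\xc0\x0c" + struct.pack("!HHIH", DNSKEY, 1, 3600, 4) + b"\x01\x01\x03\x08"  # truncated key
    if signed:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 3600, 2) + struct.pack("!H", DNSKEY)
    return msg + b"\x00" + struct.pack("!HHBBHH", OPT, 4096, 0, 0, DO_FLAG, 0)
```

As the comments above note, an echoed DO bit alone only shows EDNS support; the RRSIG check is what this code keys on, and even that does not validate the chain of trust the way `delv` does.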