DNSSEC
DNSSEC validation, trust chain inspection, key management concepts, and troubleshooting broken chains.
DNSSEC Concepts
DNSSEC adds cryptographic signatures to DNS records. It proves that the answer came from the authoritative source and was not modified in transit. It does not encrypt queries — it only provides authentication and integrity.
The chain of trust: Root (.) signs the KSK for .com, which signs the KSK for example.com, which signs the zone’s records. Each link is a DS record in the parent zone pointing to the child’s DNSKEY.
Querying DNSSEC Records
dig example.com +dnssec +noall +answerRRSIG records appear alongside the actual records. Their presence means the zone is signed.
dig example.com +dnssec | grep -i "flags"The ad (Authenticated Data) flag means the recursive resolver validated the entire DNSSEC chain from root to answer. If ad is absent, the resolver either did not validate or validation failed.
dig example.com +cdThe +cd (Checking Disabled) flag tells the resolver to return the answer without validating DNSSEC. Use this to distinguish between "DNSSEC is broken" and "the domain doesn’t exist."
dig example.com DNSKEY +shortReturns the KSK (Key Signing Key, flag 257) and ZSK (Zone Signing Key, flag 256). The KSK signs the DNSKEY RRset; the ZSK signs everything else.
dig example.com DS +shortThe DS (Delegation Signer) record is published in the parent zone. It contains a hash of the child’s KSK, forming the chain of trust link.
dig example.com RRSIG +noall +answerEach RRSIG covers one RRset (e.g., all A records at a name). Shows the algorithm, labels, original TTL, expiration, inception, key tag, and signer name.
dig nonexistent.example.com +dnssec +noall +authorityNSEC or NSEC3 records prove a name does not exist without revealing the full zone contents. NSEC3 uses hashed names to prevent zone walking.
Validating a DNSSEC Chain
dig example.com +trace +dnssecShows DNSKEY and DS records at each delegation point. Follow the chain: root DNSKEY → TLD DS → TLD DNSKEY → domain DS → domain DNSKEY → RRSIG on the answer.
dig example.com DS +short
dig example.com DNSKEY +shortThe DS record in the parent is a hash of the KSK (flag 257) in the child. If they don’t match, the chain is broken and validation fails.
DNSSEC-Aware BIND Configuration
options {
dnssec-validation auto;
};auto uses the built-in root trust anchors (managed by managed-keys or trust-anchors). This is the default in modern BIND.
sudo rndc validation-statussudo rndc flush
sudo rndc secrootssecroots dumps the current trust anchors to the log. Useful for debugging why validation fails for a specific zone.
Troubleshooting DNSSEC Failures
# With validation (fails if DNSSEC is broken)
dig example.com A
# Without validation (succeeds if record exists)
dig example.com A +cdIf +cd returns an answer but the normal query returns SERVFAIL, the DNSSEC chain is broken. The zone owner needs to fix their signing.
dig example.com RRSIG +noall +answer | awk '{print $9, $10}'RRSIG records have inception and expiration timestamps. Expired signatures cause validation failure. Zone operators must re-sign before expiration.
delv example.com Adelv performs full DNSSEC validation and reports whether the answer is fully validated, unsigned, or broken chain. More informative than dig for DNSSEC debugging.
See Also
-
dig — DNSSEC query flags (+dnssec, +cd)
-
Troubleshooting — SERVFAIL from DNSSEC failures
-
TLS — transport encryption (DNSSEC is authentication, not encryption)