DNSSEC for Users
Few operating systems support DNSSEC validation out of the box. You can install Dnssec-Trigger to run your own validating resolver (more information). Keep in mind that web browsers do not distinguish between DNSSEC validation failures and general DNS failures (there is no security warning like with SSL/TLS errors).
To re-run the above test, you also need to:
- Flush the DNS cache of your OS (Windows: ipconfig /flushdns)
- Restart your browser or clear the browser cache
DNSSEC for DNS Cache Operators
If you're running a recursive DNS cache, follow these steps to enable DNSSEC validation on BIND or Unbound.
BIND
Since BIND 9.8, you can activate DNSSEC validation with the following lines in the options section of your named.conf:
dnssec-enable yes;
dnssec-validation auto;
Then reload the configuration:
rndc reload
If you're running an older BIND version, you should update.
Unbound
- Update the root KSK:
unbound-anchor
- Make sure your unbound.conf contains the following line:
auto-trust-anchor-file "/var/lib/unbound/root.key"
- Reload Unbound:
unbound-control reload
Test validation
dig sigok.verteiltesysteme.net @127.0.0.1
(should return an A record)
dig sigfail.verteiltesysteme.net @127.0.0.1
(should return SERVFAIL)
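The same two-name check, scripted, as an added example that is not part of the original page: it sends A queries with the EDNS0 DO bit to the resolver and classifies it from the response headers (sigok must come back NOERROR with the AD bit, sigfail must come back SERVFAIL). It assumes the resolver listens on 127.0.0.1 port 53 over UDP and ignores truncated answers; the sample headers in the comments are constructed.

```python
import socket
import struct

NOERROR, SERVFAIL = 0, 2

def build_query(name, qid=0x1234):
    """Build a wire-format A query for `name` with EDNS0 and the DO bit set,
    so a validating resolver marks a correctly signed answer with AD."""
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, UDP size 4096, ext-rcode 0, version 0, DO flag, RDLEN 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_header(msg):
    """Return the fields of the 12-byte DNS header that the check needs."""
    qid, flags = struct.unpack("!HH", msg[:4])
    return {"id": qid, "qr": bool(flags & 0x8000),
            "ad": bool(flags & 0x0020), "rcode": flags & 0x000F}

def classify(sigok_msg, sigfail_msg):
    """Classify a resolver from its raw responses to the two test names.
    A validator answers sigok with NOERROR+AD and sigfail with SERVFAIL;
    a non-validating cache answers both with NOERROR and no AD bit."""
    ok, fail = parse_header(sigok_msg), parse_header(sigfail_msg)
    if ok["rcode"] == NOERROR and ok["ad"] and fail["rcode"] == SERVFAIL:
        return "validating"
    if ok["rcode"] == NOERROR and not ok["ad"] and fail["rcode"] == NOERROR:
        return "not validating"
    # Anything else (e.g. sigok also SERVFAIL) is a plain DNS problem, not a DNSSEC result.
    return "inconclusive"

def query(name, server="127.0.0.1", timeout=3.0):
    """Send one UDP query and return the raw response, or None on timeout/ID mismatch."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return resp if parse_header(resp)["id"] == parse_header(q)["id"] else None

if __name__ == "__main__":
    ok = query("sigok.verteiltesysteme.net")
    fail = query("sigfail.verteiltesysteme.net")
    print("no answer from resolver" if ok is None or fail is None else classify(ok, fail))
```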
Results
- [2013-03-19] Presentation (HTML5), PDF (2.3 MB), Passive and Active Measurement Conference (PAM), Hong Kong.
- [2012-12-17] Paper (PDF), published in the Proceedings of the 2013 Passive and Active Measurement Conference (PAM).
- [2012-10-14] Presentation (HTML5), PDF (1.4 MB), DNS-OARC Workshop, Toronto.
The map shows the ratio of validating clients per country, collected from October 2014 to March 2015. Some older result sets of the measurement (anonymized) are available for public download.
Other Tests
These tests use slightly different mechanics. Most users should get the same result on all tests, but in some cases there may be discrepancies. If you get different results, drop us a note with your IP address and we'll be glad to analyze our logs.
- www.dnssec-or-not.com: online test by VeriSign (no JavaScript required)
- validator-search.verisignlabs.com: hidden test by VeriSign with statistics
- dnssectest.sidn.nl: online test by SIDN (with JavaScript)
- www.dnssec-failed.org: webpage with bogus signature by Comcast (will not open at all if you are using DNSSEC)