
How can you test DNSSEC deployment?

DNSSEC testing tools and methods:

Online validators:

Verisign DNSSEC Analyzer: dnssec-debugger.verisignlabs.com

DNSViz: dnsviz.net - visual chain analysis

DNSSEC-Tools: dnssec-tools.org

Command line:

dig +dnssec TXT yourdomain.com

Look for RRSIG records in response

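dig +sigchase (trace signature chain; this option has been removed from current BIND releases, where delv performs the validated lookup instead)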

What to verify:

All records have valid signatures

DS record at registrar matches DNSKEY

No expired signatures

Chain validates to root
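
The "DS record at registrar matches DNSKEY" check can be done by hand: recompute the key tag and digest from the zone's DNSKEY and compare them with the DS record published at the parent. The Python sketch below is an added example, not part of the original page; the function names are hypothetical and the key is a constructed placeholder, so substitute the fields returned by dig DNSKEY and dig DS for your own zone.

```python
import base64
import hashlib
import struct

# DS digest types (third DS field): 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_matches(owner, dnskey, ds):
    """True if the parent's DS (tag, alg, digest_type, hex digest) covers dnskey."""
    tag, alg, digest_type, digest_hex = ds
    if digest_type not in DIGESTS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(*dnskey)
    expected = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (tag == key_tag(rdata) and alg == dnskey[2]
            and digest_hex.replace(" ", "").lower() == expected)


# Constructed sample data: a placeholder 64-byte "public key", not a real key.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
SAMPLE_RDATA = dnskey_rdata(*SAMPLE_KEY)
SAMPLE_DS = (key_tag(SAMPLE_RDATA), 13, 2,
             hashlib.sha256(wire_name("yourdomain.com") + SAMPLE_RDATA).hexdigest())

if __name__ == "__main__":
    print("DS matches DNSKEY:", ds_matches("yourdomain.com", SAMPLE_KEY, SAMPLE_DS))
```

A False result after a key rollover usually means the registrar still holds the DS for the old key.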

Test regularly and after any DNS or DNSSEC changes.

Verify your seal system is properly configured and all documents are properly sealed.