How can you test DNSSEC deployment?
DNSSEC testing tools and methods:
Online validators:
Verisign DNSSEC Analyzer: dnssec-debugger.verisignlabs.com
DNSViz: dnsviz.net - visual chain analysis
DNSSEC-Tools: dnssec-tools.org
Command line:
dig +dnssec TXT yourdomain.com
Look for RRSIG records in response
dig +sigchase (trace signature chain)
What to verify:
All records have valid signatures
DS record at registrar matches DNSKEY
No expired signatures
Chain validates to root
Test regularly and after any DNS or DNSSEC changes.
Verify your seal system is properly configured and all documents are properly sealed.
Was this answer helpful?
Thanks for your feedback!