{"id":2615,"date":"2019-10-22T17:26:21","date_gmt":"2019-10-22T09:26:21","guid":{"rendered":"https:\/\/www.mondoze.com\/guide\/?post_type=kb&#038;p=2615"},"modified":"2022-10-05T08:02:44","modified_gmt":"2022-10-05T00:02:44","slug":"troubleshooting-dnssec","status":"publish","type":"kb","link":"https:\/\/www.mondoze.com\/guide\/kb\/troubleshooting-dnssec","title":{"rendered":"Troubleshooting DNSSEC"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2615\" class=\"elementor elementor-2615\" data-elementor-settings=\"[]\">\n\t\t\t\t\t\t<div class=\"elementor-inner\">\n\t\t\t\t\t\t\t<div class=\"elementor-section-wrap\">\n\t\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-22cc18a4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"22cc18a4\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t\t\t<div class=\"elementor-row\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3796632b\" data-id=\"3796632b\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-column-wrap elementor-element-populated\">\n\t\t\t\t\t\t\t<div class=\"elementor-widget-wrap\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-c6c446f elementor-widget elementor-widget-heading\" data-id=\"c6c446f\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Troubleshooting DNSSEC<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-62077b9f elementor-widget elementor-widget-text-editor\" data-id=\"62077b9f\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t<div class=\"elementor-text-editor elementor-clearfix\">\n\t\t\t\t<h3><strong>Testing DNSSEC with Dig<\/strong><\/h3><p><em>Dig<\/em>\u00a0is a command-line tool for querying a nameserver for DNS records. For instance,\u00a0<em>dig<\/em> can ask a DNS resolver for the IP address of\u00a0<em>www.cloudflare.com<\/em> (the\u00a0<em>+short<\/em>\u00a0option prints only the answer data):<\/p><pre>$\u00a0dig www.cloudflare.com +short\n198.41.215.162\n198.41.214.162<\/pre><p>Use\u00a0<em>dig<\/em>\u00a0with the\u00a0<em>+dnssec<\/em>\u00a0option to retrieve the DNSSEC records along with the answer. \u00a0In the example below, t<span data-ref=\"feea3476-06c4-419b-a194-db823e11e1dc\">he last line of output is the\u00a0<em>RRSIG\u00a0record<\/em>. \u00a0<em>RRSIG<\/em> is the DNSSEC signature attached to the record set. Using the <em>RRSIG<\/em>, a validating DNS resolver determines whether a DNS response can be trusted.<\/span><\/p><pre>$\u00a0dig www.cloudflare.com +dnssec +short\n198.41.214.162\n198.41.215.162\nA 13 3 300 20180927180434 20180925160434 35273 cloudflare.com. DYYZ\/bhHSAIlpvu\/HEUsxlzkC9NsswbCQ7dcfcuiNBrbhYV7k3AI8t46 QMnOlfhwT6jqsfN7ePV6Fwpym3B0pg==<\/pre><p><span data-ref=\"feea3476-06c4-419b-a194-db823e11e1dc\"><em>Dig<\/em> also retrieves the public key used to verify the DNS record. \u00a0A domain&#8217;s DNS records are all verified with the same public key, published at the zone apex. 
Therefore,<\/span>\u00a0query for the public key of the zone apex (here\u00a0<em>cloudflare.com<\/em>), not that of the subdomain:<\/p><pre>$\u00a0dig\u00a0DNSKEY cloudflare.com +short\n257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==\n256 3 13 koPbw9wmYZ7ggcjnQ6ayHyhHaDNMYELKTqT+qRGrZpWSccr\/lBcrm10Z 1PuQHB3Azhii+sb0PYFkH1ruxLhe5g==<\/pre><p>The DNS response includes two records:<\/p><ul><li><em>DNSKEY record<\/em>\u00a0<strong>256<\/strong> is the public key called the Zone-Signing Key (ZSK), used to verify the signatures on the zone&#8217;s ordinary records, such as <em>A, MX, CNAME, SRV<\/em>, etc.<\/li><li><span data-ref=\"24cfe87f-e841-405a-885e-30f24ca1a609\"><em>DNSKEY record<\/em>\u00a0<strong>257<\/strong> is called the Key-Signing Key (KSK), used to verify the signatures on the <em>DNSKEY, CDS, and CDNSKEY records<\/em>.<\/span><\/li><\/ul><p>Details on how to verify the signatures with the public key are beyond the scope of this article.<\/p><p>When not using the\u00a0<em>+short<\/em>\u00a0option with\u00a0<em>dig<\/em>, a DNS response is DNSSEC authenticated if the\u00a0<strong>ad<\/strong>\u00a0(authenticated data) flag appears in the response header. The flag is set by the validating resolver, not by the authoritative nameserver, so it is only meaningful when the query is sent to a resolver that performs DNSSEC validation:<\/p><pre>$\u00a0dig\u00a0www.cloudflare.com\n[...]\n;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR,\u00a0id: 65326\n;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n[...]\n;; QUESTION SECTION:\n;www.cloudflare.com.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0 A\n[...]\n;; ANSWER SECTION:\nwww.cloudflare.com. 15\u00a0 IN\u00a0 A\u00a0\u00a0 198.41.215.162\nwww.cloudflare.com. 15\u00a0 IN\u00a0 A\u00a0\u00a0 198.41.214.162<\/pre><hr \/><h3><strong>Viewing the DNSSEC Chain of Trust with Dig<\/strong><\/h3><p>Full verification of a domain&#8217;s signatures (for example:\u00a0<em>cloudflare.com<\/em>) involves checking its key-signing key against the DS record published in the top-level domain (for example:\u00a0<em>.com<\/em>). 
\u00a0Similar verification is\u00a0<span data-ref=\"40babf11-78cb-4596-ae24-d082e906b41e\">then performed by checking the key-signing\u00a0<\/span><span data-ref=\"40babf11-78cb-4596-ae24-d082e906b41e\">key of\u00a0<em>.com<\/em>\u00a0against the DS record held at the root zone. The DNSSEC root keys are distributed to DNS clients as trust anchors, which completes the chain of trust.<\/span><\/p><p>When DNSSEC is enabled, a\u00a0<em>DS record<\/em>\u00a0is required at the registrar&#8217;s DNS (that is, in the parent zone). The\u00a0<em>DS record<\/em>\u00a0contains a hash of the public key-signing key as well as metadata about the key: the key tag, the signing algorithm, and the digest type.<\/p><p>Use\u00a0<em>dig<\/em>\u00a0to find a\u00a0<em>DS record<\/em>. In the output below, 2371 is the key tag, 13 the algorithm, 2 the digest type (SHA-256), followed by the digest:<\/p><pre>$\u00a0dig\u00a0+short DS cloudflare.com\n2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9<\/pre><p><span data-ref=\"c8cd566c-f30c-4cd8-abc7-5e0fdf987b99\">When using the\u00a0<em>+trace<\/em>\u00a0option, <em>dig<\/em>\u00a0walks the delegation chain from the root and shows which nameserver returned each answer, so it confirms whether an answer comes from the nameserver for\u00a0<em>cloudflare.com<\/em>\u00a0or from the nameserver for\u00a0<em>.com<\/em>. \u00a0In this example, the\u00a0<em>DS record<\/em>\u00a0for\u00a0<em>cloudflare.com<\/em> is returned by e.gtld-servers.net, a nameserver for <em>.com<\/em>:<\/span><\/p><pre>$ dig\u00a0DS cloudflare.com +trace\n[...]\ncloudflare.com.\u00a0\u00a0\u00a0\u00a0 86400\u00a0\u00a0 IN\u00a0 DS\u00a0 2371 13 2 32996839A6D808AFE3EB4A795A0E6A7A39A76FC52FF228B22B76F6D6 3826F2B9\n[...]\ncom.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 172800\u00a0 IN\u00a0 NS\u00a0 e.gtld-servers.net.\n[...]
;; Received 1213 bytes from 2001:502:1ca1::30#53(e.gtld-servers.net) in 37 ms<\/pre><p>An easier alternative to running all of the steps above by hand is the DNSViz online tool. See the section on troubleshooting DNSSEC validation using DNSViz below, or DNSViz&#8217;s analysis of cloudflare.com for an example of a correct result.<\/p><hr \/><h3><strong>Troubleshooting DNSSEC Validation with Dig<\/strong><\/h3><p>Issues occur if the authoritative DNS provider is changed without updating or removing the old DNSSEC records at the registrar. A validating resolver can then no longer build the chain of trust and answers with <em>SERVFAIL<\/em>:<\/p><div data-hasbody=\"true\" data-macro-name=\"code\"><pre>$\u00a0dig\u00a0A brokendnssec.net @1.0.0.1\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0\n;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL,\u00a0id: 10663<\/pre><p>Confirm whether a\u00a0<em>SERVFAIL<\/em>\u00a0response is related to DNSSEC by running\u00a0<em>dig<\/em>\u00a0with the\u00a0<em>+cd<\/em>\u00a0(checking disabled) option. With\u00a0<em>+cd<\/em>, the resolver returns the answer it obtained without performing DNSSEC validation on it.<\/p><pre>$ dig\u00a0A brokendnssec.net @1.0.0.1 +dnssec +cd\u00a0+short\n104.20.49.61\n104.20.48.61<\/pre><p>In the above example, DNSSEC is misconfigured if a proper DNS response is received when using the <em>+cd<\/em>\u00a0option but the same query with validation enabled returns a\u00a0<em>SERVFAIL<\/em>\u00a0response. This often happens when the authoritative nameservers are changed but the\u00a0<em>DS records<\/em> at the registrar are not updated. 
\u00a0The same symptom also appears if an attacker attempts to forge a response to a query, because the forged response fails signature validation.<\/p><hr \/><h3><strong>Troubleshooting DNSSEC Validation using DNSViz<\/strong><\/h3><ol><li>Browse to\u00a0http:\/\/dnsviz.net\/<\/li><li>Enter a domain name in the text field that appears.<\/li><li>If DNSViz has never analyzed the site before, click the\u00a0<strong>Analyze<\/strong>\u00a0button that appears.<\/li><li>If the site has been analyzed by DNSViz before, click the <strong>Update Now<\/strong>\u00a0button that appears.<\/li><\/ol><h4><strong>Example without DNSSEC<\/strong><\/h4><p>Below is an example of a working domain without DNSSEC as diagrammed by dnsviz.net:<\/p><p><span style=\"color: #333333; font-family: Roboto, sans-serif; font-size: 14px;\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-medium wp-image-2617\" src=\"https:\/\/www.mondoze.com\/guide\/wp-content\/uploads\/2021\/03\/dn1-300x256.png\" alt=\"DNSViz diagram of a working domain without DNSSEC\" width=\"300\" height=\"256\" \/> \u00a0<\/span><\/p><h4><strong>Example with correct DNSSEC<\/strong><\/h4><p>Below is an example of a domain with functioning DNSSEC records between the TLD nameservers and the authoritative nameservers for cloudflare.com:<\/p><p><span style=\"color: #333333; font-family: Roboto, sans-serif; font-size: 14px;\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-medium wp-image-2620\" src=\"https:\/\/www.mondoze.com\/guide\/wp-content\/uploads\/2021\/03\/dn2-292x300.png\" alt=\"DNSViz diagram of cloudflare.com with a valid DNSSEC chain of trust\" width=\"292\" height=\"300\" \/><\/span><\/p><h4><strong>Example with missing or incorrect RRSIG record on authoritative nameserver<\/strong><\/h4><p>Below is an example of how dnsviz.net displays a broken delegation when the authoritative nameserver provides no valid DNSKEY record matching the DS record published by the TLD nameserver:<\/p><p><span style=\"color: #333333; font-family: Roboto, sans-serif; font-size: 14px;\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-medium wp-image-2622\" src=\"https:\/\/www.mondoze.com\/guide\/wp-content\/uploads\/2021\/03\/dn3-300x295.png\" alt=\"DNSViz diagram of a broken delegation where no DNSKEY matches the DS record at the TLD\" width=\"300\" height=\"295\" \/><\/span><\/p><hr \/><h3><strong>Next steps<\/strong><\/h3><p>If a problem is discovered with the DNSSEC implementation, contact the domain&#8217;s registrar and confirm that the <em>DS record<\/em> (key tag, algorithm, digest type, and digest) matches what the authoritative DNS provider has specified. If Cloudflare is the authoritative DNS provider, follow the instructions for configuring DNSSEC with Cloudflare.<\/p><\/div>\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Troubleshooting DNSSEC Testing DNSSEC with Dig Dig\u00a0is a command-line tool to query a nameserver for DNS records. For instance,\u00a0dig\u00a0can ask a DNS resolver for the IP address of\u00a0www.cloudflare.com\u00a0(The option\u00a0+short\u00a0outputs the result only): $\u00a0dig www.cloudflare.com +short 198.41.215.162 198.41.214.162 Use\u00a0dig\u00a0to verify DNSSEC records. \u00a0In the example below, the last line of output is the\u00a0RRSIG\u00a0record. 
\u00a0RRSIG is the &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/www.mondoze.com\/guide\/kb\/troubleshooting-dnssec\"> <span class=\"screen-reader-text\">Troubleshooting DNSSEC<\/span> Read More \u00bb<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}}},"kbtopic":[53],"kbtag":[110],"mkb_version":[],"_links":{"self":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb\/2615"}],"collection":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/comments?post=2615"}],"version-history":[{"count":9,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb\/2615\/revisions"}],"predecessor-version":[{"id":18323,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb\/2615\/revisions\/18323"}],"wp:attachment":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/media?parent=2615"}],"wp:term":[{"taxonomy":"kbtopic"
,"embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=2615"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kbtag?post=2615"},{"taxonomy":"mkb_version","embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/mkb_version?post=2615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}