While performing some testing / transferring of a site from one server to another I added an entry in the hosts file to bypass DNS. The plugin was intelligent enough to detect the anomaly and provided a red DNSSEC symbol.
The DNSSEC browser plugin for Firefox was provided by:
Presently this Domain is registered with NameCheap (A registrar that does not have any support for DNSSEC or DS records).
I have initiated a transfer to Godaddy who does provide DNSSEC support via DS records using custom name servers as well through their name servers if you go the Premium route.
The transfer status page says it should take between 5-7 days for the transfer to complete.
The new nameservers are up and ready to go once the transfer is complete.
I will be moving from Hurricane Electric DNS Servers to custom DNS servers running on Virtual Private Servers.
Update: The Domain is now with Godaddy and DNSSEC is enabled.
C:>dig mnathani.com
Notice the ad flag in the dig header:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | ; <<>> DiG 9.9.1-P3 <<>> mnathani.com +noadditional +noauthority;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19088;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;mnathani.com. IN A;; ANSWER SECTION:mnathani.com. 3341 IN A 67.20.55.29;; Query time: 8 msec;; SERVER: 192.168.4.20#53(192.168.4.20);; WHEN: Wed Oct 10 21:39:30 2012;; MSG SIZE rcvd: 223 |
Also renewed till 2017:
Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: MNATHANI.COM
Created on: 24-Nov-05
Expires on: 24-Nov-17
Last Updated on: 10-Oct-12
https://labs.nic.cz/odvr/
Open DNSSEC Validating DNS Resolvers:
217.31.204.130
193.29.206.206
2001:1488:800:400::130
2001:678:1::206
https://www.dns-oarc.net/oarc/services/odvr
OARC’s Open DNSSEC Validating Resolver
BIND 9:
149.20.64.20
2001:4f8:3:2bc:1::64:20
Unbound:
149.20.64.21
2001:4f8:3:2bc:1::64:21
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | [root@onion bind-9.9.2]# dig @localhost version.bind chaos txt; <<>> DiG 9.9.2 <<>> @localhost version.bind chaos txt; (2 servers found);; global options: +cmd;; Got answer:;; ->>HEADER<;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1;; WARNING: recursion requested but not available;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;version.bind. CH TXT;; ANSWER SECTION:version.bind. 0 CH TXT "9.9.2";; AUTHORITY SECTION:version.bind. 0 CH NS version.bind.;; Query time: 0 msec;; SERVER: 127.0.0.1#53(127.0.0.1);; WHEN: Tue Oct 9 18:17:19 2012;; MSG SIZE rcvd: 73 |
When performing the following dig query, if you get SERVFAIL, then you know DNSSEC validation is working the way it should.
root@ubuntu:~# dig www.dnssec-failed.org @localhost
; <<>> DiG 9.9.1-P3 <<>> www.dnssec-failed.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53418
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; Query time: 47 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 4 02:59:20 2012
;; MSG SIZE rcvd: 50
However, if you get NOERROR then something has gone wrong and DNSSEC validation is not working the way it should.
root@ubuntu:~# dig www.dnssec-failed.org @8.8.8.8
; <<>> DiG 9.9.1-P3 <<>> www.dnssec-failed.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43692
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; ANSWER SECTION:
www.dnssec-failed.org. 4750 IN A 69.252.216.215
www.dnssec-failed.org. 4750 IN A 69.252.208.135
;; Query time: 38 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 4 03:00:45 2012
;; MSG SIZE rcvd: 82
After going through a somewhat frustrating chain of troubleshooting steps to determine why a few Slave nameservers were not updating a specific zone, it turned out to be simply due to the fact that the serial number had not been changed after the update.
Goal: Write a BASH Script that traverses the DNS Tree and validates responses from Name Servers at the same level are providing the same response.
DNSStuff.com provides this service for their paid offerings, however it should be fairly straightforward to script.
Once the BASH script has been written, it would be really cool to have a tool visualize the output in a web browser using some kind of Javascript.
Update: I started writing a set of DNS tools in PHP with calls to dig and they are available at http://dns.winvive.com
This BASH Script looks up all the authoritative name server for the .COM zone and queries each one to test if an update to “example.com” domain in this case, has been applied to each instance (a through m).
Even though this tests all 13 authoritative .COM name servers, be aware that there may be almost 100 if not more instances distributed globally using BGP Anycast routing.
#!/bin/bash
SERVERS=$(dig com. ns +short)
for f in $SERVERS
do
dig example.com @$f
done
Here is some sample output: (total output is over 300 lines so it might be best to redirect the output to a file)
; <<>> DiG 9.9.1-P3 <<>> example.com @f.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER< ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 5
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com. IN A
;; AUTHORITY SECTION:
example.com. 172800 IN NS a.iana-servers.net.
example.com. 172800 IN NS b.iana-servers.net.
;; ADDITIONAL SECTION:
a.iana-servers.net. 172800 IN A 199.43.132.53
a.iana-servers.net. 172800 IN AAAA 2001:500:8c::53
b.iana-servers.net. 172800 IN A 199.43.133.53
b.iana-servers.net. 172800 IN AAAA 2001:500:8d::53
;; Query time: 83 msec
;; SERVER: 192.35.51.30#53(192.35.51.30)
;; WHEN: Tue Sep 25 02:50:32 2012
;; MSG SIZE rcvd: 176
In order to run the latest version. Setup a few nodes to be authoritative for a domain as well as a node providing recursive lookups for the local LAN.
Experiment with various options for logging as well as primary master / slave setup.