DNS Tech Support Training Courses DNSSEC Consulting DNS Monitoring System Audit Customer Portal
The DNS Institute
Documentation Implementations Research DNS History Free DNS Tools
Chapter 3. Validation
Prev DNSSEC Guide Next

DNSSEC Guide : Chapter 3. Validation

Table of Contents

Easy Start Guide for Recursive Servers
How To Test Recursive Server (So You Think You Are Validating)
Using Web-based Tools to Verify
Using dig to Verify
Using delv to Verify
Verifying Protection from Bad Domain Names
How Do I know I Have a Validation Problem?
Validation Easy Start Explained
dnssec-validation
How Does DNSSEC Change DNS Lookup (Revisited)?
How are Answers Verified?
Trust Anchors
How Trust Anchors are Used
Trusted Keys and Managed Keys
What's EDNS All About (And Why Should I Care)?
EDNS Overview
EDNS on DNS Servers
Support for Large Packets on Network Equipment
Wait... DNS Uses TCP?

Easy Start Guide for Recursive Servers

This section provides the minimum amount of information to setup a working DNSSEC-aware recursive server, also known as a validating resolver. A validating resolver performs validation for each remote response received, following the chain of trust to verify the answers it receives are legitimate through the use of public key cryptography and hashing functions.

Once DNSSEC validation is enabled, any DNS response that does not pass the validation checks will result in the domain name not getting resolved (often a SERVFAIL status seen by the client). What this means for the DNS administrator is, if there is a DNSSEC configuration issue (sometimes outside of the administrator's control), a specific name, or sometimes entire domains, may "disappear" from DNS, in that it becomes unreachable through that resolver. What this means for the end user is, name resolution is slow or fails altogether, or some parts of a URL will not load, or web browser will display some error message indicating the page cannot be displayed at all.

For example, if root name servers were misconfigured with the wrong information about .org, it could cause all validation for .org domains to fail. To the end users, it would appear that no one could get to any .org web sites.

You may not need to reconfigure your name server at all, since recent versions of BIND packages and distributions have been shipped with DNSSEC validation enabled by default. Before making any configuration changes, check whether or not you already have DNSSEC validation by following steps described in the section called “How To Test Recursive Server (So You Think You Are Validating)”.

Enabling DNSSEC validation on a BIND 9 recursive name server is easy, you only need one line of configuration in your configuration file: 

options {
    dnssec-validation auto;
};

Restart named or use rndc reconfig, and your recursive server is now happily validating each DNS response. If this does not work for you, and you have already verified DNSSEC support as described in the section called “DNSSEC Support in BIND”, you most likely have some other network-related configurations that need to be adjusted, take a look at the section called “Network Requirements” to make sure your network is ready for DNSSEC.

DNSSEC is enabled by default for BIND, but this line enables automatic trust anchor configuration. To learn more about this configuration, please refer to the section called “Validation Easy Start Explained”.

Prev Next
Operational Requirements DNSSEC Guide
Table of Contents
(License)		 How To Test Recursive Server (So You Think You Are Validating)
Contact Us | About | Site Map |  Gab |  Twitter