Difference between revisions of "DNSSEC"

From dankwiki
(Created page with "==Tools== <tt>drill</tt> from the [http://packages.debian.org/sid/ldnsutils ldnsutils] package.")
 
 
Line 1: Line 1:
 
==Tools==
 
==Tools==
<tt>drill</tt> from the [http://packages.debian.org/sid/ldnsutils ldnsutils] package.
+
===drill===
 +
From the [http://packages.debian.org/sid/ldnsutils ldnsutils] package.
 +
* drill -S ''domain'' will chase any signatures found in domain.
 +
* drill -TD ''FQDN'' will perform a top-down DNSSEC trace on FQDN.
 +
* drill -s dnskey ''domain'' shows all DNSSEC (DS) records for domain.
 +
===dig===
 +
From the [http://packages.debian.org/sid/dnsutils dnsutils] package.
 +
* The <tt>+dnssec</tt> flag will set the DNSSEC OK (DO) bit in the OPT section of the query.
 +
* The <tt>+sigchase</tt> flag will chase signature chains.
 +
** The <tt>+topdown</tt> flag can be used to force a top-down validation.
 +
* The <tt>+trusted-key=</tt> flag specifies a file containing trusted keys. Each key must be on its own line.
 +
** By default, /etc/trusted-key.key followed by ./trusted-key.key are used.
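Review bot: The new "drill -s dnskey ''domain''" bullet describes the output as "all DNSSEC (DS) records", but the command as written asks for the dnskey type, so the text conflates DNSKEY and DS records. Reword the bullet to say which record type is queried and which is printed, for example that the DNSKEY set is fetched and a DS record is shown for each key. In the dig list, the "+trusted-key=" bullet says each key must be on its own line without naming the record format the file expects; one more sub-bullet stating that format would make the entry usable on its own.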

Latest revision as of 00:48, 16 December 2011

Tools

drill

From the ldnsutils package.

  • drill -S domain will chase any signatures found in domain.
  • drill -TD FQDN will perform a top-down DNSSEC trace on FQDN.
  • drill -s dnskey domain shows all DNSSEC (DS) records for domain.

dig

From the dnsutils package.

  • The +dnssec flag will set the DNSSEC OK (DO) bit in the OPT section of the query.
  • The +sigchase flag will chase signature chains.
    • The +topdown flag can be used to force a top-down validation.
  • The +trusted-key= flag specifies a file containing trusted keys. Each key must be on its own line.
    • By default, /etc/trusted-key.key followed by ./trusted-key.key are used.