lost and found ( for me ? )


do DNSSEC validation with dig

Here’s an explanation of how to validate DNSSEC with dig.

To do DNSSEC validation with dig, dig must have been compiled with the -DDIG_SIGCHASE option.
The dig command shipped by recent Linux distributions seems to be compiled with -DDIG_SIGCHASE. You can check with dig -h:

# cat /etc/fedora-release
Fedora release 16 (Verne)

# dig -v
DiG 9.8.2rc2-RedHat-9.8.2-0.4.rc2.fc16

# dig -h | grep sigchase
                +[no]sigchase       (Chase DNSSEC signatures)


Prepare the root zone KSK (the DNSKEY record with flags 257) as the trusted key:
# dig . dnskey | grep 257 > root.keys

# dig +sigchase +trusted-key=./root.keys www.isc.org a
;; RRset to chase:
www.isc.org.            598     IN      A       149.20.64.42


;; RRSIG of the RRset to chase:
www.isc.org.            598     IN      RRSIG   A 5 3 600 20120523233239 20120423233239 4442 isc.org. WpjJWgqMLMyDbrJSMW3C9HReM+Fl29L6B7nsk7b4w/f7k0PWf1s6sh+y /d2feSndFeJyWOn7tkX/v7LIHf6MfftV4VKuZbiIShemc4h1lM50h+/x cJjTcyGlrDwM5K6sfrGKVnfZRPzJHrI0Bvq0pamTPAPkNuPw1YMNSNYO R9k=



Launch a query to find a RRset of type DNSKEY for zone: isc.org.

;; DNSKEYset that signs the RRset to chase:
isc.org.                6653    IN      DNSKEY  257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd
isc.org.                6653    IN      DNSKEY  256 3 5 BQEAAAAB2F1v2HWzCCE9vNsKfk0K8vd4EBwizNT9KO6WYXj0oxEL4eOJ aXbax/BzPFx+3qO8B8pu8E/JjkWH0oaYz4guUyTVmT5Eelg44Vb1kssy q8W27oQ+9qNiP8Jv6zdOj0uCB/N0fxfVL3371xbednFqoECfSFDZa6Hw jU1qzveSsW0=


;; RRSIG of the DNSKEYset that signs the RRset to chase:
isc.org.                6653    IN      RRSIG   DNSKEY 5 2 7200 20120523230125 20120423230125 4442 isc.org. SwS2MA1kWhH+BcJiwSE/cnOUoe8bvO8PKSVuZzmSOteaWVrCIBuB0xDt EBTJB9DFLeFUAN5I1JWaJtmc4g+7Fb1pyXY5oNa/3BFLxI2Rzyvl+wCR PodQoZTEVr4KpMggA+YZfM1DTczlIt7VP2qSHs1V0lE8W8yDemsHREvV LQw=
isc.org.                6653    IN      RRSIG   DNSKEY 5 2 7200 20120523230125 20120423230125 12892 isc.org. BNAbrS5Mu1ozP+e2g7fSMIXnHf9zhOu1uX7UBa6ja81wTUqozKTdHiJC JHPBGpQd5BVmylgi55lxGGUBFV8mpmy98yUd23ds0vn2T2za78vEyCVI 04tAe6f1jhd9pj5HdIpsNWDv/Ehozx9z1DcsN85l18rWzTq4ynPj0pmE VvYOCqcwwnvJmrdFbG0OIxdrdSfdthZa2LjAjU/RlZFH1B7MJTvx4DEb Dt26XdlOO8tVkv+VSD9YUykjihFOK70Kk8FLga+D+aswTo9U5kEvzmHx ymwANwsqsAT2YKjsNWVFZFVvPSSys6LOTTdlzq5Ftoj+ISEnFFy6h1dm UJwcMw==
<snip>
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; VERIFYING DS RRset for org. with DNSKEY:56158: success
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok, find a Trusted Key in the DNSKEY RRset: 19036
;; VERIFYING DNSKEY RRset for . with DNSKEY:19036: success

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
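The two steps above (extract the root KSK into a trusted-key file, then read the +sigchase verdict) can be scripted. The following is an added example, not code from the original post: `grep 257` also matches a TTL of 257 or a base64 chunk containing "257", so the filter below selects on the DNSKEY flags field instead, and the verdict check looks for the "DNSSEC validation is ok: SUCCESS" line that dig prints on success. The sample records are constructed and shortened, not real keys; the function names are the example's own. Note that a key fetched with `dig . dnskey` arrives over an unauthenticated query, so compare it with the published root trust anchor before using it as a trusted key, and that newer BIND releases dropped +sigchase from dig in favour of delv.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around dig +sigchase.

# select_ksk: read `dig . dnskey` output on stdin and keep only DNSKEY
# records whose flags field is 257 (the KSK). Stricter than `grep 257`,
# which also matches a TTL of 257 or a base64 chunk containing "257".
select_ksk() {
    awk '$3 == "IN" && $4 == "DNSKEY" && $5 == "257"'
}

# sigchase_ok: read `dig +sigchase` output on stdin and succeed only if
# the final verdict line reports SUCCESS.
sigchase_ok() {
    grep -q 'DNSSEC validation is ok: SUCCESS'
}

# Constructed sample in the layout dig prints (keys truncated, not real).
# The third line has TTL 257 and the last is a dig footer: both would be
# caught by a naive `grep 257`, neither is a KSK.
SAMPLE_DNSKEY='.                       172371  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR
.                       172371  IN      DNSKEY  256 3 8 AwEAAbd0IPTQdvyndWSX6HHcB
example.                257     IN      A       192.0.2.1
;; MSG SIZE  rcvd: 1257'

# count_ksk: number of KSK records select_ksk keeps from the sample.
count_ksk() {
    printf '%s\n' "$SAMPLE_DNSKEY" | select_ksk | wc -l | tr -d ' '
}

# count_grep257: what the post's `grep 257` would keep from the same sample.
count_grep257() {
    printf '%s\n' "$SAMPLE_DNSKEY" | grep -c 257
}

# Real-world usage (needs network and a sigchase-enabled dig):
#   dig . dnskey | select_ksk > root.keys
#   dig +sigchase +trusted-key=./root.keys www.isc.org a | sigchase_ok \
#       && echo "chain validated" || echo "chain NOT validated"
```

Run the real-world lines from the comment block against a resolver that returns DNSSEC records; `sigchase_ok` only trusts the explicit SUCCESS verdict, so any truncated or failed chase is reported as not validated.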


You can also do DNSSEC validation in top-down mode (in this case . -> org -> isc.org) like this:
$ dig -h | grep topdown
                +[no]topdown        (Do DNSSEC validation top down mode)

# dig +sigchase +topdown +trusted-key=./root.keys www.isc.org a

Launch a query to find a RRset of type A for zone: www.isc.org with nameservers:
.                       517971  IN      NS      m.root-servers.net.
.                       517971  IN      NS      l.root-servers.net.
.                       517971  IN      NS      h.root-servers.net.
.                       517971  IN      NS      i.root-servers.net.
.                       517971  IN      NS      b.root-servers.net.
.                       517971  IN      NS      a.root-servers.net.
.                       517971  IN      NS      d.root-servers.net.
.                       517971  IN      NS      c.root-servers.net.
.                       517971  IN      NS      j.root-servers.net.
.                       517971  IN      NS      k.root-servers.net.
.                       517971  IN      NS      e.root-servers.net.
.                       517971  IN      NS      g.root-servers.net.
.                       517971  IN      NS      f.root-servers.net.



Launch a query to find a RRset of type DNSKEY for zone: .

;; DNSKEYset:
.                       172371  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=
.                       172371  IN      DNSKEY  256 3 8 AwEAAbd0IPTQdvyndWSX6HHcB+JycMl1aCGTHSJUBs/y9S93el05VvXg 1VqSF4vveB9rEuAZ1z8RNWZ9ac+rlaK7PrI5RlCIyKKPbtHbpgQGkwai 8O6BZ4J/ch7DGuhGJfvoECcWjsucs683WFRtmfLx5WNdPxxi30Czt1zP qMWfY6YJ


;; RRSIG of the DNSKEYset:
.                       172371  IN      RRSIG   DNSKEY 8 0 172800 20120505235959 20120421000000 19036 . l8lWJzAY23yZggtOrz1662Z4uWibt4CYpmrnRN9uvxyRAbumpYo/Uc5e FTBScaxsk1iTUVP9cQEU2zbllRBysKqNnFeJUCIZtnqSp34E52COjuK5 J/3Jf955asEWvSfVTU6rBw5TtYhzO3LFdIzBk8tTWw49V6zzZYtPMlHx B75aLSmNamk4WzmdyE119LoPRqnwF0sQ6mezUfHNQKbyIL3UiSZIdrCj x6QEiRWp37ZiyNvEWKsuqPdAAOG43fs8Liu6tVKsDI/QFVhv52rNP7lf Sp/wIbMKnr8nFunSh4CNfQQKKdYX8SJZ1xsQRmQLJc7cF2W3IQapV9uG zVEt6g==
<snip>