Here is what browsing to a domain by modifying the hosts file looks like when using DNSSEC

While performing some testing / transferring of a site from one server to another I added an entry in the hosts file to bypass DNS. The plugin was intelligent enough to detect the anomaly and provided a red DNSSEC symbol.

The DNSSEC browser plugin for Firefox was provided by:

CZ.NIC Labs  and is available at https://addons.mozilla.org/en-us/firefox/addon/dnssec-validator/

Quest to DNSSEC enable this domain / website

Presently this Domain is registered with NameCheap (A registrar that does not have any support for DNSSEC or DS records).

I have initiated a transfer to Godaddy who does provide DNSSEC support via DS records using custom name servers as well through their name servers if you go the Premium route.

The transfer status page says it should take between 5-7 days for the transfer to complete.

The new nameservers are up and ready to go once the transfer is complete.

I will be moving from Hurricane Electric DNS Servers to custom DNS servers running on Virtual Private Servers.

Update: The Domain is now with Godaddy and DNSSEC is enabled.

C:\>dig mnathani.com

Notice the ad flag in the dig header:

; <<>> DiG 9.9.1-P3 <<>> mnathani.com +noadditional +noauthority
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19088
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mnathani.com.                  IN      A

;; ANSWER SECTION:
mnathani.com.           3341    IN      A       67.20.55.29

;; Query time: 8 msec
;; SERVER: 192.168.4.20#53(192.168.4.20)
;; WHEN: Wed Oct 10 21:39:30 2012
;; MSG SIZE  rcvd: 223

Also renewed till 2017:

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: MNATHANI.COM
Created on: 24-Nov-05
Expires on: 24-Nov-17
Last Updated on: 10-Oct-12

Same dig queries for Download.microsoft.com with different results

DiG 9.9.2:

C:\>dig download.microsoft.com @ns1.msft.net

; <<>> DiG 9.9.2 <<>> download.microsoft.com @ns1.msft.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 46932
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;download.microsoft.com.                IN      A

;; Query time: 78 msec
;; SERVER: 2a01:111:2005::1:1#53(2a01:111:2005::1:1)
;; WHEN: Wed Oct 10 03:49:59 2012
;; MSG SIZE  rcvd: 51

DiG 9.3.2:

C:\>dig download.microsoft.com @ns1.msft.net

; <<>> DiG 9.3.2 <<>> download.microsoft.com @ns1.msft.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1780
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;download.microsoft.com.                IN      A

;; ANSWER SECTION:
download.microsoft.com. 0       IN      CNAME   download.microsoft.com.nsatc.net.

;; Query time: 93 msec
;; SERVER: 65.55.37.62#53(65.55.37.62)
;; WHEN: Wed Oct 10 03:51:41 2012
;; MSG SIZE  rcvd: 86

Bind 9.9.2 is out


[root@onion bind-9.9.2]# dig @localhost version.bind chaos txt

; <<>> DiG 9.9.2 <<>> @localhost version.bind chaos txt
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.9.2"

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct  9 18:17:19 2012
;; MSG SIZE  rcvd: 73

Dig command to test if DNSSEC is working

When performing the following dig query, if you get SERVFAIL, then you know DNSSEC validation is working the way it should.

root@ubuntu:~# dig www.dnssec-failed.org @localhost

; <<>> DiG 9.9.1-P3 <<>> www.dnssec-failed.org @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53418
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 47 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 4 02:59:20 2012
;; MSG SIZE rcvd: 50

However, if you get NOERROR then something has gone wrong and DNSSEC validation is not working the way it should.

root@ubuntu:~# dig www.dnssec-failed.org @8.8.8.8

; <<>> DiG 9.9.1-P3 <<>> www.dnssec-failed.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43692
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; ANSWER SECTION:
www.dnssec-failed.org. 4750 IN A 69.252.216.215
www.dnssec-failed.org. 4750 IN A 69.252.208.135

;; Query time: 38 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 4 03:00:45 2012
;; MSG SIZE rcvd: 82