Check DNSSEC domain name server security
Validate your domain security with this checker tool. This tool performs a full check of all (slave) domain name servers for your domain.
The original design of the Domain Name System (DNS) did not include security; instead it was designed to be a scalable distributed system. The Domain Name System Security Extensions (DNSSEC) attempts to add security, while maintaining backwards compatibility. RFC 3833 documents some of the known threats to the DNS and how DNSSEC responds to those threats.
DNSSEC was designed to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning. All answers from DNSSEC protected zones are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server. While protecting IP addresses is the immediate concern for many users, DNSSEC can protect any data published in the DNS, including text records (TXT), mail exchange records (MX), and can be used to bootstrap other security systems that publish references to cryptographic certificates stored in the DNS such as Certificate Records (CERT records, RFC 4398), SSH fingerprints (SSHFP, RFC 4255), IPSec public keys (IPSECKEY, RFC 4025), and TLS Trust Anchors (TLSA, RFC 6698).
DNSSEC does not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but not encrypted. DNSSEC does not protect against DoS attacks directly, though it indirectly provides some benefit (because signature checking allows the use of potentially untrustworthy parties).
Other standards (not DNSSEC) are used to secure bulk data (such as a DNS zone transfer) sent between DNS servers. As documented in IETF RFC 4367, some users and developers make false assumptions about DNS names, such as assuming that a company's common name plus ".com" is always its domain name. DNSSEC cannot protect against false assumptions; it can only authenticate that the data is truly from or not available from the domain owner.
The DNSSEC specifications (called DNSSEC-bis) describe the current DNSSEC protocol in great detail. See RFC 4033, RFC 4034, and RFC 4035. With the publication of these new RFCs (March 2005), an earlier RFC, RFC 2535 has become obsolete.
Securing the DNS is critically important for securing the Internet as a whole, but deployment of DNSSEC specifically has been hampered (As of 22 January 2010) by several difficulties:
- The need to design a backward-compatible standard that can scale to the size of the Internet
- Prevention of "zone enumeration" (see below) where desired
- Deployment of DNSSEC implementations across a wide variety of DNS servers and resolvers (clients)
- Disagreement among implementers over who should own the top-level domain root keys
- Overcoming the perceived complexity of DNSSEC and DNSSEC deployment
Microsoft Windows uses a stub resolver, and Windows 7 and beyond in particular use a non-validating (but DNSSEC-aware) stub resolver. For the non-validating stub resolver to place any real reliance on DNSSEC services, the stub resolver must trust both the recursive name servers in question (which is usually controlled by the Internet Service Provider) and the communication channels between itself and those name servers, using methods such as IPsec, SIG(0), or TSIG. The use of IPsec is not yet widespread.
Link to this page: “DNSSEC test”
You can link to this tool using this HTML code. Simply copy and paste it into your page:
<a href="http://manytools.org/network/validate-dnssec-domain-name-server-security/">Lookup & verify DNSSEC domain name server config online</a>
If you have any problems using this Check DNSSEC domain name server security, please contact me.