Skip to content

Verify the authenticity of DNS records with DNSSEC resolver delv

homepage-banner

DNSSEC

DNS Security Extensions (DNSSEC) is a security protocol created to mitigate this problem. DNSSEC protects against attacks by digitally signing data to help ensure its validity. In order to ensure a secure lookup, the signing must happen at every level in the DNS lookup process.

  • DNSKEY record - The DNS Key Record contains a public key used to verify Domain Name System Security Extension (DNSSEC) signatures.

How to verify

Usage

delv @dns-server-name domain-name-here

Example

delv @1.1.1.1 google.com
delv @8.8.8.8 cloudflare.com

Validated answer

; fully validated
cloudflare.com.         300     IN      A       104.16.132.229
cloudflare.com.         300     IN      A       104.16.133.229
cloudflare.com.         300     IN      RRSIG   A 13 2 300 20230504045136 20230502025136 34505 cloudflare.com. oh/bCApFIy3DKwHGJFGJnTPQ2UDjKx2Ei3tJAeVDax+WMh1pj6LArIc0 CPyezZDsEy2cyh39saUykyzw5/MLOA==

Unsigned answer

; unsigned answer
google.com.             300     IN      A       142.251.10.100
google.com.             300     IN      A       142.251.10.101
google.com.             300     IN      A       142.251.10.102
google.com.             300     IN      A       142.251.10.113
google.com.             300     IN      A       142.251.10.138
google.com.             300     IN      A       142.251.10.139

Reference

  • https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
  • https://cloud.google.com/dns/docs/dnssec
  • https://www.akamai.com/blog/trends/dnssec-how-it-works-key-considerations
  • https://www.cloudflare.com/learning/dns/dns-records/
  • https://www.cloudflare.com/learning/dns/dns-records/dnskey-ds-records/
Feedback







Disclaimer
  • Welcome to visit the knowledge base of SRE and DevOps!
  • License under CC BY-NC 4.0
  • Made with Material for MkDocs and improve writing by generative AI tools
  • Copyright issue feedback me#imzye.com, replace # with @