DNSSEC Examples

Save PDF

Last Updated: October 8, 2024
2 minute read

LoadMaster
LoadMaster GA
Documentation

DNSSEC only works when a zone name is defined and it only works for the FQDNs that belong to the zone. FQDNs that do not belong to a defined zone will provide an answer without the DNSSEC signature.

Case 1: FQDN does not belong to a Zone Name

$ dig A foo.example.com +dnssec @3.83.34.12

; <<>> DiG 9.10.3-P4-Ubuntu <<>> A foo.example.com +dnssec @3.83.34.12

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24329

;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags: do; udp: 4096

;; QUESTION SECTION:

;foo.example.com.               IN      A

;; ANSWER SECTION:

foo.example.com.        10      IN      A       1.1.1.1

;; AUTHORITY SECTION:

foo.example.com.        10      IN      NS      soa.ZoneNameExample.com.

;; Query time: 224 msec

;; SERVER: 3.83.34.12#53(3.83.34.12)

;; WHEN: Tue Oct 08 11:15:51 IST 2019

;; MSG SIZE  rcvd: 94

Case 2: FQDN belongs to a Zone Name

$ dig A fqdn.ZoneNameExample.com +dnssec @3.83.34.12

; <<>> DiG 9.10.3-P4-Ubuntu <<>> A fqdn.ZoneNameExample.com +dnssec @3.83.34.12

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25994

;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags: do; udp: 4096

;; QUESTION SECTION:

;fqdn.ZoneNameExample.com.      IN      A

;; ANSWER SECTION:

fqdn.ZoneNameExample.com. 10    IN      A       1.1.1.1

fqdn.ZoneNameExample.com. 10    IN      RRSIG   A 8 3 10 20191107054647 20191008044647 22641 zonenameexample.com. ZnBg0vsjOLK37x5ZH3o82o8Id5nCBT/IFP2rQTajtjF/zOV4UHHp5KBs 7CDFdFkyfyQ1vT3ZFyXaxFJ1GcxmOizzkgfwP4CqOdwQwMzWbvk9dlQ+ M33drzO7MzGQjQS3Mg8ptow9FLoNY3unc8+KgDJGxhJzIHY+okzJITZN cvM=

;; AUTHORITY SECTION:

ZoneNameExample.com.    10      IN      NS      soa.ZoneNameExample.com.

ZoneNameExample.com.    10      IN      RRSIG   NS 8 2 10 20191107050733 20191008044631 22641 zonenameexample.com. N0QLBBM55+TCVCQfk4cbYk5IY7L3jgp7O/Dv4yss1dqlO4z4EGhwbqul jsr4BzhZzqYnJvsZaTl+roEKdJAS8fgx24uXQpeDsBjiukJYsR5ZjDuT fhGnf9By7CdkEWr4rdU+Q7eDPmdigXWDvru2K6ui8Inzy1kEkCB5zYhU YJ8=

;; ADDITIONAL SECTION:

soa.ZoneNameExample.com. 10     IN      A       172.16.1.192

soa.ZoneNameExample.com. 10     IN      RRSIG   A 8 3 10 20191107050733 20191008044631 22641 zonenameexample.com. N0RW69lu/7IWPY/Z9DufZlZuDVE0KmY8AgzLvo1JneicHF27wElKKVUa 0lSVD15yypeSD96T0hZIkqVhKrgv43UKTYu3khR7I+wl53gYie3qaLnA 0HmBG/GD1tmW8Pky7B7hCGz7DbpI+fqenZHzyCGdu7alYy0PhoQNcFRZ xlA=

;; Query time: 229 msec

;; SERVER: 3.83.34.12#53(3.83.34.12)

;; WHEN: Tue Oct 08 11:17:19 IST 2019

;; MSG SIZE  rcvd: 640

Case 3: Zone name defined, FQDN that belongs to the zone but is not defined in GEO

In this case, GEO answers NXDOMAIN.

dig @172.16.0.65 A notexisting.fab.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-3.P2.fc27 <<>> @172.16.0.65 A notexisting.fab.com

; (1 server found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44488

;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;notexisting.fab.com.   IN A

;; AUTHORITY SECTION:

fab.com.  10 IN SOA nameserver.fab.com. hostmaster.fab.com. 29 86400 7200 2419200 10

;; Query time: 1 msec

;; SERVER: 172.16.0.65#53(172.16.0.65)

;; WHEN: Tue Oct 08 08:32:16 EDT 2019

;; MSG SIZE  rcvd: 97

Feature Description GEO

DNSSEC Examples

Table of Contents

DNSSEC Examples