USING «DIG» FOR TESTING THE RESOLVERS AND DNS-SERVERS SUPPORTING DNSSEC
Dig is a tool for querying Domain Name System (DNS) name servers for any desired DNS records.
Dig is part of the BIND domain name server software suite and replaces older tools such as nslookup and host.
$ dig @xx.xx.xx.xx www.m-system.net ANY +dnssec
xx.xx.xx.xx is the IP address of a resolver or DNS server that is meant to support GOST.
After running this command the answer should contain the 'ad' (authenticated data) flag.
If the 'ad' flag is absent when you request an existing name from a domain in the chain of trust,
or from a domain whose key has been added to the trusted keys, something is wrong.
A 'SERVFAIL' answer usually means that the signature is absent or wrong.
$ dig @xx.xx.xx.xx www.m-system.net ANY +dnssec +cd
xx.xx.xx.xx is the IP address of a resolver or DNS server that should support GOST.
With +cd (checking disabled) this command returns the data regardless of validation errors (a wrong signature or other errors), so it lets you see what the resolver would have answered without DNSSEC validation.
Hints to test DNSSEC
A query for valid data to any recursor will return the RRset in the response.
A query for unsigned data to any recursor will return the RRset in the response.
A query to a validating recursor for modified or invalid data will return SERVFAIL.
Applications (and users) will see this as domains that «vanish».
A header bit (CD) will allow invalid data to be passed anyway.
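The commands and the hints above amount to a small decision table: 'ad' set means the resolver validated the chain of trust, SERVFAIL with +dnssec but NOERROR with +cd means the data exists but fails validation, and NOERROR without 'ad' and without an RRSIG means the zone is simply unsigned. The following script is an added example, not part of the original page: it parses the text that dig prints and applies exactly those rules. The dig outputs embedded below are constructed samples (the server address, query id and signature are placeholders), and the run_dig helper is an assumed convenience that only works where dig is installed.

```python
"""Classify `dig ... +dnssec` (and `+dnssec +cd`) output for DNSSEC testing.

Added example, not the page's or BIND's own code. It reads the text dig prints
and applies the page's rules: 'ad' flag => validated; SERVFAIL that turns into
NOERROR under +cd => data exists but validation fails (signature absent or
wrong); NOERROR without 'ad' and without RRSIG => unsigned zone.
"""
import re
import subprocess

HEADER_RE = re.compile(r"->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.MULTILINE)


def run_dig(server, name, rtype="A", cd=False):
    """Assumed helper: run dig against `server` and return its text output."""
    cmd = ["dig", "@" + server, name, rtype, "+dnssec"]
    if cd:
        cmd.append("+cd")
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def parse_dig(text):
    """Return the header status, the set of header flags and whether the
    ANSWER section carries an RRSIG (signatures in AUTHORITY do not count)."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no dig header found (server unreachable or not dig output)")
    status = m.group(2)
    fm = FLAGS_RE.search(text)
    flags = set(fm.group(1).split()) if fm else set()
    answer = ""
    if ";; ANSWER SECTION:" in text:
        answer = text.split(";; ANSWER SECTION:", 1)[1].split("\n\n", 1)[0]
    has_rrsig = False
    for line in answer.splitlines():
        fields = line.split()
        # owner ttl class type ... ; dig comment lines start with ';'
        if len(fields) >= 4 and not line.startswith(";") and fields[3] == "RRSIG":
            has_rrsig = True
    return {"status": status, "flags": flags, "has_rrsig": has_rrsig}


def classify(plain, with_cd=None):
    """Apply the page's hints. `plain` is the +dnssec output, `with_cd` the
    optional +dnssec +cd output for the same query.
    Labels: validated, signed-not-validated (RRSIG present but no 'ad': the
    resolver is not validating or has no trust anchor / no support for the
    zone's algorithm), unsigned, servfail (rerun with +cd to tell the cases
    apart), bogus (data exists, validation fails), server-failure (fails even
    with checking disabled, so not a DNSSEC problem)."""
    p = parse_dig(plain)
    if p["status"] == "NOERROR":
        if "ad" in p["flags"]:
            return "validated"
        return "signed-not-validated" if p["has_rrsig"] else "unsigned"
    if p["status"] == "SERVFAIL":
        if with_cd is None:
            return "servfail"
        c = parse_dig(with_cd)
        return "bogus" if c["status"] == "NOERROR" else "server-failure"
    return p["status"].lower()


# Constructed sample outputs (placeholder server, ids and signature).
SAMPLE_VALIDATED = """\
; <<>> DiG 9.18.0 <<>> @xx.xx.xx.xx www.m-system.net A +dnssec
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31415
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.m-system.net.    3600  IN  A      192.0.2.10
www.m-system.net.    3600  IN  RRSIG  A 12 3 3600 20240201000000 20240101000000 12345 m-system.net. SIGNATUREPLACEHOLDER==

;; Query time: 12 msec
"""

SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27182
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

SAMPLE_CD = SAMPLE_VALIDATED.replace("status: NOERROR, id: 31415", "status: NOERROR, id: 16180") \
                            .replace("flags: qr rd ra ad;", "flags: qr rd ra cd;")

SAMPLE_UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14142
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.m-system.net.    3600  IN  A      192.0.2.10

;; Query time: 9 msec
"""

if __name__ == "__main__":
    print("validated sample:", classify(SAMPLE_VALIDATED))
    print("servfail + cd sample:", classify(SAMPLE_SERVFAIL, SAMPLE_CD))
    print("unsigned sample:", classify(SAMPLE_UNSIGNED))
```

To use it against a live resolver, call classify(run_dig(server, name), run_dig(server, name, cd=True)); the two-query form is what distinguishes a bad signature from a resolver that is simply down.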