DNSSEC Trial Testbed

What is DNSSEC?

The DNS Security Extensions (DNSSEC) are a proposed solution to the insecurity of DNS. As DNS stands today, a resolver has no way to know whether the answer it receives is legitimate, which leads to vulnerabilities such as cache poisoning.

For a more in-depth explanation, please visit the Understanding DNSSEC entry in our Dynamic Discourse blog.

In addition to this testbed, we have also written detailed instructions for setting up DNSSEC with your own domain name. You can view our Implementing DNSSEC tutorial here.

As part of our exploration of DNSSEC, Dyn Inc. has set up a small public testbed: an authoritative server with a signed zone, and a recursive resolver containing its trusted key. A number of other trusted keys have been added to the resolver, allowing you to test some other public implementations of DNSSEC as well. (For more information on DNSSEC, see our Dynamic Discourse post here.)

To try out our testbed, you can perform DNS queries against our resolver with dig @recursive.dyn-dnssec.com <domain> +dnssec, replacing <domain> with the name you want to look up. Our test domain, dyn-dnssec.com, contains the following test zones:

  • dyn-dnssec.com
  • goodzone.dyn-dnssec.com
  • top.goodzone.dyn-dnssec.com
  • child.dyn-dnssec.com

The following domains and TLDs have also been added to this resolver's list of trusted keys:

  • .se (e.g. nic.se)
  • .br (e.g. nic.br)
  • .bg (e.g. nic.bg)
  • .pr (e.g. nic.pr)
  • .cz (e.g. nic.cz)
  • .gov (e.g. dnsops.gov)
  • .museum
  • dnssec.comcast.net
  • uk-dnssec.nic.uk
  • All domains listed in the Interim Trust Anchor Repository (updated daily)

Here is sample output from a dig query, sent through our resolver, for our own dyn-dnssec.com test zone:

dig dyn-dnssec.com +dnssec @recursive.dyn-dnssec.com

; <<>> DiG 9.5.0-P2 <<>> dyn-dnssec.com +dnssec @recursive.dyn-dnssec.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dyn-dnssec.com.                        IN      A

;; ANSWER SECTION:
dyn-dnssec.com.         3600    IN      A       216.146.46.9
dyn-dnssec.com.         3600    IN      RRSIG   A 3 2 3600 20090206022046 20090107022046 38267 dyn-dnssec.com. BIXWOJuG/Xc4h+ELEb7XSUyGFQUEjR6TeoNMGNUmn+B2HXQShCYgwQw=

;; AUTHORITY SECTION:
dyn-dnssec.com.         72308   IN      NS      ns2.dyn-dnssec.com.
dyn-dnssec.com.         72308   IN      NS      ns1.dyn-dnssec.com.
dyn-dnssec.com.         86400   IN      RRSIG   NS 3 2 86400 20090206022046 20090107022046 38267 dyn-dnssec.com. BGQFiLzJe8lFaQIX+I0hUA02byPKAb3X+BDU07SfMsgrr3Me/q4GBok=

;; ADDITIONAL SECTION:
ns1.dyn-dnssec.com.     72308   IN      A       216.146.46.9
ns2.dyn-dnssec.com.     72308   IN      A       216.146.46.9
ns1.dyn-dnssec.com.     86400   IN      RRSIG   A 3 3 86400 20090206022046 20090107022046 38267 dyn-dnssec.com. BCnRQX7nSwRWlVJmDs4L7/iV8NJGwDpQJiWyaoUPDBh++FbhaBWFfMo=
ns2.dyn-dnssec.com.     86400   IN      RRSIG   A 3 3 86400 20090206022046 20090107022046 38267 dyn-dnssec.com. BAu4EKrtErfzVOuhVdvCLPeTcKAhs+4Oii9Zmf5/Dokqmv8x4gWo1p8=

Note the "ad" in the "flags:" line of the response above: it indicates that the resolver validated the answer ("Authenticated Data"). Compare this with the zone badzone.dyn-dnssec.com, which has been signed, but not with the trusted key. (Please note that zones which are properly signed but whose keys are not included in this resolver's trusted-keys entry will not display the "ad" flag either.)

If you are running BIND as a recursive resolver and would like to try this yourself, add the following entry to your named.conf.options file; your resolver will then validate the data itself:

// BIND's statement is "trusted-keys" and must end with "};".
// Fields after the name: flags 257 (zone key + SEP, i.e. a KSK), protocol 3, algorithm 3 (DSA).
trusted-keys {
	"dyn-dnssec.com." 257 3 3 "
		BJ9NniAhi5H4VWYjr2Spz+duFKlr+73p+jfROJk5kIM1ctHQCJi39/y/
		g7ufBMBjGvBZ+Ic9812jaoUnKQF5zZy0wWXqqFaZgVrPr/8nmkjUYoiP
		uoVgVuE7etEUzdJwPrbaKxAeCk//DKYK/psdYu4IcJwTCSp0kBeTPs8Q
		uinNBlynbC2QW1441p8AxgyPyuDK2x6PHvHWUryQpLEfJd0QlKz8VoN+
		ohn96AXQsyhBohW8u2FVEh97OY1WrLC8+K0a3StWse3DJo2DteqKT1Bp
		gll/nPOVrVhA+6XyAtrUE9fY0wK7+mzxKMrpSP2MnomNdtEcymYBAqNl
		Ww5qAy7rEyL3ElLzhZa78b5c/7swe9shK5ErRH7CtbDXsVFVAgRnSE14
		NBBKog/IP/bFOeHQp7Ci
	";
};

You should then be able to run dig dyn-dnssec.com +dnssec against your own resolver and receive the "ad" flag, showing the data as valid. (Note that direct queries to ns1.dyn-dnssec.com or ns2.dyn-dnssec.com will return the Authoritative Answer flag "aa" instead of "ad", because you asked the authoritative nameserver directly rather than having a validating resolver recursively resolve the answer.)
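As an added example (not part of the Dyn testbed or BIND), the following Python reads the header and RRSIG lines of dig output like the one above, reports whether "ad" (validated) or only "aa" (authoritative, not validated) is present, and pulls out the RRSIG fields a validator checks before any cryptography: algorithm, validity window and key tag. The sample text is constructed from the output shown above, and each RRSIG is assumed to be printed on one line.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape dig prints (values copied from the testbed
# output above); each RRSIG is assumed to sit on a single line.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56321
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 5
dyn-dnssec.com.         3600    IN      A       216.146.46.9
dyn-dnssec.com.         3600    IN      RRSIG   A 3 2 3600 20090206022046 20090107022046 38267 dyn-dnssec.com. BIXWOJuG/Xc4h+ELEb7XSUyGFQUEjR6TeoNMGNUmn+B2HXQShCYgwQw=
"""

FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)
# owner ttl IN RRSIG type alg labels orig_ttl expiration inception keytag signer
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)"
    r"\s+(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)", re.M)

def header_flags(text):
    """Return the set of header flags (qr, aa, rd, ra, ad, ...) dig printed."""
    m = FLAGS_RE.search(text)
    return set(m.group(1).split()) if m else set()

def classify(flags):
    """'ad' means the resolver validated the chain; 'aa' without 'ad' means the
    authoritative server answered directly and nothing was validated."""
    if "ad" in flags:
        return "validated"
    if "aa" in flags:
        return "authoritative-unvalidated"
    return "unvalidated"

def _ts(s):  # RRSIG times are YYYYMMDDHHMMSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Extract the RRSIG fields a validator looks at before checking crypto."""
    sigs = []
    for m in RRSIG_RE.finditer(text):
        owner, covered, alg, labels, ottl, exp, inc, tag, signer = m.groups()
        sigs.append({"owner": owner, "covered": covered, "algorithm": int(alg),
                     "labels": int(labels), "original_ttl": int(ottl),
                     "expiration": _ts(exp), "inception": _ts(inc),
                     "key_tag": int(tag), "signer": signer})
    return sigs

def rrsig_in_window(sig, now):
    """A signature is only usable between its inception and expiration."""
    return sig["inception"] <= now <= sig["expiration"]
```

Run it on your own dig output to see at a glance whether an answer was validated, and whether an expired or not-yet-valid RRSIG explains a missing "ad".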
