На главную страницу  
О компании Продукты Демо-версии Купить Цены Контакты Решения
КриптоПакет
OpenVPN-ГОСТ
КриптоТуннель
"Вьюга"

MAGPRO DNS.

USING «DIG» FOR TESTING THE RESOLVERS AND DNS-SERVERS SUPPORTING DNSSEC

Dig is a tool for querying Domain Name System (DNS) name servers for any desired DNS records.
Dig is a part of the BIND domain name server software suite. Dig replaces older tools such as nslookup and the host program.

$ dig all @xx.xx.xx.xx www.m-system.net +dnssec 

xx.xx.xx.xx is an IP address of a resolver or DNS-server meant to support GOST.
After this command execution the answer should contain the 'ad' flag — authenticated data.
If the 'ad' flag is absent while you request existing address from a domain in trust chain or a domain which key has been added to trusted keys, something is wrong.
The answer 'SERVFAIL' in common cases means that the signature is absent or wrong.

$ dig all @xx.xx.xx.xx www.m-system.net +dnssec +cd 

xx.xx.xx.xx is an IP address of a resolver or DNS-server which should support GOST.
This command screens data anyway (wrong signature or another errors).


Hints to test DNSSEC

A query asked for valid data from any recursor will provide the RRset in response
A query asked for non-signed data from any recursor will provide the RRset in response
A query asked of a validating recursor for modified or invalid data will return SERVFAIL
Applications (and users) will see this as domains that «vanish»
A header bit (CD) will allow invalid data to be passed anyway


MagPro DNS

Installing and configuring OpenSSL 1.0.0

Installing and using BIND with DNSSEC and GOST support

Signing a zone with «dnssec-signzone»

Checking DNSSEC with the «dig» utility

Installing and using Unbound+LDNS+NSD with DNSSEC and GOST support

Signing a zone with «ldns-signzone»

Checking DNSSEC with the «drill» utility

DNSSEC FAQ

 
Copyright © ООО "Криптоком". 2001-2016. All Rights Reserved.