USING «DRILL» FOR TESTING RESOLVERS AND DNS-SERVERS SUPPORTING DNSSEC
drill is a tool for querying Domain Name System (DNS) name
servers for any desired DNS records.
drill is a part of the LDNS project by NLnet Labs.
drill is the counterpart of the dig program from ISC's BIND DNS server.
Invoke drill with its full path, or add its location to the PATH
environment variable.
$ drill -D @xx.xx.xx.xx www.m-system.net
xx.xx.xx.xx is an IP address of your resolver meant to support
After running this command, the answer should contain the 'ad' flag
(authenticated data).
If the 'ad' flag is absent when you request an existing address from a
domain in the trust chain, or from a domain whose key has been added to the
trusted keys, something is wrong.
A 'SERVFAIL' answer usually means that the signature is missing or invalid.
$ drill -D -o cd @xx.xx.xx.xx www.m-system.net
xx.xx.xx.xx is the IP address of your resolver, which should support GOST.
This command returns the data anyway, even if the signature is wrong or
another validation error occurs (the 'cd' option sets the checking-disabled bit).
Hints for testing DNSSEC
A query asked for valid data from any recursor will provide the RRset in response
A query asked for non-signed data from any recursor will provide the RRset in response
A query asked of a validating recursor for modified or invalid data will return SERVFAIL
Applications (and users) will see this as domains that
The CD header bit (checking disabled) lets invalid data through anyway
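Added example, not part of the original page: a POSIX shell helper that sorts a drill response into the cases listed above (validated, SERVFAIL, checking disabled, returned but not validated) by parsing the header lines drill prints. The sample headers are constructed, and check_resolver is a hypothetical wrapper around the drill -D command shown earlier.

```shell
#!/bin/sh
# Classify the header of a drill response for DNSSEC testing.
# Input: the complete text drill printed, passed as one string argument.
# Prints one word:
#   secure    NOERROR with the 'ad' flag: the resolver validated the data
#   servfail  rcode SERVFAIL: validation failed (signature missing or wrong)
#   unchecked the 'cd' flag is set: validation was switched off by the query
#   insecure  NOERROR without 'ad': data returned but not validated
#             (unsigned zone, or a resolver that does not validate)
#   noanswer  no header line at all (timeout, refused connection, typo)
classify_drill_output() {
  rcode=$(printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*rcode: \([A-Z]*\),.*/\1/p')
  flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
  if [ -z "$rcode" ]; then
    echo noanswer
  elif [ "$rcode" = SERVFAIL ]; then
    echo servfail
  elif printf ' %s ' "$flags" | grep -q ' cd '; then
    echo unchecked
  elif printf ' %s ' "$flags" | grep -q ' ad '; then
    echo secure
  else
    echo insecure
  fi
}

# Hypothetical wrapper for a live check (needs drill and network access):
#   check_resolver RESOLVER_IP NAME
# Add "-o cd" as in the second command above to reproduce the 'unchecked' case.
check_resolver() {
  classify_drill_output "$(drill -D "@$1" "$2" 2>&1)"
}

# Constructed sample headers (not captured from a real server), laid out the
# way drill prints its header lines.
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4321
;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 4322
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4323
;; flags: qr rd ra cd ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4324
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

# Walk the four constructed cases; prints secure, servfail, unchecked, insecure.
for s in "$SAMPLE_SECURE" "$SAMPLE_SERVFAIL" "$SAMPLE_CD" "$SAMPLE_INSECURE"; do
  classify_drill_output "$s"
done
```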