How Well Do Your Resolvers Support DNSSEC?


You probably use multiple DNS resolvers on multiple devices through the course of the day, as you wander to and from home, work, coffee shops, etc.  Your desktop uses them. Your laptop uses them. Even your cellphone and tablets use them.  But how well prepared are all of these resolvers for DNSSEC?  Can they assist your applications in determining which DNS records have been secured or not?

The DNSSEC-Check Utility
By using the DNSSEC-Check tool from the DNSSEC-Tools project, you can find out!  This handy utility will test your neighboring resolvers, and any additional ones you provide it, for their support of critical DNSSEC required protocol features.  After testing is done, it will even provide you with a letter grade for each resolver.  Ideally, every resolver should have an A grade (indicating that not only does it support DNSSEC queries, but is a DNSSEC validating resolver itself).  But if not, the colored bubbles will quickly let you know exactly which features a resolver might be missing to be fully DNSSEC compliant.

Additionally, the DNSSEC-Check utility lets you submit your anonymized results to a results collection server.  These collected results let the DNSSEC-Tools project track the state of world deployment over time.  So, once you find out your local resolvers are not “quite up to the task”, then you can keep checking over time to see if they’ve been updated (or better yet, update them yourself if you can!). Then resubmit the results once things have changed!  The results of this collection engine can be found on the DNSSEC-Check Results page. Submitting data is entirely optional, so thanks in advance if you are willing to help us out!

Comments are closed.