This test determines whether your DNS resolver validates DNSSEC signatures. For this test you need JavaScript turned on.
Most people will experience a negative test result (no DNSSEC validation) – that's ok and no reason to panic.
Point your friends to this webpage to help us measure the spread of DNSSEC validation.
If you are operating a website and would like to help us, consider adding our hidden DNSSEC test.
Few operating systems support DNSSEC validation out of the box. You can install Dnssec-Trigger to run your own validating resolver. Keep in mind that web browsers do not distinguish between DNSSEC validation failures and general DNS failures (there is no security warning as there is with SSL/TLS errors).
To re-run the above test, you also need to:
ipconfig /flushdns
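
If you're running a recursive DNS cache, follow these steps to enable DNSSEC validation on BIND or Unbound.

BIND, either with the built-in root trust anchor:

dnssec-enable yes;
dnssec-validation auto;

or with a root trust anchor that you configure yourself, followed by one of the two key statements (managed-keys or trusted-keys):

dnssec-enable yes;
dnssec-validation yes;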
managed-keys { "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; };
trusted-keys { "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0="; };

Reload BIND:

rndc reload

Unbound: create the root trust anchor file, either with unbound-anchor:

unbound-anchor -a /etc/unbound/root.key

or by writing the root DS record yourself:

echo ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" > /etc/unbound/root.key

Give the unbound user ownership of the file:

chown unbound:unbound /etc/unbound/root.key

Reference the file in the server: section of unbound.conf:

auto-trust-anchor-file: "/etc/unbound/root.key"

Reload Unbound:

unbound-control reload

Test the resolver:

dig sigok.verteiltesysteme.net @127.0.0.1
(should return A record)

dig sigfail.verteiltesysteme.net @127.0.0.1
(should return SERVFAIL)

Map shows ratio of validating clients per country, collected from October 2014 to March 2015. Some older result sets of the measurement (anonymized) are available for public download.
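
The two dig probes from the resolver setup steps can be combined into one verdict. The script below is an added example, not part of the original page: it treats sigok as a control, because a SERVFAIL on sigfail alone cannot be told apart from a general DNS failure. The function names, the NOREPLY label and the sample dig headers are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a resolver from the sigok/sigfail probe pair.
SIGOK=sigok.verteiltesysteme.net
SIGFAIL=sigfail.verteiltesysteme.net

# Print the RCODE from dig's header line, or NOREPLY when dig printed no
# header at all (timeout, connection refused).
rcode_of() {
    rc=$(printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    echo "${rc:-NOREPLY}"
}

# Print the ANSWER count from dig's flags line (0 if the line is missing).
answers_of() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# classify <dig output for sigok> <dig output for sigfail>
classify() {
    ok_rc=$(rcode_of "$1");  ok_n=$(answers_of "$1")
    bad_rc=$(rcode_of "$2"); bad_n=$(answers_of "$2")
    # Control probe first: SERVFAIL on sigfail proves nothing if the
    # correctly signed name does not resolve either.
    if [ "$ok_rc" != NOERROR ] || [ "$ok_n" -eq 0 ]; then
        echo inconclusive
    elif [ "$bad_rc" = SERVFAIL ]; then
        echo validating
    elif [ "$bad_rc" = NOERROR ] && [ "$bad_n" -gt 0 ]; then
        echo not-validating
    else
        echo inconclusive
    fi
}

# Live check against a resolver (default 127.0.0.1, as in the dig commands).
check_resolver() {
    r=${1:-127.0.0.1}
    classify "$(dig +time=3 +tries=1 "$SIGOK" A "@$r" 2>/dev/null)" \
             "$(dig +time=3 +tries=1 "$SIGFAIL" A "@$r" 2>/dev/null)"
}

# Constructed dig header lines, so classify can be exercised offline.
HDR_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
HDR_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

Source the file and run `check_resolver 127.0.0.1` on the resolver host; an `inconclusive` result means the resolver or its upstream connectivity should be checked before drawing any conclusion about validation.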
These tests use slightly different mechanics. Most users should get the same result on all tests, but in some cases there may be discrepancies. If you get different results, drop us a note with your IP address and we'll be glad to analyze our logs.
Thanks to Jan-Piet, Zekah and Stefan for providing valuable feedback.
Matthäus Wander <matthaeus.wander(at)uni-due.de>