DNSSEC Resolver Test

This test determines whether your DNS resolver validates DNSSEC signatures. For this test you need JavaScript turned on.


Most people will experience a negative test result (no DNSSEC validation) – that's ok and no reason to panic.

Help Us

Point your friends to this webpage to help us measure the spread of DNSSEC validation.

If you are operating a website and would like to help us, consider adding our hidden DNSSEC test.

DNSSEC for Users

Few operating systems support DNSSEC validation out of the box. You can install Dnssec-Trigger to run your own validating resolver (more information). Keep in mind that web browsers do not distinguish between DNSSEC validation failures and general DNS failures (there is no security warning as there is for SSL/TLS errors).

To re-run the above test, you also need to:

DNSSEC for DNS Cache Operators

If you're running a recursive DNS cache, follow these steps to enable DNSSEC validation on BIND or Unbound.

BIND

  1. Add to the options section in your named.conf:
  2. Add the root KSK as a trust anchor (outside the options section):
  3. If you're using forwarders, either remove them or make sure they support EDNS0 and DNSSEC (validation can remain disabled on them)
  4. rndc reload

Unbound

  1. Add root KSK as trust-anchor:
  2. chown unbound.unbound /etc/unbound/root.key
  3. Add to unbound.conf: auto-trust-anchor-file "/etc/unbound/root.key"
  4. If you're using forwarders, either remove them or make sure they support EDNS0 and DNSSEC (validation can remain disabled on them)
  5. unbound-control reload

Test validation

DNSSEC is prone to administration errors (see, e.g., the nasa.gov incident), so you should watch your resolver log for validation failures of well-known domain names.
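
The log check described above, as an added example that is not code from this page or its authors: it scans resolver log lines from Unbound and BIND for validation failures and groups them by watched domain. The message patterns (Unbound with val-log-level 2, BIND's dnssec logging category), the watchlist and the function name watched_failures are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed message shapes, not taken from the page: Unbound with val-log-level 2
# and BIND's "dnssec" logging category. Adjust the patterns to your own logs.
UNBOUND = re.compile(
    r"validation failure <?(?P<name>\S+?)\.? (?P<type>[A-Z0-9]+) IN>?(?:: (?P<why>.*))?$")
BIND = re.compile(r"validating (?P<name>[^\s/]+?)\.?/(?P<type>[A-Z0-9]+): (?P<why>.*)$")
# BIND validator progress messages (debug level) that are not failures.
PROGRESS = ("starting", "attempting", "marking as secure")

def watched_failures(lines, watchlist):
    """Map each watched domain to its (qname, qtype, reason) validation failures."""
    hits = defaultdict(list)
    for line in lines:
        m = UNBOUND.search(line.strip()) or BIND.search(line.strip())
        if not m:
            continue
        why = m.group("why") or "no reason logged"
        if why.startswith(PROGRESS):
            continue
        name = m.group("name").lower()
        for domain in watchlist:
            # Match the domain itself and anything beneath it, not look-alikes.
            if name == domain or name.endswith("." + domain):
                hits[domain].append((name, m.group("type"), why))
    return dict(hits)

# Constructed sample lines (addresses from the documentation range 192.0.2.0/24).
SAMPLE_LOG = [
    "Jan 18 10:02:11 ns1 unbound: [2211:0] info: validation failure <www.nasa.gov. A IN>: signature expired from 192.0.2.53 for key nasa.gov. while building chain of trust",
    "Jan 18 10:02:12 ns1 unbound: [2211:0] info: validation failure <nasa.gov. MX IN>: signature expired from 192.0.2.53 for key nasa.gov. while building chain of trust",
    "Jan 18 10:02:15 ns1 named[801]: validating www.nasa.gov/A: no valid signature found",
    "Jan 18 10:02:16 ns1 named[801]: validating example.org/A: marking as secure",
    "Jan 18 10:02:17 ns1 named[801]: validating notnasa.gov/A: no valid signature found",
    "Jan 18 10:02:20 ns1 unbound: [2211:0] info: validation failure <test.example.net. A IN>: no DNSKEY rrset",
]

if __name__ == "__main__":
    for domain, events in watched_failures(SAMPLE_LOG, ["nasa.gov", "example.org"]).items():
        print(f"{domain}: {len(events)} validation failure(s)")
        for qname, qtype, why in events:
            print(f"  {qname}/{qtype}: {why}")
```

A burst of failures for one well-known domain across many clients usually points at a signing problem in that zone; failures across many unrelated domains point at your own trust anchor, clock or forwarders.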

Results

The map shows the ratio of validating clients per country, collected from May 2012 to March 2013. The result set of the measurements (anonymized) is available for public download.

Other Tests

These tests use slightly different mechanics. Most users should get the same result on all tests, but in some cases there may be discrepancies. If you get different results, drop us a note with your IP address and we'll be glad to analyze our logs.

Acknowledgements

Thanks to Jan-Piet, Zekah and Stefan for providing valuable feedback.

Contact

Matthäus Wander and Torben Weis <dnssec@vs.uni-due.de>