DNSSEC are the security extensions for the Domain Name System (DNS). In order to test a validating DNS stub-resolver or a validating recursive caching name server we have created the following DNS records that you may test with (e.g. with dig, nslookup or the host command).
|DNS name||Expected result||status-flag||Description|
|sigok.dnssectest.dk||NOERROR||sigok is a subzone to dnssectest.dk where DNSSEC is correctly configured.|
|unsignedok.dnssectest.dk||NOERROR||unsignedok is a subzone to dnssectest.dk where DNSSEC is not enabled.|
|wrongds.dnssectest.dk||SERVFAIL||wrongds is a subzone to dnssectest.dk where DNSSEC is enabled but the DS pointing to the subzone contains a wrong hash.|
olds is a subzone to dnssectest.dk which contains DNSSEC records but the signatures are outdated (and the SOA RR has a different serialnumber).