Child pages
  • Home
Skip to end of metadata
Go to start of metadata

DNSSEC are the security extensions for the Domain Name System (DNS). In order to test a validating DNS stub-resolver or a validating recursive caching name server we have created the following DNS records that you may test with (e.g. with dig, nslookup or the host command).

DNS nameExpected resultstatus-flagDescription is a subzone to where DNSSEC is correctly configured. is a subzone to where DNSSEC is not enabled. is a subzone to where DNSSEC is enabled but the DS pointing to the subzone contains a wrong hash.

olds is a subzone to which contains DNSSEC records but the signatures are outdated (and the SOA RR has a different serialnumber).


This site is run by Netic. We love DNS and within this field we provide consultancy services and a network and DNS management system (TidyDNS) that seamlessly integrates with DNSSEC.