Checking DNS against recursive DNS servers does not test whether or not DNSSEC validation is working.
Similar to the “Expect Authoritative DNS Server” checkbox of the Check DNS service, an “Expect DNSSEC validated answer” checkbox could be used. Technically, the DNS response from a DNS server has the “ad” flag set if the answer is “authentic data”, ref: Domain Name System (DNS) Parameters. (Similar to the “aa” flag, which is set for an authoritative answer.)
Sample with dig, querying a signed DNS record from a DNSSEC-validating recursive server. Watch out for the “flags: … … … ad” line:
```
weberjoh@nuc01-cmk:~$ dig @192.168.7.53 sigok.verteiltesysteme.net

; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.7.53 sigok.verteiltesysteme.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33400
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.	IN	A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60	IN	A	188.8.131.52

;; Query time: 44 msec
;; SERVER: 192.168.7.53#53(192.168.7.53)
;; WHEN: Wed Nov 17 11:43:59 UTC 2021
;; MSG SIZE  rcvd: 71
```
This check could be used in two scenarios:
- check if the own recursive DNS server is still able to validate DNSSEC by querying something that’s signed for sure like sigok.verteiltesysteme.net
- check through public recursive DNS servers (such as 184.108.40.206 or 220.127.116.11) if your own signed zones are still signed correctly
(Furthermore, an “Expect DNSSEC failure” could be used to explicitly test falsified DNSSEC signatures such as sigfail.verteiltesysteme.net delivers. The recursive DNS server returns a status code of “SERVFAIL” in this case. With that test, you could verify that your recursive DNS server is working correctly in that way as well.)
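As an added example (not from the original post and not Checkmk's own code), here is how both proposed checks could be implemented with nothing but the Python standard library: build a query with the AD bit and an EDNS0 OPT record with DO=1, then classify the raw reply by its header flags. A validating resolver sets AD in its reply when the query carried AD or DO (RFC 6840, section 5.7), and answers SERVFAIL for a zone whose signatures do not validate. The `fake_response` helper builds a constructed reply header so the classifier can be exercised offline; `check_dnssec` is the network part that would talk to the resolver under test. The server address, the payload size of 1232 and the hostnames used in `main` are assumptions for this example.

```python
"""Probe for "Expect DNSSEC validated answer" / "Expect DNSSEC failure".
Standard library only; added example, not part of the original post."""
import random
import socket
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035, RFC 4035).
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: resolver validated the answer
FLAG_CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

EDNS_DO = 0x8000  # DO bit, kept in the TTL field of the OPT RR (RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, qid=None):
    """Return (id, wire query): RD+AD set, one question, OPT RR with DO=1."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack(">HHHHHH", qid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, class = UDP payload size (assumed 1232),
    # TTL = extended RCODE/version/flags with DO set, RDLEN = 0.
    opt = b"\x00" + struct.pack(">HHIH", 41, 1232, EDNS_DO, 0)
    return qid, header + question + opt


def classify_response(data: bytes, qid: int) -> str:
    """Map a raw reply to: validated | unvalidated | servfail | other."""
    if len(data) < 12:
        return "other"
    rid, flags, _qd, _an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid or not flags & FLAG_QR:
        return "other"
    rcode = flags & RCODE_MASK
    if rcode == RCODE_SERVFAIL:
        return "servfail"
    if rcode != RCODE_NOERROR:
        return "other"
    return "validated" if flags & FLAG_AD else "unvalidated"


def fake_response(qid: int, flags: int) -> bytes:
    """Constructed 12-byte reply header (no records) for offline tests."""
    return struct.pack(">HHHHHH", qid, FLAG_QR | flags, 1, 0, 0, 0)


def check_dnssec(server: str, name: str, expect: str, timeout: float = 3.0) -> bool:
    """expect = "validated" for a correctly signed name (sigok...),
    "servfail" for a name with broken signatures (sigfail...)."""
    qid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _addr = sock.recvfrom(4096)
    return classify_response(data, qid) == expect


if __name__ == "__main__":
    resolver = "192.168.7.53"  # assumed: the resolver under test
    print("validated answer:", check_dnssec(resolver, "sigok.verteiltesysteme.net", "validated"))
    print("validation failure:", check_dnssec(resolver, "sigfail.verteiltesysteme.net", "servfail"))
```

A reply classified as "unvalidated" (NOERROR without AD) is the interesting monitoring case for the first check: the resolver still resolves the name but has stopped validating. Note that a resolver that honours the CD bit or has validation disabled will return the sigfail name with NOERROR, so the second check only makes sense against a resolver that is supposed to validate.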