Check DNS service with DNSSEC validation


Checking DNS against recursive DNS servers does not test whether or not DNSSEC validation is working.

Feature Description

Similar to the “Expect Authoritative DNS Server” checkbox at the Check DNS service an “Expect DNSSEC validated answer” could be used. Technically, the DNS response from a DNS server has the “ad” flag set if the answer is “authentic data”, ref: Domain Name System (DNS) Parameters. (Similar to the “aa” flag which is set for an authoritative answer.)

Sample with dig, querying a signed DNS records from a DNSSEC-validating recursive server. Watch out for the “flags: … … … ad” line:

weberjoh@nuc01-cmk:~$ dig @

; <<>> DiG 9.16.1-Ubuntu <<>> @
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33400
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1472
;    IN      A

;; ANSWER SECTION: 60  IN      A

;; Query time: 44 msec
;; WHEN: Wed Nov 17 11:43:59 UTC 2021
;; MSG SIZE  rcvd: 71

This check could be used in two scenarios:

  • check if the own recursive DNS server is still able to validate DNSSEC by querying something that’s signed for sure like
  • check through public recursive DNS servers (such as or if your own signed zones are still signed correctly :wink:

(Furthermore, an “Expect DNSSEC failure” could be used to explicitly test falsified DNSSEC signatures such as delivers. The recursive DNS server returns a status code of “SERVFAIL” in this case. With that test, you could verify that your recursive DNS server is working correctly in that way as well. :smiley: )