testing DNSSEC
Validating a broken DNSSEC domain:
Trying to resolve a domain that has DNSSEC issues should return only a SERVFAIL return code, without any DNS data:
~ dig www.dnssec-failed.org
; <<>> DiG 9.7.2-P2 <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17692
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
;; Query time: 108 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Fri Nov 19 16:08:29 2010
;; MSG SIZE rcvd: 39
Requesting a domain that is not DNSSEC signed should just return a normal DNS answer:
~ dig www.google.com +dnssec
; <<>> DiG 9.7.2-P2 <<>> www.google.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50839
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 520764 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 74.125.77.99
www.l.google.com. 300 IN A 74.125.77.104
www.l.google.com. 300 IN A 74.125.77.147
;; Query time: 37 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Fri Nov 19 16:10:06 2010
;; MSG SIZE rcvd: 111
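The two checks above can be combined into one verdict. This is an added example, not part of the original gist: the function names are hypothetical, and the sample inputs are constructed from the header lines of the outputs shown above. The unsigned name serves as a control, because a SERVFAIL on the broken name only indicates validation if the resolver answers normally otherwise.

```shell
#!/bin/sh
# Added example: classify a resolver from two dig outputs, one for a name with
# broken DNSSEC and one for an unsigned control name. Names are hypothetical.

# Print the RCODE (e.g. SERVFAIL) found in the dig output passed as $1.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the ANSWER count from the flags line of the dig output passed as $1.
dig_answers() {
    printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1
}

# $1 = dig output for the broken name, $2 = dig output for the unsigned name.
resolver_verdict() {
    bs=$(dig_status "$1"); ba=$(dig_answers "$1")
    cs=$(dig_status "$2"); ca=$(dig_answers "$2")
    # The control query must succeed; otherwise SERVFAIL may be an unrelated outage.
    if [ "$cs" != "NOERROR" ] || [ "${ca:-0}" -eq 0 ]; then
        echo inconclusive
    elif [ "$bs" = "SERVFAIL" ] && [ "${ba:-0}" -eq 0 ]; then
        echo validating
    elif [ "$bs" = "NOERROR" ] && [ "${ba:-0}" -gt 0 ]; then
        echo not-validating      # broken data was passed through to the client
    else
        echo inconclusive
    fi
}

# Constructed samples: header lines taken from the two outputs shown above.
BROKEN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17692
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
UNSIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50839
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed: the kind of reply a non-validating resolver gives for the broken name.
LEAKY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

resolver_verdict "$BROKEN" "$UNSIGNED"   # prints: validating
resolver_verdict "$LEAKY" "$UNSIGNED"    # prints: not-validating
# Live use: resolver_verdict "$(dig www.dnssec-failed.org)" "$(dig www.google.com +dnssec)"
```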