
Norid AS

Abels gt. 5, Teknobyen

Phone +47 73 55 73 55

Good lookup tools are necessary for looking up detailed data for domain names in DNS, and for troubleshooting when something stops working.

A wide range of applications and tools can be used to look up DNS and DNSSEC data for a domain name. Below, we describe the ones presumed to be most useful for operation and troubleshooting. All of these tools are free and openly available.

Command-line tools (dig, drill, whois)

These tools can be installed locally where you need them, so that they can be used on both internal and external networks.

dig

Provider: ISC

Functionality 

Look up DNS and DNSSEC data for domain names and zones. A flexible tool with a lot of functionality, popular for troubleshooting DNS problems. 

Documentation

Installation

  • *nix version: From the distribution’s apt archive, or download the BIND package
  • Mac/iOS version: Same as for *nix.
  • Windows version: dig.exe is included in the Windows version of the BIND package.

drill

Provider: NLnet Labs. See the ldns project.

Functionality 

Look up DNS and DNSSEC data for domain names and zones. The tool was developed specifically for use with DNSSEC.

Documentation

Installation

  • *nix version: Install the package ldnsutils from the distribution’s apt archive, or download the ldns package
  • Mac/iOS version: Same as for *nix.
  • Windows version: Not found
  • Web version: Not found

whois

Provider: many providers

Functionality 

Look up whois information (against Norid’s whois service). Combine the use of dig and drill with data from whois, as whois can also be used to look up DNSSEC information registered for a domain name in Norid’s database.

Documentation

Run whois --help and man whois.
See whois.

Installation

  • *nix version: Install the package whois from the distribution’s apt archive
  • Mac/iOS version: Same as for *nix.
  • Windows version: Download here.

Web-based services (Zonemaster, DNSViz, dig and others)

Pure web-based services are easy to use and can give a good status overview. The downside of this type of service is that it runs entirely online and can therefore only reach and analyze the open parts of the network/DNS, so such services are not immediately suitable for lab setups. Their use is relatively self-explanatory, but we recommend practising on a few lookups to become familiar with how they work.

DNS check from Norid

Provider: Norid

Go to the DNS check service

Functionality 

Can be used to check whether a domain name has been correctly set up in DNS, including DNSSEC.

This service is available to anyone who wants to check the DNS setup for their zones.

Registrars should check their name server setup before submitting changes over the EPP interface against the registration system for .no. If the check returns an error, the EPP operation will likely also fail, so this is a good check to perform before making any EPP changes that affect the name server setup.


Zonemaster from .se

Provider: .SE

Go to Zonemaster

See FAQ page.


Norid’s domain lookup service

Provider: Norid

Go to the domain lookup service

This is a web service that can be used to look up data on a domain name or organization, and that presents results in a user-friendly way. The data presented is limited by relevant privacy legislation.


DNSViz

Go to DNSViz

Looks up, analyzes and presents DNS and DNSSEC data in a user-friendly way.

For DNSSEC, the tool shows and verifies the DNSSEC chain of trust in a user-friendly way, with a graphic presentation.


DNSSEC Analyzer

Provider: Verisign Labs

Go to DNSSEC Analyzer

This tool was developed specifically to check DNSSEC status.

Looks up, analyzes and presents DNSSEC status in a user-friendly way.
Shows and verifies the DNSSEC chain of trust.
Click the more (+) and less (-) links to zoom in and out for more or less detail.


Web-based dig

Provider: Yajun

Go to web-based dig

The functionality is identical to the command-line-based dig, but this makes it available to anyone, even those who cannot install dig.


DNSSEC Validator addon for Firefox

Go to DNSSEC Validator add-on for Firefox

A plug-in/add-on for Firefox. It adds a status icon for DNSSEC to the browser’s address field.

The DNSSEC icon is green if the domain name is DNSSEC-secured and red if it is not secured.

See Norid’s website for examples of websites that have DNSSEC and should show a green DNSSEC icon.


Examples of how to use tools

Below are some examples of how to use some of these tools.

How to check if a zone is DNSSEC-secured

How do you check to see if a zone or domain is DNSSEC-secured, i.e. how do you verify the chain of trust? This varies from tool to tool. The examples below use norid.no as the test zone, as it is secured. First, dig is used to create a trusted key file, then the lookup is performed.

dig

dig produces a lot of output, and only some of it is shown below:

% dig +dnssec +multiline SOA norid.no +sigchase
% No trusted keys present

In this case, the trusted key for root must be saved to a local file first:

% dig DNSKEY .|grep 257 > ./trusted-key.key
% dig +dnssec +multiline SOA norid.no +sigchase

;; RRset to chase: 
norid.no.               3428 IN SOA ns.uninett.no. hostmaster.uninett.no. (
                        2014112501 ; serial 
                        14400      ; refresh (4 hours) 
                        3600       ; retry   (1 hour) 
                        1814400    ; expire  (3 weeks) 
                        900        ; minimum (15 minutes) 
                        ) 

;; RRSIG of the RRset to chase: 
norid.no.               3428 IN RRSIG SOA 8 2 3600 20141216043352 (
                        20141125070437 31923 norid.no.
                        YPfPCb26i1hu0vuiR6vTdKjRtgHGch+HH1A6UgXmeKtf                           
                        tyd+K1jmtGDk8R/uAKPozpK6nnKFIiE7QQIqN4ED4YQW                         
                        HsXQ5PZVpErZwX2ka9FMIUT2UnNAynGWgidjDJjXh2kO                         
                        56xX9uhNqlCLE8Dryo+2GX1wGN96bXMc8Dm6IzA= ) 

Launch a query to find a RRset of type DNSKEY for zone: norid.no. 
: 
: 
...a lot of results have been removed here...
:
: 
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS

The zone is secure if the last line shows ...ok: SUCCESS. An error message will appear if it is not secured or if it is not secured well enough.

drill

In this case, too, you must create a trusted key file first. See above under dig for how to do that.

% drill -S SOA norid.no -k ./trusted-key.key

;; Number of trusted keys: 1
;; Chasing: norid.no. SOA 

DNSSEC Trust tree: 
norid.no. (SOA) 
|---norid.no. (DNSKEY keytag: 31923 alg: 8 flags: 256)    
  |---norid.no. (DNSKEY keytag: 62984 alg: 8 flags: 257)    
  |---norid.no. (DS keytag: 62984 digest type: 2)        
    |---no. (DNSKEY keytag: 60990 alg: 8 flags: 256)        
    |---no. (DNSKEY keytag: 29471 alg: 8 flags: 257)            
      |---no. (DS keytag: 29471 digest type: 2)               
        |---. (DNSKEY keytag: 22603 alg: 8 flags: 256)                    
          |---. (DNSKEY keytag: 19036 alg: 8 flags: 257)
;; Chase successful

The zone is secure if the last line shows Chase successful. An error message will appear if it is not secured or if it is not secured well enough.
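In the trust tree above, each DS links to the DNSKEY that carries the same keytag, and the DS digest must match that key. The following Python script is an added example, not code from this page or from Norid: it computes the RFC 4034 key tag of a DNSKEY record and checks whether a DS record covers it. The DNSKEY record and the function names are constructed for the example; the key material is a dummy, not norid.no’s real key.

```python
import base64
import hashlib

# Constructed sample DNSKEY in dig's presentation format; the key material is a
# dummy placeholder, NOT norid.no's real key, and only exercises the arithmetic.
SAMPLE_DNSKEY = "norid.no. 3600 IN DNSKEY 257 3 8 AQIDBA=="

def name_to_wire(name):
    """Owner name in DNS wire format (RFC 1035 length-prefixed labels), lower-cased."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg key...' into (owner, rdata bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    # rdata layout: flags(2) protocol(1) algorithm(1) public key(...)
    return fields[0], flags.to_bytes(2, "big") + bytes([proto, alg]) + key

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: the 'keytag:' number drill prints in its trust tree."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest (RFC 4034 5.1.4): hash(owner name wire format + DNSKEY rdata); 1 = SHA-1, 2 = SHA-256."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds(dnskey_line, digest_type=2):
    """The DS record the parent zone (.no for norid.no) should publish for this DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    digest = ds_digest(owner, rdata, digest_type)
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(ds_line, dnskey_line):
    """Check one link of the chain of trust: does this DS really cover this DNSKEY?"""
    fields = ds_line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()  # dig may print the digest in several chunks
    owner, rdata = parse_dnskey(dnskey_line)
    return tag == key_tag(rdata) and alg == rdata[3] and digest == ds_digest(owner, rdata, dtype)
```

Real records can be fetched with dig DNSKEY norid.no and dig DS norid.no and passed to ds_matches to check the DS link between .no and norid.no. The script checks only that link, not the RRSIG signatures, which dig +sigchase and drill -S verify as well.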

DNSViz

Run the check in the tool. The graphic results can be inspected on screen, and you can also download a PNG file with the results. Direct link to run: http://dnsviz.net/d/norid.no/dnssec/ When the DNSSEC status is OK, the results are consistently presented in green. If something is wrong, other colours and line types are used; see the full legend for a description of how errors are indicated.

DNSSEC Analyzer

Run the check in the tool. The graphic results can be inspected on screen. Direct link to run: https://dnssec-analyzer.verisignlabs.com/norid.no The more (+) and less (-) links can be used to zoom in and out, which may be useful when investigating errors. When the DNSSEC status is OK, the result icons are green. If something is wrong, the icons will be yellow or red, and you can hover your cursor over an icon to read more about the problem.

Other tools for testing and troubleshooting

Examples of domain names with defects or errors

There are some test domains permanently configured in DNS with permanent and known defects or errors. These can be used to practice using the tools to find various errors. These domains include:

  • dnssec-or-not.org (DNSViz) http://dnssec-or-not.org and dnssec-or-not.net (DNSViz) http://dnssec-or-not.net. These have various defects.
  • dnssec-failed.org (DNSViz), rhybar.cz (DNSViz) and dnssec.fail (DNSViz). These domains have purposely been set up with various errors, including erroneous or expired DNSSEC signatures. DNSViz shows the various error messages and associated details. Drill shows a lot of data, including the message Bogus DNSSEC signature. Please note that the DNS lookup fails regardless of whether a website exists or is loaded in a browser for these domains. If you can nonetheless load a website for any of these domain names, DNSSEC validation is either turned off or incorrectly configured, and you should contact your internet service provider and ask them to turn on DNSSEC validation. Alternatively, you can use Google’s name servers instead. See below for more information.

How to check if zones with wildcard records validate correctly

BIND is a popular type of name server software. Some older BIND versions, 9.7.4 and 9.8.1, have a serious bug: they are unable to validate wildcard records signed with NSEC3. This bug was fixed in versions 9.7.5, 9.8.2 and 9.9.x. Unfortunately, some Norwegian ISPs still run these old versions with DNSSEC validation turned on, and in these cases validation will fail. To test whether you are using a resolver with this wildcard bug, go to the following website: http://0skar.cz/dns/en. If the test reports an error in your resolver, you can switch to one of the other resolving name servers; see the tip below for how to do this.


Can’t validate a domain name that should be secured?

If you find that you can’t validate a domain name you know should be secured, or the opposite: that you gain access to a website you know has an error in its DNSSEC configuration, the cause may be that the name servers you use have not activated DNSSEC validation. In this case, you can ask your provider to activate validation. Alternatively, you can switch to a different provider who offers correctly validating name servers, such as Google’s free service Google Public DNS.


Statistics for DNSSEC validating name servers

In order for DNSSEC to work, the resolving name servers that clients use for DNS must be configured to validate DNSSEC. Many name servers around the world have not yet activated this feature, and it is important that it gets done; it must be done by the party running the name service. APNIC has an interesting webpage showing maps and various statistics for the spread of DNSSEC-validating name servers worldwide, including the status for Norway. The main page is here. Smaller regions or individual countries can be selected using links further down the page.

Published: 17 June 2020
Updated: 31 October 2022