DNS Security Reference
Comprehensive DNSSEC and DNS security best practices reference including record types, attacks, and DoH vs DoT comparison.
DnsSecurityReference.dnssecTitle
DnsSecurityReference.dnssecDesc
DNSKEYContains the public key used to verify signatures in the zone.
RRSIGResource Record Signature — cryptographic signature over a DNS record set.
DSDelegation Signer — links a child zone's DNSKEY to the parent zone.
NSECNext Secure — proves non-existence of a DNS record (authenticated denial).
NSEC3Hashed version of NSEC — prevents zone walking by hashing owner names.
CDSChild DS — child zone signals key changes to parent for automated rollover.
Frequently Asked Questions
Code Implementation
import subprocess
# Query DNSSEC records using dig
def check_dnssec(domain: str) -> None:
print(f"Checking DNSSEC for: {domain}")
# Check DNSKEY record
result = subprocess.run(
["dig", "+dnssec", "DNSKEY", domain],
capture_output=True, text=True
)
if "DNSKEY" in result.stdout:
print(f" ✓ DNSKEY record found")
else:
print(f" ✗ No DNSKEY record")
# Check DS record at parent
result = subprocess.run(
["dig", "+dnssec", "DS", domain],
capture_output=True, text=True
)
if "DS" in result.stdout:
print(f" ✓ DS record found (DNSSEC enabled)")
else:
print(f" ✗ No DS record (DNSSEC not fully configured)")
# Check RRSIG
result = subprocess.run(
["dig", "+dnssec", "A", domain],
capture_output=True, text=True
)
if "RRSIG" in result.stdout:
print(f" ✓ RRSIG present (records are signed)")
else:
print(f" ✗ No RRSIG (records not signed)")
check_dnssec("cloudflare.com")Comments & Feedback
Comments are powered by Giscus. Sign in with GitHub to leave a comment.