Understanding how to query and interpret DNSSEC records is essential for configuration and troubleshooting. This guide covers dig commands and explains each DNSSEC record type.
Essential dig Commands
Basic DNSSEC Query
dig example.com +dnssecReturns standard records plus RRSIG (signatures). Look for the ad flag indicating
validated data.
Query Specific DNSSEC Records
# Get zone's public keys
dig DNSKEY example.com
# Get DS record from parent
dig DS example.com
# Get signatures for A records
dig A example.com +dnssec
# Get NSEC3 for denial of existence
dig NSEC3PARAM example.comDisable Validation
dig example.com +cdThe +cd (checking disabled) flag tells the resolver to skip validation. Useful for
diagnosing whether DNSSEC is causing failures.
Trace the Chain
dig example.com +trace +dnssecShows the complete resolution path from root, including all DNSSEC records at each level.
DNSSEC Record Types Explained
DNSKEY Record
Contains the zone's public signing keys.
example.com. 3600 IN DNSKEY 257 3 13 mdsswU...- 257: Key flags (257 = KSK, 256 = ZSK)
- 3: Protocol (always 3 for DNSSEC)
- 13: Algorithm (13 = ECDSAP256SHA256)
- mdsswU...: Base64-encoded public key
DS Record
Delegation Signer—hash of child zone's KSK, stored in parent zone.
example.com. 3600 IN DS 2371 13 2 E4F7B1C...- 2371: Key tag (identifies the DNSKEY)
- 13: Algorithm of the referenced DNSKEY
- 2: Digest type (2 = SHA-256)
- E4F7B1C...: Hash of the DNSKEY
RRSIG Record
Signature covering a set of records.
example.com. 300 IN RRSIG A 13 2 300 20241231235959 20241201000000 12345 example.com. kBr2...- A: Type of record being signed
- 13: Algorithm
- 2: Labels in the owner name
- 300: Original TTL
- 20241231235959: Signature expiration
- 20241201000000: Signature inception
- 12345: Key tag of signing key
- kBr2...: The signature data
NSEC/NSEC3 Records
Prove that a queried name doesn't exist (authenticated denial).
# NSEC - reveals zone contents
example.com. IN NSEC mail.example.com. A NS SOA MX RRSIG NSEC DNSKEY
# NSEC3 - hashed, prevents zone walking
A1B2C3... IN NSEC3 1 0 10 AABB A1B2C4... A NS SOA MX RRSIGCommon dig Flags Reference
| Flag | Purpose |
|---|---|
| +dnssec | Request DNSSEC records (RRSIG, etc.) |
| +cd | Disable DNSSEC validation |
| +trace | Follow delegation from root |
| +short | Show only answer data |
| +multi | Multi-line output for readability |
| @server | Query specific resolver |
Real-World Examples
Verify DNSSEC is Working
dig cloudflare.com +dnssec @8.8.8.8 | grep "flags"
;; flags: qr rd ra ad;The ad flag confirms successful validation.
Check Signature Expiration
dig RRSIG example.com +short | head -1
A 13 2 300 20241231235959 20241201000000 12345 example.com. kBr2...Fifth field is expiration date (YYYYMMDDHHMMSS format).