On the captured packets, perform the following simple verification steps:
- Check whether the DNS query sent by the client has the DNSSEC option set. This is carried in the additional records section of the DNS query packet:
In the preceding screenshot, it can be seen that the additional records section carries a flag (the DNSSEC OK, or DO, bit) indicating that the client accepts DNSSEC security resource records.
- The DNS server, upon receiving the request, replies with a DNS response that carries the requested record data (for example, an IP address for an A record) together with a Resource Record Signature (RRSIG), the digital signature associated with that resource record:
In the preceding screenshot, it can be seen that the DNS response from the server includes an RRSIG record alongside the answer.
- The DNS client now requests the DNSKEY record for the domain name as follows:
- The DNS server replies with the public key matching the key that signed the resource record:
- The client uses the DNSKEY to verify the RRSIG, and so validates the integrity and authenticity of the resource record received from the DNS server.
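The first two checks in the walkthrough above, as an added example that is not code from the original page: a stdlib-only Python reader that parses DNS wire format and reports whether a query carries the DNSSEC OK (DO) bit in its EDNS0 OPT record and whether a response's answer section contains RRSIG records. The packets it inspects are constructed inside the block (placeholder signature bytes, not a real capture); to use it on a capture, pass the UDP payload of the DNS message instead.

```python
import struct
TYPE_OPT, TYPE_RRSIG = 41, 46   # RR type codes for EDNS0 OPT and RRSIG
DO_BIT = 0x8000                  # DNSSEC OK: top bit of the OPT record's TTL field

def _skip_name(pkt, off):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def iter_rrs(pkt):
    """Yield (section, rtype, ttl_field, rdata) for each RR after the question section."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", pkt, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            off = _skip_name(pkt, off)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10
            yield section, rtype, ttl, pkt[off:off + rdlen]
            off += rdlen

def query_sets_do(pkt):
    """True if the query's additional section carries an OPT record with DO=1."""
    return any(s == "additional" and t == TYPE_OPT and ttl & DO_BIT
               for s, t, ttl, _ in iter_rrs(pkt))

def answer_rrsig_count(pkt):
    """Number of RRSIG records in the answer section of a response."""
    return sum(1 for s, t, _, _ in iter_rrs(pkt) if s == "answer" and t == TYPE_RRSIG)

# Constructed sample packets standing in for the capture's screenshots.
def _name(s):
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in s.split(".")) + b"\x00"

def build_query(qname, do=True):
    """A query for qname with an EDNS0 OPT record in the additional section."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT if do else 0, 0)
    return hdr + _name(qname) + struct.pack("!HH", 1, 1) + opt

def build_signed_response(qname):
    """Response with one A record and one RRSIG (placeholder signature bytes)."""
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    rrsig = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 20) + b"\x00" * 20
    return hdr + _name(qname) + struct.pack("!HH", 1, 1) + a_rr + rrsig
```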