Best way IMHO to test dnssec is to look at the flags you get from a dig response. You can use asuswrt.lostrealm.ca for testing - my domain is DNSSEC-signed. This is a working dnssec:
Code:
merlin@ubuntu-dev:~$ dig asuswrt.lostrealm.ca @8.8.8.8
; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> asuswrt.lostrealm.ca @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 204
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;asuswrt.lostrealm.ca. IN A
;; ANSWER SECTION:
asuswrt.lostrealm.ca. 299 IN A 72.55.186.51
;; Query time: 40 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 05 14:09:56 EDT 2018
;; MSG SIZE rcvd: 65
This is a NON-working one:
Code:
merlin@ubuntu-dev:~$ dig asuswrt.lostrealm.ca @208.67.222.222
; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> asuswrt.lostrealm.ca @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20738
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;asuswrt.lostrealm.ca. IN A
;; ANSWER SECTION:
asuswrt.lostrealm.ca. 300 IN A 72.55.186.51
;; Query time: 15 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 05 14:08:37 EDT 2018
;; MSG SIZE rcvd: 65
The difference is on the flags line. The "ad" flag indicates the reply was authenticated by dnssec.
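As an added example (not part of the post above), the flags-line check can be scripted so that a resolver's DNSSEC behaviour is classified mechanically rather than read by eye. The `ad_flag_status` function parses dig output from stdin and reports `validated` when the "ad" flag is present, `not-validated` when it is absent, `servfail` when the resolver refused to answer (what a validating resolver returns for a zone whose signatures fail to verify), and `no-answer` when no reply was parsed. `check_resolver` is a convenience wrapper that runs dig against a chosen resolver; it assumes `dig` is installed and uses the real `+adflag` option so the query explicitly asks the resolver to report validation status. The two sample replies are constructed from the flags lines of the two dig runs shown above.

```shell
#!/bin/sh
# Classify a dig reply by its DNSSEC-related header bits.
# Reads dig output on stdin, prints one of:
#   validated      - "ad" (Authenticated Data) flag set: resolver validated the answer
#   not-validated  - reply received but no "ad" flag: resolver did not (or could not) validate
#   servfail       - status SERVFAIL: typical result for a zone with broken signatures
#   no-answer      - no header/flags line found (timeout, wrong input, etc.)
ad_flag_status() {
    awk '
        /^;; ->>HEADER<<-/ {
            if ($0 ~ /status: SERVFAIL/) servfail = 1
        }
        /^;; flags:/ {
            # Isolate the flag list between "flags:" and the first ";", e.g. "qr rd ra ad"
            line = $0
            sub(/^;; flags: */, "", line)
            sub(/;.*$/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") found = 1
            seen_flags = 1
        }
        END {
            if (servfail) print "servfail"
            else if (!seen_flags) print "no-answer"
            else if (found) print "validated"
            else print "not-validated"
        }'
}

# Query NAME at RESOLVER and classify the reply.
# Assumption: dig is installed. +adflag asks the resolver to set AD when it validated.
check_resolver() {
    name=$1
    resolver=$2
    dig "$name" "@$resolver" +adflag | ad_flag_status
}

# Constructed sample replies; flags lines copied from the two dig runs in the post.
VALIDATED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 204
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
UNVALIDATED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20738
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
# Constructed reply shaped like a validating resolver rejecting a badly signed zone.
SERVFAIL_REPLY=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Usage (offline, on the constructed samples):
#   printf '%s\n' "$VALIDATED_REPLY" | ad_flag_status
# Usage (live, requires dig and network):
#   check_resolver asuswrt.lostrealm.ca 8.8.8.8
```

Two things the flag tells you and one it does not: a missing "ad" on a domain you know is signed means the resolver is not validating (or the zone's DS chain is broken), and a SERVFAIL on a deliberately mis-signed test zone is the positive confirmation that validation is actually enforced. What "ad" does not prove is that the answer reached you intact: the bit is set by the resolver, so it is only trustworthy when the path from the resolver to the client is trusted (a validator on the LAN or on the router itself, or a protected transport to the upstream resolver).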