DNSSEC Test
Welcome to my DNSSEC test page. You can verify if you have a working DNSSEC setup here. You may have arrived here through different hostnames but the important two are these:
bogussig.test.jelte.nlnetlabs.nl
On most systems, both of these links should work. However, if you use DNSSEC with [jelte.]nlnetlabs.nl as dnssec-must-be-secure and this key as a trusted key, the first one should work but the second should not.
If you use the NLnetLabs DNSSEC Firefox extension with that key, the icon should appear green on the first link and red on the second.
Test Tree
I also created a complete tree to test your chaser/tracer/verifier/whatever with. At the moment it goes down 5 levels from test.jelte.nlnetlabs.nl.
Every zone has 6 subzones:
- ok: these are signed correctly.
- nods: a zone without the DS RR for the child zones.
- bogussig: the RRSIGs of zones starting with this name contain bad signature data.
- sigexpired: the RRSIGs of zones starting with this name have an expiration date in the past.
- signotincepted: the RRSIGs of zones starting with this name have an inception date in the future.
- unknownalgorithm: the RRSIGs of zones starting with this name are signed correctly (with a known algorithm), but have the algorithm field set to another value.
The result is that you can test your programs with a range of domains, for example:
- ok.ok.ok.test.jelte.nlnetlabs.nl
- ok.ok.nods.ok.test.jelte.nlnetlabs.nl
- bogussig.ok.test.jelte.nlnetlabs.nl
- ok.bogussig.ok.ok.test.jelte.nlnetlabs.nl
- ok.unknownalgorithm.ok.sigexpired.ok.test.jelte.nlnetlabs.nl
- signotincepted.bogussig.sigexpired.bogussig.test.jelte.nlnetlabs.nl
- bogussig.test.jelte.nlnetlabs.nl
- sigexpired.test.jelte.nlnetlabs.nl
- signotincepted.test.jelte.nlnetlabs.nl
- unknownalgorithm.test.jelte.nlnetlabs.nl
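
The sigexpired, signotincepted and unknownalgorithm cases in the list above can all be detected from the RRSIG fields alone, before any signature verification. The sketch below is an added example, not code from this page or from NLnet Labs: it parses RRSIG records in presentation format and reports which of those faults apply. The record names, the algorithm number 200, the fixed clock and the supported-algorithm set are assumptions made for the example; bogussig needs real cryptographic verification and nods needs a DS lookup, so neither is covered.

```python
from datetime import datetime, timezone

# IANA algorithm numbers this sketch treats as supported (assumption: your
# validator's set may differ).
KNOWN_ALGORITHMS = {5, 7, 8, 10, 13, 14, 15, 16}

def parse_time(field):
    # RRSIG timestamps in presentation format: YYYYMMDDHHmmSS, always UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    # owner TTL IN RRSIG covered alg labels origttl expiration inception keytag signer sig
    tok = line.split()
    if len(tok) < 13 or tok[2].upper() != "IN" or tok[3].upper() != "RRSIG":
        raise ValueError("not a single-line RRSIG record: %r" % line)
    return {"owner": tok[0], "algorithm": int(tok[5]),
            "expiration": parse_time(tok[8]), "inception": parse_time(tok[9])}

def precheck(rrsig, now):
    # Faults detectable from the RRSIG fields alone, before any signature math.
    problems = []
    if rrsig["algorithm"] not in KNOWN_ALGORITHMS:
        problems.append("unknownalgorithm")
    if rrsig["inception"] > rrsig["expiration"]:
        problems.append("inception-after-expiration")
    elif now > rrsig["expiration"]:
        problems.append("sigexpired")
    elif now < rrsig["inception"]:
        problems.append("signotincepted")
    return problems

def check_all(text, now):
    # Map each record's owner name to the list of faults found for it.
    return {r["owner"]: precheck(r, now)
            for r in map(parse_rrsig, filter(str.strip, text.splitlines()))}

# Constructed sample records (hypothetical names, placeholder signature data).
SAMPLE = """\
ok.example. 3600 IN RRSIG A 8 2 3600 20240201000000 20240101000000 12345 ok.example. c2lnbmF0dXJl
sigexpired.example. 3600 IN RRSIG A 8 2 3600 20200201000000 20200101000000 12345 sigexpired.example. c2lnbmF0dXJl
signotincepted.example. 3600 IN RRSIG A 8 2 3600 20300201000000 20300101000000 12345 signotincepted.example. c2lnbmF0dXJl
unknownalgorithm.example. 3600 IN RRSIG A 200 2 3600 20240201000000 20240101000000 12345 unknownalgorithm.example. c2lnbmF0dXJl
"""
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible

if __name__ == "__main__":
    for owner, problems in check_all(SAMPLE, NOW).items():
        print(owner, problems or ["time window and algorithm ok"])
```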