How to validate DNSSEC signed record with dig?

Spain, Dr. Jeffry A. spainj at
Sun Feb 5 20:35:03 UTC 2012

> I am trying to validate DNSSEC signature on ns record using dig.
> Domain is properly signed using DNSSEC. 
> I am trying to validate it as described here:
> $ dig +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
> $ dig +topdown +sigchase
> but it gives me ";; DSset is missing to continue validation: FAILED" error while processing the whole hierarchy of zones.

> $ cat /etc/resolv.conf
> # Generated by NetworkManager
> domain router
> search router
> nameserver
> nameserver

Checking your two name servers, ( doesn't appear to offer DNSSEC validation, and ( doesn't respond to my query at all.

A known-good publicly accessible DNSSEC-validating recursive resolver is available at If I run "dig +dnssec", I get an AD (authenticated data) flag returned for the A record with IPv4 address This is a prima facie indication that DNSSEC is working for The "+topdown" option isn't available to me (bind 9.9.0rc2 version of dig).

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
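
Added example (not part of the original message): a shell function that reads `dig +dnssec` output and reports whether the resolver set the AD flag, answered without validating, returned SERVFAIL, or did not answer at all, which covers the resolver behaviours the reply describes. The sample output, `example.com`, `192.0.2.10`, the signature text and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `dig +dnssec` output read on stdin.
# All sample output below is constructed (example.com, 192.0.2.10).
classify_dig() {
    awk '
        index($0, "->>HEADER<<-") {            # header line carries the rcode
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,/, "", status) }
        }
        /^;; flags:/ {                         # ";; flags: qr rd ra ad; QUERY: 1, ..."
            line = $0
            sub(/^;; flags: */, "", line); sub(/;.*/, "", line)
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        !/^;/ && $4 == "RRSIG" { rrsig = 1 }   # signature records in the answer
        END {
            if (status == "")              print "no-response"
            else if (status == "SERVFAIL") print "servfail"
            else if (ad)                   print "validated"
            else if (rrsig)                print "signed-not-validated"
            else                           print "no-dnssec-data"
        }'
}

sample_validated() {       # constructed answer from a validating resolver
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.com. 3600 IN A 192.0.2.10
example.com. 3600 IN RRSIG A 8 2 3600 20120301000000 20120201000000 12345 example.com. c2FtcGxl
EOF
}
sample_not_validated() {   # same answer from a resolver that does not validate
    sample_validated | sed 's/ ra ad;/ ra;/'
}
sample_timeout() {         # what dig prints when the server never answers
    echo ';; connection timed out; no servers could be reached'
}

for s in sample_validated sample_not_validated sample_timeout; do
    printf '%s: %s\n' "$s" "$($s | classify_dig)"
done
```

Against a live resolver the input would come from `dig +dnssec <name> @<resolver> | classify_dig`. The AD flag is the resolver's own assertion, so it only means something when the path between the client and that resolver is trusted.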
