1. How to verify whether DNSSEC settings are effective?
Check the domain's DS records. DNSSEC uses DS (Delegation Signer) records to publish the zone's key information in the parent zone: a DS record carries the key tag, algorithm, digest type and a digest of the zone's key-signing DNSKEY, which the parent's signature vouches for. You can use online tools or DNS query tools to check whether the domain's DS records are present and correct.
Check the domain's DNSKEY records. DNSKEY records contain the public keys used to verify the zone's digital signatures (RRSIG records). Use a DNS query tool to confirm that they exist and match the published DS records. With dig, query for the keys with the DNSSEC OK bit set: dig +dnssec example.com DNSKEY (the answer should include RRSIG records, and a validating resolver will also set the ad flag). Alternatively, use a third-party online tool that checks the whole DNSSEC chain, such as https://dnsviz.net.
2. Can DNSSEC prevent domain hijacking and cache poisoning?
DNSSEC can prevent domain hijacking and cache poisoning that would otherwise direct users to forged phishing websites. A validating resolver verifies the authenticity and integrity of a response by checking its signatures against the zone's DNSKEY, which it trusts through the DS records published in the parent zone. However, for a domain that has already been hijacked, DNSSEC cannot restore normal resolution. Likewise, if a domain is blacklisted by certain countries' or regional operators' networks, DNSSEC cannot restore normal resolution.
3. Are there any drawbacks to DNSSEC?
Due to the introduction of digital signatures and other encryption mechanisms, DNS responses become larger, which may result in increased network bandwidth requirements and latency.
Although DNSSEC is a standard of the Internet Engineering Task Force (IETF), some old devices or software may not support DNSSEC. This may result in the inability to resolve DNSSEC-protected domains in certain situations.
4. What are the consequences of arbitrarily modifying DS record parameters?
If the DS record no longer matches the zone's DNSKEY, validating resolvers will fail to verify the zone, DNS resolution will fail for them, and the website may become inaccessible. Ensure that the DS records are set with the latest parameters obtained from the DNS server provider, and avoid making arbitrary modifications.
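The following Python script is an added, constructed example (not code from the original page or from any DNS provider) that performs offline the consistency check behind Q1 and Q4: it recomputes the DS record from a KSK DNSKEY according to RFC 4034 and compares it with the DS published in the parent, so an edited or stale DS is reported as a mismatch. It assumes the two records have already been fetched (for example with dig DS example.com and dig +dnssec example.com DNSKEY) and are pasted in dig's presentation format; the sample key in the script is a placeholder, not a real key.

```python
import base64
import hashlib

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): a 16-bit checksum used to pick a key, not a hash."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """(key tag, algorithm, digest type, hex digest) that the parent's DS must carry."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey  # DNSKEY RDATA
    digest = DIGEST_ALGOS[digest_type](owner_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest

def parse_dnskey(line: str):
    """Parse dig output such as 'example.com. 3600 IN DNSKEY 257 3 13 <base64 key>'."""
    parts = line.split()
    i = parts.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in parts[i + 1:i + 4])
    return parts[0], flags, protocol, algorithm, base64.b64decode("".join(parts[i + 4:]))

def parse_ds(line: str):
    # Parse dig output such as 'example.com. 86400 IN DS 5154 13 2 <hex digest>'.
    parts = line.split()
    i = parts.index("DS")
    return int(parts[i + 1]), int(parts[i + 2]), int(parts[i + 3]), "".join(parts[i + 4:]).lower()

def ds_matches(dnskey_line: str, ds_line: str) -> bool:
    """True only if the parent's DS was computed from exactly this DNSKEY."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    tag, ds_alg, digest_type, digest = parse_ds(ds_line)
    if digest_type not in DIGEST_ALGOS:  # unknown digest type: cannot be validated here
        return False
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_type)
    return expected == (tag, ds_alg, digest_type, digest)

if __name__ == "__main__":
    # Constructed sample: the short base64 "key" is a placeholder, not a real KSK.
    sample = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBAUGBwg="
    print("example.com. IN DS %d %d %d %s" % ds_from_dnskey(*parse_dnskey(sample)))
```

Paste the real DNSKEY line (flags 257) and the DS line returned by the parent into ds_matches; a False result means the DS in the parent does not correspond to the key the zone is signed with, which is exactly the state Q4 warns about.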