Disclaimer: This test page has been created around 2012 and has not received many updates ever since. If the test is reporting failures, chances are those are problems of the test, not your setup. HTTPS support is still experimental.
JavaScript is needed for tests to work. Wait a few seconds before
examining the results. Tests 1-3 uses this random URL string:
. Browser cache should be clean for
tests 4 and 5 to work correctly.
Test | Result | |
---|---|---|
1. | DNSSEC secure
*.wilda.rhybar.0skar.cz |
Failure.
You are not protected by DNSSEC. Therefore,
other tests here does not make any sense.
Success.
You cannot access sites with broken DNSSEC
signature.
Testing in progress…
|
2a. | NSEC zone with an A record
*.wilda.nsec.0skar.cz |
Failure.
Your DNS server cannot correctly validate an
A record, created by expanding a wildcard
on a NSEC zone.
Success.
Your DNS server can correctly validate an
A record, created by expanding a wildcard
on a NSEC zone.
Testing in progress…
|
2b. | NSEC zone with a CNAME record
*.wild.nsec.0skar.cz |
Failure.
Your DNS server cannot correctly validate a
CNAME record, created by expanding a wildcard
on a NSEC zone.
Success.
Your DNS server can correctly validate a
CNAME record, created by expanding a wildcard
on a NSEC zone.
Testing in progress…
|
3a. | NSEC3 zone with an A record
*.wilda.0skar.cz |
Failure.
Your DNS server cannot correctly validate an
A record, created by expanding a wildcard
on a NSEC3 zone.
Success.
Your DNS server can correctly validate an
A record, created by expanding a wildcard
on a NSEC3 zone.
Testing in progress…
|
3b. | NSEC3 zone with a CNAME record
*.wild.0skar.cz |
Failure.
Your DNS server cannot correctly validate a
CNAME record, created by expanding a wildcard
on a NSEC3 zone.
Success.
Your DNS server can correctly validate a
CNAME record, created by expanding a wildcard
on a NSEC3 zone.
Testing in progress…
|
4. | Extra record inside a wildcard on a NSEC zone
www.wilda.nsec.0skar.cz |
Failure.
Your DNS server cannot correctly validate a
CNAME record, surrounded by wildcard
A records on a NSEC zone.
Success.
Your DNS server can correctly validate a
CNAME record, surrounded by wildcard
A records on a NSEC zone.
Testing in progress…
|
5. | Extra record inside a wildcard on a NSEC3 zone
www.wilda.0skar.cz |
Failure.
Your DNS server cannot correctly validate a
CNAME record, surrounded by wildcard
A records on a NSEC3 zone.
Success.
Your DNS server can correctly validate a
CNAME record, surrounded by wildcard
A records on a NSEC3 zone.
Testing in progress…
|
Some DNSSEC-validating DNS resolvers fails to validate correctly so-called wildcard DNS records. Problem is getting worse when more resolvers are chained one to another.
Until version 9.9.0, the most widespread DNS server BIND cannot correctly validate wilcard records in a zone with NSEC3 records (tests 3a, 3b), hosted at an authoritative server other than BIND (source). When this server is prepended to any other DNSSEC validator, the validator cannot validate even wildcard records in zones with NSEC records (tests 2a, 2b).
Alternative DNS server Unbound validates all tests correctly, if whole recursion is done by it. Versions 1.4.6 and newer were tested.