1601 - Recognizing signed domains


Your organization has recently adopted DNSSEC, a valuable security measure that aligns with the latest recommendations for DNS security. As part of your responsibilities, you have been assigned the task of testing the resolution of your organization's DNSSEC-enabled zones, ensuring they can be accessed by the public while being properly signed.

To refresh your DNSSEC knowledge, you decided to validate a selection of public domains. These domains include some that are DNSSEC signed and others that are not.

Estimated Completion Time

  • 15 to 20 Minutes

Course References

  • 0301: Information Security Fundamentals
  • 1204: DNSSEC Fundamentals


Task 1: Recognize Signed Domains

In this task, we determine whether a particular domain name has been signed with DNSSEC by querying for the domain's SOA record and manually requesting the additional DNSSEC information.

  1. Using the name server, determine which of the following domain names have been signed

    Domain Name    Status
  2. Which, if any, of the secure domains is bogus?


Task 1: Recognize Signed Domains

  1. Using dig with the name server, we determined the following:

    Domain Name              Status
    www.fbi.gov              secure      DNSSEC is implemented properly
    www.infoblox.com         insecure    DNSSEC is enabled on but not its alias
    www.ietf.org             secure      DNSSEC is implemented properly
    www.hawaii.edu           insecure    DNSSEC is not implemented at all
    www.dnssec-failed.org    bogus       We cannot be sure just by doing this step

    Use the following syntax to validate each entry in the table:
    dig @ [domain-name] SOA +dnssec +multi

  2. is bogus and we can validate that by the SERVFAIL error response message.
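
One way to turn the dig output from the steps above into a verdict, as an added example that is not part of the original lab: the function reads the header dig prints and, for SERVFAIL, also looks at a second run of the same query with +cd (checking disabled), because SERVFAIL has causes other than failed validation. SERVER is a placeholder, the function and variable names are hypothetical, and the sample headers are constructed.

```shell
#!/bin/sh
# Added example (not part of the lab): classify a name from dig output.
# $1 = output of: dig @SERVER NAME SOA +dnssec +multi   (SERVER is a placeholder)
# $2 = optional output of the same query with +cd (checking disabled)

# Pull the RCODE out of the ";; ->>HEADER<<-" line.
rcode() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }

classify_dnssec() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$(rcode "$1")" in
        NOERROR)
            # AD (Authenticated Data) is set only when the resolver validated the answer.
            case " $flags " in
                *" ad "*) echo secure ;;
                *)        echo insecure ;;
            esac ;;
        SERVFAIL)
            # SERVFAIL points at DNSSEC only if the same query succeeds
            # once validation is switched off with +cd.
            if [ "$(rcode "$2")" = NOERROR ]; then echo bogus
            else echo servfail-unconfirmed; fi ;;
        *)  echo unknown ;;
    esac
}

# Constructed sample headers (ids and counts are made up).
SAMPLE_SECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232'
SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4444
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

classify_dnssec "$SAMPLE_SECURE"
classify_dnssec "$SAMPLE_INSECURE"
classify_dnssec "$SAMPLE_SERVFAIL"
classify_dnssec "$SAMPLE_SERVFAIL" "$SAMPLE_SERVFAIL_CD"
```

The AD flag is only as trustworthy as the resolver that set it and the path to it, so run the query against a validating resolver you control.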

