1. Overview
Contrast Security is implementing DNS Security Extensions (DNSSEC) across our service domains. This security enhancement adds cryptographic verification to our DNS records, protecting customers and the Contrast platform against DNS spoofing, cache poisoning, and man-in-the-middle attacks.
DNSSEC works by digitally signing DNS records using public-key cryptography. When a DNS resolver queries a DNSSEC-signed domain, it can verify the authenticity and integrity of the response, ensuring the DNS answer has not been tampered with in transit.
See the Support Bulletin for details.
2. Steps to verify that your environment supports DNSSEC validation
Pre-Implementation Readiness Check
DNSSEC records will not be present on Contrast Security domains until Phase 1. If you want to verify that your environment supports DNSSEC validation before the implementation date, test against a domain you know already has DNSSEC enabled.
    # Test DNSSEC validation using a known DNSSEC-enabled domain:
    dig +dnssec cloudflare.com

    # Other reliable DNSSEC test domains:
    dig +dnssec internetsociety.org

    # Run against a specific resolver address:
    dig @<your-resolver-ip/hostname> +dnssec cloudflare.com

    # What to look for in the output:
    # - 'ad' flag in the response header = your resolver validates DNSSEC successfully
    # - 'RRSIG' records in the answer section = DNSSEC records are being returned
    # - status: SERVFAIL = your resolver is failing DNSSEC validation

    # If these tests pass, your environment is ready for Contrast's DNSSEC implementation.
    # If you see SERVFAIL on these domains, contact your IT/network team.
Successful resolve example:
    dig @8.8.8.8 +dnssec cloudflare.com

    ; <<>> DiG 9.10.6 <<>> @8.8.8.8 +dnssec cloudflare.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55057
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 512
    ;; QUESTION SECTION:
    ;cloudflare.com.                IN      A

    ;; ANSWER SECTION:
    cloudflare.com.         292     IN      A       104.16.132.229
    cloudflare.com.         292     IN      A       104.16.133.229
    cloudflare.com.         292     IN      RRSIG   A 13 2 300 20260328172858 20260326152858 34505 cloudflare.com. thH2TP4JUqxqaCMehIBnwhwArlnEyVxs2XAE95IBCU08TjPubl6Dn7e/ NXKNm8R11iTsUWm/SVhjumO3Ltp0qA==

    ;; Query time: 39 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Fri Mar 27 16:29:15 GMT 2026
    ;; MSG SIZE  rcvd: 185
ℹ️ Why cloudflare.com? cloudflare.com and internetsociety.org both have DNSSEC fully enabled and are reliably maintained. If your resolver can validate DNSSEC on these domains, it will be ready for Contrast's implementation after Phase 1.
3. Diagnostic Commands Reference
3.1 Basic DNS Resolution Test
    # Run from affected host:
    nslookup [customer-env].contrastsecurity.com

    # Healthy output: Returns IP address(es)
    # Unhealthy: Returns SERVFAIL or NXDOMAIN
3.2 DNSSEC-Specific Check
    # Run from affected host:
    dig +dnssec [customer-env].contrastsecurity.com

    # Look for in the output:
    # - 'ad' flag in the response header = DNSSEC validated successfully
    # - 'RRSIG' records present = zone is signed
    # - status: SERVFAIL = DNSSEC validation failure
    # - status: NOERROR = DNS is working
3.3 Isolate Internal vs. Public Resolver
⚠️ Restricted network environments may not allow resolving via other DNS servers.
Some network environments may restrict access to other DNS resolvers.

    # Test against public resolvers to isolate the issue:
    dig @8.8.8.8 [customer-env].contrastsecurity.com
    dig @1.1.1.1 [customer-env].contrastsecurity.com

    # If public resolvers work but internal does not:
    # → Issue is with customer's internal DNS infrastructure
    # → Customer needs to review resolver/forwarder DNSSEC config

    # If public resolvers also fail:
    # → Possible issue with Contrast's DNSSEC signing chain
    # → Escalate to CloudSecurity immediately
3.4 Check Resolver DNSSEC Support
    # Customer runs this against their internal resolver:
    dig @<internal-resolver-ip> contrastsecurity.com +dnssec

    # Look for:
    # 'ad' flag = resolver validates DNSSEC
    # Missing 'ad' flag = resolver is not DNSSEC-aware

    # Alternative — check DO bit support:
    dig @<internal-resolver-ip> . DNSKEY +dnssec
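The checks in section 2 and in sections 3.2 through 3.4 all come down to reading three things out of a dig response: the status, the 'ad' flag, and whether RRSIG records came back. The script below is an added example, not part of the bulletin: it does that reading in one POSIX sh function and wraps the section 3.4 query around it. The names classify_dig_output, dnssec_check and SAMPLE_DIG_OUTPUT are this example's own, and the embedded sample is the bulletin's successful cloudflare.com response trimmed to the lines the parser reads.

```shell
#!/bin/sh
# Added example (not Contrast's own tooling): classify a 'dig +dnssec'
# response into the outcomes the bulletin describes. Function and variable
# names are this example's own; the sample below is the bulletin's output.

# classify_dig_output: read dig output on stdin and print one of:
#   VALIDATED            NOERROR and the resolver set the 'ad' flag
#   SIGNED_NOT_VALIDATED RRSIGs returned but no 'ad' (resolver not validating)
#   NOT_DNSSEC_AWARE     NOERROR with neither 'ad' nor RRSIG records
#   VALIDATION_FAILURE   status SERVFAIL (validation failed at the resolver)
#   OTHER:<status>       NXDOMAIN, REFUSED, ... or no HEADER line at all
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n '/->>HEADER<<-/s/.*status: \([A-Z]*\),.*/\1/p')
    case "$status" in
        NOERROR)  ;;
        SERVFAIL) echo VALIDATION_FAILURE; return 0 ;;
        '')       echo OTHER:NO_RESPONSE;  return 0 ;;
        *)        echo "OTHER:$status";    return 0 ;;
    esac
    ad=0; rrsig=0
    printf '%s\n' "$out" | grep -q '^;; flags:.* ad[ ;]' && ad=1
    printf '%s\n' "$out" | grep -q 'IN[[:space:]]*RRSIG' && rrsig=1
    if [ "$ad" = 1 ]; then echo VALIDATED
    elif [ "$rrsig" = 1 ]; then echo SIGNED_NOT_VALIDATED
    else echo NOT_DNSSEC_AWARE
    fi
}

# dnssec_check RESOLVER NAME: the section 3.4 query, classified.
dnssec_check() {
    dig "@$1" +dnssec "$2" 2>/dev/null | classify_dig_output
}

# The bulletin's successful example, abridged to the lines the parser reads.
SAMPLE_DIG_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55057
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
cloudflare.com.  292  IN  A  104.16.132.229
cloudflare.com.  292  IN  A  104.16.133.229
cloudflare.com.  292  IN  RRSIG  A 13 2 300 20260328172858 20260326152858 34505 cloudflare.com. thH2TP4JUqxqaCMehIBnwhwArlnEyVxs2XAE95IBCU08TjPubl6Dn7e/ NXKNm8R11iTsUWm/SVhjumO3Ltp0qA=='

# Usage: sh dnssec_check.sh <resolver-ip> <name>; with no arguments, classify the sample.
if [ "$#" -eq 2 ]; then dnssec_check "$1" "$2"
else printf '%s\n' "$SAMPLE_DIG_OUTPUT" | classify_dig_output
fi
```

Run it against the customer's internal resolver and a public one with the same name; a SIGNED_NOT_VALIDATED or NOT_DNSSEC_AWARE result only from the internal resolver points at the forwarder configuration, as section 3.3 describes.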
3.5 Cache Flush Instructions (to give customer)
    # Windows (run as Administrator):
    ipconfig /flushdns

    # macOS:
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

    # Linux (systemd-resolved):
    sudo resolvectl flush-caches

    # Linux (nscd):
    sudo systemctl restart nscd

    # After flushing, retry immediately