Most people will experience a negative test result (no DNSSEC validation) – that's ok and no reason to panic.
Few operating systems support DNSSEC validation out of the box. You can install Dnssec-Trigger to run your own validating resolver (more information). Keep in mind that web browsers do not distinguish between DNSSEC validation failures and general DNS failures (there is no security warning like with SSL/TLS errors).
To re-run the above test, you also need to:
If you're running a recursive DNS cache, follow these steps to enable DNSSEC validation on BIND or Unbound.
Since BIND 9.8, you can activate DNSSEC validation with the following lines in the options section of your named.conf:
If you're running an older BIND version, you should update.
dig sigok.verteiltesysteme.net @127.0.0.1 (should return an A record)
dig sigfail.verteiltesysteme.net @127.0.0.1 (should return SERVFAIL)
If DNSSEC validation does not seem to work, check whether you're using more than one DNS resolver and whether each of them has DNSSEC validation enabled. The most common configuration error is to use a secondary DNS resolver without DNSSEC validation. Upon validation error, the operating system will fall back to the secondary resolver and the security checks of the primary resolver will be moot.
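The following script is an added example, not part of the original page or of the BIND/Unbound projects. It automates the two dig checks above and the diagnosis in the previous paragraph: it queries sigok and sigfail against a resolver address you pass in, parses the status and flags from dig's output, and classifies the resolver as validating, not validating, or broken. It assumes BIND's dig(1) is installed; the configuration directives quoted in the comment (dnssec-validation auto for BIND 9.8+, auto-trust-anchor-file for Unbound) are standard directives of those servers, and the trust-anchor path is a distribution-dependent example.

```shell
#!/bin/sh
# Added example: verify that a recursive resolver validates DNSSEC.
#
# Configuration reminder (standard directives, paths are examples):
#   BIND 9.8+ (named.conf):  options { dnssec-validation auto; };
#   Unbound (unbound.conf):  server:
#                              auto-trust-anchor-file: "/var/lib/unbound/root.key"

# Extract the rcode from dig output read on stdin
# (line looks like ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242").
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract the flag list from dig output read on stdin
# (line looks like ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, ...").
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# classify OK_STATUS OK_FLAGS FAIL_STATUS
#   OK_STATUS/OK_FLAGS: rcode and flags from the sigok query
#   FAIL_STATUS:        rcode from the sigfail query
# Prints: validating | validating-no-ad | not-validating | broken
classify() {
    ok_status=$1; ok_flags=$2; fail_status=$3
    case "$ok_status/$fail_status" in
        NOERROR/SERVFAIL)
            # sigok answered, sigfail refused: the resolver validates.
            # The "ad" flag additionally tells the client the answer
            # was authenticated; without it, validation still happened
            # but the client cannot see that from the response.
            case " $ok_flags " in
                *" ad "*) echo validating ;;
                *)        echo validating-no-ad ;;
            esac ;;
        NOERROR/NOERROR)
            # Bogus name answered normally: no validation at all.
            echo not-validating ;;
        *)
            # sigok itself failed: resolver misconfigured or unreachable.
            echo broken ;;
    esac
}

# check_resolver ADDRESS: run both test queries against one resolver.
# Run it once per configured resolver; a secondary resolver without
# validation undermines a validating primary (see the text above).
check_resolver() {
    resolver=$1
    ok_out=$(dig +noall +comments sigok.verteiltesysteme.net "@$resolver")
    fail_out=$(dig +noall +comments sigfail.verteiltesysteme.net "@$resolver")
    ok_status=$(printf '%s\n' "$ok_out" | dig_status)
    ok_flags=$(printf '%s\n' "$ok_out" | dig_flags)
    fail_status=$(printf '%s\n' "$fail_out" | dig_status)
    printf '%s: %s\n' "$resolver" "$(classify "$ok_status" "$ok_flags" "$fail_status")"
}

# Usage: sh dnssec-check.sh 127.0.0.1 [more resolver addresses...]
for r in "$@"; do
    check_resolver "$r"
done
```

Run it against every resolver listed in /etc/resolv.conf (or whatever your system uses); the result is only trustworthy if each one reports "validating", since the operating system will silently fall back to any non-validating secondary.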
The map shows the ratio of validating clients per country, collected from October 2014 to March 2015. Some older result sets of the measurement (anonymized) are available for public download.
These tests use slightly different mechanics. Most users should get the same result on all tests, but in some cases there may be discrepancies. If you get different results, drop us a note with your IP address and we'll be glad to analyze our logs.
Thanks to Jan-Piet, Zekah and Stefan for providing valuable feedback.
Matthäus Wander <matthaeus.wander(at)uni-due.de>