====== DNSSEC ======

  * https://dnsinstitute.com/documentation/dnssec-guide/dnssec-guide.html
  * https://www.cloudflare.com/de-de/dns/dnssec/how-dnssec-works/
  * [[https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj200221(v=ws.11)|Overview of DNSSEC]]
  * https://metebalci.com/blog/a-short-practical-tutorial-of-dig-dns-and-dnssec/
  * https://www.denic.de/wissen/dnssec
  * <code>
dig example.com. +multiline +dnssec                    # get A and RRSIG record for the domain
dig @1.1.1.1 example.com. +multiline +dnssec +trace    # trace no longer works with 8.8.8.8
</code>

===== Testing =====

==== Domain: ====

  * https://dnsviz.net/ -- Visualizes the (DNSSEC) status of a domain
  * https://dnssec-debugger.verisignlabs.com/
  * https://internet.nl/connection
  * Checking a domain's DS and DNSKEY: <code>
dig @8.8.8.8 example.com. DS                               # KSK key-id must match between DS and DNSKEY
dig @8.8.8.8 example.com. DNSKEY +dnssec +cd +multiline    # multiline prints key algorithm and id
</code>

==== Resolver: ====

  * https://wander.science/projects/dns/dnssec-resolver-test/
  * https://cmdns.dev.dns-oarc.net/
  * <code>
dig sigok.ippacket.stream        # should return an A record
dig sigfail.ippacket.stream      # should return a SERVFAIL
dig sigfail.ippacket.stream +cd  # (check disabled - should return an A record)
</code>

Information on testing:

  * https://developers.cloudflare.com/dns/dnssec/troubleshooting/
  * [[https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/|How to test and validate DNSSEC using dig]]
  * https://serverfault.com/questions/154016/querying-and-verifying-dnssec
  * https://dnsinstitute.com/documentation/dnssec-guide/ch03s02.html
  * https://learn.microsoft.com/en-us/windows-server/networking/dns/validate-dnssec-responses

===== Operation: =====

  * https://kb.isc.org/docs/aa-00994 -- Using Response Rate Limiting
  * [[https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/CERT-Bund-Reports/HowTo/Offene-DNS-Resolver/Offene-DNS-Resolver.html|BSI - Open Resolvers]]
  * https://www.cymru.com/Documents/secure-bind-template.html
  * https://hackviser.com/tactics/hardening/bind9

===== Troubleshooting =====

  * https://dnsinstitute.com/documentation/dnssec-guide/ch05s04.html
  * https://developers.cloudflare.com/dns/dnssec/troubleshooting/
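
The DS/DNSKEY comparison from the Testing section ("KSK key-id must match between DS and DNSKEY") can be reproduced offline. The following is an added example, not part of the original notes: it computes the key id that dig prints (RFC 4034, Appendix B) and the SHA-256 DS digest from the DNSKEY fields. The key bytes are constructed placeholders and all function names are chosen for this example.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Pack the four DNSKEY fields, as dig prints them, into wire-format RDATA."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag (dig's 'key id') per RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(ds, owner, rdata):
    """ds = (key_tag, algorithm, digest_type, digest_hex) as shown by 'dig ... DS'."""
    tag, alg, dtype, digest = ds
    return (dtype == 2 and tag == key_tag(rdata) and alg == rdata[3]
            and digest.replace(" ", "").upper() == ds_digest(owner, rdata))

# Constructed sample data: 64 placeholder bytes, not a real key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()
KSK = dnskey_rdata(257, 3, 13, SAMPLE_KEY_B64)  # flags 257 = KSK, alg 13
DS = (key_tag(KSK), 13, 2, ds_digest("example.com.", KSK))

if __name__ == "__main__":
    print("key id:", key_tag(KSK))
    print("DS matches KSK:", ds_matches(DS, "example.com.", KSK))
    # A different key at the same name must not satisfy the parent's DS.
    other = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(64)).decode())
    print("DS matches other key:", ds_matches(DS, "example.com.", other))
```

To check a real zone, pass the flags, protocol, algorithm and Base64 key from the DNSKEY answer to `dnskey_rdata` and the four DS fields to `ds_matches`.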