To test and validate DNSSEC using the dig command line, you can use the +dnssec option to check the DNSSEC status of a domain. Here’s an example:
dig +dnssec example.com
This will return the DNS record for the domain example.com along with the DNSSEC-related information such as the RRSIG, DNSKEY, and DS records.
To validate the DNSSEC signature, you can use the +sigchase option. This will recursively check all DNSSEC signatures of all records in the response and validate them.
dig +sigchase example.com
You can also use the +multi option to check multiple DNS servers for DNSSEC validation.
dig +dnssec +multi +sigchase example.com @8.8.8.8
You should see a status of “secure” or “insecure” in the dig output, indicating the DNSSEC validation status. If the query fails to validate, the status will be “bogus”.
Note: on some distributions you may need to install the dnsutils package (or the equivalent bind-utils package) to get the dig command.
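A few caveats a practitioner should know before relying on the commands above: dig never prints the literal words "secure", "insecure" or "bogus". What a validating resolver gives you is the "ad" (authenticated data) flag in the ";; flags:" header line for a secure answer, no "ad" flag for an unsigned (insecure) answer, and SERVFAIL for an answer whose signatures fail to validate; re-running the same query with +cd (checking disabled) returns the data and confirms the failure is a validation failure rather than a resolver outage. The @8.8.8.8 argument selects which resolver is asked, so a resolver that does not validate will never set "ad"; +multi only prints long records such as DNSKEY and RRSIG across several lines, and +sigchase has been removed from modern BIND releases (delv is its replacement). The script below is an added example, not code from the original page: it builds the dig command lines, parses dig's header and answer sections, and classifies the result into secure / insecure / bogus. The sample dig outputs it checks are constructed inline (the RRSIG signature data is a placeholder, 192.0.2.1 is a documentation address) so it runs offline; run_dig is the only function that needs dig and network access.

```python
"""Classify DNSSEC validation state from dig output (added example, not from the page)."""
import re
import subprocess

# ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711"
STATUS_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (\w+)", re.M)
# ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, ..."
FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)
# An RRSIG record in the answer section, e.g. "example.com. 3600 IN RRSIG A 13 ..."
RRSIG_RE = re.compile(r"^\S+\s+\d+\s+IN\s+RRSIG\b", re.M)


def dig_command(name, server=None, cd=False):
    """Build the argv for a DNSSEC-aware dig query; cd=True adds +cd (checking disabled)."""
    argv = ["dig", "+dnssec"]
    if cd:
        argv.append("+cd")
    argv.append(name)
    if server:
        argv.append("@" + server)
    return argv


def run_dig(name, server=None, cd=False):
    """Run dig for real and return its stdout (needs dig installed and network access)."""
    proc = subprocess.run(dig_command(name, server, cd), capture_output=True, text=True, check=False)
    return proc.stdout


def parse_dig(text):
    """Extract the rcode, the header flags and whether any RRSIG was returned."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "has_rrsig": RRSIG_RE.search(text) is not None,
    }


def classify(output, cd_output=None):
    """secure: answer with "ad" set; insecure: answer without "ad";
    bogus: SERVFAIL that turns into an answer once validation is disabled with +cd."""
    info = parse_dig(output)
    if info["status"] in ("NOERROR", "NXDOMAIN"):
        return "secure" if "ad" in info["flags"] else "insecure"
    if info["status"] == "SERVFAIL":
        if cd_output is not None and parse_dig(cd_output)["status"] in ("NOERROR", "NXDOMAIN"):
            return "bogus"
        return "servfail"  # re-query with +cd to tell bogus data from a resolver failure
    return "unknown"


def constructed_dig_output(status, flags, answer=()):
    """Build a minimal dig-style response for offline testing (constructed, not captured)."""
    lines = [
        "; <<>> DiG 9.18.0 <<>> +dnssec example.com",
        ";; Got answer:",
        f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4711",
        f";; flags: {flags}; QUERY: 1, ANSWER: {len(answer)}, AUTHORITY: 0, ADDITIONAL: 1",
        "",
        ";; OPT PSEUDOSECTION:",
        "; EDNS: version: 0, flags: do; udp: 1232",
        ";; QUESTION SECTION:",
        ";example.com.\t\t\tIN\tA",
        "",
    ]
    if answer:
        lines.append(";; ANSWER SECTION:")
        lines.extend(answer)
    return "\n".join(lines) + "\n"


# Constructed sample records; the RRSIG signature field is a base64 placeholder.
A_RR = "example.com.\t3600\tIN\tA\t192.0.2.1"
RRSIG_RR = ("example.com.\t3600\tIN\tRRSIG\tA 13 2 3600 20240201000000 20240101000000 "
            "4711 example.com. cGxhY2Vob2xkZXItc2lnbmF0dXJl")

SECURE = constructed_dig_output("NOERROR", "qr rd ra ad", [A_RR, RRSIG_RR])
INSECURE = constructed_dig_output("NOERROR", "qr rd ra", [A_RR])
BOGUS = constructed_dig_output("SERVFAIL", "qr rd ra")
BOGUS_CD = constructed_dig_output("NOERROR", "qr rd ra cd", [A_RR, RRSIG_RR])  # same query with +cd

if __name__ == "__main__":
    print("secure sample  :", classify(SECURE))
    print("insecure sample:", classify(INSECURE))
    print("bogus sample   :", classify(BOGUS, BOGUS_CD))
    print("command line   :", " ".join(dig_command("example.com", "8.8.8.8")))
```

To check a live domain, feed run_dig("example.com", "8.8.8.8") and, on SERVFAIL, run_dig("example.com", "8.8.8.8", cd=True) into classify; if the resolver you query does not validate, every signed zone will look "insecure" because "ad" is never set, so pick a validating resolver first.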