python - Do all DNS root servers and top-level-domain servers (TLD) support DNSSEC?

Question

I know that DNSSEC has been widely implemented since 2010. For Authority name servers, it depends on the admin whether he wants to support DNSSEC or not. However, I would like to know whether or not all root name servers, and all TLD servers support DNSSEC?

How can I use tool like dnspython or dig to check DNSSEC support at root name servers, and TLD servers, or I do not need to check because all of them support DNSSEC already?

Answer 1

所有根服务器？是的。

所有 TLD 服务器？不可以。所有新gTLD（自 2013 年以来推出的）都必须具有 DNSSEC，但 ccTLD 没有这样的保证。

检查特定服务器是否处理 DNSSEC 的一种方法是向其发送一个带有DO标志集的查询，请求DNSKEY该服务器对其具有权威性的域的 RRset。如果响应包含RRSIG记录，则服务器会适当地处理 DNSSEC。如果您想要实现测试的详细信息和/或 Perl 代码，请参见此处。