To make the result clearer, find a domain name with DNSSEC signature (paypal.com), a DNS server supporting DNSSEC (4.2.2.4) and a DNS server not supporting DNSSEC (114.6438+014.338+06538+0438).
The query results of 4.2.2.4 supporting DNSSEC are as follows.
root@OpenWrt:~#? Dig? paypal.com? +dnssec? @4.2.2.4
; ? & lt& lt& gt& gt? Dig? 9.9.4? & lt& lt& gt& gt? paypal.com? +dnssec? @4.2.2.4
; ; ? Global? Options:? +cmd
; ; ? Understand? Answer:
; ; ? -& gt; & gt title & lt& lt-? Opcode:? Inquiry,? Status:? That's right. id:? 48979
; ; ? Flag:? qr? rd? ra; ? Query:? 1,? Answer:? 3,? Authority:? 0,? Additional:? 1
; ; ? OPT? Pseudo-section:
; ? EDNS:? Version:? 0,? Flag:? Do; ? udp:? 4096
; ; ? Question? Part:
; paypal.com.IN? A
; ; ? Answer? Part:
paypal.com? 293? Are you online? a 66.2 1 1. 169.3
paypal.com? 293? Are you online? a 66.2 1 1. 169.66
paypal.com? 293? Are you online? RRSIGA? 5? 2? 300? 20 140728 175 1 19? 20 140628 172604? 1 18 1 1? paypal.com? ka 3j 7 cslbuizirh 7 ytkj 7 eubzpace 7 jmr 6 m2 wursncq/dfjb 9 JL 0 18OZ? 6 i3 bzzsyqss 2 jw 9 tmvzmkxrlh 3 CMT 5 JC 1 bni 6 q 9 ub 46 dlpjjoamxq 1 rq? ss 37 MB 4 blk 8 DD 4 rxljmehh 19+kg 8 xxxe 8 igywlm 7 tkyayijvdxbt 80 te? vgg=
; ; ? Inquiry? Time:? 224? Millisecond (millisecond)
; ; ? Server:? 4.2.2.4#53(4.2.2.4)
; ; ? When:? Tuesday? July? 15? 2 1:49:25? CST? 20 14
; ; ? MSG? Size? rcvd:? 24 1 uses114.16.5438+04.16.5438, and the query results are as follows:
root@OpenWrt:~#? Dig? paypal.com? +dnssec? @ 1 14. 1 14. 1 14. 1 14
; ? & lt& lt& gt& gt? Dig? 9.9.4? & lt& lt& gt& gt? paypal.com? +dnssec? @ 1 14. 1 14. 1 14. 1 14
; ; ? Global? Options:? +cmd
; ; ? Understand? Answer:
; ; ? -& gt; & gt title & lt& lt-? Opcode:? Inquiry,? Status:? That's right. id:? 127 17
; ; ? Flag:? qr? rd? ra; ? Query:? 1,? Answer:? 2,? Authority:? 0,? Additional:? 0
; ; ? Question? Part:
; paypal.com.IN? A
; ; ? Answer? Part:
paypal.com? 300? Are you online? a 66.2 1 1. 169.3
paypal.com? 300? Are you online? a 66.2 1 1. 169.66
; ; ? Inquiry? Time:? 577? Millisecond (millisecond)
; ; ? Server:? 1 14. 1 14. 1 14. 1 14#53( 1 14. 1 14. 1 14. 1 14)
; ; ? When:? Tuesday? July? 15? 2 1:49:57? CST? 20 14
; ; ? MSG? Size? rcvd:? As you can see, the server supporting DNSSEC returned a long string of RRSIG (resource record signature), which is a very important data signature of DNSSEC.
Servers that don't support DNSSEC don't return this information at all, so it's easy to tell whether a DNS server supports DNSSEC.
However, at present, there are very few domain names with DNSSEC signatures. Generally, some foreign government domain names are available, of course, paypal is also available, and it is rare in China.
If the domain name itself is not configured with dnssec signature, then no matter what kind of DNS server you use to query DNSSEC data, the result is the same.