This is a DNSSEC enabled domain name
This is one of the three example domain names setup by HKIRC for testing the effect of DNSSEC validation. The three domain names are:
Depending on the DNS resolver that you are using, the expected results of accessing these example domain names will be different. They are illustrated in the table below.
| disabled.dnssec.hkirc.hk | enabled.dnssec.hkirc.hk | failed.dnssec.hkirc.hk | |
|---|---|---|---|
| DNSSEC validating resolver | OK |
OK |
Not OK |
| Resolver not perform dnssec validation (or misconfigured validating resolver) |
OK |
OK |
OK |
You can see this page because:
- Your DNS resolver is a DNSSEC validating resolver, or
- Your DNS resolver is not a DNSSEC validating resolver.
What's happening under the hood:
As either DNSSEC validating or non-validating resolver will return records, webpage will remain reachable. Becuase:
When dig this domain name from any dnssec validating resolver, response will come with AD (Authentic Data) flag which indicate that this answer should be authoritative.
When dig this domain name from resolvers which do not perform dnssec validation, response will still returned but with no AD flag which indicate that this answer is not authoritative (cannot tell whether its spoofing resposne or not)
