// LookupDNSSEC sends the provided DNS message to a randomly chosen server (see // ExchangeOne) with DNSSEC enabled. If the lookup fails, this method sends a // clarification query to determine if it's because DNSSEC was invalid or just // a run-of-the-mill error. If it's because of DNSSEC, it returns ErrorDNSSEC. func (dnsResolver *DNSResolver) LookupDNSSEC(m *dns.Msg) (*dns.Msg, time.Duration, error) { // Set DNSSEC OK bit m.SetEdns0(4096, true) r, rtt, err := dnsResolver.ExchangeOne(m) if err != nil { return r, rtt, err } if r.Rcode != dns.RcodeSuccess && r.Rcode != dns.RcodeNameError && r.Rcode != dns.RcodeNXRrset { if r.Rcode == dns.RcodeServerFailure { // Re-send query with +cd to see if SERVFAIL was caused by DNSSEC // validation failure at the resolver m.CheckingDisabled = true checkR, _, err := dnsResolver.ExchangeOne(m) if err != nil { return r, rtt, err } if checkR.Rcode != dns.RcodeServerFailure { // DNSSEC error, so we return the testable object. err = DNSSECError{} return r, rtt, err } } err = fmt.Errorf("Invalid response code: %d-%s", r.Rcode, dns.RcodeToString[r.Rcode]) return r, rtt, err } return r, rtt, err }