Back to Verisign Labs Tools
Domain Name: Detail: more(+) / less(-) Time: 2024-02-29 06:07:50 UTC

Analyzing DNSSEC problems for bogus.d1a5n1.rootcanary.net

.
Found 2 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
net
Found 1 DS records for net in the . zone
DS=37331/SHA-256 has algorithm ECDSAP256SHA256
Found 1 RRSIGs over DS RRset
RRSIG=30903 and DNSKEY=30903 verifies the DS RRset
Found 2 DNSKEY records for net
DS=37331/SHA-256 verifies DNSKEY=37331/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=37331 and DNSKEY=37331/SEP verifies the DNSKEY RRset
rootcanary.net
Found 1 DS records for rootcanary.net in the net zone
DS=64786/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=34730 and DNSKEY=34730 verifies the DS RRset
Found 2 DNSKEY records for rootcanary.net
DS=64786/SHA-256 verifies DNSKEY=64786/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=64786 and DNSKEY=64786/SEP verifies the DNSKEY RRset
ns1.zurich.surf.net is authoritative for bogus.d1a5n1.rootcanary.net
d1a5n1.rootcanary.net
Found 1 DS records for d1a5n1.rootcanary.net in the rootcanary.net zone
DS=14998/SHA-1 uses a deprecated digest algorithm
DS=14998/SHA-1 has algorithm RSASHA1
Found 1 RRSIGs over DS RRset
RRSIG=25188 and DNSKEY=25188 verifies the DS RRset
Found 1 DNSKEY records for d1a5n1.rootcanary.net
DS=14998/SHA-1 verifies DNSKEY=14998/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=14998 and DNSKEY=14998/SEP verifies the DNSKEY RRset
sec2.rcode0.net is authoritative for bogus.d1a5n1.rootcanary.net
bogus.d1a5n1.rootcanary.net A RR has value 145.97.20.20
Found 1 RRSIGs over A RRset
RRSIG=14998 and DNSKEY=14998/SEP does not verify the A RRset (signature verification failed)
None of the 1 RRSIG and 1 DNSKEY records validate the A RRset
The A RRset was not signed by any trusted keys
d1a5n1.rootcanary.net
sec1.rcode0.net is authoritative for bogus.d1a5n1.rootcanary.net
bogus.d1a5n1.rootcanary.net A RR has value 145.97.20.20
Found 1 RRSIGs over A RRset
RRSIG=14998 and DNSKEY=14998/SEP does not verify the A RRset (signature verification failed)
None of the 1 RRSIG and 1 DNSKEY records validate the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test bogus.d1a5n1.rootcanary.net at dnsviz.net.

DNSSEC Debugger

↓ Advanced options