DNSSEC Debugger - bogus.d1a8n3.rootcanary.net

Domain Name:

Time: 2026-03-25 12:09:29 UTC

Analyzing DNSSEC problems for bogus.d1a8n3.rootcanary.net

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to a.root-servers.net for ./DNSKEY
	Received 1414 bytes from 198.41.0.4
	;; Response received from [198.41.0.4] 1414 octets ;; HEADER SECTION ;; id = 8261 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 5 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (5 records) . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN DNSKEY ( 256 3 8 AwEAAb5dDYffpgAJ8VUGLwQtWXPlQWsjIFJtCM00/XaKU+8ln+ofah3q2KxEIjvzQg+nqdxRj+8e mtPne1mtYcbFWP4Q9E+DniOJLK09R05FuzvGbrG7DDdRDUX/cedFdV7O8pFEAYpJqYNR9BCTIAV9 73DO2biauKSA31b7I2lK/woxoR1tf5cqJ4SMbJUviuHicAEoUi2ATswloZNWd5T5thmEFZnxFx7D 5UgKCY7oflS7+GU7dNJwEtmFnWYVETHN0kHXVz6aguouaAZp706YXNIoR/iTgQhmsR7XX+wL0Z8Q M2LxQIyU6vRZ06IyuJMGRMiwkSuGElbumyBt12JZbrU= ) ; keytag 54393 . 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20260412000000 20260322000000 20326 . YJgCBpeAL7jQEYIpS6icQm/XxIy+DU5PNrAT61ive9t9bpx8YsZgKf13hlkg48EvTMjINiG0r8PJ j1SiVDpZizGDdz+7+ipByzsLS7qHj6DviI4GYErjVnXZs3LESvZE/LhSFxyafLjNs9M9elLqEY10 fB4e+L3dDwu0hFR/fTOcYq4euNXE9X46/PANxFWple8XU1L53cnxD0VtQvlkG12thsIKmvMAJ0PH CoWuuYVGS/OSbDxsAHqHEBfqDLD3qjOp5mXA7wguiePv/lPBF963xkfWwpkdFVa/LxlUFu2P/q9G 9lDQ/XvTqfghEQU4v8NBbmrA10HTVs6pVNiGLw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 4 DNSKEY records for .
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAb5dDYffpgAJ8VUGLwQtWXPlQWsjIFJtCM00/XaKU+8ln+ofah3q2KxEIjvzQg+nqdxRj+8e mtPne1mtYcbFWP4Q9E+DniOJLK09R05FuzvGbrG7DDdRDUX/cedFdV7O8pFEAYpJqYNR9BCTIAV9 73DO2biauKSA31b7I2lK/woxoR1tf5cqJ4SMbJUviuHicAEoUi2ATswloZNWd5T5thmEFZnxFx7D 5UgKCY7oflS7+GU7dNJwEtmFnWYVETHN0kHXVz6aguouaAZp706YXNIoR/iTgQhmsR7XX+wL0Z8Q M2LxQIyU6vRZ06IyuJMGRMiwkSuGElbumyBt12JZbrU= ) ; keytag 54393`
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20260412000000 20260322000000 20326 . YJgCBpeAL7jQEYIpS6icQm/XxIy+DU5PNrAT61ive9t9bpx8YsZgKf13hlkg48EvTMjINiG0r8PJ j1SiVDpZizGDdz+7+ipByzsLS7qHj6DviI4GYErjVnXZs3LESvZE/LhSFxyafLjNs9M9elLqEY10 fB4e+L3dDwu0hFR/fTOcYq4euNXE9X46/PANxFWple8XU1L53cnxD0VtQvlkG12thsIKmvMAJ0PH CoWuuYVGS/OSbDxsAHqHEBfqDLD3qjOp5mXA7wguiePv/lPBF963xkfWwpkdFVa/LxlUFu2P/q9G 9lDQ/XvTqfghEQU4v8NBbmrA10HTVs6pVNiGLw== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=54393 is now in the chain-of-trust
	DNSKEY=21831 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	Query to a.root-servers.net for bogus.d1a8n3.rootcanary.net/A
	Received 1184 bytes from 198.41.0.4
	;; Response received from [198.41.0.4] 1184 octets ;; HEADER SECTION ;; id = 63002 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 15 arcount = 27 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (15 records) net. 172800 IN NS m.gtld-servers.net. net. 172800 IN NS k.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. net. 172800 IN NS f.gtld-servers.net. net. 172800 IN NS d.gtld-servers.net. net. 172800 IN NS h.gtld-servers.net. net. 172800 IN NS j.gtld-servers.net. net. 172800 IN NS l.gtld-servers.net. net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS e.gtld-servers.net. net. 172800 IN NS c.gtld-servers.net. net. 172800 IN NS g.gtld-servers.net. net. 172800 IN NS i.gtld-servers.net. net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b ) net. 86400 IN RRSIG ( DS 8 1 86400 20260407050000 20260325040000 21831 . UJHsnZ0PSZ34JWO+0gqFzATMxonFr3QmmQw9DyUhxNon30USoCw1RZcEka90ZKeMMoShBNagHg4J 1c/uEpA4e41Eo2Y58ogdi+6yBtFiRxxvGb5HTAzYsimSXmOBfaCuEiU1QeA8IkZnhB45cZFYfmWZ d7ibuTLdeAGLpD65VoD6XopXbCiFHPfDaLx8G5X7aPcPvE54SnqSbFvm3naefBH1LU7OC8nHHPn2 MxXHuQve6pxtaDLxOQEyBdOIvuGvYbNAsch7cHlmx4/5+DSP9m+01ggvZHWaMoOabmDopFovOjKS 3+TV2+xb/2CBZkQ2iRlOqGHzNfkU/x3S4L4zaQ== ) ;; ADDITIONAL SECTION (27 records) m.gtld-servers.net. 172800 IN A 192.55.83.30 m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30 k.gtld-servers.net. 172800 IN A 192.52.178.30 k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30 b.gtld-servers.net. 172800 IN A 192.33.14.30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 f.gtld-servers.net. 172800 IN A 192.35.51.30 f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30 d.gtld-servers.net. 172800 IN A 192.31.80.30 d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30 h.gtld-servers.net. 172800 IN A 192.54.112.30 h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30 j.gtld-servers.net. 172800 IN A 192.48.79.30 j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30 l.gtld-servers.net. 172800 IN A 192.41.162.30 l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30 a.gtld-servers.net. 172800 IN A 192.5.6.30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 e.gtld-servers.net. 172800 IN A 192.12.94.30 e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30 c.gtld-servers.net. 172800 IN A 192.26.92.30 c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30 g.gtld-servers.net. 172800 IN A 192.42.93.30 g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30 i.gtld-servers.net. 172800 IN A 192.43.172.30 i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30 ;; { "EDNS-VERSION": 0 }
	Query to e.root-servers.net for net/DNSKEY
	Received 1160 bytes from 192.203.230.10
	;; Response received from [192.203.230.10] 1160 octets ;; HEADER SECTION ;; id = 46752 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 15 arcount = 27 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1472, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (15 records) net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. net. 172800 IN NS c.gtld-servers.net. net. 172800 IN NS d.gtld-servers.net. net. 172800 IN NS e.gtld-servers.net. net. 172800 IN NS f.gtld-servers.net. net. 172800 IN NS g.gtld-servers.net. net. 172800 IN NS h.gtld-servers.net. net. 172800 IN NS i.gtld-servers.net. net. 172800 IN NS j.gtld-servers.net. net. 172800 IN NS k.gtld-servers.net. net. 172800 IN NS l.gtld-servers.net. net. 172800 IN NS m.gtld-servers.net. net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b ) net. 86400 IN RRSIG ( DS 8 1 86400 20260407050000 20260325040000 21831 . UJHsnZ0PSZ34JWO+0gqFzATMxonFr3QmmQw9DyUhxNon30USoCw1RZcEka90ZKeMMoShBNagHg4J 1c/uEpA4e41Eo2Y58ogdi+6yBtFiRxxvGb5HTAzYsimSXmOBfaCuEiU1QeA8IkZnhB45cZFYfmWZ d7ibuTLdeAGLpD65VoD6XopXbCiFHPfDaLx8G5X7aPcPvE54SnqSbFvm3naefBH1LU7OC8nHHPn2 MxXHuQve6pxtaDLxOQEyBdOIvuGvYbNAsch7cHlmx4/5+DSP9m+01ggvZHWaMoOabmDopFovOjKS 3+TV2+xb/2CBZkQ2iRlOqGHzNfkU/x3S4L4zaQ== ) ;; ADDITIONAL SECTION (27 records) a.gtld-servers.net. 172800 IN A 192.5.6.30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 b.gtld-servers.net. 172800 IN A 192.33.14.30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 c.gtld-servers.net. 172800 IN A 192.26.92.30 c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30 d.gtld-servers.net. 172800 IN A 192.31.80.30 d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30 e.gtld-servers.net. 172800 IN A 192.12.94.30 e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30 f.gtld-servers.net. 172800 IN A 192.35.51.30 f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30 g.gtld-servers.net. 172800 IN A 192.42.93.30 g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30 h.gtld-servers.net. 172800 IN A 192.54.112.30 h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30 i.gtld-servers.net. 172800 IN A 192.43.172.30 i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30 j.gtld-servers.net. 172800 IN A 192.48.79.30 j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30 k.gtld-servers.net. 172800 IN A 192.52.178.30 k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30 l.gtld-servers.net. 172800 IN A 192.41.162.30 l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30 m.gtld-servers.net. 172800 IN A 192.55.83.30 m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30 ;; { "EDNS-VERSION": 0 }
	Found child zone net

net

	Checking DS between . and net
	Query to e.root-servers.net for net/DS
	Received 367 bytes from 192.203.230.10
	;; Response received from [192.203.230.10] 367 octets ;; HEADER SECTION ;; id = 20248 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1472, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; net. IN DS ;; ANSWER SECTION (2 records) net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b ) net. 86400 IN RRSIG ( DS 8 1 86400 20260407050000 20260325040000 21831 . UJHsnZ0PSZ34JWO+0gqFzATMxonFr3QmmQw9DyUhxNon30USoCw1RZcEka90ZKeMMoShBNagHg4J 1c/uEpA4e41Eo2Y58ogdi+6yBtFiRxxvGb5HTAzYsimSXmOBfaCuEiU1QeA8IkZnhB45cZFYfmWZ d7ibuTLdeAGLpD65VoD6XopXbCiFHPfDaLx8G5X7aPcPvE54SnqSbFvm3naefBH1LU7OC8nHHPn2 MxXHuQve6pxtaDLxOQEyBdOIvuGvYbNAsch7cHlmx4/5+DSP9m+01ggvZHWaMoOabmDopFovOjKS 3+TV2+xb/2CBZkQ2iRlOqGHzNfkU/x3S4L4zaQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for net in the . zone
	DS=37331/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`net. 86400 IN RRSIG ( DS 8 1 86400 20260407050000 20260325040000 21831 . UJHsnZ0PSZ34JWO+0gqFzATMxonFr3QmmQw9DyUhxNon30USoCw1RZcEka90ZKeMMoShBNagHg4J 1c/uEpA4e41Eo2Y58ogdi+6yBtFiRxxvGb5HTAzYsimSXmOBfaCuEiU1QeA8IkZnhB45cZFYfmWZ d7ibuTLdeAGLpD65VoD6XopXbCiFHPfDaLx8G5X7aPcPvE54SnqSbFvm3naefBH1LU7OC8nHHPn2 MxXHuQve6pxtaDLxOQEyBdOIvuGvYbNAsch7cHlmx4/5+DSP9m+01ggvZHWaMoOabmDopFovOjKS 3+TV2+xb/2CBZkQ2iRlOqGHzNfkU/x3S4L4zaQ== )`
	RRSIG=21831 and DNSKEY=21831 verifies the DS RRset
	DS=37331/SHA-256 is now in the chain-of-trust
	`net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b )`
	Query to g.gtld-servers.net for net/DNSKEY
	Received 291 bytes from 192.42.93.30
	;; Response received from [192.42.93.30] 291 octets ;; HEADER SECTION ;; id = 25463 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; net. IN DNSKEY ;; ANSWER SECTION (3 records) net. 86400 IN DNSKEY ( 257 3 13 HiBoGpzDRAgrDmUXXTSnl7jCX6Hx5bzkU2jSxMbVI01yS+13EyOghnCidBXU0bH2gi2w9GhYGacp U6CrtwoFNg== ) ; keytag 37331 net. 86400 IN DNSKEY ( 256 3 13 BN7nE5EGXvYfX/r9qihm5MU9BR6KTHLb/TcRXIXZcCwDj24ftYx+nRW6ca9/wHZ3NnOZ5uSG/GRE drzpVVepUg== ) ; keytag 44109 net. 86400 IN RRSIG ( DNSKEY 13 1 86400 20260402141035 20260318140535 37331 net. ER1v/gYlILSRiGiC54DSsqPiEbZRU0mcyf1AZ4ACM2pWGT+W+IJiBx3eac29o6wYfOKt0bwSABkY PTetvx1rgA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for net
	`net. 86400 IN DNSKEY ( 257 3 13 HiBoGpzDRAgrDmUXXTSnl7jCX6Hx5bzkU2jSxMbVI01yS+13EyOghnCidBXU0bH2gi2w9GhYGacp U6CrtwoFNg== ) ; keytag 37331`
	`net. 86400 IN DNSKEY ( 256 3 13 BN7nE5EGXvYfX/r9qihm5MU9BR6KTHLb/TcRXIXZcCwDj24ftYx+nRW6ca9/wHZ3NnOZ5uSG/GRE drzpVVepUg== ) ; keytag 44109`
	DNSKEY=37331/SEP is now in the chain-of-trust
	DS=37331/SHA-256 verifies DNSKEY=37331/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`net. 86400 IN RRSIG ( DNSKEY 13 1 86400 20260402141035 20260318140535 37331 net. ER1v/gYlILSRiGiC54DSsqPiEbZRU0mcyf1AZ4ACM2pWGT+W+IJiBx3eac29o6wYfOKt0bwSABkY PTetvx1rgA== )`
	RRSIG=37331 and DNSKEY=37331/SEP verifies the DNSKEY RRset
	DNSKEY=44109 is now in the chain-of-trust
	Query to e.gtld-servers.net for bogus.d1a8n3.rootcanary.net/A
	Received 341 bytes from 192.12.94.30
	;; Response received from [192.12.94.30] 341 octets ;; HEADER SECTION ;; id = 11094 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 3 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) rootcanary.net. 172800 IN NS ns1.surfnet.nl. rootcanary.net. 172800 IN NS ns2.surfnet.nl. rootcanary.net. 172800 IN NS ns3.surfnet.nl. rootcanary.net. 172800 IN NS ns1.zurich.surf.net. rootcanary.net. 86400 IN DS ( 64786 8 2 5cd8f125f5487708121a497bd0b1079406add42002b3c195ee0669d2aeb763c9 ) rootcanary.net. 86400 IN RRSIG ( DS 13 2 86400 20260331032320 20260324021320 44109 net. QqFPBrLr0rvBoBwxs/njmW7PQARefq6xsSIRPmtfwzoRaLEaYDpdFO0zw7ss1OUK6UaqzQ1Tkbx3 LwrO4vOWtw== ) ;; ADDITIONAL SECTION (3 records) ns1.zurich.surf.net. 172800 IN A 195.176.255.9 ns1.zurich.surf.net. 172800 IN AAAA 2001:620:0:9::1103 ;; { "EDNS-VERSION": 0 }
	Query to e.gtld-servers.net for rootcanary.net/DNSKEY
	Received 328 bytes from 192.12.94.30
	;; Response received from [192.12.94.30] 328 octets ;; HEADER SECTION ;; id = 8124 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 3 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; rootcanary.net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) rootcanary.net. 172800 IN NS ns1.surfnet.nl. rootcanary.net. 172800 IN NS ns2.surfnet.nl. rootcanary.net. 172800 IN NS ns3.surfnet.nl. rootcanary.net. 172800 IN NS ns1.zurich.surf.net. rootcanary.net. 86400 IN DS ( 64786 8 2 5cd8f125f5487708121a497bd0b1079406add42002b3c195ee0669d2aeb763c9 ) rootcanary.net. 86400 IN RRSIG ( DS 13 2 86400 20260331032320 20260324021320 44109 net. QqFPBrLr0rvBoBwxs/njmW7PQARefq6xsSIRPmtfwzoRaLEaYDpdFO0zw7ss1OUK6UaqzQ1Tkbx3 LwrO4vOWtw== ) ;; ADDITIONAL SECTION (3 records) ns1.zurich.surf.net. 172800 IN A 195.176.255.9 ns1.zurich.surf.net. 172800 IN AAAA 2001:620:0:9::1103 ;; { "EDNS-VERSION": 0 }
	Found child zone rootcanary.net

rootcanary.net

	Checking DS between net and rootcanary.net
	Query to l.gtld-servers.net for rootcanary.net/DS
	Received 1082 bytes from 192.41.162.30
	;; Response received from [192.41.162.30] 1082 octets ;; HEADER SECTION ;; id = 9771 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 14 arcount = 27 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; rootcanary.net. IN DS ;; ANSWER SECTION (2 records) rootcanary.net. 86400 IN DS ( 64786 8 2 5cd8f125f5487708121a497bd0b1079406add42002b3c195ee0669d2aeb763c9 ) rootcanary.net. 86400 IN RRSIG ( DS 13 2 86400 20260331032320 20260324021320 44109 net. QqFPBrLr0rvBoBwxs/njmW7PQARefq6xsSIRPmtfwzoRaLEaYDpdFO0zw7ss1OUK6UaqzQ1Tkbx3 LwrO4vOWtw== ) ;; AUTHORITY SECTION (14 records) net. 172800 IN NS k.gtld-servers.net. net. 172800 IN NS h.gtld-servers.net. net. 172800 IN NS g.gtld-servers.net. net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS i.gtld-servers.net. net. 172800 IN NS d.gtld-servers.net. net. 172800 IN NS l.gtld-servers.net. net. 172800 IN NS f.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. net. 172800 IN NS e.gtld-servers.net. net. 172800 IN NS m.gtld-servers.net. net. 172800 IN NS c.gtld-servers.net. net. 172800 IN NS j.gtld-servers.net. net. 172800 IN RRSIG ( NS 13 1 172800 20260329045829 20260322034829 44109 net. nzAdLvZ6qpPh34vDpsMQht54fuI11lm6bLfrgYT4y3OgAMwJbo3ESLMyiZ4OFQVSBD9irnHRce3e Glv8oXnbog== ) ;; ADDITIONAL SECTION (27 records) k.gtld-servers.net. 172800 IN A 192.52.178.30 k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30 h.gtld-servers.net. 172800 IN A 192.54.112.30 h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30 g.gtld-servers.net. 172800 IN A 192.42.93.30 g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30 a.gtld-servers.net. 172800 IN A 192.5.6.30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 i.gtld-servers.net. 172800 IN A 192.43.172.30 i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30 d.gtld-servers.net. 172800 IN A 192.31.80.30 d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30 l.gtld-servers.net. 172800 IN A 192.41.162.30 l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30 f.gtld-servers.net. 172800 IN A 192.35.51.30 f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30 b.gtld-servers.net. 172800 IN A 192.33.14.30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 e.gtld-servers.net. 172800 IN A 192.12.94.30 e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30 m.gtld-servers.net. 172800 IN A 192.55.83.30 m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30 c.gtld-servers.net. 172800 IN A 192.26.92.30 c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30 j.gtld-servers.net. 172800 IN A 192.48.79.30 j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30 ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for rootcanary.net in the net zone
	DS=64786/SHA-256 has algorithm RSASHA256
	Found 1 RRSIGs over DS RRset
	`rootcanary.net. 86400 IN RRSIG ( DS 13 2 86400 20260331032320 20260324021320 44109 net. QqFPBrLr0rvBoBwxs/njmW7PQARefq6xsSIRPmtfwzoRaLEaYDpdFO0zw7ss1OUK6UaqzQ1Tkbx3 LwrO4vOWtw== )`
	RRSIG=44109 and DNSKEY=44109 verifies the DS RRset
	DS=64786/SHA-256 is now in the chain-of-trust
	`rootcanary.net. 86400 IN DS ( 64786 8 2 5cd8f125f5487708121a497bd0b1079406add42002b3c195ee0669d2aeb763c9 )`
	Query to ns1.surfnet.nl for rootcanary.net/DNSKEY
	Received 513 bytes from 192.87.106.101
	;; Response received from [192.87.106.101] 513 octets ;; HEADER SECTION ;; id = 49264 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; rootcanary.net. IN DNSKEY ;; ANSWER SECTION (3 records) rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAdDk0xPx74/+J4BFAtodd6j2yTDoX9D+paSjzxVl+jMQmrsrQprdBxX3fale9f62j4oo7scf U+wabBXl56lehbw/wds6oVqDNun9ORQisXhIq9H+u3a9WtTAF+OQyPoSirRLYdNR7+wWvb88L27w 88+jL0gkFb8klGzr03EFrq6r ) ; keytag 64786 rootcanary.net. 60 IN DNSKEY ( 256 3 8 AwEAAbTt2EpLNxL2BJh6zgrhiEBK1sfxYPvEQgQkM1O53+lnT+c8W+9lYMhI1m2mLwecKvq7ePok 5d1XO11UKUXV5pRD9d66qXLwDxMJ4krEMlOvmMS/HWskybkREtMdPdcv5eNdtuT8VeCPTGZuoNe2 oEK4NFSUU5eG0pkWo27Kl3oV ) ; keytag 25188 rootcanary.net. 60 IN RRSIG ( DNSKEY 8 2 60 20260509073704 20260324073704 64786 rootcanary.net. FlEt7fOmo4YBlYDX/6yRD8DcKYUkUj54Vk4yRow2I3DTYrC++GZQP8DCETHghsa1GC3mdEZJk7iw GaCWHhKi+hwIvU5BivB7VdY4IflB0LXU+DGYsB6DrdhVV8qb8+rSRn8dFpHnJWU/R2RN5c+AMnyy PtDcKHNLueXqSeW1pxU= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for rootcanary.net
	`rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAdDk0xPx74/+J4BFAtodd6j2yTDoX9D+paSjzxVl+jMQmrsrQprdBxX3fale9f62j4oo7scf U+wabBXl56lehbw/wds6oVqDNun9ORQisXhIq9H+u3a9WtTAF+OQyPoSirRLYdNR7+wWvb88L27w 88+jL0gkFb8klGzr03EFrq6r ) ; keytag 64786`
	`rootcanary.net. 60 IN DNSKEY ( 256 3 8 AwEAAbTt2EpLNxL2BJh6zgrhiEBK1sfxYPvEQgQkM1O53+lnT+c8W+9lYMhI1m2mLwecKvq7ePok 5d1XO11UKUXV5pRD9d66qXLwDxMJ4krEMlOvmMS/HWskybkREtMdPdcv5eNdtuT8VeCPTGZuoNe2 oEK4NFSUU5eG0pkWo27Kl3oV ) ; keytag 25188`
	DNSKEY=64786/SEP is now in the chain-of-trust
	DS=64786/SHA-256 verifies DNSKEY=64786/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`rootcanary.net. 60 IN RRSIG ( DNSKEY 8 2 60 20260509073704 20260324073704 64786 rootcanary.net. FlEt7fOmo4YBlYDX/6yRD8DcKYUkUj54Vk4yRow2I3DTYrC++GZQP8DCETHghsa1GC3mdEZJk7iw GaCWHhKi+hwIvU5BivB7VdY4IflB0LXU+DGYsB6DrdhVV8qb8+rSRn8dFpHnJWU/R2RN5c+AMnyy PtDcKHNLueXqSeW1pxU= )`
	RRSIG=64786 and DNSKEY=64786/SEP verifies the DNSKEY RRset
	DNSKEY=25188 is now in the chain-of-trust
	Query to ns3.surfnet.nl for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 195.169.124.71
	;; Response received from [195.169.124.71] 253 octets ;; HEADER SECTION ;; id = 29586 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. evya9suoo1bvQntvF9RE/+IPONdmEJFgwt/bvagT3/utEIXc3TfIoieqWhpFvl9wppvAWaHBTkuI IdUERTpVs13ua0gZzPIhtTe/tUL6IKCA/VhrRpGletc8I7qnMd/UAMPXVOHHOjRjgh1lbDyIiu9N IFhylKTQjjKlUZ/aQhk= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns3.surfnet.nl is authoritative for bogus.d1a8n3.rootcanary.net
	Query to ns3.surfnet.nl for d1a8n3.rootcanary.net/DNSKEY
	Received 379 bytes from 195.169.124.71
	;; Response received from [195.169.124.71] 379 octets ;; HEADER SECTION ;; id = 23999 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (2 records) d1a8n3.rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAbVGNyLCx4rjLBSg5mmtf9jsZNliMZnaynGCZCNDet/XxKvGnIi/3LHAhXznX3Xl6SWa9EAB 4QNV/MNH/uHJXRs34grBHYmJ6U9Xk5/PWrFcopxYSl4t3FFVpVHdg0t9Aalso5OBlMedERX3QYq7 dseUoO62nnx8VnB9mmPMSVjP ) ; keytag 29230 d1a8n3.rootcanary.net. 60 IN RRSIG ( DNSKEY 8 3 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. k88PPPxPJ6V97TEcRdtgIPPShBdX37NVEi9U8NEgDcUBhAFL5oM7wFRrbTRPRSCM0WpwNmlZfs2c 5aQCnzj+hxQk0MQqPSE73/ivv4EXUzspN4k48Bi4NTGnWUwspNMEQDESiNqpK6LZtzhS2IcwqJDh RKPJKAmimtuXdTCORWc= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone d1a8n3.rootcanary.net
	Attempting to learn nameservers for d1a8n3.rootcanary.net
	Query to ns2.surfnet.nl for d1a8n3.rootcanary.net/NS
	Received 279 bytes from 192.87.36.2
	;; Response received from [192.87.36.2] 279 octets ;; HEADER SECTION ;; id = 43543 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN NS ;; ANSWER SECTION (3 records) d1a8n3.rootcanary.net. 60 IN NS sec2.rcode0.net. d1a8n3.rootcanary.net. 60 IN NS sec1.rcode0.net. d1a8n3.rootcanary.net. 60 IN RRSIG ( NS 8 3 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. A2tJftt/vPNj5PFKjC5omnz7rS+tSDpQZMWWxBsFMlvh2al3RZ/cFCdEqaoI4Ldb2bUa7J2Qd1QE H1SgW2UHdnSzNW+cLfZAWoGLZlSsAdDBMgmWNOtNw0at6IMPivXiLtzpcVXiIsbnoa9b7i6+Xmbg I6dr2K2qRBFgnLvxgQQ= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found d1a8n3.rootcanary.net nameservers: sec2.rcode0.net, sec1.rcode0.net

d1a8n3.rootcanary.net

	Checking DS between rootcanary.net and d1a8n3.rootcanary.net
	Query to ns1.surfnet.nl for d1a8n3.rootcanary.net/DS
	Received 260 bytes from 192.87.106.101
	;; Response received from [192.87.106.101] 260 octets ;; HEADER SECTION ;; id = 47059 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN DS ;; ANSWER SECTION (2 records) d1a8n3.rootcanary.net. 60 IN DS ( 29230 8 1 77a32079c4d287b1437c2a8128b1269d486bd241 ) d1a8n3.rootcanary.net. 60 IN RRSIG ( DS 8 3 60 20260509073704 20260324073704 25188 rootcanary.net. LXkN/Qyn+8R0ytcUBr7l+I/IMyJQrSj1hUKfBr0INY74p/ChLGaMng9Q4d8GMzaKnnUDz0zNjuAN u4ezjtBul3TYPIs5t8RDLXfde2PZ/I+OD9JZ2l/u45fYLemYIgaFhIq88eKq4sLWrqyzyi2sS6+2 mlhYsw5A918Utz9/wV0= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for d1a8n3.rootcanary.net in the rootcanary.net zone
	DS=29230/SHA-1 uses a deprecated digest algorithm
	DS=29230/SHA-1 has algorithm RSASHA256
	Found 1 RRSIGs over DS RRset
	`d1a8n3.rootcanary.net. 60 IN RRSIG ( DS 8 3 60 20260509073704 20260324073704 25188 rootcanary.net. LXkN/Qyn+8R0ytcUBr7l+I/IMyJQrSj1hUKfBr0INY74p/ChLGaMng9Q4d8GMzaKnnUDz0zNjuAN u4ezjtBul3TYPIs5t8RDLXfde2PZ/I+OD9JZ2l/u45fYLemYIgaFhIq88eKq4sLWrqyzyi2sS6+2 mlhYsw5A918Utz9/wV0= )`
	RRSIG=25188 and DNSKEY=25188 verifies the DS RRset
	DS=29230/SHA-1 is now in the chain-of-trust
	`d1a8n3.rootcanary.net. 60 IN DS ( 29230 8 1 77a32079c4d287b1437c2a8128b1269d486bd241 )`
	Query to sec1.rcode0.net for d1a8n3.rootcanary.net/DNSKEY
	Received 379 bytes from 192.174.68.100
	;; Response received from [192.174.68.100] 379 octets ;; HEADER SECTION ;; id = 21483 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (2 records) d1a8n3.rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAbVGNyLCx4rjLBSg5mmtf9jsZNliMZnaynGCZCNDet/XxKvGnIi/3LHAhXznX3Xl6SWa9EAB 4QNV/MNH/uHJXRs34grBHYmJ6U9Xk5/PWrFcopxYSl4t3FFVpVHdg0t9Aalso5OBlMedERX3QYq7 dseUoO62nnx8VnB9mmPMSVjP ) ; keytag 29230 d1a8n3.rootcanary.net. 60 IN RRSIG ( DNSKEY 8 3 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. k88PPPxPJ6V97TEcRdtgIPPShBdX37NVEi9U8NEgDcUBhAFL5oM7wFRrbTRPRSCM0WpwNmlZfs2c 5aQCnzj+hxQk0MQqPSE73/ivv4EXUzspN4k48Bi4NTGnWUwspNMEQDESiNqpK6LZtzhS2IcwqJDh RKPJKAmimtuXdTCORWc= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DNSKEY records for d1a8n3.rootcanary.net
	`d1a8n3.rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAbVGNyLCx4rjLBSg5mmtf9jsZNliMZnaynGCZCNDet/XxKvGnIi/3LHAhXznX3Xl6SWa9EAB 4QNV/MNH/uHJXRs34grBHYmJ6U9Xk5/PWrFcopxYSl4t3FFVpVHdg0t9Aalso5OBlMedERX3QYq7 dseUoO62nnx8VnB9mmPMSVjP ) ; keytag 29230`
	DNSKEY=29230/SEP is now in the chain-of-trust
	DS=29230/SHA-1 verifies DNSKEY=29230/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`d1a8n3.rootcanary.net. 60 IN RRSIG ( DNSKEY 8 3 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. k88PPPxPJ6V97TEcRdtgIPPShBdX37NVEi9U8NEgDcUBhAFL5oM7wFRrbTRPRSCM0WpwNmlZfs2c 5aQCnzj+hxQk0MQqPSE73/ivv4EXUzspN4k48Bi4NTGnWUwspNMEQDESiNqpK6LZtzhS2IcwqJDh RKPJKAmimtuXdTCORWc= )`
	RRSIG=29230 and DNSKEY=29230/SEP verifies the DNSKEY RRset
	Query to sec1.rcode0.net for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 192.174.68.100
	;; Response received from [192.174.68.100] 253 octets ;; HEADER SECTION ;; id = 30515 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. evya9suoo1bvQntvF9RE/+IPONdmEJFgwt/bvagT3/utEIXc3TfIoieqWhpFvl9wppvAWaHBTkuI IdUERTpVs13ua0gZzPIhtTe/tUL6IKCA/VhrRpGletc8I7qnMd/UAMPXVOHHOjRjgh1lbDyIiu9N IFhylKTQjjKlUZ/aQhk= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sec1.rcode0.net is authoritative for bogus.d1a8n3.rootcanary.net
	Query to sec2.rcode0.net for bogus.d1a8n3.rootcanary.net/DNSKEY
	Received 558 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 558 octets ;; HEADER SECTION ;; id = 13953 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) d1a8n3.rootcanary.net. 60 IN SOA ( ns1.surfnet.nl. dns-beheer.surfnet.nl. 2026032506 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 86400 ;minimum ) d1a8n3.rootcanary.net. 60 IN RRSIG ( SOA 8 3 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. tBXUKAXcAjJp+sx6l/yYYvs9eMk3w9tOjNKRAz2bQCvk0SRhP2W31k2lISMao6d+6htEWLGiPdRV 9YW7OygwdGjGfUten7QFnO8TAR3vPSKgmw9OG2yjNxvVa4IIO53nFs6pbUYqHqwSNTF1abI5TUUj PqqospJFr87F/9kqbko= ) qkr6mvl7ugqkf3nftsdnhfsk12om0aer.d1a8n3.rootcanary.net. 60 IN NSEC3 ( 1 0 1 - usv8njc8ut47o1la1a0v6eb832u3na29 A AAAA RRSIG ) qkr6mvl7ugqkf3nftsdnhfsk12om0aer.d1a8n3.rootcanary.net. 60 IN RRSIG ( NSEC3 8 4 86400 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. c/6wqUl5/W0azGGjRyRDnLdP4SaqyUfE5Y5da0OA0VFgt08j3L6KRgRbXqapRXYbX8a5eYxFgNDP l1z1Z/CIfMxSr3hIfWGiYgXGlXNVdtvKzbdLEYRov376V5iIrfHqqdrOqPYNbOtbcHMq+c674E9h 2T3daKJUAG3MayP6wNs= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found RRSIG signed by d1a8n3.rootcanary.net zone
	Query to sec2.rcode0.net for d1a8n3.rootcanary.net/SOA
	Received 292 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 292 octets ;; HEADER SECTION ;; id = 52584 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN SOA ;; ANSWER SECTION (2 records) d1a8n3.rootcanary.net. 60 IN SOA ( ns1.surfnet.nl. dns-beheer.surfnet.nl. 2026032506 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 86400 ;minimum ) d1a8n3.rootcanary.net. 60 IN RRSIG ( SOA 8 3 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. tBXUKAXcAjJp+sx6l/yYYvs9eMk3w9tOjNKRAz2bQCvk0SRhP2W31k2lISMao6d+6htEWLGiPdRV 9YW7OygwdGjGfUten7QFnO8TAR3vPSKgmw9OG2yjNxvVa4IIO53nFs6pbUYqHqwSNTF1abI5TUUj PqqospJFr87F/9kqbko= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to sec1.rcode0.net for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 192.174.68.100
	;; Response received from [192.174.68.100] 253 octets ;; HEADER SECTION ;; id = 13539 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. evya9suoo1bvQntvF9RE/+IPONdmEJFgwt/bvagT3/utEIXc3TfIoieqWhpFvl9wppvAWaHBTkuI IdUERTpVs13ua0gZzPIhtTe/tUL6IKCA/VhrRpGletc8I7qnMd/UAMPXVOHHOjRjgh1lbDyIiu9N IFhylKTQjjKlUZ/aQhk= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	bogus.d1a8n3.rootcanary.net A RR has value 145.97.20.20
	Found 1 RRSIGs over A RRset
	`bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. evya9suoo1bvQntvF9RE/+IPONdmEJFgwt/bvagT3/utEIXc3TfIoieqWhpFvl9wppvAWaHBTkuI IdUERTpVs13ua0gZzPIhtTe/tUL6IKCA/VhrRpGletc8I7qnMd/UAMPXVOHHOjRjgh1lbDyIiu9N IFhylKTQjjKlUZ/aQhk= )`
	RRSIG=29230 and DNSKEY=29230/SEP does not verify the A RRset (signature verification failed)
	None of the 1 RRSIG and 1 DNSKEY records validate the A RRset
	The A RRset was not signed by any trusted keys

d1a8n3.rootcanary.net

	Query to sec2.rcode0.net for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 253 octets ;; HEADER SECTION ;; id = 32122 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. evya9suoo1bvQntvF9RE/+IPONdmEJFgwt/bvagT3/utEIXc3TfIoieqWhpFvl9wppvAWaHBTkuI IdUERTpVs13ua0gZzPIhtTe/tUL6IKCA/VhrRpGletc8I7qnMd/UAMPXVOHHOjRjgh1lbDyIiu9N IFhylKTQjjKlUZ/aQhk= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sec2.rcode0.net is authoritative for bogus.d1a8n3.rootcanary.net
	Query to sec2.rcode0.net for bogus.d1a8n3.rootcanary.net/DNSKEY
	Received 558 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 558 octets ;; HEADER SECTION ;; id = 7605 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) d1a8n3.rootcanary.net. 60 IN SOA ( ns1.surfnet.nl. dns-beheer.surfnet.nl. 2026032506 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 86400 ;minimum ) d1a8n3.rootcanary.net. 60 IN RRSIG ( SOA 8 3 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. tBXUKAXcAjJp+sx6l/yYYvs9eMk3w9tOjNKRAz2bQCvk0SRhP2W31k2lISMao6d+6htEWLGiPdRV 9YW7OygwdGjGfUten7QFnO8TAR3vPSKgmw9OG2yjNxvVa4IIO53nFs6pbUYqHqwSNTF1abI5TUUj PqqospJFr87F/9kqbko= ) qkr6mvl7ugqkf3nftsdnhfsk12om0aer.d1a8n3.rootcanary.net. 60 IN NSEC3 ( 1 0 1 - usv8njc8ut47o1la1a0v6eb832u3na29 A AAAA RRSIG ) qkr6mvl7ugqkf3nftsdnhfsk12om0aer.d1a8n3.rootcanary.net. 60 IN RRSIG ( NSEC3 8 4 86400 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. c/6wqUl5/W0azGGjRyRDnLdP4SaqyUfE5Y5da0OA0VFgt08j3L6KRgRbXqapRXYbX8a5eYxFgNDP l1z1Z/CIfMxSr3hIfWGiYgXGlXNVdtvKzbdLEYRov376V5iIrfHqqdrOqPYNbOtbcHMq+c674E9h 2T3daKJUAG3MayP6wNs= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found RRSIG signed by d1a8n3.rootcanary.net zone
	Query to sec2.rcode0.net for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 253 octets ;; HEADER SECTION ;; id = 11885 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. evya9suoo1bvQntvF9RE/+IPONdmEJFgwt/bvagT3/utEIXc3TfIoieqWhpFvl9wppvAWaHBTkuI IdUERTpVs13ua0gZzPIhtTe/tUL6IKCA/VhrRpGletc8I7qnMd/UAMPXVOHHOjRjgh1lbDyIiu9N IFhylKTQjjKlUZ/aQhk= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	bogus.d1a8n3.rootcanary.net A RR has value 145.97.20.20
	Found 1 RRSIGs over A RRset
	`bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260509073704 20260324073704 29230 d1a8n3.rootcanary.net. evya9suoo1bvQntvF9RE/+IPONdmEJFgwt/bvagT3/utEIXc3TfIoieqWhpFvl9wppvAWaHBTkuI IdUERTpVs13ua0gZzPIhtTe/tUL6IKCA/VhrRpGletc8I7qnMd/UAMPXVOHHOjRjgh1lbDyIiu9N IFhylKTQjjKlUZ/aQhk= )`
	RRSIG=29230 and DNSKEY=29230/SEP does not verify the A RRset (signature verification failed)
	None of the 1 RRSIG and 1 DNSKEY records validate the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test bogus.d1a8n3.rootcanary.net at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: