DNSSEC Debugger - bogus.d1a8n3.rootcanary.net

Domain Name:

Time: 2025-12-25 08:55:59 UTC

Analyzing DNSSEC problems for bogus.d1a8n3.rootcanary.net

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to g.root-servers.net for ./DNSKEY
	Received 1417 bytes from 192.112.36.4
	;; Response received from [192.112.36.4] 1417 octets ;; HEADER SECTION ;; id = 12023 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 5 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (5 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN DNSKEY ( 256 3 8 AwEAAeuS7hMRZ7muj1c/ew2DoavxkBw3jUG5R79pKVDI39fxvlD1HfJYGJERnXuV4SrQfUPzWw/l t5Axb0EqXL/sQ2ZyntVmwQwoSXi2l9smlIKh2UrkTmmozRCPe7GS4fZTE4Ew7AV4YprTLgVmxiGP 4unRuXkYOgQJXCIBpVCmEdUli6X2sm0i5ZilU/Q+rX3RDw+eYPP7K0cJnJ+ZnvQDy14+BFtreWl9 enNQljgGpBp26lEp1z7AbvUfzkQNVCVGaM8jEaCSALXiROlwCQMOdj+tpLXFf99kdJnTQw2cpEr1 uGs/yENAJpoGhbjZAoIkXzDUBSlfFeYz7FWzH6gIe7M= ) ; keytag 61809 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20260110000000 20251220000000 20326 . RZO5FQjtg6Yk0Dara521nCUfYnQxCLAVdbC+buKQVAKlHsZ6srxXHNAL8DMoHohT+PyIlPFAQMb5 fBZatrDaqxpZZ/YbC0A2zxGxOwuOPb1xRbqi6E3zSKfilTRuAux5jN0KYbZZhFxda62e9Hv+2GJs MLixTpiV3RVXtxENI2GPRA8mRRJPBDR7XVQF/2Pz+vjcAW07dp27CrNmQPyZtVjSgw49Jz1rSsAm +EEKO6C7KLG5hmENQr165D3YjMWCs93YhTY8bhWYVqeDtsB1BwoEWkMqSFs4I4+uMd14BHvO6mlq zOZyWC+3kXYTpoAlE0kFhKNv1i54wgHRB+paqw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 4 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAeuS7hMRZ7muj1c/ew2DoavxkBw3jUG5R79pKVDI39fxvlD1HfJYGJERnXuV4SrQfUPzWw/l t5Axb0EqXL/sQ2ZyntVmwQwoSXi2l9smlIKh2UrkTmmozRCPe7GS4fZTE4Ew7AV4YprTLgVmxiGP 4unRuXkYOgQJXCIBpVCmEdUli6X2sm0i5ZilU/Q+rX3RDw+eYPP7K0cJnJ+ZnvQDy14+BFtreWl9 enNQljgGpBp26lEp1z7AbvUfzkQNVCVGaM8jEaCSALXiROlwCQMOdj+tpLXFf99kdJnTQw2cpEr1 uGs/yENAJpoGhbjZAoIkXzDUBSlfFeYz7FWzH6gIe7M= ) ; keytag 61809`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20260110000000 20251220000000 20326 . RZO5FQjtg6Yk0Dara521nCUfYnQxCLAVdbC+buKQVAKlHsZ6srxXHNAL8DMoHohT+PyIlPFAQMb5 fBZatrDaqxpZZ/YbC0A2zxGxOwuOPb1xRbqi6E3zSKfilTRuAux5jN0KYbZZhFxda62e9Hv+2GJs MLixTpiV3RVXtxENI2GPRA8mRRJPBDR7XVQF/2Pz+vjcAW07dp27CrNmQPyZtVjSgw49Jz1rSsAm +EEKO6C7KLG5hmENQr165D3YjMWCs93YhTY8bhWYVqeDtsB1BwoEWkMqSFs4I4+uMd14BHvO6mlq zOZyWC+3kXYTpoAlE0kFhKNv1i54wgHRB+paqw== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=21831 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	DNSKEY=61809 is now in the chain-of-trust
	Query to b.root-servers.net for bogus.d1a8n3.rootcanary.net/A
	Received 1184 bytes from 170.247.170.2
	;; Response received from [170.247.170.2] 1184 octets ;; HEADER SECTION ;; id = 40067 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 15 arcount = 27 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (15 records) net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. net. 172800 IN NS c.gtld-servers.net. net. 172800 IN NS d.gtld-servers.net. net. 172800 IN NS e.gtld-servers.net. net. 172800 IN NS f.gtld-servers.net. net. 172800 IN NS g.gtld-servers.net. net. 172800 IN NS h.gtld-servers.net. net. 172800 IN NS i.gtld-servers.net. net. 172800 IN NS j.gtld-servers.net. net. 172800 IN NS k.gtld-servers.net. net. 172800 IN NS l.gtld-servers.net. net. 172800 IN NS m.gtld-servers.net. net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b ) net. 86400 IN RRSIG ( DS 8 1 86400 20260107050000 20251225040000 61809 . H5t6QVRDK4uUNqeKgkp6xqGDYIVq1q6kDMKVO9OtqpIcHWPmk9ysmLv6AFO04D+nVPWqYwy8Lhmf TfScrrZ0VFREOfjDskv17FZk6aPF6y+Xg7hjAZwG/yF76XztMpLwZTOHkEJhzB4aX2NIbgbsi8JR Cnb3vWahyt0CoIzP3SBZJCzrr6aoddWOqyaKkXXroTwqVI7aR/ek0WA3tS+iNw8Aoc7Ci+l1ynLm NFpUo4Drx/HTflmNAejdIiLxaHLgTPN5SrvC0bHc9rtSvXpIevqimo6TI7sEWi5rtCwNojgBL4O4 xjX0PIcP+UMAqPOq6PosFih+9suSzA5bFiragQ== ) ;; ADDITIONAL SECTION (27 records) a.gtld-servers.net. 172800 IN A 192.5.6.30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 b.gtld-servers.net. 172800 IN A 192.33.14.30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 c.gtld-servers.net. 172800 IN A 192.26.92.30 c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30 d.gtld-servers.net. 172800 IN A 192.31.80.30 d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30 e.gtld-servers.net. 172800 IN A 192.12.94.30 e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30 f.gtld-servers.net. 172800 IN A 192.35.51.30 f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30 g.gtld-servers.net. 172800 IN A 192.42.93.30 g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30 h.gtld-servers.net. 172800 IN A 192.54.112.30 h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30 i.gtld-servers.net. 172800 IN A 192.43.172.30 i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30 j.gtld-servers.net. 172800 IN A 192.48.79.30 j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30 k.gtld-servers.net. 172800 IN A 192.52.178.30 k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30 l.gtld-servers.net. 172800 IN A 192.41.162.30 l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30 m.gtld-servers.net. 172800 IN A 192.55.83.30 m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30 ;; { "EDNS-VERSION": 0 }
	Query to f.root-servers.net for net/DNSKEY
	Received 1160 bytes from 192.5.5.241
	;; Response received from [192.5.5.241] 1160 octets ;; HEADER SECTION ;; id = 49452 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 15 arcount = 27 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1472, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (15 records) net. 172800 IN NS a.gtld-servers.net. net. 172800 IN NS b.gtld-servers.net. net. 172800 IN NS c.gtld-servers.net. net. 172800 IN NS d.gtld-servers.net. net. 172800 IN NS e.gtld-servers.net. net. 172800 IN NS f.gtld-servers.net. net. 172800 IN NS g.gtld-servers.net. net. 172800 IN NS h.gtld-servers.net. net. 172800 IN NS i.gtld-servers.net. net. 172800 IN NS j.gtld-servers.net. net. 172800 IN NS k.gtld-servers.net. net. 172800 IN NS l.gtld-servers.net. net. 172800 IN NS m.gtld-servers.net. net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b ) net. 86400 IN RRSIG ( DS 8 1 86400 20260107050000 20251225040000 61809 . H5t6QVRDK4uUNqeKgkp6xqGDYIVq1q6kDMKVO9OtqpIcHWPmk9ysmLv6AFO04D+nVPWqYwy8Lhmf TfScrrZ0VFREOfjDskv17FZk6aPF6y+Xg7hjAZwG/yF76XztMpLwZTOHkEJhzB4aX2NIbgbsi8JR Cnb3vWahyt0CoIzP3SBZJCzrr6aoddWOqyaKkXXroTwqVI7aR/ek0WA3tS+iNw8Aoc7Ci+l1ynLm NFpUo4Drx/HTflmNAejdIiLxaHLgTPN5SrvC0bHc9rtSvXpIevqimo6TI7sEWi5rtCwNojgBL4O4 xjX0PIcP+UMAqPOq6PosFih+9suSzA5bFiragQ== ) ;; ADDITIONAL SECTION (27 records) a.gtld-servers.net. 172800 IN A 192.5.6.30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 b.gtld-servers.net. 172800 IN A 192.33.14.30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 c.gtld-servers.net. 172800 IN A 192.26.92.30 c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30 d.gtld-servers.net. 172800 IN A 192.31.80.30 d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30 e.gtld-servers.net. 172800 IN A 192.12.94.30 e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30 f.gtld-servers.net. 172800 IN A 192.35.51.30 f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30 g.gtld-servers.net. 172800 IN A 192.42.93.30 g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30 h.gtld-servers.net. 172800 IN A 192.54.112.30 h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30 i.gtld-servers.net. 172800 IN A 192.43.172.30 i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30 j.gtld-servers.net. 172800 IN A 192.48.79.30 j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30 k.gtld-servers.net. 172800 IN A 192.52.178.30 k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30 l.gtld-servers.net. 172800 IN A 192.41.162.30 l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30 m.gtld-servers.net. 172800 IN A 192.55.83.30 m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30 ;; { "EDNS-VERSION": 0 }
	Found child zone net

net

	Checking DS between . and net
	Query to b.root-servers.net for net/DS
	Received 367 bytes from 170.247.170.2
	;; Response received from [170.247.170.2] 367 octets ;; HEADER SECTION ;; id = 8173 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; net. IN DS ;; ANSWER SECTION (2 records) net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b ) net. 86400 IN RRSIG ( DS 8 1 86400 20260107050000 20251225040000 61809 . H5t6QVRDK4uUNqeKgkp6xqGDYIVq1q6kDMKVO9OtqpIcHWPmk9ysmLv6AFO04D+nVPWqYwy8Lhmf TfScrrZ0VFREOfjDskv17FZk6aPF6y+Xg7hjAZwG/yF76XztMpLwZTOHkEJhzB4aX2NIbgbsi8JR Cnb3vWahyt0CoIzP3SBZJCzrr6aoddWOqyaKkXXroTwqVI7aR/ek0WA3tS+iNw8Aoc7Ci+l1ynLm NFpUo4Drx/HTflmNAejdIiLxaHLgTPN5SrvC0bHc9rtSvXpIevqimo6TI7sEWi5rtCwNojgBL4O4 xjX0PIcP+UMAqPOq6PosFih+9suSzA5bFiragQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for net in the . zone
	DS=37331/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`net. 86400 IN RRSIG ( DS 8 1 86400 20260107050000 20251225040000 61809 . H5t6QVRDK4uUNqeKgkp6xqGDYIVq1q6kDMKVO9OtqpIcHWPmk9ysmLv6AFO04D+nVPWqYwy8Lhmf TfScrrZ0VFREOfjDskv17FZk6aPF6y+Xg7hjAZwG/yF76XztMpLwZTOHkEJhzB4aX2NIbgbsi8JR Cnb3vWahyt0CoIzP3SBZJCzrr6aoddWOqyaKkXXroTwqVI7aR/ek0WA3tS+iNw8Aoc7Ci+l1ynLm NFpUo4Drx/HTflmNAejdIiLxaHLgTPN5SrvC0bHc9rtSvXpIevqimo6TI7sEWi5rtCwNojgBL4O4 xjX0PIcP+UMAqPOq6PosFih+9suSzA5bFiragQ== )`
	RRSIG=61809 and DNSKEY=61809 verifies the DS RRset
	DS=37331/SHA-256 is now in the chain-of-trust
	`net. 86400 IN DS ( 37331 13 2 2f0bec2d6f79dfbd1d08fd21a3af92d0e39a4b9ef1e3f4111fff282490da453b )`
	Query to h.gtld-servers.net for net/DNSKEY
	Received 291 bytes from 192.54.112.30
	;; Response received from [192.54.112.30] 291 octets ;; HEADER SECTION ;; id = 52309 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; net. IN DNSKEY ;; ANSWER SECTION (3 records) net. 86400 IN DNSKEY ( 257 3 13 HiBoGpzDRAgrDmUXXTSnl7jCX6Hx5bzkU2jSxMbVI01yS+13EyOghnCidBXU0bH2gi2w9GhYGacp U6CrtwoFNg== ) ; keytag 37331 net. 86400 IN DNSKEY ( 256 3 13 n1/xo9dFf3KM3jYGnOXOzhVK5LsgTqM4BnTeyBLml4GNNYgs/Wmr3YA8pvodMthc1wD4nH7wL5vY Tag4cROQJg== ) ; keytag 17133 net. 86400 IN RRSIG ( DNSKEY 13 1 86400 20260102151035 20251218150535 37331 net. ucIy1dlZW4mK5Trwaax95zIcx2AtX82RAKNzwabeynxr7qKRqMk9gvuUjIkMQfyZ6CWvRtFU86RO xUMocDWs4g== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for net
	`net. 86400 IN DNSKEY ( 257 3 13 HiBoGpzDRAgrDmUXXTSnl7jCX6Hx5bzkU2jSxMbVI01yS+13EyOghnCidBXU0bH2gi2w9GhYGacp U6CrtwoFNg== ) ; keytag 37331`
	`net. 86400 IN DNSKEY ( 256 3 13 n1/xo9dFf3KM3jYGnOXOzhVK5LsgTqM4BnTeyBLml4GNNYgs/Wmr3YA8pvodMthc1wD4nH7wL5vY Tag4cROQJg== ) ; keytag 17133`
	DNSKEY=37331/SEP is now in the chain-of-trust
	DS=37331/SHA-256 verifies DNSKEY=37331/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`net. 86400 IN RRSIG ( DNSKEY 13 1 86400 20260102151035 20251218150535 37331 net. ucIy1dlZW4mK5Trwaax95zIcx2AtX82RAKNzwabeynxr7qKRqMk9gvuUjIkMQfyZ6CWvRtFU86RO xUMocDWs4g== )`
	RRSIG=37331 and DNSKEY=37331/SEP verifies the DNSKEY RRset
	DNSKEY=17133 is now in the chain-of-trust
	Query to a.gtld-servers.net for bogus.d1a8n3.rootcanary.net/A
	Received 551 bytes from 192.5.6.30
	;; Response received from [192.5.6.30] 551 octets ;; HEADER SECTION ;; id = 25441 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 8 arcount = 3 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (8 records) rootcanary.net. 172800 IN NS ns1.surfnet.nl. rootcanary.net. 172800 IN NS ns2.surfnet.nl. rootcanary.net. 172800 IN NS ns3.surfnet.nl. rootcanary.net. 172800 IN NS ns1.zurich.surf.net. A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN NSEC3 ( 1 1 0 - a1rtlnpgulogn7b9a62shje1u3ttp8dr NS SOA RRSIG DNSKEY NSEC3PARAM ) A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN RRSIG ( NSEC3 13 2 900 20251229032639 20251222021639 17133 net. 6te1ZXQgmUMKUmlg4ubv/ti4nh+6DBWExwefyoNN9qnaKhLfYkKN/CovQJjCTYwVxtiClzd5PeIZ FvZrf7NCdg== ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN NSEC3 ( 1 1 0 - cq5j9mfqo7euvgh7flggm8tfo3fdsn4g NS DS RRSIG ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN RRSIG ( NSEC3 13 2 900 20260101031436 20251225020436 17133 net. +1/zuxz0eCYk66wYQskgvQMfrYneW61CeI8I/cCO9zEiLP3quAzMOt7vcxDoBqMCbVGCTQejjYqg MM+GnAaAhQ== ) ;; ADDITIONAL SECTION (3 records) ns1.zurich.surf.net. 172800 IN A 195.176.255.9 ns1.zurich.surf.net. 172800 IN AAAA 2001:620:0:9::1103 ;; { "EDNS-VERSION": 0 }
	Query to m.gtld-servers.net for rootcanary.net/DNSKEY
	Received 538 bytes from 192.55.83.30
	;; Response received from [192.55.83.30] 538 octets ;; HEADER SECTION ;; id = 40598 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 8 arcount = 3 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; rootcanary.net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (8 records) rootcanary.net. 172800 IN NS ns1.surfnet.nl. rootcanary.net. 172800 IN NS ns2.surfnet.nl. rootcanary.net. 172800 IN NS ns3.surfnet.nl. rootcanary.net. 172800 IN NS ns1.zurich.surf.net. A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN NSEC3 ( 1 1 0 - a1rtlnpgulogn7b9a62shje1u3ttp8dr NS SOA RRSIG DNSKEY NSEC3PARAM ) A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN RRSIG ( NSEC3 13 2 900 20251229032639 20251222021639 17133 net. 6te1ZXQgmUMKUmlg4ubv/ti4nh+6DBWExwefyoNN9qnaKhLfYkKN/CovQJjCTYwVxtiClzd5PeIZ FvZrf7NCdg== ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN NSEC3 ( 1 1 0 - cq5j9mfqo7euvgh7flggm8tfo3fdsn4g NS DS RRSIG ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN RRSIG ( NSEC3 13 2 900 20260101031436 20251225020436 17133 net. +1/zuxz0eCYk66wYQskgvQMfrYneW61CeI8I/cCO9zEiLP3quAzMOt7vcxDoBqMCbVGCTQejjYqg MM+GnAaAhQ== ) ;; ADDITIONAL SECTION (3 records) ns1.zurich.surf.net. 172800 IN A 195.176.255.9 ns1.zurich.surf.net. 172800 IN AAAA 2001:620:0:9::1103 ;; { "EDNS-VERSION": 0 }
	Found child zone rootcanary.net

rootcanary.net

	Checking DS between net and rootcanary.net
	Query to h.gtld-servers.net for rootcanary.net/DS
	Received 572 bytes from 192.54.112.30
	;; Response received from [192.54.112.30] 572 octets ;; HEADER SECTION ;; id = 5714 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; rootcanary.net. IN DS ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN NSEC3 ( 1 1 0 - a1rtlnpgulogn7b9a62shje1u3ttp8dr NS SOA RRSIG DNSKEY NSEC3PARAM ) A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. 900 IN RRSIG ( NSEC3 13 2 900 20251229032639 20251222021639 17133 net. 6te1ZXQgmUMKUmlg4ubv/ti4nh+6DBWExwefyoNN9qnaKhLfYkKN/CovQJjCTYwVxtiClzd5PeIZ FvZrf7NCdg== ) net. 900 IN SOA ( a.gtld-servers.net. nstld.verisign-grs.com. 1766652949 ;serial 1800 ;refresh 900 ;retry 604800 ;expire 900 ;minimum ) net. 900 IN RRSIG ( SOA 13 1 900 20260101085549 20251225074549 17133 net. wWB5OZtI2Zp59LFpdtScDhGml7gmYwkGYoRV+MvY32SZBY/mk8M1Gx0be/RWeWq7uXLBdOfVRWYl GgWILi3fAA== ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN NSEC3 ( 1 1 0 - cq5j9mfqo7euvgh7flggm8tfo3fdsn4g NS DS RRSIG ) CQ5HTP0ME4P4MO7NNICV2270QIRKGH9T.net. 900 IN RRSIG ( NSEC3 13 2 900 20260101031436 20251225020436 17133 net. +1/zuxz0eCYk66wYQskgvQMfrYneW61CeI8I/cCO9zEiLP3quAzMOt7vcxDoBqMCbVGCTQejjYqg MM+GnAaAhQ== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	No DS records found for rootcanary.net in the net zone
	Query to ns1.zurich.surf.net for rootcanary.net/DNSKEY
	Received 513 bytes from 195.176.255.9
	;; Response received from [195.176.255.9] 513 octets ;; HEADER SECTION ;; id = 4412 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; rootcanary.net. IN DNSKEY ;; ANSWER SECTION (3 records) rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAdDk0xPx74/+J4BFAtodd6j2yTDoX9D+paSjzxVl+jMQmrsrQprdBxX3fale9f62j4oo7scf U+wabBXl56lehbw/wds6oVqDNun9ORQisXhIq9H+u3a9WtTAF+OQyPoSirRLYdNR7+wWvb88L27w 88+jL0gkFb8klGzr03EFrq6r ) ; keytag 64786 rootcanary.net. 60 IN DNSKEY ( 256 3 8 AwEAAbTt2EpLNxL2BJh6zgrhiEBK1sfxYPvEQgQkM1O53+lnT+c8W+9lYMhI1m2mLwecKvq7ePok 5d1XO11UKUXV5pRD9d66qXLwDxMJ4krEMlOvmMS/HWskybkREtMdPdcv5eNdtuT8VeCPTGZuoNe2 oEK4NFSUU5eG0pkWo27Kl3oV ) ; keytag 25188 rootcanary.net. 60 IN RRSIG ( DNSKEY 8 2 60 20260207073705 20251223073705 64786 rootcanary.net. snYBOESZwMQeQ60JeyBYy1aL+rYQvQ08BUAKyIGkhY4Qvj3V+7f/tXMBEcyPe0bPQWk1bDNB69uB 1dYNAaZaMJnHqiFGkRjJLbHG/+Cs48P5x9mw3ux940xRvT25N+0O1Xt/hGS7pPQXUQuRNnRtsUpa 9QF7t4jgQHSWTCFzjZs= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for rootcanary.net
	`rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAdDk0xPx74/+J4BFAtodd6j2yTDoX9D+paSjzxVl+jMQmrsrQprdBxX3fale9f62j4oo7scf U+wabBXl56lehbw/wds6oVqDNun9ORQisXhIq9H+u3a9WtTAF+OQyPoSirRLYdNR7+wWvb88L27w 88+jL0gkFb8klGzr03EFrq6r ) ; keytag 64786`
	`rootcanary.net. 60 IN DNSKEY ( 256 3 8 AwEAAbTt2EpLNxL2BJh6zgrhiEBK1sfxYPvEQgQkM1O53+lnT+c8W+9lYMhI1m2mLwecKvq7ePok 5d1XO11UKUXV5pRD9d66qXLwDxMJ4krEMlOvmMS/HWskybkREtMdPdcv5eNdtuT8VeCPTGZuoNe2 oEK4NFSUU5eG0pkWo27Kl3oV ) ; keytag 25188`
	Found 1 RRSIGs over DNSKEY RRset
	`rootcanary.net. 60 IN RRSIG ( DNSKEY 8 2 60 20260207073705 20251223073705 64786 rootcanary.net. snYBOESZwMQeQ60JeyBYy1aL+rYQvQ08BUAKyIGkhY4Qvj3V+7f/tXMBEcyPe0bPQWk1bDNB69uB 1dYNAaZaMJnHqiFGkRjJLbHG/+Cs48P5x9mw3ux940xRvT25N+0O1Xt/hGS7pPQXUQuRNnRtsUpa 9QF7t4jgQHSWTCFzjZs= )`
	RRSIG=64786 and DNSKEY=64786/SEP verifies the DNSKEY RRset
	Query to ns2.surfnet.nl for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 192.87.36.2
	;; Response received from [192.87.36.2] 253 octets ;; HEADER SECTION ;; id = 46794 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. qNCvW8a2EVN60t9AR5GaR7FM+EfS/zcgmU1jAb2SkkHQXKLDu+zbmz1jqTVIa1+1UpJ732SS1Kvv jmnc0m7eeWd70ze1MqAI7nJwcsoi4i8TVBqVSVQqvrsEPHjmkUMhO/n9ufTkCULiFbwYeckhbR+T 4KlukNVjN7WnzAhNKNc= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns2.surfnet.nl is authoritative for bogus.d1a8n3.rootcanary.net
	Query to ns3.surfnet.nl for d1a8n3.rootcanary.net/DNSKEY
	Received 379 bytes from 195.169.124.71
	;; Response received from [195.169.124.71] 379 octets ;; HEADER SECTION ;; id = 49746 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (2 records) d1a8n3.rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAbVGNyLCx4rjLBSg5mmtf9jsZNliMZnaynGCZCNDet/XxKvGnIi/3LHAhXznX3Xl6SWa9EAB 4QNV/MNH/uHJXRs34grBHYmJ6U9Xk5/PWrFcopxYSl4t3FFVpVHdg0t9Aalso5OBlMedERX3QYq7 dseUoO62nnx8VnB9mmPMSVjP ) ; keytag 29230 d1a8n3.rootcanary.net. 60 IN RRSIG ( DNSKEY 8 3 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. M3PPMgsiQF8qaO6YFOayeGyT9vVPh+7FOP9Zi4VtoTiiPDiJz1MONc3lJ/b9rZXXP5NVyRA1T04v wUGCrB5LNpL1coJzGkNsk29EdB7SwnwfOYmRDlyRzdsabWDaL2rveWdEtiBnZTjgPBydHo6x3YuI q8ytin5/Afuzs5cpWmI= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone d1a8n3.rootcanary.net
	Attempting to learn nameservers for d1a8n3.rootcanary.net
	Query to ns1.zurich.surf.net for d1a8n3.rootcanary.net/NS
	Received 279 bytes from 195.176.255.9
	;; Response received from [195.176.255.9] 279 octets ;; HEADER SECTION ;; id = 31297 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN NS ;; ANSWER SECTION (3 records) d1a8n3.rootcanary.net. 60 IN NS sec1.rcode0.net. d1a8n3.rootcanary.net. 60 IN NS sec2.rcode0.net. d1a8n3.rootcanary.net. 60 IN RRSIG ( NS 8 3 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. HycZpotZfetBxgfrbuN3kKTT2ZOyT9d8bhxLo/ujlfVuxr01lGVqXmAS/Zdodt90Gw2aQgy5sEFJ 4sowkeiRLXOL/vMfPmM9tP7fSE732zUG0ijZOl/I8iIlr4A/KU84g3Mc7H6yXuQtxdm0hrpYeY+n Gxi/SWxgu3tECASRIz4= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found d1a8n3.rootcanary.net nameservers: sec1.rcode0.net, sec2.rcode0.net

d1a8n3.rootcanary.net

	Checking DS between rootcanary.net and d1a8n3.rootcanary.net
	Query to ns1.zurich.surf.net for d1a8n3.rootcanary.net/DS
	Received 260 bytes from 195.176.255.9
	;; Response received from [195.176.255.9] 260 octets ;; HEADER SECTION ;; id = 15838 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN DS ;; ANSWER SECTION (2 records) d1a8n3.rootcanary.net. 60 IN DS ( 29230 8 1 77a32079c4d287b1437c2a8128b1269d486bd241 ) d1a8n3.rootcanary.net. 60 IN RRSIG ( DS 8 3 60 20260207073705 20251223073705 25188 rootcanary.net. MIrdYVc8HDhFwn6ZfZbuwR04dkOkLacGm8pVCeTgXQCM931juGuXR94Pv1LZC7gx+yxjXmSdZvth LGNw8A+sAp3g9qkar0fC7D6QlQquBn80Zf1r6Svzha0kIeZF4FK2qcizywq6ZfvcIP+HWXGvo5tP qOjWJQC2tt4h2YPbcQ4= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for d1a8n3.rootcanary.net in the rootcanary.net zone
	DS=29230/SHA-1 uses a deprecated digest algorithm
	DS=29230/SHA-1 has algorithm RSASHA256
	Found 1 RRSIGs over DS RRset
	`d1a8n3.rootcanary.net. 60 IN RRSIG ( DS 8 3 60 20260207073705 20251223073705 25188 rootcanary.net. MIrdYVc8HDhFwn6ZfZbuwR04dkOkLacGm8pVCeTgXQCM931juGuXR94Pv1LZC7gx+yxjXmSdZvth LGNw8A+sAp3g9qkar0fC7D6QlQquBn80Zf1r6Svzha0kIeZF4FK2qcizywq6ZfvcIP+HWXGvo5tP qOjWJQC2tt4h2YPbcQ4= )`
	RRSIG=25188 and DNSKEY=25188 verifies the DS RRset
	`d1a8n3.rootcanary.net. 60 IN DS ( 29230 8 1 77a32079c4d287b1437c2a8128b1269d486bd241 )`
	Query to sec2.rcode0.net for d1a8n3.rootcanary.net/DNSKEY
	Received 379 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 379 octets ;; HEADER SECTION ;; id = 51942 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (2 records) d1a8n3.rootcanary.net. 60 IN RRSIG ( DNSKEY 8 3 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. M3PPMgsiQF8qaO6YFOayeGyT9vVPh+7FOP9Zi4VtoTiiPDiJz1MONc3lJ/b9rZXXP5NVyRA1T04v wUGCrB5LNpL1coJzGkNsk29EdB7SwnwfOYmRDlyRzdsabWDaL2rveWdEtiBnZTjgPBydHo6x3YuI q8ytin5/Afuzs5cpWmI= ) d1a8n3.rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAbVGNyLCx4rjLBSg5mmtf9jsZNliMZnaynGCZCNDet/XxKvGnIi/3LHAhXznX3Xl6SWa9EAB 4QNV/MNH/uHJXRs34grBHYmJ6U9Xk5/PWrFcopxYSl4t3FFVpVHdg0t9Aalso5OBlMedERX3QYq7 dseUoO62nnx8VnB9mmPMSVjP ) ; keytag 29230 ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DNSKEY records for d1a8n3.rootcanary.net
	`d1a8n3.rootcanary.net. 60 IN DNSKEY ( 257 3 8 AwEAAbVGNyLCx4rjLBSg5mmtf9jsZNliMZnaynGCZCNDet/XxKvGnIi/3LHAhXznX3Xl6SWa9EAB 4QNV/MNH/uHJXRs34grBHYmJ6U9Xk5/PWrFcopxYSl4t3FFVpVHdg0t9Aalso5OBlMedERX3QYq7 dseUoO62nnx8VnB9mmPMSVjP ) ; keytag 29230`
	DS=29230/SHA-1 verifies DNSKEY=29230/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`d1a8n3.rootcanary.net. 60 IN RRSIG ( DNSKEY 8 3 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. M3PPMgsiQF8qaO6YFOayeGyT9vVPh+7FOP9Zi4VtoTiiPDiJz1MONc3lJ/b9rZXXP5NVyRA1T04v wUGCrB5LNpL1coJzGkNsk29EdB7SwnwfOYmRDlyRzdsabWDaL2rveWdEtiBnZTjgPBydHo6x3YuI q8ytin5/Afuzs5cpWmI= )`
	RRSIG=29230 and DNSKEY=29230/SEP verifies the DNSKEY RRset
	Query to sec1.rcode0.net for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 192.174.68.100
	;; Response received from [192.174.68.100] 253 octets ;; HEADER SECTION ;; id = 47387 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. qNCvW8a2EVN60t9AR5GaR7FM+EfS/zcgmU1jAb2SkkHQXKLDu+zbmz1jqTVIa1+1UpJ732SS1Kvv jmnc0m7eeWd70ze1MqAI7nJwcsoi4i8TVBqVSVQqvrsEPHjmkUMhO/n9ufTkCULiFbwYeckhbR+T 4KlukNVjN7WnzAhNKNc= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sec1.rcode0.net is authoritative for bogus.d1a8n3.rootcanary.net
	Query to sec1.rcode0.net for bogus.d1a8n3.rootcanary.net/DNSKEY
	Received 558 bytes from 192.174.68.100
	;; Response received from [192.174.68.100] 558 octets ;; HEADER SECTION ;; id = 64093 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) d1a8n3.rootcanary.net. 60 IN SOA ( ns1.surfnet.nl. dns-beheer.surfnet.nl. 2025122406 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 86400 ;minimum ) d1a8n3.rootcanary.net. 60 IN RRSIG ( SOA 8 3 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. iFJGMBj7FsGWj5Gz4ZYCRL3h2YyWl8CKj4hrQg+BKlpm2OQp7vaBLDCrRLVJzUwcUJVapXxQEtgZ NbOsefghiBnKzYdBu6Tg18t/KCNY/uGU3S0WGN4PJgFmV4W9FJUjtXr5knYe46NRS8zVdJd40Qx+ xUtQvsG20+l0JRxpK2Y= ) qkr6mvl7ugqkf3nftsdnhfsk12om0aer.d1a8n3.rootcanary.net. 60 IN NSEC3 ( 1 0 1 - usv8njc8ut47o1la1a0v6eb832u3na29 A AAAA RRSIG ) qkr6mvl7ugqkf3nftsdnhfsk12om0aer.d1a8n3.rootcanary.net. 60 IN RRSIG ( NSEC3 8 4 86400 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. GgWBgKaK6OhtEdyEAtk5Fdfhc/N/teiRsE+04qxGwczelnoHx/450Xw0bubdTgBKAO8GQ3yNLB9x WCyOn6SfgdL2RC7Pi1rsDFGHBFfrZiKtIU1SCbVjwVLJTUFK6AKl/rv3ec1fDbs2hSamqLoT9BgK aPgvt4BkEK5FypyWgPQ= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found RRSIG signed by d1a8n3.rootcanary.net zone
	Query to sec2.rcode0.net for d1a8n3.rootcanary.net/SOA
	Received 292 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 292 octets ;; HEADER SECTION ;; id = 56473 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; d1a8n3.rootcanary.net. IN SOA ;; ANSWER SECTION (2 records) d1a8n3.rootcanary.net. 60 IN SOA ( ns1.surfnet.nl. dns-beheer.surfnet.nl. 2025122406 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 86400 ;minimum ) d1a8n3.rootcanary.net. 60 IN RRSIG ( SOA 8 3 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. iFJGMBj7FsGWj5Gz4ZYCRL3h2YyWl8CKj4hrQg+BKlpm2OQp7vaBLDCrRLVJzUwcUJVapXxQEtgZ NbOsefghiBnKzYdBu6Tg18t/KCNY/uGU3S0WGN4PJgFmV4W9FJUjtXr5knYe46NRS8zVdJd40Qx+ xUtQvsG20+l0JRxpK2Y= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to sec1.rcode0.net for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 192.174.68.100
	;; Response received from [192.174.68.100] 253 octets ;; HEADER SECTION ;; id = 64734 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. qNCvW8a2EVN60t9AR5GaR7FM+EfS/zcgmU1jAb2SkkHQXKLDu+zbmz1jqTVIa1+1UpJ732SS1Kvv jmnc0m7eeWd70ze1MqAI7nJwcsoi4i8TVBqVSVQqvrsEPHjmkUMhO/n9ufTkCULiFbwYeckhbR+T 4KlukNVjN7WnzAhNKNc= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	bogus.d1a8n3.rootcanary.net A RR has value 145.97.20.20
	Found 1 RRSIGs over A RRset
	`bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. qNCvW8a2EVN60t9AR5GaR7FM+EfS/zcgmU1jAb2SkkHQXKLDu+zbmz1jqTVIa1+1UpJ732SS1Kvv jmnc0m7eeWd70ze1MqAI7nJwcsoi4i8TVBqVSVQqvrsEPHjmkUMhO/n9ufTkCULiFbwYeckhbR+T 4KlukNVjN7WnzAhNKNc= )`
	RRSIG=29230 and DNSKEY=29230/SEP does not verify the A RRset (signature verification failed)
	None of the 1 RRSIG and 1 DNSKEY records validate the A RRset

d1a8n3.rootcanary.net

	Query to sec2.rcode0.net for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 253 octets ;; HEADER SECTION ;; id = 45961 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. qNCvW8a2EVN60t9AR5GaR7FM+EfS/zcgmU1jAb2SkkHQXKLDu+zbmz1jqTVIa1+1UpJ732SS1Kvv jmnc0m7eeWd70ze1MqAI7nJwcsoi4i8TVBqVSVQqvrsEPHjmkUMhO/n9ufTkCULiFbwYeckhbR+T 4KlukNVjN7WnzAhNKNc= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sec2.rcode0.net is authoritative for bogus.d1a8n3.rootcanary.net
	Query to sec2.rcode0.net for bogus.d1a8n3.rootcanary.net/DNSKEY
	Received 558 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 558 octets ;; HEADER SECTION ;; id = 49225 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) d1a8n3.rootcanary.net. 60 IN SOA ( ns1.surfnet.nl. dns-beheer.surfnet.nl. 2025122406 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 86400 ;minimum ) d1a8n3.rootcanary.net. 60 IN RRSIG ( SOA 8 3 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. iFJGMBj7FsGWj5Gz4ZYCRL3h2YyWl8CKj4hrQg+BKlpm2OQp7vaBLDCrRLVJzUwcUJVapXxQEtgZ NbOsefghiBnKzYdBu6Tg18t/KCNY/uGU3S0WGN4PJgFmV4W9FJUjtXr5knYe46NRS8zVdJd40Qx+ xUtQvsG20+l0JRxpK2Y= ) qkr6mvl7ugqkf3nftsdnhfsk12om0aer.d1a8n3.rootcanary.net. 60 IN NSEC3 ( 1 0 1 - usv8njc8ut47o1la1a0v6eb832u3na29 A AAAA RRSIG ) qkr6mvl7ugqkf3nftsdnhfsk12om0aer.d1a8n3.rootcanary.net. 60 IN RRSIG ( NSEC3 8 4 86400 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. GgWBgKaK6OhtEdyEAtk5Fdfhc/N/teiRsE+04qxGwczelnoHx/450Xw0bubdTgBKAO8GQ3yNLB9x WCyOn6SfgdL2RC7Pi1rsDFGHBFfrZiKtIU1SCbVjwVLJTUFK6AKl/rv3ec1fDbs2hSamqLoT9BgK aPgvt4BkEK5FypyWgPQ= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found RRSIG signed by d1a8n3.rootcanary.net zone
	Query to sec2.rcode0.net for bogus.d1a8n3.rootcanary.net/A
	Received 253 bytes from 176.97.158.100
	;; Response received from [176.97.158.100] 253 octets ;; HEADER SECTION ;; id = 26518 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1400, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; bogus.d1a8n3.rootcanary.net. IN A ;; ANSWER SECTION (2 records) bogus.d1a8n3.rootcanary.net. 60 IN A 145.97.20.20 bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. qNCvW8a2EVN60t9AR5GaR7FM+EfS/zcgmU1jAb2SkkHQXKLDu+zbmz1jqTVIa1+1UpJ732SS1Kvv jmnc0m7eeWd70ze1MqAI7nJwcsoi4i8TVBqVSVQqvrsEPHjmkUMhO/n9ufTkCULiFbwYeckhbR+T 4KlukNVjN7WnzAhNKNc= ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	bogus.d1a8n3.rootcanary.net A RR has value 145.97.20.20
	Found 1 RRSIGs over A RRset
	`bogus.d1a8n3.rootcanary.net. 60 IN RRSIG ( A 8 4 60 20260207073705 20251223073705 29230 d1a8n3.rootcanary.net. qNCvW8a2EVN60t9AR5GaR7FM+EfS/zcgmU1jAb2SkkHQXKLDu+zbmz1jqTVIa1+1UpJ732SS1Kvv jmnc0m7eeWd70ze1MqAI7nJwcsoi4i8TVBqVSVQqvrsEPHjmkUMhO/n9ufTkCULiFbwYeckhbR+T 4KlukNVjN7WnzAhNKNc= )`
	RRSIG=29230 and DNSKEY=29230/SEP does not verify the A RRset (signature verification failed)
	None of the 1 RRSIG and 1 DNSKEY records validate the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test bogus.d1a8n3.rootcanary.net at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: