DNSSEC Debugger

Domain Name:

Time: 2025-12-23 13:01:37 UTC

Analyzing DNSSEC problems for irs.gov

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to a.root-servers.net for ./DNSKEY
	Received 1414 bytes from 198.41.0.4
	;; Response received from [198.41.0.4] 1414 octets ;; HEADER SECTION ;; id = 58426 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 5 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (5 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAeuS7hMRZ7muj1c/ew2DoavxkBw3jUG5R79pKVDI39fxvlD1HfJYGJERnXuV4SrQfUPzWw/l t5Axb0EqXL/sQ2ZyntVmwQwoSXi2l9smlIKh2UrkTmmozRCPe7GS4fZTE4Ew7AV4YprTLgVmxiGP 4unRuXkYOgQJXCIBpVCmEdUli6X2sm0i5ZilU/Q+rX3RDw+eYPP7K0cJnJ+ZnvQDy14+BFtreWl9 enNQljgGpBp26lEp1z7AbvUfzkQNVCVGaM8jEaCSALXiROlwCQMOdj+tpLXFf99kdJnTQw2cpEr1 uGs/yENAJpoGhbjZAoIkXzDUBSlfFeYz7FWzH6gIe7M= ) ; keytag 61809 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20260110000000 20251220000000 20326 . RZO5FQjtg6Yk0Dara521nCUfYnQxCLAVdbC+buKQVAKlHsZ6srxXHNAL8DMoHohT+PyIlPFAQMb5 fBZatrDaqxpZZ/YbC0A2zxGxOwuOPb1xRbqi6E3zSKfilTRuAux5jN0KYbZZhFxda62e9Hv+2GJs MLixTpiV3RVXtxENI2GPRA8mRRJPBDR7XVQF/2Pz+vjcAW07dp27CrNmQPyZtVjSgw49Jz1rSsAm +EEKO6C7KLG5hmENQr165D3YjMWCs93YhTY8bhWYVqeDtsB1BwoEWkMqSFs4I4+uMd14BHvO6mlq zOZyWC+3kXYTpoAlE0kFhKNv1i54wgHRB+paqw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 4 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAeuS7hMRZ7muj1c/ew2DoavxkBw3jUG5R79pKVDI39fxvlD1HfJYGJERnXuV4SrQfUPzWw/l t5Axb0EqXL/sQ2ZyntVmwQwoSXi2l9smlIKh2UrkTmmozRCPe7GS4fZTE4Ew7AV4YprTLgVmxiGP 4unRuXkYOgQJXCIBpVCmEdUli6X2sm0i5ZilU/Q+rX3RDw+eYPP7K0cJnJ+ZnvQDy14+BFtreWl9 enNQljgGpBp26lEp1z7AbvUfzkQNVCVGaM8jEaCSALXiROlwCQMOdj+tpLXFf99kdJnTQw2cpEr1 uGs/yENAJpoGhbjZAoIkXzDUBSlfFeYz7FWzH6gIe7M= ) ; keytag 61809`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20260110000000 20251220000000 20326 . RZO5FQjtg6Yk0Dara521nCUfYnQxCLAVdbC+buKQVAKlHsZ6srxXHNAL8DMoHohT+PyIlPFAQMb5 fBZatrDaqxpZZ/YbC0A2zxGxOwuOPb1xRbqi6E3zSKfilTRuAux5jN0KYbZZhFxda62e9Hv+2GJs MLixTpiV3RVXtxENI2GPRA8mRRJPBDR7XVQF/2Pz+vjcAW07dp27CrNmQPyZtVjSgw49Jz1rSsAm +EEKO6C7KLG5hmENQr165D3YjMWCs93YhTY8bhWYVqeDtsB1BwoEWkMqSFs4I4+uMd14BHvO6mlq zOZyWC+3kXYTpoAlE0kFhKNv1i54wgHRB+paqw== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=61809 is now in the chain-of-trust
	DNSKEY=21831 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	Query to d.root-servers.net for irs.gov/A
	Received 614 bytes from 199.7.91.13
	;; Response received from [199.7.91.13] 614 octets ;; HEADER SECTION ;; id = 6040 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1450, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260105050000 20251223040000 61809 . xtxX7e550bkc/GaxnXvuocwpJD4QRWO6Zie+5vH3lEPCa1MOYrNpfN6uRBYVJJvxCbxiMyuRVj4j bdEuIo+U8t/1D7KUE8sXf/N30DTWT+ctrkYanR7rqh6XCT48Z4xlNwB24ec9cNH5Hf+SxetivSy3 yx+Upl3EmGGcQveAXSp4vxDS1YQDjaxGwheeVgN9RJDuDoDjLSv9qC66hxJSeTlgjzEqME54GLTn N4/J6po6nDN/s8UW3eVM/dqa/WjRR1J+EdOAePe+ztChIkYFQpZDIpby6Ggls25zP/LK5oBOIyRT HNUHDTHrFX9tyk33PR7jHcM7DlV2S7boXOkHtQ== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 b.ns.gov. 172800 IN A 199.33.231.1 c.ns.gov. 172800 IN A 199.33.232.1 d.ns.gov. 172800 IN A 199.33.233.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Query to b.root-servers.net for gov/DNSKEY
	Received 610 bytes from 170.247.170.2
	;; Response received from [170.247.170.2] 610 octets ;; HEADER SECTION ;; id = 36643 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260105050000 20251223040000 61809 . xtxX7e550bkc/GaxnXvuocwpJD4QRWO6Zie+5vH3lEPCa1MOYrNpfN6uRBYVJJvxCbxiMyuRVj4j bdEuIo+U8t/1D7KUE8sXf/N30DTWT+ctrkYanR7rqh6XCT48Z4xlNwB24ec9cNH5Hf+SxetivSy3 yx+Upl3EmGGcQveAXSp4vxDS1YQDjaxGwheeVgN9RJDuDoDjLSv9qC66hxJSeTlgjzEqME54GLTn N4/J6po6nDN/s8UW3eVM/dqa/WjRR1J+EdOAePe+ztChIkYFQpZDIpby6Ggls25zP/LK5oBOIyRT HNUHDTHrFX9tyk33PR7jHcM7DlV2S7boXOkHtQ== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN A 199.33.231.1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN A 199.33.232.1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN A 199.33.233.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Found child zone gov

gov

	Checking DS between . and gov
	Query to j.root-servers.net for gov/DS
	Received 367 bytes from 192.58.128.30
	;; Response received from [192.58.128.30] 367 octets ;; HEADER SECTION ;; id = 60943 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1472, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DS ;; ANSWER SECTION (2 records) gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260105050000 20251223040000 61809 . xtxX7e550bkc/GaxnXvuocwpJD4QRWO6Zie+5vH3lEPCa1MOYrNpfN6uRBYVJJvxCbxiMyuRVj4j bdEuIo+U8t/1D7KUE8sXf/N30DTWT+ctrkYanR7rqh6XCT48Z4xlNwB24ec9cNH5Hf+SxetivSy3 yx+Upl3EmGGcQveAXSp4vxDS1YQDjaxGwheeVgN9RJDuDoDjLSv9qC66hxJSeTlgjzEqME54GLTn N4/J6po6nDN/s8UW3eVM/dqa/WjRR1J+EdOAePe+ztChIkYFQpZDIpby6Ggls25zP/LK5oBOIyRT HNUHDTHrFX9tyk33PR7jHcM7DlV2S7boXOkHtQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for gov in the . zone
	DS=2536/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`gov. 86400 IN RRSIG ( DS 8 1 86400 20260105050000 20251223040000 61809 . xtxX7e550bkc/GaxnXvuocwpJD4QRWO6Zie+5vH3lEPCa1MOYrNpfN6uRBYVJJvxCbxiMyuRVj4j bdEuIo+U8t/1D7KUE8sXf/N30DTWT+ctrkYanR7rqh6XCT48Z4xlNwB24ec9cNH5Hf+SxetivSy3 yx+Upl3EmGGcQveAXSp4vxDS1YQDjaxGwheeVgN9RJDuDoDjLSv9qC66hxJSeTlgjzEqME54GLTn N4/J6po6nDN/s8UW3eVM/dqa/WjRR1J+EdOAePe+ztChIkYFQpZDIpby6Ggls25zP/LK5oBOIyRT HNUHDTHrFX9tyk33PR7jHcM7DlV2S7boXOkHtQ== )`
	RRSIG=61809 and DNSKEY=61809 verifies the DS RRset
	DS=2536/SHA-256 is now in the chain-of-trust
	`gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 )`
	Query to d.ns.gov for gov/DNSKEY
	Received 291 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 291 octets ;; HEADER SECTION ;; id = 22512 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (3 records) gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536 gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496 gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20260205110617 20251206110617 2536 gov. nZHIPZZ3z80AAkg8IDRVDprfpie4C0q93y05w0bzGd/fdwD8ocNWH6iMFuJ1B13pIaERw0TJTBOo cbM9gLWhNQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for gov
	`gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536`
	`gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496`
	DNSKEY=2536/SEP is now in the chain-of-trust
	DS=2536/SHA-256 verifies DNSKEY=2536/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20260205110617 20251206110617 2536 gov. nZHIPZZ3z80AAkg8IDRVDprfpie4C0q93y05w0bzGd/fdwD8ocNWH6iMFuJ1B13pIaERw0TJTBOo cbM9gLWhNQ== )`
	RRSIG=2536 and DNSKEY=2536/SEP verifies the DNSKEY RRset
	DNSKEY=35496 is now in the chain-of-trust
	Query to d.ns.gov for irs.gov/A
	Received 249 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 249 octets ;; HEADER SECTION ;; id = 19008 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) irs.gov. 10800 IN NS ns0022.secondary.cloudflare.com. irs.gov. 10800 IN NS ns0227.secondary.cloudflare.com. irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20251224140138 20251222120138 35496 gov. EQDnOsXqDhNMGrqCj19Y5NejODIUj40qvsgCrrWVXDe3LoCpbOQ4FY0XsIsG7L2ZR+ztRWwIuyF4 5Ea0iSNLEQ== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to d.ns.gov for irs.gov/DNSKEY
	Received 249 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 249 octets ;; HEADER SECTION ;; id = 48042 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) irs.gov. 10800 IN NS ns0022.secondary.cloudflare.com. irs.gov. 10800 IN NS ns0227.secondary.cloudflare.com. irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20251224140138 20251222120138 35496 gov. wpRSK0TcxnLuW8YV7v7lcSHfSps2tfEU9UIBvJoimibBeyKwpKRl44DJdGqlkCk6hvqnVEOWVALS c+lKw0HPUQ== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone irs.gov

irs.gov

	Checking DS between gov and irs.gov
	Query to b.ns.gov for irs.gov/DS
	Received 183 bytes from 199.33.231.1
	;; Response received from [199.33.231.1] 183 octets ;; HEADER SECTION ;; id = 25228 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DS ;; ANSWER SECTION (2 records) irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20251224140138 20251222120138 35496 gov. pOGS39RATmxpJNFSnTdJUjTmi/2s/Hyy1mwBjFnSm+F6nI2hzbk1AeeUADXVwg9wxO88bdf3YBby eKKZh647Pg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for irs.gov in the gov zone
	DS=10226/SHA-256 has algorithm RSASHA256
	Found 1 RRSIGs over DS RRset
	`irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20251224140138 20251222120138 35496 gov. pOGS39RATmxpJNFSnTdJUjTmi/2s/Hyy1mwBjFnSm+F6nI2hzbk1AeeUADXVwg9wxO88bdf3YBby eKKZh647Pg== )`
	RRSIG=35496 and DNSKEY=35496 verifies the DS RRset
	DS=10226/SHA-256 is now in the chain-of-trust
	`irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb )`
	Query to ns0022.secondary.cloudflare.com for irs.gov/DNSKEY
	Received 883 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 883 octets ;; HEADER SECTION ;; id = 12512 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DNSKEY ;; ANSWER SECTION (3 records) irs.gov. 10800 IN DNSKEY ( 256 3 8 AwEAAZE6tEb3Bj2oWa6OKDYzdBYs8pRo3KicquctuLFVpEHVZlXVj4VZW4RqAab0rXYn0gHw9Ngs KifHKdIxko8NMVKvHWORREKTT1HE2EsG5+ZKolK1M2JKgnzHnYSibecKqndi6S8KCudmfHHl3F8s 5jc2r8BLSJHCyLaeN3sxTL3iGJSi3z90WJPkKgu6VFbl+w8N3dnw2aqM/tmuJJjFr+MwE0z1IIbg 1FurOxQ9pdefzsKDdwP0z09gYjESCJ3UUIY6/5OdxKoyPospjaai/qTx2wqVMKZSwL0jfab9IT0t eK6tPqKla+FAh+/r7UROUH/6MHXOngwB90FHsFpMBZk= ) ; keytag 8004 irs.gov. 10800 IN DNSKEY ( 257 3 8 AwEAAdyBXX4YQk/F+GRZr0fnahrki3+8fXT4xgbeKjhBqtYm4YIaOCYVP2Ld0HOimw2oYC9Hm51w +EPxwVp3Y3Yvb3ldpLnxUmHhzh7cAwxeRbBEoj1s6vxdwhLFrbabhtkB+ZATbBLccRhJSa9hcgLJ HMG+RQ4Q9pXzfJktjS/vutdcXPma0zWUjMk/VEg9o9RQG1BNNYRFJVBWbi6eHbNQc16Skz53jSiU 4dSm5xFK71tAz6gB5YGwlSL/05moLUgTE9PkfZZFhRidK02TDOXof/sxjSTafNXn44NjB4caZfko bDRQHRKlrQNd7MqGtEq5cWTQHJwOdjIEU7Vayefv4Z0= ) ; keytag 10226 irs.gov. 10800 IN RRSIG ( DNSKEY 8 2 10800 20260104055854 20251221042854 10226 irs.gov. F7rrCHmQ9G9ziUIocq1hHHJFzfaZWF7k2JyGndLEMvze5XvD8ry9WGEvtVHqXjjSfpT5qaNsaOuo 57llDvDQg5vmqb8z9P+6OvPt9RakCjzf2621tAZLsC572EIyxDQU1CubVK0bbuwivseKsqlYE5w1 rY/7Z+Sg0tnuAGh4E+WZEmcqSIgXRPrDX5bdxA9EylbfKabfIXPs0mPjZgtVQwc2GrxJOM2qawa7 4S4aR6DGashhw/WiFHWIpPQHMIVvAvYH1ju4D8iNki/W1Pz0i/6jHlQH/Ctn4duN/74KofmMDZbE 3tJijGE5qNhSliDC+aymve1qRmowD4lKDVd+fg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for irs.gov
	`irs.gov. 10800 IN DNSKEY ( 256 3 8 AwEAAZE6tEb3Bj2oWa6OKDYzdBYs8pRo3KicquctuLFVpEHVZlXVj4VZW4RqAab0rXYn0gHw9Ngs KifHKdIxko8NMVKvHWORREKTT1HE2EsG5+ZKolK1M2JKgnzHnYSibecKqndi6S8KCudmfHHl3F8s 5jc2r8BLSJHCyLaeN3sxTL3iGJSi3z90WJPkKgu6VFbl+w8N3dnw2aqM/tmuJJjFr+MwE0z1IIbg 1FurOxQ9pdefzsKDdwP0z09gYjESCJ3UUIY6/5OdxKoyPospjaai/qTx2wqVMKZSwL0jfab9IT0t eK6tPqKla+FAh+/r7UROUH/6MHXOngwB90FHsFpMBZk= ) ; keytag 8004`
	`irs.gov. 10800 IN DNSKEY ( 257 3 8 AwEAAdyBXX4YQk/F+GRZr0fnahrki3+8fXT4xgbeKjhBqtYm4YIaOCYVP2Ld0HOimw2oYC9Hm51w +EPxwVp3Y3Yvb3ldpLnxUmHhzh7cAwxeRbBEoj1s6vxdwhLFrbabhtkB+ZATbBLccRhJSa9hcgLJ HMG+RQ4Q9pXzfJktjS/vutdcXPma0zWUjMk/VEg9o9RQG1BNNYRFJVBWbi6eHbNQc16Skz53jSiU 4dSm5xFK71tAz6gB5YGwlSL/05moLUgTE9PkfZZFhRidK02TDOXof/sxjSTafNXn44NjB4caZfko bDRQHRKlrQNd7MqGtEq5cWTQHJwOdjIEU7Vayefv4Z0= ) ; keytag 10226`
	DNSKEY=10226/SEP is now in the chain-of-trust
	DS=10226/SHA-256 verifies DNSKEY=10226/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`irs.gov. 10800 IN RRSIG ( DNSKEY 8 2 10800 20260104055854 20251221042854 10226 irs.gov. F7rrCHmQ9G9ziUIocq1hHHJFzfaZWF7k2JyGndLEMvze5XvD8ry9WGEvtVHqXjjSfpT5qaNsaOuo 57llDvDQg5vmqb8z9P+6OvPt9RakCjzf2621tAZLsC572EIyxDQU1CubVK0bbuwivseKsqlYE5w1 rY/7Z+Sg0tnuAGh4E+WZEmcqSIgXRPrDX5bdxA9EylbfKabfIXPs0mPjZgtVQwc2GrxJOM2qawa7 4S4aR6DGashhw/WiFHWIpPQHMIVvAvYH1ju4D8iNki/W1Pz0i/6jHlQH/Ctn4duN/74KofmMDZbE 3tJijGE5qNhSliDC+aymve1qRmowD4lKDVd+fg== )`
	RRSIG=10226 and DNSKEY=10226/SEP verifies the DNSKEY RRset
	DNSKEY=8004 is now in the chain-of-trust
	Query to ns0022.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 363 octets ;; HEADER SECTION ;; id = 47900 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20260104015853 20251221002853 8004 irs.gov. YOTpk0Hsd//x9eU0uYTwwkCgD2Vi9+oWkfvyI2dmxVY3JOz+yNLaIlL81zaW3RyKcHSgVJaJE3tF /kXEGpQeCz3UHo8yznqPaznoNrgxA3BUw5nHxqFSRykMh+J/G/2CXogIdkND3+QjtxLQHOmV6pTD tbqAY4csiXAHKkSIrlVb9vMrO0F7eRCRHaKHRnHidY9GOHI3flH+ZnRcKCfxeQzEfb6GFYWw67oR Jpqz2Zf+o3Cadqtrgm6ouO6zBcAhpeP13tPP5pNLeFCjWZGsFqtiICQ2EeW9ZOIdPnjXfwHpMXz4 ij9f+Mst1wB3zm1xmwSF3Wfrx9rnS2yYdZKJ5w== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns0022.secondary.cloudflare.com is authoritative for irs.gov
	Found RRSIG signed by irs.gov zone
	Query to ns0227.secondary.cloudflare.com for irs.gov/SOA
	Received 401 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 401 octets ;; HEADER SECTION ;; id = 14065 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN SOA ;; ANSWER SECTION (2 records) irs.gov. 900 IN SOA ( ns1.irs.gov. it\.aciouns\.external\.dns\.admin.irs.gov. 2010093007 ;serial 3600 ;refresh 1800 ;retry 2419200 ;expire 900 ;minimum ) irs.gov. 900 IN RRSIG ( SOA 8 2 10800 20260105105819 20251222092819 8004 irs.gov. DnpxwTB60aDOytuWYruUPsmzKhAFfyntxBMBXsiWR+BuH6IErCsMDpnOq8nrLkLr/kDMY0uN2cfQ bNZncubQjTsKgnLfSv2IKJXjgFVm4uMHT59aXrbCWSlnhhMg03xPlfFAsQB2zKpZXRaAwBAp3iho aXyouJ0hWxPdkwfSUkq9I8BTC6YtCghM1MOcMUzk4lECif386tJKBSfHKiWTY6DSTNjOgWcXfbW3 5T3VSKkH4w0h7FGjIFiiarz7Oyb79z7UN/hfNkESNkrLaPB70kYrSuuvVPLS9V13B3RDFARy/bgb Bf4nP+JqBX4s5vtQEOfgV2XZPbq+F3vZh/Oo+Q== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to ns0022.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 363 octets ;; HEADER SECTION ;; id = 14242 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20260104015853 20251221002853 8004 irs.gov. YOTpk0Hsd//x9eU0uYTwwkCgD2Vi9+oWkfvyI2dmxVY3JOz+yNLaIlL81zaW3RyKcHSgVJaJE3tF /kXEGpQeCz3UHo8yznqPaznoNrgxA3BUw5nHxqFSRykMh+J/G/2CXogIdkND3+QjtxLQHOmV6pTD tbqAY4csiXAHKkSIrlVb9vMrO0F7eRCRHaKHRnHidY9GOHI3flH+ZnRcKCfxeQzEfb6GFYWw67oR Jpqz2Zf+o3Cadqtrgm6ouO6zBcAhpeP13tPP5pNLeFCjWZGsFqtiICQ2EeW9ZOIdPnjXfwHpMXz4 ij9f+Mst1wB3zm1xmwSF3Wfrx9rnS2yYdZKJ5w== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	irs.gov A RR has value 152.216.7.110
	irs.gov A RR has value 152.216.11.110
	Found 1 RRSIGs over A RRset
	`irs.gov. 10800 IN RRSIG ( A 8 2 10800 20260104015853 20251221002853 8004 irs.gov. YOTpk0Hsd//x9eU0uYTwwkCgD2Vi9+oWkfvyI2dmxVY3JOz+yNLaIlL81zaW3RyKcHSgVJaJE3tF /kXEGpQeCz3UHo8yznqPaznoNrgxA3BUw5nHxqFSRykMh+J/G/2CXogIdkND3+QjtxLQHOmV6pTD tbqAY4csiXAHKkSIrlVb9vMrO0F7eRCRHaKHRnHidY9GOHI3flH+ZnRcKCfxeQzEfb6GFYWw67oR Jpqz2Zf+o3Cadqtrgm6ouO6zBcAhpeP13tPP5pNLeFCjWZGsFqtiICQ2EeW9ZOIdPnjXfwHpMXz4 ij9f+Mst1wB3zm1xmwSF3Wfrx9rnS2yYdZKJ5w== )`
	RRSIG=8004 and DNSKEY=8004 verifies the A RRset

irs.gov

	Query to ns0227.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 363 octets ;; HEADER SECTION ;; id = 15360 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20260104015853 20251221002853 8004 irs.gov. YOTpk0Hsd//x9eU0uYTwwkCgD2Vi9+oWkfvyI2dmxVY3JOz+yNLaIlL81zaW3RyKcHSgVJaJE3tF /kXEGpQeCz3UHo8yznqPaznoNrgxA3BUw5nHxqFSRykMh+J/G/2CXogIdkND3+QjtxLQHOmV6pTD tbqAY4csiXAHKkSIrlVb9vMrO0F7eRCRHaKHRnHidY9GOHI3flH+ZnRcKCfxeQzEfb6GFYWw67oR Jpqz2Zf+o3Cadqtrgm6ouO6zBcAhpeP13tPP5pNLeFCjWZGsFqtiICQ2EeW9ZOIdPnjXfwHpMXz4 ij9f+Mst1wB3zm1xmwSF3Wfrx9rnS2yYdZKJ5w== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns0227.secondary.cloudflare.com is authoritative for irs.gov
	Found RRSIG signed by irs.gov zone
	Query to ns0227.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 363 octets ;; HEADER SECTION ;; id = 53432 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20260104015853 20251221002853 8004 irs.gov. YOTpk0Hsd//x9eU0uYTwwkCgD2Vi9+oWkfvyI2dmxVY3JOz+yNLaIlL81zaW3RyKcHSgVJaJE3tF /kXEGpQeCz3UHo8yznqPaznoNrgxA3BUw5nHxqFSRykMh+J/G/2CXogIdkND3+QjtxLQHOmV6pTD tbqAY4csiXAHKkSIrlVb9vMrO0F7eRCRHaKHRnHidY9GOHI3flH+ZnRcKCfxeQzEfb6GFYWw67oR Jpqz2Zf+o3Cadqtrgm6ouO6zBcAhpeP13tPP5pNLeFCjWZGsFqtiICQ2EeW9ZOIdPnjXfwHpMXz4 ij9f+Mst1wB3zm1xmwSF3Wfrx9rnS2yYdZKJ5w== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	irs.gov A RR has value 152.216.7.110
	irs.gov A RR has value 152.216.11.110
	Found 1 RRSIGs over A RRset
	`irs.gov. 10800 IN RRSIG ( A 8 2 10800 20260104015853 20251221002853 8004 irs.gov. YOTpk0Hsd//x9eU0uYTwwkCgD2Vi9+oWkfvyI2dmxVY3JOz+yNLaIlL81zaW3RyKcHSgVJaJE3tF /kXEGpQeCz3UHo8yznqPaznoNrgxA3BUw5nHxqFSRykMh+J/G/2CXogIdkND3+QjtxLQHOmV6pTD tbqAY4csiXAHKkSIrlVb9vMrO0F7eRCRHaKHRnHidY9GOHI3flH+ZnRcKCfxeQzEfb6GFYWw67oR Jpqz2Zf+o3Cadqtrgm6ouO6zBcAhpeP13tPP5pNLeFCjWZGsFqtiICQ2EeW9ZOIdPnjXfwHpMXz4 ij9f+Mst1wB3zm1xmwSF3Wfrx9rnS2yYdZKJ5w== )`
	RRSIG=8004 and DNSKEY=8004 verifies the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test irs.gov at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: