DNSSEC Debugger

Domain Name:

Time: 2025-10-21 01:39:46 UTC

Analyzing DNSSEC problems for irs.gov

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to d.root-servers.net for ./DNSKEY
	Received 1139 bytes from 199.7.91.13
	;; Response received from [199.7.91.13] 1139 octets ;; HEADER SECTION ;; id = 7883 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 4 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1450, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (4 records) . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN DNSKEY ( 256 3 8 AwEAAeuS7hMRZ7muj1c/ew2DoavxkBw3jUG5R79pKVDI39fxvlD1HfJYGJERnXuV4SrQfUPzWw/l t5Axb0EqXL/sQ2ZyntVmwQwoSXi2l9smlIKh2UrkTmmozRCPe7GS4fZTE4Ew7AV4YprTLgVmxiGP 4unRuXkYOgQJXCIBpVCmEdUli6X2sm0i5ZilU/Q+rX3RDw+eYPP7K0cJnJ+ZnvQDy14+BFtreWl9 enNQljgGpBp26lEp1z7AbvUfzkQNVCVGaM8jEaCSALXiROlwCQMOdj+tpLXFf99kdJnTQw2cpEr1 uGs/yENAJpoGhbjZAoIkXzDUBSlfFeYz7FWzH6gIe7M= ) ; keytag 61809 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20251101000000 20251011000000 20326 . HBzw8cFD6K0/BBO1rLi2ifcFatkMvobiLzZgaMOb9hMqRuMKM0jVSVif5LpAb0OOTQOcSzZMOF17 Ps7BkxWqTGOAQQH5wrS0aLJ/Hn4UAIC/ZK+JbeGo9c1ZhcA8LUyvv32ACT0in2oY7RyTG1+MLpUo rMdUNUII2PAaYuU+Svu8/1HJhuONGl9IqokaWK6yFCm9rz+azS04kq2GPMGHXqJVX7jbZO4tq4fg VKYvW5wJpRM9VE4VOGmHzQUe0OJsDGViys65RNtzzR8MefC9jZGGKO8s8G0n24VmT9Kg2/4y4Qen knUytutLNIMFFmiUsJjx8gcakkkiIvwGed+/cg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 3 DNSKEY records for .
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAeuS7hMRZ7muj1c/ew2DoavxkBw3jUG5R79pKVDI39fxvlD1HfJYGJERnXuV4SrQfUPzWw/l t5Axb0EqXL/sQ2ZyntVmwQwoSXi2l9smlIKh2UrkTmmozRCPe7GS4fZTE4Ew7AV4YprTLgVmxiGP 4unRuXkYOgQJXCIBpVCmEdUli6X2sm0i5ZilU/Q+rX3RDw+eYPP7K0cJnJ+ZnvQDy14+BFtreWl9 enNQljgGpBp26lEp1z7AbvUfzkQNVCVGaM8jEaCSALXiROlwCQMOdj+tpLXFf99kdJnTQw2cpEr1 uGs/yENAJpoGhbjZAoIkXzDUBSlfFeYz7FWzH6gIe7M= ) ; keytag 61809`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20251101000000 20251011000000 20326 . HBzw8cFD6K0/BBO1rLi2ifcFatkMvobiLzZgaMOb9hMqRuMKM0jVSVif5LpAb0OOTQOcSzZMOF17 Ps7BkxWqTGOAQQH5wrS0aLJ/Hn4UAIC/ZK+JbeGo9c1ZhcA8LUyvv32ACT0in2oY7RyTG1+MLpUo rMdUNUII2PAaYuU+Svu8/1HJhuONGl9IqokaWK6yFCm9rz+azS04kq2GPMGHXqJVX7jbZO4tq4fg VKYvW5wJpRM9VE4VOGmHzQUe0OJsDGViys65RNtzzR8MefC9jZGGKO8s8G0n24VmT9Kg2/4y4Qen knUytutLNIMFFmiUsJjx8gcakkkiIvwGed+/cg== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=38696/SEP is now in the chain-of-trust
	DNSKEY=61809 is now in the chain-of-trust
	Query to b.root-servers.net for irs.gov/A
	Received 614 bytes from 170.247.170.2
	;; Response received from [170.247.170.2] 614 octets ;; HEADER SECTION ;; id = 15055 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20251102170000 20251020160000 61809 . jU3CBt/28PsB5m18u05Im9SPk+UmHC/ZAIMfe/VAPjYQYjgtr37BiExD4S2aO67kvRzXIrMvXIKX mclIrEE6gZWCwHhji6aAaJDwWrXVJXFU9yVj8FIcipSva6UylpfyObrphJURYNfIo4/aIxyXNgr9 6gf6WjIh/QL2qX0hOXr78ggukuB1sGeX8Mt1dBOEv6KMoPGBYlvp0vxEm3eQ/6JqIsvSS9sLx4wF uajfaOxF8igeF544MauXzza/1fWIUlxx+jPS4Iopopci/WZvep+JtFLyzIYCvtcGpg948ABdH5fu 6WJApcay9lDRIbkQ+BM9fRgdSr++QmmIMrsTUQ== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN A 199.33.231.1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN A 199.33.232.1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN A 199.33.233.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Query to d.root-servers.net for gov/DNSKEY
	Received 610 bytes from 199.7.91.13
	;; Response received from [199.7.91.13] 610 octets ;; HEADER SECTION ;; id = 6871 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1450, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20251102170000 20251020160000 61809 . jU3CBt/28PsB5m18u05Im9SPk+UmHC/ZAIMfe/VAPjYQYjgtr37BiExD4S2aO67kvRzXIrMvXIKX mclIrEE6gZWCwHhji6aAaJDwWrXVJXFU9yVj8FIcipSva6UylpfyObrphJURYNfIo4/aIxyXNgr9 6gf6WjIh/QL2qX0hOXr78ggukuB1sGeX8Mt1dBOEv6KMoPGBYlvp0vxEm3eQ/6JqIsvSS9sLx4wF uajfaOxF8igeF544MauXzza/1fWIUlxx+jPS4Iopopci/WZvep+JtFLyzIYCvtcGpg948ABdH5fu 6WJApcay9lDRIbkQ+BM9fRgdSr++QmmIMrsTUQ== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 b.ns.gov. 172800 IN A 199.33.231.1 c.ns.gov. 172800 IN A 199.33.232.1 d.ns.gov. 172800 IN A 199.33.233.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Found child zone gov

gov

	Checking DS between . and gov
	Query to l.root-servers.net for gov/DS
	Received 367 bytes from 199.7.83.42
	;; Response received from [199.7.83.42] 367 octets ;; HEADER SECTION ;; id = 33308 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DS ;; ANSWER SECTION (2 records) gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20251102170000 20251020160000 61809 . jU3CBt/28PsB5m18u05Im9SPk+UmHC/ZAIMfe/VAPjYQYjgtr37BiExD4S2aO67kvRzXIrMvXIKX mclIrEE6gZWCwHhji6aAaJDwWrXVJXFU9yVj8FIcipSva6UylpfyObrphJURYNfIo4/aIxyXNgr9 6gf6WjIh/QL2qX0hOXr78ggukuB1sGeX8Mt1dBOEv6KMoPGBYlvp0vxEm3eQ/6JqIsvSS9sLx4wF uajfaOxF8igeF544MauXzza/1fWIUlxx+jPS4Iopopci/WZvep+JtFLyzIYCvtcGpg948ABdH5fu 6WJApcay9lDRIbkQ+BM9fRgdSr++QmmIMrsTUQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for gov in the . zone
	DS=2536/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`gov. 86400 IN RRSIG ( DS 8 1 86400 20251102170000 20251020160000 61809 . jU3CBt/28PsB5m18u05Im9SPk+UmHC/ZAIMfe/VAPjYQYjgtr37BiExD4S2aO67kvRzXIrMvXIKX mclIrEE6gZWCwHhji6aAaJDwWrXVJXFU9yVj8FIcipSva6UylpfyObrphJURYNfIo4/aIxyXNgr9 6gf6WjIh/QL2qX0hOXr78ggukuB1sGeX8Mt1dBOEv6KMoPGBYlvp0vxEm3eQ/6JqIsvSS9sLx4wF uajfaOxF8igeF544MauXzza/1fWIUlxx+jPS4Iopopci/WZvep+JtFLyzIYCvtcGpg948ABdH5fu 6WJApcay9lDRIbkQ+BM9fRgdSr++QmmIMrsTUQ== )`
	RRSIG=61809 and DNSKEY=61809 verifies the DS RRset
	DS=2536/SHA-256 is now in the chain-of-trust
	`gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 )`
	Query to d.ns.gov for gov/DNSKEY
	Received 291 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 291 octets ;; HEADER SECTION ;; id = 54062 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (3 records) gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536 gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496 gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20251219110613 20251019110613 2536 gov. j3FRDkQ+/qhx8n7XWgDk7DC6YuMd0K42x1BaoJP4SEm+WtzI5LbaxO7OS3rDz3G0nG4HtRwBe8wW 1w4LNc5mNA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for gov
	`gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536`
	`gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496`
	DNSKEY=2536/SEP is now in the chain-of-trust
	DS=2536/SHA-256 verifies DNSKEY=2536/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20251219110613 20251019110613 2536 gov. j3FRDkQ+/qhx8n7XWgDk7DC6YuMd0K42x1BaoJP4SEm+WtzI5LbaxO7OS3rDz3G0nG4HtRwBe8wW 1w4LNc5mNA== )`
	RRSIG=2536 and DNSKEY=2536/SEP verifies the DNSKEY RRset
	DNSKEY=35496 is now in the chain-of-trust
	Query to d.ns.gov for irs.gov/A
	Received 249 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 249 octets ;; HEADER SECTION ;; id = 49758 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) irs.gov. 10800 IN NS ns0022.secondary.cloudflare.com. irs.gov. 10800 IN NS ns0227.secondary.cloudflare.com. irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20251022023946 20251020003946 35496 gov. Lzmcm1R4tOPRPnBR+K9PUSkI4ZH+lPW8b8qpkOXXOIK1oUom7okdMKkm1G+d5vtKYFbdBzE/HBaD ZCfYJH7IEw== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to c.ns.gov for irs.gov/DNSKEY
	Received 249 bytes from 199.33.232.1
	;; Response received from [199.33.232.1] 249 octets ;; HEADER SECTION ;; id = 48674 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) irs.gov. 10800 IN NS ns0022.secondary.cloudflare.com. irs.gov. 10800 IN NS ns0227.secondary.cloudflare.com. irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20251022023946 20251020003946 35496 gov. eIKiPY2BuWuhHS3f4o2gIHR+p+rFrrySNC1/0922O+7sHy77gQEALAIiKJVnzfqnewFK34YUnamD tpDct1tKyQ== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone irs.gov

irs.gov

	Checking DS between gov and irs.gov
	Query to a.ns.gov for irs.gov/DS
	Received 183 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 183 octets ;; HEADER SECTION ;; id = 12869 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DS ;; ANSWER SECTION (2 records) irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20251022023946 20251020003946 35496 gov. ep4VDr1g1L5STn+Y9HGWGDZLvgZHVLMUJccghwvJSb7ObsSPz2RjhDyo6D1+kdJFvsczBvyQhndQ AIprkpT55g== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for irs.gov in the gov zone
	DS=10226/SHA-256 has algorithm RSASHA256
	Found 1 RRSIGs over DS RRset
	`irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20251022023946 20251020003946 35496 gov. ep4VDr1g1L5STn+Y9HGWGDZLvgZHVLMUJccghwvJSb7ObsSPz2RjhDyo6D1+kdJFvsczBvyQhndQ AIprkpT55g== )`
	RRSIG=35496 and DNSKEY=35496 verifies the DS RRset
	DS=10226/SHA-256 is now in the chain-of-trust
	`irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb )`
	Query to ns0227.secondary.cloudflare.com for irs.gov/DNSKEY
	Received 883 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 883 octets ;; HEADER SECTION ;; id = 31576 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DNSKEY ;; ANSWER SECTION (3 records) irs.gov. 10800 IN DNSKEY ( 256 3 8 AwEAAZ2VqyyXQ854U+JDAG18AxbYb0tO6unkeDJ/LvMczamPmLvpqFpYobSxF7A30Mi/6UNh0ESG sdv02ioNMv73GBIuLWqvBwtikhmepOfKPYeCSKA5rVO5UREdlE1yqGK2Ul1GtqgLwurnKkGHsEnp ld1EeSyMhWhMWj7GftfZlSqNnQgfMQofcCMDkVADqf2sItLo7+U25nIP80fvyv0zKqWeJml8jIec srNKoMZU5OT8stjSurLbBnIqdugykUhLyJRgGTZLh3FdZLOxRFaA1ffGmLckQwMMX2XNhBMg75gH DgxWEwE2TSLTJ4/yyyPozQLqWIzvUuWDxHZ72XIZ0jE= ) ; keytag 16671 irs.gov. 10800 IN DNSKEY ( 257 3 8 AwEAAdyBXX4YQk/F+GRZr0fnahrki3+8fXT4xgbeKjhBqtYm4YIaOCYVP2Ld0HOimw2oYC9Hm51w +EPxwVp3Y3Yvb3ldpLnxUmHhzh7cAwxeRbBEoj1s6vxdwhLFrbabhtkB+ZATbBLccRhJSa9hcgLJ HMG+RQ4Q9pXzfJktjS/vutdcXPma0zWUjMk/VEg9o9RQG1BNNYRFJVBWbi6eHbNQc16Skz53jSiU 4dSm5xFK71tAz6gB5YGwlSL/05moLUgTE9PkfZZFhRidK02TDOXof/sxjSTafNXn44NjB4caZfko bDRQHRKlrQNd7MqGtEq5cWTQHJwOdjIEU7Vayefv4Z0= ) ; keytag 10226 irs.gov. 10800 IN RRSIG ( DNSKEY 8 2 10800 20251102175848 20251019162848 10226 irs.gov. Y2RoeL+LlnTW4Ratdr+O66SDJDNjG1et9INoUYFCHyIQO6uTHZBbacI2PMTt7Luvo+g3+KNH10ca YM8IJVLXr0ydb0xqtRjmqw2F8i8IQH8ejIIOcCNDooeCahPL51FsrTceVSMzKZl52ZgfZ2LsUleC ha/jViJ5Xin443a+WpylAPHfPZEjjL/KIwtovkbHyzngWimMUPjesizPGM52Sbecxl5fAwpfWL5U UkoCTnfLJ3zgZ/d1y5whRGis6Tgwn5kenBntI4rD+awIz8H9niMjrpkvrv1rFpDXL+ptwbcnneU8 3LiEMj8tDf0gOIukwSifmMGFwymmQNhmlcFhSg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for irs.gov
	`irs.gov. 10800 IN DNSKEY ( 256 3 8 AwEAAZ2VqyyXQ854U+JDAG18AxbYb0tO6unkeDJ/LvMczamPmLvpqFpYobSxF7A30Mi/6UNh0ESG sdv02ioNMv73GBIuLWqvBwtikhmepOfKPYeCSKA5rVO5UREdlE1yqGK2Ul1GtqgLwurnKkGHsEnp ld1EeSyMhWhMWj7GftfZlSqNnQgfMQofcCMDkVADqf2sItLo7+U25nIP80fvyv0zKqWeJml8jIec srNKoMZU5OT8stjSurLbBnIqdugykUhLyJRgGTZLh3FdZLOxRFaA1ffGmLckQwMMX2XNhBMg75gH DgxWEwE2TSLTJ4/yyyPozQLqWIzvUuWDxHZ72XIZ0jE= ) ; keytag 16671`
	`irs.gov. 10800 IN DNSKEY ( 257 3 8 AwEAAdyBXX4YQk/F+GRZr0fnahrki3+8fXT4xgbeKjhBqtYm4YIaOCYVP2Ld0HOimw2oYC9Hm51w +EPxwVp3Y3Yvb3ldpLnxUmHhzh7cAwxeRbBEoj1s6vxdwhLFrbabhtkB+ZATbBLccRhJSa9hcgLJ HMG+RQ4Q9pXzfJktjS/vutdcXPma0zWUjMk/VEg9o9RQG1BNNYRFJVBWbi6eHbNQc16Skz53jSiU 4dSm5xFK71tAz6gB5YGwlSL/05moLUgTE9PkfZZFhRidK02TDOXof/sxjSTafNXn44NjB4caZfko bDRQHRKlrQNd7MqGtEq5cWTQHJwOdjIEU7Vayefv4Z0= ) ; keytag 10226`
	DNSKEY=10226/SEP is now in the chain-of-trust
	DS=10226/SHA-256 verifies DNSKEY=10226/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`irs.gov. 10800 IN RRSIG ( DNSKEY 8 2 10800 20251102175848 20251019162848 10226 irs.gov. Y2RoeL+LlnTW4Ratdr+O66SDJDNjG1et9INoUYFCHyIQO6uTHZBbacI2PMTt7Luvo+g3+KNH10ca YM8IJVLXr0ydb0xqtRjmqw2F8i8IQH8ejIIOcCNDooeCahPL51FsrTceVSMzKZl52ZgfZ2LsUleC ha/jViJ5Xin443a+WpylAPHfPZEjjL/KIwtovkbHyzngWimMUPjesizPGM52Sbecxl5fAwpfWL5U UkoCTnfLJ3zgZ/d1y5whRGis6Tgwn5kenBntI4rD+awIz8H9niMjrpkvrv1rFpDXL+ptwbcnneU8 3LiEMj8tDf0gOIukwSifmMGFwymmQNhmlcFhSg== )`
	RRSIG=10226 and DNSKEY=10226/SEP verifies the DNSKEY RRset
	DNSKEY=16671 is now in the chain-of-trust
	Query to ns0227.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 363 octets ;; HEADER SECTION ;; id = 1899 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20251102135848 20251019122848 16671 irs.gov. dHZ97GqUWyyBhhffUGXBnm15tI9tgdN62yY/27rbfwnMfCf80OE8pzPS/ptqxsKa+bBmyfjiY4N3 gH2Zn7A1FNc7B7svRxLH15LNulkyjVT/pcEUI0v1BMY7FU4NhkrQkEVkdbYron7f6ul5c4g+3Yyj SCj+CGKwghZhN78g8rL6o8lt9HQ8lcLNGRM+Xepl0Qq3rSD2GkLqCbrfO0Q9VHyAsleqOT3uN2bi msEXshSIv/PnCg4uCq04EXeCVbvyFG6hbhvTqOqhfhYSvYzqG0vBN1PbuUplrtJL9Xi3C5uhCljU cIS6A8YI27iKWAQeBi91w0aqXzgEBtem3PvOLA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns0227.secondary.cloudflare.com is authoritative for irs.gov
	Found RRSIG signed by irs.gov zone
	Query to ns0022.secondary.cloudflare.com for irs.gov/SOA
	Received 401 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 401 octets ;; HEADER SECTION ;; id = 50110 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN SOA ;; ANSWER SECTION (2 records) irs.gov. 900 IN SOA ( ns1.irs.gov. it\.aciouns\.external\.dns\.admin.irs.gov. 2010092946 ;serial 3600 ;refresh 1800 ;retry 2419200 ;expire 900 ;minimum ) irs.gov. 900 IN RRSIG ( SOA 8 2 10800 20251102192307 20251019175307 16671 irs.gov. CrTvKiFXZ3i5i4QyI+4D4xV8P5nk3GqPOpw33d+NcxeH5Os1QtbvDor1yChf6r0T3mFs0dG+0QS5 E370+K05ZL2UHfOMvIgD1uqLSTq/ndLei6Q2uYntqfjCU9Xnzk+yEDz93pX0E8PvRi9khmjc9NBA oQ/fs5ouGjwFwjD3PpAbu0RhggPot9QbuPDSbpozFzUfEN47MeGPUlD6Vp81zLQHCbcUPDJJuZcm QP9iwB3Dc3Xrm8uiq0QppMLOjxI1LF+pbT+sAtnAD0n+lxtgqvUbHT8KjWpfKPpUeaQP2qx6K6Eb hGe9N1Bo2xkDOyHvJ8rQ9LOg7/Wws83aGVZRoQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to ns0227.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 363 octets ;; HEADER SECTION ;; id = 4411 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20251102135848 20251019122848 16671 irs.gov. dHZ97GqUWyyBhhffUGXBnm15tI9tgdN62yY/27rbfwnMfCf80OE8pzPS/ptqxsKa+bBmyfjiY4N3 gH2Zn7A1FNc7B7svRxLH15LNulkyjVT/pcEUI0v1BMY7FU4NhkrQkEVkdbYron7f6ul5c4g+3Yyj SCj+CGKwghZhN78g8rL6o8lt9HQ8lcLNGRM+Xepl0Qq3rSD2GkLqCbrfO0Q9VHyAsleqOT3uN2bi msEXshSIv/PnCg4uCq04EXeCVbvyFG6hbhvTqOqhfhYSvYzqG0vBN1PbuUplrtJL9Xi3C5uhCljU cIS6A8YI27iKWAQeBi91w0aqXzgEBtem3PvOLA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	irs.gov A RR has value 152.216.11.110
	irs.gov A RR has value 152.216.7.110
	Found 1 RRSIGs over A RRset
	`irs.gov. 10800 IN RRSIG ( A 8 2 10800 20251102135848 20251019122848 16671 irs.gov. dHZ97GqUWyyBhhffUGXBnm15tI9tgdN62yY/27rbfwnMfCf80OE8pzPS/ptqxsKa+bBmyfjiY4N3 gH2Zn7A1FNc7B7svRxLH15LNulkyjVT/pcEUI0v1BMY7FU4NhkrQkEVkdbYron7f6ul5c4g+3Yyj SCj+CGKwghZhN78g8rL6o8lt9HQ8lcLNGRM+Xepl0Qq3rSD2GkLqCbrfO0Q9VHyAsleqOT3uN2bi msEXshSIv/PnCg4uCq04EXeCVbvyFG6hbhvTqOqhfhYSvYzqG0vBN1PbuUplrtJL9Xi3C5uhCljU cIS6A8YI27iKWAQeBi91w0aqXzgEBtem3PvOLA== )`
	RRSIG=16671 and DNSKEY=16671 verifies the A RRset

irs.gov

	Query to ns0022.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 363 octets ;; HEADER SECTION ;; id = 59322 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20251102135848 20251019122848 16671 irs.gov. dHZ97GqUWyyBhhffUGXBnm15tI9tgdN62yY/27rbfwnMfCf80OE8pzPS/ptqxsKa+bBmyfjiY4N3 gH2Zn7A1FNc7B7svRxLH15LNulkyjVT/pcEUI0v1BMY7FU4NhkrQkEVkdbYron7f6ul5c4g+3Yyj SCj+CGKwghZhN78g8rL6o8lt9HQ8lcLNGRM+Xepl0Qq3rSD2GkLqCbrfO0Q9VHyAsleqOT3uN2bi msEXshSIv/PnCg4uCq04EXeCVbvyFG6hbhvTqOqhfhYSvYzqG0vBN1PbuUplrtJL9Xi3C5uhCljU cIS6A8YI27iKWAQeBi91w0aqXzgEBtem3PvOLA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns0022.secondary.cloudflare.com is authoritative for irs.gov
	Found RRSIG signed by irs.gov zone
	Query to ns0022.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 363 octets ;; HEADER SECTION ;; id = 14190 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20251102135848 20251019122848 16671 irs.gov. dHZ97GqUWyyBhhffUGXBnm15tI9tgdN62yY/27rbfwnMfCf80OE8pzPS/ptqxsKa+bBmyfjiY4N3 gH2Zn7A1FNc7B7svRxLH15LNulkyjVT/pcEUI0v1BMY7FU4NhkrQkEVkdbYron7f6ul5c4g+3Yyj SCj+CGKwghZhN78g8rL6o8lt9HQ8lcLNGRM+Xepl0Qq3rSD2GkLqCbrfO0Q9VHyAsleqOT3uN2bi msEXshSIv/PnCg4uCq04EXeCVbvyFG6hbhvTqOqhfhYSvYzqG0vBN1PbuUplrtJL9Xi3C5uhCljU cIS6A8YI27iKWAQeBi91w0aqXzgEBtem3PvOLA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	irs.gov A RR has value 152.216.11.110
	irs.gov A RR has value 152.216.7.110
	Found 1 RRSIGs over A RRset
	`irs.gov. 10800 IN RRSIG ( A 8 2 10800 20251102135848 20251019122848 16671 irs.gov. dHZ97GqUWyyBhhffUGXBnm15tI9tgdN62yY/27rbfwnMfCf80OE8pzPS/ptqxsKa+bBmyfjiY4N3 gH2Zn7A1FNc7B7svRxLH15LNulkyjVT/pcEUI0v1BMY7FU4NhkrQkEVkdbYron7f6ul5c4g+3Yyj SCj+CGKwghZhN78g8rL6o8lt9HQ8lcLNGRM+Xepl0Qq3rSD2GkLqCbrfO0Q9VHyAsleqOT3uN2bi msEXshSIv/PnCg4uCq04EXeCVbvyFG6hbhvTqOqhfhYSvYzqG0vBN1PbuUplrtJL9Xi3C5uhCljU cIS6A8YI27iKWAQeBi91w0aqXzgEBtem3PvOLA== )`
	RRSIG=16671 and DNSKEY=16671 verifies the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test irs.gov at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: