DNSSEC Debugger

Domain Name:

Time: 2025-07-12 06:59:00 UTC

Analyzing DNSSEC problems for irs.gov

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to l.root-servers.net for ./DNSKEY
	Received 1414 bytes from 199.7.83.42
	;; Response received from [199.7.83.42] 1414 octets ;; HEADER SECTION ;; id = 12878 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 5 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (5 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAbEbGCpGTDrcZTWqWWE72nphyshpRcILdzCVlBGU9Ln1Fui9kkseUOP+g5GLUeVFKdTloeRT A9+EYiQdXgWXmXmuW/nGxZjAikluF/O9NzLVrr5iZnth2xu+F48nrJlAgWWiMNau54NI5sZ3iVQf hFsq2pZmf43RauRPniYMShOLO7EBWWXr5glDSgZGS9fSm6xHwwF+g8D4m8oanjvdCBNxXzSEKS31 ibxjLifTfvwCg3y4XXcNW9U6Nu3JmoKUdxqpPPIkBvVQbIz4UO2FwaR13uXC03ALP1Yx2QNSS4SZ lcIMtAftQR9wtCiuPWQnFv4jkzWqlhp1Lmf7bcoL9yk= ) ; keytag 53148 . 172800 IN DNSKEY ( 256 3 8 AwEAAbauxLSFZ+KSWi2cT6TJbm3d+GIVqb2N1XnDjMsRme0b6JlGp/cvwmM5CaJ5LQ7tG1r7LuTH jYZadtbNk2nZmclq9r4KInS48ungoAZb0gJXVw8IvBTBb1YWQmiBqD285pJuORwTii7DF++nNJJk 3i55HJt9SmBI7m7t8nvx7OOY/w0inxg3fLH2uY0SKO8he4FGwMc4Ubiab8N8Yhyhh+FkKKdD/+oA cuGF75PjlSXO460B4MlNLlEcjDEzIsKauRYx4YVgSaNomGhMMFblmXRzgW+1R6ywvm5mC9+omlyy izZp2GJfPwGMezuKSGDndO6CYYEc5/lsRhvBYsGjdPM= ) ; keytag 46441 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20250801000000 20250711000000 20326 . WwWSfJzdfRVlUhGNEnrahgVWN54iU6fIm3g0XhxC1f3yxbK7s1iQFZpKwJ0xNQkBeBFA0/sb7N4D nZVn1gdF9F8oOQ5sDllyjewNoDjAgtyN+inLgl9Ta/aK1Tn183K0P0jevWG8MmbIC8TCmbv/SvyD TZK3BIMsQ+HGu8jloGYgIgbliKrG14GtXcF2jcjLFaIT7J1j1pO1ErcUrgd7hmfEC9emCZbDuQAt RQ+mWJL9NNTj6RToAUxA8sI4kEgrslBAzzc6co7TbhediJ/2ya1in+nLTCBHV53oL1JGITWaGwMf lcDwQEkWFJ0dRxhNDkKvuDCRz3VnPaAkDPLrbA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 4 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbEbGCpGTDrcZTWqWWE72nphyshpRcILdzCVlBGU9Ln1Fui9kkseUOP+g5GLUeVFKdTloeRT A9+EYiQdXgWXmXmuW/nGxZjAikluF/O9NzLVrr5iZnth2xu+F48nrJlAgWWiMNau54NI5sZ3iVQf hFsq2pZmf43RauRPniYMShOLO7EBWWXr5glDSgZGS9fSm6xHwwF+g8D4m8oanjvdCBNxXzSEKS31 ibxjLifTfvwCg3y4XXcNW9U6Nu3JmoKUdxqpPPIkBvVQbIz4UO2FwaR13uXC03ALP1Yx2QNSS4SZ lcIMtAftQR9wtCiuPWQnFv4jkzWqlhp1Lmf7bcoL9yk= ) ; keytag 53148`
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbauxLSFZ+KSWi2cT6TJbm3d+GIVqb2N1XnDjMsRme0b6JlGp/cvwmM5CaJ5LQ7tG1r7LuTH jYZadtbNk2nZmclq9r4KInS48ungoAZb0gJXVw8IvBTBb1YWQmiBqD285pJuORwTii7DF++nNJJk 3i55HJt9SmBI7m7t8nvx7OOY/w0inxg3fLH2uY0SKO8he4FGwMc4Ubiab8N8Yhyhh+FkKKdD/+oA cuGF75PjlSXO460B4MlNLlEcjDEzIsKauRYx4YVgSaNomGhMMFblmXRzgW+1R6ywvm5mC9+omlyy izZp2GJfPwGMezuKSGDndO6CYYEc5/lsRhvBYsGjdPM= ) ; keytag 46441`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20250801000000 20250711000000 20326 . WwWSfJzdfRVlUhGNEnrahgVWN54iU6fIm3g0XhxC1f3yxbK7s1iQFZpKwJ0xNQkBeBFA0/sb7N4D nZVn1gdF9F8oOQ5sDllyjewNoDjAgtyN+inLgl9Ta/aK1Tn183K0P0jevWG8MmbIC8TCmbv/SvyD TZK3BIMsQ+HGu8jloGYgIgbliKrG14GtXcF2jcjLFaIT7J1j1pO1ErcUrgd7hmfEC9emCZbDuQAt RQ+mWJL9NNTj6RToAUxA8sI4kEgrslBAzzc6co7TbhediJ/2ya1in+nLTCBHV53oL1JGITWaGwMf lcDwQEkWFJ0dRxhNDkKvuDCRz3VnPaAkDPLrbA== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=53148 is now in the chain-of-trust
	DNSKEY=46441 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	Query to h.root-servers.net for irs.gov/A
	Received 614 bytes from 198.97.190.53
	;; Response received from [198.97.190.53] 614 octets ;; HEADER SECTION ;; id = 62403 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20250725050000 20250712040000 46441 . DEm9vkrj3eEHVgnAcvmJkyDGC1lZSQoyji4ny/alFqNQpsEak2su6Fek2wicNxIy5zpDmLcdabd2 52LdvlAIBJ13LTr4LZUHxjb/ig683o6DohBOyfOBY0hzhN77WAmgGqmTi32SGh4dqjSU27KZcpNm tRBHdm5Ljj7kh0gUBKkUmoSPO9FK9JHo1xzjSU5f2DNZvvQDJeNWmUZ2fatiK7K/TS3B0kPS1gxp u1ti7T9Vgitam2HSkaGezTpCmKZy7lJLjYZ50dclorc3IZvwaySjunbH4961hzO3ZDLSdkHlDgQc k/665I3yAu7H4Ij7E5Xk3/2hT4luYuPqebJBbA== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 b.ns.gov. 172800 IN A 199.33.231.1 c.ns.gov. 172800 IN A 199.33.232.1 d.ns.gov. 172800 IN A 199.33.233.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Query to d.root-servers.net for gov/DNSKEY
	Received 610 bytes from 199.7.91.13
	;; Response received from [199.7.91.13] 610 octets ;; HEADER SECTION ;; id = 51695 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1450, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20250725050000 20250712040000 46441 . DEm9vkrj3eEHVgnAcvmJkyDGC1lZSQoyji4ny/alFqNQpsEak2su6Fek2wicNxIy5zpDmLcdabd2 52LdvlAIBJ13LTr4LZUHxjb/ig683o6DohBOyfOBY0hzhN77WAmgGqmTi32SGh4dqjSU27KZcpNm tRBHdm5Ljj7kh0gUBKkUmoSPO9FK9JHo1xzjSU5f2DNZvvQDJeNWmUZ2fatiK7K/TS3B0kPS1gxp u1ti7T9Vgitam2HSkaGezTpCmKZy7lJLjYZ50dclorc3IZvwaySjunbH4961hzO3ZDLSdkHlDgQc k/665I3yAu7H4Ij7E5Xk3/2hT4luYuPqebJBbA== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 b.ns.gov. 172800 IN A 199.33.231.1 c.ns.gov. 172800 IN A 199.33.232.1 d.ns.gov. 172800 IN A 199.33.233.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Found child zone gov

gov

	Checking DS between . and gov
	Query to c.root-servers.net for gov/DS
	Received 367 bytes from 192.33.4.12
	;; Response received from [192.33.4.12] 367 octets ;; HEADER SECTION ;; id = 53552 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DS ;; ANSWER SECTION (2 records) gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20250725050000 20250712040000 46441 . DEm9vkrj3eEHVgnAcvmJkyDGC1lZSQoyji4ny/alFqNQpsEak2su6Fek2wicNxIy5zpDmLcdabd2 52LdvlAIBJ13LTr4LZUHxjb/ig683o6DohBOyfOBY0hzhN77WAmgGqmTi32SGh4dqjSU27KZcpNm tRBHdm5Ljj7kh0gUBKkUmoSPO9FK9JHo1xzjSU5f2DNZvvQDJeNWmUZ2fatiK7K/TS3B0kPS1gxp u1ti7T9Vgitam2HSkaGezTpCmKZy7lJLjYZ50dclorc3IZvwaySjunbH4961hzO3ZDLSdkHlDgQc k/665I3yAu7H4Ij7E5Xk3/2hT4luYuPqebJBbA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for gov in the . zone
	DS=2536/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`gov. 86400 IN RRSIG ( DS 8 1 86400 20250725050000 20250712040000 46441 . DEm9vkrj3eEHVgnAcvmJkyDGC1lZSQoyji4ny/alFqNQpsEak2su6Fek2wicNxIy5zpDmLcdabd2 52LdvlAIBJ13LTr4LZUHxjb/ig683o6DohBOyfOBY0hzhN77WAmgGqmTi32SGh4dqjSU27KZcpNm tRBHdm5Ljj7kh0gUBKkUmoSPO9FK9JHo1xzjSU5f2DNZvvQDJeNWmUZ2fatiK7K/TS3B0kPS1gxp u1ti7T9Vgitam2HSkaGezTpCmKZy7lJLjYZ50dclorc3IZvwaySjunbH4961hzO3ZDLSdkHlDgQc k/665I3yAu7H4Ij7E5Xk3/2hT4luYuPqebJBbA== )`
	RRSIG=46441 and DNSKEY=46441 verifies the DS RRset
	DS=2536/SHA-256 is now in the chain-of-trust
	`gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 )`
	Query to d.ns.gov for gov/DNSKEY
	Received 291 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 291 octets ;; HEADER SECTION ;; id = 44332 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (3 records) gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536 gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496 gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20250821110604 20250621110604 2536 gov. n6svyrR3H3gY3Fie3fgekD6gXenvEpExK1GXpXb0NxWZW3AHyD02jwlrZecgESKHXU9ydtsw6ibM Y9FOlT+89A== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for gov
	`gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536`
	`gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496`
	DNSKEY=2536/SEP is now in the chain-of-trust
	DS=2536/SHA-256 verifies DNSKEY=2536/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20250821110604 20250621110604 2536 gov. n6svyrR3H3gY3Fie3fgekD6gXenvEpExK1GXpXb0NxWZW3AHyD02jwlrZecgESKHXU9ydtsw6ibM Y9FOlT+89A== )`
	RRSIG=2536 and DNSKEY=2536/SEP verifies the DNSKEY RRset
	DNSKEY=35496 is now in the chain-of-trust
	Query to c.ns.gov for irs.gov/A
	Received 249 bytes from 199.33.232.1
	;; Response received from [199.33.232.1] 249 octets ;; HEADER SECTION ;; id = 28087 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) irs.gov. 10800 IN NS ns0022.secondary.cloudflare.com. irs.gov. 10800 IN NS ns0227.secondary.cloudflare.com. irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20250713075900 20250711055900 35496 gov. FtGBAs+GLuYyZQOJzsPC0WGpkvZEgaTBMbQutgLb15ZUjUjsJhKe9JWgB3y5gE9vu/O/z70Ch3NR nnIFzDfLgw== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to a.ns.gov for irs.gov/DNSKEY
	Received 249 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 249 octets ;; HEADER SECTION ;; id = 5523 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) irs.gov. 10800 IN NS ns0022.secondary.cloudflare.com. irs.gov. 10800 IN NS ns0227.secondary.cloudflare.com. irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20250713075900 20250711055900 35496 gov. 29WI+an25LL1tIrz86SceRMOnBz5oxz73j/WC3Y7hwCv7OZNTudVFlg/8IYKJquLqQ+2apieBSrb 01WJWqENkA== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone irs.gov

irs.gov

	Checking DS between gov and irs.gov
	Query to c.ns.gov for irs.gov/DS
	Received 183 bytes from 199.33.232.1
	;; Response received from [199.33.232.1] 183 octets ;; HEADER SECTION ;; id = 39812 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DS ;; ANSWER SECTION (2 records) irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20250713075900 20250711055900 35496 gov. KqQ9GpfDDK2sRqpm+/I7Q09EmacR6i/q9UmUvcs/A0H8UXmVBgP3UiyJC5JOxVzvCQdpyulVErGt DbbA6V9EKg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for irs.gov in the gov zone
	DS=10226/SHA-256 has algorithm RSASHA256
	Found 1 RRSIGs over DS RRset
	`irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20250713075900 20250711055900 35496 gov. KqQ9GpfDDK2sRqpm+/I7Q09EmacR6i/q9UmUvcs/A0H8UXmVBgP3UiyJC5JOxVzvCQdpyulVErGt DbbA6V9EKg== )`
	RRSIG=35496 and DNSKEY=35496 verifies the DS RRset
	DS=10226/SHA-256 is now in the chain-of-trust
	`irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb )`
	Query to ns0227.secondary.cloudflare.com for irs.gov/DNSKEY
	Received 883 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 883 octets ;; HEADER SECTION ;; id = 6943 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DNSKEY ;; ANSWER SECTION (3 records) irs.gov. 10800 IN DNSKEY ( 256 3 8 AwEAAazo0KPr0tWuD5uaxvxU+hMe17gQQC/fy933IaFfv5SOmm13oTcqzuAn2p1n/5+JyIk4Otni 0UIFWZFIrlGMkeqPb6av/71BGnUK9AIlL0lrBNnkFMt0Fi3fG4c0vX43LXpL/Y7j0WmGcQVaqBEw tl9/rrGeHWJaUMMuIOIY2QQekmL7PaMbTi1ax1B3eZuvO5Fm8Jg9L6S8CVK4/D6somt7y5EXBY3e /EFYfSZ72jKSQ25uv/jVMU44R14vxf8Y1f7dm8jE00cF+DYDCL22cS93TPQAt6GwIs7cK+Mk2CcU 5jn6nlq0C7B1a8RnHK/ZEnbcUtPIcxf3ec7NYxhRBvM= ) ; keytag 39361 irs.gov. 10800 IN DNSKEY ( 257 3 8 AwEAAdyBXX4YQk/F+GRZr0fnahrki3+8fXT4xgbeKjhBqtYm4YIaOCYVP2Ld0HOimw2oYC9Hm51w +EPxwVp3Y3Yvb3ldpLnxUmHhzh7cAwxeRbBEoj1s6vxdwhLFrbabhtkB+ZATbBLccRhJSa9hcgLJ HMG+RQ4Q9pXzfJktjS/vutdcXPma0zWUjMk/VEg9o9RQG1BNNYRFJVBWbi6eHbNQc16Skz53jSiU 4dSm5xFK71tAz6gB5YGwlSL/05moLUgTE9PkfZZFhRidK02TDOXof/sxjSTafNXn44NjB4caZfko bDRQHRKlrQNd7MqGtEq5cWTQHJwOdjIEU7Vayefv4Z0= ) ; keytag 10226 irs.gov. 10800 IN RRSIG ( DNSKEY 8 2 10800 20250723055844 20250709042844 10226 irs.gov. E8maukT+6uQskhxOAHKLBx/29gr8o92KsOmAW0BOqk0KJZ9TPBf8g4ghfIxoSVm6ypis6XZpZL+o JWj3DOb3jSxCHbkFIAj0FGEcP0bc6taJunAcnHLK+XHVXbfqR/KSa9ghA5G3RfHbcrNwayyGuPAs RCreBMbu+k7esX/1USVtoUhzT6LnvQj0NreTha2Lijzr1mp80FLV2GpySA2OIPzTjWEamfVwgNIk zDWxwC//CpLDPj0C4dx7Kh660HvhoOCsQkmMqokX4n3FrXAdSDj5U9w7RJeo2fcEKyJk075ITHTN /s2t0IYEhXlr9HAOPASHs92NvO00trk7Mw2tkg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for irs.gov
	`irs.gov. 10800 IN DNSKEY ( 256 3 8 AwEAAazo0KPr0tWuD5uaxvxU+hMe17gQQC/fy933IaFfv5SOmm13oTcqzuAn2p1n/5+JyIk4Otni 0UIFWZFIrlGMkeqPb6av/71BGnUK9AIlL0lrBNnkFMt0Fi3fG4c0vX43LXpL/Y7j0WmGcQVaqBEw tl9/rrGeHWJaUMMuIOIY2QQekmL7PaMbTi1ax1B3eZuvO5Fm8Jg9L6S8CVK4/D6somt7y5EXBY3e /EFYfSZ72jKSQ25uv/jVMU44R14vxf8Y1f7dm8jE00cF+DYDCL22cS93TPQAt6GwIs7cK+Mk2CcU 5jn6nlq0C7B1a8RnHK/ZEnbcUtPIcxf3ec7NYxhRBvM= ) ; keytag 39361`
	`irs.gov. 10800 IN DNSKEY ( 257 3 8 AwEAAdyBXX4YQk/F+GRZr0fnahrki3+8fXT4xgbeKjhBqtYm4YIaOCYVP2Ld0HOimw2oYC9Hm51w +EPxwVp3Y3Yvb3ldpLnxUmHhzh7cAwxeRbBEoj1s6vxdwhLFrbabhtkB+ZATbBLccRhJSa9hcgLJ HMG+RQ4Q9pXzfJktjS/vutdcXPma0zWUjMk/VEg9o9RQG1BNNYRFJVBWbi6eHbNQc16Skz53jSiU 4dSm5xFK71tAz6gB5YGwlSL/05moLUgTE9PkfZZFhRidK02TDOXof/sxjSTafNXn44NjB4caZfko bDRQHRKlrQNd7MqGtEq5cWTQHJwOdjIEU7Vayefv4Z0= ) ; keytag 10226`
	DNSKEY=10226/SEP is now in the chain-of-trust
	DS=10226/SHA-256 verifies DNSKEY=10226/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`irs.gov. 10800 IN RRSIG ( DNSKEY 8 2 10800 20250723055844 20250709042844 10226 irs.gov. E8maukT+6uQskhxOAHKLBx/29gr8o92KsOmAW0BOqk0KJZ9TPBf8g4ghfIxoSVm6ypis6XZpZL+o JWj3DOb3jSxCHbkFIAj0FGEcP0bc6taJunAcnHLK+XHVXbfqR/KSa9ghA5G3RfHbcrNwayyGuPAs RCreBMbu+k7esX/1USVtoUhzT6LnvQj0NreTha2Lijzr1mp80FLV2GpySA2OIPzTjWEamfVwgNIk zDWxwC//CpLDPj0C4dx7Kh660HvhoOCsQkmMqokX4n3FrXAdSDj5U9w7RJeo2fcEKyJk075ITHTN /s2t0IYEhXlr9HAOPASHs92NvO00trk7Mw2tkg== )`
	RRSIG=10226 and DNSKEY=10226/SEP verifies the DNSKEY RRset
	DNSKEY=39361 is now in the chain-of-trust
	Query to ns0227.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 363 octets ;; HEADER SECTION ;; id = 15781 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250723015844 20250709002844 39361 irs.gov. RJItnfQMRt0CwNefcnIN/RfJnv+AFommfekGMCWuN+p06Jk9HJIGnW7UCSuD7lNbUJ7cGi7eOo7A KeDgMw7GW7QXRXMosLgDd3cLaYJdOKDVuWAJzXDCwLTPCUaDRUVLBOxoSARw2fjg9R1XYAGTmcla RPi4ru3FENP+q2actPpz7ZbMEGBLbY4bUxmqY8YKUlK2Neocg2c533e2UHz+jn0ynnlGDRoP+Zjm l1l6QOGPH80zz+D6f6lThpvYXz4remwYl9avf0g11AbHDKw4Vnz2JQt/4ZHdaxFXRzna7vf045fS he8d4w0mL8ResDxUKPt9rWxBZCcvjX7d8hwYqw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns0227.secondary.cloudflare.com is authoritative for irs.gov
	Found RRSIG signed by irs.gov zone
	Query to ns0022.secondary.cloudflare.com for irs.gov/SOA
	Received 401 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 401 octets ;; HEADER SECTION ;; id = 23004 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN SOA ;; ANSWER SECTION (2 records) irs.gov. 900 IN SOA ( ns1.irs.gov. it\.aciouns\.external\.dns\.admin.irs.gov. 2010092830 ;serial 3600 ;refresh 1800 ;retry 2419200 ;expire 900 ;minimum ) irs.gov. 900 IN RRSIG ( SOA 8 2 10800 20250723055844 20250709042844 39361 irs.gov. b5vccplymgg4ltiH+6yAU+jk51kHicc00lnUn3Q1N6vefuqZlYmIkFMVyb9Rg3cjMofbZw2KSvA9 r/MrWCaVA4XUERGczkX555yXNvhoeJNDp0GenF11AGQS5e8lD/nUrycX16S42lpuJ14icwIuAOxt sE5/RiIDsEYZW73lknZhbhUfstFOS3Z+D5/3ffZaurgdExYul8zwSu3PsxwnRmfVmLDHDD2dOX8T 8s8PEqoVLcEOEV65Ecwebpc5tgCTzyWKQaPzXygQY0wArWdZ1ZLm1nqiMPgxAhI6wB+vID6WNZfM hGJz7X/MaEHHPS50OzIRwPXV8QxRjczdD66XJQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to ns0227.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 363 octets ;; HEADER SECTION ;; id = 16261 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250723015844 20250709002844 39361 irs.gov. RJItnfQMRt0CwNefcnIN/RfJnv+AFommfekGMCWuN+p06Jk9HJIGnW7UCSuD7lNbUJ7cGi7eOo7A KeDgMw7GW7QXRXMosLgDd3cLaYJdOKDVuWAJzXDCwLTPCUaDRUVLBOxoSARw2fjg9R1XYAGTmcla RPi4ru3FENP+q2actPpz7ZbMEGBLbY4bUxmqY8YKUlK2Neocg2c533e2UHz+jn0ynnlGDRoP+Zjm l1l6QOGPH80zz+D6f6lThpvYXz4remwYl9avf0g11AbHDKw4Vnz2JQt/4ZHdaxFXRzna7vf045fS he8d4w0mL8ResDxUKPt9rWxBZCcvjX7d8hwYqw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	irs.gov A RR has value 152.216.7.110
	irs.gov A RR has value 152.216.11.110
	Found 1 RRSIGs over A RRset
	`irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250723015844 20250709002844 39361 irs.gov. RJItnfQMRt0CwNefcnIN/RfJnv+AFommfekGMCWuN+p06Jk9HJIGnW7UCSuD7lNbUJ7cGi7eOo7A KeDgMw7GW7QXRXMosLgDd3cLaYJdOKDVuWAJzXDCwLTPCUaDRUVLBOxoSARw2fjg9R1XYAGTmcla RPi4ru3FENP+q2actPpz7ZbMEGBLbY4bUxmqY8YKUlK2Neocg2c533e2UHz+jn0ynnlGDRoP+Zjm l1l6QOGPH80zz+D6f6lThpvYXz4remwYl9avf0g11AbHDKw4Vnz2JQt/4ZHdaxFXRzna7vf045fS he8d4w0mL8ResDxUKPt9rWxBZCcvjX7d8hwYqw== )`
	RRSIG=39361 and DNSKEY=39361 verifies the A RRset

irs.gov

	Query to ns0022.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 363 octets ;; HEADER SECTION ;; id = 64652 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250723015844 20250709002844 39361 irs.gov. RJItnfQMRt0CwNefcnIN/RfJnv+AFommfekGMCWuN+p06Jk9HJIGnW7UCSuD7lNbUJ7cGi7eOo7A KeDgMw7GW7QXRXMosLgDd3cLaYJdOKDVuWAJzXDCwLTPCUaDRUVLBOxoSARw2fjg9R1XYAGTmcla RPi4ru3FENP+q2actPpz7ZbMEGBLbY4bUxmqY8YKUlK2Neocg2c533e2UHz+jn0ynnlGDRoP+Zjm l1l6QOGPH80zz+D6f6lThpvYXz4remwYl9avf0g11AbHDKw4Vnz2JQt/4ZHdaxFXRzna7vf045fS he8d4w0mL8ResDxUKPt9rWxBZCcvjX7d8hwYqw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns0022.secondary.cloudflare.com is authoritative for irs.gov
	Found RRSIG signed by irs.gov zone
	Query to ns0022.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 363 octets ;; HEADER SECTION ;; id = 17446 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250723015844 20250709002844 39361 irs.gov. RJItnfQMRt0CwNefcnIN/RfJnv+AFommfekGMCWuN+p06Jk9HJIGnW7UCSuD7lNbUJ7cGi7eOo7A KeDgMw7GW7QXRXMosLgDd3cLaYJdOKDVuWAJzXDCwLTPCUaDRUVLBOxoSARw2fjg9R1XYAGTmcla RPi4ru3FENP+q2actPpz7ZbMEGBLbY4bUxmqY8YKUlK2Neocg2c533e2UHz+jn0ynnlGDRoP+Zjm l1l6QOGPH80zz+D6f6lThpvYXz4remwYl9avf0g11AbHDKw4Vnz2JQt/4ZHdaxFXRzna7vf045fS he8d4w0mL8ResDxUKPt9rWxBZCcvjX7d8hwYqw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	irs.gov A RR has value 152.216.11.110
	irs.gov A RR has value 152.216.7.110
	Found 1 RRSIGs over A RRset
	`irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250723015844 20250709002844 39361 irs.gov. RJItnfQMRt0CwNefcnIN/RfJnv+AFommfekGMCWuN+p06Jk9HJIGnW7UCSuD7lNbUJ7cGi7eOo7A KeDgMw7GW7QXRXMosLgDd3cLaYJdOKDVuWAJzXDCwLTPCUaDRUVLBOxoSARw2fjg9R1XYAGTmcla RPi4ru3FENP+q2actPpz7ZbMEGBLbY4bUxmqY8YKUlK2Neocg2c533e2UHz+jn0ynnlGDRoP+Zjm l1l6QOGPH80zz+D6f6lThpvYXz4remwYl9avf0g11AbHDKw4Vnz2JQt/4ZHdaxFXRzna7vf045fS he8d4w0mL8ResDxUKPt9rWxBZCcvjX7d8hwYqw== )`
	RRSIG=39361 and DNSKEY=39361 verifies the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test irs.gov at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: