DNSSEC Debugger

Domain Name:

Time: 2025-09-17 19:41:00 UTC

Analyzing DNSSEC problems for irs.gov

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to i.root-servers.net for ./DNSKEY
	Received 1417 bytes from 192.36.148.17
	;; Response received from [192.36.148.17] 1417 octets ;; HEADER SECTION ;; id = 29032 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 5 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (5 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAbauxLSFZ+KSWi2cT6TJbm3d+GIVqb2N1XnDjMsRme0b6JlGp/cvwmM5CaJ5LQ7tG1r7LuTH jYZadtbNk2nZmclq9r4KInS48ungoAZb0gJXVw8IvBTBb1YWQmiBqD285pJuORwTii7DF++nNJJk 3i55HJt9SmBI7m7t8nvx7OOY/w0inxg3fLH2uY0SKO8he4FGwMc4Ubiab8N8Yhyhh+FkKKdD/+oA cuGF75PjlSXO460B4MlNLlEcjDEzIsKauRYx4YVgSaNomGhMMFblmXRzgW+1R6ywvm5mC9+omlyy izZp2GJfPwGMezuKSGDndO6CYYEc5/lsRhvBYsGjdPM= ) ; keytag 46441 . 172800 IN DNSKEY ( 256 3 8 AwEAAbEbGCpGTDrcZTWqWWE72nphyshpRcILdzCVlBGU9Ln1Fui9kkseUOP+g5GLUeVFKdTloeRT A9+EYiQdXgWXmXmuW/nGxZjAikluF/O9NzLVrr5iZnth2xu+F48nrJlAgWWiMNau54NI5sZ3iVQf hFsq2pZmf43RauRPniYMShOLO7EBWWXr5glDSgZGS9fSm6xHwwF+g8D4m8oanjvdCBNxXzSEKS31 ibxjLifTfvwCg3y4XXcNW9U6Nu3JmoKUdxqpPPIkBvVQbIz4UO2FwaR13uXC03ALP1Yx2QNSS4SZ lcIMtAftQR9wtCiuPWQnFv4jkzWqlhp1Lmf7bcoL9yk= ) ; keytag 53148 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20250930000000 20250909000000 20326 . aqj52+DKW6PhTa31l3xyxa0lbMd8T/UyK1sNUC42EY1+cSp0hSC0VlW82RsWYU5G5NmewrInT/Sx glWFlFz94yVqiKAK7ZNQr94nRbA7okrrlfnloiBi3cQ1IvEUgvNcmlZMLTeA6rINvdcBwS7ljMOH m0vQDce9IOxhQT7iAu23oiNORw5nWG/npNkYRFDD4yQvD3HsNeXFTuyDuc57ZEjs/pnIG5nkcqx7 tp/ba3XbOGllDr/V/0ubak7OeWum1eckIljqUsx5BnfBfIA7rJ2JJBIT7JMJ/O/cflTKoJFHQoKG TVYrNVBq9vsnZ01Q4ss688IvI8vO3zkP6LQLEA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 4 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbauxLSFZ+KSWi2cT6TJbm3d+GIVqb2N1XnDjMsRme0b6JlGp/cvwmM5CaJ5LQ7tG1r7LuTH jYZadtbNk2nZmclq9r4KInS48ungoAZb0gJXVw8IvBTBb1YWQmiBqD285pJuORwTii7DF++nNJJk 3i55HJt9SmBI7m7t8nvx7OOY/w0inxg3fLH2uY0SKO8he4FGwMc4Ubiab8N8Yhyhh+FkKKdD/+oA cuGF75PjlSXO460B4MlNLlEcjDEzIsKauRYx4YVgSaNomGhMMFblmXRzgW+1R6ywvm5mC9+omlyy izZp2GJfPwGMezuKSGDndO6CYYEc5/lsRhvBYsGjdPM= ) ; keytag 46441`
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbEbGCpGTDrcZTWqWWE72nphyshpRcILdzCVlBGU9Ln1Fui9kkseUOP+g5GLUeVFKdTloeRT A9+EYiQdXgWXmXmuW/nGxZjAikluF/O9NzLVrr5iZnth2xu+F48nrJlAgWWiMNau54NI5sZ3iVQf hFsq2pZmf43RauRPniYMShOLO7EBWWXr5glDSgZGS9fSm6xHwwF+g8D4m8oanjvdCBNxXzSEKS31 ibxjLifTfvwCg3y4XXcNW9U6Nu3JmoKUdxqpPPIkBvVQbIz4UO2FwaR13uXC03ALP1Yx2QNSS4SZ lcIMtAftQR9wtCiuPWQnFv4jkzWqlhp1Lmf7bcoL9yk= ) ; keytag 53148`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20250930000000 20250909000000 20326 . aqj52+DKW6PhTa31l3xyxa0lbMd8T/UyK1sNUC42EY1+cSp0hSC0VlW82RsWYU5G5NmewrInT/Sx glWFlFz94yVqiKAK7ZNQr94nRbA7okrrlfnloiBi3cQ1IvEUgvNcmlZMLTeA6rINvdcBwS7ljMOH m0vQDce9IOxhQT7iAu23oiNORw5nWG/npNkYRFDD4yQvD3HsNeXFTuyDuc57ZEjs/pnIG5nkcqx7 tp/ba3XbOGllDr/V/0ubak7OeWum1eckIljqUsx5BnfBfIA7rJ2JJBIT7JMJ/O/cflTKoJFHQoKG TVYrNVBq9vsnZ01Q4ss688IvI8vO3zkP6LQLEA== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=46441 is now in the chain-of-trust
	DNSKEY=53148 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	Query to c.root-servers.net for irs.gov/A
	Received 617 bytes from 192.33.4.12
	;; Response received from [192.33.4.12] 617 octets ;; HEADER SECTION ;; id = 4445 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20250930170000 20250917160000 46441 . AwbNY+voMl1OUTjSvUErAS5G/ScBk7y9kbl6u+4NsdnPdJe5RsPLVUMRn5bLmCFkT/13f+CSwvPT P4HvbqtehnLMfpwXI1tXWoZBdwbySOQaMWoehRg6BXlpIEQDdTMEcm0Um6Q0d2Kd0C6Myjrx927O nDxSkBOLcggqZRZdvFw+VPfPo/LJxi77dlNLKYAE9FFLotskc/dIEmEaArEfwud7prMIlu87iLAn XejqdNM8qWfccK5/AGjgYfvzKx44a3iCT2yT4kapWNeYpEep5a0pqQMBRfLMHlWmGRqcGmBlkjaL 6mPI4sQNxG8IJ1Pyf0i3QODtlwZ5l5Wwmwr7Lw== ) ;; ADDITIONAL SECTION (9 records) d.ns.gov. 172800 IN A 199.33.233.1 c.ns.gov. 172800 IN A 199.33.232.1 b.ns.gov. 172800 IN A 199.33.231.1 a.ns.gov. 172800 IN A 199.33.230.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 ;; { "EDNS-VERSION": 0 }
	Query to d.root-servers.net for gov/DNSKEY
	Received 610 bytes from 199.7.91.13
	;; Response received from [199.7.91.13] 610 octets ;; HEADER SECTION ;; id = 990 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1450, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20250930170000 20250917160000 46441 . AwbNY+voMl1OUTjSvUErAS5G/ScBk7y9kbl6u+4NsdnPdJe5RsPLVUMRn5bLmCFkT/13f+CSwvPT P4HvbqtehnLMfpwXI1tXWoZBdwbySOQaMWoehRg6BXlpIEQDdTMEcm0Um6Q0d2Kd0C6Myjrx927O nDxSkBOLcggqZRZdvFw+VPfPo/LJxi77dlNLKYAE9FFLotskc/dIEmEaArEfwud7prMIlu87iLAn XejqdNM8qWfccK5/AGjgYfvzKx44a3iCT2yT4kapWNeYpEep5a0pqQMBRfLMHlWmGRqcGmBlkjaL 6mPI4sQNxG8IJ1Pyf0i3QODtlwZ5l5Wwmwr7Lw== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 b.ns.gov. 172800 IN A 199.33.231.1 c.ns.gov. 172800 IN A 199.33.232.1 d.ns.gov. 172800 IN A 199.33.233.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Found child zone gov

gov

	Checking DS between . and gov
	Query to a.root-servers.net for gov/DS
	Received 367 bytes from 198.41.0.4
	;; Response received from [198.41.0.4] 367 octets ;; HEADER SECTION ;; id = 2308 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DS ;; ANSWER SECTION (2 records) gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20250930170000 20250917160000 46441 . AwbNY+voMl1OUTjSvUErAS5G/ScBk7y9kbl6u+4NsdnPdJe5RsPLVUMRn5bLmCFkT/13f+CSwvPT P4HvbqtehnLMfpwXI1tXWoZBdwbySOQaMWoehRg6BXlpIEQDdTMEcm0Um6Q0d2Kd0C6Myjrx927O nDxSkBOLcggqZRZdvFw+VPfPo/LJxi77dlNLKYAE9FFLotskc/dIEmEaArEfwud7prMIlu87iLAn XejqdNM8qWfccK5/AGjgYfvzKx44a3iCT2yT4kapWNeYpEep5a0pqQMBRfLMHlWmGRqcGmBlkjaL 6mPI4sQNxG8IJ1Pyf0i3QODtlwZ5l5Wwmwr7Lw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for gov in the . zone
	DS=2536/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`gov. 86400 IN RRSIG ( DS 8 1 86400 20250930170000 20250917160000 46441 . AwbNY+voMl1OUTjSvUErAS5G/ScBk7y9kbl6u+4NsdnPdJe5RsPLVUMRn5bLmCFkT/13f+CSwvPT P4HvbqtehnLMfpwXI1tXWoZBdwbySOQaMWoehRg6BXlpIEQDdTMEcm0Um6Q0d2Kd0C6Myjrx927O nDxSkBOLcggqZRZdvFw+VPfPo/LJxi77dlNLKYAE9FFLotskc/dIEmEaArEfwud7prMIlu87iLAn XejqdNM8qWfccK5/AGjgYfvzKx44a3iCT2yT4kapWNeYpEep5a0pqQMBRfLMHlWmGRqcGmBlkjaL 6mPI4sQNxG8IJ1Pyf0i3QODtlwZ5l5Wwmwr7Lw== )`
	RRSIG=46441 and DNSKEY=46441 verifies the DS RRset
	DS=2536/SHA-256 is now in the chain-of-trust
	`gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 )`
	Query to d.ns.gov for gov/DNSKEY
	Received 291 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 291 octets ;; HEADER SECTION ;; id = 24921 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (3 records) gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536 gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496 gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20251101110613 20250901110613 2536 gov. D1H2/lQxqi95pn45IcLLiEhJqLj7xvGsuBj73AYEAzqX48/P7GQMRCj7rQAOTEwKoZaj70cVbIvD dPV4T5L9mw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for gov
	`gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536`
	`gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496`
	DNSKEY=2536/SEP is now in the chain-of-trust
	DS=2536/SHA-256 verifies DNSKEY=2536/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20251101110613 20250901110613 2536 gov. D1H2/lQxqi95pn45IcLLiEhJqLj7xvGsuBj73AYEAzqX48/P7GQMRCj7rQAOTEwKoZaj70cVbIvD dPV4T5L9mw== )`
	RRSIG=2536 and DNSKEY=2536/SEP verifies the DNSKEY RRset
	DNSKEY=35496 is now in the chain-of-trust
	Query to d.ns.gov for irs.gov/A
	Received 249 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 249 octets ;; HEADER SECTION ;; id = 49586 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) irs.gov. 10800 IN NS ns0022.secondary.cloudflare.com. irs.gov. 10800 IN NS ns0227.secondary.cloudflare.com. irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20250918204100 20250916184100 35496 gov. T3aOcZwoW887knl1a+rQ2JjLlzkfk9CzpUe0Dv/Xa9qwZDO9PVBRWyy51tyFURYSugqX7Z3nCWz3 KfXBBDPIkQ== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to d.ns.gov for irs.gov/DNSKEY
	Received 249 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 249 octets ;; HEADER SECTION ;; id = 41473 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) irs.gov. 10800 IN NS ns0022.secondary.cloudflare.com. irs.gov. 10800 IN NS ns0227.secondary.cloudflare.com. irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20250918204100 20250916184100 35496 gov. TT/A5RDcJX/pCp50qSQ2Tb0edgY/HP3VBe74x7uewXMiKX82O6Kwl5urbuiWwWdsGO9DzIaY5niX wnoLKZHbjQ== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone irs.gov

irs.gov

	Checking DS between gov and irs.gov
	Query to b.ns.gov for irs.gov/DS
	Received 183 bytes from 199.33.231.1
	;; Response received from [199.33.231.1] 183 octets ;; HEADER SECTION ;; id = 45241 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DS ;; ANSWER SECTION (2 records) irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb ) irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20250918204100 20250916184100 35496 gov. VZKl3A4fZ3NJ/FqrhhYuuyHQmbcev3jR44Jn22rFPKKrWPMeGf02dyUopB+GCDy9uSGvKLDyhK6z EXiwb3SvOQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for irs.gov in the gov zone
	DS=10226/SHA-256 has algorithm RSASHA256
	Found 1 RRSIGs over DS RRset
	`irs.gov. 3600 IN RRSIG ( DS 13 2 3600 20250918204100 20250916184100 35496 gov. VZKl3A4fZ3NJ/FqrhhYuuyHQmbcev3jR44Jn22rFPKKrWPMeGf02dyUopB+GCDy9uSGvKLDyhK6z EXiwb3SvOQ== )`
	RRSIG=35496 and DNSKEY=35496 verifies the DS RRset
	DS=10226/SHA-256 is now in the chain-of-trust
	`irs.gov. 3600 IN DS ( 10226 8 2 c94f81e17566ebb0aca0227e07297e9b3236b9dcafc018bbe72ce0c9229630bb )`
	Query to ns0022.secondary.cloudflare.com for irs.gov/DNSKEY
	Received 883 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 883 octets ;; HEADER SECTION ;; id = 12071 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN DNSKEY ;; ANSWER SECTION (3 records) irs.gov. 10800 IN DNSKEY ( 256 3 8 AwEAAafmnkoz7lMbmJre7erAjopeKMKH4lTbMULh1HfM3NSBMzO4GqpXCqvSZyFSE30AI+HhCrbP 7ToD912T5TCbpLfykzX+Ydynn4PkO9nk3eNVcfEHAkc1lE8vyuQRQ280c+tfRLqEYXFYvJW0NAV+ zbi4muAO+HxTtShPBcERNt1dd1xryrYS74RgxEmPYxDRsU/4O8xEnUiPm5qB7cfTYJ0XBIKqS0k6 jEyKnwyYArmp5Tm3AX/L12ejWExZTga3pQ2rjrElI4Hs0eIFHcIHD0NiOEuDJlcmDSd88k5G09uH v0+C+lyVpKOzK8bp5aNaVsHDkC9g0mOiVCbD/Xh+id0= ) ; keytag 48424 irs.gov. 10800 IN DNSKEY ( 257 3 8 AwEAAdyBXX4YQk/F+GRZr0fnahrki3+8fXT4xgbeKjhBqtYm4YIaOCYVP2Ld0HOimw2oYC9Hm51w +EPxwVp3Y3Yvb3ldpLnxUmHhzh7cAwxeRbBEoj1s6vxdwhLFrbabhtkB+ZATbBLccRhJSa9hcgLJ HMG+RQ4Q9pXzfJktjS/vutdcXPma0zWUjMk/VEg9o9RQG1BNNYRFJVBWbi6eHbNQc16Skz53jSiU 4dSm5xFK71tAz6gB5YGwlSL/05moLUgTE9PkfZZFhRidK02TDOXof/sxjSTafNXn44NjB4caZfko bDRQHRKlrQNd7MqGtEq5cWTQHJwOdjIEU7Vayefv4Z0= ) ; keytag 10226 irs.gov. 10800 IN RRSIG ( DNSKEY 8 2 10800 20250929135848 20250915122848 10226 irs.gov. ztmdtSzRDCVYMYgphYlIzlLvXZW5hMFA3RNgWSQhJUvoKgDNlwWv6RGT1diKzV8p9v+geYQjyiPe pcXGKeYebcfWg00SvrlGB6WMR+Dlaujbwop1fcupGVmuPmO4SopQ0CP5j43CXOtZzhDd6KLLmzTS 6KYE+1PSm4f1vGjKIITdemd2dvsPt7zWYGqH3ffSrtL5CzCK/eHgFkaDtfMKCEAXeLFqSqIIjIhN bWPqVfxiiGRiAvS2BYkmcwvUQxVE8vVmexIJ2gJCGoh9s0Gawdk4fd98cxl402/SE4D7g+PF1JGU qYnU8QYd4bdI+YEqBPR7cl5znUitftMZ3kfSFQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for irs.gov
	`irs.gov. 10800 IN DNSKEY ( 256 3 8 AwEAAafmnkoz7lMbmJre7erAjopeKMKH4lTbMULh1HfM3NSBMzO4GqpXCqvSZyFSE30AI+HhCrbP 7ToD912T5TCbpLfykzX+Ydynn4PkO9nk3eNVcfEHAkc1lE8vyuQRQ280c+tfRLqEYXFYvJW0NAV+ zbi4muAO+HxTtShPBcERNt1dd1xryrYS74RgxEmPYxDRsU/4O8xEnUiPm5qB7cfTYJ0XBIKqS0k6 jEyKnwyYArmp5Tm3AX/L12ejWExZTga3pQ2rjrElI4Hs0eIFHcIHD0NiOEuDJlcmDSd88k5G09uH v0+C+lyVpKOzK8bp5aNaVsHDkC9g0mOiVCbD/Xh+id0= ) ; keytag 48424`
	`irs.gov. 10800 IN DNSKEY ( 257 3 8 AwEAAdyBXX4YQk/F+GRZr0fnahrki3+8fXT4xgbeKjhBqtYm4YIaOCYVP2Ld0HOimw2oYC9Hm51w +EPxwVp3Y3Yvb3ldpLnxUmHhzh7cAwxeRbBEoj1s6vxdwhLFrbabhtkB+ZATbBLccRhJSa9hcgLJ HMG+RQ4Q9pXzfJktjS/vutdcXPma0zWUjMk/VEg9o9RQG1BNNYRFJVBWbi6eHbNQc16Skz53jSiU 4dSm5xFK71tAz6gB5YGwlSL/05moLUgTE9PkfZZFhRidK02TDOXof/sxjSTafNXn44NjB4caZfko bDRQHRKlrQNd7MqGtEq5cWTQHJwOdjIEU7Vayefv4Z0= ) ; keytag 10226`
	DNSKEY=10226/SEP is now in the chain-of-trust
	DS=10226/SHA-256 verifies DNSKEY=10226/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`irs.gov. 10800 IN RRSIG ( DNSKEY 8 2 10800 20250929135848 20250915122848 10226 irs.gov. ztmdtSzRDCVYMYgphYlIzlLvXZW5hMFA3RNgWSQhJUvoKgDNlwWv6RGT1diKzV8p9v+geYQjyiPe pcXGKeYebcfWg00SvrlGB6WMR+Dlaujbwop1fcupGVmuPmO4SopQ0CP5j43CXOtZzhDd6KLLmzTS 6KYE+1PSm4f1vGjKIITdemd2dvsPt7zWYGqH3ffSrtL5CzCK/eHgFkaDtfMKCEAXeLFqSqIIjIhN bWPqVfxiiGRiAvS2BYkmcwvUQxVE8vVmexIJ2gJCGoh9s0Gawdk4fd98cxl402/SE4D7g+PF1JGU qYnU8QYd4bdI+YEqBPR7cl5znUitftMZ3kfSFQ== )`
	RRSIG=10226 and DNSKEY=10226/SEP verifies the DNSKEY RRset
	DNSKEY=48424 is now in the chain-of-trust
	Query to ns0227.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 363 octets ;; HEADER SECTION ;; id = 63834 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250929095848 20250915082848 48424 irs.gov. Ew38na5uFsay3T5yk8Pa74cZE8u0XklvRvw5ce0tHqekx3j9fYlac8vUr6bE7K1NrVYmszblPrSP /3oqg1sxCkCQhGprE1N1JNt5IjxnGqeNSSFRknWwAW+KH0dG06ZUOLW0+OLlICGT9z/GLKOS/iF/ ppYY4PRLXtztgyzFnbb9xCG9q0D3R0E2uyhY1ZOjcOLpB58uqwjcLG5eLaU7M4CFABgphEfdHGgf WHENw/iD6SCaFAmmYpWykw2ql2my+7vQXu0kbcAVnuFScgykrsq6g2rJ7qjTQBB22u2VNXyVchGQ LbJO1nFLBqwnjL8kBXvQx+LCTE6cElyX2pInPA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns0227.secondary.cloudflare.com is authoritative for irs.gov
	Found RRSIG signed by irs.gov zone
	Query to ns0022.secondary.cloudflare.com for irs.gov/SOA
	Received 401 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 401 octets ;; HEADER SECTION ;; id = 53092 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN SOA ;; ANSWER SECTION (2 records) irs.gov. 900 IN SOA ( ns1.irs.gov. it\.aciouns\.external\.dns\.admin.irs.gov. 2010092919 ;serial 3600 ;refresh 1800 ;retry 2419200 ;expire 900 ;minimum ) irs.gov. 900 IN RRSIG ( SOA 8 2 10800 20251001100423 20250917083423 48424 irs.gov. n7D/se3PAnJnAhG9V046aWuZ0ybsYoy51OVBo0YJkRFPZcXCGXGQCGQQ6HDChTu/H39Mtm4XVa47 5pHKc+xIKabij6qIvzenQ+W00KSCcZjGAl7qcKsO4zxjKzyWQx3AM2U+UUvDneKAYZwuz2LdehuX KuAf0+uE5Mujeo5UlAexobNGqOHITWcaLv+dGQo5n/ys63KmT9Zw4VURyx8VofbZh9cl7npNXx68 ZtDh4ISmt8UVWpY+uj6bgjWwCogaBIgzdXQA1KkjrvIgEVzWbNnvP/8lkAJ27YHgg3GYf2gVV73G b5dT7AqDBx4V+UQFXWcvmWtX08+3Y6dkNmYExA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to ns0227.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.33.102
	;; Response received from [162.159.33.102] 363 octets ;; HEADER SECTION ;; id = 5272 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250929095848 20250915082848 48424 irs.gov. Ew38na5uFsay3T5yk8Pa74cZE8u0XklvRvw5ce0tHqekx3j9fYlac8vUr6bE7K1NrVYmszblPrSP /3oqg1sxCkCQhGprE1N1JNt5IjxnGqeNSSFRknWwAW+KH0dG06ZUOLW0+OLlICGT9z/GLKOS/iF/ ppYY4PRLXtztgyzFnbb9xCG9q0D3R0E2uyhY1ZOjcOLpB58uqwjcLG5eLaU7M4CFABgphEfdHGgf WHENw/iD6SCaFAmmYpWykw2ql2my+7vQXu0kbcAVnuFScgykrsq6g2rJ7qjTQBB22u2VNXyVchGQ LbJO1nFLBqwnjL8kBXvQx+LCTE6cElyX2pInPA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	irs.gov A RR has value 152.216.7.110
	irs.gov A RR has value 152.216.11.110
	Found 1 RRSIGs over A RRset
	`irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250929095848 20250915082848 48424 irs.gov. Ew38na5uFsay3T5yk8Pa74cZE8u0XklvRvw5ce0tHqekx3j9fYlac8vUr6bE7K1NrVYmszblPrSP /3oqg1sxCkCQhGprE1N1JNt5IjxnGqeNSSFRknWwAW+KH0dG06ZUOLW0+OLlICGT9z/GLKOS/iF/ ppYY4PRLXtztgyzFnbb9xCG9q0D3R0E2uyhY1ZOjcOLpB58uqwjcLG5eLaU7M4CFABgphEfdHGgf WHENw/iD6SCaFAmmYpWykw2ql2my+7vQXu0kbcAVnuFScgykrsq6g2rJ7qjTQBB22u2VNXyVchGQ LbJO1nFLBqwnjL8kBXvQx+LCTE6cElyX2pInPA== )`
	RRSIG=48424 and DNSKEY=48424 verifies the A RRset

irs.gov

	Query to ns0022.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 363 octets ;; HEADER SECTION ;; id = 43212 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250929095848 20250915082848 48424 irs.gov. Ew38na5uFsay3T5yk8Pa74cZE8u0XklvRvw5ce0tHqekx3j9fYlac8vUr6bE7K1NrVYmszblPrSP /3oqg1sxCkCQhGprE1N1JNt5IjxnGqeNSSFRknWwAW+KH0dG06ZUOLW0+OLlICGT9z/GLKOS/iF/ ppYY4PRLXtztgyzFnbb9xCG9q0D3R0E2uyhY1ZOjcOLpB58uqwjcLG5eLaU7M4CFABgphEfdHGgf WHENw/iD6SCaFAmmYpWykw2ql2my+7vQXu0kbcAVnuFScgykrsq6g2rJ7qjTQBB22u2VNXyVchGQ LbJO1nFLBqwnjL8kBXvQx+LCTE6cElyX2pInPA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	ns0022.secondary.cloudflare.com is authoritative for irs.gov
	Found RRSIG signed by irs.gov zone
	Query to ns0022.secondary.cloudflare.com for irs.gov/A
	Received 363 bytes from 162.159.32.23
	;; Response received from [162.159.32.23] 363 octets ;; HEADER SECTION ;; id = 813 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; irs.gov. IN A ;; ANSWER SECTION (3 records) irs.gov. 10800 IN A 152.216.11.110 irs.gov. 10800 IN A 152.216.7.110 irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250929095848 20250915082848 48424 irs.gov. Ew38na5uFsay3T5yk8Pa74cZE8u0XklvRvw5ce0tHqekx3j9fYlac8vUr6bE7K1NrVYmszblPrSP /3oqg1sxCkCQhGprE1N1JNt5IjxnGqeNSSFRknWwAW+KH0dG06ZUOLW0+OLlICGT9z/GLKOS/iF/ ppYY4PRLXtztgyzFnbb9xCG9q0D3R0E2uyhY1ZOjcOLpB58uqwjcLG5eLaU7M4CFABgphEfdHGgf WHENw/iD6SCaFAmmYpWykw2ql2my+7vQXu0kbcAVnuFScgykrsq6g2rJ7qjTQBB22u2VNXyVchGQ LbJO1nFLBqwnjL8kBXvQx+LCTE6cElyX2pInPA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	irs.gov A RR has value 152.216.11.110
	irs.gov A RR has value 152.216.7.110
	Found 1 RRSIGs over A RRset
	`irs.gov. 10800 IN RRSIG ( A 8 2 10800 20250929095848 20250915082848 48424 irs.gov. Ew38na5uFsay3T5yk8Pa74cZE8u0XklvRvw5ce0tHqekx3j9fYlac8vUr6bE7K1NrVYmszblPrSP /3oqg1sxCkCQhGprE1N1JNt5IjxnGqeNSSFRknWwAW+KH0dG06ZUOLW0+OLlICGT9z/GLKOS/iF/ ppYY4PRLXtztgyzFnbb9xCG9q0D3R0E2uyhY1ZOjcOLpB58uqwjcLG5eLaU7M4CFABgphEfdHGgf WHENw/iD6SCaFAmmYpWykw2ql2my+7vQXu0kbcAVnuFScgykrsq6g2rJ7qjTQBB22u2VNXyVchGQ LbJO1nFLBqwnjL8kBXvQx+LCTE6cElyX2pInPA== )`
	RRSIG=48424 and DNSKEY=48424 verifies the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test irs.gov at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: