Time: 2019-04-23 08:15:12 UTC, NTP stratum 4

Analyzing DNSSEC problems for irs.gov

.
Found 2 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
gov
Found 2 DS records for gov in the . zone
DS=7698/SHA-1 has algorithm RSASHA256
DS=7698/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=25266 and DNSKEY=25266 verifies the DS RRset
Found 2 DNSKEY records for gov
DS=7698/SHA-1 verifies DNSKEY=7698/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=7698 and DNSKEY=7698/SEP verifies the DNSKEY RRset
irs.gov
Found 1 DS records for irs.gov in the gov zone
DS=37739/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=43583 and DNSKEY=43583 verifies the DS RRset
Found 4 DNSKEY records for irs.gov
DS=37739/SHA-256 verifies DNSKEY=37739/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=37739 and DNSKEY=37739/SEP verifies the DNSKEY RRset
ns3.irs.gov serial (2010087480) differs from ns4.irs.gov serial (2010087482)
ns1.irs.gov serial (2010087490) differs from ns4.irs.gov serial (2010087482)
ns2.irs.gov serial (2010087490) differs from ns4.irs.gov serial (2010087482)
irs.gov A RR has value 152.216.7.110
Found 1 RRSIGs over A RRset
RRSIG=38169 is expired
None of the 1 RRSIG and 4 DNSKEY records validate the A RRset
The A RRset was not signed by any keys in the chain-of-trust

Want a second opinion? Test irs.gov at dnsviz.net.

DNSSEC Analyzer