DNSSEC Debugger - CFPA.GOV

Domain Name:

Time: 2026-02-23 05:56:28 UTC

Analyzing DNSSEC problems for CFPA.GOV

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to g.root-servers.net for ./DNSKEY
	Received 1141 bytes from 192.112.36.4
	;; Response received from [192.112.36.4] 1141 octets ;; HEADER SECTION ;; id = 13114 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 4 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (4 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20260313000000 20260220000000 20326 . JZtm46fb0oPZQLxBUHYEG5Fv0arLLlu7lUpYjsEPdGrggxWWMbB/rA0CbLCsZ0+rk84t5BvOtfPd mBDhJiDQhzJSRK8l8u0roT79KnJU81H+Hdzg+/095yK9djpihg/72I9UyJO3UU1SIdmxzriTE15z Tz/QrKKLME3vp5lBSPkggMMrRkKNW2rpL1JgD6bsXNqJLEHTfpNRGX0EbEKW9VKK27rXxXFa3r0X V2mvOrNiDOCN1nl1YTHWOkuNGxpKlv+kDwrDyGs5Z8WJb4gm47O1xOijfna5dzlEXAjqahKboJsF kMHrQdSnYG0XcTdxhAAMnQjbxDfBEeowXrOt8w== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 3 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20260313000000 20260220000000 20326 . JZtm46fb0oPZQLxBUHYEG5Fv0arLLlu7lUpYjsEPdGrggxWWMbB/rA0CbLCsZ0+rk84t5BvOtfPd mBDhJiDQhzJSRK8l8u0roT79KnJU81H+Hdzg+/095yK9djpihg/72I9UyJO3UU1SIdmxzriTE15z Tz/QrKKLME3vp5lBSPkggMMrRkKNW2rpL1JgD6bsXNqJLEHTfpNRGX0EbEKW9VKK27rXxXFa3r0X V2mvOrNiDOCN1nl1YTHWOkuNGxpKlv+kDwrDyGs5Z8WJb4gm47O1xOijfna5dzlEXAjqahKboJsF kMHrQdSnYG0XcTdxhAAMnQjbxDfBEeowXrOt8w== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=21831 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	Query to m.root-servers.net for CFPA.GOV/A
	Received 621 bytes from 202.12.27.33
	;; Response received from [202.12.27.33] 621 octets ;; HEADER SECTION ;; id = 24442 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS d.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260308050000 20260223040000 21831 . ZeXP0Nefopc0ETOWDo97WAWEfTWRg+NCOW24SWBC91grax7uVuwBOyeR6b6l9W0A4p0wKWN0Mqqt eM/LwmQ0ZrJBfGot0ZjN2qcwRyIbbsbHMNzKUjJZZtKhal+eWnAciotZoDfwRHR8rkq0PWBoMmQ6 Q/ATg2o28XaJidLJ+kkjRdcx3CZsCZwFYtgKyich87HmjP6F/Wr3jFraImIToreobL2dHv6c7A1C GY23iH8D6LqTc6NXJwbWMwvHL5/EijG+ZNwhSG/Tvix2J8Y7yYmCcAeE5dAAgilfiqdwogi7ld6r gyu1KIVNzJUwp7FT6y271wq8jGg+rhyi2ta8SQ== ) ;; ADDITIONAL SECTION (9 records) d.ns.gov. 172800 IN A 199.33.233.1 c.ns.gov. 172800 IN A 199.33.232.1 b.ns.gov. 172800 IN A 199.33.231.1 a.ns.gov. 172800 IN A 199.33.230.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 ;; { "EDNS-VERSION": 0 }
	Query to d.root-servers.net for GOV/DNSKEY
	Received 610 bytes from 199.7.91.13
	;; Response received from [199.7.91.13] 610 octets ;; HEADER SECTION ;; id = 2220 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1450, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; GOV. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) GOV. 172800 IN NS a.ns.GOV. GOV. 172800 IN NS b.ns.GOV. GOV. 172800 IN NS c.ns.GOV. GOV. 172800 IN NS d.ns.GOV. GOV. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) GOV. 86400 IN RRSIG ( DS 8 1 86400 20260308050000 20260223040000 21831 . ZeXP0Nefopc0ETOWDo97WAWEfTWRg+NCOW24SWBC91grax7uVuwBOyeR6b6l9W0A4p0wKWN0Mqqt eM/LwmQ0ZrJBfGot0ZjN2qcwRyIbbsbHMNzKUjJZZtKhal+eWnAciotZoDfwRHR8rkq0PWBoMmQ6 Q/ATg2o28XaJidLJ+kkjRdcx3CZsCZwFYtgKyich87HmjP6F/Wr3jFraImIToreobL2dHv6c7A1C GY23iH8D6LqTc6NXJwbWMwvHL5/EijG+ZNwhSG/Tvix2J8Y7yYmCcAeE5dAAgilfiqdwogi7ld6r gyu1KIVNzJUwp7FT6y271wq8jGg+rhyi2ta8SQ== ) ;; ADDITIONAL SECTION (9 records) a.ns.GOV. 172800 IN A 199.33.230.1 b.ns.GOV. 172800 IN A 199.33.231.1 c.ns.GOV. 172800 IN A 199.33.232.1 d.ns.GOV. 172800 IN A 199.33.233.1 a.ns.GOV. 172800 IN AAAA 2001:503:ff40::1 b.ns.GOV. 172800 IN AAAA 2001:503:ff41::1 c.ns.GOV. 172800 IN AAAA 2001:503:ff42::1 d.ns.GOV. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Found child zone GOV

GOV

	Checking DS between . and GOV
	Query to h.root-servers.net for GOV/DS
	Received 367 bytes from 198.97.190.53
	;; Response received from [198.97.190.53] 367 octets ;; HEADER SECTION ;; id = 15494 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; GOV. IN DS ;; ANSWER SECTION (2 records) GOV. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) GOV. 86400 IN RRSIG ( DS 8 1 86400 20260308050000 20260223040000 21831 . ZeXP0Nefopc0ETOWDo97WAWEfTWRg+NCOW24SWBC91grax7uVuwBOyeR6b6l9W0A4p0wKWN0Mqqt eM/LwmQ0ZrJBfGot0ZjN2qcwRyIbbsbHMNzKUjJZZtKhal+eWnAciotZoDfwRHR8rkq0PWBoMmQ6 Q/ATg2o28XaJidLJ+kkjRdcx3CZsCZwFYtgKyich87HmjP6F/Wr3jFraImIToreobL2dHv6c7A1C GY23iH8D6LqTc6NXJwbWMwvHL5/EijG+ZNwhSG/Tvix2J8Y7yYmCcAeE5dAAgilfiqdwogi7ld6r gyu1KIVNzJUwp7FT6y271wq8jGg+rhyi2ta8SQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for GOV in the . zone
	DS=2536/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`GOV. 86400 IN RRSIG ( DS 8 1 86400 20260308050000 20260223040000 21831 . ZeXP0Nefopc0ETOWDo97WAWEfTWRg+NCOW24SWBC91grax7uVuwBOyeR6b6l9W0A4p0wKWN0Mqqt eM/LwmQ0ZrJBfGot0ZjN2qcwRyIbbsbHMNzKUjJZZtKhal+eWnAciotZoDfwRHR8rkq0PWBoMmQ6 Q/ATg2o28XaJidLJ+kkjRdcx3CZsCZwFYtgKyich87HmjP6F/Wr3jFraImIToreobL2dHv6c7A1C GY23iH8D6LqTc6NXJwbWMwvHL5/EijG+ZNwhSG/Tvix2J8Y7yYmCcAeE5dAAgilfiqdwogi7ld6r gyu1KIVNzJUwp7FT6y271wq8jGg+rhyi2ta8SQ== )`
	RRSIG=21831 and DNSKEY=21831 verifies the DS RRset
	DS=2536/SHA-256 is now in the chain-of-trust
	`GOV. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 )`
	Query to b.ns.GOV for GOV/DNSKEY
	Received 291 bytes from 199.33.231.1
	;; Response received from [199.33.231.1] 291 octets ;; HEADER SECTION ;; id = 57786 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; GOV. IN DNSKEY ;; ANSWER SECTION (3 records) GOV. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536 GOV. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496 GOV. 3600 IN RRSIG ( DNSKEY 13 1 3600 20260418110625 20260216110625 2536 gov. I0iSDDCNvKVMZA6sNbu/vSpxFxExdKw4wolKgp9n5lVU+L+LLIrgFsg7MfMTRCgrMX1UDqFBsElS w+yMvE1WnQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for GOV
	`GOV. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536`
	`GOV. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496`
	DNSKEY=2536/SEP is now in the chain-of-trust
	DS=2536/SHA-256 verifies DNSKEY=2536/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`GOV. 3600 IN RRSIG ( DNSKEY 13 1 3600 20260418110625 20260216110625 2536 gov. I0iSDDCNvKVMZA6sNbu/vSpxFxExdKw4wolKgp9n5lVU+L+LLIrgFsg7MfMTRCgrMX1UDqFBsElS w+yMvE1WnQ== )`
	RRSIG=2536 and DNSKEY=2536/SEP verifies the DNSKEY RRset
	DNSKEY=35496 is now in the chain-of-trust
	Query to c.ns.GOV for CFPA.GOV/A
	Received 287 bytes from 199.33.232.1
	;; Response received from [199.33.232.1] 287 octets ;; HEADER SECTION ;; id = 3254 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 5 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) CFPA.GOV. 10800 IN NS sauthns1.qwest.net. CFPA.GOV. 10800 IN NS sauthns2.qwest.net. CFPA.GOV. 3600 IN DS ( 30681 7 2 09bd13968c00d32a5dd57985089802154dbf83ba9467340a0185fca51e5e067a ) CFPA.GOV. 3600 IN DS ( 31350 7 2 27c472385c585a61043a11dfabe3ea38e42dc28c528ce86781cc2b12beb0aeaa ) CFPA.GOV. 3600 IN RRSIG ( DS 13 2 3600 20260224065628 20260222045628 35496 gov. rEGDkomvFJMb+omTLUMQUO42Q00UQJBvteuEFFHiaOI6QlGPjFyraV9nkj8AEyRF+e8EYEG+/NSr +G+GHG38Zg== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to a.ns.GOV for CFPA.GOV/DNSKEY
	Received 287 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 287 octets ;; HEADER SECTION ;; id = 59983 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 5 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) CFPA.GOV. 10800 IN NS sauthns1.qwest.net. CFPA.GOV. 10800 IN NS sauthns2.qwest.net. CFPA.GOV. 3600 IN DS ( 30681 7 2 09bd13968c00d32a5dd57985089802154dbf83ba9467340a0185fca51e5e067a ) CFPA.GOV. 3600 IN DS ( 31350 7 2 27c472385c585a61043a11dfabe3ea38e42dc28c528ce86781cc2b12beb0aeaa ) CFPA.GOV. 3600 IN RRSIG ( DS 13 2 3600 20260224065628 20260222045628 35496 gov. rhW3GwtQL7FrrY12+ehB9MRauhtEpwtK33cRQRv0FeCIHra8qhI+NW1YWelrHWse6TKGwABO7BYM nQuFD1HCag== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone CFPA.GOV

CFPA.GOV

	Checking DS between GOV and CFPA.GOV
	Query to d.ns.GOV for CFPA.GOV/DS
	Received 232 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 232 octets ;; HEADER SECTION ;; id = 8704 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN DS ;; ANSWER SECTION (3 records) CFPA.GOV. 3600 IN DS ( 30681 7 2 09bd13968c00d32a5dd57985089802154dbf83ba9467340a0185fca51e5e067a ) CFPA.GOV. 3600 IN DS ( 31350 7 2 27c472385c585a61043a11dfabe3ea38e42dc28c528ce86781cc2b12beb0aeaa ) CFPA.GOV. 3600 IN RRSIG ( DS 13 2 3600 20260224065628 20260222045628 35496 gov. yv1k6Ln7Z7ulfvaB5KmHQaMSXIMyMm4wi/u+f0vHgR58yDTINhBFnloKut7EHKcdZvvkVXOsbVcL ww8aKICL9Q== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DS records for CFPA.GOV in the GOV zone
	DS=30681/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	DS=31350/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	Found 1 RRSIGs over DS RRset
	`CFPA.GOV. 3600 IN RRSIG ( DS 13 2 3600 20260224065628 20260222045628 35496 gov. yv1k6Ln7Z7ulfvaB5KmHQaMSXIMyMm4wi/u+f0vHgR58yDTINhBFnloKut7EHKcdZvvkVXOsbVcL ww8aKICL9Q== )`
	RRSIG=35496 and DNSKEY=35496 verifies the DS RRset
	DS=30681/SHA-256 is now in the chain-of-trust
	DS=31350/SHA-256 is now in the chain-of-trust
	`CFPA.GOV. 3600 IN DS ( 30681 7 2 09bd13968c00d32a5dd57985089802154dbf83ba9467340a0185fca51e5e067a )`
	`CFPA.GOV. 3600 IN DS ( 31350 7 2 27c472385c585a61043a11dfabe3ea38e42dc28c528ce86781cc2b12beb0aeaa )`
	Query to sauthns1.qwest.net for CFPA.GOV/DNSKEY
	Received 1653 bytes from 63.150.72.5
	;; Response received from [63.150.72.5] 1653 octets ;; HEADER SECTION ;; id = 10545 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 7 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN DNSKEY ;; ANSWER SECTION (7 records) cfpa.gov. 86400 IN DNSKEY ( 257 3 7 AwEAAbc83UA9eH/xPogXez7c+oiu1Tm7agHsm+E9SOUAsUKerxjsv/UZtqcmea/kF4530lCK9bzI Sg43BOPGXycn6fXrbYZC8A3Bnb86DqmdxNK99yERfKs1qDYnFBxQfa7R16DsS6yEVpfmASr28WDU JUwflLCJocuCj49dULwbPC+hSwRxjAHXajHm2n9sOu+YALWVNrljg/rEMNsl8fi7Gc42d7tPfga4 xX9nc2xJyC+scw5covyCxfDbwqDlLyZljaMxILybuGg/dbRbJh5Ip91QPNiIcNj5vtPix5LavF+X q2G0CvxWD1k8XzfyKhnYqlu9CSla/pnJU3J5ieArSJE= ) ; keytag 31350 cfpa.gov. 86400 IN DNSKEY ( 256 3 7 AwEAAdVohqK4hshuZ64yUwI/o0HAqXtGAooI6mvJsVFTaIt0mRWixcbCyS8IVdhL7ZXl3Co6vE8/ lzNtoYT03hHUJ3kkBVu3r8Tt16vHdpvTbE2YWAEd1XmbS1T5TRxQDcdeeXnwFsbdk4DKJuLA2Ox4 x7umkdEuqSPKdX0aya7hTZ5P ) ; keytag 27188 cfpa.gov. 86400 IN DNSKEY ( 256 3 7 AwEAAbQpdfN/XjzLbBJ2R9Z+mYCwLr92wPmyVnJoHb1TkajPOQhUn4qoBmSIrKwSSZRtxNW9/pr6 CVMDnxEwVKmomOpQZvTE8ibzQS3LyLUBCdSoONODvdVDadFdTRARuUitajrIy0ocKygGY6UzXuYO Y86pGAW/J+GjsRhEwjg4uu13 ) ; keytag 23054 cfpa.gov. 86400 IN DNSKEY ( 257 3 7 AwEAAarH/HGlWc+jhIE6i5x1kS+X9Q7bZjlR5+yNCC010InPNKVulOuVfpo7lYlsJyt/3Md5ioOv jVs9hiAitxcCBfgqtKxxXpHFcAMDZU25LAQChp6ho5OGZ8nxgaj/K83uBNh7efm628eoVocyGikN yHn6DSN1PR7ocustowxm++aN1YCIeZjoch8WjQ+UquKuZLeFlqvfzw4Qd9UtCunX6maFEQV51uED YRmXoTMLCpTG4UWdem0XNQVEaHCJpQ9AaavCbn25+pPLVYWSDqSPyRTHW0jJIF8Fn40EjKTeaKIH 4VNqhnBbjJX78fHLAz2/uMml1TUbCelm1z186LSlzUc= ) ; keytag 15993 cfpa.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260302030004 20260223020004 15993 cfpa.gov. XoNBCUdQk4aySoX2l2gwJsg03rmidlKUdcFfStZZe7tVqeyChphDjlJoOiPTu/86dQhHkpV8XNIV 2nOPH1SXZ1RAb1UXRp+qRE8vmtIFV/8AzHAb60XQHUOKRocvbrqWiFJ1VOAa8k0zXvzxenPJHEIC kW1eWDLuHTiVLzWgXd2GBuaQupS212rXr7on8+LMzceX/PS7D3+rCwEifdjT5/jp5WOEi+krMsUl PBcyBftxInU4SX09vFg7GWjHvJE5vfZlPIuwg5B7D35+I36gqQAvgepL2fpKaadEfu2FCCybp3c/ LYhqgbf1g9qKCt5+Hq4AxTuG7SEpE0esrSH2eA== ) cfpa.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260302030004 20260223020004 23054 cfpa.gov. g54lTIfwSsZ74884LxyytuA3ZKY6EU+UYx4hgqXvviNbYNKy0ezy4uebhjsB8GxEq1lwixYpI2Cj EeYT/SLCCYP5mby0EJb5yJqxJ9ZISpToNyw3Rbnfp0yD//4jaL4W+CzeUrQzN6YhIiFk7BxSZxTn Pk2ItGU5W1CKJJKk7DE= ) cfpa.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260302030004 20260223020004 31350 cfpa.gov. B1JQ1Ee49ocsKmNByL0Ru2jGd6Al4fsODIOApgk1MT78WLVobn8M1RcEICJ09jDHrwowZVsefKpF cPe+r+jfUmaHj8nye9CPhTTdOns0kB+NA7a3STgA1SN14ws2MMtuQWMbr+nRUu0OWK0Oo+aW4t7v FgD64iU6XvGzjFfCkOex14jXNtWufgGflQho+JTAppnpHpE5avuGf1b+aGw6TpmSYLSuLaA/vpsM 2rVnCtfEZKVeOfOPvaA2P1MyYZ5gARyRhy/CRg8ZMw/iKUmyrsxokEJAh0KMZRIBgFYMCnlIGN4T X7RHIzctKFEJzOgwMDI4sLWqDdTJXIMzoVJlZA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 4 DNSKEY records for CFPA.GOV
	`cfpa.gov. 86400 IN DNSKEY ( 257 3 7 AwEAAbc83UA9eH/xPogXez7c+oiu1Tm7agHsm+E9SOUAsUKerxjsv/UZtqcmea/kF4530lCK9bzI Sg43BOPGXycn6fXrbYZC8A3Bnb86DqmdxNK99yERfKs1qDYnFBxQfa7R16DsS6yEVpfmASr28WDU JUwflLCJocuCj49dULwbPC+hSwRxjAHXajHm2n9sOu+YALWVNrljg/rEMNsl8fi7Gc42d7tPfga4 xX9nc2xJyC+scw5covyCxfDbwqDlLyZljaMxILybuGg/dbRbJh5Ip91QPNiIcNj5vtPix5LavF+X q2G0CvxWD1k8XzfyKhnYqlu9CSla/pnJU3J5ieArSJE= ) ; keytag 31350`
	`cfpa.gov. 86400 IN DNSKEY ( 256 3 7 AwEAAdVohqK4hshuZ64yUwI/o0HAqXtGAooI6mvJsVFTaIt0mRWixcbCyS8IVdhL7ZXl3Co6vE8/ lzNtoYT03hHUJ3kkBVu3r8Tt16vHdpvTbE2YWAEd1XmbS1T5TRxQDcdeeXnwFsbdk4DKJuLA2Ox4 x7umkdEuqSPKdX0aya7hTZ5P ) ; keytag 27188`
	`cfpa.gov. 86400 IN DNSKEY ( 256 3 7 AwEAAbQpdfN/XjzLbBJ2R9Z+mYCwLr92wPmyVnJoHb1TkajPOQhUn4qoBmSIrKwSSZRtxNW9/pr6 CVMDnxEwVKmomOpQZvTE8ibzQS3LyLUBCdSoONODvdVDadFdTRARuUitajrIy0ocKygGY6UzXuYO Y86pGAW/J+GjsRhEwjg4uu13 ) ; keytag 23054`
	`cfpa.gov. 86400 IN DNSKEY ( 257 3 7 AwEAAarH/HGlWc+jhIE6i5x1kS+X9Q7bZjlR5+yNCC010InPNKVulOuVfpo7lYlsJyt/3Md5ioOv jVs9hiAitxcCBfgqtKxxXpHFcAMDZU25LAQChp6ho5OGZ8nxgaj/K83uBNh7efm628eoVocyGikN yHn6DSN1PR7ocustowxm++aN1YCIeZjoch8WjQ+UquKuZLeFlqvfzw4Qd9UtCunX6maFEQV51uED YRmXoTMLCpTG4UWdem0XNQVEaHCJpQ9AaavCbn25+pPLVYWSDqSPyRTHW0jJIF8Fn40EjKTeaKIH 4VNqhnBbjJX78fHLAz2/uMml1TUbCelm1z186LSlzUc= ) ; keytag 15993`
	DNSKEY=31350/SEP is now in the chain-of-trust
	DS=31350/SHA-256 verifies DNSKEY=31350/SEP
	DS=30681/SHA-256 is published, but a corresponding DNSKEY is not
	Found 3 RRSIGs over DNSKEY RRset
	`cfpa.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260302030004 20260223020004 15993 cfpa.gov. XoNBCUdQk4aySoX2l2gwJsg03rmidlKUdcFfStZZe7tVqeyChphDjlJoOiPTu/86dQhHkpV8XNIV 2nOPH1SXZ1RAb1UXRp+qRE8vmtIFV/8AzHAb60XQHUOKRocvbrqWiFJ1VOAa8k0zXvzxenPJHEIC kW1eWDLuHTiVLzWgXd2GBuaQupS212rXr7on8+LMzceX/PS7D3+rCwEifdjT5/jp5WOEi+krMsUl PBcyBftxInU4SX09vFg7GWjHvJE5vfZlPIuwg5B7D35+I36gqQAvgepL2fpKaadEfu2FCCybp3c/ LYhqgbf1g9qKCt5+Hq4AxTuG7SEpE0esrSH2eA== )`
	`cfpa.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260302030004 20260223020004 23054 cfpa.gov. g54lTIfwSsZ74884LxyytuA3ZKY6EU+UYx4hgqXvviNbYNKy0ezy4uebhjsB8GxEq1lwixYpI2Cj EeYT/SLCCYP5mby0EJb5yJqxJ9ZISpToNyw3Rbnfp0yD//4jaL4W+CzeUrQzN6YhIiFk7BxSZxTn Pk2ItGU5W1CKJJKk7DE= )`
	`cfpa.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260302030004 20260223020004 31350 cfpa.gov. B1JQ1Ee49ocsKmNByL0Ru2jGd6Al4fsODIOApgk1MT78WLVobn8M1RcEICJ09jDHrwowZVsefKpF cPe+r+jfUmaHj8nye9CPhTTdOns0kB+NA7a3STgA1SN14ws2MMtuQWMbr+nRUu0OWK0Oo+aW4t7v FgD64iU6XvGzjFfCkOex14jXNtWufgGflQho+JTAppnpHpE5avuGf1b+aGw6TpmSYLSuLaA/vpsM 2rVnCtfEZKVeOfOPvaA2P1MyYZ5gARyRhy/CRg8ZMw/iKUmyrsxokEJAh0KMZRIBgFYMCnlIGN4T X7RHIzctKFEJzOgwMDI4sLWqDdTJXIMzoVJlZA== )`
	RRSIG=15993 and DNSKEY=15993/SEP does not verify the DNSKEY RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	RRSIG=23054 and DNSKEY=23054 does not verify the DNSKEY RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	RRSIG=31350 and DNSKEY=31350/SEP does not verify the DNSKEY RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	None of the 3 RRSIG and 4 DNSKEY records validate the DNSKEY RRset
	The DNSKEY RRset was not signed by any trusted keys
	Query to sauthns1.qwest.net for CFPA.GOV/A
	Received 452 bytes from 63.150.72.5
	;; Response received from [63.150.72.5] 452 octets ;; HEADER SECTION ;; id = 19509 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN A ;; ANSWER SECTION (2 records) cfpa.gov. 120 IN A 52.21.11.213 cfpa.gov. 120 IN RRSIG ( A 7 2 120 20260302030004 20260223020004 23054 cfpa.gov. XS/EvW4QM4yNyzU6ZbIg7oWVaupW0lu/haoUJ7nGncoBP7PxfS/EnUD4VpcNXL3ia/R7RizgEdWu dK8v8CkzsdTSpvauwCgtxexIl8DJjpr/oF+xfIawkd+KtA1MwjJ5eNbADallkihakfby4Jz865Do i54uQBjso7Rfq/lclG0= ) ;; AUTHORITY SECTION (3 records) cfpa.gov. 28800 IN NS sauthns1.qwest.net. cfpa.gov. 28800 IN NS sauthns2.qwest.net. cfpa.gov. 28800 IN RRSIG ( NS 7 2 28800 20260302030004 20260223020004 23054 cfpa.gov. Ah+jppaDODD4yFbdVan5s9Xe3PJicOqqGMYfZlLt5wux9UTfR7xbt2HlmuIgSgvyfNsf9qkHNi7N QHu5B/2eJu/HqdF915uBH6j5h0ptxpg+xmeAM/EKp3hnZd+EWH0D5+mC1ycJOfmihJQ50sEUEyWx /gD/qpu6t7VoFjFcIZE= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sauthns1.qwest.net is authoritative for CFPA.GOV
	Found RRSIG signed by cfpa.gov zone
	Query to sauthns2.qwest.net for CFPA.GOV/SOA
	Received 490 bytes from 208.44.130.121
	;; Response received from [208.44.130.121] 490 octets ;; HEADER SECTION ;; id = 6767 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN SOA ;; ANSWER SECTION (2 records) cfpa.gov. 86400 IN SOA ( sauthns2.qwest.net. dns-admin.qwestip.net. 2250722320 ;serial 10800 ;refresh 3601 ;retry 604800 ;expire 300 ;minimum ) cfpa.gov. 86400 IN RRSIG ( SOA 7 2 86400 20260302030004 20260223020004 23054 cfpa.gov. Jv8dw8aoN76EyFp1mLI6FbDI65xWdhGKFrwqeF4Jw5rFX8iVhAHLwQCM0smkwQBytnHVLvKZlAhm 4vqO3LWwZ4haQMorq2spGe+5lRTSL1kuxJCVRI+rb1iS/HYDUW8a2zRP/G8U1n8gM+8SO06tPiqV s3SeEyccThGH9USQDZc= ) ;; AUTHORITY SECTION (3 records) cfpa.gov. 28800 IN NS sauthns2.qwest.net. cfpa.gov. 28800 IN NS sauthns1.qwest.net. cfpa.gov. 28800 IN RRSIG ( NS 7 2 28800 20260302030004 20260223020004 23054 cfpa.gov. Ah+jppaDODD4yFbdVan5s9Xe3PJicOqqGMYfZlLt5wux9UTfR7xbt2HlmuIgSgvyfNsf9qkHNi7N QHu5B/2eJu/HqdF915uBH6j5h0ptxpg+xmeAM/EKp3hnZd+EWH0D5+mC1ycJOfmihJQ50sEUEyWx /gD/qpu6t7VoFjFcIZE= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to sauthns1.qwest.net for CFPA.GOV/A
	Received 452 bytes from 63.150.72.5
	;; Response received from [63.150.72.5] 452 octets ;; HEADER SECTION ;; id = 31596 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN A ;; ANSWER SECTION (2 records) cfpa.gov. 120 IN A 52.21.11.213 cfpa.gov. 120 IN RRSIG ( A 7 2 120 20260302030004 20260223020004 23054 cfpa.gov. XS/EvW4QM4yNyzU6ZbIg7oWVaupW0lu/haoUJ7nGncoBP7PxfS/EnUD4VpcNXL3ia/R7RizgEdWu dK8v8CkzsdTSpvauwCgtxexIl8DJjpr/oF+xfIawkd+KtA1MwjJ5eNbADallkihakfby4Jz865Do i54uQBjso7Rfq/lclG0= ) ;; AUTHORITY SECTION (3 records) cfpa.gov. 28800 IN NS sauthns1.qwest.net. cfpa.gov. 28800 IN NS sauthns2.qwest.net. cfpa.gov. 28800 IN RRSIG ( NS 7 2 28800 20260302030004 20260223020004 23054 cfpa.gov. Ah+jppaDODD4yFbdVan5s9Xe3PJicOqqGMYfZlLt5wux9UTfR7xbt2HlmuIgSgvyfNsf9qkHNi7N QHu5B/2eJu/HqdF915uBH6j5h0ptxpg+xmeAM/EKp3hnZd+EWH0D5+mC1ycJOfmihJQ50sEUEyWx /gD/qpu6t7VoFjFcIZE= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	CFPA.GOV A RR has value 52.21.11.213
	Found 1 RRSIGs over A RRset
	`cfpa.gov. 120 IN RRSIG ( A 7 2 120 20260302030004 20260223020004 23054 cfpa.gov. XS/EvW4QM4yNyzU6ZbIg7oWVaupW0lu/haoUJ7nGncoBP7PxfS/EnUD4VpcNXL3ia/R7RizgEdWu dK8v8CkzsdTSpvauwCgtxexIl8DJjpr/oF+xfIawkd+KtA1MwjJ5eNbADallkihakfby4Jz865Do i54uQBjso7Rfq/lclG0= )`
	RRSIG=23054 and DNSKEY=23054 does not verify the A RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	None of the 1 RRSIG and 4 DNSKEY records validate the A RRset

CFPA.GOV

	Query to sauthns2.qwest.net for CFPA.GOV/A
	Received 452 bytes from 208.44.130.121
	;; Response received from [208.44.130.121] 452 octets ;; HEADER SECTION ;; id = 58309 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN A ;; ANSWER SECTION (2 records) cfpa.gov. 120 IN A 52.21.11.213 cfpa.gov. 120 IN RRSIG ( A 7 2 120 20260302030004 20260223020004 23054 cfpa.gov. XS/EvW4QM4yNyzU6ZbIg7oWVaupW0lu/haoUJ7nGncoBP7PxfS/EnUD4VpcNXL3ia/R7RizgEdWu dK8v8CkzsdTSpvauwCgtxexIl8DJjpr/oF+xfIawkd+KtA1MwjJ5eNbADallkihakfby4Jz865Do i54uQBjso7Rfq/lclG0= ) ;; AUTHORITY SECTION (3 records) cfpa.gov. 28800 IN NS sauthns2.qwest.net. cfpa.gov. 28800 IN NS sauthns1.qwest.net. cfpa.gov. 28800 IN RRSIG ( NS 7 2 28800 20260302030004 20260223020004 23054 cfpa.gov. Ah+jppaDODD4yFbdVan5s9Xe3PJicOqqGMYfZlLt5wux9UTfR7xbt2HlmuIgSgvyfNsf9qkHNi7N QHu5B/2eJu/HqdF915uBH6j5h0ptxpg+xmeAM/EKp3hnZd+EWH0D5+mC1ycJOfmihJQ50sEUEyWx /gD/qpu6t7VoFjFcIZE= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sauthns2.qwest.net is authoritative for CFPA.GOV
	Found RRSIG signed by cfpa.gov zone
	Query to sauthns2.qwest.net for CFPA.GOV/A
	Received 452 bytes from 208.44.130.121
	;; Response received from [208.44.130.121] 452 octets ;; HEADER SECTION ;; id = 21611 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; CFPA.GOV. IN A ;; ANSWER SECTION (2 records) cfpa.gov. 120 IN A 52.21.11.213 cfpa.gov. 120 IN RRSIG ( A 7 2 120 20260302030004 20260223020004 23054 cfpa.gov. XS/EvW4QM4yNyzU6ZbIg7oWVaupW0lu/haoUJ7nGncoBP7PxfS/EnUD4VpcNXL3ia/R7RizgEdWu dK8v8CkzsdTSpvauwCgtxexIl8DJjpr/oF+xfIawkd+KtA1MwjJ5eNbADallkihakfby4Jz865Do i54uQBjso7Rfq/lclG0= ) ;; AUTHORITY SECTION (3 records) cfpa.gov. 28800 IN NS sauthns2.qwest.net. cfpa.gov. 28800 IN NS sauthns1.qwest.net. cfpa.gov. 28800 IN RRSIG ( NS 7 2 28800 20260302030004 20260223020004 23054 cfpa.gov. Ah+jppaDODD4yFbdVan5s9Xe3PJicOqqGMYfZlLt5wux9UTfR7xbt2HlmuIgSgvyfNsf9qkHNi7N QHu5B/2eJu/HqdF915uBH6j5h0ptxpg+xmeAM/EKp3hnZd+EWH0D5+mC1ycJOfmihJQ50sEUEyWx /gD/qpu6t7VoFjFcIZE= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	CFPA.GOV A RR has value 52.21.11.213
	Found 1 RRSIGs over A RRset
	`cfpa.gov. 120 IN RRSIG ( A 7 2 120 20260302030004 20260223020004 23054 cfpa.gov. XS/EvW4QM4yNyzU6ZbIg7oWVaupW0lu/haoUJ7nGncoBP7PxfS/EnUD4VpcNXL3ia/R7RizgEdWu dK8v8CkzsdTSpvauwCgtxexIl8DJjpr/oF+xfIawkd+KtA1MwjJ5eNbADallkihakfby4Jz865Do i54uQBjso7Rfq/lclG0= )`
	RRSIG=23054 and DNSKEY=23054 does not verify the A RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	None of the 1 RRSIG and 4 DNSKEY records validate the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test CFPA.GOV at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: