Back to Verisign Labs Tools
Domain Name: Detail: more(+) / less(-) Time: 2024-04-24 01:20:28 UTC

Analyzing DNSSEC problems for capitolgiftshop.gov

.
Found 2 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
gov
Found 1 DS records for gov in the . zone
DS=64280/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=5613 and DNSKEY=5613 verifies the DS RRset
Found 2 DNSKEY records for gov
DS=64280/SHA-256 verifies DNSKEY=64280/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=64280 and DNSKEY=64280/SEP verifies the DNSKEY RRset
capitolgiftshop.gov
Found 2 DS records for capitolgiftshop.gov in the gov zone
DS=62962/SHA-1 uses a deprecated digest algorithm
DS=62962/SHA-1 has algorithm RSASHA256
DS=62962/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=10104 and DNSKEY=10104 verifies the DS RRset
Found 5 DNSKEY records for capitolgiftshop.gov
DS=62962/SHA-1 verifies DNSKEY=62962/SEP
Found 3 RRSIGs over DNSKEY RRset
RRSIG=32116 is expired
RRSIG=20671 is expired
RRSIG=62962 is expired
None of the 3 RRSIG and 5 DNSKEY records validate the DNSKEY RRset
The DNSKEY RRset was not signed by any trusted keys
authns2.centurylink.net is authoritative for capitolgiftshop.gov
authns1.centurylink.net serial (2358) differs from ns3.comcastbusiness.net serial (2314)
ns2.aoc.gov serial (2358) differs from ns3.comcastbusiness.net serial (2314)
ns1.aoc.gov serial (2358) differs from ns3.comcastbusiness.net serial (2314)
Found 1 RRSIGs over NSEC RRset
RRSIG=33171 and DNSKEY=33171 verifies the NSEC RRset
NSEC proves no records of type A exist for capitolgiftshop.gov
Found 1 RRSIGs over SOA RRset
RRSIG=33171 and DNSKEY=33171 verifies the SOA RRset
capitolgiftshop.gov
authns1.centurylink.net is authoritative for capitolgiftshop.gov
Found 1 RRSIGs over NSEC RRset
RRSIG=33171 and DNSKEY=33171 verifies the NSEC RRset
NSEC proves no records of type A exist for capitolgiftshop.gov
Found 1 RRSIGs over SOA RRset
RRSIG=33171 and DNSKEY=33171 verifies the SOA RRset
capitolgiftshop.gov
ns3.comcastbusiness.net is authoritative for capitolgiftshop.gov
Found 1 RRSIGs over NSEC RRset
RRSIG=20671 is expired
None of the 1 RRSIG and 5 DNSKEY records validate the NSEC RRset
No NSEC record could prove that no records of type A for capitolgiftshop.gov exist
Found 1 RRSIGs over SOA RRset
None of the 1 RRSIG and 5 DNSKEY records validate the SOA RRset
capitolgiftshop.gov
ns2.aoc.gov is authoritative for capitolgiftshop.gov
Found 1 RRSIGs over NSEC RRset
RRSIG=33171 and DNSKEY=33171 verifies the NSEC RRset
NSEC proves no records of type A exist for capitolgiftshop.gov
Found 1 RRSIGs over SOA RRset
RRSIG=33171 and DNSKEY=33171 verifies the SOA RRset
capitolgiftshop.gov
ns2.comcastbusiness.net is authoritative for capitolgiftshop.gov
Found 1 RRSIGs over NSEC RRset
RRSIG=20671 is expired
None of the 1 RRSIG and 5 DNSKEY records validate the NSEC RRset
No NSEC record could prove that no records of type A for capitolgiftshop.gov exist
Found 1 RRSIGs over SOA RRset
None of the 1 RRSIG and 5 DNSKEY records validate the SOA RRset
capitolgiftshop.gov
ns1.aoc.gov is authoritative for capitolgiftshop.gov
Found 1 RRSIGs over NSEC RRset
RRSIG=33171 and DNSKEY=33171 verifies the NSEC RRset
NSEC proves no records of type A exist for capitolgiftshop.gov
Found 1 RRSIGs over SOA RRset
RRSIG=33171 and DNSKEY=33171 verifies the SOA RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test capitolgiftshop.gov at dnsviz.net.

DNSSEC Debugger

↓ Advanced options