DNSSEC Debugger - cfpb.gov

Domain Name:

Time: 2026-01-23 11:45:57 UTC

Analyzing DNSSEC problems for cfpb.gov

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to c.root-servers.net for ./DNSKEY
	Received 1141 bytes from 192.33.4.12
	;; Response received from [192.33.4.12] 1141 octets ;; HEADER SECTION ;; id = 28915 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 4 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (4 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20260211000000 20260121000000 20326 . EBetGA/PKYoAlq56mQMDn03GRImGJtuP7+VneaBFBz6bKPYOkJCeH+iWyvbdHc2EdpdPwod/fNV2 buvubzluWs2ORvqpr/w3awExDRBLgjuGRo8LyRlPG/utQh2tmjC5t5CzPKKtUOjKcotmlYgfV+pQ CT1zqZfavyxYJXMGILkSVcQe+3rraAvzXQoZzMfewQZOJrhyFfKtugkpOLWCuWg5/dKleyYB8G4r EWDPhywRt+GSlOgFWhNYTHhEpZsSA6vnb3FTtIgu7CqlDD1zOTrIFuiv7L8cFizHm542Bm69lbzg QGJGdgSwOGAe4Aj55UXMdRobYUdhoWOsdGOJKA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 3 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20260211000000 20260121000000 20326 . EBetGA/PKYoAlq56mQMDn03GRImGJtuP7+VneaBFBz6bKPYOkJCeH+iWyvbdHc2EdpdPwod/fNV2 buvubzluWs2ORvqpr/w3awExDRBLgjuGRo8LyRlPG/utQh2tmjC5t5CzPKKtUOjKcotmlYgfV+pQ CT1zqZfavyxYJXMGILkSVcQe+3rraAvzXQoZzMfewQZOJrhyFfKtugkpOLWCuWg5/dKleyYB8G4r EWDPhywRt+GSlOgFWhNYTHhEpZsSA6vnb3FTtIgu7CqlDD1zOTrIFuiv7L8cFizHm542Bm69lbzg QGJGdgSwOGAe4Aj55UXMdRobYUdhoWOsdGOJKA== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=21831 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	Query to a.root-servers.net for cfpb.gov/A
	Received 615 bytes from 198.41.0.4
	;; Response received from [198.41.0.4] 615 octets ;; HEADER SECTION ;; id = 5455 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260205050000 20260123040000 21831 . CLvvZW0zMDKpHFKtAclhMNkpUUqpfJETd/NG7hyjVuFz2/KnKnX0OtdsiKFaf3SIlIoATVtwHpkc Z8aXqhiK4i58aKmFYOZEMxuIEiNpAXFKyfJOMidu47VjCynL4ZkBF4C6RIb8+7bl8WSke3Dhmsep D9i7W/KETNUub7s5zrAEZucuvSjmt1PN2niYEAIJGTLOdvz8+dxUS+F+eTP/V+wpyzvzCVRbnFC1 JK0QF6YwvH2u8GENAHoWRoRGs8J2tisvBfKGbGrylQbT/NeThSQutnTVibuVvbhyZVYE+RxHU6TD GtT+Vp38U+D8lIo2Np2zxpGYMXF91IWuQ5uFHA== ) ;; ADDITIONAL SECTION (9 records) c.ns.gov. 172800 IN A 199.33.232.1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 a.ns.gov. 172800 IN A 199.33.230.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 d.ns.gov. 172800 IN A 199.33.233.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 b.ns.gov. 172800 IN A 199.33.231.1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 ;; { "EDNS-VERSION": 0 }
	Query to b.root-servers.net for gov/DNSKEY
	Received 610 bytes from 170.247.170.2
	;; Response received from [170.247.170.2] 610 octets ;; HEADER SECTION ;; id = 56560 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260205050000 20260123040000 21831 . CLvvZW0zMDKpHFKtAclhMNkpUUqpfJETd/NG7hyjVuFz2/KnKnX0OtdsiKFaf3SIlIoATVtwHpkc Z8aXqhiK4i58aKmFYOZEMxuIEiNpAXFKyfJOMidu47VjCynL4ZkBF4C6RIb8+7bl8WSke3Dhmsep D9i7W/KETNUub7s5zrAEZucuvSjmt1PN2niYEAIJGTLOdvz8+dxUS+F+eTP/V+wpyzvzCVRbnFC1 JK0QF6YwvH2u8GENAHoWRoRGs8J2tisvBfKGbGrylQbT/NeThSQutnTVibuVvbhyZVYE+RxHU6TD GtT+Vp38U+D8lIo2Np2zxpGYMXF91IWuQ5uFHA== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN A 199.33.231.1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN A 199.33.232.1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN A 199.33.233.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Found child zone gov

gov

	Checking DS between . and gov
	Query to j.root-servers.net for gov/DS
	Received 367 bytes from 192.58.128.30
	;; Response received from [192.58.128.30] 367 octets ;; HEADER SECTION ;; id = 39324 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1472, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DS ;; ANSWER SECTION (2 records) gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260205050000 20260123040000 21831 . CLvvZW0zMDKpHFKtAclhMNkpUUqpfJETd/NG7hyjVuFz2/KnKnX0OtdsiKFaf3SIlIoATVtwHpkc Z8aXqhiK4i58aKmFYOZEMxuIEiNpAXFKyfJOMidu47VjCynL4ZkBF4C6RIb8+7bl8WSke3Dhmsep D9i7W/KETNUub7s5zrAEZucuvSjmt1PN2niYEAIJGTLOdvz8+dxUS+F+eTP/V+wpyzvzCVRbnFC1 JK0QF6YwvH2u8GENAHoWRoRGs8J2tisvBfKGbGrylQbT/NeThSQutnTVibuVvbhyZVYE+RxHU6TD GtT+Vp38U+D8lIo2Np2zxpGYMXF91IWuQ5uFHA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for gov in the . zone
	DS=2536/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`gov. 86400 IN RRSIG ( DS 8 1 86400 20260205050000 20260123040000 21831 . CLvvZW0zMDKpHFKtAclhMNkpUUqpfJETd/NG7hyjVuFz2/KnKnX0OtdsiKFaf3SIlIoATVtwHpkc Z8aXqhiK4i58aKmFYOZEMxuIEiNpAXFKyfJOMidu47VjCynL4ZkBF4C6RIb8+7bl8WSke3Dhmsep D9i7W/KETNUub7s5zrAEZucuvSjmt1PN2niYEAIJGTLOdvz8+dxUS+F+eTP/V+wpyzvzCVRbnFC1 JK0QF6YwvH2u8GENAHoWRoRGs8J2tisvBfKGbGrylQbT/NeThSQutnTVibuVvbhyZVYE+RxHU6TD GtT+Vp38U+D8lIo2Np2zxpGYMXF91IWuQ5uFHA== )`
	RRSIG=21831 and DNSKEY=21831 verifies the DS RRset
	DS=2536/SHA-256 is now in the chain-of-trust
	`gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 )`
	Query to c.ns.gov for gov/DNSKEY
	Received 291 bytes from 199.33.232.1
	;; Response received from [199.33.232.1] 291 octets ;; HEADER SECTION ;; id = 14101 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (3 records) gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536 gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496 gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20260301110621 20251230110621 2536 gov. iCtKgojxRJ3aC+zRkeRtYN8ULchb9nyn0dGHPebhgcZI66aNxjbxFRdkFaPdfb7Jm2tyceq+I9oR dhCENtiufw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for gov
	`gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536`
	`gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496`
	DNSKEY=2536/SEP is now in the chain-of-trust
	DS=2536/SHA-256 verifies DNSKEY=2536/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20260301110621 20251230110621 2536 gov. iCtKgojxRJ3aC+zRkeRtYN8ULchb9nyn0dGHPebhgcZI66aNxjbxFRdkFaPdfb7Jm2tyceq+I9oR dhCENtiufw== )`
	RRSIG=2536 and DNSKEY=2536/SEP verifies the DNSKEY RRset
	DNSKEY=35496 is now in the chain-of-trust
	Query to a.ns.gov for cfpb.gov/A
	Received 287 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 287 octets ;; HEADER SECTION ;; id = 35217 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 5 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) cfpb.gov. 10800 IN NS sauthns1.qwest.net. cfpb.gov. 10800 IN NS sauthns2.qwest.net. cfpb.gov. 3600 IN DS ( 27603 7 2 a3eb1dbfb78f0aad8491195b6a5af5a27ff71ca7d0425a0ca405d8cb0374fcab ) cfpb.gov. 3600 IN DS ( 31188 7 2 9155c3050a3252683182939dce277a6b9a318c5d20cce24c79ef7ce255add375 ) cfpb.gov. 3600 IN RRSIG ( DS 13 2 3600 20260124124557 20260122104557 35496 gov. 6enf+ST1GL4W2u1w/Be7KHI7mA9OYo72otJF0+K/QEtHusn/TNO1HPsmdPwxnf0bL0RLEV9LWCLG MA4EmSaQag== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to d.ns.gov for cfpb.gov/DNSKEY
	Received 287 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 287 octets ;; HEADER SECTION ;; id = 20717 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 5 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) cfpb.gov. 10800 IN NS sauthns1.qwest.net. cfpb.gov. 10800 IN NS sauthns2.qwest.net. cfpb.gov. 3600 IN DS ( 27603 7 2 a3eb1dbfb78f0aad8491195b6a5af5a27ff71ca7d0425a0ca405d8cb0374fcab ) cfpb.gov. 3600 IN DS ( 31188 7 2 9155c3050a3252683182939dce277a6b9a318c5d20cce24c79ef7ce255add375 ) cfpb.gov. 3600 IN RRSIG ( DS 13 2 3600 20260124124557 20260122104557 35496 gov. 3z1K3cHhRryBOM8bLQQ72WD2GGvqYeNiJIApm5MgWytUt3BVskjqJ0p8tV0ugD2x4/yjg702O5rl +ka1s4+l+g== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone cfpb.gov

cfpb.gov

	Checking DS between gov and cfpb.gov
	Query to d.ns.gov for cfpb.gov/DS
	Received 232 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 232 octets ;; HEADER SECTION ;; id = 37677 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN DS ;; ANSWER SECTION (3 records) cfpb.gov. 3600 IN DS ( 27603 7 2 a3eb1dbfb78f0aad8491195b6a5af5a27ff71ca7d0425a0ca405d8cb0374fcab ) cfpb.gov. 3600 IN DS ( 31188 7 2 9155c3050a3252683182939dce277a6b9a318c5d20cce24c79ef7ce255add375 ) cfpb.gov. 3600 IN RRSIG ( DS 13 2 3600 20260124124557 20260122104557 35496 gov. cNaEPWZReOBnHpDQKQa4209uXFsB7GBL/z59ZQ0TbfhKzTmJkCxlHwAWorX5plYu3G9iSR9SG3hD +fMvgcp9Mw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DS records for cfpb.gov in the gov zone
	DS=27603/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	DS=31188/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	Found 1 RRSIGs over DS RRset
	`cfpb.gov. 3600 IN RRSIG ( DS 13 2 3600 20260124124557 20260122104557 35496 gov. cNaEPWZReOBnHpDQKQa4209uXFsB7GBL/z59ZQ0TbfhKzTmJkCxlHwAWorX5plYu3G9iSR9SG3hD +fMvgcp9Mw== )`
	RRSIG=35496 and DNSKEY=35496 verifies the DS RRset
	DS=27603/SHA-256 is now in the chain-of-trust
	DS=31188/SHA-256 is now in the chain-of-trust
	`cfpb.gov. 3600 IN DS ( 27603 7 2 a3eb1dbfb78f0aad8491195b6a5af5a27ff71ca7d0425a0ca405d8cb0374fcab )`
	`cfpb.gov. 3600 IN DS ( 31188 7 2 9155c3050a3252683182939dce277a6b9a318c5d20cce24c79ef7ce255add375 )`
	Query to sauthns2.qwest.net for cfpb.gov/DNSKEY
	Received 1645 bytes from 208.44.130.121
	;; Response received from [208.44.130.121] 1645 octets ;; HEADER SECTION ;; id = 62382 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 7 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN DNSKEY ;; ANSWER SECTION (7 records) cfpb.gov. 86400 IN DNSKEY ( 257 3 7 AwEAAcdhjFlnADdw5jVZjUCWxqaaIsgYb9TMwlsuu4Q65zn4PZaba0aPukbMyojc6XRRMFEWWH7R 5I35GCQk8+bIMUF6tU3AdlbFpFSeURUOy2Q0QPhbf4gXATOVePU/JxTcP9YEH3g61X4Rq1HtHWxv X20oSNAZGS6YLgdD1KUf+B+j2RU07YOIU5lr7LIOdA2zTBIHkqRWYDSDSu3Vd1HStNGUruElFm8y mNC0wxQ8IOorsrznPdAv42pEqYGMNbNFDA8c5K5uw2X0QGhBStpXK8P3jHyVMZhDMF95oBXEZBKr itaarDqx04AWO3UVzWcS8d4vcB1iD+MRKq3U94+dNSE= ) ; keytag 27603 cfpb.gov. 86400 IN DNSKEY ( 256 3 7 AwEAAag94qSKUJ0F1HRrE6i21ppeKuWT3QyCF4yHFPxRC02EF5CcjWaaXT754V10CC8aXnsdmpsj LGhT0riHkYXwYKEHC14PIjCTiRA8KSsLj6aYzkb7lMe/M72Cs/3b1aRwxHHLYDLy5gMOqKz79Hw+ f9/BXxG+GZQJTlAm17iBgHef ) ; keytag 16742 cfpb.gov. 86400 IN DNSKEY ( 257 3 7 AwEAAaNR7s6NpaIgP0U0JQeLl9ICJFBOkKv5BXYrb+WRgECx7zXfhpt1dDWOPyfsCyoqk+TPlDVG 3UykpsR8XirdRXTfAlZS0N7zQ2Cy9kGtfp8Rpuo17iGv8I02l3uJVw3xPOpbJFvOeX+rla7+Jl4/ o6aJ5/oYqKG3YrWp4fdRVZNQXXxerXAcdz+uzPRIxYlFWZoelnIfAt5qx/tI/9/JELbMAXzUo27F uf3rtRwdmkMIokA5pGWLV9U8RxJaZsiFGy/5o84u2pLhCJjlo7GphNO6Y7G3Cg7WXEG70sJnw/Nf q3a7HSRqKcR0UNDjECbmp880Mcv+Omb4FuxnqsDG9Lc= ) ; keytag 53163 cfpb.gov. 86400 IN DNSKEY ( 256 3 7 AwEAAcy7KdKTCBcNxUWmBH6P7k5YRImt9PqlvCnbj9CLv67k5n19Awtodf/2MFpjKdf0w0goJS8D iey99R9U+OAF1ZIhJMCffPf0XqeBROWXnA9ealhzzJFefmqNPKIpq9+Xw2ZrwcrE5/WZMKpe87b7 44/bBimFacFL/bs7gXwO5JKd ) ; keytag 36623 cfpb.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260130030015 20260123020015 16742 cfpb.gov. Ho9cWwLK1t1npVMd0Wh50vE82qnV2O3ZAQfCgQeAKbdnpKoivmeyphUrzCdurH4NRjJOksO1MhQ+ SMtaNhcy/qHsgLisPVDmlpEjO1SWSTnb7Ce7K5dK8twFQn69+agHH2erQGOy4CF1V9lPCvBzrTvn f1gptdmI969Fvrg/sBM= ) cfpb.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260130030015 20260123020015 27603 cfpb.gov. ZAbbU+4Rh19EyxLvj8geO0iOJqIMugDvn2enGEDCNGBqKjlv8vT23LSoi2PhyLW10LmovjdkFNpW iOw+trqDf9xDllXjpDy3wn+Zu+deiUJt9uKLCxeuP0ai+AqHgMpzOgqLHGs/Md8NQrIIDHG9w4oH zU5eJi0CqP0vsPOWsAwGgo731O1a5bNLLWqvGNuZXc0q7szFKhskcYIRwRQb5FDBMXHKGkz+gEWv g0n06yXroYc0spaROrUDJJkiM+cho6w6fZkYoIxvmtTbwxiUWnQu4rw2/cfLVPtNZF/Uq5Msonhx +UzgxJONsu7jeGLiXhiFhO+nFIgClvziWDBsIg== ) cfpb.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260130030015 20260123020015 53163 cfpb.gov. Um+k6Q6ZU+Pfw4z+ZMA61hgTncRcaFhvda6EIICiUhw0n54RS94WnAi9K6oMEaZFuqHa+7QsaE7+ t91ExfVKn45MsX+340Rd8RyognoiaYKbH8YfQ/3O3QvAzR8Bb0/tLPoOq9rED7cXpsbRKCBLJNV/ UgLmg3mtEE2kvt2//nHxamrmOl/oZGKrKWgtTKJKbS5WPhUC/2Ukq91pxGt7yJdAyIQEIrzpKOjj uXy9rxKZmf/4ChLVHsCVSrzPSdhhmzC3OWAIw7VqT0HJx0TEZLr7EDk1bkTmH0pSSHCGKbxNhgvj nQPVQ0j4Rk388Y/ST/iXRZcPJcxsxMW0tO95iQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 4 DNSKEY records for cfpb.gov
	`cfpb.gov. 86400 IN DNSKEY ( 257 3 7 AwEAAcdhjFlnADdw5jVZjUCWxqaaIsgYb9TMwlsuu4Q65zn4PZaba0aPukbMyojc6XRRMFEWWH7R 5I35GCQk8+bIMUF6tU3AdlbFpFSeURUOy2Q0QPhbf4gXATOVePU/JxTcP9YEH3g61X4Rq1HtHWxv X20oSNAZGS6YLgdD1KUf+B+j2RU07YOIU5lr7LIOdA2zTBIHkqRWYDSDSu3Vd1HStNGUruElFm8y mNC0wxQ8IOorsrznPdAv42pEqYGMNbNFDA8c5K5uw2X0QGhBStpXK8P3jHyVMZhDMF95oBXEZBKr itaarDqx04AWO3UVzWcS8d4vcB1iD+MRKq3U94+dNSE= ) ; keytag 27603`
	`cfpb.gov. 86400 IN DNSKEY ( 256 3 7 AwEAAag94qSKUJ0F1HRrE6i21ppeKuWT3QyCF4yHFPxRC02EF5CcjWaaXT754V10CC8aXnsdmpsj LGhT0riHkYXwYKEHC14PIjCTiRA8KSsLj6aYzkb7lMe/M72Cs/3b1aRwxHHLYDLy5gMOqKz79Hw+ f9/BXxG+GZQJTlAm17iBgHef ) ; keytag 16742`
	`cfpb.gov. 86400 IN DNSKEY ( 257 3 7 AwEAAaNR7s6NpaIgP0U0JQeLl9ICJFBOkKv5BXYrb+WRgECx7zXfhpt1dDWOPyfsCyoqk+TPlDVG 3UykpsR8XirdRXTfAlZS0N7zQ2Cy9kGtfp8Rpuo17iGv8I02l3uJVw3xPOpbJFvOeX+rla7+Jl4/ o6aJ5/oYqKG3YrWp4fdRVZNQXXxerXAcdz+uzPRIxYlFWZoelnIfAt5qx/tI/9/JELbMAXzUo27F uf3rtRwdmkMIokA5pGWLV9U8RxJaZsiFGy/5o84u2pLhCJjlo7GphNO6Y7G3Cg7WXEG70sJnw/Nf q3a7HSRqKcR0UNDjECbmp880Mcv+Omb4FuxnqsDG9Lc= ) ; keytag 53163`
	`cfpb.gov. 86400 IN DNSKEY ( 256 3 7 AwEAAcy7KdKTCBcNxUWmBH6P7k5YRImt9PqlvCnbj9CLv67k5n19Awtodf/2MFpjKdf0w0goJS8D iey99R9U+OAF1ZIhJMCffPf0XqeBROWXnA9ealhzzJFefmqNPKIpq9+Xw2ZrwcrE5/WZMKpe87b7 44/bBimFacFL/bs7gXwO5JKd ) ; keytag 36623`
	DNSKEY=27603/SEP is now in the chain-of-trust
	DS=27603/SHA-256 verifies DNSKEY=27603/SEP
	DS=31188/SHA-256 is published, but a corresponding DNSKEY is not
	Found 3 RRSIGs over DNSKEY RRset
	`cfpb.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260130030015 20260123020015 16742 cfpb.gov. Ho9cWwLK1t1npVMd0Wh50vE82qnV2O3ZAQfCgQeAKbdnpKoivmeyphUrzCdurH4NRjJOksO1MhQ+ SMtaNhcy/qHsgLisPVDmlpEjO1SWSTnb7Ce7K5dK8twFQn69+agHH2erQGOy4CF1V9lPCvBzrTvn f1gptdmI969Fvrg/sBM= )`
	`cfpb.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260130030015 20260123020015 27603 cfpb.gov. ZAbbU+4Rh19EyxLvj8geO0iOJqIMugDvn2enGEDCNGBqKjlv8vT23LSoi2PhyLW10LmovjdkFNpW iOw+trqDf9xDllXjpDy3wn+Zu+deiUJt9uKLCxeuP0ai+AqHgMpzOgqLHGs/Md8NQrIIDHG9w4oH zU5eJi0CqP0vsPOWsAwGgo731O1a5bNLLWqvGNuZXc0q7szFKhskcYIRwRQb5FDBMXHKGkz+gEWv g0n06yXroYc0spaROrUDJJkiM+cho6w6fZkYoIxvmtTbwxiUWnQu4rw2/cfLVPtNZF/Uq5Msonhx +UzgxJONsu7jeGLiXhiFhO+nFIgClvziWDBsIg== )`
	`cfpb.gov. 86400 IN RRSIG ( DNSKEY 7 2 86400 20260130030015 20260123020015 53163 cfpb.gov. Um+k6Q6ZU+Pfw4z+ZMA61hgTncRcaFhvda6EIICiUhw0n54RS94WnAi9K6oMEaZFuqHa+7QsaE7+ t91ExfVKn45MsX+340Rd8RyognoiaYKbH8YfQ/3O3QvAzR8Bb0/tLPoOq9rED7cXpsbRKCBLJNV/ UgLmg3mtEE2kvt2//nHxamrmOl/oZGKrKWgtTKJKbS5WPhUC/2Ukq91pxGt7yJdAyIQEIrzpKOjj uXy9rxKZmf/4ChLVHsCVSrzPSdhhmzC3OWAIw7VqT0HJx0TEZLr7EDk1bkTmH0pSSHCGKbxNhgvj nQPVQ0j4Rk388Y/ST/iXRZcPJcxsxMW0tO95iQ== )`
	RRSIG=16742 and DNSKEY=16742 does not verify the DNSKEY RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	RRSIG=27603 and DNSKEY=27603/SEP does not verify the DNSKEY RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	RRSIG=53163 and DNSKEY=53163/SEP does not verify the DNSKEY RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	None of the 3 RRSIG and 4 DNSKEY records validate the DNSKEY RRset
	The DNSKEY RRset was not signed by any trusted keys
	Query to sauthns1.qwest.net for cfpb.gov/A
	Received 444 bytes from 63.150.72.5
	;; Response received from [63.150.72.5] 444 octets ;; HEADER SECTION ;; id = 27650 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN A ;; ANSWER SECTION (2 records) cfpb.gov. 120 IN A 52.21.11.213 cfpb.gov. 120 IN RRSIG ( A 7 2 120 20260130030015 20260123020015 16742 cfpb.gov. F5aJZBTHPZcpZblYdNhEpQzvc/dDPhZtJ/IGj6J9UfMhlKPU99IUv3ZoEliAl7cREuc3iAeJFKOm 95QBZSQDxUM4zuXSSmwJQYpQxI7/X8PEzoTQ14MbBmzDOMspa3WNyrIpA89nOE+uyma9J6qH1TNo W0ls4QRYv+meNQUva6I= ) ;; AUTHORITY SECTION (3 records) cfpb.gov. 900 IN NS sauthns2.qwest.net. cfpb.gov. 900 IN NS sauthns1.qwest.net. cfpb.gov. 900 IN RRSIG ( NS 7 2 900 20260130030015 20260123020015 16742 cfpb.gov. SdxT3nOJo5G7DFfUh4ztupfBthe3/DrCHMvO133XLwymDE7GLjS5ERmkOLfl9t3e3MHODLzvy3Ja 9u1APQ24SzP7USVt9lBWTsQPBN1XvUqv20Ar/JJayORHhb/kyxW5+2/lzgDpzSTl39yfQwp31wgC wm6c3RATqfrG3YXLGeA= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sauthns1.qwest.net is authoritative for cfpb.gov
	Found RRSIG signed by cfpb.gov zone
	Query to sauthns2.qwest.net for cfpb.gov/SOA
	Received 483 bytes from 208.44.130.121
	;; Response received from [208.44.130.121] 483 octets ;; HEADER SECTION ;; id = 17001 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN SOA ;; ANSWER SECTION (2 records) cfpb.gov. 86400 IN SOA ( sauthns2.qwest.net. abuse.aup.lumen.com. 2260121012 ;serial 10800 ;refresh 3600 ;retry 604800 ;expire 300 ;minimum ) cfpb.gov. 86400 IN RRSIG ( SOA 7 2 86400 20260130030015 20260123020015 16742 cfpb.gov. BabDAsxgtwnAw3v752wmrNTIbUcZvItTqEh5TykYcH/D/C9k0sChni6i2aCPqS/hZlfpaFjyY1t+ qvuNvC9esg1wkX+W93ld7MMpgLt6EG185UPs7m0Zq0uh0CQuEYTHv84ndA04BuOJeeN4hWCRRrh0 fQknkedMMLRaUOO1OZs= ) ;; AUTHORITY SECTION (3 records) cfpb.gov. 900 IN NS sauthns1.qwest.net. cfpb.gov. 900 IN NS sauthns2.qwest.net. cfpb.gov. 900 IN RRSIG ( NS 7 2 900 20260130030015 20260123020015 16742 cfpb.gov. SdxT3nOJo5G7DFfUh4ztupfBthe3/DrCHMvO133XLwymDE7GLjS5ERmkOLfl9t3e3MHODLzvy3Ja 9u1APQ24SzP7USVt9lBWTsQPBN1XvUqv20Ar/JJayORHhb/kyxW5+2/lzgDpzSTl39yfQwp31wgC wm6c3RATqfrG3YXLGeA= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to sauthns1.qwest.net for cfpb.gov/A
	Received 444 bytes from 63.150.72.5
	;; Response received from [63.150.72.5] 444 octets ;; HEADER SECTION ;; id = 10931 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN A ;; ANSWER SECTION (2 records) cfpb.gov. 120 IN A 52.21.11.213 cfpb.gov. 120 IN RRSIG ( A 7 2 120 20260130030015 20260123020015 16742 cfpb.gov. F5aJZBTHPZcpZblYdNhEpQzvc/dDPhZtJ/IGj6J9UfMhlKPU99IUv3ZoEliAl7cREuc3iAeJFKOm 95QBZSQDxUM4zuXSSmwJQYpQxI7/X8PEzoTQ14MbBmzDOMspa3WNyrIpA89nOE+uyma9J6qH1TNo W0ls4QRYv+meNQUva6I= ) ;; AUTHORITY SECTION (3 records) cfpb.gov. 900 IN NS sauthns2.qwest.net. cfpb.gov. 900 IN NS sauthns1.qwest.net. cfpb.gov. 900 IN RRSIG ( NS 7 2 900 20260130030015 20260123020015 16742 cfpb.gov. SdxT3nOJo5G7DFfUh4ztupfBthe3/DrCHMvO133XLwymDE7GLjS5ERmkOLfl9t3e3MHODLzvy3Ja 9u1APQ24SzP7USVt9lBWTsQPBN1XvUqv20Ar/JJayORHhb/kyxW5+2/lzgDpzSTl39yfQwp31wgC wm6c3RATqfrG3YXLGeA= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	cfpb.gov A RR has value 52.21.11.213
	Found 1 RRSIGs over A RRset
	`cfpb.gov. 120 IN RRSIG ( A 7 2 120 20260130030015 20260123020015 16742 cfpb.gov. F5aJZBTHPZcpZblYdNhEpQzvc/dDPhZtJ/IGj6J9UfMhlKPU99IUv3ZoEliAl7cREuc3iAeJFKOm 95QBZSQDxUM4zuXSSmwJQYpQxI7/X8PEzoTQ14MbBmzDOMspa3WNyrIpA89nOE+uyma9J6qH1TNo W0ls4QRYv+meNQUva6I= )`
	RRSIG=16742 and DNSKEY=16742 does not verify the A RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	None of the 1 RRSIG and 4 DNSKEY records validate the A RRset

cfpb.gov

	Query to sauthns2.qwest.net for cfpb.gov/A
	Received 444 bytes from 208.44.130.121
	;; Response received from [208.44.130.121] 444 octets ;; HEADER SECTION ;; id = 18937 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN A ;; ANSWER SECTION (2 records) cfpb.gov. 120 IN A 52.21.11.213 cfpb.gov. 120 IN RRSIG ( A 7 2 120 20260130030015 20260123020015 16742 cfpb.gov. F5aJZBTHPZcpZblYdNhEpQzvc/dDPhZtJ/IGj6J9UfMhlKPU99IUv3ZoEliAl7cREuc3iAeJFKOm 95QBZSQDxUM4zuXSSmwJQYpQxI7/X8PEzoTQ14MbBmzDOMspa3WNyrIpA89nOE+uyma9J6qH1TNo W0ls4QRYv+meNQUva6I= ) ;; AUTHORITY SECTION (3 records) cfpb.gov. 900 IN NS sauthns2.qwest.net. cfpb.gov. 900 IN NS sauthns1.qwest.net. cfpb.gov. 900 IN RRSIG ( NS 7 2 900 20260130030015 20260123020015 16742 cfpb.gov. SdxT3nOJo5G7DFfUh4ztupfBthe3/DrCHMvO133XLwymDE7GLjS5ERmkOLfl9t3e3MHODLzvy3Ja 9u1APQ24SzP7USVt9lBWTsQPBN1XvUqv20Ar/JJayORHhb/kyxW5+2/lzgDpzSTl39yfQwp31wgC wm6c3RATqfrG3YXLGeA= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	sauthns2.qwest.net is authoritative for cfpb.gov
	Found RRSIG signed by cfpb.gov zone
	Query to sauthns2.qwest.net for cfpb.gov/A
	Received 444 bytes from 208.44.130.121
	;; Response received from [208.44.130.121] 444 octets ;; HEADER SECTION ;; id = 37793 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; cfpb.gov. IN A ;; ANSWER SECTION (2 records) cfpb.gov. 120 IN A 52.21.11.213 cfpb.gov. 120 IN RRSIG ( A 7 2 120 20260130030015 20260123020015 16742 cfpb.gov. F5aJZBTHPZcpZblYdNhEpQzvc/dDPhZtJ/IGj6J9UfMhlKPU99IUv3ZoEliAl7cREuc3iAeJFKOm 95QBZSQDxUM4zuXSSmwJQYpQxI7/X8PEzoTQ14MbBmzDOMspa3WNyrIpA89nOE+uyma9J6qH1TNo W0ls4QRYv+meNQUva6I= ) ;; AUTHORITY SECTION (3 records) cfpb.gov. 900 IN NS sauthns1.qwest.net. cfpb.gov. 900 IN NS sauthns2.qwest.net. cfpb.gov. 900 IN RRSIG ( NS 7 2 900 20260130030015 20260123020015 16742 cfpb.gov. SdxT3nOJo5G7DFfUh4ztupfBthe3/DrCHMvO133XLwymDE7GLjS5ERmkOLfl9t3e3MHODLzvy3Ja 9u1APQ24SzP7USVt9lBWTsQPBN1XvUqv20Ar/JJayORHhb/kyxW5+2/lzgDpzSTl39yfQwp31wgC wm6c3RATqfrG3YXLGeA= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	cfpb.gov A RR has value 52.21.11.213
	Found 1 RRSIGs over A RRset
	`cfpb.gov. 120 IN RRSIG ( A 7 2 120 20260130030015 20260123020015 16742 cfpb.gov. F5aJZBTHPZcpZblYdNhEpQzvc/dDPhZtJ/IGj6J9UfMhlKPU99IUv3ZoEliAl7cREuc3iAeJFKOm 95QBZSQDxUM4zuXSSmwJQYpQxI7/X8PEzoTQ14MbBmzDOMspa3WNyrIpA89nOE+uyma9J6qH1TNo W0ls4QRYv+meNQUva6I= )`
	RRSIG=16742 and DNSKEY=16742 does not verify the A RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	None of the 1 RRSIG and 4 DNSKEY records validate the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test cfpb.gov at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: