DNSSEC Debugger - mail.gov

Domain Name:

Time: 2025-03-15 20:34:37 UTC

Analyzing DNSSEC problems for mail.gov

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to a.root-servers.net for ./DNSKEY
	Received 1139 bytes from 198.41.0.4
	;; Response received from [198.41.0.4] 1139 octets ;; HEADER SECTION ;; id = 19605 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 4 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (4 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAZ5A7jOztf62cGqhPhutjnyl7KBjIsjbyTb8il+FsgbMUbO2NQHaSbatHdlOlqANncDwSIKZ 9ryqd1+Dy1PoGzeTUv95vOJnVVJHlJu7xdavnUmPs+Mh2NV7hDlTTwPn5uXgFxAaxoO9M/YIAC92 GryCLjoJEg9JzeevkktEM/sFpmRv4I5jQtlLyRqVbnCzcWpi04XaVLxRKvURkd/Mdb/2RQS3MYvr kEBXuqtnAVBCf6Fx4sgBYOfYvbUuG2diLnGJW/MXvFpctZgQ76+3FwMqAZfR9k5bohL7AF3+jqz4 MUiootYoh5koyt7VEnUULxxy6U5PINTGgOC26f3zZuk= ) ; keytag 26470 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20250402000000 20250312000000 20326 . joWEhr7Z7AY96Kpp+ioymNlyKtdPDPkzEvGO1tLYsoR0huN6i7rOVBRYQd0HHWdA4RaXiXf7ME5U 1qEiuH3xFG3H7BRBwddweL4ubSNVeVo5sk+BSv74uTSpnPcCgUgCxppaY4c9Q6lXOASVGNiyLPG4 bMUSbBONXBKRT5vnJss1z30BF47JaFM/OdT+0Zu8oVr8f8KX1hjcm8pZfpoIAnHg2BLsbVCS5iBf mtahqttuyEnJdw0R2ExBXpYNrK6ZR5sSiF5S4lMf66ix4bBl2eecQFWNAsD4H3yksS95JEgXkq4J JduKbn7t7B1aFennfSjC9lT3WZ7O6xuPXb2QLw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 3 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAZ5A7jOztf62cGqhPhutjnyl7KBjIsjbyTb8il+FsgbMUbO2NQHaSbatHdlOlqANncDwSIKZ 9ryqd1+Dy1PoGzeTUv95vOJnVVJHlJu7xdavnUmPs+Mh2NV7hDlTTwPn5uXgFxAaxoO9M/YIAC92 GryCLjoJEg9JzeevkktEM/sFpmRv4I5jQtlLyRqVbnCzcWpi04XaVLxRKvURkd/Mdb/2RQS3MYvr kEBXuqtnAVBCf6Fx4sgBYOfYvbUuG2diLnGJW/MXvFpctZgQ76+3FwMqAZfR9k5bohL7AF3+jqz4 MUiootYoh5koyt7VEnUULxxy6U5PINTGgOC26f3zZuk= ) ; keytag 26470`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20250402000000 20250312000000 20326 . joWEhr7Z7AY96Kpp+ioymNlyKtdPDPkzEvGO1tLYsoR0huN6i7rOVBRYQd0HHWdA4RaXiXf7ME5U 1qEiuH3xFG3H7BRBwddweL4ubSNVeVo5sk+BSv74uTSpnPcCgUgCxppaY4c9Q6lXOASVGNiyLPG4 bMUSbBONXBKRT5vnJss1z30BF47JaFM/OdT+0Zu8oVr8f8KX1hjcm8pZfpoIAnHg2BLsbVCS5iBf mtahqttuyEnJdw0R2ExBXpYNrK6ZR5sSiF5S4lMf66ix4bBl2eecQFWNAsD4H3yksS95JEgXkq4J JduKbn7t7B1aFennfSjC9lT3WZ7O6xuPXb2QLw== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=26470 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	Query to m.root-servers.net for mail.gov/A
	Received 618 bytes from 202.12.27.33
	;; Response received from [202.12.27.33] 618 octets ;; HEADER SECTION ;; id = 23381 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20250328170000 20250315160000 26470 . atEgruLUi8duv2qE1dOhBXUHurhWHaZbNblLA/irKf8UYusDOV1VgZdgI/kDq1YYJpDsKbRqEw8X Ph46PExwajA8FENBMrVRY82U4BwbZweeKNAEWmJFIKcxr80dVFv7Cu373PINeQfSw7ZiKC8wQqh3 LrVjCnvcjdsMb3aFeY4h+cnhprqPSwPP4HHwXWXu9aPIbNYtgvDocaxWIzlEhabro9BesukeCEd4 NAGEq4d5hL/LXcaO5bDeTPUE1UOSXYFygreVHJMWc73+RojKsGy1GpyDUd5V9HpRJaE1j6yDaJCF e+wAXosfS3yTF4pJ51Ox9tel0lpJi5lzrphJMA== ) ;; ADDITIONAL SECTION (9 records) d.ns.gov. 172800 IN A 199.33.233.1 c.ns.gov. 172800 IN A 199.33.232.1 b.ns.gov. 172800 IN A 199.33.231.1 a.ns.gov. 172800 IN A 199.33.230.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 ;; { "EDNS-VERSION": 0 }
	Query to b.root-servers.net for gov/DNSKEY
	Received 610 bytes from 170.247.170.2
	;; Response received from [170.247.170.2] 610 octets ;; HEADER SECTION ;; id = 45465 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20250328170000 20250315160000 26470 . atEgruLUi8duv2qE1dOhBXUHurhWHaZbNblLA/irKf8UYusDOV1VgZdgI/kDq1YYJpDsKbRqEw8X Ph46PExwajA8FENBMrVRY82U4BwbZweeKNAEWmJFIKcxr80dVFv7Cu373PINeQfSw7ZiKC8wQqh3 LrVjCnvcjdsMb3aFeY4h+cnhprqPSwPP4HHwXWXu9aPIbNYtgvDocaxWIzlEhabro9BesukeCEd4 NAGEq4d5hL/LXcaO5bDeTPUE1UOSXYFygreVHJMWc73+RojKsGy1GpyDUd5V9HpRJaE1j6yDaJCF e+wAXosfS3yTF4pJ51Ox9tel0lpJi5lzrphJMA== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN A 199.33.231.1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN A 199.33.232.1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN A 199.33.233.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Found child zone gov

gov

	Checking DS between . and gov
	Query to m.root-servers.net for gov/DS
	Received 367 bytes from 202.12.27.33
	;; Response received from [202.12.27.33] 367 octets ;; HEADER SECTION ;; id = 54474 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DS ;; ANSWER SECTION (2 records) gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20250328170000 20250315160000 26470 . atEgruLUi8duv2qE1dOhBXUHurhWHaZbNblLA/irKf8UYusDOV1VgZdgI/kDq1YYJpDsKbRqEw8X Ph46PExwajA8FENBMrVRY82U4BwbZweeKNAEWmJFIKcxr80dVFv7Cu373PINeQfSw7ZiKC8wQqh3 LrVjCnvcjdsMb3aFeY4h+cnhprqPSwPP4HHwXWXu9aPIbNYtgvDocaxWIzlEhabro9BesukeCEd4 NAGEq4d5hL/LXcaO5bDeTPUE1UOSXYFygreVHJMWc73+RojKsGy1GpyDUd5V9HpRJaE1j6yDaJCF e+wAXosfS3yTF4pJ51Ox9tel0lpJi5lzrphJMA== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for gov in the . zone
	DS=2536/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`gov. 86400 IN RRSIG ( DS 8 1 86400 20250328170000 20250315160000 26470 . atEgruLUi8duv2qE1dOhBXUHurhWHaZbNblLA/irKf8UYusDOV1VgZdgI/kDq1YYJpDsKbRqEw8X Ph46PExwajA8FENBMrVRY82U4BwbZweeKNAEWmJFIKcxr80dVFv7Cu373PINeQfSw7ZiKC8wQqh3 LrVjCnvcjdsMb3aFeY4h+cnhprqPSwPP4HHwXWXu9aPIbNYtgvDocaxWIzlEhabro9BesukeCEd4 NAGEq4d5hL/LXcaO5bDeTPUE1UOSXYFygreVHJMWc73+RojKsGy1GpyDUd5V9HpRJaE1j6yDaJCF e+wAXosfS3yTF4pJ51Ox9tel0lpJi5lzrphJMA== )`
	RRSIG=26470 and DNSKEY=26470 verifies the DS RRset
	DS=2536/SHA-256 is now in the chain-of-trust
	`gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 )`
	Query to d.ns.gov for gov/DNSKEY
	Received 291 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 291 octets ;; HEADER SECTION ;; id = 14603 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (3 records) gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536 gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496 gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20250423110549 20250221110549 2536 gov. 8LTuzTLcX9Wd9nBCTZVdduaicz4pZ+NmJMAFo3Y3JPJO/5dHGFSDqMxvXmCqDLfjROfPMhvdtrF3 X8BsZto/sQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for gov
	`gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536`
	`gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496`
	DNSKEY=2536/SEP is now in the chain-of-trust
	DS=2536/SHA-256 verifies DNSKEY=2536/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20250423110549 20250221110549 2536 gov. 8LTuzTLcX9Wd9nBCTZVdduaicz4pZ+NmJMAFo3Y3JPJO/5dHGFSDqMxvXmCqDLfjROfPMhvdtrF3 X8BsZto/sQ== )`
	RRSIG=2536 and DNSKEY=2536/SEP verifies the DNSKEY RRset
	DNSKEY=35496 is now in the chain-of-trust
	Query to d.ns.gov for mail.gov/A
	Received 282 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 282 octets ;; HEADER SECTION ;; id = 16975 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 5 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) mail.gov. 10800 IN NS dns082.usps.com. mail.gov. 10800 IN NS dns141.usps.com. mail.gov. 3600 IN DS ( 47754 7 2 761e706ad5f36023f172735902794f0e3c7e6b189d82af538358ff91206b352e ) mail.gov. 3600 IN DS ( 47968 7 2 b80452997f3e3ae21814066628f2de0f0624b5a07a176014490fee5c8de2db3f ) mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20250316213437 20250314193437 35496 gov. uQkPtm5KhCEoJJnMA01KFn0XJzazpm4d3xNv+DRKUxQpdPG05I57n4LsU5f6SVPCiNR8FgMWq1w/ 5iOE3EgWxA== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to b.ns.gov for mail.gov/DNSKEY
	Received 282 bytes from 199.33.231.1
	;; Response received from [199.33.231.1] 282 octets ;; HEADER SECTION ;; id = 59197 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 5 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) mail.gov. 10800 IN NS dns082.usps.com. mail.gov. 10800 IN NS dns141.usps.com. mail.gov. 3600 IN DS ( 47754 7 2 761e706ad5f36023f172735902794f0e3c7e6b189d82af538358ff91206b352e ) mail.gov. 3600 IN DS ( 47968 7 2 b80452997f3e3ae21814066628f2de0f0624b5a07a176014490fee5c8de2db3f ) mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20250316213437 20250314193437 35496 gov. O81KQhoNJkRDHKaEoJOnalAl2fbIYNBR3mvAbqTSe2v9kX7twckYdUb7MTtF6aiYzcO1wxoMqfru P4lpvmZaWQ== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone mail.gov

mail.gov

	Checking DS between gov and mail.gov
	Query to a.ns.gov for mail.gov/DS
	Received 232 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 232 octets ;; HEADER SECTION ;; id = 62005 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN DS ;; ANSWER SECTION (3 records) mail.gov. 3600 IN DS ( 47754 7 2 761e706ad5f36023f172735902794f0e3c7e6b189d82af538358ff91206b352e ) mail.gov. 3600 IN DS ( 47968 7 2 b80452997f3e3ae21814066628f2de0f0624b5a07a176014490fee5c8de2db3f ) mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20250316213437 20250314193437 35496 gov. CehG7Wh/3aTeA+4zekiulDPkEWl/IZ+vbCqIvCV623V+tT5U9UWCO52EQ35TgbNWmtW2NmOIzA1p KGx/xXcm2Q== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DS records for mail.gov in the gov zone
	DS=47754/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	DS=47968/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	Found 1 RRSIGs over DS RRset
	`mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20250316213437 20250314193437 35496 gov. CehG7Wh/3aTeA+4zekiulDPkEWl/IZ+vbCqIvCV623V+tT5U9UWCO52EQ35TgbNWmtW2NmOIzA1p KGx/xXcm2Q== )`
	RRSIG=35496 and DNSKEY=35496 verifies the DS RRset
	DS=47754/SHA-256 is now in the chain-of-trust
	DS=47968/SHA-256 is now in the chain-of-trust
	`mail.gov. 3600 IN DS ( 47754 7 2 761e706ad5f36023f172735902794f0e3c7e6b189d82af538358ff91206b352e )`
	`mail.gov. 3600 IN DS ( 47968 7 2 b80452997f3e3ae21814066628f2de0f0624b5a07a176014490fee5c8de2db3f )`
	Query to dns141.usps.com for mail.gov/DNSKEY
	Received 925 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 925 octets ;; HEADER SECTION ;; id = 41518 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 4 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN DNSKEY ;; ANSWER SECTION (4 records) mail.gov. 3600 IN DNSKEY ( 256 3 7 AwEAAcOqkH+8PukSqtA5Ay/7OTGeG39MTEAo44k6S3q0b+0EBUNakXmlejZIrgUy1sAFXinDVY+S UJny0ifIsHKmglp/BYSVgQ33a4fq1C7x/bPzlqB0DvUPr+uobx6uKBelmMWH921N7rJHZdEIh3wU tDeelrAiNN/U9wyT2mQxLrBN ) ; keytag 20165 mail.gov. 3600 IN DNSKEY ( 257 3 7 AwEAAcE1aNASjw5tGaDbfXE8y7oCX/Z+tP6K3pxMZDgVzZVoLeVMLgrdYoO1Ewy+1WZFky83EWbD kNSNRl1tXnKcPdI1+CcBjq393bDS2/y5u35OzjtsGnk6RkVh8MOnR0heLSfoqZs2SQUi0tAAAW6u QOe3NfjlqinrZtpgcjbJ0oQzf3sPAaxco/j307CL364ZROPjJ/IgHxED0eN9iVsAUwKlSHrn0PJ8 5u+t5TNKuLn5AbWxvTEpbxu2ql/uAukcD/2DS01p1LwrmAQ0nMwRELi0+huFKexjAmzDy9oGT6Wh uOyZDg6o4JdHki37aV4FDsmL5bduE93apYS5oV5VqzE= ) ; keytag 47968 mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20250320013837 20250312042057 20165 mail.gov. SwlCMLL6wN2AFKQ6vQ07iAR4u2P1xq2ki/8KeGecZdI58maIvqUx1fSffedW38k+LKfXwZb5QSbo A+lQ6Fb9KSBWy8fzjShqTuABTd5vk5zjK9n57rfZYBk05nAyenmUTqX03e5Coi8zM3lVyAyTqNQd B1j3mD2fjEiqCn8RKyU= ) mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20250320013837 20250312042057 47968 mail.gov. XpnD6KIvPEzQrAhE9QEWsQu9a+gI5duB0gmxSbMu62kWboX2jYir+ihPurXVh+eHn7lSXEXsoN2T qG4S+n5e/S8zkeaB1pvCAus51pbR+wDCH+Zfw/DrFeUQXl+YUBPSPHLPUpGBDVhnO4mI+UtLBewY PNk6sma+QL5jVegD/7n+fus28WLKlKuHjYCuF7CaAiLiVupqqLo3Z73qGVSlsvXUgNrYFuiG9MKR kZHpDvkVev5v21SAdQMHGxgjqWSMJpYde8Qu/tPqVHGvpQjMZrbBG2dRDR6h59sco0Kn7O7I+kjr M8Rxp+PtkUHoXE6qLb4rH9evCotKBKSuRunhag== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for mail.gov
	`mail.gov. 3600 IN DNSKEY ( 256 3 7 AwEAAcOqkH+8PukSqtA5Ay/7OTGeG39MTEAo44k6S3q0b+0EBUNakXmlejZIrgUy1sAFXinDVY+S UJny0ifIsHKmglp/BYSVgQ33a4fq1C7x/bPzlqB0DvUPr+uobx6uKBelmMWH921N7rJHZdEIh3wU tDeelrAiNN/U9wyT2mQxLrBN ) ; keytag 20165`
	`mail.gov. 3600 IN DNSKEY ( 257 3 7 AwEAAcE1aNASjw5tGaDbfXE8y7oCX/Z+tP6K3pxMZDgVzZVoLeVMLgrdYoO1Ewy+1WZFky83EWbD kNSNRl1tXnKcPdI1+CcBjq393bDS2/y5u35OzjtsGnk6RkVh8MOnR0heLSfoqZs2SQUi0tAAAW6u QOe3NfjlqinrZtpgcjbJ0oQzf3sPAaxco/j307CL364ZROPjJ/IgHxED0eN9iVsAUwKlSHrn0PJ8 5u+t5TNKuLn5AbWxvTEpbxu2ql/uAukcD/2DS01p1LwrmAQ0nMwRELi0+huFKexjAmzDy9oGT6Wh uOyZDg6o4JdHki37aV4FDsmL5bduE93apYS5oV5VqzE= ) ; keytag 47968`
	DNSKEY=47968/SEP is now in the chain-of-trust
	DS=47968/SHA-256 verifies DNSKEY=47968/SEP
	DS=47754/SHA-256 is published, but a corresponding DNSKEY is not
	Found 2 RRSIGs over DNSKEY RRset
	`mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20250320013837 20250312042057 20165 mail.gov. SwlCMLL6wN2AFKQ6vQ07iAR4u2P1xq2ki/8KeGecZdI58maIvqUx1fSffedW38k+LKfXwZb5QSbo A+lQ6Fb9KSBWy8fzjShqTuABTd5vk5zjK9n57rfZYBk05nAyenmUTqX03e5Coi8zM3lVyAyTqNQd B1j3mD2fjEiqCn8RKyU= )`
	`mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20250320013837 20250312042057 47968 mail.gov. XpnD6KIvPEzQrAhE9QEWsQu9a+gI5duB0gmxSbMu62kWboX2jYir+ihPurXVh+eHn7lSXEXsoN2T qG4S+n5e/S8zkeaB1pvCAus51pbR+wDCH+Zfw/DrFeUQXl+YUBPSPHLPUpGBDVhnO4mI+UtLBewY PNk6sma+QL5jVegD/7n+fus28WLKlKuHjYCuF7CaAiLiVupqqLo3Z73qGVSlsvXUgNrYFuiG9MKR kZHpDvkVev5v21SAdQMHGxgjqWSMJpYde8Qu/tPqVHGvpQjMZrbBG2dRDR6h59sco0Kn7O7I+kjr M8Rxp+PtkUHoXE6qLb4rH9evCotKBKSuRunhag== )`
	RRSIG=20165 and DNSKEY=20165 verifies the DNSKEY RRset
	RRSIG=47968 and DNSKEY=47968/SEP verifies the DNSKEY RRset
	DNSKEY=20165 is now in the chain-of-trust
	Query to dns082.usps.com for mail.gov/A
	Received 530 bytes from 56.0.82.25
	;; Response received from [56.0.82.25] 530 octets ;; HEADER SECTION ;; id = 22329 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 760490459 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20250322052057 20250312042057 20165 mail.gov. UH9dI3/7dmkc7tbHn5b+1uRZnnGW8XwfbqQGEKv5Ocsh0G2VwGkU+5AZWfNAB+bZxsMsjkfyS6UD JXbRb9PsPt7lo3/tOGtVOZbXh3JGN/YM2x4dN8I8gcM+hjQ4NpsR8+97gvZ0sXtFMyKEeSBSrYU3 aYpWCUxlHRryJMz2sfg= ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN NSEC3 ( 1 0 10 - a58chuknv01fo4d3cq2jl2kke2qv8a0l NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20250318125222 20250312042057 20165 mail.gov. W6BeAgZ05FyMaxui4O74J6jVcvJGeTyWR0UjmqNd3tQc7P/ReYqRALc4O+dQoiwLGdxN/HYclef5 JhuTqqalKOIlh79T8u/WpHpAX/xbwaB6fBCnaQlKcPmfiEeKWzsx4x5KuC3+Aj5CtiVW07JW13En b8TsTfu/R9urHOixvsQ= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	dns082.usps.com is authoritative for mail.gov
	Found RRSIG signed by mail.gov zone
	Query to dns141.usps.com for mail.gov/SOA
	Received 485 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 485 octets ;; HEADER SECTION ;; id = 44913 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN SOA ;; ANSWER SECTION (2 records) mail.gov. 3600 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 760490459 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 3600 IN RRSIG ( SOA 7 2 3600 20250322052057 20250312042057 20165 mail.gov. UH9dI3/7dmkc7tbHn5b+1uRZnnGW8XwfbqQGEKv5Ocsh0G2VwGkU+5AZWfNAB+bZxsMsjkfyS6UD JXbRb9PsPt7lo3/tOGtVOZbXh3JGN/YM2x4dN8I8gcM+hjQ4NpsR8+97gvZ0sXtFMyKEeSBSrYU3 aYpWCUxlHRryJMz2sfg= ) ;; AUTHORITY SECTION (3 records) mail.gov. 3600 IN NS dns082.usps.com. mail.gov. 3600 IN NS dns141.usps.com. mail.gov. 3600 IN RRSIG ( NS 7 2 3600 20250319052056 20250309051556 20165 mail.gov. TNU0ZuGh0go7qoRvi4wAm2xg0UfqPCxKJnR/2tOFzsJVebKxIgeiG9ytHSmDChsBxGhf3FBxxy9f zZt0a+QymSs2+YijO11tLASgsAbhP3tvbIlAwjOOelzVr/LjxZIMz4dgn0sHlX6xeROk9Y6PLys/ 2jMLatHzmCGfuRQ9Olo= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to dns082.usps.com for mail.gov/A
	Received 530 bytes from 56.0.82.25
	;; Response received from [56.0.82.25] 530 octets ;; HEADER SECTION ;; id = 4437 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 760490459 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20250322052057 20250312042057 20165 mail.gov. UH9dI3/7dmkc7tbHn5b+1uRZnnGW8XwfbqQGEKv5Ocsh0G2VwGkU+5AZWfNAB+bZxsMsjkfyS6UD JXbRb9PsPt7lo3/tOGtVOZbXh3JGN/YM2x4dN8I8gcM+hjQ4NpsR8+97gvZ0sXtFMyKEeSBSrYU3 aYpWCUxlHRryJMz2sfg= ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN NSEC3 ( 1 0 10 - a58chuknv01fo4d3cq2jl2kke2qv8a0l NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20250318125222 20250312042057 20165 mail.gov. W6BeAgZ05FyMaxui4O74J6jVcvJGeTyWR0UjmqNd3tQc7P/ReYqRALc4O+dQoiwLGdxN/HYclef5 JhuTqqalKOIlh79T8u/WpHpAX/xbwaB6fBCnaQlKcPmfiEeKWzsx4x5KuC3+Aj5CtiVW07JW13En b8TsTfu/R9urHOixvsQ= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	NSEC3 validation not implemented yet
	Found 1 RRSIGs over SOA RRset
	`mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20250322052057 20250312042057 20165 mail.gov. UH9dI3/7dmkc7tbHn5b+1uRZnnGW8XwfbqQGEKv5Ocsh0G2VwGkU+5AZWfNAB+bZxsMsjkfyS6UD JXbRb9PsPt7lo3/tOGtVOZbXh3JGN/YM2x4dN8I8gcM+hjQ4NpsR8+97gvZ0sXtFMyKEeSBSrYU3 aYpWCUxlHRryJMz2sfg= )`
	RRSIG=20165 and DNSKEY=20165 verifies the SOA RRset

mail.gov

	Query to dns141.usps.com for mail.gov/A
	Received 530 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 530 octets ;; HEADER SECTION ;; id = 39030 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 760490459 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20250322052057 20250312042057 20165 mail.gov. UH9dI3/7dmkc7tbHn5b+1uRZnnGW8XwfbqQGEKv5Ocsh0G2VwGkU+5AZWfNAB+bZxsMsjkfyS6UD JXbRb9PsPt7lo3/tOGtVOZbXh3JGN/YM2x4dN8I8gcM+hjQ4NpsR8+97gvZ0sXtFMyKEeSBSrYU3 aYpWCUxlHRryJMz2sfg= ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN NSEC3 ( 1 0 10 - a58chuknv01fo4d3cq2jl2kke2qv8a0l NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20250318125222 20250312042057 20165 mail.gov. W6BeAgZ05FyMaxui4O74J6jVcvJGeTyWR0UjmqNd3tQc7P/ReYqRALc4O+dQoiwLGdxN/HYclef5 JhuTqqalKOIlh79T8u/WpHpAX/xbwaB6fBCnaQlKcPmfiEeKWzsx4x5KuC3+Aj5CtiVW07JW13En b8TsTfu/R9urHOixvsQ= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	dns141.usps.com is authoritative for mail.gov
	Found RRSIG signed by mail.gov zone
	Query to dns141.usps.com for mail.gov/A
	Received 530 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 530 octets ;; HEADER SECTION ;; id = 11524 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 760490459 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20250322052057 20250312042057 20165 mail.gov. UH9dI3/7dmkc7tbHn5b+1uRZnnGW8XwfbqQGEKv5Ocsh0G2VwGkU+5AZWfNAB+bZxsMsjkfyS6UD JXbRb9PsPt7lo3/tOGtVOZbXh3JGN/YM2x4dN8I8gcM+hjQ4NpsR8+97gvZ0sXtFMyKEeSBSrYU3 aYpWCUxlHRryJMz2sfg= ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN NSEC3 ( 1 0 10 - a58chuknv01fo4d3cq2jl2kke2qv8a0l NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20250318125222 20250312042057 20165 mail.gov. W6BeAgZ05FyMaxui4O74J6jVcvJGeTyWR0UjmqNd3tQc7P/ReYqRALc4O+dQoiwLGdxN/HYclef5 JhuTqqalKOIlh79T8u/WpHpAX/xbwaB6fBCnaQlKcPmfiEeKWzsx4x5KuC3+Aj5CtiVW07JW13En b8TsTfu/R9urHOixvsQ= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	NSEC3 validation not implemented yet
	Found 1 RRSIGs over SOA RRset
	`mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20250322052057 20250312042057 20165 mail.gov. UH9dI3/7dmkc7tbHn5b+1uRZnnGW8XwfbqQGEKv5Ocsh0G2VwGkU+5AZWfNAB+bZxsMsjkfyS6UD JXbRb9PsPt7lo3/tOGtVOZbXh3JGN/YM2x4dN8I8gcM+hjQ4NpsR8+97gvZ0sXtFMyKEeSBSrYU3 aYpWCUxlHRryJMz2sfg= )`
	RRSIG=20165 and DNSKEY=20165 verifies the SOA RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test mail.gov at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: