DNSSEC Debugger - mail.gov

Domain Name:

Time: 2024-10-22 15:42:29 UTC

Analyzing DNSSEC problems for mail.gov

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to k.root-servers.net for ./DNSKEY
	Received 864 bytes from 193.0.14.129
	;; Response received from [193.0.14.129] 864 octets ;; HEADER SECTION ;; id = 57453 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 3 nscount = 0 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (3 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAc0SunbHdS0KFEyZbYII/+tzsrNzIwurKxmJA+0fhAYlTPA/5LrMGkGEqvvufzM0w/CaVtdm 5eWkZYQcsoSKT5bycx0C4jxnLEb3ZiZUQSqu1rWcKGF1fj/GyDWLkOu7a5h3el+gPmglj/4l4V31 ugNYfqYq84vCB+3D6Sodrd+85KyonnzWJ8cS7aZ57x0d0sGqsAKA+6tRnIXjVNVe7Ro5xJuz8IR7 rOxdzfuRLriN+Z00EL3U5E7s9SISU/hDh7Q7N70W1mLMc1o2+tCRGjEWrw4wmCWMzc1kegbLES/d UOWFvPjJz0+AEeWDhd2GqtXk02BzAhdfeIAEIv68FTs= ) ; Key ID = 61050 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; Key ID = 20326 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20241111000000 20241021000000 20326 . alCFgDZS+0l5zcpQ/7R+5OFeCrk9KGkNP2F9ynXIXG6QigPj/9qjm0xxItRJUUim+SrJywAmLKe+ 48oTUeSRyDKVVg3LGDekLKcIVz0EBqTL2y44usDlUlxqx5O0LQVHy4h/hm9+dCXFiSBWoV0LcApl V9OYWhxi+CxmxZU58vK6eVAde8E2JHdeDuy23WF5lxYEg1q7ehEt5EdRvZ7hZzfawEFR3Qv3WMoo tO2eBAAneIe94daJP/i1iwQJ4p+bGVCZ4sJk+Pk9J7lwEQq6GhkdSpLsRxArUhvoVgtnh0LkAV7T sajYk8K2JRt7wHNDbBV6+Vdq2bh7ZPGvLiGkIQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAc0SunbHdS0KFEyZbYII/+tzsrNzIwurKxmJA+0fhAYlTPA/5LrMGkGEqvvufzM0w/CaVtdm 5eWkZYQcsoSKT5bycx0C4jxnLEb3ZiZUQSqu1rWcKGF1fj/GyDWLkOu7a5h3el+gPmglj/4l4V31 ugNYfqYq84vCB+3D6Sodrd+85KyonnzWJ8cS7aZ57x0d0sGqsAKA+6tRnIXjVNVe7Ro5xJuz8IR7 rOxdzfuRLriN+Z00EL3U5E7s9SISU/hDh7Q7N70W1mLMc1o2+tCRGjEWrw4wmCWMzc1kegbLES/d UOWFvPjJz0+AEeWDhd2GqtXk02BzAhdfeIAEIv68FTs= ) ; Key ID = 61050`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; Key ID = 20326`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20241111000000 20241021000000 20326 . alCFgDZS+0l5zcpQ/7R+5OFeCrk9KGkNP2F9ynXIXG6QigPj/9qjm0xxItRJUUim+SrJywAmLKe+ 48oTUeSRyDKVVg3LGDekLKcIVz0EBqTL2y44usDlUlxqx5O0LQVHy4h/hm9+dCXFiSBWoV0LcApl V9OYWhxi+CxmxZU58vK6eVAde8E2JHdeDuy23WF5lxYEg1q7ehEt5EdRvZ7hZzfawEFR3Qv3WMoo tO2eBAAneIe94daJP/i1iwQJ4p+bGVCZ4sJk+Pk9J7lwEQq6GhkdSpLsRxArUhvoVgtnh0LkAV7T sajYk8K2JRt7wHNDbBV6+Vdq2bh7ZPGvLiGkIQ== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=61050 is now in the chain-of-trust
	Query to a.root-servers.net for mail.gov/A
	Received 615 bytes from 198.41.0.4
	;; Response received from [198.41.0.4] 615 octets ;; HEADER SECTION ;; id = 29077 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 0 nscount = 6 arcount = 9 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20241104050000 20241022040000 61050 . QDXVOwEnASUAI40BGDttxq7qGhvCMEac486WIGSve98vzbXX+DtkWnd7z8LaETy7VbTIPy1KOj5A BPnEWAck4dyal0iO3FGHMxTjlkOGHkjZ/EwUux+CeESCvZJ9VjcktKR7o7yg/sC6bf6HcJ2EgnA+ Ck0Yh6B5e7GX8R0YJG95CgxCX/MQtOxgOJUekfUTz7Yi+HlYhCoLolP+DQWkPnzCZabd8FoOexHX Fsme/6iHMa3inPLa3R7hXiygsW0/QHY8CsJbqkZX3TFiHIKi+mr3hx/h/gbROLcqge7E0vtKsKdu vqeO1X7dSFlbxuuoRZUvPi+7/uMv1+kVge+YXw== ) ;; ADDITIONAL SECTION (9 records) c.ns.gov. 172800 IN A 199.33.232.1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 a.ns.gov. 172800 IN A 199.33.230.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 d.ns.gov. 172800 IN A 199.33.233.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 b.ns.gov. 172800 IN A 199.33.231.1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 ;; { "EDNS-VERSION": 0 }
	Query to a.root-servers.net for gov/DNSKEY
	Received 610 bytes from 198.41.0.4
	;; Response received from [198.41.0.4] 610 octets ;; HEADER SECTION ;; id = 41670 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 0 nscount = 6 arcount = 9 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20241104050000 20241022040000 61050 . QDXVOwEnASUAI40BGDttxq7qGhvCMEac486WIGSve98vzbXX+DtkWnd7z8LaETy7VbTIPy1KOj5A BPnEWAck4dyal0iO3FGHMxTjlkOGHkjZ/EwUux+CeESCvZJ9VjcktKR7o7yg/sC6bf6HcJ2EgnA+ Ck0Yh6B5e7GX8R0YJG95CgxCX/MQtOxgOJUekfUTz7Yi+HlYhCoLolP+DQWkPnzCZabd8FoOexHX Fsme/6iHMa3inPLa3R7hXiygsW0/QHY8CsJbqkZX3TFiHIKi+mr3hx/h/gbROLcqge7E0vtKsKdu vqeO1X7dSFlbxuuoRZUvPi+7/uMv1+kVge+YXw== ) ;; ADDITIONAL SECTION (9 records) c.ns.gov. 172800 IN A 199.33.232.1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 a.ns.gov. 172800 IN A 199.33.230.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 d.ns.gov. 172800 IN A 199.33.233.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 b.ns.gov. 172800 IN A 199.33.231.1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 ;; { "EDNS-VERSION": 0 }
	Found child zone gov

gov

	Checking DS between . and gov
	Query to j.root-servers.net for gov/DS
	Received 367 bytes from 192.58.128.30
	;; Response received from [192.58.128.30] 367 octets ;; HEADER SECTION ;; id = 3915 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 2 nscount = 0 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1472, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DS ;; ANSWER SECTION (2 records) gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20241104050000 20241022040000 61050 . QDXVOwEnASUAI40BGDttxq7qGhvCMEac486WIGSve98vzbXX+DtkWnd7z8LaETy7VbTIPy1KOj5A BPnEWAck4dyal0iO3FGHMxTjlkOGHkjZ/EwUux+CeESCvZJ9VjcktKR7o7yg/sC6bf6HcJ2EgnA+ Ck0Yh6B5e7GX8R0YJG95CgxCX/MQtOxgOJUekfUTz7Yi+HlYhCoLolP+DQWkPnzCZabd8FoOexHX Fsme/6iHMa3inPLa3R7hXiygsW0/QHY8CsJbqkZX3TFiHIKi+mr3hx/h/gbROLcqge7E0vtKsKdu vqeO1X7dSFlbxuuoRZUvPi+7/uMv1+kVge+YXw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for gov in the . zone
	DS=2536/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`gov. 86400 IN RRSIG ( DS 8 1 86400 20241104050000 20241022040000 61050 . QDXVOwEnASUAI40BGDttxq7qGhvCMEac486WIGSve98vzbXX+DtkWnd7z8LaETy7VbTIPy1KOj5A BPnEWAck4dyal0iO3FGHMxTjlkOGHkjZ/EwUux+CeESCvZJ9VjcktKR7o7yg/sC6bf6HcJ2EgnA+ Ck0Yh6B5e7GX8R0YJG95CgxCX/MQtOxgOJUekfUTz7Yi+HlYhCoLolP+DQWkPnzCZabd8FoOexHX Fsme/6iHMa3inPLa3R7hXiygsW0/QHY8CsJbqkZX3TFiHIKi+mr3hx/h/gbROLcqge7E0vtKsKdu vqeO1X7dSFlbxuuoRZUvPi+7/uMv1+kVge+YXw== )`
	RRSIG=61050 and DNSKEY=61050 verifies the DS RRset
	DS=2536/SHA-256 is now in the chain-of-trust
	`gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 )`
	Query to b.ns.gov for gov/DNSKEY
	Received 291 bytes from 199.33.231.1
	;; Response received from [199.33.231.1] 291 octets ;; HEADER SECTION ;; id = 38825 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 3 nscount = 0 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (3 records) gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; Key ID = 2536 gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; Key ID = 35496 gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20241130110534 20240930110534 2536 gov. h+Iyb0tqmydmCz6R4wG6Ldr2zopf1WBr/SM7MutctneoFWjCjO/k0ErdVLVoXEXenkMNv5My6iIv oCnmSrJeOQ== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for gov
	`gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; Key ID = 2536`
	`gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; Key ID = 35496`
	DNSKEY=2536/SEP is now in the chain-of-trust
	DS=2536/SHA-256 verifies DNSKEY=2536/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20241130110534 20240930110534 2536 gov. h+Iyb0tqmydmCz6R4wG6Ldr2zopf1WBr/SM7MutctneoFWjCjO/k0ErdVLVoXEXenkMNv5My6iIv oCnmSrJeOQ== )`
	RRSIG=2536 and DNSKEY=2536/SEP verifies the DNSKEY RRset
	DNSKEY=35496 is now in the chain-of-trust
	Query to c.ns.gov for mail.gov/A
	Received 282 bytes from 199.33.232.1
	;; Response received from [199.33.232.1] 282 octets ;; HEADER SECTION ;; id = 43597 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 0 nscount = 5 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) mail.gov. 10800 IN NS dns082.usps.com. mail.gov. 10800 IN NS dns141.usps.com. mail.gov. 3600 IN DS ( 23373 7 2 a4387cc28f342dcba0c8ade8769c610b1d7c973f611755b3c40c30a3afa30409 ) mail.gov. 3600 IN DS ( 47754 7 2 761e706ad5f36023f172735902794f0e3c7e6b189d82af538358ff91206b352e ) mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20241023164230 20241021144230 35496 gov. dZtukfS20jsNCHo6mYRaBzmaL5xqSk1SoxVzTXCzKltrzWBpYsdRhvBr9GhV9PufH28F8fMe6Wpi NBXCOG91DQ== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to a.ns.gov for mail.gov/DNSKEY
	Received 282 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 282 octets ;; HEADER SECTION ;; id = 16292 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 0 nscount = 5 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) mail.gov. 10800 IN NS dns082.usps.com. mail.gov. 10800 IN NS dns141.usps.com. mail.gov. 3600 IN DS ( 23373 7 2 a4387cc28f342dcba0c8ade8769c610b1d7c973f611755b3c40c30a3afa30409 ) mail.gov. 3600 IN DS ( 47754 7 2 761e706ad5f36023f172735902794f0e3c7e6b189d82af538358ff91206b352e ) mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20241023164230 20241021144230 35496 gov. QSMXi8BFgLIwg7jml2QoDkxbeE9s9JW5AgUmDTPikO37baE6WLO3E7i0gyuuEHSclhS4VL6zKioW BtxrqrnXFg== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone mail.gov

mail.gov

	Checking DS between gov and mail.gov
	Query to a.ns.gov for mail.gov/DS
	Received 232 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 232 octets ;; HEADER SECTION ;; id = 6650 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 3 nscount = 0 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN DS ;; ANSWER SECTION (3 records) mail.gov. 3600 IN DS ( 23373 7 2 a4387cc28f342dcba0c8ade8769c610b1d7c973f611755b3c40c30a3afa30409 ) mail.gov. 3600 IN DS ( 47754 7 2 761e706ad5f36023f172735902794f0e3c7e6b189d82af538358ff91206b352e ) mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20241023164230 20241021144230 35496 gov. 9Zz4g47UaLp0GvLiDYph0bbhl6vuFchPhAdHjujv1ezUWOKQF2yJX6zm44bzF7S+RmJElw77rTgi aZWKC+rBCg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DS records for mail.gov in the gov zone
	DS=23373/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	DS=47754/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	Found 1 RRSIGs over DS RRset
	`mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20241023164230 20241021144230 35496 gov. 9Zz4g47UaLp0GvLiDYph0bbhl6vuFchPhAdHjujv1ezUWOKQF2yJX6zm44bzF7S+RmJElw77rTgi aZWKC+rBCg== )`
	RRSIG=35496 and DNSKEY=35496 verifies the DS RRset
	DS=23373/SHA-256 is now in the chain-of-trust
	DS=47754/SHA-256 is now in the chain-of-trust
	`mail.gov. 3600 IN DS ( 23373 7 2 a4387cc28f342dcba0c8ade8769c610b1d7c973f611755b3c40c30a3afa30409 )`
	`mail.gov. 3600 IN DS ( 47754 7 2 761e706ad5f36023f172735902794f0e3c7e6b189d82af538358ff91206b352e )`
	Query to dns141.usps.com for mail.gov/DNSKEY
	Received 1073 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 1073 octets ;; HEADER SECTION ;; id = 16945 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 5 nscount = 0 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN DNSKEY ;; ANSWER SECTION (5 records) mail.gov. 3600 IN DNSKEY ( 256 3 7 AwEAAc8bbf/aAeK6mS4c7k4EDYaU3xygOvjJnjqPXqqYp+qS5n3oVPN4WMvaJrgdvcZXQYMDgMSd HbBvloCKJcTJFtD2RXWeq+L77gsdrmPr8YKodz2KsGzZcS/OZVoRiiHM4rZk0bIvlvMy8gTPXYlI SYx2vp69HWj6yLeo5VPVyZFn ) ; Key ID = 323 mail.gov. 3600 IN DNSKEY ( 256 3 7 AwEAAYzat89RJGcWf41U/cJ4jYdoWIKimjRc8Sm9dm8SoYgGyek2V4BHFFGFFG5PI/pMb0GgqKqC 1hPzQWGuSPi0akNS9lhgpSIvvbsVoDaRrbYGP11lbyO2oBeUh0NyGbSnWjBlWcgIhz8FuTFVuEs3 DntToqIq3+cCoEp29MgiukVF ) ; Key ID = 61583 mail.gov. 3600 IN DNSKEY ( 257 3 7 AwEAAdRPnI1ujqikXz66nFrpzylE0E78LthWE2kWFICzYYbv2f0qpB1nC39VXCbApiWawhy1N1jE 4iWcPbjPM349I/cpzOMt6MWxumJVeDpx0zFhKOyow3JWp6CrKhn3EvG8xNopxZ+iwoaVH6aufhxE 0h4lRDXwM+kFdBTCcorRq7hV1+ZBVl3ING1hbBn+qgizwiC8v05ra295R7Cg62GoyDqPDevbzUwf jJD8jyAtMxTIjrQaNZCj4Y09lE9cdybfttQEN6CjcQDztvIgWXlHE89eguZsCz192hdD1esPvKk4 QPclmjcItr/+M/1iWosN2sFy305vc3eJHysqMwFCPzs= ) ; Key ID = 47754 mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20241101052104 20241022051604 323 mail.gov. ljfylEkFG7CkCgYGISE/1cW5rj5JXkBpYLGDzmGrFpaKIpU/M6zc2wxCQi+WJnaz4hd5yMtRs2rA /B+xpWUmbuq90C2cuQ/xcGCm+67neEZMHBnnuh6WFpELARsu7dbVlTHTGp+i31z4l1WX0IkUJnf5 q5WK+QsAf1/1kdk9mv4= ) mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20241101052104 20241022051604 47754 mail.gov. ltLMaL4GYmUt2SS1zclPIlAHllShouSeQsZ32jYmF51LOAdpHjQ7DRVvPC1ExgM/+c63rTupqlVm hPpoXPv77/8yoK0OsG3lec6mC6dhMu8Nq764MjrCDKvGkx9HBL6pkT6O+zp95eT2Owyef32kLUzc CiPkypOq/ZVuDjnUhV5NB2F7UGrVHU/Sm4Mu7H+PlwBN2XniUOXZLNW21TxVdoDPJDF3M2hguFrQ wxXDSO4ZrH6v5Ivb6CWcW8tm/mmsjqnDzrHgoDHX1Ko9TWP1QikaNyFxQa+9SBHv25K1FzgrY3Be 4N+4ZavZM2u4DrkW2+BaGolTinsbXDhQeGneCg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 3 DNSKEY records for mail.gov
	`mail.gov. 3600 IN DNSKEY ( 256 3 7 AwEAAc8bbf/aAeK6mS4c7k4EDYaU3xygOvjJnjqPXqqYp+qS5n3oVPN4WMvaJrgdvcZXQYMDgMSd HbBvloCKJcTJFtD2RXWeq+L77gsdrmPr8YKodz2KsGzZcS/OZVoRiiHM4rZk0bIvlvMy8gTPXYlI SYx2vp69HWj6yLeo5VPVyZFn ) ; Key ID = 323`
	`mail.gov. 3600 IN DNSKEY ( 256 3 7 AwEAAYzat89RJGcWf41U/cJ4jYdoWIKimjRc8Sm9dm8SoYgGyek2V4BHFFGFFG5PI/pMb0GgqKqC 1hPzQWGuSPi0akNS9lhgpSIvvbsVoDaRrbYGP11lbyO2oBeUh0NyGbSnWjBlWcgIhz8FuTFVuEs3 DntToqIq3+cCoEp29MgiukVF ) ; Key ID = 61583`
	`mail.gov. 3600 IN DNSKEY ( 257 3 7 AwEAAdRPnI1ujqikXz66nFrpzylE0E78LthWE2kWFICzYYbv2f0qpB1nC39VXCbApiWawhy1N1jE 4iWcPbjPM349I/cpzOMt6MWxumJVeDpx0zFhKOyow3JWp6CrKhn3EvG8xNopxZ+iwoaVH6aufhxE 0h4lRDXwM+kFdBTCcorRq7hV1+ZBVl3ING1hbBn+qgizwiC8v05ra295R7Cg62GoyDqPDevbzUwf jJD8jyAtMxTIjrQaNZCj4Y09lE9cdybfttQEN6CjcQDztvIgWXlHE89eguZsCz192hdD1esPvKk4 QPclmjcItr/+M/1iWosN2sFy305vc3eJHysqMwFCPzs= ) ; Key ID = 47754`
	DNSKEY=47754/SEP is now in the chain-of-trust
	DS=47754/SHA-256 verifies DNSKEY=47754/SEP
	DS=23373/SHA-256 is published, but a corresponding DNSKEY is not
	Found 2 RRSIGs over DNSKEY RRset
	`mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20241101052104 20241022051604 323 mail.gov. ljfylEkFG7CkCgYGISE/1cW5rj5JXkBpYLGDzmGrFpaKIpU/M6zc2wxCQi+WJnaz4hd5yMtRs2rA /B+xpWUmbuq90C2cuQ/xcGCm+67neEZMHBnnuh6WFpELARsu7dbVlTHTGp+i31z4l1WX0IkUJnf5 q5WK+QsAf1/1kdk9mv4= )`
	`mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20241101052104 20241022051604 47754 mail.gov. ltLMaL4GYmUt2SS1zclPIlAHllShouSeQsZ32jYmF51LOAdpHjQ7DRVvPC1ExgM/+c63rTupqlVm hPpoXPv77/8yoK0OsG3lec6mC6dhMu8Nq764MjrCDKvGkx9HBL6pkT6O+zp95eT2Owyef32kLUzc CiPkypOq/ZVuDjnUhV5NB2F7UGrVHU/Sm4Mu7H+PlwBN2XniUOXZLNW21TxVdoDPJDF3M2hguFrQ wxXDSO4ZrH6v5Ivb6CWcW8tm/mmsjqnDzrHgoDHX1Ko9TWP1QikaNyFxQa+9SBHv25K1FzgrY3Be 4N+4ZavZM2u4DrkW2+BaGolTinsbXDhQeGneCg== )`
	RRSIG=323 and DNSKEY=323 verifies the DNSKEY RRset
	RRSIG=47754 and DNSKEY=47754/SEP verifies the DNSKEY RRset
	DNSKEY=323 is now in the chain-of-trust
	DNSKEY=61583 is now in the chain-of-trust
	Query to dns082.usps.com for mail.gov/A
	Received 530 bytes from 56.0.82.25
	;; Response received from [56.0.82.25] 530 octets ;; HEADER SECTION ;; id = 61993 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 0 nscount = 4 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 748567265 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20241101052104 20241022051604 323 mail.gov. uxMo7WGX1cZh+B27bKhFQKxM0s4xMPNlvj+DFIDb8OdexH18Cv6iQaPmAyqco0YP5TjYX4jxvpeN 8iqq3QPnepY1SkvBbXhvjiWy45jnQqMcgVXLRc/KLe01zjCwG4XFz0XhVc2p8gV5Xp9IX2dvfjtj GiDdeHr4vCe3mDM3eC8= ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN NSEC3 ( 1 0 10 - a58chuknv01fo4d3cq2jl2kke2qv8a0l NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20241101052104 20241022051604 323 mail.gov. SLmG60eQzjzVrV3Gnsq8hS56v02jYnES9f8/gdc161wKs0d1A/vX6ZJZ6c4pGsWUb199OdFfubUt 81v2oMnidaKScK3e8ao4/jDhso7LG+LVNCPRDYZifnRmdtCx3uhkk03/dAf7Q+dqMtUZ251yKgHV JzVAhKbtHg8q7EFk0qY= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	dns082.usps.com is authoritative for mail.gov
	Found RRSIG signed by mail.gov zone
	Query to dns141.usps.com for mail.gov/SOA
	Received 485 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 485 octets ;; HEADER SECTION ;; id = 38369 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 2 nscount = 3 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN SOA ;; ANSWER SECTION (2 records) mail.gov. 3600 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 748567265 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 3600 IN RRSIG ( SOA 7 2 3600 20241101052104 20241022051604 323 mail.gov. uxMo7WGX1cZh+B27bKhFQKxM0s4xMPNlvj+DFIDb8OdexH18Cv6iQaPmAyqco0YP5TjYX4jxvpeN 8iqq3QPnepY1SkvBbXhvjiWy45jnQqMcgVXLRc/KLe01zjCwG4XFz0XhVc2p8gV5Xp9IX2dvfjtj GiDdeHr4vCe3mDM3eC8= ) ;; AUTHORITY SECTION (3 records) mail.gov. 3600 IN NS dns141.usps.com. mail.gov. 3600 IN NS dns082.usps.com. mail.gov. 3600 IN RRSIG ( NS 7 2 3600 20241101052104 20241022051604 323 mail.gov. HsRyRdqTpm2300DkH9dS3MQNMfD0ENF6wJ1BPw2M8Q+whbHopchX6r/bnVg3E1MjWkmXFiN1FZKB RgNHe5V1sN4NbV8Zaf3J1N+mBpwYsv9r4Cj3Nqf1kK+qib+S8OzYtjSY26DcV3tNEl+3ilEc8jqY x0U0J1epNVQVhc96AFE= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to dns082.usps.com for mail.gov/A
	Received 530 bytes from 56.0.82.25
	;; Response received from [56.0.82.25] 530 octets ;; HEADER SECTION ;; id = 15625 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 0 nscount = 4 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 748567265 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20241101052104 20241022051604 323 mail.gov. uxMo7WGX1cZh+B27bKhFQKxM0s4xMPNlvj+DFIDb8OdexH18Cv6iQaPmAyqco0YP5TjYX4jxvpeN 8iqq3QPnepY1SkvBbXhvjiWy45jnQqMcgVXLRc/KLe01zjCwG4XFz0XhVc2p8gV5Xp9IX2dvfjtj GiDdeHr4vCe3mDM3eC8= ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN NSEC3 ( 1 0 10 - a58chuknv01fo4d3cq2jl2kke2qv8a0l NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20241101052104 20241022051604 323 mail.gov. SLmG60eQzjzVrV3Gnsq8hS56v02jYnES9f8/gdc161wKs0d1A/vX6ZJZ6c4pGsWUb199OdFfubUt 81v2oMnidaKScK3e8ao4/jDhso7LG+LVNCPRDYZifnRmdtCx3uhkk03/dAf7Q+dqMtUZ251yKgHV JzVAhKbtHg8q7EFk0qY= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	NSEC3 validation not implemented yet
	Found 1 RRSIGs over SOA RRset
	`mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20241101052104 20241022051604 323 mail.gov. uxMo7WGX1cZh+B27bKhFQKxM0s4xMPNlvj+DFIDb8OdexH18Cv6iQaPmAyqco0YP5TjYX4jxvpeN 8iqq3QPnepY1SkvBbXhvjiWy45jnQqMcgVXLRc/KLe01zjCwG4XFz0XhVc2p8gV5Xp9IX2dvfjtj GiDdeHr4vCe3mDM3eC8= )`
	RRSIG=323 and DNSKEY=323 verifies the SOA RRset

mail.gov

	Query to dns141.usps.com for mail.gov/A
	Received 530 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 530 octets ;; HEADER SECTION ;; id = 8510 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 0 nscount = 4 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 748567265 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20241101052104 20241022051604 323 mail.gov. uxMo7WGX1cZh+B27bKhFQKxM0s4xMPNlvj+DFIDb8OdexH18Cv6iQaPmAyqco0YP5TjYX4jxvpeN 8iqq3QPnepY1SkvBbXhvjiWy45jnQqMcgVXLRc/KLe01zjCwG4XFz0XhVc2p8gV5Xp9IX2dvfjtj GiDdeHr4vCe3mDM3eC8= ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN NSEC3 ( 1 0 10 - a58chuknv01fo4d3cq2jl2kke2qv8a0l NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20241101052104 20241022051604 323 mail.gov. SLmG60eQzjzVrV3Gnsq8hS56v02jYnES9f8/gdc161wKs0d1A/vX6ZJZ6c4pGsWUb199OdFfubUt 81v2oMnidaKScK3e8ao4/jDhso7LG+LVNCPRDYZifnRmdtCx3uhkk03/dAf7Q+dqMtUZ251yKgHV JzVAhKbtHg8q7EFk0qY= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	dns141.usps.com is authoritative for mail.gov
	Found RRSIG signed by mail.gov zone
	Query to dns141.usps.com for mail.gov/A
	Received 530 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 530 octets ;; HEADER SECTION ;; id = 22151 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; qdcount = 1 ancount = 0 nscount = 4 arcount = 1 ;; do = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 748567265 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20241101052104 20241022051604 323 mail.gov. uxMo7WGX1cZh+B27bKhFQKxM0s4xMPNlvj+DFIDb8OdexH18Cv6iQaPmAyqco0YP5TjYX4jxvpeN 8iqq3QPnepY1SkvBbXhvjiWy45jnQqMcgVXLRc/KLe01zjCwG4XFz0XhVc2p8gV5Xp9IX2dvfjtj GiDdeHr4vCe3mDM3eC8= ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN NSEC3 ( 1 0 10 - a58chuknv01fo4d3cq2jl2kke2qv8a0l NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) ONQKBDS1AC5SJHSL345H9LDNM3PRR44S.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20241101052104 20241022051604 323 mail.gov. SLmG60eQzjzVrV3Gnsq8hS56v02jYnES9f8/gdc161wKs0d1A/vX6ZJZ6c4pGsWUb199OdFfubUt 81v2oMnidaKScK3e8ao4/jDhso7LG+LVNCPRDYZifnRmdtCx3uhkk03/dAf7Q+dqMtUZ251yKgHV JzVAhKbtHg8q7EFk0qY= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	NSEC3 validation not implemented yet
	Found 1 RRSIGs over SOA RRset
	`mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20241101052104 20241022051604 323 mail.gov. uxMo7WGX1cZh+B27bKhFQKxM0s4xMPNlvj+DFIDb8OdexH18Cv6iQaPmAyqco0YP5TjYX4jxvpeN 8iqq3QPnepY1SkvBbXhvjiWy45jnQqMcgVXLRc/KLe01zjCwG4XFz0XhVc2p8gV5Xp9IX2dvfjtj GiDdeHr4vCe3mDM3eC8= )`
	RRSIG=323 and DNSKEY=323 verifies the SOA RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test mail.gov at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: