DNSSEC Debugger - mail.gov

Domain Name:

Time: 2026-02-13 07:03:23 UTC

Analyzing DNSSEC problems for mail.gov

DS=20326/SHA-256 is now in the chain-of-trust

	Checking DS between Trust Anchor and .
	`. IN DS ( 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d )`
	Query to c.root-servers.net for ./DNSKEY
	Received 1141 bytes from 192.33.4.12
	;; Response received from [192.33.4.12] 1141 octets ;; HEADER SECTION ;; id = 31641 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 4 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; . IN DNSKEY ;; ANSWER SECTION (4 records) . 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831 . 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696 . 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326 . 172800 IN RRSIG ( DNSKEY 8 0 172800 20260303000000 20260210000000 20326 . TNriFzthFM1hKzGD2meB96QrMIdTe/9ZFzMPdP3wWZAOvyfH9F9wuIhjT0V3H/0UE2cq04wvOtdG sEdmJaF7fCIj8aEE3e9Zn/woJXXXl9J3fhZQyGMq5jQLr+4KAuaNPwaMwlGHMDgZuwVJx1KpsAii b+GldJsCAVqM9hW9FpPwtuiN3c8xKT+A8DlAImzKTAUyQEyfSa9UlQzRwPeWcs2HQA/5GL0eosEW pwfdCHfpMw7JPFIMhUEsRftyZuxDgrPQs/geHoSXMeI+bgIRirnRkOLVDaNSiAKt1VtWeDrVeOBc IEzocdRicpX7VmwFHiHM1BblamwYCsX/nfexFg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 3 DNSKEY records for .
	`. 172800 IN DNSKEY ( 256 3 8 AwEAAbNTVC2+pry4pc37pZI9Oj6b8FHxT3VGrvSPKLE1Tjyfe2kUZUtVX5xrv6AV4BVO+ygrYjGZ MNgEnbLU4zknnlnhI2e0g6iTza1aZh0dRZXGH16C1NUNq1CxBkUhIYQhQDeIOtLacx+RmFTc+hSH JJ2MJ79IS00kA7eKi6mofQ7SPJmdJVjI+JAx791y0f5QaB+iHGANU53FwiYXNUQjfAzCrtOaSevG sx8SO8BTaXLAjFq5eewOtwScVwfVDhEXlvpE6e+mIncwhNKaMRD9IPuHENqCNPI5MjxfAMVS6cEY 8eEozIkv/vHc+0Auu3n+Fcx6F2Js4KPXaHEShAXugfU= ) ; keytag 21831`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF 2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdp WWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwu MoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBev YtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ) ; keytag 38696`
	`. 172800 IN DNSKEY ( 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlE xOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgC mr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+ SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnX GXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ) ; keytag 20326`
	DNSKEY=20326/SEP is now in the chain-of-trust
	DS=20326/SHA-256 verifies DNSKEY=20326/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`. 172800 IN RRSIG ( DNSKEY 8 0 172800 20260303000000 20260210000000 20326 . TNriFzthFM1hKzGD2meB96QrMIdTe/9ZFzMPdP3wWZAOvyfH9F9wuIhjT0V3H/0UE2cq04wvOtdG sEdmJaF7fCIj8aEE3e9Zn/woJXXXl9J3fhZQyGMq5jQLr+4KAuaNPwaMwlGHMDgZuwVJx1KpsAii b+GldJsCAVqM9hW9FpPwtuiN3c8xKT+A8DlAImzKTAUyQEyfSa9UlQzRwPeWcs2HQA/5GL0eosEW pwfdCHfpMw7JPFIMhUEsRftyZuxDgrPQs/geHoSXMeI+bgIRirnRkOLVDaNSiAKt1VtWeDrVeOBc IEzocdRicpX7VmwFHiHM1BblamwYCsX/nfexFg== )`
	RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
	DNSKEY=21831 is now in the chain-of-trust
	DNSKEY=38696/SEP is now in the chain-of-trust
	Query to m.root-servers.net for mail.gov/A
	Received 618 bytes from 202.12.27.33
	;; Response received from [202.12.27.33] 618 octets ;; HEADER SECTION ;; id = 41512 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS d.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260226050000 20260213040000 21831 . TteXzNrNu/zzziMCoymmKEoOySuieWCToNgQ7hbboP7Z1kGFCzwpngThVgGAWPnRU3nvTrhNXawz FgCusQiYft9DGLe7XI2EDLwgVhkchDmLOcr0bw04aKvkUfFe+XTM6yeNxr20nb7Bbm64th/rI5KR cVRTG/hM9RjoNsrAJIL1V4SpTrIneGgR9hiMPEtdOr6o5m9RTxoMLfwedsx2VajOIM0avvCgeR8F B53W610kqN47p28d7gQ2yR/tTpoc8ll33B9TwLqwvXHCZ4RpRiJq4pyNcxUZ2RSyAvEJlYwoRtNm wzbWAs0MlRDCQ6gXn1NMWk7KF2e5goURv6+Y0Q== ) ;; ADDITIONAL SECTION (9 records) d.ns.gov. 172800 IN A 199.33.233.1 c.ns.gov. 172800 IN A 199.33.232.1 b.ns.gov. 172800 IN A 199.33.231.1 a.ns.gov. 172800 IN A 199.33.230.1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 ;; { "EDNS-VERSION": 0 }
	Query to d.root-servers.net for gov/DNSKEY
	Received 610 bytes from 199.7.91.13
	;; Response received from [199.7.91.13] 610 octets ;; HEADER SECTION ;; id = 15215 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 6 arcount = 9 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1450, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (6 records) gov. 172800 IN NS a.ns.gov. gov. 172800 IN NS b.ns.gov. gov. 172800 IN NS c.ns.gov. gov. 172800 IN NS d.ns.gov. gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260226050000 20260213040000 21831 . TteXzNrNu/zzziMCoymmKEoOySuieWCToNgQ7hbboP7Z1kGFCzwpngThVgGAWPnRU3nvTrhNXawz FgCusQiYft9DGLe7XI2EDLwgVhkchDmLOcr0bw04aKvkUfFe+XTM6yeNxr20nb7Bbm64th/rI5KR cVRTG/hM9RjoNsrAJIL1V4SpTrIneGgR9hiMPEtdOr6o5m9RTxoMLfwedsx2VajOIM0avvCgeR8F B53W610kqN47p28d7gQ2yR/tTpoc8ll33B9TwLqwvXHCZ4RpRiJq4pyNcxUZ2RSyAvEJlYwoRtNm wzbWAs0MlRDCQ6gXn1NMWk7KF2e5goURv6+Y0Q== ) ;; ADDITIONAL SECTION (9 records) a.ns.gov. 172800 IN A 199.33.230.1 b.ns.gov. 172800 IN A 199.33.231.1 c.ns.gov. 172800 IN A 199.33.232.1 d.ns.gov. 172800 IN A 199.33.233.1 a.ns.gov. 172800 IN AAAA 2001:503:ff40::1 b.ns.gov. 172800 IN AAAA 2001:503:ff41::1 c.ns.gov. 172800 IN AAAA 2001:503:ff42::1 d.ns.gov. 172800 IN AAAA 2001:503:ff43::1 ;; { "EDNS-VERSION": 0 }
	Found child zone gov

gov

	Checking DS between . and gov
	Query to l.root-servers.net for gov/DS
	Received 367 bytes from 199.7.83.42
	;; Response received from [199.7.83.42] 367 octets ;; HEADER SECTION ;; id = 50616 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 4096, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DS ;; ANSWER SECTION (2 records) gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 ) gov. 86400 IN RRSIG ( DS 8 1 86400 20260226050000 20260213040000 21831 . TteXzNrNu/zzziMCoymmKEoOySuieWCToNgQ7hbboP7Z1kGFCzwpngThVgGAWPnRU3nvTrhNXawz FgCusQiYft9DGLe7XI2EDLwgVhkchDmLOcr0bw04aKvkUfFe+XTM6yeNxr20nb7Bbm64th/rI5KR cVRTG/hM9RjoNsrAJIL1V4SpTrIneGgR9hiMPEtdOr6o5m9RTxoMLfwedsx2VajOIM0avvCgeR8F B53W610kqN47p28d7gQ2yR/tTpoc8ll33B9TwLqwvXHCZ4RpRiJq4pyNcxUZ2RSyAvEJlYwoRtNm wzbWAs0MlRDCQ6gXn1NMWk7KF2e5goURv6+Y0Q== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 1 DS records for gov in the . zone
	DS=2536/SHA-256 has algorithm ECDSAP256SHA256
	Found 1 RRSIGs over DS RRset
	`gov. 86400 IN RRSIG ( DS 8 1 86400 20260226050000 20260213040000 21831 . TteXzNrNu/zzziMCoymmKEoOySuieWCToNgQ7hbboP7Z1kGFCzwpngThVgGAWPnRU3nvTrhNXawz FgCusQiYft9DGLe7XI2EDLwgVhkchDmLOcr0bw04aKvkUfFe+XTM6yeNxr20nb7Bbm64th/rI5KR cVRTG/hM9RjoNsrAJIL1V4SpTrIneGgR9hiMPEtdOr6o5m9RTxoMLfwedsx2VajOIM0avvCgeR8F B53W610kqN47p28d7gQ2yR/tTpoc8ll33B9TwLqwvXHCZ4RpRiJq4pyNcxUZ2RSyAvEJlYwoRtNm wzbWAs0MlRDCQ6gXn1NMWk7KF2e5goURv6+Y0Q== )`
	RRSIG=21831 and DNSKEY=21831 verifies the DS RRset
	DS=2536/SHA-256 is now in the chain-of-trust
	`gov. 86400 IN DS ( 2536 13 2 0baf26b7bbf313a859046fd3b1ee49ddfba33934cfb3e717c21e2a2935c2f259 )`
	Query to d.ns.gov for gov/DNSKEY
	Received 291 bytes from 199.33.233.1
	;; Response received from [199.33.233.1] 291 octets ;; HEADER SECTION ;; id = 9593 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; gov. IN DNSKEY ;; ANSWER SECTION (3 records) gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536 gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496 gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20260325110622 20260123110622 2536 gov. 1Yi8jf2XMbTmgyRtyAql82WHrDi/8ytE7icJRnRPcCVnXyEt3A8YdXw6HrWtpNUl/JkqW97k8CkQ IcmdNBTspg== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for gov
	`gov. 3600 IN DNSKEY ( 257 3 13 D6ZhJTObQw3+kcewWf5iTHbzD3uTdbs5xf0kQfP/VXZcDovWJd0DUgHlp2VC002aLDCwhLoPPVN2 VfyoPnjCqg== ) ; keytag 2536`
	`gov. 3600 IN DNSKEY ( 256 3 13 Of5kU9k4XfdcPwCK9k/zRJNu+Xspnw/BDd+1V6ZpDXRIpHe35BnHTZUBJN9gd6++HkiGXx2YnTji iO7/q+Yamg== ) ; keytag 35496`
	DNSKEY=2536/SEP is now in the chain-of-trust
	DS=2536/SHA-256 verifies DNSKEY=2536/SEP
	Found 1 RRSIGs over DNSKEY RRset
	`gov. 3600 IN RRSIG ( DNSKEY 13 1 3600 20260325110622 20260123110622 2536 gov. 1Yi8jf2XMbTmgyRtyAql82WHrDi/8ytE7icJRnRPcCVnXyEt3A8YdXw6HrWtpNUl/JkqW97k8CkQ IcmdNBTspg== )`
	RRSIG=2536 and DNSKEY=2536/SEP verifies the DNSKEY RRset
	DNSKEY=35496 is now in the chain-of-trust
	Query to a.ns.gov for mail.gov/A
	Received 282 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 282 octets ;; HEADER SECTION ;; id = 27267 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 5 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) mail.gov. 10800 IN NS dns082.usps.com. mail.gov. 10800 IN NS dns141.usps.com. mail.gov. 3600 IN DS ( 25815 7 2 2d19703a221ea7c191fcc31bb5c860a5601f34c5a4785bd5c7fa49101ac23b78 ) mail.gov. 3600 IN DS ( 47968 7 2 b80452997f3e3ae21814066628f2de0f0624b5a07a176014490fee5c8de2db3f ) mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20260214080324 20260212060324 35496 gov. PJq/8W37D6ovqzAMisaPLJa91XvY1LwH/E6vNqyEA4KR1Ti4fbGHoU4J2Tlqtz9Z+Fw/CQdEsNnd h+S6fInr9Q== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to a.ns.gov for mail.gov/DNSKEY
	Received 282 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 282 octets ;; HEADER SECTION ;; id = 12996 ;; qr = 1 aa = 0 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 5 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN DNSKEY ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (5 records) mail.gov. 10800 IN NS dns082.usps.com. mail.gov. 10800 IN NS dns141.usps.com. mail.gov. 3600 IN DS ( 25815 7 2 2d19703a221ea7c191fcc31bb5c860a5601f34c5a4785bd5c7fa49101ac23b78 ) mail.gov. 3600 IN DS ( 47968 7 2 b80452997f3e3ae21814066628f2de0f0624b5a07a176014490fee5c8de2db3f ) mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20260214080324 20260212060324 35496 gov. s7W+JCXzF4nFR/8VkgifZNWMJRTJtoWrjt6UUqzvdpxq3jSrB3Y+Am4BjGuBhzcF+8BVwGuCela0 Or9OF+oDdA== ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found child zone mail.gov

mail.gov

	Checking DS between gov and mail.gov
	Query to a.ns.gov for mail.gov/DS
	Received 232 bytes from 199.33.230.1
	;; Response received from [199.33.230.1] 232 octets ;; HEADER SECTION ;; id = 31223 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN DS ;; ANSWER SECTION (3 records) mail.gov. 3600 IN DS ( 25815 7 2 2d19703a221ea7c191fcc31bb5c860a5601f34c5a4785bd5c7fa49101ac23b78 ) mail.gov. 3600 IN DS ( 47968 7 2 b80452997f3e3ae21814066628f2de0f0624b5a07a176014490fee5c8de2db3f ) mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20260214080324 20260212060324 35496 gov. 7ZI3Z4kFgfLF+Oo40b6SslvFYfj2k5p5NIPd8iqU6nPRjPSBHC9hDSHSrExHzsB/0qonElxVHc0b IbTCGvl5Bw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DS records for mail.gov in the gov zone
	DS=25815/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	DS=47968/SHA-256 has algorithm RSASHA1-NSEC3-SHA1
	Found 1 RRSIGs over DS RRset
	`mail.gov. 3600 IN RRSIG ( DS 13 2 3600 20260214080324 20260212060324 35496 gov. 7ZI3Z4kFgfLF+Oo40b6SslvFYfj2k5p5NIPd8iqU6nPRjPSBHC9hDSHSrExHzsB/0qonElxVHc0b IbTCGvl5Bw== )`
	RRSIG=35496 and DNSKEY=35496 verifies the DS RRset
	DS=25815/SHA-256 is now in the chain-of-trust
	DS=47968/SHA-256 is now in the chain-of-trust
	`mail.gov. 3600 IN DS ( 25815 7 2 2d19703a221ea7c191fcc31bb5c860a5601f34c5a4785bd5c7fa49101ac23b78 )`
	`mail.gov. 3600 IN DS ( 47968 7 2 b80452997f3e3ae21814066628f2de0f0624b5a07a176014490fee5c8de2db3f )`
	Query to dns141.usps.com for mail.gov/DNSKEY
	Received 757 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 757 octets ;; HEADER SECTION ;; id = 7929 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 3 ;; nscount = 0 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN DNSKEY ;; ANSWER SECTION (3 records) mail.gov. 3600 IN DNSKEY ( 257 3 7 AwEAAa3cq3G1h0mHd40cN78ctjAKDvjkjf+USykQj0WaoVae/67ScvGriqO6ekJWTNQzaW69h8gk arwokCVD9mTTjWX8oyJQJCW0upnJSKoLJTxvegpfTbRVTXx6x3iVhCUgRsyIXS7uQZpOU3UIIL74 dtsvwYlWmcL3OkPqL7+fsQ/7z9hMVV7REscERIv1v3qtD4cqz9+C4D03cSQdl8WuQ4oJp9AQ1Bdj gz6kqJrkxcM2BcBxliFuSyqPHpcOI56aMl3uTkxrXeFMq2Bz0+nIWVb68b8nAYKQgdg9B60V4CUz /17iIGXEFAqUtRgIg6y0ukc1gFCRsWAoVpcgwVZCUtM= ) ; keytag 25815 mail.gov. 3600 IN DNSKEY ( 256 3 7 AwEAAcfQQwwr/vFk+4sbca5kunb2ME7zrzZZBQjEGa41vU2Z5ws7lWfjPmuUxdD1wR3MhYJCc4UN WomxoS/mOV6j95XE7MNeTBaeErXLzzLtVdug9rAqbLbUxBv4ChHh3ejIPyPtZXrEnUCp7jj+KRdL YK87oSOMb7fJExq+J8bMnClB ) ; keytag 39170 mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20260218044222 20260208042137 25815 mail.gov. LQsy77fRNkW0ijqsb1HgV9ul8qmprOxJQ8LanBrVwzszh3qFsrtAB5YetG9QXdV8H0b+eFZP2eIC crgQDldkyr70Sr/x6eIakDqC0gaYo//ySNUfJfQYsw/KsCUSdxD82WVm5F8Zoc+0oq62nXOb2EFt Y0qLf2QLoGWWr4c+f3NGaGHQd19Fj0E0byES1UbL+ML6/KZCeAgamzdgMT4dE2Fu6fRwVfX2BMu7 cGRMoIF4o8YAxvtpIVPKal7mtlJR2avWNasklW/P8zkk92z5LFx8USuN6QF4cauWTWdfORkgY1LO gmJMmu0HMA1uFCItRs4tv1GrtbyN3hQ33XdIXw== ) ;; AUTHORITY SECTION (0 records) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Found 2 DNSKEY records for mail.gov
	`mail.gov. 3600 IN DNSKEY ( 257 3 7 AwEAAa3cq3G1h0mHd40cN78ctjAKDvjkjf+USykQj0WaoVae/67ScvGriqO6ekJWTNQzaW69h8gk arwokCVD9mTTjWX8oyJQJCW0upnJSKoLJTxvegpfTbRVTXx6x3iVhCUgRsyIXS7uQZpOU3UIIL74 dtsvwYlWmcL3OkPqL7+fsQ/7z9hMVV7REscERIv1v3qtD4cqz9+C4D03cSQdl8WuQ4oJp9AQ1Bdj gz6kqJrkxcM2BcBxliFuSyqPHpcOI56aMl3uTkxrXeFMq2Bz0+nIWVb68b8nAYKQgdg9B60V4CUz /17iIGXEFAqUtRgIg6y0ukc1gFCRsWAoVpcgwVZCUtM= ) ; keytag 25815`
	`mail.gov. 3600 IN DNSKEY ( 256 3 7 AwEAAcfQQwwr/vFk+4sbca5kunb2ME7zrzZZBQjEGa41vU2Z5ws7lWfjPmuUxdD1wR3MhYJCc4UN WomxoS/mOV6j95XE7MNeTBaeErXLzzLtVdug9rAqbLbUxBv4ChHh3ejIPyPtZXrEnUCp7jj+KRdL YK87oSOMb7fJExq+J8bMnClB ) ; keytag 39170`
	DNSKEY=25815/SEP is now in the chain-of-trust
	DS=25815/SHA-256 verifies DNSKEY=25815/SEP
	DS=47968/SHA-256 is published, but a corresponding DNSKEY is not
	Found 1 RRSIGs over DNSKEY RRset
	`mail.gov. 3600 IN RRSIG ( DNSKEY 7 2 3600 20260218044222 20260208042137 25815 mail.gov. LQsy77fRNkW0ijqsb1HgV9ul8qmprOxJQ8LanBrVwzszh3qFsrtAB5YetG9QXdV8H0b+eFZP2eIC crgQDldkyr70Sr/x6eIakDqC0gaYo//ySNUfJfQYsw/KsCUSdxD82WVm5F8Zoc+0oq62nXOb2EFt Y0qLf2QLoGWWr4c+f3NGaGHQd19Fj0E0byES1UbL+ML6/KZCeAgamzdgMT4dE2Fu6fRwVfX2BMu7 cGRMoIF4o8YAxvtpIVPKal7mtlJR2avWNasklW/P8zkk92z5LFx8USuN6QF4cauWTWdfORkgY1LO gmJMmu0HMA1uFCItRs4tv1GrtbyN3hQ33XdIXw== )`
	RRSIG=25815 and DNSKEY=25815/SEP does not verify the DNSKEY RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	None of the 1 RRSIG and 2 DNSKEY records validate the DNSKEY RRset
	The DNSKEY RRset was not signed by any trusted keys
	Query to dns082.usps.com for mail.gov/A
	Received 530 bytes from 56.0.82.25
	;; Response received from [56.0.82.25] 530 octets ;; HEADER SECTION ;; id = 64157 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 788829700 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20260218052137 20260208042137 39170 mail.gov. bmYuRBkB0nD9Zr3q3JH9GSgNvmT2OqRJD1V4PLqw1V1qyBm7RZV2nNgm1wZu6tdpZRaJUNyz+sDn 0BxUw/1f4gpeXDO+XMNIfTthCiTadc3QKzX/lL846IVQTm4nCIoJzY9rQqtt5ey0SNmjZJBEQDST 5luyOFuBvtD+wiO8X8A= ) GO0KF893J4PSMLB1MEQ8OL0DB1DUVAF3.mail.gov. 1800 IN NSEC3 ( 1 0 0 - kn7mqhn8t7abtv6see54s22o94mv39pq NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) GO0KF893J4PSMLB1MEQ8OL0DB1DUVAF3.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20260218044222 20260208042137 39170 mail.gov. dl8+y2cNY3EAQ0aRDo86E7cw9vLxwgRs/zxCTvl+cFkymCqVQR0Xln9GX8nCgSaO9TKiwYd3I57i fSuBBUX7EnWDzxmusx0yCx8vIJUBbKmsE6Qo9jcfxDTK6CItyl2x7ycTUrnz4CL04H8glNLOML/r nV2JbCRQWeAQPLQCU/g= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	dns082.usps.com is authoritative for mail.gov
	Found RRSIG signed by mail.gov zone
	Query to dns141.usps.com for mail.gov/SOA
	Received 491 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 491 octets ;; HEADER SECTION ;; id = 58574 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 2 ;; nscount = 3 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ;; {"EXTENDED-ERROR": {"ERROR": "Prohibited", "EXTRA-TEXT": "", "INFO-CODE": 18}} ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN SOA ;; ANSWER SECTION (2 records) mail.gov. 3600 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 788829700 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 3600 IN RRSIG ( SOA 7 2 3600 20260218052137 20260208042137 39170 mail.gov. bmYuRBkB0nD9Zr3q3JH9GSgNvmT2OqRJD1V4PLqw1V1qyBm7RZV2nNgm1wZu6tdpZRaJUNyz+sDn 0BxUw/1f4gpeXDO+XMNIfTthCiTadc3QKzX/lL846IVQTm4nCIoJzY9rQqtt5ey0SNmjZJBEQDST 5luyOFuBvtD+wiO8X8A= ) ;; AUTHORITY SECTION (3 records) mail.gov. 3600 IN NS dns082.usps.com. mail.gov. 3600 IN NS dns141.usps.com. mail.gov. 3600 IN RRSIG ( NS 7 2 3600 20260218044222 20260208042137 39170 mail.gov. HHDmn48Tp8ucBlzmJuz8VCxFt4ix6upKCEsL+DK5OodPP+905LfW6LrKqEdYIfgddnl3TrgD0goK +g7y62sDnPTwuJF0UZGqh+c/KJqD6d8yo/DJVT5IjK5M05pzR9B8dy2OMcRFea4CEmiBJ0x6yI/N 786w/gdVe0/BKk/aPbc= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	Query to dns082.usps.com for mail.gov/A
	Received 530 bytes from 56.0.82.25
	;; Response received from [56.0.82.25] 530 octets ;; HEADER SECTION ;; id = 56064 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 788829700 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20260218052137 20260208042137 39170 mail.gov. bmYuRBkB0nD9Zr3q3JH9GSgNvmT2OqRJD1V4PLqw1V1qyBm7RZV2nNgm1wZu6tdpZRaJUNyz+sDn 0BxUw/1f4gpeXDO+XMNIfTthCiTadc3QKzX/lL846IVQTm4nCIoJzY9rQqtt5ey0SNmjZJBEQDST 5luyOFuBvtD+wiO8X8A= ) GO0KF893J4PSMLB1MEQ8OL0DB1DUVAF3.mail.gov. 1800 IN NSEC3 ( 1 0 0 - kn7mqhn8t7abtv6see54s22o94mv39pq NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) GO0KF893J4PSMLB1MEQ8OL0DB1DUVAF3.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20260218044222 20260208042137 39170 mail.gov. dl8+y2cNY3EAQ0aRDo86E7cw9vLxwgRs/zxCTvl+cFkymCqVQR0Xln9GX8nCgSaO9TKiwYd3I57i fSuBBUX7EnWDzxmusx0yCx8vIJUBbKmsE6Qo9jcfxDTK6CItyl2x7ycTUrnz4CL04H8glNLOML/r nV2JbCRQWeAQPLQCU/g= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	NSEC3 validation not implemented yet
	Found 1 RRSIGs over SOA RRset
	`mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20260218052137 20260208042137 39170 mail.gov. bmYuRBkB0nD9Zr3q3JH9GSgNvmT2OqRJD1V4PLqw1V1qyBm7RZV2nNgm1wZu6tdpZRaJUNyz+sDn 0BxUw/1f4gpeXDO+XMNIfTthCiTadc3QKzX/lL846IVQTm4nCIoJzY9rQqtt5ey0SNmjZJBEQDST 5luyOFuBvtD+wiO8X8A= )`
	RRSIG=39170 and DNSKEY=39170 does not verify the SOA RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	None of the 1 RRSIG and 2 DNSKEY records validate the SOA RRset

mail.gov

	Query to dns141.usps.com for mail.gov/A
	Received 530 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 530 octets ;; HEADER SECTION ;; id = 27826 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 788829700 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20260218052137 20260208042137 39170 mail.gov. bmYuRBkB0nD9Zr3q3JH9GSgNvmT2OqRJD1V4PLqw1V1qyBm7RZV2nNgm1wZu6tdpZRaJUNyz+sDn 0BxUw/1f4gpeXDO+XMNIfTthCiTadc3QKzX/lL846IVQTm4nCIoJzY9rQqtt5ey0SNmjZJBEQDST 5luyOFuBvtD+wiO8X8A= ) GO0KF893J4PSMLB1MEQ8OL0DB1DUVAF3.mail.gov. 1800 IN NSEC3 ( 1 0 0 - kn7mqhn8t7abtv6see54s22o94mv39pq NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) GO0KF893J4PSMLB1MEQ8OL0DB1DUVAF3.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20260218044222 20260208042137 39170 mail.gov. dl8+y2cNY3EAQ0aRDo86E7cw9vLxwgRs/zxCTvl+cFkymCqVQR0Xln9GX8nCgSaO9TKiwYd3I57i fSuBBUX7EnWDzxmusx0yCx8vIJUBbKmsE6Qo9jcfxDTK6CItyl2x7ycTUrnz4CL04H8glNLOML/r nV2JbCRQWeAQPLQCU/g= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	dns141.usps.com is authoritative for mail.gov
	Found RRSIG signed by mail.gov zone
	Query to dns141.usps.com for mail.gov/A
	Received 530 bytes from 56.0.141.25
	;; Response received from [56.0.141.25] 530 octets ;; HEADER SECTION ;; id = 32499 ;; qr = 1 aa = 1 tc = 0 rd = 0 opcode = QUERY ;; ra = 0 z = 0 ad = 0 cd = 0 rcode = NOERROR ;; do = 1 co = 0 ;; qdcount = 1 ancount = 0 ;; nscount = 4 arcount = 1 ;; { "EDNS-VERSION": 0, ;; "FLAGS": "8000", ;; "RCODE": 0, ;; "UDPSIZE": 1232, ;; "OPTIONS": [ ] ;; } ;; QUESTION SECTION (1 record) ;; mail.gov. IN A ;; ANSWER SECTION (0 records) ;; AUTHORITY SECTION (4 records) mail.gov. 1800 IN SOA ( dns141.usps.com. domainadmin.imail.usps.gov. 788829700 ;serial 3600 ;refresh 1800 ;retry 1209600 ;expire 1800 ;minimum ) mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20260218052137 20260208042137 39170 mail.gov. bmYuRBkB0nD9Zr3q3JH9GSgNvmT2OqRJD1V4PLqw1V1qyBm7RZV2nNgm1wZu6tdpZRaJUNyz+sDn 0BxUw/1f4gpeXDO+XMNIfTthCiTadc3QKzX/lL846IVQTm4nCIoJzY9rQqtt5ey0SNmjZJBEQDST 5luyOFuBvtD+wiO8X8A= ) GO0KF893J4PSMLB1MEQ8OL0DB1DUVAF3.mail.gov. 1800 IN NSEC3 ( 1 0 0 - kn7mqhn8t7abtv6see54s22o94mv39pq NS SOA TXT RRSIG DNSKEY NSEC3PARAM ) GO0KF893J4PSMLB1MEQ8OL0DB1DUVAF3.mail.gov. 1800 IN RRSIG ( NSEC3 7 3 1800 20260218044222 20260208042137 39170 mail.gov. dl8+y2cNY3EAQ0aRDo86E7cw9vLxwgRs/zxCTvl+cFkymCqVQR0Xln9GX8nCgSaO9TKiwYd3I57i fSuBBUX7EnWDzxmusx0yCx8vIJUBbKmsE6Qo9jcfxDTK6CItyl2x7ycTUrnz4CL04H8glNLOML/r nV2JbCRQWeAQPLQCU/g= ) ;; ADDITIONAL SECTION (1 record) ;; { "EDNS-VERSION": 0 }
	NSEC3 validation not implemented yet
	Found 1 RRSIGs over SOA RRset
	`mail.gov. 1800 IN RRSIG ( SOA 7 2 3600 20260218052137 20260208042137 39170 mail.gov. bmYuRBkB0nD9Zr3q3JH9GSgNvmT2OqRJD1V4PLqw1V1qyBm7RZV2nNgm1wZu6tdpZRaJUNyz+sDn 0BxUw/1f4gpeXDO+XMNIfTthCiTadc3QKzX/lL846IVQTm4nCIoJzY9rQqtt5ey0SNmjZJBEQDST 5luyOFuBvtD+wiO8X8A= )`
	RRSIG=39170 and DNSKEY=39170 does not verify the SOA RRset (libcrypto error (SEC.xs line 223)signature verification failed)
	None of the 1 RRSIG and 2 DNSKEY records validate the SOA RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test mail.gov at dnsviz.net.

DNSSEC Debugger

↓ Advanced options ↑ Advanced options

Trust Anchor:
Name Servers: