Zone (*) | DNSSEC - Informations |
---|
|
|
Zone: (root)
|
|
(root)
| 1 DS RR published
|
|
|
|
|
| DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest 4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=
|
|
|
|
|
| • Status: Valid because published
|
|
|
|
|
| 3 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 5613, Flags 256
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 20038, Flags 256
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 20326, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner (root), Algorithm: 8, 0 Labels, original TTL: 172800 sec, Signature-expiration: 22.07.2024, 00:00:00 +, Signature-Inception: 01.07.2024, 00:00:00 +, KeyTag 20326, Signer-Name: (root)
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 20326 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest "4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: dk
|
|
dk
| 1 DS RR in the parent zone found
|
|
|
|
|
| DS with Algorithm 13, KeyTag 2181, DigestType 2 and Digest nnB7jJqK5Ik/bd9UWVf5gJ/oukdHv3BSY2AUZqoQBR0=
|
|
|
|
|
| 1 RRSIG RR to validate DS RR found
|
|
|
|
|
| RRSIG-Owner dk., Algorithm: 8, 1 Labels, original TTL: 86400 sec, Signature-expiration: 22.07.2024, 05:00:00 +, Signature-Inception: 09.07.2024, 04:00:00 +, KeyTag 20038, Signer-Name: (root)
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 20038 used to validate the DS RRSet in the parent zone
|
|
|
|
|
| 2 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 13, KeyTag 2181, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| Public Key with Algorithm 13, KeyTag 55245, Flags 256
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner dk., Algorithm: 13, 1 Labels, original TTL: 86400 sec, Signature-expiration: 03.08.2024, 20:39:02 +, Signature-Inception: 06.07.2024, 19:09:02 +, KeyTag 2181, Signer-Name: dk
|
|
|
|
|
| • Status: Good - Algorithmus 13 and DNSKEY with KeyTag 2181 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 2181, DigestType 2 and Digest "nnB7jJqK5Ik/bd9UWVf5gJ/oukdHv3BSY2AUZqoQBR0=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: inetwork.dk
|
|
inetwork.dk
| 1 DS RR in the parent zone found
|
|
|
|
|
| DS with Algorithm 13, KeyTag 9988, DigestType 2 and Digest YXBL4+Lsj4VhlypEpwQK80YkWfI4lRF+Q5YZ14iLzVg=
|
|
|
|
|
| 1 RRSIG RR to validate DS RR found
|
|
|
|
|
| RRSIG-Owner inetwork.dk., Algorithm: 13, 2 Labels, original TTL: 7200 sec, Signature-expiration: 02.08.2024, 20:38:39 +, Signature-Inception: 05.07.2024, 19:08:39 +, KeyTag 55245, Signer-Name: dk
|
|
|
|
|
| • Status: Good - Algorithmus 13 and DNSKEY with KeyTag 55245 used to validate the DS RRSet in the parent zone
|
|
|
|
|
| 2 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 13, KeyTag 9988, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| Public Key with Algorithm 13, KeyTag 11527, Flags 256
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner inetwork.dk., Algorithm: 13, 2 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 9988, Signer-Name: inetwork.dk
|
|
|
|
|
| • Status: Good - Algorithmus 13 and DNSKEY with KeyTag 9988 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 9988, DigestType 2 and Digest "YXBL4+Lsj4VhlypEpwQK80YkWfI4lRF+Q5YZ14iLzVg=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: secmail.inetwork.dk
|
|
secmail.inetwork.dk
| 0 DS RR in the parent zone found
|
|
|
|
|
| DS-Query in the parent zone has a valid NSEC3 RR as result with the hashed query name "k50uqd9orgehu5m5uh25cd6uourc4bu7" between the hashed NSEC3-owner "k50uqd9orgehu5m5uh25cd6uourc4bu7" and the hashed NextOwner "k50uqd9orgehu5m5uh25cd6uourc4bu8". So the parent zone confirmes the not-existence of a DS RR.
Bitmap: A, RRSIG Validated: RRSIG-Owner k50uqd9orgehu5m5uh25cd6uourc4bu7.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| 0 DNSKEY RR found
|
|
|
|
|
|
|
|
|
|
|
| RRSIG Type 1 validates the A - Result: 83.89.248.163
Validated: RRSIG-Owner secmail.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 3600 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| CNAME-Query sends a valid NSEC3 RR as result with the hashed query name "k50uqd9orgehu5m5uh25cd6uourc4bu7" equal the hashed NSEC3-owner "k50uqd9orgehu5m5uh25cd6uourc4bu7" and the hashed NextOwner "k50uqd9orgehu5m5uh25cd6uourc4bu8". So the zone confirmes the not-existence of that CNAME RR, but the existence of that query name (minimal one RR with that name exists).
Bitmap: A, RRSIG Validated: RRSIG-Owner k50uqd9orgehu5m5uh25cd6uourc4bu7.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TXT-Query sends a valid NSEC3 RR as result with the hashed query name "k50uqd9orgehu5m5uh25cd6uourc4bu7" equal the hashed NSEC3-owner "k50uqd9orgehu5m5uh25cd6uourc4bu7" and the hashed NextOwner "k50uqd9orgehu5m5uh25cd6uourc4bu8". So the zone confirmes the not-existence of that TXT RR, but the existence of that query name (minimal one RR with that name exists).
Bitmap: A, RRSIG Validated: RRSIG-Owner k50uqd9orgehu5m5uh25cd6uourc4bu7.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| AAAA-Query sends a valid NSEC3 RR as result with the hashed query name "k50uqd9orgehu5m5uh25cd6uourc4bu7" equal the hashed NSEC3-owner "k50uqd9orgehu5m5uh25cd6uourc4bu7" and the hashed NextOwner "k50uqd9orgehu5m5uh25cd6uourc4bu8". So the zone confirmes the not-existence of that AAAA RR, but the existence of that query name (minimal one RR with that name exists).
Bitmap: A, RRSIG Validated: RRSIG-Owner k50uqd9orgehu5m5uh25cd6uourc4bu7.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TLSA-Query (_443._tcp.secmail.inetwork.dk) sends a valid NSEC3 RR as result with the hashed owner name "k50uqd9orgehu5m5uh25cd6uourc4bu7" (unhashed: secmail.inetwork.dk). So that's the Closest Encloser of the query name.
Bitmap: A, RRSIG Validated: RRSIG-Owner k50uqd9orgehu5m5uh25cd6uourc4bu7.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| Status: Good. NXDomain-Proof required and found.
|
|
|
|
|
| TLSA-Query sends a valid NSEC3 RR as result and covers the hashed Next Closer Name "n97oece54f15jgb6gsv2lgm6vlh2kibb" (unhashed: _tcp.secmail.inetwork.dk) with the owner "n97oece54f15jgb6gsv2lgm6vlh2kiba" and the NextOwner "n97oece54f15jgb6gsv2lgm6vlh2kibc". So that NSEC3 confirms the not-existence of the Next Closer Name.
Bitmap: No Bitmap? Validated: RRSIG-Owner n97oece54f15jgb6gsv2lgm6vlh2kiba.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| Status: Good. NXDomain-Proof required and found.
|
|
|
|
|
| TLSA-Query sends a valid NSEC3 RR as result and covers the hashed Wildcard expansion of the ClosestEncloser "mt1nkqtr814f0h9gn5nbrd5u5ton48fd" (unhashed: *.secmail.inetwork.dk) with the owner "mt1nkqtr814f0h9gn5nbrd5u5ton48fc" and the NextOwner "mt1nkqtr814f0h9gn5nbrd5u5ton48fe". So that NSEC3 confirms the not-existence of the Wildcard expansion.
Bitmap: No Bitmap? Validated: RRSIG-Owner mt1nkqtr814f0h9gn5nbrd5u5ton48fc.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| Status: Good. NXDomain-Proof required and found.
|
|
|
|
|
| CAA-Query sends a valid NSEC3 RR as result with the hashed query name "k50uqd9orgehu5m5uh25cd6uourc4bu7" equal the hashed NSEC3-owner "k50uqd9orgehu5m5uh25cd6uourc4bu7" and the hashed NextOwner "k50uqd9orgehu5m5uh25cd6uourc4bu8". So the zone confirmes the not-existence of that CAA RR, but the existence of that query name (minimal one RR with that name exists).
Bitmap: A, RRSIG Validated: RRSIG-Owner k50uqd9orgehu5m5uh25cd6uourc4bu7.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
Zone: www.secmail.inetwork.dk
|
|
www.secmail.inetwork.dk
| 0 DS RR in the parent zone found
|
|
|
|
|
| DS-Query in the parent zone has a valid NSEC3 RR as result with the hashed query name "0e1sroo9ibhv42uqidka4mg3bdfm3bpc" between the hashed NSEC3-owner "0e1sroo9ibhv42uqidka4mg3bdfm3bpb" and the hashed NextOwner "0e1sroo9ibhv42uqidka4mg3bdfm3bpd". So the parent zone confirmes the not-existence of a DS RR.
Bitmap: No Bitmap? Validated: RRSIG-Owner 0e1sroo9ibhv42uqidka4mg3bdfm3bpb.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "k50uqd9orgehu5m5uh25cd6uourc4bu7" as Owner. That's the Hash of "secmail.inetwork.dk" with the NextHashedOwnerName "k50uqd9orgehu5m5uh25cd6uourc4bu8". So that domain name is the Closest Encloser of "www.secmail.inetwork.dk". Opt-Out: False.
Bitmap: A, RRSIG Validated: RRSIG-Owner k50uqd9orgehu5m5uh25cd6uourc4bu7.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|
|
|
|
|
| The ClosestEncloser says, that "*.secmail.inetwork.dk" with the Hash "mt1nkqtr814f0h9gn5nbrd5u5ton48fd" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "mt1nkqtr814f0h9gn5nbrd5u5ton48fc" and the Next Owner "mt1nkqtr814f0h9gn5nbrd5u5ton48fe", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: False.
Bitmap: No Bitmap? Validated: RRSIG-Owner mt1nkqtr814f0h9gn5nbrd5u5ton48fc.inetwork.dk., Algorithm: 13, 3 Labels, original TTL: 900 sec, Signature-expiration: 18.07.2024, 00:00:00 +, Signature-Inception: 27.06.2024, 00:00:00 +, KeyTag 11527, Signer-Name: inetwork.dk
|