Zone (*) | DNSSEC - Informations |
---|
|
|
Zone: (root)
|
|
(root)
| 1 DS RR published
|
|
|
|
|
| DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest 4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=
|
|
|
|
|
| • Status: Valid because published
|
|
|
|
|
| 2 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 20326, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 61050, Flags 256
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner (root), Algorithm: 8, 0 Labels, original TTL: 172800 sec, Signature-expiration: 11.12.2024, 00:00:00 +, Signature-Inception: 20.11.2024, 00:00:00 +, KeyTag 20326, Signer-Name: (root)
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 20326 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest "4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: app
|
|
app
| 1 DS RR in the parent zone found
|
|
|
|
|
| DS with Algorithm 8, KeyTag 23684, DigestType 2 and Digest OlzIox4CyUq6ZGGRL6u36fXjSVe7YRSlWoZNlq7DGDY=
|
|
|
|
|
| 1 RRSIG RR to validate DS RR found
|
|
|
|
|
| RRSIG-Owner app., Algorithm: 8, 1 Labels, original TTL: 86400 sec, Signature-expiration: 12.12.2024, 05:00:00 +, Signature-Inception: 29.11.2024, 04:00:00 +, KeyTag 61050, Signer-Name: (root)
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 61050 used to validate the DS RRSet in the parent zone
|
|
|
|
|
| 2 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 23684, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 54916, Flags 256
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner app., Algorithm: 8, 1 Labels, original TTL: 300 sec, Signature-expiration: 20.12.2024, 11:58:48 +, Signature-Inception: 28.11.2024, 11:58:48 +, KeyTag 23684, Signer-Name: app
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 23684 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 23684, DigestType 2 and Digest "OlzIox4CyUq6ZGGRL6u36fXjSVe7YRSlWoZNlq7DGDY=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: synaltic.app
|
|
synaltic.app
| 1 DS RR in the parent zone found
|
|
|
|
|
| DS with Algorithm 8, KeyTag 58, DigestType 2 and Digest Whc2mOBNcl5Q1GixpPEl4Mpugm2C5vf9dyLK6vQi0lE=
|
|
|
|
|
| 1 RRSIG RR to validate DS RR found
|
|
|
|
|
| RRSIG-Owner synaltic.app., Algorithm: 8, 2 Labels, original TTL: 1800 sec, Signature-expiration: 20.12.2024, 11:58:48 +, Signature-Inception: 28.11.2024, 11:58:48 +, KeyTag 54916, Signer-Name: app
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 54916 used to validate the DS RRSet in the parent zone
|
|
|
|
|
| 2 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 58, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 6883, Flags 256
|
|
|
|
|
| 2 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner synaltic.app., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 58, Signer-Name: synaltic.app
|
|
|
|
|
| RRSIG-Owner synaltic.app., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 58 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 6883 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 58, DigestType 2 and Digest "Whc2mOBNcl5Q1GixpPEl4Mpugm2C5vf9dyLK6vQi0lE=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: arnia-bfc.synaltic.app
|
|
arnia-bfc.synaltic.app
| 0 DS RR in the parent zone found
|
|
|
|
|
| DS-Query in the parent zone has a valid NSEC3 RR as result with the hashed query name "orq1gcljgbj085jcta4c6epm99od7tsa" between the hashed NSEC3-owner "orq1gcljgbj085jcta4c6epm99od7tsa" and the hashed NextOwner "picmik0f8lbhl7p7psnis27aplltff1g". So the parent zone confirmes the not-existence of a DS RR.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| 0 DNSKEY RR found
|
|
|
|
|
|
|
|
|
Zone: argocd.arnia-bfc.synaltic.app
|
|
argocd.arnia-bfc.synaltic.app
| 0 DS RR in the parent zone found
|
|
|
|
|
| DS-Query in the parent zone has a valid NSEC3 RR as result with the hashed query name "38ovhvogrhlkhctmei918s52n7vouna1" between the hashed NSEC3-owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the hashed NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So the parent zone confirmes the not-existence of a DS RR.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "orq1gcljgbj085jcta4c6epm99od7tsa" as Owner. That's the Hash of "arnia-bfc.synaltic.app" with the NextHashedOwnerName "picmik0f8lbhl7p7psnis27aplltff1g". So that domain name is the Closest Encloser of "argocd.arnia-bfc.synaltic.app". Opt-Out: False.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| The ClosestEncloser says, that "*.arnia-bfc.synaltic.app" with the Hash "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" and the Next Owner "ddhbtotncvpahob9smfule8009vsmae9", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: False.
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| 0 DNSKEY RR found
|
|
|
|
|
|
|
|
|
|
|
| RRSIG Type 1 validates the A - Result: 141.94.169.202. RRSIG Owner has 4 labels, RRSIG Labels = 3, so it's a wildcard expansion, the Query Name doesn't exists. An additional NSEC/NSEC3 is required to confirm the Not-Existence of the query name.
Validated: RRSIG-Owner argocd.arnia-bfc.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 3600 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| CNAME-Query sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| CNAME-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "38ovhvogrhlkhctmei918s52n7vouna1". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TXT-Query sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TXT-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "38ovhvogrhlkhctmei918s52n7vouna1". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| AAAA-Query sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| AAAA-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "38ovhvogrhlkhctmei918s52n7vouna1". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TLSA-Query (_443._tcp.argocd.arnia-bfc.synaltic.app) sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TLSA-Query sends a valid NSEC3 RR as result and covers the hashed Next Closer Name "38ovhvogrhlkhctmei918s52n7vouna1" (unhashed: argocd.arnia-bfc.synaltic.app) with the owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So that NSEC3 confirms the not-existence of the Next Closer Name.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TLSA-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "b4n6mtc0s2cvfj9ncehe0560h6p8c2le". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| CAA-Query sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| CAA-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "38ovhvogrhlkhctmei918s52n7vouna1". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| A-Query sends a valid NSEC3 RR as result with the hashed query name "38ovhvogrhlkhctmei918s52n7vouna1" between the hashed NSEC3-owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the hashed NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So the zone confirmes the not-existence of that A RR.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Fatal / bogus. NoError+NoDataResult sent, the answer says, the query name exists, the NSEC3 covers the Query Name, but there are not enough informations about wildcards: Validated Data sent, but the NSEC3Recalculate the zone or update the name server software. Or there is a Man in the middle, who has removed one of the required NSEC3-Records, so DNSSEC works.
|
|
|
|
|
| CNAME-Query sends a valid NSEC3 RR as result with the hashed query name "38ovhvogrhlkhctmei918s52n7vouna1" between the hashed NSEC3-owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the hashed NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So the zone confirmes the not-existence of that CNAME RR.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Fatal / bogus. NoError+NoDataResult sent, the answer says, the query name exists, the NSEC3 covers the Query Name, but there are not enough informations about wildcards: NoError - there must be a confirmed wildcard expansion to create the query name. Recalculate the zone or update the name server software. Or there is a Man in the middle, who has removed one of the required NSEC3-Records, so DNSSEC works.
|
|
|
|
|
| TXT-Query sends a valid NSEC3 RR as result with the hashed query name "38ovhvogrhlkhctmei918s52n7vouna1" between the hashed NSEC3-owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the hashed NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So the zone confirmes the not-existence of that TXT RR.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Fatal / bogus. NoError+NoDataResult sent, the answer says, the query name exists, the NSEC3 covers the Query Name, but there are not enough informations about wildcards: NoError - there must be a confirmed wildcard expansion to create the query name. Recalculate the zone or update the name server software. Or there is a Man in the middle, who has removed one of the required NSEC3-Records, so DNSSEC works.
|
|
|
|
|
| AAAA-Query sends a valid NSEC3 RR as result with the hashed query name "38ovhvogrhlkhctmei918s52n7vouna1" between the hashed NSEC3-owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the hashed NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So the zone confirmes the not-existence of that AAAA RR.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Fatal / bogus. NoError+NoDataResult sent, the answer says, the query name exists, the NSEC3 covers the Query Name, but there are not enough informations about wildcards: NoError - there must be a confirmed wildcard expansion to create the query name. Recalculate the zone or update the name server software. Or there is a Man in the middle, who has removed one of the required NSEC3-Records, so DNSSEC works.
|
|
|
|
|
| CAA-Query sends a valid NSEC3 RR as result with the hashed query name "38ovhvogrhlkhctmei918s52n7vouna1" between the hashed NSEC3-owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the hashed NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So the zone confirmes the not-existence of that CAA RR.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Fatal / bogus. NoError+NoDataResult sent, the answer says, the query name exists, the NSEC3 covers the Query Name, but there are not enough informations about wildcards: NoError - there must be a confirmed wildcard expansion to create the query name. Recalculate the zone or update the name server software. Or there is a Man in the middle, who has removed one of the required NSEC3-Records, so DNSSEC works.
|
|
|
Zone: www.argocd.arnia-bfc.synaltic.app
|
|
www.argocd.arnia-bfc.synaltic.app
| 0 DS RR in the parent zone found
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "orq1gcljgbj085jcta4c6epm99od7tsa" as Owner. That's the Hash of "arnia-bfc.synaltic.app" with the NextHashedOwnerName "picmik0f8lbhl7p7psnis27aplltff1g". So that domain name is the Closest Encloser of "www.argocd.arnia-bfc.synaltic.app". Opt-Out: False.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| The ClosestEncloser says, that "*.arnia-bfc.synaltic.app" with the Hash "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" and the Next Owner "ddhbtotncvpahob9smfule8009vsmae9", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: False.
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| RRSIG Type 1 validates the A - Result: 141.94.169.202. RRSIG Owner has 5 labels, RRSIG Labels = 3, so it's a wildcard expansion, the Query Name doesn't exists. An additional NSEC/NSEC3 is required to confirm the Not-Existence of the query name.
Validated: RRSIG-Owner www.argocd.arnia-bfc.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 3600 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| A-Query sends a valid NSEC3 RR as result and covers the hashed Next Closer Name "38ovhvogrhlkhctmei918s52n7vouna1" (unhashed: argocd.arnia-bfc.synaltic.app) with the owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So that NSEC3 confirms the not-existence of the Next Closer Name.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| CNAME-Query sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| CNAME-Query sends a valid NSEC3 RR as result and covers the hashed Next Closer Name "38ovhvogrhlkhctmei918s52n7vouna1" (unhashed: argocd.arnia-bfc.synaltic.app) with the owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So that NSEC3 confirms the not-existence of the Next Closer Name.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| CNAME-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "clforer0b7955v13qerb97rqccnhu4lq". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TXT-Query sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TXT-Query sends a valid NSEC3 RR as result and covers the hashed Next Closer Name "38ovhvogrhlkhctmei918s52n7vouna1" (unhashed: argocd.arnia-bfc.synaltic.app) with the owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So that NSEC3 confirms the not-existence of the Next Closer Name.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TXT-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "clforer0b7955v13qerb97rqccnhu4lq". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| AAAA-Query sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| AAAA-Query sends a valid NSEC3 RR as result and covers the hashed Next Closer Name "38ovhvogrhlkhctmei918s52n7vouna1" (unhashed: argocd.arnia-bfc.synaltic.app) with the owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So that NSEC3 confirms the not-existence of the Next Closer Name.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| AAAA-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "clforer0b7955v13qerb97rqccnhu4lq". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TLSA-Query (_443._tcp.www.argocd.arnia-bfc.synaltic.app) sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TLSA-Query sends a valid NSEC3 RR as result and covers the hashed Next Closer Name "38ovhvogrhlkhctmei918s52n7vouna1" (unhashed: argocd.arnia-bfc.synaltic.app) with the owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So that NSEC3 confirms the not-existence of the Next Closer Name.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TLSA-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "sb534ilmel978trvi9jst4d668tedngo". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| CAA-Query sends a valid NSEC3 RR as result with the hashed owner name "orq1gcljgbj085jcta4c6epm99od7tsa" (unhashed: arnia-bfc.synaltic.app). So that's the Closest Encloser of the query name.
Bitmap: No Bitmap? Validated: RRSIG-Owner orq1gcljgbj085jcta4c6epm99od7tsa.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| CAA-Query sends a valid NSEC3 RR as result and covers the hashed Next Closer Name "38ovhvogrhlkhctmei918s52n7vouna1" (unhashed: argocd.arnia-bfc.synaltic.app) with the owner "1vdfipnm2jgplb738tcn6k53mmai9amd" and the NextOwner "3vof4cvu0n57b2su69ctnu0a3ubs6tk1". So that NSEC3 confirms the not-existence of the Next Closer Name.
Bitmap: A, RRSIG Validated: RRSIG-Owner 1vdfipnm2jgplb738tcn6k53mmai9amd.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| CAA-Query sends a valid NSEC3 RR as result with the hashed owner name "d6sh2hd9v42q9mjleu0irek2v4mbn3r1" (unhashed: *.arnia-bfc.synaltic.app) as the Wildcard-Expansion of the Closest Encloser of the query name "clforer0b7955v13qerb97rqccnhu4lq". So the Wildcard-Expansion of the Closest Encloser confirms that the query name is generated via wildcard expansion (NoError instead of NXDomain).
Bitmap: A, RRSIG Validated: RRSIG-Owner d6sh2hd9v42q9mjleu0irek2v4mbn3r1.synaltic.app., Algorithm: 8, 3 Labels, original TTL: 300 sec, Signature-expiration: 29.12.2024, 01:00:13 +, Signature-Inception: 29.11.2024, 01:00:13 +, KeyTag 6883, Signer-Name: synaltic.app
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|