Zone (*) | DNSSEC - Informations |
---|
|
|
Zone: (root)
|
|
(root)
| 1 DS RR published
|
|
|
|
|
| DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest 4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=
|
|
|
|
|
| • Status: Valid because published
|
|
|
|
|
| 2 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 20326, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 61050, Flags 256
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner (root), Algorithm: 8, 0 Labels, original TTL: 172800 sec, Signature-expiration: 11.11.2024, 00:00:00 +, Signature-Inception: 21.10.2024, 00:00:00 +, KeyTag 20326, Signer-Name: (root)
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 20326 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest "4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: om
|
|
om
| 0 DS RR in the parent zone found
|
|
|
|
|
| DS-Query in the parent zone has a valid NSEC RR as result with the domain name between the NSEC-Owner "om" and the NextOwner "omega". So the parent zone confirmes the non-existence of a DS RR.
Bitmap: NS, RRSIG, NSEC
|
|
|
|
|
| 3 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 10791, Flags 256
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 20359, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 60906, Flags 256
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner om., Algorithm: 8, 1 Labels, original TTL: 86400 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 20359, Signer-Name: om
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 20359 used to validate the DNSKEY RRSet
|
|
|
|
|
| Error: DNSKEY 20359 signs DNSKEY RRset, but no confirming DS RR in the parent zone found. No chain of trust created.
|
|
|
Zone: pleuneservice.om
|
|
pleuneservice.om
| 0 DS RR in the parent zone found
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" as Owner. That's the Hash of "om" with the NextHashedOwnerName "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7". So that domain name is the Closest Encloser of "pleuneservice.om". Opt-Out: True.
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 10791, Signer-Name: om
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" as Owner. That's the Hash of "om" with the NextHashedOwnerName "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7". So that domain name is the Closest Encloser of "pleuneservice.om". Opt-Out: True.
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 60906, Signer-Name: om
|
|
|
|
|
| The ClosestEncloser says, that "*.om" with the Hash "4p23cjhi3vjhfoasnuurb8rdicpljg9n" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" and the Next Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: True
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 10791, Signer-Name: om
|
|
|
|
|
| The ClosestEncloser says, that "*.om" with the Hash "4p23cjhi3vjhfoasnuurb8rdicpljg9n" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" and the Next Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: True
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 60906, Signer-Name: om
|
|
|
|
|
| The NSEC3-Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" is the same as the NextHashedOwnerName. So the parent zone has only this one domain name and doesn't allow secure delegations. Conclusion: It's impossible to use DNSSEC with that parent zone.
|
|
|
|
|
| The NSEC3-Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" is the same as the NextHashedOwnerName. So the parent zone has only this one domain name and doesn't allow secure delegations. Conclusion: It's impossible to use DNSSEC with that parent zone.
|
|
|
Zone: mfa.pleuneservice.om
|
|
mfa.pleuneservice.om
| 0 DS RR in the parent zone found
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" as Owner. That's the Hash of "om" with the NextHashedOwnerName "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7". So that domain name is the Closest Encloser of "mfa.pleuneservice.om". Opt-Out: True.
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 10791, Signer-Name: om
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" as Owner. That's the Hash of "om" with the NextHashedOwnerName "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7". So that domain name is the Closest Encloser of "mfa.pleuneservice.om". Opt-Out: True.
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 60906, Signer-Name: om
|
|
|
|
|
| The ClosestEncloser says, that "*.om" with the Hash "4p23cjhi3vjhfoasnuurb8rdicpljg9n" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" and the Next Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: True
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 10791, Signer-Name: om
|
|
|
|
|
| The ClosestEncloser says, that "*.om" with the Hash "4p23cjhi3vjhfoasnuurb8rdicpljg9n" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" and the Next Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: True
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 60906, Signer-Name: om
|
|
|
|
|
| The NSEC3-Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" is the same as the NextHashedOwnerName. So the parent zone has only this one domain name and doesn't allow secure delegations. Conclusion: It's impossible to use DNSSEC with that parent zone.
|
|
|
|
|
| The NSEC3-Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" is the same as the NextHashedOwnerName. So the parent zone has only this one domain name and doesn't allow secure delegations. Conclusion: It's impossible to use DNSSEC with that parent zone.
|
|
|
Zone: www.mfa.pleuneservice.om
|
|
www.mfa.pleuneservice.om
| 0 DS RR in the parent zone found
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" as Owner. That's the Hash of "om" with the NextHashedOwnerName "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7". So that domain name is the Closest Encloser of "www.mfa.pleuneservice.om". Opt-Out: True.
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 10791, Signer-Name: om
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" as Owner. That's the Hash of "om" with the NextHashedOwnerName "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7". So that domain name is the Closest Encloser of "www.mfa.pleuneservice.om". Opt-Out: True.
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 60906, Signer-Name: om
|
|
|
|
|
| The ClosestEncloser says, that "*.om" with the Hash "4p23cjhi3vjhfoasnuurb8rdicpljg9n" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" and the Next Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: True
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 10791, Signer-Name: om
|
|
|
|
|
| The ClosestEncloser says, that "*.om" with the Hash "4p23cjhi3vjhfoasnuurb8rdicpljg9n" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" and the Next Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: True
Bitmap: NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY Validated: RRSIG-Owner q80i2o2p6csfqpoobh5l8s8jvhhdpqt7.om., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 09.11.2024, 05:56:28 +, Signature-Inception: 26.10.2024, 04:56:41 +, KeyTag 60906, Signer-Name: om
|
|
|
|
|
| The NSEC3-Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" is the same as the NextHashedOwnerName. So the parent zone has only this one domain name and doesn't allow secure delegations. Conclusion: It's impossible to use DNSSEC with that parent zone.
|
|
|
|
|
| The NSEC3-Owner "q80i2o2p6csfqpoobh5l8s8jvhhdpqt7" is the same as the NextHashedOwnerName. So the parent zone has only this one domain name and doesn't allow secure delegations. Conclusion: It's impossible to use DNSSEC with that parent zone.
|