Zone (*) | DNSSEC - Informations |
---|
|
|
Zone: (root)
|
|
(root)
| 1 DS RR published
|
|
|
|
|
| DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest 4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=
|
|
|
|
|
| • Status: Valid because published
|
|
|
|
|
| 2 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 20326, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 46780, Flags 256
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner (root), Algorithm: 8, 0 Labels, original TTL: 172800 sec, Signature-expiration: 11.12.2023, 00:00:00 +, Signature-Inception: 20.11.2023, 00:00:00 +, KeyTag 20326, Signer-Name: (root)
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 20326 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 20326, DigestType 2 and Digest "4G1EuAuPHTmpXAsNfGXQhFjogECbvGg0VxBCN8f47I0=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: io
|
|
io
| 1 DS RR in the parent zone found
|
|
|
|
|
| DS with Algorithm 8, KeyTag 57355, DigestType 2 and Digest laV8O6t4SdvN33xyracaiBRrFBEQMYylvmcgV+hlw+I=
|
|
|
|
|
| 1 RRSIG RR to validate DS RR found
|
|
|
|
|
| RRSIG-Owner io., Algorithm: 8, 1 Labels, original TTL: 86400 sec, Signature-expiration: 03.12.2023, 05:00:00 +, Signature-Inception: 20.11.2023, 04:00:00 +, KeyTag 46780, Signer-Name: (root)
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 46780 used to validate the DS RRSet in the parent zone
|
|
|
|
|
| 3 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 41901, Flags 256
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 45783, Flags 256
|
|
|
|
|
| Public Key with Algorithm 8, KeyTag 57355, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner io., Algorithm: 8, 1 Labels, original TTL: 3600 sec, Signature-expiration: 10.12.2023, 03:14:27 +, Signature-Inception: 19.11.2023, 02:14:27 +, KeyTag 57355, Signer-Name: io
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 57355 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 8, KeyTag 57355, DigestType 2 and Digest "laV8O6t4SdvN33xyracaiBRrFBEQMYylvmcgV+hlw+I=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: dedyn.io
|
|
dedyn.io
| 2 DS RR in the parent zone found
|
|
|
|
|
| DS with Algorithm 13, KeyTag 35233, DigestType 2 and Digest nGcq4ySIT5oBdDMMp2RPaWAXLB2UAj+Ub3B2Ob5tOrA=
|
|
|
|
|
| DS with Algorithm 13, KeyTag 35233, DigestType 4 and Digest zoB+diKdZKrohrJzI1W91o4snRA5YJCF3+FZM/4DHHGYGn+nf0WyIZL3ZySpsp+5
|
|
|
|
|
| 1 RRSIG RR to validate DS RR found
|
|
|
|
|
| RRSIG-Owner dedyn.io., Algorithm: 8, 2 Labels, original TTL: 3600 sec, Signature-expiration: 10.12.2023, 03:14:27 +, Signature-Inception: 19.11.2023, 02:14:27 +, KeyTag 41901, Signer-Name: io
|
|
|
|
|
| • Status: Good - Algorithmus 8 and DNSKEY with KeyTag 41901 used to validate the DS RRSet in the parent zone
|
|
|
|
|
| 1 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 13, KeyTag 35233, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner dedyn.io., Algorithm: 13, 2 Labels, original TTL: 3600 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 35233, Signer-Name: dedyn.io
|
|
|
|
|
| • Status: Good - Algorithmus 13 and DNSKEY with KeyTag 35233 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 35233, DigestType 2 and Digest "nGcq4ySIT5oBdDMMp2RPaWAXLB2UAj+Ub3B2Ob5tOrA=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 35233, DigestType 4 and Digest "zoB+diKdZKrohrJzI1W91o4snRA5YJCF3+FZM/4DHHGYGn+nf0WyIZL3ZySpsp+5" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
Zone: twnet.dedyn.io
|
|
twnet.dedyn.io
| 2 DS RR in the parent zone found
|
|
|
|
|
| DS with Algorithm 13, KeyTag 49980, DigestType 2 and Digest HSYVAr6WEvce7lio9/rLspW6jDd5/RHbn5Kv+6zOaW8=
|
|
|
|
|
| DS with Algorithm 13, KeyTag 49980, DigestType 4 and Digest aHjQbwMkB+t1h2jkH02orDuqkWGyDpBRHuLR2GmbrsSo9NHzhTuWoYxyVLtAYAkJ
|
|
|
|
|
| 1 RRSIG RR to validate DS RR found
|
|
|
|
|
| RRSIG-Owner twnet.dedyn.io., Algorithm: 13, 3 Labels, original TTL: 300 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 35233, Signer-Name: dedyn.io
|
|
|
|
|
| • Status: Good - Algorithmus 13 and DNSKEY with KeyTag 35233 used to validate the DS RRSet in the parent zone
|
|
|
|
|
| 1 DNSKEY RR found
|
|
|
|
|
| Public Key with Algorithm 13, KeyTag 49980, Flags 257 (SEP = Secure Entry Point)
|
|
|
|
|
| 1 RRSIG RR to validate DNSKEY RR found
|
|
|
|
|
| RRSIG-Owner twnet.dedyn.io., Algorithm: 13, 3 Labels, original TTL: 3600 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| • Status: Good - Algorithmus 13 and DNSKEY with KeyTag 49980 used to validate the DNSKEY RRSet
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 49980, DigestType 2 and Digest "HSYVAr6WEvce7lio9/rLspW6jDd5/RHbn5Kv+6zOaW8=" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
|
|
| • Status: Valid Chain of trust. Parent-DS with Algorithm 13, KeyTag 49980, DigestType 4 and Digest "aHjQbwMkB+t1h2jkH02orDuqkWGyDpBRHuLR2GmbrsSo9NHzhTuWoYxyVLtAYAkJ" validates local Key with the same values, Key ist Secure Entry Point (SEP) of the zone
|
|
|
|
|
| RRSIG Type 1 validates the A - Result: 83.7.12.236
Validated: RRSIG-Owner twnet.dedyn.io., Algorithm: 13, 3 Labels, original TTL: 60 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| RRSIG Type 5 validates the TLSA - Result (_443._tcp.twnet.dedyn.io): twnet.dedyn.io. That's a CNAME answer. RRSIG Owner has 5 labels, RRSIG Labels = 3, so it's a wildcard expansion, the Query Name doesn't exists. An additional NSEC/NSEC3 is required to confirm the Not-Existence of the query name.
Validated: RRSIG-Owner _443._tcp.twnet.dedyn.io., Algorithm: 13, 3 Labels, original TTL: 3600 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| RRSIG Type 257 validates the CAA - Result: 5|issueletsencrypt.org
Validated: RRSIG-Owner twnet.dedyn.io., Algorithm: 13, 3 Labels, original TTL: 3600 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| CNAME-Query sends a valid NSEC3 RR as result with the hashed query name "ck2pl10al0hp07amhklpgadcdq6jak7p" equal the hashed NSEC3-owner "ck2pl10al0hp07amhklpgadcdq6jak7p" and the hashed NextOwner "65frd99n5lajrk3b9eknjukcac07m5g5". So the zone confirmes the not-existence of that CNAME RR, but the existence of that query name (minimal one RR with that name exists).
Bitmap: A, NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY, CAA Validated: RRSIG-Owner ck2pl10al0hp07amhklpgadcdq6jak7p.twnet.dedyn.io., Algorithm: 13, 4 Labels, original TTL: 300 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TXT-Query sends a valid NSEC3 RR as result with the hashed query name "ck2pl10al0hp07amhklpgadcdq6jak7p" equal the hashed NSEC3-owner "ck2pl10al0hp07amhklpgadcdq6jak7p" and the hashed NextOwner "65frd99n5lajrk3b9eknjukcac07m5g5". So the zone confirmes the not-existence of that TXT RR, but the existence of that query name (minimal one RR with that name exists).
Bitmap: A, NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY, CAA Validated: RRSIG-Owner ck2pl10al0hp07amhklpgadcdq6jak7p.twnet.dedyn.io., Algorithm: 13, 4 Labels, original TTL: 300 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| AAAA-Query sends a valid NSEC3 RR as result with the hashed query name "ck2pl10al0hp07amhklpgadcdq6jak7p" equal the hashed NSEC3-owner "ck2pl10al0hp07amhklpgadcdq6jak7p" and the hashed NextOwner "65frd99n5lajrk3b9eknjukcac07m5g5". So the zone confirmes the not-existence of that AAAA RR, but the existence of that query name (minimal one RR with that name exists).
Bitmap: A, NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY, CAA Validated: RRSIG-Owner ck2pl10al0hp07amhklpgadcdq6jak7p.twnet.dedyn.io., Algorithm: 13, 4 Labels, original TTL: 300 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
|
|
| TLSA-Query (_443._tcp.twnet.dedyn.io) sends a valid NSEC3 RR as result with the hashed owner name "ck2pl10al0hp07amhklpgadcdq6jak7p" (unhashed: twnet.dedyn.io). So that's the Closest Encloser of the query name. TLSA-Query sends a valid NSEC3 RR as result and covers the hashed Next Closer Name "d2aej1h227rtngujfus64o2edsumlqmj" (unhashed: _tcp.twnet.dedyn.io) with the owner "ck2pl10al0hp07amhklpgadcdq6jak7p" and the NextOwner "65frd99n5lajrk3b9eknjukcac07m5g5". So that NSEC3 confirms the not-existence of the Next Closer Name. TLSA-Query (_443._tcp.twnet.dedyn.io) sends a valid NSEC3 RR as result with the owner name "ck2pl10al0hp07amhklpgadcdq6jak7p" greater the NextOwner-Name "65frd99n5lajrk3b9eknjukcac07m5g5", so the NSEC3 covers the end of the zone. The hashed query name "2vvpt58olslvtimt7aqsttros2ic9vde" comes before the hashed NextOwner, so the zone confirmes the not-existence of that TLSA RR.
Bitmap: A, NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY, CAA Validated: RRSIG-Owner ck2pl10al0hp07amhklpgadcdq6jak7p.twnet.dedyn.io., Algorithm: 13, 4 Labels, original TTL: 300 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|
|
|
Zone: www.twnet.dedyn.io
|
|
www.twnet.dedyn.io
| 2 DS RR in the parent zone found
|
|
|
|
|
| DS with Algorithm 13, KeyTag 49980, DigestType 2 and Digest HSYVAr6WEvce7lio9/rLspW6jDd5/RHbn5Kv+6zOaW8=
|
|
|
|
|
| DS with Algorithm 13, KeyTag 49980, DigestType 4 and Digest aHjQbwMkB+t1h2jkH02orDuqkWGyDpBRHuLR2GmbrsSo9NHzhTuWoYxyVLtAYAkJ
|
|
|
|
|
| 1 RRSIG RR to validate DS RR found
|
|
|
|
|
| RRSIG-Owner twnet.dedyn.io., Algorithm: 13, 3 Labels, original TTL: 300 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 35233, Signer-Name: dedyn.io
|
|
|
|
|
| • not checked
|
|
|
|
|
| DS-Query in the parent zone sends valid NSEC3 RR with the Hash "ck2pl10al0hp07amhklpgadcdq6jak7p" as Owner. That's the Hash of "twnet.dedyn.io" with the NextHashedOwnerName "65frd99n5lajrk3b9eknjukcac07m5g5". So that domain name is the Closest Encloser of "www.twnet.dedyn.io". Opt-Out: False.
Bitmap: A, NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY, CAA Validated: RRSIG-Owner ck2pl10al0hp07amhklpgadcdq6jak7p.twnet.dedyn.io., Algorithm: 13, 4 Labels, original TTL: 300 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| The ClosestEncloser says, that "*.twnet.dedyn.io" with the Hash "65frd99n5lajrk3b9eknjukcac07m5g5" is a possible Wildcard of the DS Query Name. But the DS-Query in the parent zone sends a valid NSEC3 RR With the owner "ck2pl10al0hp07amhklpgadcdq6jak7p" and the Next Owner "65frd99n5lajrk3b9eknjukcac07m5g5", so the Hash of the wildcard is between these hashes. So that NSEC3 proves the Not-existence of that wildcard expansion. Opt-Out: False.
Bitmap: A, NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY, CAA Validated: RRSIG-Owner ck2pl10al0hp07amhklpgadcdq6jak7p.twnet.dedyn.io., Algorithm: 13, 4 Labels, original TTL: 300 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| RRSIG Type 5 validates the CNAME - Result: twnet.dedyn.io. RRSIG Owner has 4 labels, RRSIG Labels = 3, so it's a wildcard expansion, the Query Name doesn't exists. An additional NSEC/NSEC3 is required to confirm the Not-Existence of the query name.
Validated: RRSIG-Owner www.twnet.dedyn.io., Algorithm: 13, 3 Labels, original TTL: 3600 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| CNAME-Query sends a valid NSEC3 RR as result with the hashed owner name "ck2pl10al0hp07amhklpgadcdq6jak7p" (unhashed: twnet.dedyn.io). So that's the Closest Encloser of the query name. CNAME-Query sends a valid NSEC3 RR as result with the owner name "ck2pl10al0hp07amhklpgadcdq6jak7p" greater the NextOwner-Name "65frd99n5lajrk3b9eknjukcac07m5g5", so the NSEC3 covers the end of the zone. The hashed query name "umldukcf760krcstk5v6n46hddb0e2cq" comes after the hashed Owner, so the zone confirmes the not-existence of that CNAME RR.
Bitmap: A, NS, SOA, RRSIG, DNSKEY, NSEC3PARAM, CDS, CDNSKEY, CAA Validated: RRSIG-Owner ck2pl10al0hp07amhklpgadcdq6jak7p.twnet.dedyn.io., Algorithm: 13, 4 Labels, original TTL: 300 sec, Signature-expiration: 30.11.2023, 00:00:00 +, Signature-Inception: 09.11.2023, 00:00:00 +, KeyTag 49980, Signer-Name: twnet.dedyn.io
|
|
|
|
|
| Status: Good. NoData-Proof required and found.
|