View on GitHub

DNSViz: A DNS visualization tool

root-dnssec.org

DNSSEC options (hide)
  1. |?|
  2. |?|
  3. |?|
  4. |?|
  5. |?|
  6. |?|
  7. |?|
Notices
DNSSEC Authentication Chain

RRset statusRRset status

Bogus (3)
  • root-dnssec.org/NS
  • root-dnssec.org/SOA
  • root-dnssec.org/TXT

DNSKEY/DS/NSEC statusDNSKEY/DS/NSEC status

Bogus (3)
  • root-dnssec.org/DNSKEY (alg 8, id 27763)
  • root-dnssec.org/DNSKEY (alg 8, id 38245)
  • root-dnssec.org/DNSKEY (alg 8, id 53366)
Secure (8)
  • ./DNSKEY (alg 8, id 19036)
  • ./DNSKEY (alg 8, id 22603)
  • org/DNSKEY (alg 7, id 11112)
  • org/DNSKEY (alg 7, id 21366)
  • org/DNSKEY (alg 7, id 60764)
  • org/DNSKEY (alg 7, id 9795)
  • org/DS (alg 7, id 21366)
  • root-dnssec.org/DS (alg 5, id 61492)
Non_existent (1)
  • root-dnssec.org/DNSKEY (alg 5, id 61492)

Delegation statusDelegation status

Bogus (1)
  • org to root-dnssec.org
Secure (1)
  • . to org

NoticesNotices

Errors (8)
  • org to root-dnssec.org: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. (199.4.138.53, 199.43.132.53, 199.43.133.53, 199.43.134.53, 2001:500:89::53, 2001:500:8c::53, 2001:500:8d::53, 2001:500:8e::53, UDP_-_EDNS0_4096_D)
  • org to root-dnssec.org: The DS RRset for the zone included algorithm 5 (RSASHA1), but no DS RR matched a DNSKEY with algorithm 5 that signs the zone's DNSKEY RRset. (199.4.138.53, 199.43.132.53, 199.43.133.53, 199.43.134.53, 2001:500:89::53, 2001:500:8c::53, 2001:500:8d::53, 2001:500:8e::53, UDP_-_EDNS0_4096_D)
  • root-dnssec.org/DNSKEY (alg 8, id 27763): The DS RRset for the zone included algorithm 5 (RSASHA1), but no RRSIG with algorithm 5 covering the RRset was returned in the response. (199.4.138.53, 199.43.132.53, 199.43.133.53, 199.43.134.53, 2001:500:89::53, 2001:500:8c::53, 2001:500:8d::53, 2001:500:8e::53, UDP_-_EDNS0_4096_D)
  • root-dnssec.org/DNSKEY (alg 8, id 38245): The DS RRset for the zone included algorithm 5 (RSASHA1), but no RRSIG with algorithm 5 covering the RRset was returned in the response. (199.4.138.53, 199.43.132.53, 199.43.133.53, 199.43.134.53, 2001:500:89::53, 2001:500:8c::53, 2001:500:8d::53, 2001:500:8e::53, UDP_-_EDNS0_4096_D)
  • root-dnssec.org/DNSKEY (alg 8, id 53366): The DS RRset for the zone included algorithm 5 (RSASHA1), but no RRSIG with algorithm 5 covering the RRset was returned in the response. (199.4.138.53, 199.43.132.53, 199.43.133.53, 199.43.134.53, 2001:500:89::53, 2001:500:8c::53, 2001:500:8d::53, 2001:500:8e::53, UDP_-_EDNS0_4096_D)
  • root-dnssec.org/NS: The DS RRset for the zone included algorithm 5 (RSASHA1), but no RRSIG with algorithm 5 covering the RRset was returned in the response. (199.4.138.53, 199.43.132.53, 199.43.133.53, 199.43.134.53, 2001:500:89::53, 2001:500:8c::53, 2001:500:8d::53, 2001:500:8e::53, UDP_-_EDNS0_4096_D)
  • root-dnssec.org/SOA: The DS RRset for the zone included algorithm 5 (RSASHA1), but no RRSIG with algorithm 5 covering the RRset was returned in the response. (199.4.138.53, 199.43.132.53, 199.43.133.53, 199.43.134.53, 2001:500:89::53, 2001:500:8c::53, 2001:500:8d::53, 2001:500:8e::53, TCP_-_EDNS0_4096_D)
  • root-dnssec.org/TXT: The DS RRset for the zone included algorithm 5 (RSASHA1), but no RRSIG with algorithm 5 covering the RRset was returned in the response. (199.4.138.53, 199.43.132.53, 199.43.133.53, 199.43.134.53, 2001:500:89::53, 2001:500:8c::53, 2001:500:8d::53, 2001:500:8e::53, UDP_-_EDNS0_4096_D)

DNSKEY legend

Full legend
SEP bit setSEP bit set
Revoke bit setRevoke bit set
Trust anchorTrust anchor
Download: png | svg
Warning JavaScript is required to make the graph below interactive.
DNSSEC authentication graph