View on GitHub

DNSViz: A DNS visualization tool

desec.org

DNSSEC options (hide)
  1. |?|
  2. |?|
  3. |?|
  4. |?|
  5. |?|
  6. |?|
  7. |?|
  8. |?|
  9. |?|
Notices
DNSSEC Authentication Chain

RRset statusRRset status

Secure (9)
  • 91grntqly6.desec.org/A (NXDOMAIN)
  • _.desec.org/A
  • desec.org/A
  • desec.org/AAAA
  • desec.org/CNAME (NODATA)
  • desec.org/MX
  • desec.org/NS
  • desec.org/SOA
  • desec.org/TXT

DNSKEY/DS/NSEC statusDNSKEY/DS/NSEC status

Secure (10)
  • ./DNSKEY (alg 8, id 20326)
  • ./DNSKEY (alg 8, id 26116)
  • NSEC3 proving non-existence of 91grntqly6.desec.org/A
  • NSEC3 proving non-existence of desec.org/CNAME
  • desec.org/DNSKEY (alg 13, id 6697)
  • desec.org/DS (alg 13, id 6697)
  • org/DNSKEY (alg 8, id 26974)
  • org/DNSKEY (alg 8, id 34266)
  • org/DNSKEY (alg 8, id 63858)
  • org/DS (alg 8, id 26974)

Delegation statusDelegation status

Secure (2)
  • . to org
  • org to desec.org

NoticesNotices

Errors (8)
  • NSEC3 proving non-existence of 91grntqly6.desec.org/A: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.
  • NSEC3 proving non-existence of 91grntqly6.desec.org/A: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.
  • NSEC3 proving non-existence of desec.org/CNAME: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.
  • NSEC3 proving non-existence of desec.org/CNAME: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.
  • RRSIG NSEC3 proving non-existence of 91grntqly6.desec.org/A alg 13, id 6697: The TTL of the RRSIG (3600) exceeds the value of its Original TTL field (300). See RFC 4035, Sec. 2.2.
  • RRSIG NSEC3 proving non-existence of 91grntqly6.desec.org/A alg 13, id 6697: The TTL of the RRset (3600) exceeds the value of the Original TTL field of the RRSIG RR covering it (300). See RFC 4035, Sec. 2.2.
  • RRSIG NSEC3 proving non-existence of desec.org/CNAME alg 13, id 6697: The TTL of the RRSIG (3600) exceeds the value of its Original TTL field (300). See RFC 4035, Sec. 2.2.
  • RRSIG NSEC3 proving non-existence of desec.org/CNAME alg 13, id 6697: The TTL of the RRset (3600) exceeds the value of the Original TTL field of the RRSIG RR covering it (300). See RFC 4035, Sec. 2.2.
Warnings (4)
  • NSEC3 proving non-existence of 91grntqly6.desec.org/A: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1.
  • NSEC3 proving non-existence of 91grntqly6.desec.org/A: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1.
  • NSEC3 proving non-existence of desec.org/CNAME: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1.
  • NSEC3 proving non-existence of desec.org/CNAME: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1.

DNSKEY legend

Full legend
SEP bit setSEP bit set
Revoke bit setRevoke bit set
Trust anchorTrust anchor
Download: png | svg
Warning JavaScript is required to make the graph below interactive.
DNSSEC authentication graph