letsencrypt.org

Updated: 2020-10-19 00:08:36 UTC (1546 days ago) Go to most recent »

DNSSEC options (hide)

|?| RR types:
|?| DNSSEC algorithms:
|?| DS digest algorithms:
|?| Denial of existence:
|?| Redundant edges:
|?| Ignore RFC 8624:
|?| Ignore RFC 9276:
|?| Multi-signer:
|?| Trust anchors:
- Root zone KSK
|?| Additional trusted keys:

Notices

DNSSEC Authentication Chain

RRset status

Insecure (6)

letsencrypt.org/A
letsencrypt.org/AAAA
letsencrypt.org/MX
letsencrypt.org/NS
letsencrypt.org/SOA
letsencrypt.org/TXT

Secure (3)

org/SOA
org/SOA
org/SOA

DNSKEY/DS/NSEC status

Secure (7)

./DNSKEY (alg 8, id 20326)
./DNSKEY (alg 8, id 26116)
NSEC3 proving non-existence of letsencrypt.org/DS
org/DNSKEY (alg 8, id 26974)
org/DNSKEY (alg 8, id 34266)
org/DNSKEY (alg 8, id 63858)
org/DS (alg 8, id 26974)

Non_existent (1)

org/DNSKEY (alg 7, id 22064)

Delegation status

Insecure (1)

org to letsencrypt.org

Secure (1)

. to org

Notices

Errors (3)

NSEC3 proving non-existence of letsencrypt.org/DS: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.
NSEC3 proving non-existence of letsencrypt.org/DS: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.
letsencrypt.org/DS has errors; select the "Denial of existence" DNSSEC option to see them.

Warnings (10)

NSEC3 proving non-existence of letsencrypt.org/DS: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1.
NSEC3 proving non-existence of letsencrypt.org/DS: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1.
RRSIG NSEC3 proving non-existence of letsencrypt.org/DS alg 7, id 22064: DNSSEC implementers are recommended against implementing signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1). See RFC 8624, Sec. 3.1.
RRSIG NSEC3 proving non-existence of letsencrypt.org/DS alg 7, id 22064: DNSSEC implementers are recommended against implementing signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1). See RFC 8624, Sec. 3.1.
RRSIG NSEC3 proving non-existence of letsencrypt.org/DS alg 7, id 22064: DNSSEC implementers are recommended against implementing signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1). See RFC 8624, Sec. 3.1.
RRSIG NSEC3 proving non-existence of letsencrypt.org/DS alg 7, id 22064: DNSSEC implementers are recommended against implementing signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1). See RFC 8624, Sec. 3.1.
RRSIG org/SOA alg 7, id 22064: DNSSEC implementers are recommended against implementing signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1). See RFC 8624, Sec. 3.1.
RRSIG org/SOA alg 7, id 22064: DNSSEC implementers are recommended against implementing signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1). See RFC 8624, Sec. 3.1.
RRSIG org/SOA alg 7, id 22064: DNSSEC implementers are recommended against implementing signing with DNSSEC algorithm 7 (RSASHA1NSEC3SHA1). See RFC 8624, Sec. 3.1.
letsencrypt.org/DS has warnings; select the "Denial of existence" DNSSEC option to see them.

DNSKEY legend

Full legend

	SEP bit set
	Revoke bit set
	Trust anchor

letsencrypt.org

RRset status

Insecure (6)

Secure (3)

DNSKEY/DS/NSEC status

Secure (7)

Non_existent (1)

Delegation status

Insecure (1)

Secure (1)

Notices

Errors (3)

Warnings (10)

DNSKEY legend

See also