lr
Updated:
2020-11-02 00:14:14 UTC (1480 days ago)
Go to most recent »
Notices
DNSSEC Authentication Chain
RRset status
Bogus (2)
- lr/NS
- lr/SOA
DNSKEY/DS/NSEC status
Bogus (2)
- lr/DNSKEY (alg 8, id 13535)
- lr/DNSKEY (alg 8, id 48981)
Secure (3)
- ./DNSKEY (alg 8, id 20326)
- ./DNSKEY (alg 8, id 26116)
- lr/DS (alg 8, id 29984)
Non_existent (1)
- lr/DNSKEY (alg 8, id 29984)
Delegation status
Bogus (1)
- . to lr
Notices
Errors (2)
- . to lr: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone. See RFC 4035, Sec. 2.2, RFC 6840, Sec. 5.11. (77.72.229.254, 147.28.0.39, 196.216.168.61, 2001:418:1::39, 2001:43f8:120::61, 2a01:3f0:0:306::53, UDP_-_EDNS0_4096_D_K)
- . to lr: The DS RRset for the zone included algorithm 8 (RSASHA256), but no DS RR matched a DNSKEY with algorithm 8 that signs the zone's DNSKEY RRset. See RFC 4035, Sec. 2.2, RFC 6840, Sec. 5.11. (77.72.229.254, 147.28.0.39, 196.216.168.61, 2001:418:1::39, 2001:43f8:120::61, 2a01:3f0:0:306::53, UDP_-_EDNS0_4096_D_K)
Warnings (4)
- lr/DS (alg 8, id 29984): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
- lr/DS (alg 8, id 29984): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
- lr/DS (alg 8, id 29984): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
- lr/DS (alg 8, id 29984): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
JavaScript is required to make the graph below interactive.
