View on GitHub

DNSViz: A DNS visualization tool

nic.hsbc

« Previous analysis | Next analysis »
DNSSEC options (hide)
  1. |?|
  2. |?|
  3. |?|
  4. |?|
  5. |?|
  6. |?|
  7. |?|
Notices
DNSSEC Authentication Chain

RRset statusRRset status

Bogus (4)
  • nic.hsbc/A
  • nic.hsbc/NS
  • nic.hsbc/NSEC3PARAM
  • nic.hsbc/SOA

DNSKEY/DS/NSEC statusDNSKEY/DS/NSEC status

Bogus (3)
  • NSEC3 proving non-existence of nic.hsbc/DS
  • nic.hsbc/DNSKEY (alg 8, id 47620)
  • nic.hsbc/DNSKEY (alg 8, id 6633)
Secure (4)
  • ./DNSKEY (alg 8, id 14748)
  • ./DNSKEY (alg 8, id 20326)
  • ./DNSKEY (alg 8, id 26838)
  • hsbc/DS (alg 8, id 862)
Non_existent (1)
  • hsbc/DNSKEY (alg 8, id 862)

Delegation statusDelegation status

Bogus (2)
  • . to hsbc
  • hsbc to nic.hsbc

NoticesNotices

Errors (7)
  • . to hsbc: No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.
  • NSEC3 proving non-existence of nic.hsbc/DS: The SOA bit was set in the bitmap of the NSEC3 RR corresponding to the delegated name (nic.hsbc).
  • NSEC3 proving non-existence of nic.hsbc/DS: The SOA bit was set in the bitmap of the NSEC3 RR corresponding to the delegated name (nic.hsbc).
  • RRSIG NSEC3 proving non-existence of nic.hsbc/DS alg 8, id 6633: The Signer's Name field of the RRSIG RR (nic.hsbc) does not match the name of the zone containing the RRset (hsbc).
  • hsbc to nic.hsbc: An SOA RR with owner name (nic.hsbc) not matching the zone name (hsbc) was returned with the NODATA response. (156.154.144.76, 156.154.145.76, 156.154.156.76, 156.154.157.76, 156.154.158.76, 156.154.159.76, 2610:a1:1071::4c, 2610:a1:1072::4c, 2610:a1:1073::4c, 2610:a1:1074::4c, 2610:a1:1075::4c, 2610:a1:1076::4c, UDP_-_EDNS0_4096_D_KN)
  • hsbc zone: The server(s) responded over UDP with a malformed response or with an invalid RCODE. (156.154.144.76, 156.154.145.76, 156.154.156.76, 156.154.157.76, 156.154.158.76, 156.154.159.76, 2610:a1:1071::4c, 2610:a1:1072::4c, 2610:a1:1073::4c, 2610:a1:1074::4c, 2610:a1:1075::4c, 2610:a1:1076::4c)
  • hsbc/DNSKEY: The response had an invalid RCODE (SERVFAIL). (156.154.144.76, 156.154.145.76, 156.154.156.76, 156.154.157.76, 156.154.158.76, 156.154.159.76, 2610:a1:1071::4c, 2610:a1:1072::4c, 2610:a1:1073::4c, 2610:a1:1074::4c, 2610:a1:1075::4c, 2610:a1:1076::4c, UDP_-_EDNS0_512_D_KN, UDP_-_NOEDNS_)
Warnings (7)
  • hsbc/DS (alg 8, id 862): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).
  • hsbc/DS (alg 8, id 862): DNSSEC specification prohibits signing with DS records that use digest algorithm 1 (SHA-1).
  • hsbc/DS (alg 8, id 862): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
  • hsbc/DS (alg 8, id 862): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset.
  • hsbc/DS (alg 8, id 862): The server appears to support DNS cookies but did not return a COOKIE option. (193.0.14.129, UDP_-_EDNS0_4096_D_KN)
  • hsbc/DS (alg 8, id 862): The server appears to support DNS cookies but did not return a COOKIE option. (193.0.14.129, UDP_-_EDNS0_4096_D_KN)
  • nic.hsbc/NS: No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size. (2610:a1:1072::4c, 2610:a1:1076::4c, UDP_-_EDNS0_4096_D_KN)

DNSKEY legend

Full legend
SEP bit setSEP bit set
Revoke bit setRevoke bit set
Trust anchorTrust anchor
Download: png | svg
Warning JavaScript is required to make the graph below interactive.
DNSSEC authentication graph