www.catch-22.co.nz

Updated: 2021-03-07 08:35:36 UTC (1403 days ago) Update now

DNSSEC options (hide)

|?| RR types:
|?| DNSSEC algorithms:
|?| DS digest algorithms:
|?| Denial of existence:
|?| Redundant edges:
|?| Ignore RFC 8624:
|?| Ignore RFC 9276:
|?| Multi-signer:
|?| Trust anchors:
- Root zone KSK
|?| Additional trusted keys:

Notices

DNSSEC Authentication Chain

RRset status

Secure (1)

co.nz/SOA

DNSKEY/DS/NSEC status

Secure (19)

./DNSKEY (alg 8, id 20326)
./DNSKEY (alg 8, id 42351)
NSEC3 proving non-existence of catch-22.co.nz/DS
co.nz/DNSKEY (alg 8, id 12085)
co.nz/DNSKEY (alg 8, id 14701)
co.nz/DNSKEY (alg 8, id 17230)
co.nz/DNSKEY (alg 8, id 42666)
co.nz/DS (alg 8, id 14701)
co.nz/DS (alg 8, id 14701)
co.nz/DS (alg 8, id 17230)
co.nz/DS (alg 8, id 17230)
nz/DNSKEY (alg 8, id 1324)
nz/DNSKEY (alg 8, id 17580)
nz/DNSKEY (alg 8, id 25234)
nz/DNSKEY (alg 8, id 60744)
nz/DS (alg 8, id 1324)
nz/DS (alg 8, id 1324)
nz/DS (alg 8, id 25234)
nz/DS (alg 8, id 25234)

Delegation status

Lame (1)

co.nz to catch-22.co.nz

Secure (2)

. to nz
nz to co.nz

Notices

Errors (7)

NSEC3 proving non-existence of catch-22.co.nz/DS: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.
NSEC3 proving non-existence of catch-22.co.nz/DS: An iterations count of 0 must be used in NSEC3 records to alleviate computational burdens. See RFC 9276, Sec. 3.1.
catch-22.co.nz zone: The server(s) responded over UDP with a malformed response or with an invalid RCODE. See RFC 1035, Sec. 4.1.1. (45.113.8.216, 50.116.13.108, 103.250.232.100, 172.104.48.23)
catch-22.co.nz/DNSKEY: The response had an invalid RCODE (SERVFAIL). See RFC 1035, Sec. 4.1.1. (45.113.8.216, 50.116.13.108, 103.250.232.100, 172.104.48.23, UDP_-_EDNS0_512_D_KN, UDP_-_NOEDNS_)
www.catch-22.co.nz/A: The response had an invalid RCODE (SERVFAIL). See RFC 1035, Sec. 4.1.1. (45.113.8.216, 50.116.13.108, 103.250.232.100, 172.104.48.23, UDP_-_NOEDNS_)
www.catch-22.co.nz/AAAA: The response had an invalid RCODE (SERVFAIL). See RFC 1035, Sec. 4.1.1. (45.113.8.216, 50.116.13.108, 103.250.232.100, 172.104.48.23, UDP_-_NOEDNS_)
catch-22.co.nz/CNAME has errors; select the "Denial of existence" DNSSEC option to see them.

Warnings (18)

NSEC3 proving non-existence of catch-22.co.nz/DS: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1.
NSEC3 proving non-existence of catch-22.co.nz/DS: The salt value for an NSEC3 record should be empty. See RFC 9276, Sec. 3.1.
co.nz/DS (alg 8, id 14701): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
co.nz/DS (alg 8, id 14701): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
co.nz/DS (alg 8, id 14701): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
co.nz/DS (alg 8, id 14701): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
co.nz/DS (alg 8, id 17230): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
co.nz/DS (alg 8, id 17230): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
co.nz/DS (alg 8, id 17230): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
co.nz/DS (alg 8, id 17230): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
nz/DS (alg 8, id 1324): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
nz/DS (alg 8, id 1324): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
nz/DS (alg 8, id 1324): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
nz/DS (alg 8, id 1324): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
nz/DS (alg 8, id 25234): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
nz/DS (alg 8, id 25234): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
nz/DS (alg 8, id 25234): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
nz/DS (alg 8, id 25234): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.