View on GitHub

DNSViz: A DNS visualization tool

www.usembassy.gov

« Previous analysis | Next analysis »
DNSSEC options (hide)
  1. |?|
  2. |?|
  3. |?|
  4. |?|
  5. |?|
  6. |?|
  7. |?|
  8. |?|
  9. |?|
  10. |?|
Notices
DNSSEC Authentication Chain

RRset statusRRset status

Bogus (1)
  • www.usembassy.gov/CNAME
Insecure (9)
  • akamaiedge.net/SOA
  • e11540.dscb.akamaiedge.net.0.1.cn.akamaiedge.net/A
  • e11540.dscb.akamaiedge.net.0.1.cn.akamaiedge.net/AAAA
  • e11540.dscb.akamaiedge.net.0.1.cn.akamaiedge.net/AAAA
  • e11540.dscb.akamaiedge.net/A
  • e11540.dscb.akamaiedge.net/AAAA
  • e11540.dscb.akamaiedge.net/AAAA
  • e11540.dscb.akamaiedge.net/CNAME
  • wildcard.usembassy.gov.edgekey.net/CNAME
Secure (3)
  • net/SOA
  • net/SOA
  • net/SOA

DNSKEY/DS/NSEC statusDNSKEY/DS/NSEC status

Secure (16)
  • ./DNSKEY (alg 8, id 20326)
  • ./DNSKEY (alg 8, id 26116)
  • NSEC3 proving non-existence of akamaiedge.net/DS
  • NSEC3 proving non-existence of edgekey.net/DS
  • gov/DNSKEY (alg 8, id 15489)
  • gov/DNSKEY (alg 8, id 7698)
  • gov/DS (alg 8, id 7698)
  • gov/DS (alg 8, id 7698)
  • net/DNSKEY (alg 8, id 15314)
  • net/DNSKEY (alg 8, id 35886)
  • net/DS (alg 8, id 35886)
  • usembassy.gov/DNSKEY (alg 8, id 11080)
  • usembassy.gov/DNSKEY (alg 8, id 1129)
  • usembassy.gov/DNSKEY (alg 8, id 21715)
  • usembassy.gov/DS (alg 8, id 11080)
  • usembassy.gov/DS (alg 8, id 11080)

Delegation statusDelegation status

Insecure (4)
  • akamaiedge.net to cn.akamaiedge.net
  • akamaiedge.net to dscb.akamaiedge.net
  • net to akamaiedge.net
  • net to edgekey.net
Secure (3)
  • . to gov
  • . to net
  • gov to usembassy.gov

NoticesNotices

Errors (3)
  • RRSIG www.usembassy.gov/CNAME alg 8, id 21715: The cryptographic signature of the RRSIG RR does not properly validate. See RFC 4035, Sec. 5.3.3.
  • RRSIG www.usembassy.gov/CNAME alg 8, id 21715: The cryptographic signature of the RRSIG RR does not properly validate. See RFC 4035, Sec. 5.3.3.
  • usembassy.gov/CNAME has errors; select the "Denial of existence" DNSSEC option to see them.
Warnings (27)
  • akamaiedge.net to cn.akamaiedge.net: The glue address(es) for n1cn.akamaiedge.net (2600:1403:9:f000:ce44::, 2600:1403:9:f000:ce46:dc72:9ccd:dcf8) differed from its authoritative address(es) (2600:1403:9:f000:ce46:dc72:9ccd:dcf8). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to cn.akamaiedge.net: The glue address(es) for n2cn.akamaiedge.net (23.200.73.219, 23.200.73.222) differed from its authoritative address(es) (23.200.73.219). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to cn.akamaiedge.net: The glue address(es) for n3cn.akamaiedge.net (23.200.73.217, 23.200.73.223) differed from its authoritative address(es) (23.200.73.223). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to cn.akamaiedge.net: The glue address(es) for n4cn.akamaiedge.net (23.200.73.216, 23.200.73.218) differed from its authoritative address(es) (23.200.73.216). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to cn.akamaiedge.net: The glue address(es) for n5cn.akamaiedge.net (23.200.73.216, 23.200.73.221) differed from its authoritative address(es) (23.200.73.221). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to cn.akamaiedge.net: The glue address(es) for n6cn.akamaiedge.net (23.200.73.220, 23.200.73.223) differed from its authoritative address(es) (23.200.73.220). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to dscb.akamaiedge.net: The glue address(es) for n1dscb.akamaiedge.net (23.61.195.168, 23.61.195.184) differed from its authoritative address(es) (23.61.195.184). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to dscb.akamaiedge.net: The glue address(es) for n2dscb.akamaiedge.net (23.61.195.181, 23.61.195.185) differed from its authoritative address(es) (23.61.195.181). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to dscb.akamaiedge.net: The glue address(es) for n3dscb.akamaiedge.net (23.61.195.164, 23.61.195.184) differed from its authoritative address(es) (23.61.195.164). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to dscb.akamaiedge.net: The glue address(es) for n4dscb.akamaiedge.net (23.61.195.167, 63.141.195.111) differed from its authoritative address(es) (23.61.195.167). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to dscb.akamaiedge.net: The glue address(es) for n6dscb.akamaiedge.net (23.61.195.165, 23.61.195.185) differed from its authoritative address(es) (23.61.195.185). See RFC 1034, Sec. 4.2.2.
  • akamaiedge.net to dscb.akamaiedge.net: The glue address(es) for n7dscb.akamaiedge.net (23.61.195.166, 63.141.195.103) differed from its authoritative address(es) (63.141.195.103). See RFC 1034, Sec. 4.2.2.
  • e11540.dscb.akamaiedge.net/CNAME: The server returned CNAME for e11540.dscb.akamaiedge.net, but records of other types exist at that name. See RFC 2181, Sec. 10.1.
  • gov/DS (alg 8, id 7698): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
  • gov/DS (alg 8, id 7698): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
  • gov/DS (alg 8, id 7698): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
  • gov/DS (alg 8, id 7698): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
  • net to akamaiedge.net: Authoritative AAAA records exist for a11-192.akamaiedge.net, but there are no corresponding AAAA glue records. See RFC 1034, Sec. 4.2.2.
  • net to edgekey.net: Authoritative AAAA records exist for a13-65.akam.net, but there are no corresponding AAAA glue records. See RFC 1034, Sec. 4.2.2.
  • net to edgekey.net: Authoritative AAAA records exist for a5-65.akam.net, but there are no corresponding AAAA glue records. See RFC 1034, Sec. 4.2.2.
  • net to edgekey.net: The following NS name(s) were found in the authoritative NS RRset, but not in the delegation NS RRset (i.e., in the net zone): a11-65.akam.net, ns1-2.akam.net, a9-65.akam.net, a3-65.akam.net See RFC 1034, Sec. 4.2.2.
  • net to edgekey.net: The following NS name(s) were found in the delegation NS RRset (i.e., in the net zone), but not in the authoritative NS RRset: ns1-66.akam.net, ns4-66.akam.net, ns5-66.akam.net, ns7-65.akam.net See RFC 1034, Sec. 4.2.2.
  • usembassy.gov/DS (alg 8, id 11080): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
  • usembassy.gov/DS (alg 8, id 11080): DNSSEC implementers are prohibited from implementing signing with DS algorithm 1 (SHA-1). See RFC 8624, Sec. 3.2.
  • usembassy.gov/DS (alg 8, id 11080): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
  • usembassy.gov/DS (alg 8, id 11080): DS records with digest type 1 (SHA-1) are ignored when DS records with digest type 2 (SHA-256) exist in the same RRset. See RFC 4509, Sec. 3.
  • usembassy.gov/CNAME has warnings; select the "Denial of existence" DNSSEC option to see them.

DNSKEY legend

Full legend
SEP bit setSEP bit set
Revoke bit setRevoke bit set
Trust anchorTrust anchor
Download: png | svg
Warning JavaScript is required to make the graph below interactive.
DNSSEC authentication graph