# loading rule file # /usr/local/share/dnssec-tools/donuts/rules/check_nameservers.txt # Rules Run: # DNS_SERVERS_MATCH_DATA # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/dns.errors.txt # Rules Run: # DNS_NS_NO_CNAME DNS_SOA_REQUIRED DNS_SERVERS_MATCH_DATA # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/dnssec.rules.txt # Rules Run: # DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE # DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_MISSING_NSEC_RECORD1 # DNSSEC_OPENSSL_KEY_ISSUES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE # DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_NSEC_FOR_NS_GLUE_RECORD # DNS_SOA_REQUIRED DNS_SERVERS_MATCH_DATA DNSSEC_MISSING_NSEC_RECORD2 # DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY # DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP # DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_TWO_ZSKS DNS_NS_NO_CNAME # DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL # DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_NOT_SIGNING_RRSIG # DNSSEC_NSEC3_TTL # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/nsec_check.rules.txt # Rules Run: # DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE # DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_MISSING_NSEC_RECORD1 # DNSSEC_NSEC_MEMORIZE DNSSEC_OPENSSL_KEY_ISSUES # DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_RRSIG_TTL_MATCH_ORGTTL # DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED # DNS_SERVERS_MATCH_DATA DNSSEC_NSEC3_MEMORIZE DNSSEC_MISSING_NSEC_RECORD2 # DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY # DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP # DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_NSEC3_CHECK DNSSEC_TWO_ZSKS # DNS_NS_NO_CNAME DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL # DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_NOT_SIGNING_RRSIG # DNSSEC_NSEC3_TTL # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/parent_child.rules.txt # Rules Run: # DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE # DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY # DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_NSEC_MEMORIZE # DNSSEC_OPENSSL_KEY_ISSUES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE # DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_RRSIG_TTL_MATCH_ORGTTL # DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED # DNS_SERVERS_MATCH_DATA DNS_MULTIPLE_NS DNSSEC_NSEC3_MEMORIZE # DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD # DNSSEC_RRSIGS_VERIFY DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP # DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_NSEC3_CHECK DNSSEC_TWO_ZSKS # DNS_NS_NO_CNAME DNSSEC_SUB_NOT_SECURE DNSSEC_RRSIG_FOR_NS_GLUE_RECORD # DNSSEC_NSEC_TTL DNSSEC_MISSING_RRSIG_RECORD2 # DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_NSEC3_TTL # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/recommendations.rules.txt # Rules Run: # DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 # DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE # DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNS_MULTIPLE_NS # DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY # DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP # DNS_NO_DOMAIN_MX_RECORDS DNSSEC_NSEC3_CHECK DNSSEC_SUB_NOT_SECURE # DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_MISSING_RRSIG_RECORD1 # DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY DNSSEC_OPENSSL_KEY_ISSUES # DNSSEC_NSEC_MEMORIZE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS # DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED # DNS_SERVERS_MATCH_DATA DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_NSEC3_MEMORIZE # DNS_REASONABLE_TTLS DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNS_NS_NO_CNAME # DNSSEC_TWO_ZSKS DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL # DNSSEC_NSEC3_TTL DNSSEC_RRSIG_NOT_SIGNING_RRSIG Donuts Analysis: test.dnssec-tools.org Donuts Results: test.dnssec-tools.org Source: db.test.dnssec-tools.org.zs.signed.modified Record Results: # Analyzing individual records in # db.test.dnssec-tools.org.zs.signed.modified Error: test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:42 Message: An DNSKEY was generated with a broken version of OpenSSL. Upgrade to a new version of bind and generate a new key. See this web page for details: http://marc.info/?l=bind-announce&m=116253119512445 Details: Tests to make sure that the vulnerability found in OpenSSL does not affect current keys within a zone. Error: test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:49 Message: An DNSKEY was generated with a broken version of OpenSSL. Upgrade to a new version of bind and generate a new key. See this web page for details: http://marc.info/?l=bind-announce&m=116253119512445 Details: Tests to make sure that the vulnerability found in OpenSSL does not affect current keys within a zone. Error: test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:56 Message: An DNSKEY was generated with a broken version of OpenSSL. Upgrade to a new version of bind and generate a new key. See this web page for details: http://marc.info/?l=bind-announce&m=116253119512445 Details: Tests to make sure that the vulnerability found in OpenSSL does not affect current keys within a zone. Error: test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:78 Message: An DNSKEY was generated with a broken version of OpenSSL. Upgrade to a new version of bind and generate a new key. See this web page for details: http://marc.info/?l=bind-announce&m=116253119512445 Details: Tests to make sure that the vulnerability found in OpenSSL does not affect current keys within a zone. Error: pastdate-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2030 Message: RRSIG record for pastdate-a.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2045 Message: RRSIG record for pastdate-aaaa.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-baddata-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2060 Message: RRSIG record for pastdate-cname-to-baddata-a.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-baddata-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2075 Message: RRSIG record for pastdate-cname-to-baddata-aaaa.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-badsign-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2090 Message: RRSIG record for pastdate-cname-to-badsign-a.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-badsign-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2105 Message: RRSIG record for pastdate-cname-to-badsign-aaaa.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-futuredate-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2120 Message: RRSIG record for pastdate-cname-to-futuredate-a.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-futuredate-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2135 Message: RRSIG record for pastdate-cname-to-futuredate-aaaa.test.dnssec-tools.or g has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-good-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2150 Message: RRSIG record for pastdate-cname-to-good-a.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-good-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2165 Message: RRSIG record for pastdate-cname-to-good-aaaa.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-nosig-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2180 Message: RRSIG record for pastdate-cname-to-nosig-a.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2195 Message: RRSIG record for pastdate-cname-to-nosig-aaaa.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-pastdate-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2210 Message: RRSIG record for pastdate-cname-to-pastdate-a.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2225 Message: RRSIG record for pastdate-cname-to-pastdate-aaaa.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-reverseddates-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2240 Message: RRSIG record for pastdate-cname-to-reverseddates-a.test.dnssec-tools.or g has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-cname-to-reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2255 Message: RRSIG record for pastdate-cname-to-reverseddates-aaaa.test.dnssec-tools .org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: pastdate-ds.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2275 Message: RRSIG record for pastdate-ds.test.dnssec-tools.org has expired Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2282 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2298 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-baddata-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2314 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-baddata-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2330 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-badsign-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2346 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-badsign-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2362 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-futuredate-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2378 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-futuredate-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2394 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-good-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2410 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-good-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2426 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-nosig-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2442 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2458 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-pastdate-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2474 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2490 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-reverseddates-a.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2506 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-cname-to-reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2522 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Error: reverseddates-ns.test.dnssec-tools.org Rule Type: Error Location: db.test.dnssec-tools.org.zs.signed.modified:2547 Message: RRSIG is nearing its expiration time Details: Checks signature expiration time and warns or signals an error if the time is near or past. Name Results: # Analyzing records for each name in # db.test.dnssec-tools.org.zs.signed.modified Error: baddata-cname-to-futuredate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-futuredate-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-pastdate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-pastdate-a.test.dnssec-tools.or g type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-a.test.dnssec-tools.org type: A failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-badsign-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-badsign-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-pastdate-aaaa.test.dnssec-tools .org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.rollzsk-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.rollzsk-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.rollzsk-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.rollzsk-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: pastdate-cname-to-pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-pastdate-aaaa.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-cname-to-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-nosig-aaaa.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: addedlater-withsig-aaaa.test.dnssec-tools.org Rule Type: Error Message: name addedlater-withsig-aaaa.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: futuredate-ds.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-ds.test.dnssec-tools.org type: DS failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-cname-to-reverseddates-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-reverseddates-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-aaaa.test.dnssec-tools.org type: AAAA failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.nosig-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.nosig-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.nosig-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.nosig-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: reverseddates-cname-to-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-nosig-aaaa.test.dnssec-tools.or g type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-badsign-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-badsign-aaaa.test.dnssec-tools. org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-a.test.dnssec-tools.org type: A failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-futuredate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-futuredate-aaaa.test.dnssec-tools. org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-futuredate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-futuredate-aaaa.test.dnssec-tools. org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-aaaa.test.dnssec-tools.org type: AAAA failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.good-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.good-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.good-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.good-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: pastdate-cname-to-baddata-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-baddata-aaaa.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-nosig-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-nosig-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-pastdate-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-badsign-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-badsign-aaaa.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-baddata-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-baddata-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.pastdate-ds.test.dnssec-tools.org Rule Type: Error Message: name dns1.pastdate-ds.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.pastdate-ds.test.dnssec-tools.org Rule Type: Error Message: name dns1.pastdate-ds.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: badsign-cname-to-pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-pastdate-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.nsec3-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.nsec3-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.nsec3-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.nsec3-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: baddata-cname-to-badsign-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-badsign-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-baddata-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-baddata-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: dns2.newkeys-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.newkeys-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.newkeys-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.newkeys-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: pastdate-cname-to-badsign-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-badsign-a.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-baddata-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-baddata-a.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-badsign-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-badsign-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-cname-to-futuredate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-futuredate-a.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.badsign-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.badsign-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.badsign-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.badsign-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: insecure-ns.test.dnssec-tools.org Rule Type: Error Message: sub-domain insecure-ns.test.dnssec-tools.org is not securely delegated. It is missing a DS record. Details: Tests for the existence of a DS record in a zone for sub-domains. If not present then the sub-domain is not being securely delegated to. Error: pastdate-cname-to-reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-reverseddates-aaaa.test.dnssec-tools .org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-pastdate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-pastdate-a.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-good-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-good-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.newzsk-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.newzsk-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.newzsk-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.newzsk-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: badsign-cname-to-futuredate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-futuredate-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-cname-to-good-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-good-a.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.reverseddates-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.reverseddates-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.reverseddates-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.reverseddates-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: dns2.nods-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.nods-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.nods-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.nods-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: baddata-cname-to-badsign-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-badsign-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-baddata-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-baddata-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.rsamd5keys-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.rsamd5keys-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.rsamd5keys-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.rsamd5keys-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: badsign-cname-to-baddata-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-baddata-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-ns.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-ns.test.dnssec-tools.org type: DS failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-cname-to-futuredate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-futuredate-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-aaaa.test.dnssec-tools.org type: AAAA failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.pastdate-ds.test.dnssec-tools.org Rule Type: Error Message: name dns2.pastdate-ds.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.pastdate-ds.test.dnssec-tools.org Rule Type: Error Message: name dns2.pastdate-ds.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: nods-ns.test.dnssec-tools.org Rule Type: Error Message: sub-domain nods-ns.test.dnssec-tools.org is not securely delegated. It is missing a DS record. Details: Tests for the existence of a DS record in a zone for sub-domains. If not present then the sub-domain is not being securely delegated to. Error: baddata-cname-to-baddata-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-baddata-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-reverseddates-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-reverseddates-a.test.dnssec-tools. org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-nosig-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.newzsk-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.newzsk-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.newzsk-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.newzsk-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: futuredate-cname-to-reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-reverseddates-aaaa.test.dnssec-too ls.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-cname-to-baddata-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-baddata-a.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-cname-to-good-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-good-aaaa.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.reverseddates-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.reverseddates-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.reverseddates-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.reverseddates-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: pastdate-cname-to-futuredate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-futuredate-aaaa.test.dnssec-tools.or g type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-baddata-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-baddata-aaaa.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.rsamd5keys-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.rsamd5keys-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.rsamd5keys-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.rsamd5keys-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: futuredate-cname-to-good-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-good-aaaa.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-pastdate-aaaa.test.dnssec-tools.or g type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-nosig-aaaa.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.futuredate-ds.test.dnssec-tools.org Rule Type: Error Message: name dns1.futuredate-ds.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.futuredate-ds.test.dnssec-tools.org Rule Type: Error Message: name dns1.futuredate-ds.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: reverseddates-cname-to-nosig-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-nosig-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.futuredate-ds.test.dnssec-tools.org Rule Type: Error Message: name dns2.futuredate-ds.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.futuredate-ds.test.dnssec-tools.org Rule Type: Error Message: name dns2.futuredate-ds.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: badsign-cname-to-badsign-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-badsign-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-futuredate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-futuredate-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-good-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-good-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-nosig-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-nosig-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-futuredate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-futuredate-aaaa.test.dnssec-too ls.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-pastdate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-pastdate-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-good-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-good-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-reverseddates-aaaa.test.dnssec-too ls.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-reverseddates-aaaa.test.dnssec-tools. org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-cname-to-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-nosig-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-reverseddates-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-reverseddates-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-aaaa.test.dnssec-tools.org type: AAAA failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-ns.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-ns.test.dnssec-tools.org type: DS failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.nosig-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.nosig-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.nosig-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.nosig-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: cnametodne-cname-to-pastdate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-pastdate-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-futuredate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-futuredate-a.test.dnssec-tools. org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-badsign-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-badsign-a.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-cname-to-badsign-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-badsign-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-a.test.dnssec-tools.org type: A failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-good-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-good-a.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-cname-to-baddata-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-baddata-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-nosig-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-nosig-a.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-baddata-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-baddata-aaaa.test.dnssec-tools. org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-good-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-good-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-cname-to-pastdate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-pastdate-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-nosig-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: addedlater-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Message: name addedlater-nosig-aaaa.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: addedlater-nosig-aaaa.test.dnssec-tools.org Rule Type: Error Message: name addedlater-nosig-aaaa.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: pastdate-cname-to-nosig-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-nosig-a.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-reverseddates-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-reverseddates-a.test.dnssec-tools. org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: reverseddates-cname-to-reverseddates-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-reverseddates-a.test.dnssec-too ls.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.rollzsk-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.rollzsk-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.rollzsk-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.rollzsk-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: cnametodne-cname-to-pastdate-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-pastdate-aaaa.test.dnssec-tools.or g type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.badsign-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.badsign-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.badsign-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.badsign-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: badsign-cname-to-good-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-good-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-a.test.dnssec-tools.org type: A failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-reverseddates-aaaa.test.dnssec- tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.good-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.good-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.good-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.good-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-aaaa.test.dnssec-tools.org type: AAAA failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: reverseddates-cname-to-good-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: reverseddates-cname-to-good-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: nsectest.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: nsectest.test.dnssec-tools.org type: NSEC failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-cname-to-pastdate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-pastdate-a.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.newkeys-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.newkeys-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.newkeys-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.newkeys-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: badsign-cname-to-reverseddates-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-reverseddates-aaaa.test.dnssec-tools. org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-cname-to-badsign-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-badsign-aaaa.test.dnssec-tools.org type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: futuredate-cname-to-futuredate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: futuredate-cname-to-futuredate-a.test.dnssec-tools.org type: CNAME failed to verify: Signature may only be used in the future; after 20141108060119 Details: RRSIGs must cryptographically verify the records they are signing. Error: baddata-cname-to-baddata-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: baddata-cname-to-baddata-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-ds.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-ds.test.dnssec-tools.org type: DS failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns1.nods-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.nods-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.nods-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.nods-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: badsign-cname-to-nosig-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-nosig-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-good-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-good-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: cnametodne-cname-to-futuredate-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-futuredate-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-cname-to-good-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-cname-to-good-a.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: pastdate-cname-to-reverseddates-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: pastdate-cname-to-reverseddates-a.test.dnssec-tools.or g type: CNAME failed to verify: Signature has expired since: 20140909065619 Details: RRSIGs must cryptographically verify the records they are signing. Error: dns2.nsec3-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.nsec3-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.nsec3-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.nsec3-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: addedlater-nosig-a.test.dnssec-tools.org Rule Type: Error Message: name addedlater-nosig-a.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: addedlater-nosig-a.test.dnssec-tools.org Rule Type: Error Message: name addedlater-nosig-a.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: addedlater-withsig-a.test.dnssec-tools.org Rule Type: Error Message: name addedlater-withsig-a.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: cnametodne-cname-to-badsign-aaaa.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: cnametodne-cname-to-badsign-aaaa.test.dnssec-tools.org type: CNAME failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Error: badsign-a.test.dnssec-tools.org Rule Type: Error Message: RRSIG on name: badsign-a.test.dnssec-tools.org type: A failed to verify: RSA Verification failed Details: RRSIGs must cryptographically verify the records they are signing. Donuts Summary: test.dnssec-tools.org Rules Considered: 33 Rules Tested: 21 Records Analyzed: 702 Names Analyzed: 191 Errors Found: 197