Skip to main content
Registry Zone Health Intelligenceagentquery is a shared registry suffix.
This report focuses on zone infrastructure health: DNSSEC signing, nameserver diversity, certificate authority policy, and delegation security. Email authentication protocols (SPF, DMARC, DKIM) are not applicable to registry suffixes — they apply to domains registered under this zone.
Registry operators, ICANN, and ccTLD authorities can use this view to assess zone security posture.
DNS Tool
Registry Zone Health Report
Generated 1 Apr 2026, 03:31 UTC
Version v26.40.29
Integrity c5497cba9fb366064ec1c3304b06aa2bbbd7f36cfe58198d5396bfb7a15d6383c94acf3ece4ce8ed158a947684f4143338bdb2884b5e3cd27d55b016f6b6a0a2
Subject Domain
agentquery

Registry Zone Health Report

agentquery
1 Apr 2026, 03:31 UTC ·v26.40.29 · SHA-3-512: c549✱✱✱✱ Verify ·Cross-Referenced
Executive Topology
Recon Mode Snapshot Re-analyze New Domain
Footprint N/A

Non-existent / Undelegated Domain

Domain is not delegated or has no DNS records. This may be an unused subdomain or unregistered domain.

What This Means

  • No authoritative DNS data is available for this domain
  • Security posture cannot be evaluated without DNS records
  • The domain may never have been registered, or has expired
  • If this is your domain, check your registrar to confirm it's active
Try Another Domain
Intelligence Sources

This analysis used 4 DNS resolvers (consensus), reverse DNS (PTR), Team Cymru (ASN attribution), IANA RDAP (registrar), crt.sh (CT logs), and SMTP probing (transport). All using open-standard protocols.

Full List
Verify Report Integrity SHA-3-512 Has this report been altered since generation? Verify below

This cryptographic hash seals the analysis data, domain, timestamp, and tool version into a tamper-evident fingerprint. Any modification to the report data will produce a different hash. This is distinct from the posture hash (used for drift detection) — the integrity hash uniquely identifies this specific report instance.

c5497cba9fb366064ec1c3304b06aa2bbbd7f36cfe58198d5396bfb7a15d6383c94acf3ece4ce8ed158a947684f4143338bdb2884b5e3cd27d55b016f6b6a0a2
Evaluations reference 12 RFCs. Methods are reproducible using the verification commands provided. Results reflect DNS state at 1 Apr 2026, 03:31 UTC.
Download Raw Intelligence Download Checksum (.sha3) Cross-Reference Verification

Download the intelligence dump and verify its integrity, like you would a Kali ISO or any critical artifact. The SHA-3-512 checksum covers every byte of the download — deterministic serialization ensures identical hashes across downloads.

After downloading, verify with any of these commands:

Tip: cd ~/Downloads first (or wherever you saved the files).

OpenSSL + Sidecar (macOS, Linux, WSL) 
cat dns-intelligence-agentquery.json.sha3 && echo '---' && openssl dgst -sha3-512 dns-intelligence-agentquery.json
Python 3 (cross-platform) 
python3 -c "import hashlib; print(hashlib.sha3_512(open('dns-intelligence-agentquery.json','rb').read()).hexdigest())"
sha3sum (coreutils 9+) 
sha3sum -a 512 dns-intelligence-agentquery.json
Compare the output against the .sha3 file or the checksum API at /api/analysis/10450/checksum. Hash algorithm: SHA-3-512 (Keccak, NIST FIPS 202).

Every finding in this report is backed by DNS queries you can run yourself. These vetted one-liners reproduce the exact checks used to build this report for agentquery. Our analysis adds multi-resolver consensus, RFC-based evaluation, and cross-referencing — but the underlying data is always independently verifiable. We are intelligence analysts, not gatekeepers.

DNS Records

Query A records (IPv4) RFC 1035 
dig +noall +answer agentquery A
Query AAAA records (IPv6) RFC 1035 
dig +noall +answer agentquery AAAA
Query MX records (mail servers) RFC 1035 
dig +noall +answer agentquery MX
Query NS records (nameservers) RFC 1035 
dig +noall +answer agentquery NS
Query TXT records RFC 1035 
dig +noall +answer agentquery TXT

Domain Security

Check DNSSEC DNSKEY records RFC 4035 
dig +dnssec +noall +answer agentquery DNSKEY
Check DNSSEC DS records RFC 4035 
dig +noall +answer agentquery DS
Validate DNSSEC chain (requires DNSSEC-validating resolver) RFC 4035 
dig +dnssec +cd agentquery A @1.1.1.1

Brand & Trust

Check CAA records (certificate authority authorization) RFC 8659 
dig +noall +answer agentquery CAA

DNS Records

Check HTTPS/SVCB records RFC 9460 
dig +noall +answer agentquery HTTPS

Domain Security

Check CDS/CDNSKEY automation records RFC 7344 
dig +noall +answer agentquery CDS

Infrastructure Intelligence

RDAP domain registration lookup RFC 9083 
curl -sL 'https://rdap.org/domain/agentquery' | python3 -m json.tool | head -50
Commands use dig, openssl, and curl — standard tools available on macOS, Linux, and WSL. Results may vary slightly due to DNS propagation timing and resolver caching.
Intelligence Confidence Audit Engine Consistent · 9/9 Evaluated
How confident are these results? Each protocol is independently verified against RFC standards. No self-awarded badges.
SPF
Consistent 15108 runs
DKIM
Consistent 14885 runs
DMARC
Consistent 15089 runs
DANE/TLSA
Consistent 14867 runs
DNSSEC
Consistent 15066 runs
BIMI
Consistent 14882 runs
MTA-STS
Consistent 14903 runs
TLS-RPT
Consistent 14918 runs
CAA
Consistent 14915 runs
Maturity: Development Verified Consistent Gold Gold Master

Appendix: Verification Commands

The core DNS queries behind this report can be independently verified using these standard terminal commands (dig, openssl, curl). DNS Tool adds multi-resolver consensus, RFC-based evaluation, and cross-referencing on top of the raw data shown here.

DNS Records

Query A records (IPv4) (RFC 1035) 
dig +noall +answer agentquery A
Query AAAA records (IPv6) (RFC 1035) 
dig +noall +answer agentquery AAAA
Query MX records (mail servers) (RFC 1035) 
dig +noall +answer agentquery MX
Query NS records (nameservers) (RFC 1035) 
dig +noall +answer agentquery NS
Query TXT records (RFC 1035) 
dig +noall +answer agentquery TXT

Domain Security

Check DNSSEC DNSKEY records (RFC 4035) 
dig +dnssec +noall +answer agentquery DNSKEY
Check DNSSEC DS records (RFC 4035) 
dig +noall +answer agentquery DS
Validate DNSSEC chain (requires DNSSEC-validating resolver) (RFC 4035) 
dig +dnssec +cd agentquery A @1.1.1.1

Brand & Trust

Check CAA records (certificate authority authorization) (RFC 8659) 
dig +noall +answer agentquery CAA

DNS Records

Check HTTPS/SVCB records (RFC 9460) 
dig +noall +answer agentquery HTTPS

Domain Security

Check CDS/CDNSKEY automation records (RFC 7344) 
dig +noall +answer agentquery CDS

Infrastructure Intelligence

RDAP domain registration lookup (RFC 9083) 
curl -sL 'https://rdap.org/domain/agentquery' | python3 -m json.tool | head -50

0s

Running Real-Time Scan Telemetry

Most scans complete in less than one minute. Some may take longer.

Markers represent known resolver locations. Anycast routing selects the nearest node — exact routing is internal to each provider.

Pipeline nodes reflect live data as each analysis phase completes.

Telemetry Log 0 polls