Skip to main content
Registry Zone Health Intelligenceagentquery is a shared registry suffix.
This report focuses on zone infrastructure health: DNSSEC signing, nameserver diversity, certificate authority policy, and delegation security. Email authentication protocols (SPF, DMARC, DKIM) are not applicable to registry suffixes — they apply to domains registered under this zone.
Registry operators, ICANN, and ccTLD authorities can use this view to assess zone security posture.
DNS Tool
Registry Zone Health Report
Generated 17 May 2026, 20:45 UTC
Version v26.48.10
Integrity 586a922ef8103af4e74539e24d7f0579cd068f8af22b55d90a31f55fc02b14fd0fecc6ec09bbac5d086279c039302f400efc547044af0984ff1703aa18af333a
Subject Domain
agentquery

Registry Zone Health Report

agentquery
17 May 2026, 20:45 UTC ·v26.48.10 · SHA-3-512: 586a✱✱✱✱ Verify ·Cross-Referenced
Executive Topology
Recon Mode Snapshot Re-analyze New Domain

Non-existent / Undelegated Domain

Domain is not delegated or has no DNS records. This may be an unused subdomain or unregistered domain.

What This Means

  • No authoritative DNS data is available for this domain
  • Security posture cannot be evaluated without DNS records
  • The domain may never have been registered, or has expired
  • If this is your domain, check your registrar to confirm it's active
Try Another Domain
Intelligence Sources

This analysis used 4 DNS resolvers (consensus), reverse DNS (PTR), Team Cymru (ASN attribution), IANA RDAP (registrar), crt.sh (CT logs), and SMTP probing (transport). All using open-standard protocols.

Full List
Verify Report Integrity SHA-3-512 Has this report been altered since generation? Verify below

This cryptographic hash seals the analysis data, domain, timestamp, and tool version into a tamper-evident fingerprint. Any modification to the report data will produce a different hash. This is distinct from the posture hash (used for drift detection) — the integrity hash uniquely identifies this specific report instance.

586a922ef8103af4e74539e24d7f0579cd068f8af22b55d90a31f55fc02b14fd0fecc6ec09bbac5d086279c039302f400efc547044af0984ff1703aa18af333a
Evaluations reference 12 RFCs. Methods are reproducible using the verification commands provided. Results reflect DNS state at 17 May 2026, 20:45 UTC.
Download Raw Intelligence Download Checksum (.sha3) Cross-Reference Verification

Download the intelligence dump and verify its integrity, like you would a Kali ISO or any critical artifact. The SHA-3-512 checksum covers every byte of the download — deterministic serialization ensures identical hashes across downloads.

After downloading, verify with any of these commands:

Tip: cd ~/Downloads first (or wherever you saved the files).

OpenSSL + Sidecar (macOS, Linux, WSL) 
cat dns-intelligence-agentquery.json.sha3 && echo '---' && openssl dgst -sha3-512 dns-intelligence-agentquery.json
Python 3 (cross-platform) 
python3 -c "import hashlib; print(hashlib.sha3_512(open('dns-intelligence-agentquery.json','rb').read()).hexdigest())"
sha3sum (coreutils 9+) 
sha3sum -a 512 dns-intelligence-agentquery.json
Compare the output against the .sha3 file or the checksum API at /api/analysis/17823/checksum. Hash algorithm: SHA-3-512 (Keccak, NIST FIPS 202).

Every finding in this report is backed by DNS queries you can run yourself. These vetted one-liners reproduce the exact checks used to build this report for agentquery. Our analysis adds multi-resolver consensus, RFC-based evaluation, and cross-referencing — but the underlying data is always independently verifiable. We are intelligence analysts, not gatekeepers.

DNS Records

Query A records (IPv4) RFC 1035 
dig +noall +answer agentquery A
Query AAAA records (IPv6) RFC 1035 
dig +noall +answer agentquery AAAA
Query MX records (mail servers) RFC 1035 
dig +noall +answer agentquery MX
Query NS records (nameservers) RFC 1035 
dig +noall +answer agentquery NS
Query TXT records RFC 1035 
dig +noall +answer agentquery TXT

Domain Security

Check DNSSEC DNSKEY records RFC 4035 
dig +dnssec +noall +answer agentquery DNSKEY
Check DNSSEC DS records RFC 4035 
dig +noall +answer agentquery DS
Validate DNSSEC chain (requires DNSSEC-validating resolver) RFC 4035 
dig +dnssec +cd agentquery A @1.1.1.1

Brand & Trust

Check CAA records (certificate authority authorization) RFC 8659 
dig +noall +answer agentquery CAA

DNS Records

Check HTTPS/SVCB records RFC 9460 
dig +noall +answer agentquery HTTPS

Domain Security

Check CDS/CDNSKEY automation records RFC 7344 
dig +noall +answer agentquery CDS

Infrastructure Intelligence

RDAP domain registration lookup RFC 9083 
curl -sL 'https://rdap.org/domain/agentquery' | python3 -m json.tool | head -50
Commands use dig, openssl, and curl — standard tools available on macOS, Linux, and WSL. Results may vary slightly due to DNS propagation timing and resolver caching.
Intelligence Confidence Audit Engine Gold · 9/9 Evaluated
How confident are these results? Each protocol is independently verified against RFC standards. No self-awarded badges.
SPF
Gold 15236 runs
DKIM
Gold 15013 runs
DMARC
Gold 15217 runs
DANE/TLSA
Gold 14995 runs
DNSSEC
Gold 15194 runs
BIMI
Gold 15010 runs
MTA-STS
Gold 15031 runs
TLS-RPT
Gold 15046 runs
CAA
Gold 15043 runs
Maturity: Development Verified Consistent Gold Gold Master

Appendix: Verification Commands

The core DNS queries behind this report can be independently verified using these standard terminal commands (dig, openssl, curl). DNS Tool adds multi-resolver consensus, RFC-based evaluation, and cross-referencing on top of the raw data shown here.

DNS Records

Query A records (IPv4) (RFC 1035) 
dig +noall +answer agentquery A
Query AAAA records (IPv6) (RFC 1035) 
dig +noall +answer agentquery AAAA
Query MX records (mail servers) (RFC 1035) 
dig +noall +answer agentquery MX
Query NS records (nameservers) (RFC 1035) 
dig +noall +answer agentquery NS
Query TXT records (RFC 1035) 
dig +noall +answer agentquery TXT

Domain Security

Check DNSSEC DNSKEY records (RFC 4035) 
dig +dnssec +noall +answer agentquery DNSKEY
Check DNSSEC DS records (RFC 4035) 
dig +noall +answer agentquery DS
Validate DNSSEC chain (requires DNSSEC-validating resolver) (RFC 4035) 
dig +dnssec +cd agentquery A @1.1.1.1

Brand & Trust

Check CAA records (certificate authority authorization) (RFC 8659) 
dig +noall +answer agentquery CAA

DNS Records

Check HTTPS/SVCB records (RFC 9460) 
dig +noall +answer agentquery HTTPS

Domain Security

Check CDS/CDNSKEY automation records (RFC 7344) 
dig +noall +answer agentquery CDS

Infrastructure Intelligence

RDAP domain registration lookup (RFC 9083) 
curl -sL 'https://rdap.org/domain/agentquery' | python3 -m json.tool | head -50

0s

Running Real-Time Scan Telemetry

Most scans complete in less than one minute. Some may take longer.

Markers represent known resolver locations. Anycast routing selects the nearest node — exact routing is internal to each provider.

Pipeline nodes reflect live data as each analysis phase completes.

Telemetry Log 0 polls