Skip to content
https://raiplay.it

Infrastructure

· 17 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.
SCORE
85
GRADE
B
FIX
1
REVIEW
10
PASS
6
INFO
0
Probed from Sao Paulo, Brazil
301 Moved Permanently
Checks
17
6 PASS 10 REVIEW 1 FIX
D
CDN & Delivery
Action
No CDN detected
FIX
No CDN detected
Warning::
No CDN detected
A CDN can significantly improve load times for users around the world by caching content at edge nodes closer to them.
No CDN detected

Consider using a CDN to improve global delivery speed and reduce origin load.

B
DNSSEC
Unsigned (DNSSEC not deployed)
REVIEW
Unsigned (DNSSEC not deployed)
Info::
DNSSEC is not deployed
The zone is not DNSSEC-signed. Users on validating resolvers (Cloudflare 1.1.1.1, Quad9 9.9.9.9, growing default in mobile resolvers) get no protection against DNS spoofing for this domain. Most registrars now offer DNSSEC at a single click; consider enabling it for sites where authenticity matters (banking, healthcare, government).
B
CAA Records
No CAA records (any CA may issue certificates)
REVIEW
No CAA records (any CA may issue certificates)
Info::
No CAA records published
Without CAA records, any publicly-trusted CA can issue certificates for this domain. Adding a CAA record (`yourdomain. IN CAA 0 issue "letsencrypt.org"`) restricts issuance to CAs you authorize. Required by CAB Forum baseline since 2017; the default of 'any CA' is widely supported but is the broader attack surface for issuance fraud.
B
Reverse DNS
0/1 IPs match cert SAN
REVIEW
0/1 IPs match cert SAN
Info::
PTR for 212.162.68.90 does not match any cert SAN: www.milluminodimeno.rai.it
Common when behind a CDN or shared hosting (PTR points at the provider's hostname). Mismatch can also affect mail deliverability if this IP sends email -- many MTAs reject mail when forward+reverse DNS disagree.
C
Multi-Resolver DNS Speed
Action
Mean 153ms across 3 resolvers (spread 228ms)
REVIEW
Mean 153ms across 3 resolvers (spread 228ms)
Info::
Cloudflare: 2ms
Got: 2ms via 1.1.1.1:53
Info::
Google: 227ms
Got: 227ms via 8.8.8.8:53
Info::
Quad9: 230ms
Got: 230ms via 9.9.9.9:53
Info::
High latency spread between resolvers: 228ms (min 2ms / max 230ms)
Wide gap between the fastest and slowest public resolver suggests a geographic anycast issue or an authoritative-server cache problem. Users in different regions will see materially different DNS times.
C
IPv6 Readiness
Action
No IPv6 support
REVIEW
No IPv6 support
Info::
No IPv6 (AAAA) records found
IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.
No IPv6 Support
About 40% of internet users have IPv6. Consider adding AAAA records.

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

Why this matters

No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.

Source: Google IPv6 stats

B
HTTP Probe Timing
Total 1023 ms — DNS, TCP, TLS, TTFB, content transfer breakdown
REVIEW
DNS Lookup DNS Lookup — time to resolve the domain name to an IP address.
413 ms
TCP Connect TCP Connect — time to establish a TCP connection to the server.
201 ms
TLS Handshake TLS Handshake — time to complete the HTTPS encryption handshake.
206 ms
Time to First Byte Time to First Byte — how long the server takes to respond with the first byte of data.
1.02 s
Total Time Total request time from DNS lookup through full response.
1.02 s

Connection waterfall

DNS Lookup 413 ms TCP Connect 201 ms TLS Handshake 206 ms Server Processing 202 ms Content Transfer 0 ms
B
TLS Certificate Expiry & Recommendations
179 days until leaf cert expires — 3 issues to address
REVIEW

Certificate validity

179
days left
0d 30d 60d 90d+

Recommended actions

  • Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
  • Enable DNSSEC on your domain for DNS spoofing protection
  • Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
B
CDN Cache Observability
No CDN cache-status headers in the response
REVIEW
No CDN cache-status headers in the response
Info::
No CDN cache-status headers in the response
Without an X-Cache / CF-Cache-Status / X-Vercel-Cache / Age header, you can't tell from outside whether a request hit the cache or went to origin. Operationally important: enables debugging stale-content reports and verifying cache rules. Most managed CDN platforms emit at least one of these by default; absence often means the platform's diagnostic headers are stripped at an upstream proxy.
B
Operational Status Page
No status page link detected
REVIEW
No status page link detected
Info::
No operational status page link detected
Status pages communicate planned maintenance and incidents to users -- a hallmark of operationally-mature services. Most SaaS teams publish one via Atlassian Statuspage, Instatus, BetterUptime, or a self-hosted Cachet. Smaller sites legitimately don't need one; flagged as Info, not a failure.
B
Health Check Endpoint
No conventional health endpoint found
REVIEW
No conventional health endpoint found
Info::
No conventional health endpoint found
Health endpoints (/health, /healthz, /status, /ping, /api/health) let uptime monitors, load balancers, and orchestration systems (Kubernetes, ECS, Fly.io) verify the service is alive. Marketing sites and small services often skip them legitimately; flagged as Info, not a failure. Probe results: /api/health: 404, /health: 404, /healthz: 404, /ping: 404, /status: 404.
A
DNS Records
1 A records, 213 ms lookup
PASS
1 A records, 213 ms lookup
Info::
Resolves to 1 IPv4 address(es)
Got: 212.162.68.90
Info::
Single A record — no DNS redundancy
Multiple A records provide failover if one server goes down.
Info::
No IPv6 (AAAA) records
Info::
6 nameserver(s) configured
Got: ns.rai.it, ns2.rai.it, dnsso1.interbusiness.it, dnsso2.interbusiness.it, dnsso3.interbusiness.it, dnsso4.interbusiness.it
Info::
12 mail exchanger(s) configured
Info::
SPF record present in TXT
Warning::
DNS resolution is slow (213 ms)
Slow DNS adds latency to every page load. Consider a faster DNS provider.
Got: 213 ms
A212.162.68.90
AAAA
CNAME
NSns.rai.it, ns2.rai.it, dnsso1.interbusiness.it, dnsso2.interbusiness.it, dnsso3.interbusiness.it, dnsso4.interbusiness.it
MX
10 relay11.rai.it
10 relay.rai.it
100 relay30.rai.it
100 relay20.rai.it
100 relay2.rai.it
100 relay60.rai.it
100 relay90.rai.it
100 relay70.rai.it
100 relay50.rai.it
100 relay80.rai.it
100 relay40.rai.it
200 relay12.rai.it
TXT
MS=ms45661406
0bqzf8cjw4fjnbpb2f61m5695tg2fmmv
3d0lxy1jwgt7b9m8cljv8rw0pgvs7tf5
_6lygbiaud9p8ddu6nuopi8fqustjso5
_j6z6qd81dssht229qgu6n37jix3p83q
_mm40yxc2kdqt5d1cukt99uwfcslgyn5
_vu41illfct1s1aqcua8oldrhi700437
cvk8650m34yf020wfmttjwkvs0fdznhp
sjvy2znlgr3vmkkl27tll4g5mykwh7rf
vd7r5fv7t559ll3cb4jw00rzpvj9v038
vdzpwzt5xvltb7f33vsv7h6gvdthhgyr
google-site-verification=oeIOps5Tk-JI68eUOWyMbOyshPyCXF20ryqy8_4HL4w
SPF v=spf1 ip4:212.162.86.180/30 ip4:212.162.86.184/30 ip4:212.162.86.188/30 ip4:212...
CAALookup not available with standard resolver
Resolved in 213 ms

Multiple A records provide failover if one server goes down.

Why this matters

Single A record means a single point of failure — if that IP goes down, your site is unreachable until DNS TTL expires.

Learn more

Add multiple A records for round-robin failover, or use a managed DNS provider with health-checked failover (Route 53, Cloudflare, NS1). Short TTL (60-300s) lets clients recover faster on outages.

Source: SRE practice / DNS architecture

Slow DNS adds latency to every page load. Consider a faster DNS provider.

Why this matters

DNS resolution is slow — anycast DNS providers (Cloudflare, Route 53) typically resolve <50ms globally.

Source: DNS performance benchmarks

A+
Subdomain Takeover
No subdomain takeover risk detected
PASS
No subdomain takeover risk detected
Info::
No CNAME record present
A
Redirect Chain
1 redirect(s), 840 ms total
PASS
1 redirect(s), 840 ms total
Info::
Single redirect
Got: https://raiplay.it → https://www.raiplay.it/ (301)
Info::
WWW normalization redirect
Info::
Redirect overhead: 840 ms total
Got: 840 ms

https://raiplay.it

817 ms · HTTP/1.0

301

https://www.raiplay.it/

23 ms · HTTP/1.1 FINAL

#URLStatusTimeProtocolServer
1https://raiplay.it301817 msHTTP/1.0BigIP
2https://www.raiplay.it/20023 msHTTP/1.1

See the visual redirect chain in the HTTP Probe tab →

A+
Crawlability
robots.txt present, sitemap with 117 URLs
PASS
robots.txt present, sitemap with 117 URLs
Info::
robots.txt is present
Got: 2598 bytes
Info::
sitemap.xml is present
Info::
sitemap.xml is valid XML
Info::
sitemap.xml contains 117 entries
Info::
Sitemap index with 117 child sitemaps
Info::
robots.txt references sitemap
robots.txt 200 OK
Size 2598 B Sitemaps referenced 2 User-agents AwarioRssBot, DataForSeoBot, magpie-crawler, news-please, peer39_crawler, PerplexityBot, Scrapy, AwarioSmartBot, CCBot, Claude-Web, cohere-ai, GPTBot, TurnitinBot, *, Bytespider, omgili, peer39_crawler/1.0, anthropic-ai, ChatGPT-User, ClaudeBot, Diffbot, FacebookBot, Google-Extended, NewsNow, omgilibot, Amazonbot Blocking No — crawling allowed
# Rai RadioTelevisione Italiana content is made available for your personal, non-commercial
# use subject to our Terms of Service.
# Use of any device, tool, or process designed to data mine or scrape the content
# using automated means is prohibited without prior written permission from
# Rai RadioTelevisione Italiana. Prohibited uses include but are not limited to:
# (1) text and data mining activities under Art. 4 of the EU Directive on Copyright in
# the Digital Single Market;
# (2) the development of any software, machine learning, artificial intelligence (AI),
# and/or large language models (LLMs);
# (3) creating or providing archived or cached data sets containing our content to others; and/or
# (4) any commercial purposes.
# Contact https://www.rai.it/centroassistenza

User-agent: *

Disallow: */StatisticheProxy/proxy.jsp?action=mostVisited&domain=RaiTv*
Disallow: */StatisticheProxy/tagCloudVisualizza.jsp?tagName=*
Disallow: */dl/test/*
Disallow: */dl/palinsesti/Page-e120a813-1b92-4057-a214-15943d95aa68.html*
Disallow: /*json$
Disallow: /programmi/*/$
Disallow: /programmi/*/index.html$
Disallow: /collezioni/*/$
Disallow: /collezioni/*/index.html$
Disallow: /guidatv-old$
Disallow: /guidatv/lista$
Disallow: /native$
Disallow: /hp/focus-retrocompatibile$
Disallow: /internal/*
Disallow: /palinsesto/guidatv/*/*.html$
Disallow: /palinsesto/guidatv/lista/*/*.html$
Disallow: /palinsesto/retrocompatibile/*/*.html
Disallow: /video-old*
Disallow: /iframe/video*
Disallow: /iframe/dirette*
Disallow: /dl/RaiTV/programmi/media/*
Disallow: /hbbtv/*
Disallow: /appTv/*

User-agent: Amazonbot
Disallow: /

User-agent: anthropic-ai
Disallow: /

User-agent: AwarioRssBot
Disallow: /

User-agent: AwarioSmartBot
Disallow: /

User-agent: Bytespider
Disallow: /

User-agent: CCBot
Disallow: /

User-agent: ChatGPT-User
Disallow: /

User-agent: ClaudeBot
Disallow: /

User-agent: Claude-Web
Disallow: /

User-agent: cohere-ai
Disallow: /

User-agent: DataForSeoBot
Disallow: /

User-agent: Diffbot
Disallow: /

User-agent: FacebookBot
Disallow: /

User-agent: Google-Extended
Disallow: /

User-agent: GPTBot
Disallow: /

User-agent: magpie-crawler
Disallow: /

User-agent: NewsNow
Disallow: /

User-agent: news-please
Disallow: /

User-agent: omgili
Disallow: /

User-agent: omgilibot
Disallow: /

User-agent: peer39_crawler
Disallow: /

User-agent: peer39_crawler/1.0
Disallow: /

User-agent: PerplexityBot
Disallow: /

User-agent: Scrapy
Disallow: /

User-agent: TurnitinBot
Disallow: /

Sitemap: https://www.raiplay.it/sitemap.xml
Sitemap: https://www.raiplay.it/sitemap.palinsesto.xml
sitemap.xml 200 OK
Type Sitemap Index URLs 117 entries Valid XML Yes
Child Sitemaps:
A+
URL Variants
www/non-www, trailing slash, HTTP→HTTPS
PASS
www/non-www, trailing slash, HTTP→HTTPS
Info::
HTTP correctly 301-redirects to HTTPS

www / non-www

403https://www.raiplay.it/
200https://raiplay.it/

HTTP → HTTPS

301http://raiplay.it/ https://www.raiplay.it/

Consistent

A+
Domain Intelligence
raiplay.it — via DOTNICE-REG, 10 years old, hosted on RAI-AS - RAI RadioTelevisione Italiana SPA, IT
PASS
raiplay.it — via DOTNICE-REG, 10 years old, hosted on RAI-AS - RAI RadioTelevisione Italiana SPA, IT
Info::
Domain registered until May 2, 2027 (9 months remaining)
Info::
Registrar: DOTNICE-REG
Warning::
Registrar lock is NOT enabled
The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.
Info::
Hosting: RAI-AS - RAI RadioTelevisione Italiana SPA, IT
Got: AS8234
Domain expiry

293 days

May 2, 2027

SSL certificate

179 days

Issued by DigiCert Inc

Domain age

10 years

Registered August 9, 2016

DNSSEC

Status unknown

Protects against DNS spoofing

Hosting

RAI-AS - RAI RadioTelevisione Italiana SPA, IT

ASN AS8234

212.162.68.90

Registrar

DOTNICE-REG

Unlocked 2 NS records
Expiry timeline
Today
+1 year
Domain expiry SSL expiry Danger zone (≤30 days)
Recommended actions
  • Enable registrar lock (clientTransferProhibited) to block unauthorized domain transfers
Registrar DOTNICE-REG
Created August 9, 2016 (10 years ago)
Expires May 2, 2027 (9 months)
Last Updated May 18, 2026
Name Servers ns.rai.it, ns2.rai.it
Registrant RAI Radiotelevisione Italiana S.p.A.
Hosting
IP Address 212.162.68.90
ASN AS8234 (RAI-AS - RAI RadioTelevisione Italiana SPA, IT)
Provider RAI-AS - RAI RadioTelevisione Italiana SPA, IT
Data source: whois (2.2s)

The domain can be transferred without an unlock step. Enable registrar lock (clientTransferProhibited) in your registrar's control panel to protect against unauthorized or accidental transfers.

Why this matters

Without registrar lock, an attacker who phishes your registrar credentials can transfer the domain in minutes — total brand hijack.

Learn more

Registrar lock (clientTransferProhibited, clientUpdateProhibited, clientDeleteProhibited) requires extra verification before any transfer/update/delete. Every major registrar offers it free. Combined with 2FA on your registrar account, it's the strongest defense against domain hijacking.

Source: ICANN / domain-security best practice

All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.

Send Feedback