pax_global_header00006660000000000000000000000064126546562670014535gustar00rootroot0000000000000052 comment=5a374cf1d629d8d2fecdf6f215aec9b056370868 .gitignore000066400000000000000000000001051265465626700130650ustar00rootroot00000000000000validns base64-test base32hex-test *.o *.core experiment* *.swp core Changes000066400000000000000000000021501265465626700123720ustar00rootroot00000000000000Revision history for validns. 0.8 Tue Feb 11 21:39:41 CET 2014 Miscellaneous bug fixes. Miscellaneous portability fixes. Support ECDSA and SHA-256 in SSHFP. Add support for SHA-384 digests in DS (RFC 6605). Support multiple -t options. 0.7 Tue Apr 16 12:37:11 CEST 2013 Support for KX, DLV, DHCID, NAPTR records. Support for X25, ISDN, RT, PX records. Support for MB, MG, MR, MINFO, AFSDB records. NSEC chain validation fix. Do not allow LP point to itself. Miscellaneous performance improvements. Miscellaneous portability fixes. Miscellaneous bug fixes. 0.6 Thu Oct 4 16:40:56 CEST 2012 Support for TLSA records. Support for ILNP (NID, L64, L3, LP) records (untested). Support for IPSECKEY records. Handle TYPEXXX for known types correctly. A number of NSEC3-related bug fixes. Miscellaneous bug fixes. 0.5 Thu Jun 7 15:45:55 CEST 2012 Parallelize signature verification (-n option) 0.4 Thu Mar 22 15:48:25 CET 2012 Support ECC algorithms in DS and DNSKEY (by Miek Gieben) Fix a parsing bug for \nnn in text fields (by Göran Bengtson) 0.3 Tue Feb 14 14:09:54 CET 2012 First packaged release. LICENSE000066400000000000000000000024241265465626700121100ustar00rootroot00000000000000Copyright (c) 2011-2014 Anton Berezin "". All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Makefile000066400000000000000000000205401265465626700125420ustar00rootroot00000000000000# The following options seem to work fine on Linux, FreeBSD, and Darwin OPTIMIZE=-O2 -g CFLAGS=-Wall -Werror -pthread -fno-strict-aliasing INCPATH=-I/usr/local/include -I/opt/local/include -I/usr/local/ssl/include CC?=cc # These additional options work on Solaris/gcc to which I have an access # (when combined with the options above, and CC=gcc). #EXTRALPATH=-L/usr/local/ssl/lib -Wl,-R,/usr/local/ssl/lib #EXTRALIBS=-lnsl -lrt # According to Daniel Stirnimann, the following is needed # to make it work on Solaris/cc. #CFLAGS=-fast -xtarget=ultra3 -m64 -xarch=sparcvis2 #INCPATH=-I/opt/sws/include #CC=cc #EXTRALPATH=-L/opt/sws/lib/64 -R/opt/sws/lib/64 #EXTRALIBS-lrt -lnsl #EXTRALINKING=-mt -lpthread validns: main.o carp.o mempool.o textparse.o base64.o base32hex.o \ rr.o soa.o a.o cname.o mx.o ns.o \ rrsig.o nsec.o dnskey.o txt.o aaaa.o \ naptr.o srv.o nsec3param.o nsec3.o ds.o \ hinfo.o loc.o nsec3checks.o ptr.o \ sshfp.o threads.o rp.o spf.o cert.o \ dname.o tlsa.o nid.o l32.o l64.o lp.o \ ipseckey.o cbtree.o mb.o mg.o mr.o minfo.o \ afsdb.o x25.o isdn.o rt.o px.o kx.o \ dlv.o dhcid.o nsap.o $(CC) $(CFLAGS) $(OPTIMIZE) -o validns \ main.o carp.o mempool.o textparse.o base64.o base32hex.o \ rr.o soa.o a.o cname.o mx.o ns.o \ rrsig.o nsec.o dnskey.o txt.o aaaa.o \ naptr.o srv.o nsec3param.o nsec3.o ds.o \ hinfo.o loc.o nsec3checks.o ptr.o \ sshfp.o threads.o rp.o spf.o cert.o \ dname.o tlsa.o nid.o l32.o l64.o lp.o \ ipseckey.o cbtree.o mb.o mg.o mr.o minfo.o \ afsdb.o x25.o isdn.o rt.o px.o kx.o \ dlv.o dhcid.o nsap.o \ -L/usr/local/lib -L/opt/local/lib $(EXTRALPATH) \ -lJudy -lcrypto $(EXTRALIBS) $(EXTRALINKING) clean: -rm -f validns main.o carp.o mempool.o textparse.o -rm -f rr.o soa.o a.o cname.o mx.o ns.o -rm -f rrsig.o nsec.o dnskey.o txt.o aaaa.o -rm -f naptr.o srv.o nsec3param.o nsec3.o ds.o -rm -f hinfo.o loc.o nsec3checks.o ptr.o -rm -f sshfp.o base32hex.o base64.o threads.o -rm -f rp.o spf.o cert.o dname.o tlsa.o -rm -f nid.o l32.o l64.o lp.o ipseckey.o -rm -f cbtree.o mb.o mg.o mr.o minfo.o -rm -f afsdb.o x25.o isdn.o rt.o px.o kx.o -rm -f dlv.o dhcid.o nsap.o -rm -f validns.core core @echo ':-)' main.o: main.c common.h carp.h mempool.h textparse.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o main.o main.c $(INCPATH) carp.o: carp.c carp.h common.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o carp.o carp.c $(INCPATH) mempool.o: mempool.c mempool.h carp.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o mempool.o mempool.c $(INCPATH) textparse.o: textparse.c common.h carp.h mempool.h textparse.h base64.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o textparse.o textparse.c $(INCPATH) base64.o: base64.c base64.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o base64.o base64.c $(INCPATH) base32hex.o: base32hex.c base32hex.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o base32hex.o base32hex.c $(INCPATH) rr.o: rr.c common.h mempool.h carp.h textparse.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o rr.o rr.c $(INCPATH) soa.o: soa.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o soa.o soa.c $(INCPATH) a.o: a.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o a.o a.c $(INCPATH) cname.o: cname.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o cname.o cname.c $(INCPATH) mb.o: mb.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o mb.o mb.c $(INCPATH) mg.o: mg.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o mg.o mg.c $(INCPATH) minfo.o: minfo.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o minfo.o minfo.c $(INCPATH) mr.o: mr.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o mr.o mr.c $(INCPATH) mx.o: mx.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o mx.o mx.c $(INCPATH) afsdb.o: afsdb.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o afsdb.o afsdb.c $(INCPATH) x25.o: x25.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o x25.o x25.c $(INCPATH) isdn.o: isdn.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o isdn.o isdn.c $(INCPATH) rt.o: rt.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o rt.o rt.c $(INCPATH) px.o: px.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o px.o px.c $(INCPATH) kx.o: kx.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o kx.o kx.c $(INCPATH) dlv.o: dlv.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o dlv.o dlv.c $(INCPATH) dhcid.o: dhcid.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o dhcid.o dhcid.c $(INCPATH) nsap.o: nsap.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o nsap.o nsap.c $(INCPATH) ns.o: ns.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o ns.o ns.c $(INCPATH) rrsig.o: rrsig.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o rrsig.o rrsig.c $(INCPATH) nsec.o: nsec.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o nsec.o nsec.c $(INCPATH) dnskey.o: dnskey.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o dnskey.o dnskey.c $(INCPATH) txt.o: txt.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o txt.o txt.c $(INCPATH) aaaa.o: aaaa.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o aaaa.o aaaa.c $(INCPATH) naptr.o: naptr.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o naptr.o naptr.c $(INCPATH) srv.o: srv.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o srv.o srv.c $(INCPATH) nsec3param.o: nsec3param.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o nsec3param.o nsec3param.c $(INCPATH) nsec3.o: nsec3.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o nsec3.o nsec3.c $(INCPATH) ds.o: ds.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o ds.o ds.c $(INCPATH) hinfo.o: hinfo.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o hinfo.o hinfo.c $(INCPATH) loc.o: loc.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o loc.o loc.c $(INCPATH) nsec3checks.o: nsec3checks.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o nsec3checks.o nsec3checks.c $(INCPATH) ptr.o: ptr.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o ptr.o ptr.c $(INCPATH) sshfp.o: sshfp.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o sshfp.o sshfp.c $(INCPATH) rp.o: rp.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o rp.o rp.c $(INCPATH) spf.o: spf.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o spf.o spf.c $(INCPATH) cert.o: cert.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o cert.o cert.c $(INCPATH) dname.o: dname.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o dname.o dname.c $(INCPATH) tlsa.o: tlsa.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o tlsa.o tlsa.c $(INCPATH) nid.o: nid.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o nid.o nid.c $(INCPATH) l32.o: l32.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o l32.o l32.c $(INCPATH) l64.o: l64.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o l64.o l64.c $(INCPATH) lp.o: lp.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o lp.o lp.c $(INCPATH) ipseckey.o: ipseckey.c common.h textparse.h mempool.h carp.h rr.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o ipseckey.o ipseckey.c $(INCPATH) cbtree.o: cbtree.c cbtree.h $(CC) $(CFLAGS) $(OPTIMIZE) -c -o cbtree.o cbtree.c $(INCPATH) threads.o: threads.c $(CC) $(CFLAGS) $(OPTIMIZE) -c -o threads.o threads.c $(INCPATH) test: validns perl -MTest::Harness -e 'runtests("t/test.pl")' test-details: validns perl t/test.pl test64: $(CC) -Wall -O2 -o base64-test base64.c -DTEST_PROGRAM ./base64-test test32hex: $(CC) -Wall -O2 -o base32hex-test base32hex.c -DTEST_PROGRAM ./base32hex-test README000066400000000000000000000011171265465626700117610ustar00rootroot00000000000000validns version 0.8 validns - DNS and DNSSEC zone file validator. For installation instructions, see installation.mdwn. For usage, see usage.mdwn. For miscellaneous notes, see notes.mdwn. For technical notes, see technical-notes.mdwn. The most recent version can always be found at https://github.com/tobez/validns/ The tarballs of releases can be found at http://www.validns.net/download/ Support: - web: http://www.validns.net/ - email: mailing list validns-users@validns.net (for users and developers alike) author: tobez@tobez.org - IRC: join #validns on EFNet a.c000066400000000000000000000024711265465626700114710ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *a_parse(char *name, long ttl, int type, char *s) { struct rr_a *rr = getmem(sizeof(*rr)); if (extract_ipv4(&s, "IPv4 address", &rr->address) <= 0) return NULL; if (*s) { return bitch("garbage after valid A data"); } return store_record(type, name, ttl, rr); } static char* a_human(struct rr *rrv) { RRCAST(a); char s[1024]; if (inet_ntop(AF_INET, &rr->address, s, 1024)) return quickstrdup_temp(s); return "????"; } static struct binary_data a_wirerdata(struct rr *rrv) { RRCAST(a); struct binary_data r; r.length = sizeof(rr->address); r.data = (void *)&rr->address; return r; } static void* a_validate_set(struct rr_set *rr_set) { if (rr_set->named_rr->flags & NAME_FLAG_CONTAINS_SLASH) { struct rr *rr = rr_set->tail; return moan(rr->file_name, rr->line, "host name contains '/'"); } return NULL; } struct rr_methods a_methods = { a_parse, a_human, a_wirerdata, a_validate_set, NULL }; aaaa.c000066400000000000000000000025451265465626700121360ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *aaaa_parse(char *name, long ttl, int type, char *s) { struct rr_aaaa *rr = getmem(sizeof(*rr)); if (extract_ipv6(&s, "IPv6 address", &rr->address) <= 0) return NULL; if (*s) { return bitch("garbage after valid AAAA data"); } return store_record(type, name, ttl, rr); } static char* aaaa_human(struct rr *rrv) { RRCAST(aaaa); char s[1024]; if (inet_ntop(AF_INET6, &rr->address, s, 1024)) return quickstrdup_temp(s); return "????"; } static struct binary_data aaaa_wirerdata(struct rr *rrv) { RRCAST(aaaa); struct binary_data r; r.length = sizeof(rr->address); r.data = (void *)&rr->address; return r; } static void* aaaa_validate_set(struct rr_set *rr_set) { if (rr_set->named_rr->flags & NAME_FLAG_CONTAINS_SLASH) { struct rr *rr = rr_set->tail; return moan(rr->file_name, rr->line, "host name contains '/'"); } return NULL; } struct rr_methods aaaa_methods = { aaaa_parse, aaaa_human, aaaa_wirerdata, aaaa_validate_set, NULL }; afsdb.c000066400000000000000000000024361265465626700123310ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *afsdb_parse(char *name, long ttl, int type, char *s) { struct rr_afsdb *rr = getmem(sizeof(*rr)); rr->subtype = extract_integer(&s, "AFSDB subtype", NULL); if (rr->subtype < 0) return NULL; if (rr->subtype != 1 && rr->subtype != 2) return bitch("unknown AFSDB subtype"); rr->hostname = extract_name(&s, "AFSDB hostname", 0); if (!rr->hostname) return NULL; if (*s) { return bitch("garbage after valid AFSDB data"); } return store_record(type, name, ttl, rr); } static char* afsdb_human(struct rr *rrv) { RRCAST(afsdb); char s[1024]; snprintf(s, 1024, "%d %s", rr->subtype, rr->hostname); return quickstrdup_temp(s); } static struct binary_data afsdb_wirerdata(struct rr *rrv) { RRCAST(afsdb); return compose_binary_data("2d", 1, rr->subtype, name2wire_name(rr->hostname)); } struct rr_methods afsdb_methods = { afsdb_parse, afsdb_human, afsdb_wirerdata, NULL, NULL }; base32hex.c000066400000000000000000000211011265465626700130240ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "base32hex.h" /* base32/normal alignment: * * 0 1 2 3 4 5 6 7 * |12345|123 45|12345|1 2345|1234 5|12345|12 345|12345| * |12345 678|12 34567 8|1234 5678|1 23456 78|123 45678| * 0 1 2 3 4 * * normal byte 0 is (base32[0] << 3) | (base32[1] >> 2) * masks: F8; 07 * normal byte 1 is ((base32[1]&0x03) << 6) | (base32[2] << 1) | (base32[3] >> 4) * masks: C0; 3E; 01 * normal byte 2 is ((base32[3]&0x0F) << 4) | (base32[4] >> 1) * masks: F0; 0F * normal byte 3 is ((base32[4]&0x01) << 7) | (base32[5] << 2) | (base32[6] >> 3) * masks: 80; 7C; 03 * normal byte 4 is ((base32[6]&0x07) << 5) | base32[7] * masks: E0; 1F */ int decode_base32hex(void *dest, char *src, size_t dstsize) { size_t processed = 0; int full_bytes = 0; unsigned char *dst = dest; while (*src) { int v; if (*src >= 'A' && *src <= 'V') v = *src - 'A' + 10; else if (*src >= 'a' && *src <= 'v') v = *src - 'a' + 10; else if (*src >= '0' && *src <= '9') v = *src - '0'; else if (isspace(*src) || *src == '=') { src++; continue; } else { /* any junk chars means input is corrupted */ errno = EINVAL; return -1; } src++; if (processed % 8 == 0) { if (dstsize <= 0) { errno = EINVAL; return -1; } dst[0] &= 0x07; dst[0] |= (v << 3) & 0xF8; processed++; } else if (processed % 8 == 1) { if (dstsize < 1) { errno = EINVAL; return -1; } dst[0] &= 0xF8; dst[0] |= (v >> 2) & 0x07; if (dstsize >= 2) { dst[1] &= 0x3F; dst[1] |= (v << 6) & 0xC0; } processed++; full_bytes++; } else if (processed % 8 == 2) { if (dstsize < 2) { errno = EINVAL; return -1; } dst[1] &= 0xC1; dst[1] |= (v << 1) & 0x3E; processed++; } else if (processed % 8 == 3) { if (dstsize < 2) { errno = EINVAL; return -1; } dst[1] &= 0xFE; dst[1] |= (v >> 4) & 0x01; if (dstsize >= 3) { dst[2] &= 0x0F; dst[2] |= (v << 4) & 0xF0; } processed++; full_bytes++; } else if (processed % 8 == 4) { if (dstsize < 3) { errno = EINVAL; return -1; } dst[2] &= 0xF0; dst[2] |= (v >> 1) & 0x0F; if (dstsize >= 4) { dst[3] &= 0x7F; dst[3] |= (v << 7) & 0x80; } processed++; full_bytes++; } else if (processed % 8 == 5) { if (dstsize < 4) { errno = EINVAL; return -1; } dst[3] &= 0x83; dst[3] |= (v << 2) & 0x7C; processed++; } else if (processed % 8 == 6) { if (dstsize < 4) { errno = EINVAL; return -1; } dst[3] &= 0xFC; dst[3] |= (v >> 3) & 0x03; if (dstsize >= 5) { dst[4] &= 0x1F; dst[4] |= (v << 5) & 0xE0; } processed++; full_bytes++; } else { if (dstsize < 5) { errno = EINVAL; return -1; } dst[4] &= 0xE0; dst[4] |= v & 0x1F; processed++; dst += 5; dstsize -= 5; full_bytes++; } } return full_bytes; } int encode_base32hex(void *dest, size_t dstsize, void *source, size_t srclength) { size_t need_dstsize; int byte = 0; unsigned char *dst = dest; unsigned char *src = source; int i; need_dstsize = 8*(srclength / 5); switch (srclength % 5) { case 1: need_dstsize += 2; break; case 2: need_dstsize += 4; break; case 3: need_dstsize += 5; break; case 4: need_dstsize += 7; break; } if (dstsize < need_dstsize) { errno = EINVAL; return -1; } while (srclength) { switch (byte) { case 0: dst[0] = *src >> 3; dst[1] = (*src & 0x07) << 2; break; case 1: dst[1] |= (*src >> 6) & 0x03; dst[2] = (*src >> 1) & 0x1f; dst[3] = (*src & 0x01) << 4; break; case 2: dst[3] |= (*src >> 4) & 0x0f; dst[4] = (*src & 0x0f) << 1; break; case 3: dst[4] |= (*src >> 7) & 0x01; dst[5] = (*src >> 2) & 0x1f; dst[6] = (*src & 0x03) << 3; break; case 4: dst[6] |= (*src >> 5) & 0x07; dst[7] = *src & 0x1f; break; } srclength--; src++; byte++; if (byte == 5) { dst += 8; byte = 0; } } dst = dest; for (i = 0; i < need_dstsize; i++) { if (*dst < 10) *dst = *dst +'0'; else if (*dst < 32) *dst = *dst - 10 + 'a'; else *dst = '?'; dst++; } return need_dstsize; } #ifdef TEST_PROGRAM static int ok_string_test(int testnum, char *src, char *expect) { unsigned char dstbuf[512]; unsigned char reverse_buf[1024]; int r, r0, i; int expect_sz = strlen(expect); int expect_reverse; char *s, *d; if (expect_sz >= 512) { printf("test %d: NOT OK: internal *test* error, buffer too small for proper testing, FIXME\n", testnum); return 1; } memset(dstbuf, 0xAA, 512); r = decode_base32hex(dstbuf, src, expect_sz); if (r != expect_sz) { printf("test %d: NOT OK: expect size %d, got %d\n", testnum, expect_sz, r); return 1; } else if (memcmp(dstbuf, expect, r) != 0) { printf("test %d: NOT OK: unexpected buffer content\n", testnum); return 1; } if (dstbuf[expect_sz] != 0xAA) { printf("test %d: NOT OK: corrupts memory with \"just enough\" bufsize\n", testnum); return 1; } r = encode_base32hex(reverse_buf, 1024, dstbuf, expect_sz); s = src; d = (char*)dstbuf; expect_reverse = 0; while (*s) { if (*s != ' ' && *s != '=') { *d++ = tolower(*s); expect_reverse++; } s++; } if (r != expect_reverse) { printf("test %d: NOT OK: REVERSE: expect size %d, got %d\n", testnum, expect_reverse, r); return 1; } else if (memcmp(reverse_buf, dstbuf, r) != 0) { printf("test %d: NOT OK: REVERSE: unexpected buffer content\n", testnum); return 1; } memset(dstbuf, 0xAA, 512); for (i = 0; i < expect_sz; i++) { r0 = decode_base32hex(dstbuf, src, i); if (r0 > 0) { printf("test %d: NOT OK: buffer size %d should not be enough\n", testnum, i); return 1; } if (dstbuf[i] != 0xAA) { printf("test %d: NOT OK: corrupts memory with bufsize %d\n", testnum, i); return 1; } } printf("test %d: ok\n", testnum); return 0; } static int expect_junk_error(int testnum, char *src) { char *buf[20]; int r; r = decode_base32hex(buf, src, 20); if (r != -1) { printf("test %d: NOT OK: junk input not recognized\n", testnum); return 1; } printf("test %d: ok\n", testnum); return 0; } int main(void) { int ret = 0; int t = 1; /* from http://tools.ietf.org/html/rfc4648#section-10 */ ret |= ok_string_test(t++, "", ""); ret |= ok_string_test(t++, "CO======", "f"); ret |= ok_string_test(t++, "Co=====", "f"); ret |= ok_string_test(t++, "cO====", "f"); ret |= ok_string_test(t++, "co===", "f"); ret |= ok_string_test(t++, "CO==", "f"); ret |= ok_string_test(t++, "CO=", "f"); ret |= ok_string_test(t++, "CO", "f"); ret |= ok_string_test(t++, "CPNG====", "fo"); ret |= ok_string_test(t++, "cPNG===", "fo"); ret |= ok_string_test(t++, "cpNG==", "fo"); ret |= ok_string_test(t++, "cpnG=", "fo"); ret |= ok_string_test(t++, "cpng", "fo"); ret |= ok_string_test(t++, "CPNMU===", "foo"); ret |= ok_string_test(t++, "CPnMU==", "foo"); ret |= ok_string_test(t++, "CPnmu=", "foo"); ret |= ok_string_test(t++, "cpNMU", "foo"); ret |= ok_string_test(t++, "CPNMUOG=", "foob"); ret |= ok_string_test(t++, "CPNMUoG", "foob"); ret |= ok_string_test(t++, "CPNMUOJ1", "fooba"); ret |= ok_string_test(t++, "cPnMuOj1", "fooba"); ret |= ok_string_test(t++, "CpNmUoJ1", "fooba"); ret |= ok_string_test(t++, "CpNm UoJ1", "fooba"); ret |= ok_string_test(t++, "CPNMUOJ1E8======", "foobar"); ret |= ok_string_test(t++, "CPNMuOJ1E8=====", "foobar"); ret |= ok_string_test(t++, "CpNMuOJ1E8====", "foobar"); ret |= ok_string_test(t++, "CpNMuOJ1e8===", "foobar"); ret |= ok_string_test(t++, "CpNmuOJ 1e8==", "foobar"); ret |= ok_string_test(t++, "CpnmuOJ 1e8=", "foobar"); ret |= ok_string_test(t++, "Cpn muOj 1e8", "foobar"); ret |= expect_junk_error(t++, "?m9vmF"); ret |= expect_junk_error(t++, "%m9vmF"); ret |= expect_junk_error(t++, "m&9vmF"); ret |= expect_junk_error(t++, "m9-vmF"); ret |= expect_junk_error(t++, "m9v*mF"); ret |= expect_junk_error(t++, "m9v#mF"); ret |= expect_junk_error(t++, "m9vm\x01F"); ret |= expect_junk_error(t++, "m9vmF!"); ret |= expect_junk_error(t++, "m9vmF."); ret |= expect_junk_error(t++, "CpnmuOj/1e8x"); ret |= expect_junk_error(t++, "CpnYmuOj1e8"); ret |= expect_junk_error(t++, "CZpnmuOj1e8"); ret |= expect_junk_error(t++, "CzpnmuOj1e8"); ret |= ok_string_test(t++, "MEQIMI6FJE5NI47PJAHV5QIGU1LV3JLJ", "\xb3\xb5\x2b\x48\xcf\x9b\x8b\x79\x10\xf9\x9a\xa3\xf2\xea\x50\xf0\x6b\xf1\xce\xb3"); return ret; } #endif base32hex.h000066400000000000000000000005731265465626700130430ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #ifndef _BASE32HEX_H_ #define _BASE32HEX_H_ 1 int decode_base32hex(void *dst, char *src, size_t dstsize); int encode_base32hex(void *dest, size_t dstsize, void *source, size_t srclength); #endif base64.c000066400000000000000000000126141265465626700123350ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "base64.h" /* * Very straightforward, ugly, unoptimized, * not much in the way of error handling. * But it works. */ int decode_base64(void *dest, char *src, size_t dstsize) { size_t processed = 0; int full_bytes = 0; unsigned char *dst = dest; while (*src) { int v; if (*src >= 'A' && *src <= 'Z') v = *src - 'A'; else if (*src >= 'a' && *src <= 'z') v = 26 + *src - 'a'; else if (*src >= '0' && *src <= '9') v = 52 + *src - '0'; else if (*src == '+') v = 62; else if (*src == '/') v = 63; else if (isspace(*src) || *src == '=') { src++; continue; } else { /* any junk chars means input is corrupted */ errno = EINVAL; return -1; } src++; if (processed % 4 == 0) { if (dstsize <= 0) { errno = EINVAL; return -1; } dst[0] &= 0x03; dst[0] |= (v << 2) & 0xFC; processed++; } else if (processed % 4 == 1) { if (dstsize < 1) { errno = EINVAL; return -1; } dst[0] &= 0xFC; dst[0] |= (v >> 4) & 0x03; if (dstsize >= 2) { dst[1] &= 0x0F; dst[1] |= (v << 4) & 0xF0; } processed++; full_bytes++; } else if (processed % 4 == 2) { if (dstsize < 2) { errno = EINVAL; return -1; } dst[1] &= 0xF0; dst[1] |= (v >> 2) & 0x0F; if (dstsize >= 3) { dst[2] &= 0x3F; dst[2] |= (v << 6) & 0xC0; } processed++; full_bytes++; } else { if (dstsize <= 2) { errno = EINVAL; return -1; } dst[2] &= 0xC0; dst[2] |= v & 0x3F; processed++; dst += 3; dstsize -= 3; full_bytes++; } } return full_bytes; } #ifdef TEST_PROGRAM static int ok_string_test(int testnum, char *src, char *expect) { unsigned char dstbuf[512]; int r, r0, i; int expect_sz = strlen(expect); if (expect_sz >= 512) { printf("test %d: NOT OK: internal *test* error, buffer too small for proper testing, FIXME\n", testnum); return 1; } memset(dstbuf, 0xAA, 512); r = decode_base64(dstbuf, src, expect_sz); if (r != expect_sz) { printf("test %d: NOT OK: expect size %d, got %d\n", testnum, expect_sz, r); return 1; } else if (memcmp(dstbuf, expect, r) != 0) { printf("test %d: NOT OK: unexpected buffer content\n", testnum); return 1; } if (dstbuf[expect_sz] != 0xAA) { printf("test %d: NOT OK: corrupts memory with \"just enough\" bufsize\n", testnum); return 1; } memset(dstbuf, 0xAA, 512); for (i = 0; i < expect_sz; i++) { r0 = decode_base64(dstbuf, src, i); if (r0 > 0) { printf("test %d: NOT OK: buffer size %d should not be enough\n", testnum, i); return 1; } if (dstbuf[i] != 0xAA) { printf("test %d: NOT OK: corrupts memory with bufsize %d\n", testnum, i); return 1; } } printf("test %d: ok\n", testnum); return 0; } static int expect_junk_error(int testnum, char *src) { char *buf[20]; int r; r = decode_base64(buf, src, 20); if (r != -1) { printf("test %d: NOT OK: junk input not recognized\n", testnum); return 1; } printf("test %d: ok\n", testnum); return 0; } int main(void) { int ret = 0; /* from http://en.wikipedia.org/wiki/Base64 */ ret |= ok_string_test(1, "bGVhc3VyZS4=", "leasure."); ret |= ok_string_test(2, "bGVhc3VyZS4", "leasure."); ret |= ok_string_test(3, "ZWFzdXJlLg==", "easure."); ret |= ok_string_test(4, "ZWFzdXJlLg=", "easure."); ret |= ok_string_test(5, "ZWFzdXJlLg", "easure."); ret |= ok_string_test(6, "YXN1cmUu", "asure."); ret |= ok_string_test(7, "c3VyZS4=", "sure."); ret |= ok_string_test(8, "c3VyZS4", "sure."); ret |= ok_string_test(9, "TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz\n" "IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg\n" "dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu\n" "dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo\n" "ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=", "Man is distinguished, not only by his reason, but by this singular passion from other animals, which is a lust of the mind, that by a perseverance of delight in the continued and indefatigable generation of knowledge, exceeds the short vehemence of any carnal pleasure."); /* from http://tools.ietf.org/html/rfc4648#section-10 */ ret |= ok_string_test(10, "", ""); ret |= ok_string_test(11, "Zg==", "f"); ret |= ok_string_test(12, "Zg=", "f"); ret |= ok_string_test(13, "Zg", "f"); ret |= ok_string_test(14, "Zm8=", "fo"); ret |= ok_string_test(15, "Zm8", "fo"); ret |= ok_string_test(16, "Zm9v", "foo"); ret |= ok_string_test(17, "Zm9vYg==", "foob"); ret |= ok_string_test(18, "Zm9vYg=", "foob"); ret |= ok_string_test(19, "Zm9vYg", "foob"); ret |= ok_string_test(20, "Zm9vYmE=", "fooba"); ret |= ok_string_test(21, "Zm9vYmE", "fooba"); ret |= ok_string_test(22, "Zm9vYmFy", "foobar"); ret |= expect_junk_error(23, "?Zm9vYmFy"); ret |= expect_junk_error(24, "Z%m9vYmFy"); ret |= expect_junk_error(25, "Zm&9vYmFy"); ret |= expect_junk_error(26, "Zm9-vYmFy"); ret |= expect_junk_error(27, "Zm9v*YmFy"); ret |= expect_junk_error(28, "Zm9vY#mFy"); ret |= expect_junk_error(29, "Zm9vYm\x01Fy"); ret |= expect_junk_error(30, "Zm9vYmF!y"); ret |= expect_junk_error(31, "Zm9vYmFy."); return ret; } #endif base64.h000066400000000000000000000004401265465626700123340ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #ifndef _BASE64_H_ #define _BASE64_H_ 1 int decode_base64(void *dst, char *src, size_t dstsize); #endif carp.c000066400000000000000000000042671265465626700122030ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include #include #include "common.h" #include "carp.h" static void v(int is_croak, int is_x, int exit_code, const char *fmt, va_list ap); void croak(int exit_code, const char *fmt, ...) { va_list ap; va_start(ap, fmt); v(1, errno, exit_code, fmt, ap); va_end(ap); } void croakx(int exit_code, const char *fmt, ...) { va_list ap; va_start(ap, fmt); v(1, -1, exit_code, fmt, ap); va_end(ap); } void * bitch(const char *fmt, ...) { va_list ap; va_start(ap, fmt); if (!G.opt.no_output) { fprintf(stderr, "%s:%d: ", file_info->name, file_info->line); if (fmt != NULL) { vfprintf(stderr, fmt, ap); } fprintf(stderr, "\n"); } va_end(ap); G.exit_code = 1; G.stats.error_count++; file_info->paren_mode = 0; if (G.opt.die_on_first_error) exit(1); return NULL; } void * moan(char *file_name, int line, const char *fmt, ...) { va_list ap; va_start(ap, fmt); if (!G.opt.no_output) { fprintf(stderr, "%s:%d: ", file_name, line); if (fmt != NULL) { vfprintf(stderr, fmt, ap); } fprintf(stderr, "\n"); } va_end(ap); G.exit_code = 1; G.stats.error_count++; if (G.opt.die_on_first_error) exit(1); return NULL; } void v(int is_croak, int use_errno, int exit_code, const char *fmt, va_list ap) { fprintf(stderr, "%s: ", thisprogname()); if (fmt != NULL) { vfprintf(stderr, fmt, ap); if (use_errno >= 0) fprintf(stderr, ": "); } if (use_errno >= 0) fprintf(stderr, "%s\n", strerror(use_errno)); else fprintf(stderr, "\n"); if (is_croak) exit(exit_code); } #if defined(__linux__) static char proggy[MAXPATHLEN]; #endif const char *thisprogname(void) { #if defined(__FreeBSD__) return getprogname(); #elif defined(__APPLE__) return getprogname(); #elif defined(__sun__) return getexecname(); #elif defined(__linux__) if (readlink("/proc/self/exe", proggy, MAXPATHLEN) != -1) return proggy; return ""; #else #error "unsupported OS" #endif } carp.h000066400000000000000000000007061265465626700122020ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #ifndef _CARP_H #define _CARP_H 1 const char *thisprogname(void); void croak(int exit_code, const char *fmt, ...); void croakx(int exit_code, const char *fmt, ...); void *bitch(const char *fmt, ...); void *moan(char *file_name, int line, const char *fmt, ...); #endif cbtree.c000066400000000000000000000211001265465626700125030ustar00rootroot00000000000000/* djb's critbit with associated data storage. * * Based on https://github.com/agl/critbit, which is in public domain. * Changes: * - data storage added * - cweb removed * - functions renamed and data types cleaned to my liking */ #include #include #include #include #include #include "cbtree.h" struct node { void *child[2]; uint32_t byte; uint8_t otherbits; }; /* our own memory management */ struct pool { struct pool *next; size_t pool_size; size_t free_index; char mem[0]; }; static struct pool *internal = NULL; static struct pool *external = NULL; static int new_pool(struct pool **root, size_t size) { struct pool *pool; size = (size + sizeof(void *) - 1) / sizeof(void *); size *= sizeof(void *); pool = malloc(size + sizeof(struct pool)); if (!pool) { return 1; } pool->next = *root; pool->free_index = 0; pool->pool_size = size; *root = pool; return 0; } static void *alloc(struct pool **root, size_t size) { void *ret; size = (size + sizeof(void *) - 1) / sizeof(void *); size *= sizeof(void *); if (!*root) if (new_pool(root, size > 256000 ? size : 256000) != 0) return NULL; if ((*root)->pool_size - (*root)->free_index < size) if (new_pool(root, size > 256000 ? size : 256000) != 0) return NULL; ret = (*root)->mem + (*root)->free_index; (*root)->free_index += size; return ret; } /* main code */ intptr_t* cbtree_find(struct cbtree *t, const char *u) { const uint8_t *ubytes = (void *)u; const size_t ulen = strlen(u); uint8_t *p = t->root; /* Test for empty tree */ if (!p) return NULL; /* Walk tree for best member */ while (1 & (intptr_t) p) { struct node *q = (void *)(p - 1); /* Calculate direction */ int direction; uint8_t c = 0; if (q->byte < ulen) c = ubytes[q->byte]; direction = (1 + (q->otherbits | c)) >> 8; p = q->child[direction]; } /* The leaves contain "[data ptr][string]" */ if (strcmp(u, (const char *)(p + sizeof(intptr_t))) == 0) return (intptr_t *)p; return NULL; } intptr_t* cbtree_insert(struct cbtree *t, const char *u) { const uint8_t *const ubytes = (void *) u; const size_t ulen = strlen(u); uint8_t *p = t->root; /* Deal with inserting into an empty tree */ if (!p) { char *x = alloc(&external, ulen + 1 + sizeof(intptr_t)); if (!x) return NULL; *((intptr_t *)x) = 0; memcpy(x + sizeof(intptr_t), u, ulen + 1); t->root = x; return (intptr_t *)x; } /* Walk tree for best member */ while (1 & (intptr_t) p) { struct node *q = (void *)(p - 1); /* Calculate direction */ int direction; uint8_t c = 0; if (q->byte < ulen) c = ubytes[q->byte]; direction = (1 + (q->otherbits | c)) >> 8; p = q->child[direction]; } /* Find the critical bit */ /* 1: Find differing byte */ uint32_t newbyte; uint32_t newotherbits; for (newbyte = 0; newbyte < ulen; ++newbyte) { if (p[sizeof(intptr_t) + newbyte] != ubytes[newbyte]) { newotherbits = p[sizeof(intptr_t) + newbyte] ^ ubytes[newbyte]; goto different_byte_found; } } if (p[sizeof(intptr_t) + newbyte] != 0) { newotherbits = p[sizeof(intptr_t) + newbyte]; goto different_byte_found; } return (intptr_t *)p; different_byte_found: /* 2: Find differing bit */ newotherbits |= newotherbits >> 1; newotherbits |= newotherbits >> 2; newotherbits |= newotherbits >> 4; newotherbits = (newotherbits & ~(newotherbits >> 1)) ^ 255; uint8_t c = p[sizeof(intptr_t) + newbyte]; int newdirection = (1 + (newotherbits | c)) >> 8; /* Insert new string */ /* 1: Allocate new node structure */ struct node *newnode; newnode = alloc(&internal, sizeof(struct node)); if (!newnode) return NULL; char *x = alloc(&external, ulen + 1 + sizeof(intptr_t)); if (!x) return NULL; *((intptr_t *)x) = 0; memcpy(x + sizeof(intptr_t), ubytes, ulen + 1); newnode->byte = newbyte; newnode->otherbits = newotherbits; newnode->child[1 - newdirection] = x; /* 2: Insert new node */ void **wherep = &t->root; for (;;) { uint8_t *p = *wherep; if (!(1 & (intptr_t) p)) break; struct node *q = (void *) (p - 1); if (q->byte > newbyte) break; if (q->byte == newbyte && q->otherbits > newotherbits) break; uint8_t c = 0; if (q->byte < ulen) c = ubytes[q->byte]; const int direction = (1 + (q->otherbits | c)) >> 8; wherep = q->child + direction; } newnode->child[newdirection] = *wherep; *wherep = (void *) (1 + (char *) newnode); return (intptr_t *)x; } intptr_t cbtree_delete(struct cbtree *t, const char *u) { const uint8_t *ubytes = (void *) u; const size_t ulen = strlen(u); uint8_t *p = t->root; void **wherep = &t->root; void **whereq = 0; struct node *q = 0; int direction = 0; intptr_t ret; /* Deal with deleting from an empty tree */ if (!p) return 0; /* Walk the tree for the best match */ while (1 & (intptr_t) p) { whereq = wherep; q = (void *) (p - 1); uint8_t c = 0; if (q->byte < ulen) c = ubytes[q->byte]; direction = (1 + (q->otherbits | c)) >> 8; wherep = q->child + direction; p = *wherep; } /* Check the best match */ if (0 != strcmp(u, (const char *)(p + sizeof(intptr_t)))) return 0; ret = *((intptr_t *)p); /* Remove the element and/or node */ if (!whereq) { t->root = 0; return ret; } *whereq = q->child[1 - direction]; // free(q); return ret; } static void traverse(void *top) { uint8_t *p = top; if (1 & (intptr_t) p) { struct node *q = (void *) (p - 1); traverse(q->child[0]); traverse(q->child[1]); // free(q); } else { // free(p); } } void cbtree_clear(struct cbtree *t) { if (t->root) traverse(t->root); t->root = NULL; } static int allprefixed_traverse(uint8_t *top, int (*handle)(const char *, intptr_t *, void *), void *arg) { int direction; /* Deal with an internal node */ if (1 & (intptr_t) top) { struct node *q = (void *) (top - 1); for (direction = 0; direction < 2; ++direction) switch(allprefixed_traverse(q->child[direction], handle, arg)) { case 1: break; case 0: return 0; default: return -1; } return 1; } /* Deal with an external node */ return handle((const char *)(top + sizeof(intptr_t)), (intptr_t *)top, arg); } int cbtree_allprefixed(struct cbtree *t, const char *prefix, int (*handle)(const char *, intptr_t *, void *), void *arg) { const uint8_t *ubytes = (void *) prefix; const size_t ulen = strlen(prefix); uint8_t *p = t->root; uint8_t *top = p; int i; if (!p) return 1; /* S = $\emptyset$ */ /* Walk tree, maintaining top pointer */ while (1 & (intptr_t) p) { struct node *q = (void *) (p - 1); uint8_t c = 0; if (q->byte < ulen) c = ubytes[q->byte]; const int direction = (1 + (q->otherbits | c)) >> 8; p = q->child[direction]; if (q->byte < ulen) top = p; } /* Check prefix */ for (i = 0; i < ulen; ++i) { if (p[i+sizeof(intptr_t)] != ubytes[i]) return 1; } return allprefixed_traverse(top, handle, arg); } static const char *byte_to_binary(int x) { static char b[9]; int z; b[0] = '\0'; for (z = 128; z > 0; z >>= 1) strcat(b, ((x & z) == z) ? "1" : "0"); return b; } static void traverse_dump(void *top, int level, int byte) { uint8_t *p = top; int i; for (i = 0; i < level; i++) printf(" "); if (1 & (intptr_t) p) { struct node *q = (void *) (p - 1); printf("[byte(%d),otherbits(%s)]\n", q->byte, byte_to_binary(q->otherbits)); traverse_dump(q->child[0], level + 1, q->byte); traverse_dump(q->child[1], level + 1, q->byte); } else { const size_t ulen = strlen((char *)(p + sizeof(intptr_t))); int c = byte < ulen ? p[sizeof(intptr_t) + byte] : 0; printf("\"%s\" (%s)\n", p + sizeof(intptr_t), byte_to_binary(c)); } } void cbtree_dump(struct cbtree *t) { if (t->root) traverse_dump(t->root, 0, 0); printf("\n"); } char* cbtree_next(struct cbtree *t, const char *u, intptr_t *data) { const uint8_t *ubytes = (void *) u; const size_t ulen = strlen(u); uint8_t *p = t->root; uint8_t *branch = NULL; if (!p) return NULL; /* Walk tree, maintaining top pointer */ while (1 & (intptr_t) p) { struct node *q = (void *) (p - 1); uint8_t c = 0; if (q->byte < ulen) c = ubytes[q->byte]; const int direction = (1 + (q->otherbits | c)) >> 8; if (direction == 0) branch = q->child[1]; p = q->child[direction]; } /* check whether what we found is what we are looking for already */ if (strcmp((char *)(p + sizeof(intptr_t)), u) > 0) { if (data) *data = *((intptr_t *)p); return (char *)(p + sizeof(intptr_t)); } if (!branch) return NULL; /* select the lowest value on the branch */ p = branch; while (1 & (intptr_t) p) { struct node *q = (void *) (p - 1); p = q->child[0]; } if (data) *data = *((intptr_t *)p); return (char *)(p + sizeof(intptr_t)); } cbtree.h000066400000000000000000000033151265465626700125200ustar00rootroot00000000000000#ifndef _CBTREE_H #define _CBTREE_H #include #include struct cbtree { void *root; }; /* Re: use of intptr_t instead of void * or a union { void *; int }: * I am aware it is not recommened (see * http://stackoverflow.com/questions/9492798/using-intptr-t-instead-of-void), * but I am not sure I agree; maybe I just don't understand all * implications. Anyways, Judy trees, which I am replacing in my code * with this tiny library, are using "unsigned long", which * is even worse, but works everywherewhere I tested it. */ /* Search for the string u in the tree t. * Returns: * NULL if not found, or * a pointer to a user value associated with the string */ intptr_t *cbtree_find(struct cbtree *t, const char *u); /* Insert the string u into the tree t. * Returns: * NULL in case of an error, or * a pointer to a user value associated with the string; * the user value will be initialized to 0 in * case the insertion has happened, and left * untouched in case the string was already in the tree. */ intptr_t *cbtree_insert(struct cbtree *t, const char *u); /* Delete the string u from the tree t. * Returns: * 0 in case u was not in t, or * a user value which was associated with the string; * please note that the user value can be 0 as well, * so there is no general way to distinguish these two * situations */ intptr_t cbtree_delete(struct cbtree *t, const char *u); void cbtree_clear(struct cbtree *t); int cbtree_allprefixed(struct cbtree *t, const char *prefix, int (*handle)(const char *, intptr_t *, void *), void *arg); void cbtree_dump(struct cbtree *t); char *cbtree_next(struct cbtree *t, const char *u, intptr_t *data); #endif cert.c000066400000000000000000000067531265465626700122150ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" /* See http://tools.ietf.org/html/rfc4398 for CERT description. * See http://www.iana.org/assignments/cert-rr-types/cert-rr-types.xml * for certificate types. The version implemented here * has "Last Updated" equal to "2006-09-27" */ static int extract_certificate_type(char **s, char *what) { int type; char *str_type; if (isdigit(**s)) { type = extract_integer(s, what, NULL); if (type >= 1 && type <= 8) return type; if (type == 253 || type == 254) return type; if (type >= 65280 && type <= 65534) return type; if (type < 0 || type > 65535) { bitch("bad certificate type %d", type); return -1; } if (type == 0 || type == 255 || type == 65535) { bitch("certificate type %d is reserved by IANA", type); return -1; } bitch("certificate type %d is unassigned", type); return -1; } else { str_type = extract_label(s, what, "temporary"); if (!str_type) return -1; if (strcmp(str_type, "pkix") == 0) return 1; if (strcmp(str_type, "spki") == 0) return 2; if (strcmp(str_type, "pgp") == 0) return 3; if (strcmp(str_type, "ipkix") == 0) return 4; if (strcmp(str_type, "ispki") == 0) return 5; if (strcmp(str_type, "ipgp") == 0) return 6; if (strcmp(str_type, "acpkix") == 0) return 7; if (strcmp(str_type, "iacpkix") == 0) return 8; if (strcmp(str_type, "uri") == 0) return 253; if (strcmp(str_type, "oid") == 0) return 254; bitch("bad certificate type %s", str_type); return -1; } } static struct rr* cert_parse(char *name, long ttl, int type, char *s) { struct rr_cert *rr = getmem(sizeof(*rr)); int cert_type, key_tag, alg; cert_type = extract_certificate_type(&s, "certificate type"); if (cert_type < 0) return NULL; rr->type = cert_type; key_tag = extract_integer(&s, "key tag", NULL); if (key_tag < 0) return NULL; if (key_tag > 65535) return bitch("bad key tag"); rr->key_tag = key_tag; if (isdigit(*s)) { alg = extract_integer(&s, "algorithm", NULL); if (alg < 0) return NULL; if (alg > 255) return bitch("bad algorithm"); if (alg != 0) { /* 0 is just fine */ if (algorithm_type(alg) == ALG_UNSUPPORTED) return bitch("bad algorithm %d", alg); } } else { alg = extract_algorithm(&s, "algorithm"); if (alg == ALG_UNSUPPORTED) return NULL; } rr->algorithm = alg; if (alg == 0 && key_tag != 0) { /* we might want to bitch here, but RFC says "SHOULD", so we don't */ } rr->certificate = extract_base64_binary_data(&s, "certificate"); if (rr->certificate.length < 0) return NULL; /* TODO validate cert length based on algorithm */ if (*s) { return bitch("garbage after valid CERT data"); } return store_record(type, name, ttl, rr); } static char* cert_human(struct rr *rrv) { RRCAST(cert); char s[1024]; snprintf(s, 1024, "%d %d %d ...", rr->type, rr->key_tag, rr->algorithm); return quickstrdup_temp(s); } static struct binary_data cert_wirerdata(struct rr *rrv) { RRCAST(cert); return compose_binary_data("221d", 1, rr->type, rr->key_tag, rr->algorithm, rr->certificate); } struct rr_methods cert_methods = { cert_parse, cert_human, cert_wirerdata, NULL, NULL }; cname.c000066400000000000000000000033231265465626700123310ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *cname_parse(char *name, long ttl, int type, char *s) { struct rr_cname *rr = getmem(sizeof(*rr)); rr->cname = extract_name(&s, "cname", 0); if (!rr->cname) return NULL; if (*s) { return bitch("garbage after valid CNAME data"); } return store_record(type, name, ttl, rr); } static char* cname_human(struct rr *rrv) { RRCAST(cname); return rr->cname; } static struct binary_data cname_wirerdata(struct rr *rrv) { RRCAST(cname); return name2wire_name(rr->cname); } static void* cname_validate_set(struct rr_set *rr_set) { struct rr *rr; struct rr_set *another_set; struct named_rr *named_rr; int count; if (G.opt.policy_checks[POLICY_CNAME_OTHER_DATA]) { if (rr_set->count > 1) { rr = rr_set->tail; return moan(rr->file_name, rr->line, "CNAME and other data"); } named_rr = rr_set->named_rr; count = get_rr_set_count(named_rr); if (count > 1) { another_set = find_rr_set_in_named_rr(named_rr, T_RRSIG); if (another_set) count -= another_set->count; another_set = find_rr_set_in_named_rr(named_rr, T_NSEC); if (another_set) count -= another_set->count; if (count > 1) { rr = rr_set->tail; return moan(rr->file_name, rr->line, "CNAME and other data"); } } } return NULL; } struct rr_methods cname_methods = { cname_parse, cname_human, cname_wirerdata, cname_validate_set, NULL }; common.h000066400000000000000000000037071265465626700125510ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #ifndef _COMMON_H_ #define _COMMON_H_ 1 struct generate_template_piece; struct generate_template_piece { char *constant_string; struct generate_template_piece *next; }; #define LINEBUFSZ 2048 struct file_info { struct file_info *next; FILE *file; int line; int paren_mode; char buf[LINEBUFSZ]; char *current_origin; int generate_cur; int generate_lim; char *generate_type; struct generate_template_piece *generate_lhs; struct generate_template_piece *generate_rhs; /* must be last struct member */ char name[0]; }; extern struct file_info *file_info; #define N_POLICY_CHECKS 10 #define POLICY_SINGLE_NS 0 #define POLICY_CNAME_OTHER_DATA 1 #define POLICY_NSEC3PARAM_NOT_APEX 2 #define POLICY_MX_ALIAS 3 #define POLICY_NS_ALIAS 4 #define POLICY_RP_TXT_EXISTS 5 #define POLICY_DNAME 6 #define POLICY_DNSKEY 7 #define POLICY_TLSA_HOST 8 #define POLICY_KSK_EXISTS 9 #define MAX_TIMES_TO_CHECK 32 struct globals { struct stats { int names_count; int rr_count; int rrset_count; int error_count; int skipped_dup_rr_count; int soa_rr_count; int signatures_verified; int delegations; int not_authoritative; int nsec3_count; } stats; struct command_line_options { int die_on_first_error; int no_output; int summary; int verbose; char *include_path; int include_path_specified; char *first_origin; int n_times_to_check; uint32_t times_to_check[MAX_TIMES_TO_CHECK]; char policy_checks[N_POLICY_CHECKS]; int n_threads; int soa_minttl_as_default_ttl; } opt; int exit_code; long default_ttl; int nsec3_present; int nsec3_opt_out_present; int dnssec_active; }; extern struct globals G; #define SHA1_BYTES 20 #define SHA256_BYTES 32 #define SHA384_BYTES 48 #define SHA512_BYTES 64 /* GOST R 34.11-94 - 32 bytes */ #define GOST_BYTES 32 #endif dhcid.c000066400000000000000000000030231265465626700123160ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr* dhcid_parse(char *name, long ttl, int type, char *s) { struct rr_dhcid *rr = getmem(sizeof(*rr)); struct binary_data data; data = extract_base64_binary_data(&s, "rdata"); if (data.length < 0) return NULL; if (data.length < 3) return bitch("rdata too short"); rr->id_type = data.data[0]*256 + data.data[1]; if (rr->id_type > 2) return bitch("unsupported identifier type %s", rr->id_type); rr->digest_type = data.data[2]; if (rr->digest_type != 1) return bitch("unsupported digest type %s", rr->digest_type); if (data.length != 35) return bitch("wrong digest length, must be 32 for SHA-256"); /* let's cheat a bit */ data.length -= 3; data.data += 3; rr->digest = data; if (*s) { return bitch("garbage after valid DHCID data"); } return store_record(type, name, ttl, rr); } static char* dhcid_human(struct rr *rrv) { return "..."; } static struct binary_data dhcid_wirerdata(struct rr *rrv) { RRCAST(dhcid); return compose_binary_data("21d", 1, rr->id_type, rr->digest_type, rr->digest); } struct rr_methods dhcid_methods = { dhcid_parse, dhcid_human, dhcid_wirerdata, NULL, NULL }; dlv.c000066400000000000000000000050271265465626700120360ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr* dlv_parse(char *name, long ttl, int type, char *s) { struct rr_dlv *rr = getmem(sizeof(*rr)); int key_tag, algorithm, digest_type; key_tag = extract_integer(&s, "key tag", NULL); if (key_tag < 0) return NULL; rr->key_tag = key_tag; algorithm = extract_algorithm(&s, "algorithm"); if (algorithm == ALG_UNSUPPORTED) return NULL; rr->algorithm = algorithm; digest_type = extract_integer(&s, "digest type", NULL); if (digest_type < 0) return NULL; rr->digest_type = digest_type; rr->digest = extract_hex_binary_data(&s, "digest", EXTRACT_EAT_WHITESPACE); if (rr->digest.length < 0) return NULL; switch (digest_type) { case 1: if (rr->digest.length != SHA1_BYTES) { return bitch("wrong SHA-1 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA1_BYTES); } break; case 2: if (rr->digest.length != SHA256_BYTES) { return bitch("wrong SHA-256 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA256_BYTES); } break; case 3: if (rr->digest.length != GOST_BYTES) { return bitch("wrong GOST R 34.11-94 digest length: %d bytes found, %d bytes expected", rr->digest.length, GOST_BYTES); } break; case 4: if (rr->digest.length != SHA384_BYTES) { return bitch("wrong SHA-384 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA384_BYTES); } break; default: return bitch("bad or unsupported digest type %d", digest_type); } if (*s) { return bitch("garbage after valid DLV data"); } G.dnssec_active = 1; return store_record(type, name, ttl, rr); } static char* dlv_human(struct rr *rrv) { RRCAST(dlv); char ss[4096]; char *s = ss; int l; int i; l = snprintf(s, 4096, "%u %u %u ", rr->key_tag, rr->algorithm, rr->digest_type); s += l; for (i = 0; i < rr->digest.length; i++) { l = snprintf(s, 4096-(s-ss), "%02X", (unsigned char)rr->digest.data[i]); s += l; } return quickstrdup_temp(ss); } static struct binary_data dlv_wirerdata(struct rr *rrv) { RRCAST(dlv); return compose_binary_data("211d", 1, rr->key_tag, rr->algorithm, rr->digest_type, rr->digest); } struct rr_methods dlv_methods = { dlv_parse, dlv_human, dlv_wirerdata, NULL, NULL }; dname.c000066400000000000000000000045051265465626700123350ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" /* DNAMEs are described in http://tools.ietf.org/html/rfc2672 */ static struct rr *dname_parse(char *name, long ttl, int type, char *s) { struct rr_dname *rr = getmem(sizeof(*rr)); rr->target = extract_name(&s, "dname target", 0); if (!rr->target) return NULL; if (*s) { return bitch("garbage after valid DNAME data"); } return store_record(type, name, ttl, rr); } static char* dname_human(struct rr *rrv) { RRCAST(dname); return rr->target; } static struct binary_data dname_wirerdata(struct rr *rrv) { RRCAST(dname); return name2wire_name(rr->target); } static void* dname_validate_set(struct rr_set *rr_set) { struct rr *rr; struct rr_set *suspect; int count; struct named_rr *named_rr, *next_named_rr; if (G.opt.policy_checks[POLICY_DNAME]) { named_rr = rr_set->named_rr; rr = rr_set->tail; if (rr_set->count > 1) return moan(rr->file_name, rr->line, "multiple DNAMEs"); /* This check is already handled by "CNAME and other data" in cname.c * another_set = find_rr_set_in_named_rr(named_rr, T_CNAME); if (another_set) return moan(rr->file_name, rr->line, "DNAME cannot co-exist with a CNAME"); */ next_named_rr = find_next_named_rr(named_rr); /* handle http://tools.ietf.org/html/rfc5155#section-10.2 case */ if (next_named_rr && next_named_rr->parent == named_rr && (named_rr->flags & NAME_FLAG_APEX)) { count = get_rr_set_count(next_named_rr); if (count > 0) { suspect = find_rr_set_in_named_rr(next_named_rr, T_RRSIG); if (suspect) count--; suspect = find_rr_set_in_named_rr(next_named_rr, T_NSEC3); if (suspect) count--; if (count == 0) next_named_rr = find_next_named_rr(next_named_rr); } } if (next_named_rr && next_named_rr->parent == named_rr) return moan(rr->file_name, rr->line, "DNAME must not have any children (but %s exists)", next_named_rr->name); } return NULL; } struct rr_methods dname_methods = { dname_parse, dname_human, dname_wirerdata, dname_validate_set, NULL }; dnskey.c000066400000000000000000000113431265465626700125440ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr_dnskey *all_dns_keys = NULL; static struct rr* dnskey_parse(char *name, long ttl, int type, char *s) { struct rr_dnskey *rr = getmem(sizeof(*rr)); struct binary_data key; int flags, proto, algorithm; unsigned int ac; int i; static struct rr *result; flags = extract_integer(&s, "flags", NULL); if (flags < 0) return NULL; if (flags & 0xfe7e) return bitch("reserved flags bits are set"); if (flags & 0x0001 && !(flags & 0x0100)) return bitch("SEP bit is set but Zone Key bit is unset"); rr->flags = flags; /* TODO validate that `name` is the name of the zone if flags have Zone Key bit set */ proto = extract_integer(&s, "protocol", NULL); if (proto < 0) return NULL; if (proto != 3) return bitch("bad protocol value"); rr->protocol = proto; algorithm = extract_algorithm(&s, "algorithm"); if (algorithm == ALG_UNSUPPORTED) return NULL; if (algorithm == ALG_PRIVATEDNS || algorithm == ALG_PRIVATEOID) { return bitch("private algorithms are not supported in DNSKEY"); } rr->algorithm = algorithm; key = extract_base64_binary_data(&s, "public key"); if (key.length < 0) return NULL; /* TODO validate key length based on algorithm */ rr->pubkey = key; ac = 0; ac += rr->flags; ac += rr->protocol << 8; ac += rr->algorithm; for (i = 0; i < rr->pubkey.length; i++) { ac += (i & 1) ? (unsigned char)rr->pubkey.data[i] : ((unsigned char)rr->pubkey.data[i]) << 8; } ac += (ac >> 16) & 0xFFFF; rr->key_tag = ac & 0xFFFF; rr->pkey_built = 0; rr->pkey = NULL; rr->key_type = KEY_TYPE_UNUSED; if (*s) { return bitch("garbage after valid DNSKEY data"); } result = store_record(type, name, ttl, rr); if (result) { rr->next_key = all_dns_keys; all_dns_keys = rr; } return result; } static char* dnskey_human(struct rr *rrv) { RRCAST(dnskey); char s[1024]; snprintf(s, 1024, "%hu %d %d XXX ; key id = %hu", rr->flags, rr->protocol, rr->algorithm, rr->key_tag); return quickstrdup_temp(s); } static struct binary_data dnskey_wirerdata(struct rr *rrv) { RRCAST(dnskey); return compose_binary_data("211d", 1, rr->flags, rr->protocol, rr->algorithm, rr->pubkey); } static void *dnskey_validate(struct rr *rrv) { RRCAST(dnskey); if (G.opt.policy_checks[POLICY_DNSKEY]) { if (algorithm_type(rr->algorithm) == ALG_RSA_FAMILY) { unsigned int e_bytes; unsigned char *pk; int l; pk = (unsigned char *)rr->pubkey.data; l = rr->pubkey.length; e_bytes = *pk++; l--; if (e_bytes == 0) { if (l < 2) return moan(rr->rr.file_name, rr->rr.line, "public key is too short"); e_bytes = (*pk++) << 8; e_bytes += *pk++; l -= 2; } if (l < e_bytes) return moan(rr->rr.file_name, rr->rr.line, "public key is too short"); if (*pk == 0) return moan(rr->rr.file_name, rr->rr.line, "leading zero octets in public key exponent"); pk += e_bytes; l -= e_bytes; if (l > 0 && *pk == 0) return moan(rr->rr.file_name, rr->rr.line, "leading zero octets in key modulus"); } } return NULL; } struct rr_methods dnskey_methods = { dnskey_parse, dnskey_human, dnskey_wirerdata, NULL, dnskey_validate }; int dnskey_build_pkey(struct rr_dnskey *rr) { if (rr->pkey_built) return rr->pkey ? 1 : 0; rr->pkey_built = 1; if (algorithm_type(rr->algorithm) == ALG_RSA_FAMILY) { RSA *rsa; EVP_PKEY *pkey; unsigned int e_bytes; unsigned char *pk; int l; rsa = RSA_new(); if (!rsa) goto done; pk = (unsigned char *)rr->pubkey.data; l = rr->pubkey.length; e_bytes = *pk++; l--; if (e_bytes == 0) { if (l < 2) /* public key is too short */ goto done; e_bytes = (*pk++) << 8; e_bytes += *pk++; l -= 2; } if (l < e_bytes) /* public key is too short */ goto done; rsa->e = BN_bin2bn(pk, e_bytes, NULL); pk += e_bytes; l -= e_bytes; rsa->n = BN_bin2bn(pk, l, NULL); pkey = EVP_PKEY_new(); if (!pkey) goto done; if (!EVP_PKEY_set1_RSA(pkey, rsa)) goto done; rr->pkey = pkey; } done: if (!rr->pkey) { moan(rr->rr.file_name, rr->rr.line, "error building pkey"); } return rr->pkey ? 1 : 0; } void dnskey_ksk_policy_check(void) { struct rr_dnskey *rr = all_dns_keys; int ksk_found = 0; while (rr) { if (rr->key_type == KEY_TYPE_KSK) ksk_found = 1; rr = rr->next_key; } if (!ksk_found) moan(all_dns_keys->rr.file_name, all_dns_keys->rr.line, "No KSK found"); } ds.c000066400000000000000000000051311265465626700116530ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr* ds_parse(char *name, long ttl, int type, char *s) { struct rr_ds *rr = getmem(sizeof(*rr)); int key_tag, algorithm, digest_type; key_tag = extract_integer(&s, "key tag", NULL); if (key_tag < 0) return NULL; rr->key_tag = key_tag; algorithm = extract_algorithm(&s, "algorithm"); if (algorithm == ALG_UNSUPPORTED) return NULL; rr->algorithm = algorithm; digest_type = extract_integer(&s, "digest type", NULL); if (digest_type < 0) return NULL; rr->digest_type = digest_type; rr->digest = extract_hex_binary_data(&s, "digest", EXTRACT_EAT_WHITESPACE); if (rr->digest.length < 0) return NULL; /* See http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xml * for valid digest types. */ switch (digest_type) { case 1: if (rr->digest.length != SHA1_BYTES) { return bitch("wrong SHA-1 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA1_BYTES); } break; case 2: if (rr->digest.length != SHA256_BYTES) { return bitch("wrong SHA-256 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA256_BYTES); } break; case 3: if (rr->digest.length != GOST_BYTES) { return bitch("wrong GOST R 34.11-94 digest length: %d bytes found, %d bytes expected", rr->digest.length, GOST_BYTES); } break; case 4: if (rr->digest.length != SHA384_BYTES) { return bitch("wrong SHA-384 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA384_BYTES); } break; default: return bitch("bad or unsupported digest type %d", digest_type); } if (*s) { return bitch("garbage after valid DS data"); } return store_record(type, name, ttl, rr); } static char* ds_human(struct rr *rrv) { RRCAST(ds); char ss[4096]; char *s = ss; int l; int i; l = snprintf(s, 4096, "%u %u %u ", rr->key_tag, rr->algorithm, rr->digest_type); s += l; for (i = 0; i < rr->digest.length; i++) { l = snprintf(s, 4096-(s-ss), "%02X", (unsigned char)rr->digest.data[i]); s += l; } return quickstrdup_temp(ss); } static struct binary_data ds_wirerdata(struct rr *rrv) { RRCAST(ds); return compose_binary_data("211d", 1, rr->key_tag, rr->algorithm, rr->digest_type, rr->digest); } struct rr_methods ds_methods = { ds_parse, ds_human, ds_wirerdata, NULL, NULL }; hinfo.c000066400000000000000000000024461265465626700123560ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *hinfo_parse(char *name, long ttl, int type, char *s) { struct rr_hinfo *rr = getmem(sizeof(*rr)); rr->cpu = extract_text(&s, "CPU"); if (rr->cpu.length < 0) return NULL; if (rr->cpu.length > 255) return bitch("CPU string is too long"); rr->os = extract_text(&s, "OS"); if (rr->os.length < 0) return NULL; if (rr->os.length > 255) return bitch("OS string is too long"); if (*s) { return bitch("garbage after valid HINFO data"); } return store_record(type, name, ttl, rr); } static char* hinfo_human(struct rr *rrv) { RRCAST(hinfo); char s[1024]; snprintf(s, 1024, "\"%s\" \"%s\"", rr->cpu.data, rr->os.data); return quickstrdup_temp(s); } static struct binary_data hinfo_wirerdata(struct rr *rrv) { RRCAST(hinfo); return compose_binary_data("bb", 1, rr->cpu, rr->os); } struct rr_methods hinfo_methods = { hinfo_parse, hinfo_human, hinfo_wirerdata, NULL, NULL }; installation.mdwn000066400000000000000000000015151265465626700144730ustar00rootroot00000000000000# validns installation ## Compatibility Known to compile and work on: - FreeBSD 10.0 amd64 - FreeBSD 9.0 amd64 - FreeBSD 8.2 i386 - Ubuntu 10.10 1 i386 - Debian 5.0.3 "lenny" x86_64 - MacOS X 10.6.7 (10.7.0 Darwin) i386 Is likely to compile and work on any modern Unix-like OS. ## Requirements - Judy dynamic arrays - http://judy.sourceforge.net/ - FreeBSD: ports/devel/judy - Debian/Ubuntu: libjudy-dev - MacOS X: macports judy - Test::Command::Simple perl module (for tests only) - FreeBSD: ports/devel/p5-Test-Command-Simple - anywhere: cpanm Test::Command::Simple ## Compilation Type `make`. If there are troubles, have a long hard look at the `Makefile`, fix the problems, repeat. ## Installation Copy `validns` executable someplace. The manual page will be added soon. Once it is here, copy it some(other)place as well. ipseckey.c000066400000000000000000000112561265465626700130660ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *ipseckey_parse(char *name, long ttl, int type, char *s) { struct rr_ipseckey *rr = getmem(sizeof(*rr)); int i; rr->precedence = i = extract_integer(&s, "precedence", NULL); if (i < 0) return NULL; if (i >= 256) return bitch("precedence range is not valid"); rr->gateway_type = i = extract_integer(&s, "gateway type", NULL); if (i < 0) return NULL; if (i > 3) return bitch("gateway type is not valid"); rr->algorithm = i = extract_integer(&s, "algorithm", NULL); if (i < 0) return NULL; if (i > 2) return bitch("algorithm is not valid"); switch (rr->gateway_type) { case 0: rr->gateway.gateway_none = extract_name(&s, "gateway/.", KEEP_CAPITALIZATION); if (!rr->gateway.gateway_none) return NULL; if (strcmp(rr->gateway.gateway_none, ".") != 0) return bitch("gateway must be \".\" for gateway type 0"); break; case 1: if (extract_ipv4(&s, "gateway/IPv4", &rr->gateway.gateway_ipv4) <= 0) return NULL; break; case 2: if (extract_ipv6(&s, "gateway/IPv6", &rr->gateway.gateway_ipv6) <= 0) return NULL; break; case 3: rr->gateway.gateway_name = extract_name(&s, "gateway/name", KEEP_CAPITALIZATION); if (!rr->gateway.gateway_name) return NULL; break; default: croakx(7, "assertion failed: gateway type %d not within range", rr->gateway_type); } /* My reading of http://tools.ietf.org/html/rfc4025 is fuzzy on: * * - whether it is possible to have algorithm 0 and non-empty key; * - whether it is possible to have empty key and algorithm != 0. * * Here I assume "not possible" for both. */ switch (rr->algorithm) { case 0: break; case 1: /* DSA key */ rr->public_key = extract_base64_binary_data(&s, "public key"); if (rr->public_key.length < 0) return NULL; break; case 2: /* RSA key */ rr->public_key = extract_base64_binary_data(&s, "public key"); if (rr->public_key.length < 0) return NULL; break; default: croakx(7, "assertion failed: algorithm %d not within range", rr->algorithm); } if (*s) { return bitch("garbage after valid IPSECKEY data"); } return store_record(type, name, ttl, rr); } static char* ipseckey_human(struct rr *rrv) { RRCAST(ipseckey); char s[1024], gw[1024]; switch (rr->gateway_type) { case 0: strcpy(gw, rr->gateway.gateway_none); break; case 1: inet_ntop(AF_INET, &rr->gateway.gateway_ipv4, gw, 1024); break; case 2: inet_ntop(AF_INET6, &rr->gateway.gateway_ipv6, gw, 1024); break; case 3: strcpy(gw, rr->gateway.gateway_name); break; default: strcpy(gw, "??"); } snprintf(s, 1024, "( %d %d %d %s ... )", rr->precedence, rr->gateway_type, rr->algorithm, gw); return quickstrdup_temp(s); } static struct binary_data ipseckey_wirerdata(struct rr *rrv) { RRCAST(ipseckey); struct binary_data helper; switch (rr->gateway_type) { case 0: if (rr->algorithm != 0) return compose_binary_data("111d", 1, rr->precedence, rr->gateway_type, rr->algorithm, rr->public_key); else return compose_binary_data("111", 1, rr->precedence, rr->gateway_type, rr->algorithm); break; case 1: helper.length = sizeof(rr->gateway.gateway_ipv4); helper.data = (void *)&rr->gateway.gateway_ipv4; if (rr->algorithm != 0) return compose_binary_data("111dd", 1, rr->precedence, rr->gateway_type, rr->algorithm, helper, rr->public_key); else return compose_binary_data("111d", 1, rr->precedence, rr->gateway_type, rr->algorithm, helper); break; case 2: helper.length = sizeof(rr->gateway.gateway_ipv6); helper.data = (void *)&rr->gateway.gateway_ipv6; if (rr->algorithm != 0) return compose_binary_data("111dd", 1, rr->precedence, rr->gateway_type, rr->algorithm, helper, rr->public_key); else return compose_binary_data("111d", 1, rr->precedence, rr->gateway_type, rr->algorithm, helper); break; case 3: if (rr->algorithm != 0) return compose_binary_data("111dd", 1, rr->precedence, rr->gateway_type, rr->algorithm, name2wire_name(rr->gateway.gateway_name), rr->public_key); else return compose_binary_data("111d", 1, rr->precedence, rr->gateway_type, rr->algorithm, name2wire_name(rr->gateway.gateway_name)); break; } return bad_binary_data(); } struct rr_methods ipseckey_methods = { ipseckey_parse, ipseckey_human, ipseckey_wirerdata, NULL, NULL }; isdn.c000066400000000000000000000030571265465626700122070ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" /* XXX Does not accept multiple character-strings */ static struct rr *isdn_parse(char *name, long ttl, int type, char *s) { struct rr_isdn *rr = getmem(sizeof(*rr)); rr->isdn_address = extract_text(&s, "ISDN-address"); if (rr->isdn_address.length < 0) return NULL; if (rr->isdn_address.length > 255) return bitch("ISDN-address too long"); rr->sa_present = 0; if (*s) { rr->sa = extract_text(&s, "subaddress"); if (rr->sa.length < 0) return NULL; if (rr->sa.length > 255) return bitch("subaddress too long"); rr->sa_present = 1; } if (*s) { return bitch("garbage after valid ISDN data"); } return store_record(type, name, ttl, rr); } static char* isdn_human(struct rr *rrv) { RRCAST(isdn); return rr->isdn_address.data; } static struct binary_data isdn_wirerdata(struct rr *rrv) { RRCAST(isdn); struct binary_data r, t; r = bad_binary_data(); t.length = 0; t.data = NULL; r = compose_binary_data("db", 1, t, rr->isdn_address); t = r; if (rr->sa_present) { r = compose_binary_data("db", 1, t, rr->sa); t = r; } return r; } struct rr_methods isdn_methods = { isdn_parse, isdn_human, isdn_wirerdata, NULL, NULL }; kx.c000066400000000000000000000022701265465626700116700ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *kx_parse(char *name, long ttl, int type, char *s) { struct rr_kx *rr = getmem(sizeof(*rr)); rr->preference = extract_integer(&s, "KX preference", NULL); if (rr->preference < 0) return NULL; rr->exchanger = extract_name(&s, "KX exchanger", 0); if (!rr->exchanger) return NULL; if (*s) { return bitch("garbage after valid KX data"); } return store_record(type, name, ttl, rr); } static char* kx_human(struct rr *rrv) { RRCAST(kx); char s[1024]; snprintf(s, 1024, "%d %s", rr->preference, rr->exchanger); return quickstrdup_temp(s); } static struct binary_data kx_wirerdata(struct rr *rrv) { RRCAST(kx); return compose_binary_data("2d", 1, rr->preference, name2wire_name(rr->exchanger)); } struct rr_methods kx_methods = { kx_parse, kx_human, kx_wirerdata, NULL, NULL }; l32.c000066400000000000000000000025541265465626700116530ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *l32_parse(char *name, long ttl, int type, char *s) { struct rr_l32 *rr = getmem(sizeof(*rr)); struct in_addr ipv4_like; int preference; rr->preference = preference = extract_integer(&s, "L32 preference", NULL); if (preference < 0) return NULL; if (extract_ipv4(&s, "Locator32", &ipv4_like) <= 0) return NULL; rr->locator32 = ipv4_like.s_addr; if (*s) { return bitch("garbage after valid L32 data"); } return store_record(type, name, ttl, rr); } static char* l32_human(struct rr *rrv) { RRCAST(l32); char s[1024]; snprintf(s, 1024, "%d %d.%d.%d.%d", rr->preference, (rr->locator32 >> 24) & 0xff, (rr->locator32 >> 16) & 0xff, (rr->locator32 >> 8) & 0xff, (rr->locator32 >> 0) & 0xff); return quickstrdup_temp(s); } static struct binary_data l32_wirerdata(struct rr *rrv) { RRCAST(l32); return compose_binary_data("24", 1, rr->preference, rr->locator32); } struct rr_methods l32_methods = { l32_parse, l32_human, l32_wirerdata, NULL, NULL }; l64.c000066400000000000000000000025411265465626700116540ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *l64_parse(char *name, long ttl, int type, char *s) { struct rr_l64 *rr = getmem(sizeof(*rr)); int preference; rr->preference = preference = extract_integer(&s, "L64 preference", NULL); if (preference < 0) return NULL; if (extract_u64(&s, "Locator64", &rr->locator64) < 0) return NULL; if (*s) { return bitch("garbage after valid L64 data"); } return store_record(type, name, ttl, rr); } static char* l64_human(struct rr *rrv) { RRCAST(l64); char s[1024]; snprintf(s, 1024, "%d %x:%x:%x:%x", rr->preference, (unsigned)(rr->locator64 >> 48) & 0xffff, (unsigned)(rr->locator64 >> 32) & 0xffff, (unsigned)(rr->locator64 >> 16) & 0xffff, (unsigned)(rr->locator64 >> 0) & 0xffff); return quickstrdup_temp(s); } static struct binary_data l64_wirerdata(struct rr *rrv) { RRCAST(l64); return compose_binary_data("28", 1, rr->preference, rr->locator64); } struct rr_methods l64_methods = { l64_parse, l64_human, l64_wirerdata, NULL, NULL }; loc.c000066400000000000000000000123731265465626700120300ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static uint8_t double2loc_format(double val) { if (val > 1000000000) { return (((uint8_t)(val / 1000000000)) << 4) | 9; } else if (val > 100000000) { return (((uint8_t)(val / 100000000)) << 4) | 8; } else if (val > 10000000) { return (((uint8_t)(val / 10000000)) << 4) | 7; } else if (val > 1000000) { return (((uint8_t)(val / 1000000)) << 4) | 6; } else if (val > 100000) { return (((uint8_t)(val / 100000)) << 4) | 5; } else if (val > 10000) { return (((uint8_t)(val / 10000)) << 4) | 4; } else if (val > 1000) { return (((uint8_t)(val / 1000)) << 4) | 3; } else if (val > 100) { return (((uint8_t)(val / 100)) << 4) | 2; } else if (val > 10) { return (((uint8_t)(val / 10)) << 4) | 1; } else { return (((uint8_t)(val)) << 4); } } static struct rr *loc_parse(char *name, long ttl, int type, char *s) { struct rr_loc *rr = getmem(sizeof(*rr)); long long i; int deg; int min; double sec, val; rr->version = 0; /* latitude block */ i = extract_integer(&s, "degrees latitude", NULL); if (i < 0) return NULL; if (i > 90) return bitch("degrees latitude not in the range 0..90"); deg = i; min = 0; sec = 0; if (isdigit(*s)) { i = extract_integer(&s, "minutes latitude", NULL); if (i < 0) return NULL; if (i > 59) return bitch("minutes latitude not in the range 0..59"); min = i; if (isdigit(*s)) { /* restricted floating point, starting with a digit */ if (extract_double(&s, "seconds latitude", &sec, 0) < 0) return NULL; if (sec < 0 || sec > 59.999) return bitch("seconds latitude not in the range 0..59.999"); } } rr->latitude = sec*1000 + .5 + min*1000*60 + deg*1000*60*60; if (*s == 'n' || *s == 'N') { s++; rr->latitude = 2147483648u + rr->latitude; } else if (*s == 's' || *s == 'S') { s++; rr->latitude = 2147483648u - rr->latitude; } else { return bitch("latitude: N or S is expected"); } if (*s && !isspace(*s) && *s != ';' && *s != ')') { return bitch("latitude: N or S is expected"); } s = skip_white_space(s); if (!s) return NULL; /* longitude block */ i = extract_integer(&s, "degrees longitude", NULL); if (i < 0) return NULL; if (i > 180) return bitch("degrees longitude not in the range 0..90"); deg = i; min = 0; sec = 0; if (isdigit(*s)) { i = extract_integer(&s, "minutes longitude", NULL); if (i < 0) return NULL; if (i > 59) return bitch("minutes longitude not in the range 0..59"); min = i; if (isdigit(*s)) { /* restricted floating point, starting with a digit */ if (extract_double(&s, "seconds longitude", &sec, 0) < 0) return NULL; if (sec < 0 || sec > 59.999) return bitch("seconds longitude not in the range 0..59.999"); } } rr->longitude = sec*1000 + .5 + min*1000*60 + deg*1000*60*60; if (*s == 'e' || *s == 'E') { s++; rr->longitude = 2147483648u + rr->longitude; } else if (*s == 'w' || *s == 'W') { s++; rr->longitude = 2147483648u - rr->longitude; } else { return bitch("longitude: E or W is expected"); } if (*s && !isspace(*s) && *s != ';' && *s != ')') { return bitch("longitude: E or W is expected"); } s = skip_white_space(s); if (!s) return NULL; if (extract_double(&s, "altitude", &val, 1) < 0) return NULL; if (val < -100000.00 || val > 42849672.95) return bitch("altitude is out of supported range"); rr->altitude = (val + 100000.00) * 100 + 0.5; if (*s) { if (extract_double(&s, "sphere size", &val, 1) < 0) return NULL; if (val < 0 || val > 90000000.00) return bitch("sphere size is out of supported range"); rr->size = double2loc_format(val * 100 + 0.5); if (*s) { if (extract_double(&s, "horizontal precision", &val, 1) < 0) return NULL; if (val < 0 || val > 90000000.00) return bitch("horizontal precision is out of supported range"); rr->horiz_pre = double2loc_format(val * 100 + 0.5); if (*s) { if (extract_double(&s, "vertical precision", &val, 1) < 0) return NULL; if (val < 0 || val > 90000000.00) return bitch("vertical precision is out of supported range"); rr->vert_pre = double2loc_format(val * 100 + 0.5); } else { rr->vert_pre = double2loc_format(10 * 100 + 0.5); } } else { rr->horiz_pre = double2loc_format(10000 * 100 + 0.5); } } else { rr->size = double2loc_format(1 * 100 + 0.5); } if (*s) { return bitch("garbage after valid LOC data"); } return store_record(type, name, ttl, rr); } static char* loc_human(struct rr *rrv) { // struct rr_loc *rr = (struct rr_loc *)rrv; // char s[1024]; // snprintf(s, 1024, "\"%s\" \"%s\"", rr->cpu.data, rr->os.data); // return quickstrdup_temp(s); return "meow"; } static struct binary_data loc_wirerdata(struct rr *rrv) { RRCAST(loc); return compose_binary_data("1111444", 1, rr->version, rr->size, rr->horiz_pre, rr->vert_pre, rr->latitude, rr->longitude, rr->altitude); } struct rr_methods loc_methods = { loc_parse, loc_human, loc_wirerdata, NULL, NULL }; lp.c000066400000000000000000000024201265465626700116560ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *lp_parse(char *name, long ttl, int type, char *s) { struct rr_lp *rr = getmem(sizeof(*rr)); int preference; rr->preference = preference = extract_integer(&s, "LP preference", NULL); if (preference < 0) return NULL; rr->fqdn = extract_name(&s, "LP fqdn", 0); if (!rr->fqdn) return NULL; if (strcasecmp(name, rr->fqdn) == 0) { return bitch("LP points to itself"); } if (*s) { return bitch("garbage after valid LP data"); } return store_record(type, name, ttl, rr); } static char* lp_human(struct rr *rrv) { RRCAST(lp); char s[1024]; snprintf(s, 1024, "%d %s", rr->preference, rr->fqdn); return quickstrdup_temp(s); } static struct binary_data lp_wirerdata(struct rr *rrv) { RRCAST(lp); return compose_binary_data("2d", 1, rr->preference, name2wire_name(rr->fqdn)); } struct rr_methods lp_methods = { lp_parse, lp_human, lp_wirerdata, NULL, NULL }; main.c000066400000000000000000000432041265465626700121740ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #include #include "common.h" #include "carp.h" #include "mempool.h" #include "textparse.h" #include "rr.h" struct globals G; struct file_info *file_info = NULL; int read_zone_file(void); void open_zone_file(char *fname); static void concat_generate_template(char *buf, int bufsz, int val, struct generate_template_piece *t) { char sval[40]; while (t) { if (t->constant_string) { mystrlcat(buf, t->constant_string, bufsz); } else { snprintf(sval, 40, "%d", val); mystrlcat(buf, sval, bufsz); } t = t->next; } } static struct generate_template_piece * free_generate_template(struct generate_template_piece *t) { struct generate_template_piece *n; while (t) { n = t->next; free(t); t = n; } return NULL; } static void create_generate_template_piece(struct generate_template_piece **generate_template, char *s) { if (s && *s == 0) return; struct generate_template_piece *p = malloc(sizeof(struct generate_template_piece)); p->constant_string = s; p->next = NULL; if (*generate_template) { struct generate_template_piece *t = *generate_template; while (t->next) t = t->next; t->next = p; } else { *generate_template = p; } } static struct generate_template_piece * prepare_generate_template(char *t) { char *s = t; struct generate_template_piece *r = NULL; while (1) { while (*t && *t != '$') t++; if (!*t) { create_generate_template_piece(&r, s); break; } else { *t = 0; create_generate_template_piece(&r, s); create_generate_template_piece(&r, NULL); t++; s = t; } } return r; } static char *process_directive(char *s) { char *d = s+1; if (*(s+1) == 'O' && strncmp(s, "$ORIGIN", 7) == 0) { char *o; s += 7; if (!isspace(*s)) { if (isalnum(*s)) goto unrecognized_directive; return bitch("bad $ORIGIN format"); } s = skip_white_space(s); o = extract_name(&s, "$ORIGIN value", 0); if (!o) { return NULL; } if (*s) { return bitch("garbage after valid $ORIGIN directive"); } file_info->current_origin = o; if (G.opt.verbose) { fprintf(stderr, "-> %s:%d: ", file_info->name, file_info->line); fprintf(stderr, "origin is now %s\n", o); } } else if (*(s+1) == 'T' && strncmp(s, "$TTL", 4) == 0) { s += 4; if (!isspace(*s)) { if (isalnum(*s)) goto unrecognized_directive; return bitch("bad $TTL format"); } s = skip_white_space(s); G.default_ttl = extract_timevalue(&s, "$TTL value"); if (G.default_ttl < 0) { return NULL; } if (*s) { return bitch("garbage after valid $TTL directive"); } if (G.opt.verbose) { fprintf(stderr, "-> %s:%d: ", file_info->name, file_info->line); fprintf(stderr, "default ttl is now %ld\n", G.default_ttl); } } else if (*(s+1) == 'G' && strncmp(s, "$GENERATE", 9) == 0) { int from, to; char *lhs, *rdtype; s += 9; if (!isspace(*s)) { if (isalnum(*s)) goto unrecognized_directive; return bitch("bad $GENERATE format"); } s = skip_white_space(s); from = extract_integer(&s, "generate-from", "-"); if (from < 0) return NULL; if (*s != '-') return bitch("'-' between generate-from and generate-to is expected"); s++; to = extract_integer(&s, "generate-to", "-"); if (to < 0) return NULL; if (*s == '/') return bitch("generate-step is unsupported for now"); lhs = extract_name(&s, "generate-lhs", KEEP_CAPITALIZATION | DOLLAR_OK_IN_NAMES); if (!lhs) return NULL; if (*s == '{') return bitch("{offset,width,type} is unsupported for now"); rdtype = extract_label(&s, "type", NULL); if (!rdtype) return NULL; file_info->generate_cur = from; file_info->generate_lim = to; file_info->generate_type = rdtype; file_info->generate_lhs = prepare_generate_template(lhs); file_info->generate_rhs = prepare_generate_template(quickstrdup(s)); return s; } else if (*(s+1) == 'I' && strncmp(s, "$INCLUDE", 8) == 0) { char *p, *f; char c; s += 8; if (!isspace(*s)) { if (isalnum(*s)) goto unrecognized_directive; return bitch("bad $INCLUDE format"); } s = skip_white_space(s); p = s; while (*s && !isspace(*s) && *s != ';') s++; c = *s; *s = '\0'; if (!*p) { return bitch("$INCLUDE directive with empty file name"); } f = quickstrdup_temp(p); *s = c; s = skip_white_space(s); if (*s) { return bitch("garbage after valid $INCLUDE directive"); } if (*f == '/') { open_zone_file(f); } else { char buf[1024]; snprintf(buf, 1024, "%s/%s", G.opt.include_path, f); open_zone_file(buf); } } else { unrecognized_directive: s = d-1; while (isalnum(*d)) d++; *d = '\0'; return bitch("unrecognized directive: %s", s); } return s; } char * read_zone_line(void) { char *r; if (file_info->generate_lhs) { if (file_info->generate_cur <= file_info->generate_lim) { file_info->buf[0] = 0; concat_generate_template(file_info->buf, LINEBUFSZ, file_info->generate_cur, file_info->generate_lhs); mystrlcat(file_info->buf, " ", LINEBUFSZ); mystrlcat(file_info->buf, file_info->generate_type, LINEBUFSZ); mystrlcat(file_info->buf, " ", LINEBUFSZ); concat_generate_template(file_info->buf, LINEBUFSZ, file_info->generate_cur, file_info->generate_rhs); file_info->generate_cur++; return file_info->buf; } else { /* Done with this $GENERATE */ file_info->generate_cur = 0; file_info->generate_lim = 0; file_info->generate_type = NULL; file_info->generate_lhs = NULL; free_generate_template(file_info->generate_lhs); free_generate_template(file_info->generate_rhs); file_info->generate_rhs = NULL; } } r = fgets(file_info->buf, LINEBUFSZ, file_info->file); if (r) file_info->line++; return r; } int read_zone_file(void) { char *s; char *name = NULL, *class, *rdtype; long ttl = -1; while (file_info) { while (read_zone_line()) { freeall_temp(); file_info->paren_mode = 0; rdtype = NULL; if (empty_line_or_comment(file_info->buf)) continue; s = file_info->buf; if (!isspace(*s)) { /* , $INCLUDE, $ORIGIN */ if (*s == '$') { process_directive(s); continue; } else { /* */ name = extract_name(&s, "record name", 0); if (!name) continue; } } else { s = skip_white_space(s); } if (!s) continue; if (!name) { bitch("cannot assume previous name for it is not known"); continue; } if (G.default_ttl >= 0) ttl = G.default_ttl; if (isdigit(*s)) { ttl = extract_timevalue(&s, "TTL"); if (ttl < 0) continue; class = extract_label(&s, "class or type", "temporary"); if (!class) continue; if (*class == 'i' && *(class+1) == 'n' && *(class+2) == 0) { } else if (*class == 'c' && *(class+1) == 's' && *(class+2) == 0) { bitch("CSNET class is not supported"); continue; } else if (*class == 'c' && *(class+1) == 'h' && *(class+2) == 0) { bitch("CHAOS class is not supported"); continue; } else if (*class == 'h' && *(class+1) == 's' && *(class+2) == 0) { bitch("HESIOD class is not supported"); continue; } else { rdtype = class; } } else { class = extract_label(&s, "class or type", "temporary"); if (!class) continue; if (*class == 'i' && *(class+1) == 'n' && *(class+2) == 0) { if (isdigit(*s)) { ttl = extract_timevalue(&s, "TTL"); if (ttl < 0) continue; } } else if (*class == 'c' && *(class+1) == 's' && *(class+2) == 0) { bitch("CSNET class is not supported"); continue; } else if (*class == 'c' && *(class+1) == 'h' && *(class+2) == 0) { bitch("CHAOS class is not supported"); continue; } else if (*class == 'h' && *(class+1) == 's' && *(class+2) == 0) { bitch("HESIOD class is not supported"); continue; } else { rdtype = class; } } if (!rdtype) { rdtype = extract_label(&s, "type", "temporary"); } if (!rdtype) { continue; } if (ttl < 0) { ttl = G.default_ttl; } { int is_generic; int type = str2rdtype(rdtype, &is_generic); struct rr *rr; if (type <= 0) continue; if (ttl < 0 && !(G.opt.soa_minttl_as_default_ttl && type == T_SOA)) { bitch("ttl not specified and default is not known"); continue; } if (is_generic) rr = rr_parse_any(name, ttl, type, s); else if (type > T_MAX) rr = rr_parse_any(name, ttl, type, s); else if (rr_methods[type].rr_parse) rr = rr_methods[type].rr_parse(name, ttl, type, s); else rr = rr_parse_any(name, ttl, type, s); if (type == T_SOA && ttl < 0 && rr) { struct rr_soa *soa = (struct rr_soa *) rr; soa->rr.ttl = G.default_ttl = soa->minimum; if (G.opt.verbose) { fprintf(stderr, "-> %s:%d: ", file_info->name, file_info->line); fprintf(stderr, "no ttl specified; using SOA MINTTL (%ld) instead\n", G.default_ttl); } } } } if (ferror(file_info->file)) croak(1, "read error for %s", file_info->name); file_info = file_info->next; } return 0; } void open_zone_file(char *fname) { FILE *f; struct file_info *new_file_info; if (strcmp(fname, "-") == 0) { f = stdin; fname = "stdin"; } else { f = fopen(fname, "r"); if (!file_info && !G.opt.include_path_specified) { G.opt.include_path = quickstrdup(dirname(quickstrdup_temp(fname))); } } if (!f) croak(1, "open %s", fname); new_file_info = malloc(sizeof(*new_file_info) + strlen(fname) + 1); if (!new_file_info) croak(1, "malloc(file_info), %s", fname); new_file_info->next = file_info; new_file_info->file = f; new_file_info->line = 0; strcpy(new_file_info->name, fname); if (file_info) { new_file_info->current_origin = file_info->current_origin; } else { new_file_info->current_origin = G.opt.first_origin; } file_info = new_file_info; } void usage(char *err) { if (err) fprintf(stderr, "%s\n", err); fprintf(stderr, "Usage:\n"); fprintf(stderr, " %s -h\n", thisprogname()); fprintf(stderr, " %s [options] zone-file\n", thisprogname()); fprintf(stderr, "Usage parameters:\n"); fprintf(stderr, "\t-h\t\tproduce usage text and quit\n"); fprintf(stderr, "\t-f\t\tquit on first validation error\n"); fprintf(stderr, "\t-p name\tperform policy check \n"); fprintf(stderr, "\t\t\tsingle-ns\n"); fprintf(stderr, "\t\t\tcname-other-data\n"); fprintf(stderr, "\t\t\tdname\n"); fprintf(stderr, "\t\t\tnsec3param-not-apex\n"); fprintf(stderr, "\t\t\tmx-alias\n"); fprintf(stderr, "\t\t\tns-alias\n"); fprintf(stderr, "\t\t\trp-txt-exists\n"); fprintf(stderr, "\t\t\ttlsa-host\n"); fprintf(stderr, "\t\t\tksk-exists\n"); fprintf(stderr, "\t\t\tall\n"); fprintf(stderr, "\t-n N\t\tuse N worker threads\n"); fprintf(stderr, "\t-q\t\tquiet - do not produce any output\n"); fprintf(stderr, "\t-s\t\tprint validation summary/stats\n"); fprintf(stderr, "\t-v\t\tbe extra verbose\n"); fprintf(stderr, "\t-I path\tuse this path for $INCLUDE files\n"); fprintf(stderr, "\t-z origin\tuse this origin as initial $ORIGIN\n"); fprintf(stderr, "\t-t epoch-time\tuse this time instead of \"now\"\n"); exit(1); } struct rr_methods rr_methods[T_MAX+1]; static void initialize_globals(void) { int i; setenv("TZ", "GMT0", 1); tzset(); memset(&G, 0, sizeof(G)); memset(&G.opt, 0, sizeof(G.opt)); memset(&G.stats, 0, sizeof(G.stats)); G.default_ttl = -1; /* XXX orly? */ G.opt.times_to_check[0] = time(NULL); G.opt.n_times_to_check = 0; G.opt.include_path = "."; for (i = 0; i <= T_MAX; i++) { rr_methods[i] = unknown_methods; } rr_methods[T_AAAA] = aaaa_methods; rr_methods[T_A] = a_methods; rr_methods[T_AFSDB] = afsdb_methods; rr_methods[T_CERT] = cert_methods; rr_methods[T_CNAME] = cname_methods; rr_methods[T_DHCID] = dhcid_methods; rr_methods[T_DLV] = dlv_methods; rr_methods[T_DNAME] = dname_methods; rr_methods[T_DNSKEY] = dnskey_methods; rr_methods[T_DS] = ds_methods; rr_methods[T_HINFO] = hinfo_methods; rr_methods[T_IPSECKEY] = ipseckey_methods; rr_methods[T_ISDN] = isdn_methods; rr_methods[T_KX] = kx_methods; rr_methods[T_L32] = l32_methods; rr_methods[T_L64] = l64_methods; rr_methods[T_LOC] = loc_methods; rr_methods[T_LP] = lp_methods; rr_methods[T_MB] = mb_methods; rr_methods[T_MG] = mg_methods; rr_methods[T_MINFO] = minfo_methods; rr_methods[T_MR] = mr_methods; rr_methods[T_MX] = mx_methods; rr_methods[T_NAPTR] = naptr_methods; rr_methods[T_NID] = nid_methods; rr_methods[T_NSAP] = nsap_methods; rr_methods[T_NSEC3PARAM] = nsec3param_methods; rr_methods[T_NSEC3] = nsec3_methods; rr_methods[T_NSEC] = nsec_methods; rr_methods[T_NS] = ns_methods; rr_methods[T_PTR] = ptr_methods; rr_methods[T_PX] = px_methods; rr_methods[T_RP] = rp_methods; rr_methods[T_RT] = rt_methods; rr_methods[T_RRSIG] = rrsig_methods; rr_methods[T_SOA] = soa_methods; rr_methods[T_SPF] = spf_methods; rr_methods[T_SRV] = srv_methods; rr_methods[T_SSHFP] = sshfp_methods; rr_methods[T_TLSA] = tlsa_methods; rr_methods[T_TXT] = txt_methods; rr_methods[T_X25] = x25_methods; } int main(int argc, char **argv) { int o; struct timeval start, stop; initialize_globals(); while ((o = getopt(argc, argv, "fhMqsvI:z:t:p:n:")) != -1) { switch(o) { case 'h': usage(NULL); break; case 'f': G.opt.die_on_first_error = 1; break; case 'M': G.opt.soa_minttl_as_default_ttl = 1; break; case 'q': G.opt.no_output = 1; break; case 's': G.opt.summary = 1; break; case 'v': G.opt.verbose = 1; break; case 'p': if (strcmp(optarg, "all") == 0) { int i; for (i = 0; i < N_POLICY_CHECKS; i++) { G.opt.policy_checks[i] = 1; } } else if (strcmp(optarg, "single-ns") == 0) { G.opt.policy_checks[POLICY_SINGLE_NS] = 1; } else if (strcmp(optarg, "cname-other-data") == 0) { G.opt.policy_checks[POLICY_CNAME_OTHER_DATA] = 1; } else if (strcmp(optarg, "dname") == 0) { G.opt.policy_checks[POLICY_DNAME] = 1; } else if (strcmp(optarg, "dnskey") == 0) { G.opt.policy_checks[POLICY_DNSKEY] = 1; } else if (strcmp(optarg, "nsec3param-not-apex") == 0) { G.opt.policy_checks[POLICY_NSEC3PARAM_NOT_APEX] = 1; } else if (strcmp(optarg, "mx-alias") == 0) { G.opt.policy_checks[POLICY_MX_ALIAS] = 1; } else if (strcmp(optarg, "ns-alias") == 0) { G.opt.policy_checks[POLICY_NS_ALIAS] = 1; } else if (strcmp(optarg, "rp-txt-exists") == 0) { G.opt.policy_checks[POLICY_RP_TXT_EXISTS] = 1; } else if (strcmp(optarg, "tlsa-host") == 0) { G.opt.policy_checks[POLICY_TLSA_HOST] = 1; } else if (strcmp(optarg, "ksk-exists") == 0) { G.opt.policy_checks[POLICY_KSK_EXISTS] = 1; } else { usage("unknown policy name"); } break; case 'I': G.opt.include_path = optarg; G.opt.include_path_specified = 1; break; case 'z': if (strlen(optarg) && *(optarg+strlen(optarg)-1) == '.') { G.opt.first_origin = optarg; } else if (strlen(optarg)) { G.opt.first_origin = getmem(strlen(optarg)+2); strcpy(mystpcpy(G.opt.first_origin, optarg), "."); } else { usage("origin must not be empty"); } break; case 'n': G.opt.n_threads = strtol(optarg, NULL, 10); if (G.opt.n_threads > 256) usage("non-sensical number of threads requested"); if (G.opt.verbose) fprintf(stderr, "using %d worker threads\n", G.opt.n_threads); break; case 't': if (G.opt.n_times_to_check >= MAX_TIMES_TO_CHECK) usage("too many -t specified"); G.opt.times_to_check[G.opt.n_times_to_check++] = strtol(optarg, NULL, 10); break; default: usage(NULL); } } if (G.opt.n_times_to_check <= 0) G.opt.n_times_to_check = 1; argc -= optind; argv += optind; if (argc != 1) usage(NULL); gettimeofday(&start, NULL); open_zone_file(argv[0]); read_zone_file(); validate_zone(); verify_all_keys(); if (G.nsec3_present) { if (first_nsec3) nsec3_validate(&first_nsec3->rr); perform_remaining_nsec3checks(); } if (G.dnssec_active && G.opt.policy_checks[POLICY_KSK_EXISTS]) { dnskey_ksk_policy_check(); } gettimeofday(&stop, NULL); if (G.opt.summary) { printf("records found: %d\n", G.stats.rr_count); printf("skipped dups: %d\n", G.stats.skipped_dup_rr_count); printf("record sets found: %d\n", G.stats.rrset_count); printf("unique names found: %d\n", G.stats.names_count); printf("delegations found: %d\n", G.stats.delegations); printf(" nsec3 records: %d\n", G.stats.nsec3_count); /* "not authoritative names" - non-empty terminals without any authoritative records */ /* delegation points count as authoritative, which might or might not be correct */ printf("not authoritative names, not counting delegation points:\n" " %d\n", G.stats.not_authoritative); printf("validation errors: %d\n", G.stats.error_count); printf("signatures verified: %d\n", G.stats.signatures_verified); printf("time taken: %.3fs\n", stop.tv_sec - start.tv_sec + (stop.tv_usec - start.tv_usec)/1000000.); } return G.exit_code; } mb.c000066400000000000000000000016571265465626700116540ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *mb_parse(char *name, long ttl, int type, char *s) { struct rr_mb *rr = getmem(sizeof(*rr)); rr->madname = extract_name(&s, "madname", 0); if (!rr->madname) return NULL; if (*s) { return bitch("garbage after valid MB data"); } return store_record(type, name, ttl, rr); } static char* mb_human(struct rr *rrv) { RRCAST(mb); return rr->madname; } static struct binary_data mb_wirerdata(struct rr *rrv) { RRCAST(mb); return name2wire_name(rr->madname); } struct rr_methods mb_methods = { mb_parse, mb_human, mb_wirerdata, NULL, NULL }; mempool.c000066400000000000000000000043051265465626700127170ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include "mempool.h" #include "carp.h" struct pool { struct pool *next; size_t pool_size; size_t free_index; char mem[0]; }; static struct pool *freespace = NULL; static struct pool *temp_freespace = NULL; static void new_pool(size_t size) { struct pool *pool; size = (size + sizeof(void *) - 1) / sizeof(void *); size *= sizeof(void *); pool = malloc(size + sizeof(struct pool)); if (!pool) croak(1, "new_pool malloc"); pool->next = freespace; pool->free_index = 0; pool->pool_size = size; freespace = pool; } void mem_requirements_hint(size_t size) { if (freespace) return; new_pool(size); } void *getmem(size_t size) { void *ret; size = (size + sizeof(void *) - 1) / sizeof(void *); size *= sizeof(void *); if (!freespace) new_pool(size > 256000 ? size : 256000); if (freespace->pool_size - freespace->free_index < size) new_pool(size > 256000 ? size : 256000); ret = freespace->mem + freespace->free_index; freespace->free_index += size; return ret; } void *getmem_temp(size_t size) { void *ret; size = (size + sizeof(void *) - 1) / sizeof(void *); size *= sizeof(void *); if (!temp_freespace) { size_t pool_size = size > 1024*1024 ? size : 1024*1024; pool_size = (pool_size + sizeof(void *) - 1) / sizeof(void *); pool_size *= sizeof(void *); temp_freespace = malloc(pool_size + sizeof(struct pool)); if (!temp_freespace) croak(1, "getmem_temp malloc"); temp_freespace->next = NULL; temp_freespace->free_index = 0; temp_freespace->pool_size = pool_size; } if (temp_freespace->pool_size - temp_freespace->free_index < size) croak(1, "getmem_temp request too large"); ret = temp_freespace->mem + temp_freespace->free_index; temp_freespace->free_index += size; return ret; } int freeall_temp(void) { if (temp_freespace) { temp_freespace->free_index = 0; } return 1; } char *quickstrdup(char *s) { char *r = getmem(strlen(s)+1); return strcpy(r, s); } char *quickstrdup_temp(char *s) { char *r = getmem_temp(strlen(s)+1); return strcpy(r, s); } mempool.h000066400000000000000000000006411265465626700127230ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #ifndef _MEMPOOL_H #define _MEMPOOL_H 1 void mem_requirements_hint(size_t size); void *getmem(size_t size); char *quickstrdup(char *s); int freeall_temp(void); void *getmem_temp(size_t size); char *quickstrdup_temp(char *s); #endif mg.c000066400000000000000000000016571265465626700116610ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *mg_parse(char *name, long ttl, int type, char *s) { struct rr_mg *rr = getmem(sizeof(*rr)); rr->mgmname = extract_name(&s, "mgmname", 0); if (!rr->mgmname) return NULL; if (*s) { return bitch("garbage after valid MG data"); } return store_record(type, name, ttl, rr); } static char* mg_human(struct rr *rrv) { RRCAST(mg); return rr->mgmname; } static struct binary_data mg_wirerdata(struct rr *rrv) { RRCAST(mg); return name2wire_name(rr->mgmname); } struct rr_methods mg_methods = { mg_parse, mg_human, mg_wirerdata, NULL, NULL }; minfo.c000066400000000000000000000022561265465626700123620ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *minfo_parse(char *name, long ttl, int type, char *s) { struct rr_minfo *rr = getmem(sizeof(*rr)); rr->rmailbx = extract_name(&s, "rmailbx", 0); if (!rr->rmailbx) return NULL; rr->emailbx = extract_name(&s, "emailbx", 0); if (!rr->emailbx) return NULL; if (*s) { return bitch("garbage after valid MINFO data"); } return store_record(type, name, ttl, rr); } static char* minfo_human(struct rr *rrv) { RRCAST(minfo); char s[1024]; snprintf(s, 1024, "%s %s", rr->rmailbx, rr->emailbx); return quickstrdup_temp(s); } static struct binary_data minfo_wirerdata(struct rr *rrv) { RRCAST(minfo); return compose_binary_data("dd", 1, name2wire_name(rr->rmailbx), name2wire_name(rr->emailbx)); } struct rr_methods minfo_methods = { minfo_parse, minfo_human, minfo_wirerdata, NULL, NULL }; mr.c000066400000000000000000000016571265465626700116740ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *mr_parse(char *name, long ttl, int type, char *s) { struct rr_mr *rr = getmem(sizeof(*rr)); rr->newname = extract_name(&s, "newname", 0); if (!rr->newname) return NULL; if (*s) { return bitch("garbage after valid MR data"); } return store_record(type, name, ttl, rr); } static char* mr_human(struct rr *rrv) { RRCAST(mr); return rr->newname; } static struct binary_data mr_wirerdata(struct rr *rrv) { RRCAST(mr); return name2wire_name(rr->newname); } struct rr_methods mr_methods = { mr_parse, mr_human, mr_wirerdata, NULL, NULL }; mx.c000066400000000000000000000032761265465626700117010ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *mx_parse(char *name, long ttl, int type, char *s) { struct rr_mx *rr = getmem(sizeof(*rr)); rr->preference = extract_integer(&s, "MX preference", NULL); if (rr->preference < 0) return NULL; /* XXX preference range check */ rr->exchange = extract_name(&s, "MX exchange", 0); if (!rr->exchange) return NULL; if (*s) { return bitch("garbage after valid MX data"); } return store_record(type, name, ttl, rr); } static char* mx_human(struct rr *rrv) { RRCAST(mx); char s[1024]; snprintf(s, 1024, "%d %s", rr->preference, rr->exchange); return quickstrdup_temp(s); } static struct binary_data mx_wirerdata(struct rr *rrv) { RRCAST(mx); return compose_binary_data("2d", 1, rr->preference, name2wire_name(rr->exchange)); } static void* mx_validate_set(struct rr_set *rr_set) { if (rr_set->named_rr->flags & NAME_FLAG_CONTAINS_SLASH) { struct rr *rr = rr_set->tail; return moan(rr->file_name, rr->line, "host name contains '/'"); } return NULL; } static void *mx_validate(struct rr *rrv) { RRCAST(mx); if (G.opt.policy_checks[POLICY_MX_ALIAS]) { if (find_rr_set(T_CNAME, rr->exchange)) { return moan(rr->rr.file_name, rr->rr.line, "MX exchange is an alias"); } } return NULL; } struct rr_methods mx_methods = { mx_parse, mx_human, mx_wirerdata, mx_validate_set, mx_validate }; naptr.c000066400000000000000000000037051265465626700123760ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *naptr_parse(char *name, long ttl, int type, char *s) { struct rr_naptr *rr = getmem(sizeof(*rr)); int i; struct binary_data text; i = extract_integer(&s, "order", NULL); if (i < 0) return NULL; if (i >= 65536) return bitch("order range is not valid"); rr->order = i; i = extract_integer(&s, "preference", NULL); if (i < 0) return NULL; if (i >= 65536) return bitch("preference range is not valid"); rr->preference = i; text = extract_text(&s, "flags"); if (text.length < 0) return NULL; for (i = 0; i < text.length; i++) { if (!isalnum(text.data[i])) { return bitch("flags contains illegal characters"); } } rr->flags = text; text = extract_text(&s, "services"); if (text.length < 0) return NULL; rr->services = text; text = extract_text(&s, "regexp"); if (text.length < 0) return NULL; rr->regexp = text; rr->replacement = extract_name(&s, "replacement", 0); if (!rr->replacement) return NULL; if (*s) { return bitch("garbage after valid NAPTR data"); } return store_record(type, name, ttl, rr); } static char* naptr_human(struct rr *rrv) { RRCAST(naptr); char s[1024]; snprintf(s, 1024, "%hu %hu \"%s\" ...", rr->order, rr->preference, rr->flags.data); return quickstrdup_temp(s); } static struct binary_data naptr_wirerdata(struct rr *rrv) { RRCAST(naptr); return compose_binary_data("22bbbd", 1, rr->order, rr->preference, rr->flags, rr->services, rr->regexp, name2wire_name(rr->replacement)); } struct rr_methods naptr_methods = { naptr_parse, naptr_human, naptr_wirerdata, NULL, NULL }; nid.c000066400000000000000000000025221265465626700120200ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *nid_parse(char *name, long ttl, int type, char *s) { struct rr_nid *rr = getmem(sizeof(*rr)); int preference; rr->preference = preference = extract_integer(&s, "NID preference", NULL); if (preference < 0) return NULL; if (extract_u64(&s, "NodeID", &rr->node_id) < 0) return NULL; if (*s) { return bitch("garbage after valid NID data"); } return store_record(type, name, ttl, rr); } static char* nid_human(struct rr *rrv) { RRCAST(nid); char s[1024]; snprintf(s, 1024, "%d %x:%x:%x:%x", rr->preference, (unsigned)(rr->node_id >> 48) & 0xffff, (unsigned)(rr->node_id >> 32) & 0xffff, (unsigned)(rr->node_id >> 16) & 0xffff, (unsigned)(rr->node_id >> 0) & 0xffff); return quickstrdup_temp(s); } static struct binary_data nid_wirerdata(struct rr *rrv) { RRCAST(nid); return compose_binary_data("28", 1, rr->preference, rr->node_id); } struct rr_methods nid_methods = { nid_parse, nid_human, nid_wirerdata, NULL, NULL }; notes.mdwn000066400000000000000000000012121265465626700131140ustar00rootroot00000000000000# validns notes ## OMISSIONS A number of corners were cut to assume the most usual way of doing things. Therefore, in many cases, `validns` currently does not strictly adhere to various standards. In particular, it should be possible (and easy) to construct a perfectly valid zone file which `validns` will report as problematic. It is expected that those cases will be all fixed over time. But if you have a valid zone which `validns` cannot parse, please do report this fact to the author, with examples. If there is a need for the community to fix a particular omission, it will be fixed sooner. Needless to say, patches are always welcome. ns.c000066400000000000000000000035021265465626700116650ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *ns_parse(char *name, long ttl, int type, char *s) { struct rr_ns *rr = getmem(sizeof(*rr)); struct rr *ret_rr; rr->nsdname = extract_name(&s, "name server domain name", 0); if (!rr->nsdname) return NULL; if (*s) { return bitch("garbage after valid NS data"); } ret_rr = store_record(type, name, ttl, rr); if (ret_rr) { if (!(ret_rr->rr_set->named_rr->flags & (NAME_FLAG_APEX|NAME_FLAG_DELEGATION))) { ret_rr->rr_set->named_rr->flags |= NAME_FLAG_DELEGATION; G.stats.delegations++; } } return ret_rr; } static char* ns_human(struct rr *rrv) { RRCAST(ns); return rr->nsdname; } static struct binary_data ns_wirerdata(struct rr *rrv) { RRCAST(ns); return name2wire_name(rr->nsdname); } static void* ns_validate_set(struct rr_set *rr_set) { struct rr *rr; if (G.opt.policy_checks[POLICY_SINGLE_NS]) { if (rr_set->count < 2) { rr = rr_set->tail; return moan(rr->file_name, rr->line, "there should be at least two NS records per name"); } } return NULL; } static void *ns_validate(struct rr *rrv) { RRCAST(ns); if (G.opt.policy_checks[POLICY_NS_ALIAS]) { if (find_rr_set(T_CNAME, rr->nsdname)) { return moan(rr->rr.file_name, rr->rr.line, "NS data is an alias"); } } if (strchr(rr->nsdname, '/') != NULL) return moan(rr->rr.file_name, rr->rr.line, "NS data contains '/'"); return NULL; } struct rr_methods ns_methods = { ns_parse, ns_human, ns_wirerdata, ns_validate_set, ns_validate }; nsap.c000066400000000000000000000017371265465626700122160ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr* nsap_parse(char *name, long ttl, int type, char *s) { struct rr_nsap *rr = getmem(sizeof(*rr)); rr->data = extract_hex_binary_data(&s, "NSAP data", EXTRACT_EAT_WHITESPACE); if (rr->data.length < 0) return NULL; if (*s) { return bitch("garbage after valid NSAP data"); } return store_record(type, name, ttl, rr); } static char* nsap_human(struct rr *rrv) { return "..."; } static struct binary_data nsap_wirerdata(struct rr *rrv) { RRCAST(nsap); return compose_binary_data("d", 1, rr->data); } struct rr_methods nsap_methods = { nsap_parse, nsap_human, nsap_wirerdata, NULL, NULL }; nsec.c000066400000000000000000000070401265465626700121760ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. 604800 NSEC example.com. NS DS RRSIG NSEC 604800 RRSIG NSEC 10 3 604800 20130321184221 ( 20130219184221 35615 example.com. WWg7EiYoY8Hp593I2i5Mkl2ezg7YuAnq0y75 oymTCuEfGwh4OxbMT/mWNqAFL5Y8f0YoQOOY wZP0m/sGK/EJN7ulNsfQyULY4WsyHIGlKMwT KdyDXJLrmrzlmRnGv7pFb0bo53n3osE0uFfH yMQYOkQRYfqa4yWXF9Nl48dy67frtVih0foy 9Mm76mmJSDUd/jGsYQmaoFGVU/a64rWapVQ9 O/mXPqr6Pw2ZCHecsF4ElMEp41YqG1DfR5QR khTjvTlg4aTKvgX1YuvDhjUygSHit47xn2NC 2WwEZF+vYXT9DIUCMcKdVeb4bjWwUXbWNFqz Ca3jb/mpOpUDFnrRPw== ) * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr* nsec_parse(char *name, long ttl, int type, char *s) { struct rr_nsec *rr = getmem(sizeof(*rr)); struct binary_data bitmap; char *str_type = NULL; int ltype; rr->next_domain = extract_name(&s, "next domain", KEEP_CAPITALIZATION); /* TODO: validate next_domain, http://tools.ietf.org/html/rfc4034#section-4.1.1 */ bitmap = new_set(); while (s && *s) { str_type = extract_label(&s, "type list", "temporary"); if (!str_type) return NULL; ltype = str2rdtype(str_type, NULL); if (ltype < 0) return NULL; add_bit_to_set(&bitmap, ltype); } if (!s) return NULL; if (!str_type) { return bitch("NSEC type list should not be empty"); } rr->type_bitmap = compressed_set(&bitmap); G.dnssec_active = 1; return store_record(type, name, ttl, rr); } static char* nsec_human(struct rr *rrv) { RRCAST(nsec); char ss[1024]; char *s = ss; int l; char *base; int i, k; int type; char *type_name; l = snprintf(s, 1024, "%s", rr->next_domain); s += l; base = rr->type_bitmap.data; while (base - rr->type_bitmap.data < rr->type_bitmap.length) { for (i = 0; i < base[1]; i++) { for (k = 0; k <= 7; k++) { if (base[2+i] & (0x80 >> k)) { type = ((unsigned char)base[0])*256 + i*8 + k; type_name = rdtype2str(type); l = snprintf(s, 1024-(s-ss), " %s", type_name); s += l; } } } base += base[1]+2; } return quickstrdup_temp(ss); } static struct binary_data nsec_wirerdata(struct rr *rrv) { RRCAST(nsec); return compose_binary_data("dd", 1, name2wire_name(rr->next_domain), rr->type_bitmap); } static void* nsec_validate(struct rr *rrv) { RRCAST(nsec); struct named_rr *named_rr; named_rr = rr->rr.rr_set->named_rr; if (!check_typemap(rr->type_bitmap, named_rr, rrv)) return NULL; return rr; } void validate_nsec_chain(void) { struct rr_set *rr_set; struct named_rr *named_rr; rr_set = find_rr_set(T_NSEC, zone_apex); if (!rr_set) { named_rr = find_named_rr(zone_apex); moan(named_rr->file_name, named_rr->line, "apex NSEC not found"); return; } while (1) { char name[1024]; struct rr_nsec *rr = (struct rr_nsec *)rr_set->tail; char *s, *t; if (strcasecmp(rr->next_domain, zone_apex) == 0) /* chain complete */ break; freeall_temp(); s = rr->next_domain; t = name; while (*s) *t++ = tolower(*s++); *t = 0; rr_set = find_rr_set(T_NSEC, name); if (!rr_set) { moan(rr->rr.file_name, rr->rr.line, "broken NSEC chain %s -> %s", rr->rr.rr_set->named_rr->name, rr->next_domain); break; } } freeall_temp(); } struct rr_methods nsec_methods = { nsec_parse, nsec_human, nsec_wirerdata, NULL, nsec_validate }; nsec3.c000066400000000000000000000105661265465626700122700ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" #include "base32hex.h" static struct rr* nsec3_parse(char *name, long ttl, int type, char *s) { struct rr_nsec3 *rr = getmem(sizeof(*rr)); struct rr *ret_rr; struct binary_data bitmap; int i; int opt_out = 0; char *str_type = NULL; int ltype; i = extract_integer(&s, "hash algorithm", NULL); if (i < 0) return NULL; if (i > 255) return bitch("bad hash algorithm value"); if (i != 1) return bitch("unrecognized or unsupported hash algorithm"); rr->hash_algorithm = i; i = extract_integer(&s, "flags", NULL); if (i < 0) return NULL; if (i > 255) return bitch("bad flags value"); if (!(i == 0 || i == 1)) return bitch("unsupported flags value"); if (i == 1) opt_out = 1; rr->flags = i; i = extract_integer(&s, "iterations", NULL); if (i < 0) return NULL; if (i > 2500) return bitch("bad iterations value"); rr->iterations = i; /* TODO validate iteration count according to key size, * as per http://tools.ietf.org/html/rfc5155#section-10.3 */ if (*s == '-') { rr->salt.length = 0; rr->salt.data = NULL; s++; if (*s && !isspace(*s) && *s != ';' && *s != ')') return bitch("salt is not valid"); s = skip_white_space(s); } else { rr->salt = extract_hex_binary_data(&s, "salt", EXTRACT_DONT_EAT_WHITESPACE); if (rr->salt.length <= 0) return NULL; if (rr->salt.length > 255) return bitch("salt is too long"); } rr->next_hashed_owner = extract_base32hex_binary_data(&s, "next hashed owner"); if (rr->next_hashed_owner.length != 20) { return bitch("next hashed owner does not have the right size"); } bitmap = new_set(); while (s && *s) { str_type = extract_label(&s, "type list", "temporary"); if (!str_type) return NULL; ltype = str2rdtype(str_type, NULL); if (ltype < 0) return NULL; add_bit_to_set(&bitmap, ltype); } if (!s) return NULL; rr->type_bitmap = compressed_set(&bitmap); rr->corresponding_name = NULL; rr->next_nsec3 = NULL; if (!remember_nsec3(name, rr)) return NULL; ret_rr = store_record(type, name, ttl, rr); if (ret_rr) { G.nsec3_present = 1; G.dnssec_active = 1; G.stats.nsec3_count++; if (opt_out) { G.nsec3_opt_out_present = 1; } if (ret_rr && !nsec3param) nsec3param = ret_rr; } return ret_rr; } static char* nsec3_human(struct rr *rrv) { RRCAST(nsec3); char ss[1024]; char *s = ss; int l; int i; l = snprintf(s, 1024, "%u %u %u ", rr->hash_algorithm, rr->flags, rr->iterations); s += l; if (rr->salt.length) { for (i = 0; i < rr->salt.length; i++) { l = snprintf(s, 1024-(s-ss), "%02X", (unsigned char)rr->salt.data[i]); s += l; } } else { sprintf(s, "-"); } return quickstrdup_temp(ss); } static struct binary_data nsec3_wirerdata(struct rr *rrv) { RRCAST(nsec3); return compose_binary_data("112bbd", 1, rr->hash_algorithm, rr->flags, rr->iterations, rr->salt, rr->next_hashed_owner, rr->type_bitmap); } struct rr_nsec3 *first_nsec3 = NULL; struct rr_nsec3 *latest_nsec3 = NULL; void* nsec3_validate(struct rr *rrv) { RRCAST(nsec3); if (!first_nsec3) { first_nsec3 = rr; } if (latest_nsec3) { if (memcmp(latest_nsec3->next_hashed_owner.data, rr->this_hashed_name.data, 20) != 0) { char *expected_name = quickstrdup_temp(rr->rr.rr_set->named_rr->name); /* guaranteed to have same length, I think */ encode_base32hex(expected_name, 32, latest_nsec3->next_hashed_owner.data, 20); if (rr == first_nsec3) { moan(latest_nsec3->rr.file_name, latest_nsec3->rr.line, "broken NSEC3 chain, expected %s, but nothing found", expected_name); } else { moan(latest_nsec3->rr.file_name, latest_nsec3->rr.line, "broken NSEC3 chain, expected %s, but found %s", expected_name, rr->rr.rr_set->named_rr->name); } if (rr != first_nsec3) latest_nsec3->next_nsec3 = rr; latest_nsec3 = rr; return NULL; } if (rr != first_nsec3) latest_nsec3->next_nsec3 = rr; } latest_nsec3 = rr; return rr; } struct rr_methods nsec3_methods = { nsec3_parse, nsec3_human, nsec3_wirerdata, NULL, nsec3_validate }; nsec3checks.c000066400000000000000000000172701265465626700134500ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" #include "base32hex.h" #include "cbtree.h" static struct binary_data name2hash(char *name, struct rr *param) { struct rr_nsec3param *p = (struct rr_nsec3param *)param; EVP_MD_CTX ctx; unsigned char md0[EVP_MAX_MD_SIZE]; unsigned char md1[EVP_MAX_MD_SIZE]; unsigned char *md[2]; int mdi = 0; struct binary_data r = bad_binary_data(); struct binary_data wire_name = name2wire_name(name); int i; int digest_size; md[0] = md0; md[1] = md1; if (wire_name.length < 0) return r; /* XXX Maybe use Init_ex and Final_ex for speed? */ EVP_MD_CTX_init(&ctx); if (EVP_DigestInit(&ctx, EVP_sha1()) != 1) return r; digest_size = EVP_MD_CTX_size(&ctx); EVP_DigestUpdate(&ctx, wire_name.data, wire_name.length); EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length); EVP_DigestFinal(&ctx, md[mdi], NULL); for (i = 0; i < p->iterations; i++) { if (EVP_DigestInit(&ctx, EVP_sha1()) != 1) return r; EVP_DigestUpdate(&ctx, md[mdi], digest_size); mdi = (mdi + 1) % 2; EVP_DigestUpdate(&ctx, p->salt.data, p->salt.length); EVP_DigestFinal(&ctx, md[mdi], NULL); } r.length = digest_size; r.data = getmem(digest_size); memcpy(r.data, md[mdi], digest_size); return r; } int sorted_hashed_names_count; uint32_t mask; struct binary_data *sorted_hashed_names; void *nsec3_hash; static int validate_nsec3_for_name(const char *name, intptr_t *data, void *p) { struct named_rr *named_rr = *((struct named_rr **)data); struct binary_data hash; struct rr_nsec3 **nsec3_slot; struct rr_nsec3 *nsec3; if ((named_rr->flags & mask) == NAME_FLAG_KIDS_WITH_RECORDS) { //fprintf(stderr, "--- need nsec3, kids with records: %s\n", named_rr->name); needs_nsec3: freeall_temp(); hash = name2hash(named_rr->name, nsec3param); if (hash.length < 0) { moan(named_rr->file_name, named_rr->line, "internal: cannot calculate hashed name"); goto next; } if (hash.length != 20) croak(4, "assertion failed: wrong hashed name size %d", hash.length); JHSG(nsec3_slot, nsec3_hash, hash.data, hash.length); if (nsec3_slot == PJERR) croak(5, "perform_remaining_nsec3checks: JHSG failed"); if (!nsec3_slot) { moan(named_rr->file_name, named_rr->line, "no corresponding NSEC3 found for %s", named_rr->name); goto next; } nsec3 = *nsec3_slot; if (!nsec3) croak(6, "assertion failed: existing nsec3 from hash is empty"); nsec3->corresponding_name = named_rr; sorted_hashed_names_count++; check_typemap(nsec3->type_bitmap, named_rr, &nsec3->rr); } else if ((named_rr->flags & (NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_SIGNED_DELEGATION)) == NAME_FLAG_SIGNED_DELEGATION) { //fprintf(stderr, "--- need nsec3, signed delegation: %s\n", named_rr->name); goto needs_nsec3; } else if (!G.nsec3_opt_out_present && (named_rr->flags & (NAME_FLAG_APEX_PARENT|NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_DELEGATION|NAME_FLAG_HAS_RECORDS)) == 0) { //fprintf(stderr, "--- need nsec3, empty non-term: %s\n", named_rr->name); goto needs_nsec3; } else if (!G.nsec3_opt_out_present && (named_rr->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE))==NAME_FLAG_DELEGATION) { //fprintf(stderr, "--- need nsec3, no opt-out: %s\n", named_rr->name); goto needs_nsec3; } else if (!G.nsec3_opt_out_present && (named_rr->flags & (NAME_FLAG_THIS_WITH_RECORDS|NAME_FLAG_NOT_AUTHORITATIVE)) == NAME_FLAG_THIS_WITH_RECORDS) { //fprintf(stderr, "--- need nsec3, this with records: %s\n", named_rr->name); goto needs_nsec3; } else { //fprintf(stderr, "--- NO need for nsec3: %s\n", named_rr->name); } next: return 1; } void perform_remaining_nsec3checks(void) { struct rr_nsec3 *nsec3; sorted_hashed_names_count = 0; mask = NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_NSEC3_ONLY|NAME_FLAG_KIDS_WITH_RECORDS; if (G.nsec3_opt_out_present) { mask |= NAME_FLAG_DELEGATION; } cbtree_allprefixed(&zone_data, "", validate_nsec3_for_name, NULL); nsec3 = first_nsec3; while (nsec3) { if (!nsec3->corresponding_name) { moan(nsec3->rr.file_name, nsec3->rr.line, "NSEC3 without a corresponding record (or empty non-terminal)"); } nsec3 = nsec3->next_nsec3; } } void *remember_nsec3(char *name, struct rr_nsec3 *rr) { char hashed_name[33]; char binary_hashed_name[20]; int l; struct rr_nsec3 **nsec3_slot; l = strlen(name); if (l < 33 || name[32] != '.') return bitch("NSEC3 record name is not valid"); if (l == 33 && zone_apex_l != 1) /* root zone */ return bitch("NSEC3 record name is not valid"); if (l > 33 && strcmp(name+33, zone_apex) != 0) return bitch("NSEC3 record name is not valid"); memcpy(hashed_name, name, 32); hashed_name[32] = 0; l = decode_base32hex(binary_hashed_name, hashed_name, 20); if (l != 20) return bitch("NSEC3 record name is not valid"); JHSI(nsec3_slot, nsec3_hash, binary_hashed_name, 20); if (nsec3_slot == PJERR) croak(2, "remember_nsec3: JHSI failed"); if (*nsec3_slot) return bitch("multiple NSEC3 with the same record name"); *nsec3_slot = rr; rr->this_hashed_name.length = 20; rr->this_hashed_name.data = getmem(20); memcpy(rr->this_hashed_name.data, binary_hashed_name, 20); return rr; } void *check_typemap(struct binary_data type_bitmap, struct named_rr *named_rr, struct rr *reference_rr) { int type; char *base; int i, k; struct rr_set *set; uint32_t nsec_distinct_types = 0; uint32_t real_distinct_types; base = type_bitmap.data; while (base - type_bitmap.data < type_bitmap.length) { for (i = 0; i < base[1]; i++) { for (k = 0; k <= 7; k++) { if (base[2+i] & (0x80 >> k)) { type = ((unsigned char)base[0])*256 + i*8 + k; nsec_distinct_types++; set = find_rr_set_in_named_rr(named_rr, type); if (!set) { return moan(reference_rr->file_name, reference_rr->line, "%s mentions %s, but no such record found for %s", rdtype2str(reference_rr->rdtype), rdtype2str(type), named_rr->name); } } } } base += base[1]+2; } real_distinct_types = get_rr_set_count(named_rr); if (real_distinct_types > nsec_distinct_types) { void *bitmap = NULL; struct rr_set **rr_set_slot; int rc; Word_t rcw; Word_t rdtype; int skipped = 0; base = type_bitmap.data; while (base - type_bitmap.data < type_bitmap.length) { for (i = 0; i < base[1]; i++) { for (k = 0; k <= 7; k++) { if (base[2+i] & (0x80 >> k)) { type = ((unsigned char)base[0])*256 + i*8 + k; J1S(rc, bitmap, type); } } } base += base[1]+2; } rdtype = 0; JLF(rr_set_slot, named_rr->rr_sets, rdtype); while (rr_set_slot) { J1T(rc, bitmap, (*rr_set_slot)->rdtype); if (!rc) { if ((named_rr->flags & NAME_FLAG_DELEGATION) && ((*rr_set_slot)->rdtype == T_A || (*rr_set_slot)->rdtype == T_AAAA)) { skipped++; } else { moan(reference_rr->file_name, reference_rr->line, "%s exists, but %s does not mention it for %s", rdtype2str((*rr_set_slot)->rdtype), rdtype2str(reference_rr->rdtype), named_rr->name); J1FA(rcw, bitmap); return NULL; } } JLN(rr_set_slot, named_rr->rr_sets, rdtype); } J1FA(rcw, bitmap); if (real_distinct_types - skipped > nsec_distinct_types) { return moan(reference_rr->file_name, reference_rr->line, "internal: we know %s typemap is wrong, but don't know any details", rdtype2str(reference_rr->rdtype)); } } return reference_rr; } nsec3param.c000066400000000000000000000054611265465626700133070ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" struct rr *nsec3param = NULL; static struct rr* nsec3param_parse(char *name, long ttl, int type, char *s) { struct rr_nsec3param *rr = getmem(sizeof(*rr)); struct rr *ret_rr; int i; i = extract_integer(&s, "hash algorithm", NULL); if (i < 0) return NULL; if (i > 255) return bitch("bad hash algorithm value"); if (i != 1) return bitch("unrecognized or unsupported hash algorithm"); rr->hash_algorithm = i; i = extract_integer(&s, "flags", NULL); if (i < 0) return NULL; if (i > 255) return bitch("bad flags value"); if (i != 0) return bitch("flags is supposed to be 0 for NSEC3PARAM"); rr->flags = i; i = extract_integer(&s, "iterations", NULL); if (i < 0) return NULL; if (i > 2500) return bitch("bad iterations value"); rr->iterations = i; /* TODO validate iteration count according to key size, * as per http://tools.ietf.org/html/rfc5155#section-10.3 */ if (*s == '-') { rr->salt.length = 0; rr->salt.data = NULL; s++; if (*s && !isspace(*s) && *s != ';' && *s != ')') return bitch("salt is not valid"); s = skip_white_space(s); } else { rr->salt = extract_hex_binary_data(&s, "salt", EXTRACT_DONT_EAT_WHITESPACE); if (rr->salt.length <= 0) return NULL; if (rr->salt.length > 255) return bitch("salt is too long"); } if (*s) { return bitch("garbage after valid NSEC3PARAM data"); } G.dnssec_active = 1; ret_rr = store_record(type, name, ttl, rr); if (ret_rr && !nsec3param && (ret_rr->rr_set->named_rr->flags & NAME_FLAG_APEX)) nsec3param = ret_rr; if (G.opt.policy_checks[POLICY_NSEC3PARAM_NOT_APEX] && (ret_rr->rr_set->named_rr->flags & NAME_FLAG_APEX) == 0) { return bitch("NSEC3PARAM found not at zone apex"); } return ret_rr; } static char* nsec3param_human(struct rr *rrv) { RRCAST(nsec3param); char ss[1024]; char *s = ss; int l; int i; l = snprintf(s, 1024, "%u %u %u ", rr->hash_algorithm, rr->flags, rr->iterations); s += l; if (rr->salt.length) { for (i = 0; i < rr->salt.length; i++) { l = snprintf(s, 1024-(s-ss), "%02X", (unsigned char)rr->salt.data[i]); s += l; } } else { sprintf(s, "-"); } return quickstrdup_temp(ss); } static struct binary_data nsec3param_wirerdata(struct rr *rrv) { RRCAST(nsec3param); return compose_binary_data("112b", 1, rr->hash_algorithm, rr->flags, rr->iterations, rr->salt); } struct rr_methods nsec3param_methods = { nsec3param_parse, nsec3param_human, nsec3param_wirerdata, NULL, NULL }; ptr.c000066400000000000000000000017171265465626700120600ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *ptr_parse(char *name, long ttl, int type, char *s) { struct rr_ptr *rr = getmem(sizeof(*rr)); rr->ptrdname = extract_name(&s, "name server domain name", 0); if (!rr->ptrdname) return NULL; if (*s) { return bitch("garbage after valid PTR data"); } return store_record(type, name, ttl, rr); } static char* ptr_human(struct rr *rrv) { RRCAST(ptr); return rr->ptrdname; } static struct binary_data ptr_wirerdata(struct rr *rrv) { RRCAST(ptr); return name2wire_name(rr->ptrdname); } struct rr_methods ptr_methods = { ptr_parse, ptr_human, ptr_wirerdata, NULL, NULL }; px.c000066400000000000000000000024501265465626700116750ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *px_parse(char *name, long ttl, int type, char *s) { struct rr_px *rr = getmem(sizeof(*rr)); rr->preference = extract_integer(&s, "PX preference", NULL); if (rr->preference < 0) return NULL; rr->map822 = extract_name(&s, "map822", 0); if (!rr->map822) return NULL; rr->mapx400 = extract_name(&s, "mapx400", 0); if (!rr->mapx400) return NULL; if (*s) { return bitch("garbage after valid KX data"); } return store_record(type, name, ttl, rr); } static char* px_human(struct rr *rrv) { RRCAST(px); char s[1024]; snprintf(s, 1024, "%d %s %s", rr->preference, rr->map822, rr->mapx400); return quickstrdup_temp(s); } static struct binary_data px_wirerdata(struct rr *rrv) { RRCAST(px); return compose_binary_data("2dd", 1, rr->preference, name2wire_name(rr->map822), name2wire_name(rr->mapx400)); } struct rr_methods px_methods = { px_parse, px_human, px_wirerdata, NULL, NULL }; rp.c000066400000000000000000000030661265465626700116730ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *rp_parse(char *name, long ttl, int type, char *s) { struct rr_rp *rr = getmem(sizeof(*rr)); rr->mbox_dname = extract_name(&s, "mbox domain name", 0); if (!rr->mbox_dname) return NULL; rr->txt_dname = extract_name(&s, "txt domain name", 0); if (!rr->txt_dname) return NULL; if (*s) { return bitch("garbage after valid RP data"); } return store_record(type, name, ttl, rr); } static char* rp_human(struct rr *rrv) { RRCAST(rp); char s[1024]; snprintf(s, 1024, "\"%s\" \"%s\"", rr->mbox_dname, rr->txt_dname); return quickstrdup_temp(s); } static struct binary_data rp_wirerdata(struct rr *rrv) { RRCAST(rp); return compose_binary_data("dd", 1, name2wire_name(rr->mbox_dname), name2wire_name(rr->txt_dname)); } static void *rp_validate(struct rr *rrv) { RRCAST(rp); if (G.opt.policy_checks[POLICY_RP_TXT_EXISTS]) { if (name_belongs_to_zone(rr->txt_dname) && !find_rr_set(T_TXT, rr->txt_dname)) { return moan(rr->rr.file_name, rr->rr.line, "%s RP TXT %s does not exist", rr->rr.rr_set->named_rr->name, rr->txt_dname); } } return NULL; } struct rr_methods rp_methods = { rp_parse, rp_human, rp_wirerdata, NULL, rp_validate }; rr.c000066400000000000000000000500671265465626700117000ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "mempool.h" #include "carp.h" #include "textparse.h" #include "rr.h" #include "cbtree.h" static char* rdtype2str_map[T_MAX+1] = { "0", "A", "NS", "MD", "MF", "CNAME", /* 5 */ "SOA", "MB", "MG", "MR", "NULL", /* 10 */ "WKS", "PTR", "HINFO", "MINFO", "MX", /* 15 */ "TXT", "RP", "AFSDB", "X25", "ISDN", /* 20 */ "RT", "NSAP", "NSAP-PTR", "SIG", "KEY", /* 25 */ "PX", "GPOS", "AAAA", "LOC", "NXT", /* 30 */ "EID", "NIMLOC", "SRV", "ATMA", "NAPTR", /* 35 */ "KX", "CERT", "A6", "DNAME", "SINK", /* 40 */ "OPT", "APL", "DS", "SSHFP", "IPSECKEY", /* 45 */ "RRSIG", "NSEC", "DNSKEY", "DHCID", "NSEC3", /* 50 */ "NSEC3PARAM", "TLSA", 0, 0, 0, 0, 0, 0, 0, 0, /* 60 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 70 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 80 */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 90 */ 0, 0, 0, 0, 0, 0, 0, 0, "SPF", 0, /* 100 */ 0, 0, 0, "NID", "L32", "L64", "LP", }; struct cbtree zone_data = {NULL}; char *zone_apex = NULL; int zone_apex_l = 0; char *rdtype2str(int type) { char s[10]; char *r; if (type < 0 || type > 65535) { return "???"; } if (type > T_MAX) { sprintf(s, "TYPE%d", type); return quickstrdup_temp(s); } r = rdtype2str_map[type]; if (r) return r; if (type == 32769) { return rdtype2str_map[type] = "DLV"; } sprintf(s, "TYPE%d", type); return quickstrdup_temp(s); } static unsigned char *name2findable_name(char *s) { int l = strlen(s); unsigned char *res = getmem_temp(l+1); unsigned char *r = res; int i; if (l > 0 && s[l-1] == '.') l--; while (--l >= 0) { i = l; while (i >= 0 && s[i] != '.') i--; memcpy(r, s+i+1, l-i); r += l-i; *r = '\x01'; r++; l = i; } if (r > res) r--; *r = 0; return res; } struct binary_data name2wire_name(char *s) { unsigned char *res = getmem_temp(strlen(s)+2); unsigned char *r = res; unsigned char *c = res; struct binary_data toret; r++; *c = 0; while (*s) { if (*s != '.') { *r++ = *s++; } else { *c = (unsigned char)(r-c-1); c = r; *c = 0; r++; s++; } } *c = (unsigned char)(r-c-1); toret.length = r-res; toret.data = (char*)res; if (toret.length == 2) /* "." is just 00, not 00 00 */ toret.length = 1; return toret; } static struct named_rr *find_or_create_named_rr(char *name) { struct named_rr *named_rr = find_named_rr(name); if (!named_rr) { struct named_rr **named_rr_slot; char *s; named_rr = getmem(sizeof(struct named_rr)); named_rr->name = quickstrdup(name); named_rr->rr_sets = NULL; named_rr->line = file_info->line; named_rr->file_name = file_info->name; named_rr->flags = 0; named_rr->parent = NULL; if (strchr(name, '/') != NULL) named_rr->flags |= NAME_FLAG_CONTAINS_SLASH; named_rr_slot = (void *)cbtree_insert(&zone_data, (char *)name2findable_name(name)); if (!named_rr_slot) croak(2, "find_or_create_named_rr: tree insertion failed"); if (*named_rr_slot) croak(3, "find_or_create_named_rr: assertion error, %s should not be there", name); *named_rr_slot = named_rr; G.stats.names_count++; s = strchr(name, '.'); if (s && s[1] != '\0') { named_rr->parent = find_or_create_named_rr(s+1); } } return named_rr; } static struct rr_set *find_or_create_rr_set(struct named_rr *named_rr, int rdtype) { struct rr_set *rr_set = find_rr_set_in_named_rr(named_rr, rdtype); if (!rr_set) { struct rr_set **rr_set_slot; rr_set = getmem(sizeof(struct rr_set)); rr_set->head = NULL; rr_set->tail = NULL; rr_set->named_rr = named_rr; rr_set->rdtype = rdtype; rr_set->count = 0; JLI(rr_set_slot, named_rr->rr_sets, rdtype); if (rr_set_slot == PJERR) croak(2, "find_or_create_rr_set: JLI failed"); if (*rr_set_slot) croak(3, "find_or_create_rr_set: assertion error, %s/%s should not be there", named_rr->name, rdtype2str(rdtype)); *rr_set_slot = rr_set; G.stats.rrset_count++; } return rr_set; } int name_belongs_to_zone(const char *name) { int name_l; name_l = strlen(name); if (zone_apex && name_l >= zone_apex_l) { if (strcmp(zone_apex, name+name_l-zone_apex_l) != 0) { return 0; } else if (name_l > zone_apex_l && name[name_l-zone_apex_l-1] != '.') { return 0; } } else { if (zone_apex) { return 0; } else { // XXX this is actually very bad, zone apex is not know return 0; } } return 1; } struct binary_data call_get_wired(struct rr *rr) { rr_wire_func get_wired; if (rr->rdtype > T_MAX || rr->is_generic) get_wired = any_wirerdata; else get_wired = rr_methods[rr->rdtype].rr_wire; if (!get_wired) return bad_binary_data(); return get_wired(rr); } struct rr *store_record(int rdtype, char *name, long ttl, void *rrptr) { struct rr *rr = rrptr; struct named_rr *named_rr; struct rr_set *rr_set; int name_l; int apex_assigned = 0; int is_generic = 0; if (rdtype < 0) { rdtype = -rdtype; is_generic = 1; } name_l = strlen(name); if (name_l > 511) return bitch("name is too long: %s", name); if (G.stats.rr_count == 0) { if (rdtype != T_SOA) { return bitch("the first record in the zone must be an SOA record"); } else { zone_apex = name; zone_apex_l = name_l; apex_assigned = 1; } } if (zone_apex && name_l >= zone_apex_l) { if (strcmp(zone_apex, name+name_l-zone_apex_l) != 0) { return bitch("%s does not belong to zone %s", name, zone_apex); } else if (name_l > zone_apex_l && name[name_l-zone_apex_l-1] != '.') { return bitch("%s does not belong to zone %s", name, zone_apex); } } else { if (zone_apex) { return bitch("%s does not belong to zone %s", name, zone_apex); } else { croakx(3, "assertion error: %s does not belong to a zone", name); } } named_rr = find_or_create_named_rr(name); if (apex_assigned) { named_rr->flags |= NAME_FLAG_APEX; } rr_set = find_or_create_rr_set(named_rr, rdtype); rr->rdtype = rdtype; rr->ttl = ttl; rr->line = file_info->line; rr->file_name = file_info->name; rr->is_generic = is_generic; if (rr_set->count > 0) { struct binary_data new_d, old_d; struct rr *old_rr; new_d = call_get_wired(rr); if (new_d.length < 0) goto after_dup_check; old_rr = rr_set->tail; while (old_rr) { old_d = call_get_wired(old_rr); if (old_d.length == new_d.length && memcmp(old_d.data, new_d.data, old_d.length) == 0) { G.stats.skipped_dup_rr_count++; return old_rr; } old_rr = old_rr->next; } } after_dup_check: if (rdtype == T_SOA) { if (G.stats.soa_rr_count++) { return bitch("there could only be one SOA in a zone"); } } rr->rr_set = rr_set; rr->next = NULL; rr->prev = rr_set->head; rr_set->head = rr; if (rr->prev) rr->prev->next = rr; if (!rr_set->tail) rr_set->tail = rr; rr_set->count++; if (G.opt.verbose) { char *rdata; if (rdtype > T_MAX) rdata = any_human(rr); else rdata = rr_methods[rdtype].rr_human(rr); fprintf(stderr, "-> %s:%d: %s IN %ld %s", file_info->name, file_info->line, name, ttl, rdtype2str(rdtype)); if (rdata) { fprintf(stderr, " %s\n", rdata); } else { fprintf(stderr, "\n"); } } G.stats.rr_count++; named_rr->flags |= NAME_FLAG_HAS_RECORDS; return rr; } struct named_rr *find_named_rr(char *name) { struct named_rr **named_rr_slot; named_rr_slot = (void*) cbtree_find(&zone_data, (char *)name2findable_name(name)); if (named_rr_slot) return *named_rr_slot; return NULL; } struct named_rr *find_next_named_rr(struct named_rr *named_rr) { struct named_rr *res; if (cbtree_next(&zone_data, (char *)name2findable_name(named_rr->name), (intptr_t *)&res) == NULL) return NULL; return res; } struct rr_set *find_rr_set(int rdtype, char *name) { struct named_rr *named_rr; named_rr = find_named_rr(name); if (!named_rr) return NULL; return find_rr_set_in_named_rr(named_rr, rdtype); } struct rr_set *find_rr_set_in_named_rr(struct named_rr *named_rr, int rdtype) { struct rr_set **rr_set_slot; JLG(rr_set_slot, named_rr->rr_sets, rdtype); if (rr_set_slot) return *rr_set_slot; return NULL; } uint32_t get_rr_set_count(struct named_rr *named_rr) { uint32_t count; JLC(count, named_rr->rr_sets, 0, -1); return count; } struct rr *rr_parse_any(char *name, long ttl, int type, char *s) { struct rr_any *rr = getmem(sizeof(*rr)); long long len; if (*s++ != '\\') { invalid: return bitch("invalid custom type rdata"); } if (*s++ != '#') goto invalid; if (*s && !isspace(*s) && *s != ';' && *s != ')') goto invalid; s = skip_white_space(s); if (!s) return NULL; len = extract_integer(&s, "custom data size", NULL); if (len < 0) return NULL; if (len > 65535) goto invalid; rr->data = extract_hex_binary_data(&s, "custom data", EXTRACT_EAT_WHITESPACE); if (rr->data.length < 0) return NULL; if (rr->data.length != len) return bitch("custom data is longer than specified"); if (*s) { return bitch("garbage after valid %s data", rdtype2str(type)); } return store_record(-type, name, ttl, rr); } char* any_human(struct rr *rrv) { RRCAST(any); char buf[80]; sprintf(buf, "\\# %d ...", rr->data.length); return quickstrdup_temp(buf); } struct binary_data any_wirerdata(struct rr *rrv) { RRCAST(any); return compose_binary_data("d", 1, rr->data); } struct rr_methods unknown_methods = { NULL, any_human, any_wirerdata, NULL, NULL }; int str2rdtype(char *rdtype, int *is_generic) { if (!rdtype) return -1; if (is_generic) *is_generic = 0; switch (*rdtype) { case 'a': if (strcmp(rdtype, "a") == 0) { return T_A; } else if (strcmp(rdtype, "aaaa") == 0) { return T_AAAA; } else if (strcmp(rdtype, "afsdb") == 0) { return T_AFSDB; } break; case 'c': if (strcmp(rdtype, "cname") == 0) { return T_CNAME; } else if (strcmp(rdtype, "cert") == 0) { return T_CERT; } break; case 'd': if (strcmp(rdtype, "ds") == 0) { return T_DS; } else if (strcmp(rdtype, "dnskey") == 0) { return T_DNSKEY; } else if (strcmp(rdtype, "dname") == 0) { return T_DNAME; } else if (strcmp(rdtype, "dlv") == 0) { return T_DLV; } else if (strcmp(rdtype, "dhcid") == 0) { return T_DHCID; } break; case 'h': if (strcmp(rdtype, "hinfo") == 0) { return T_HINFO; } break; case 'i': if (strcmp(rdtype, "ipseckey") == 0) { return T_IPSECKEY; } else if (strcmp(rdtype, "isdn") == 0) { return T_ISDN; } break; case 'k': if (strcmp(rdtype, "kx") == 0) { return T_KX; } break; case 'l': if (strcmp(rdtype, "loc") == 0) { return T_LOC; } else if (strcmp(rdtype, "l32") == 0) { return T_L32; } else if (strcmp(rdtype, "l64") == 0) { return T_L64; } else if (strcmp(rdtype, "lp") == 0) { return T_LP; } break; case 'm': if (strcmp(rdtype, "mx") == 0) { return T_MX; } else if (strcmp(rdtype, "mb") == 0) { return T_MB; } else if (strcmp(rdtype, "mg") == 0) { return T_MG; } else if (strcmp(rdtype, "minfo") == 0) { return T_MINFO; } else if (strcmp(rdtype, "mr") == 0) { return T_MR; } break; case 'n': if (strcmp(rdtype, "ns") == 0) { return T_NS; } else if (strcmp(rdtype, "naptr") == 0) { return T_NAPTR; } else if (strcmp(rdtype, "nsec") == 0) { return T_NSEC; } else if (strcmp(rdtype, "nsec3") == 0) { return T_NSEC3; } else if (strcmp(rdtype, "nid") == 0) { return T_NID; } else if (strcmp(rdtype, "nsec3param") == 0) { return T_NSEC3PARAM; } else if (strcmp(rdtype, "nsap") == 0) { return T_NSAP; } break; case 'p': if (strcmp(rdtype, "ptr") == 0) { return T_PTR; } else if (strcmp(rdtype, "px") == 0) { return T_PX; } break; case 'r': if (strcmp(rdtype, "rrsig") == 0) { return T_RRSIG; } else if (strcmp(rdtype, "rp") == 0) { return T_RP; } else if (strcmp(rdtype, "rt") == 0) { return T_RT; } break; case 's': if (strcmp(rdtype, "soa") == 0) { return T_SOA; } else if (strcmp(rdtype, "srv") == 0) { return T_SRV; } else if (strcmp(rdtype, "spf") == 0) { return T_SPF; } else if (strcmp(rdtype, "sshfp") == 0) { return T_SSHFP; } break; case 't': if (strcmp(rdtype, "txt") == 0) { return T_TXT; } else if (strcmp(rdtype, "tlsa") == 0) { return T_TLSA; } else if (strncmp(rdtype, "type", 4) == 0) { long type = strtol(rdtype+4, NULL, 10); if (is_generic) *is_generic = 1; if (type <= 0 || type > 65535) bitch("invalid rdtype %s", rdtype); return type; } break; case 'x': if (strcmp(rdtype, "x25") == 0) { return T_X25; } break; } bitch("invalid or unsupported rdtype %s", rdtype); return -1; } void validate_rrset(struct rr_set *rr_set) { struct rr *rr; int ttl; /* This can happen when rr_set was allocated but * nothing was added to it due to an error. */ if (rr_set->count == 0) return; rr = rr_set->tail; if (!rr) { croakx(4, "assertion failed: %s %s is null, but count is %d", rdtype2str(rr_set->rdtype), rr_set->named_rr->name, rr_set->count); } if (rr_set->rdtype < T_MAX && rr_methods[rr_set->rdtype].rr_validate_set) rr_methods[rr_set->rdtype].rr_validate_set(rr_set); ttl = rr->ttl; while (rr) { validate_record(rr); if (ttl != rr->ttl) { if (rr->rdtype != T_RRSIG) /* RRSIG is an exception */ moan(rr->file_name, rr->line, "TTL values differ within an RR set"); } rr = rr->next; } } void debug(struct named_rr *named_rr, char *s) { fprintf(stderr, "%s %s", s, named_rr->name); if ((named_rr->flags & NAME_FLAG_APEX)) fprintf(stderr, ", apex"); if ((named_rr->flags & NAME_FLAG_HAS_RECORDS)) fprintf(stderr, ", has records"); if ((named_rr->flags & NAME_FLAG_DELEGATION)) fprintf(stderr, ", delegation"); if ((named_rr->flags & NAME_FLAG_NOT_AUTHORITATIVE)) fprintf(stderr, ", not auth"); if ((named_rr->flags & NAME_FLAG_NSEC3_ONLY)) fprintf(stderr, ", nsec3 only"); if ((named_rr->flags & NAME_FLAG_KIDS_WITH_RECORDS)) fprintf(stderr, ", kid records"); if ((named_rr->flags & NAME_FLAG_SIGNED_DELEGATION)) fprintf(stderr, ", signed delegation"); if ((named_rr->flags & NAME_FLAG_APEX_PARENT)) fprintf(stderr, ", apex parent"); fprintf(stderr, "\n"); } static int validate_named_rr(const char *name, intptr_t *data, void *p) { struct named_rr *named_rr = *((struct named_rr **)data); Word_t rdtype; struct rr_set **rr_set_p; int nsec3_present = 0; int nsec3_only = 1; static int seen_apex = 0; if ((named_rr->flags & NAME_FLAG_APEX)) seen_apex = 1; if (!seen_apex) named_rr->flags |= NAME_FLAG_APEX_PARENT; if (named_rr->parent && (named_rr->parent->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE)) != 0) { named_rr->flags |= NAME_FLAG_NOT_AUTHORITATIVE; if ((named_rr->flags & NAME_FLAG_HAS_RECORDS) != 0) { G.stats.not_authoritative++; } } if (G.nsec3_opt_out_present && (named_rr->flags & NAME_FLAG_DELEGATION)) { JLG(rr_set_p, named_rr->rr_sets, T_DS); if (!rr_set_p) named_rr->flags |= NAME_FLAG_NOT_AUTHORITATIVE; } //debug(named_rr, ">>>>"); rdtype = 0; JLF(rr_set_p, named_rr->rr_sets, rdtype); while (rr_set_p) { validate_rrset(*rr_set_p); if (rdtype == T_NSEC3) nsec3_present = 1; else if (rdtype != T_RRSIG) nsec3_only = 0; if (rdtype != T_NSEC3 && rdtype != T_RRSIG && rdtype != T_NS) named_rr->flags |= NAME_FLAG_THIS_WITH_RECORDS; if ((named_rr->flags & NAME_FLAG_NOT_AUTHORITATIVE) == 0 && rdtype != T_NS && rdtype != T_NSEC3 && rdtype != T_RRSIG) { struct named_rr *nrr = named_rr; int skip_first = rdtype == T_NS; while (nrr && (nrr->flags & NAME_FLAG_KIDS_WITH_RECORDS) == 0) { if ((nrr->flags & NAME_FLAG_APEX_PARENT) || strlen(nrr->name) < zone_apex_l) { nrr->flags |= NAME_FLAG_APEX_PARENT; break; } if (!skip_first) nrr->flags |= NAME_FLAG_KIDS_WITH_RECORDS; skip_first = 0; nrr = nrr->parent; } } if (rdtype == T_DS) { struct named_rr *nrr = named_rr; while (nrr && (nrr->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE)) != 0) { // nrr->flags &= ~(NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE); nrr->flags |= NAME_FLAG_SIGNED_DELEGATION; nrr = nrr->parent; } } JLN(rr_set_p, named_rr->rr_sets, rdtype); } if (nsec3_present && nsec3_only) { named_rr->flags |= NAME_FLAG_NSEC3_ONLY; } return 1; } static void* nsec_validate_pass2(struct rr *rrv) { RRCAST(nsec); struct named_rr *named_rr, *next_named_rr; named_rr = rr->rr.rr_set->named_rr; next_named_rr = find_next_named_rr(named_rr); /* Skip empty non-terminals and not authoritative records from consideration */ while (next_named_rr) { if ((next_named_rr->flags & NAME_FLAG_HAS_RECORDS) == 0) { next_named_rr = find_next_named_rr(next_named_rr); continue; } if (next_named_rr->parent && (next_named_rr->parent->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE)) != 0) { named_rr->flags |= NAME_FLAG_NOT_AUTHORITATIVE; next_named_rr = find_next_named_rr(next_named_rr); continue; } break; } if (strcasecmp(rr->next_domain, zone_apex) == 0) { if (next_named_rr) { return moan(rr->rr.file_name, rr->rr.line, "NSEC says %s is the last name, but %s exists", named_rr->name, next_named_rr->name); } } else { if (!next_named_rr) { return moan(rr->rr.file_name, rr->rr.line, "NSEC says %s comes after %s, but nothing does", rr->next_domain, named_rr->name); } else if (strcasecmp(rr->next_domain, next_named_rr->name) != 0) { return moan(rr->rr.file_name, rr->rr.line, "NSEC says %s comes after %s, but %s does", rr->next_domain, named_rr->name, next_named_rr->name); } } /* TODO: more checks */ return rr; } static int second_pass_one_name(const char *name, intptr_t *data, void *p) { struct named_rr *named_rr = *((struct named_rr **)data); struct rr_set **rr_set_p; freeall_temp(); JLG(rr_set_p, named_rr->rr_sets, T_NSEC); if (rr_set_p && (*rr_set_p)->tail) { nsec_validate_pass2((*rr_set_p)->tail); } return 1; } void validate_zone(void) { cbtree_allprefixed(&zone_data, "", validate_named_rr, NULL); cbtree_allprefixed(&zone_data, "", second_pass_one_name, NULL); if (G.dnssec_active && !G.nsec3_present) validate_nsec_chain(); } void validate_record(struct rr *rr) { freeall_temp(); if (!rr->is_generic && rr->rdtype < T_MAX && rr_methods[rr->rdtype].rr_validate) rr_methods[rr->rdtype].rr_validate(rr); } int extract_algorithm(char **s, char *what) { int alg; char *str_alg; if (isdigit(**s)) { alg = extract_integer(s, what, NULL); if (algorithm_type(alg) == ALG_UNSUPPORTED) { bitch("bad or unsupported algorithm %d", alg); return ALG_UNSUPPORTED; } return alg; } else { str_alg = extract_label(s, what, "temporary"); if (!str_alg) return ALG_UNSUPPORTED; if (strcmp(str_alg, "dsa") == 0) return ALG_DSA; if (strcmp(str_alg, "rsasha1") == 0) return ALG_RSASHA1; if (strcmp(str_alg, "dsa-nsec3-sha1") == 0) return ALG_DSA_NSEC3_SHA1; if (strcmp(str_alg, "rsasha1-nsec3-sha1") == 0) return ALG_RSASHA1_NSEC3_SHA1; if (strcmp(str_alg, "rsasha256") == 0) return ALG_RSASHA256; if (strcmp(str_alg, "rsasha512") == 0) return ALG_RSASHA512; if (strcmp(str_alg, "ecc-gost") == 0) return ALG_ECCGOST; if (strcmp(str_alg, "ecdsap256sha256") == 0) return ALG_ECDSAP256SHA256; if (strcmp(str_alg, "ecdsap384sha384") == 0) return ALG_ECDSAP384SHA384; if (strcmp(str_alg, "privatedns") == 0) return ALG_PRIVATEDNS; if (strcmp(str_alg, "privateoid") == 0) return ALG_PRIVATEOID; bitch("bad or unsupported algorithm %s", str_alg); return ALG_UNSUPPORTED; } } int algorithm_type(int alg) { switch (alg) { case ALG_DSA: return ALG_DSA_FAMILY; case ALG_RSASHA1: return ALG_RSA_FAMILY; case ALG_DSA_NSEC3_SHA1: return ALG_DSA_FAMILY; case ALG_RSASHA1_NSEC3_SHA1: return ALG_RSA_FAMILY; case ALG_RSASHA256: return ALG_RSA_FAMILY; case ALG_RSASHA512: return ALG_RSA_FAMILY; case ALG_ECCGOST: return ALG_ECC_FAMILY; case ALG_ECDSAP256SHA256: return ALG_ECC_FAMILY; case ALG_ECDSAP384SHA384: return ALG_ECC_FAMILY; case ALG_PRIVATEDNS: return ALG_PRIVATE_FAMILY; case ALG_PRIVATEOID: return ALG_PRIVATE_FAMILY; } return ALG_UNSUPPORTED; } rr.h000066400000000000000000000251501265465626700117000ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #ifndef _RR_H #define _RR_H 1 #define T_A 1 #define T_NS 2 #define T_CNAME 5 #define T_SOA 6 #define T_MB 7 #define T_MG 8 #define T_MR 9 #define T_PTR 12 #define T_HINFO 13 #define T_MINFO 14 #define T_MX 15 #define T_TXT 16 #define T_RP 17 #define T_AFSDB 18 #define T_X25 19 #define T_ISDN 20 #define T_RT 21 #define T_NSAP 22 #define T_PX 26 #define T_AAAA 28 #define T_LOC 29 #define T_SRV 33 #define T_NAPTR 35 #define T_KX 36 #define T_CERT 37 #define T_DNAME 39 #define T_DS 43 #define T_SSHFP 44 #define T_IPSECKEY 45 #define T_RRSIG 46 #define T_NSEC 47 #define T_DNSKEY 48 #define T_DHCID 49 #define T_NSEC3 50 #define T_NSEC3PARAM 51 #define T_TLSA 52 #define T_SPF 99 #define T_NID 104 #define T_L32 105 #define T_L64 106 #define T_LP 107 #define T_DLV 32769 #define T_MAX 32769 #define ALG_DSA 3 #define ALG_RSASHA1 5 #define ALG_DSA_NSEC3_SHA1 6 #define ALG_RSASHA1_NSEC3_SHA1 7 #define ALG_RSASHA256 8 #define ALG_RSASHA512 10 #define ALG_ECCGOST 12 #define ALG_ECDSAP256SHA256 13 #define ALG_ECDSAP384SHA384 14 #define ALG_PRIVATEDNS 253 #define ALG_PRIVATEOID 254 #define ALG_UNSUPPORTED 0 #define ALG_DSA_FAMILY 1 #define ALG_RSA_FAMILY 2 #define ALG_PRIVATE_FAMILY 3 #define ALG_ECC_FAMILY 4 #define RRCAST(t) struct rr_ ## t *rr = (struct rr_ ## t *)rrv struct cbtree; extern struct cbtree zone_data; extern char *zone_apex; extern int zone_apex_l; struct named_rr; struct rr_set; struct rr; typedef struct rr* (*rr_parse_func)(char *, long, int, char *); typedef char* (*rr_human_func)(struct rr*); typedef struct binary_data (*rr_wire_func)(struct rr*); typedef void* (*rr_validate_set_func)(struct rr_set*); typedef void* (*rr_validate_func)(struct rr*); struct rr_methods { rr_parse_func rr_parse; rr_human_func rr_human; rr_wire_func rr_wire; rr_validate_set_func rr_validate_set; rr_validate_func rr_validate; }; extern struct rr_methods rr_methods[T_MAX+1]; extern struct rr_methods unknown_methods; struct binary_data call_get_wired(struct rr *rr); struct rr *rr_parse_any(char *name, long ttl, int type, char *s); char* any_human(struct rr *rrv); struct binary_data any_wirerdata(struct rr *rrv); int name_belongs_to_zone(const char *name); void validate_record(struct rr *rr); void validate_zone(void); struct rr *store_record(int rdtype, char *name, long ttl, void *rrptr); int str2rdtype(char *rdtype, int *is_generic); char *rdtype2str(int type); struct named_rr *find_named_rr(char *name); struct named_rr *find_next_named_rr(struct named_rr *named_rr); struct rr_set *find_rr_set(int rdtype, char *name); struct rr_set *find_rr_set_in_named_rr(struct named_rr *named_rr, int rdtype); uint32_t get_rr_set_count(struct named_rr *named_rr); struct binary_data name2wire_name(char *s); int algorithm_type(int alg); int extract_algorithm(char **s, char *what); #define NAME_FLAG_APEX 1 #define NAME_FLAG_HAS_RECORDS 2 #define NAME_FLAG_DELEGATION 4 #define NAME_FLAG_NOT_AUTHORITATIVE 8 #define NAME_FLAG_NSEC3_ONLY 16 #define NAME_FLAG_KIDS_WITH_RECORDS 32 #define NAME_FLAG_SIGNED_DELEGATION 64 #define NAME_FLAG_APEX_PARENT 128 #define NAME_FLAG_THIS_WITH_RECORDS 256 #define NAME_FLAG_CONTAINS_SLASH 512 struct named_rr { char *name; void *rr_sets; int line; char *file_name; uint32_t flags; struct named_rr *parent; }; struct rr_set { struct rr* head; struct rr* tail; struct named_rr *named_rr; int rdtype; int count; }; struct rr { struct rr* next; struct rr* prev; struct rr_set *rr_set; int ttl; int rdtype; int line; int is_generic; char *file_name; }; struct rr_any { struct rr rr; struct binary_data data; }; struct rr_a { struct rr rr; struct in_addr address; }; extern struct rr_methods a_methods; struct rr_soa { struct rr rr; uint32_t serial; int refresh, retry, expire, minimum; char *rname; char *mname; }; extern struct rr_methods soa_methods; struct rr_ns { struct rr rr; char *nsdname; }; extern struct rr_methods ns_methods; struct rr_dhcid { struct rr rr; int id_type; int digest_type; struct binary_data digest; }; extern struct rr_methods dhcid_methods; struct rr_txt_segment { struct binary_data txt; struct rr_txt_segment *next; }; struct rr_txt { struct rr rr; int count; struct rr_txt_segment *txt; }; extern struct rr_methods txt_methods; struct rr_tlsa { struct rr rr; uint8_t cert_usage; uint8_t selector; uint8_t matching_type; struct binary_data association_data; }; extern struct rr_methods tlsa_methods; struct rr_ipseckey { struct rr rr; uint8_t precedence; uint8_t gateway_type; uint8_t algorithm; union { char *gateway_none; /* gateway_type == 0 */ struct in_addr gateway_ipv4; /* gateway_type == 1 */ struct in6_addr gateway_ipv6; /* gateway_type == 2 */ char *gateway_name; /* gateway_type == 3 */ } gateway; struct binary_data public_key; }; extern struct rr_methods ipseckey_methods; struct rr_nid { struct rr rr; uint16_t preference; uint64_t node_id; }; extern struct rr_methods nid_methods; struct rr_l32 { struct rr rr; uint16_t preference; uint32_t locator32; }; extern struct rr_methods l32_methods; struct rr_l64 { struct rr rr; uint16_t preference; uint64_t locator64; }; extern struct rr_methods l64_methods; struct rr_lp { struct rr rr; uint16_t preference; char *fqdn; }; extern struct rr_methods lp_methods; struct rr_naptr { struct rr rr; uint16_t order; uint16_t preference; struct binary_data flags; struct binary_data services; struct binary_data regexp; char *replacement; }; extern struct rr_methods naptr_methods; struct rr_nsec { struct rr rr; char *next_domain; struct binary_data type_bitmap; }; extern struct rr_methods nsec_methods; void validate_nsec_chain(void); struct rr_nsec3 { struct rr rr; uint8_t hash_algorithm; uint8_t flags; uint16_t iterations; struct binary_data salt; struct binary_data next_hashed_owner; struct binary_data type_bitmap; struct binary_data this_hashed_name; struct named_rr *corresponding_name; struct rr_nsec3 *next_nsec3; }; extern struct rr_methods nsec3_methods; struct rr_nsec3param { struct rr rr; uint8_t hash_algorithm; uint8_t flags; uint16_t iterations; struct binary_data salt; }; extern struct rr_methods nsec3param_methods; extern struct rr *nsec3param; struct rr_rrsig { struct rr rr; uint16_t type_covered; int algorithm; int labels; int orig_ttl; uint32_t sig_expiration; uint32_t sig_inception; uint16_t key_tag; char *signer; struct binary_data signature; }; extern struct rr_methods rrsig_methods; struct rr_srv { struct rr rr; uint16_t priority; uint16_t weight; uint16_t port; char *target; }; extern struct rr_methods srv_methods; struct rr_cname { struct rr rr; char *cname; }; extern struct rr_methods cname_methods; struct rr_mb { struct rr rr; char *madname; }; extern struct rr_methods mb_methods; struct rr_mg { struct rr rr; char *mgmname; }; extern struct rr_methods mg_methods; struct rr_minfo { struct rr rr; char *rmailbx; char *emailbx; }; extern struct rr_methods minfo_methods; struct rr_mr { struct rr rr; char *newname; }; extern struct rr_methods mr_methods; struct rr_dname { struct rr rr; char *target; }; extern struct rr_methods dname_methods; struct rr_aaaa { struct rr rr; struct in6_addr address; }; extern struct rr_methods aaaa_methods; struct rr_mx { struct rr rr; int preference; char *exchange; }; extern struct rr_methods mx_methods; struct rr_rt { struct rr rr; int preference; char *intermediate_host; }; extern struct rr_methods rt_methods; struct rr_afsdb { struct rr rr; int subtype; char *hostname; }; extern struct rr_methods afsdb_methods; struct rr_x25 { struct rr rr; struct binary_data psdn_address; }; extern struct rr_methods x25_methods; struct rr_isdn { struct rr rr; struct binary_data isdn_address; struct binary_data sa; int sa_present; }; extern struct rr_methods isdn_methods; struct rr_px { struct rr rr; int preference; char *map822; char *mapx400; }; extern struct rr_methods px_methods; struct rr_kx { struct rr rr; int preference; char *exchanger; }; extern struct rr_methods kx_methods; struct rr_dnskey { struct rr rr; uint16_t flags; uint8_t protocol; uint8_t algorithm; struct binary_data pubkey; /* calculated */ uint16_t key_tag; int pkey_built; void *pkey; /* extras */ int key_type; struct rr_dnskey *next_key; }; extern struct rr_methods dnskey_methods; #define KEY_TYPE_UNUSED 0 #define KEY_TYPE_KSK 1 #define KEY_TYPE_ZSK 2 int dnskey_build_pkey(struct rr_dnskey *rr); void dnskey_ksk_policy_check(void); struct rr_ds { struct rr rr; uint16_t key_tag; uint8_t algorithm; uint8_t digest_type; struct binary_data digest; }; extern struct rr_methods ds_methods; struct rr_dlv { struct rr rr; uint16_t key_tag; uint8_t algorithm; uint8_t digest_type; struct binary_data digest; }; extern struct rr_methods dlv_methods; struct rr_nsap { struct rr rr; struct binary_data data; }; extern struct rr_methods nsap_methods; struct rr_hinfo { struct rr rr; struct binary_data cpu; struct binary_data os; }; extern struct rr_methods hinfo_methods; struct rr_rp { struct rr rr; char *mbox_dname; char *txt_dname; }; extern struct rr_methods rp_methods; struct rr_loc { struct rr rr; uint8_t version; uint8_t size; uint8_t horiz_pre; uint8_t vert_pre; uint32_t latitude; uint32_t longitude; uint32_t altitude; }; extern struct rr_methods loc_methods; struct rr_ptr { struct rr rr; char *ptrdname; }; extern struct rr_methods ptr_methods; struct rr_sshfp { struct rr rr; uint8_t algorithm; uint8_t fp_type; struct binary_data fingerprint; }; extern struct rr_methods sshfp_methods; struct rr_spf { struct rr rr; int count; struct binary_data spf[1]; }; extern struct rr_methods spf_methods; struct rr_cert { struct rr rr; uint16_t type; uint16_t key_tag; int algorithm; struct binary_data certificate; }; extern struct rr_methods cert_methods; extern struct rr_nsec3 *first_nsec3; extern struct rr_nsec3 *latest_nsec3; extern void verify_all_keys(void); extern void* nsec3_validate(struct rr *rrv); extern void *remember_nsec3(char *name, struct rr_nsec3 *rr); extern void perform_remaining_nsec3checks(void); extern void *check_typemap(struct binary_data type_bitmap, struct named_rr *named_rr, struct rr *reference_rr); #endif rrsig.c000066400000000000000000000307451265465626700124040ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" struct verification_data { struct verification_data *next; EVP_MD_CTX ctx; struct rr_dnskey *key; struct rr_rrsig *rr; int ok; unsigned long openssl_error; }; struct keys_to_verify { struct keys_to_verify *next; struct rr_rrsig *rr; struct rr_set *signed_set; int n_keys; struct verification_data to_verify[1]; }; static struct keys_to_verify *all_keys_to_verify = NULL; static struct rr* rrsig_parse(char *name, long ttl, int type, char *s) { struct rr_rrsig *rr = getmem(sizeof(*rr)); int type_covered, key_tag; char *str_type_covered; struct binary_data sig; long long ts; str_type_covered = extract_label(&s, "type covered", "temporary"); if (!str_type_covered) return NULL; type_covered = str2rdtype(str_type_covered, NULL); if (type_covered <= 0 || type_covered > 65535) return NULL; rr->type_covered = type_covered; rr->algorithm = extract_algorithm(&s, "algorithm"); if (rr->algorithm == ALG_UNSUPPORTED) return NULL; if (rr->algorithm == ALG_PRIVATEDNS || rr->algorithm == ALG_PRIVATEOID) { return bitch("private algorithms are not supported in RRSIG"); } rr->labels = extract_integer(&s, "labels", NULL); if (rr->labels < 0) return NULL; /* TODO validate labels, see http://tools.ietf.org/html/rfc4034#section-3.1.3 */ rr->orig_ttl = extract_timevalue(&s, "original TTL"); if (rr->orig_ttl < 0) return NULL; ts = extract_timestamp(&s, "signature expiration"); if (ts < 0) return NULL; rr->sig_expiration = ts; ts = extract_timestamp(&s, "signature inception"); if (ts < 0) return NULL; rr->sig_inception = ts; key_tag = extract_integer(&s, "key tag", NULL); if (key_tag < 0) return NULL; rr->key_tag = key_tag; rr->signer = extract_name(&s, "signer name", 0); if (!rr->signer) return NULL; /* TODO validate signer name, http://tools.ietf.org/html/rfc4034#section-3.1.7 */ sig = extract_base64_binary_data(&s, "signature"); if (sig.length < 0) return NULL; /* TODO validate signature length based on algorithm */ rr->signature = sig; if (*s) { return bitch("garbage after valid RRSIG data"); } G.dnssec_active = 1; return store_record(type, name, ttl, rr); } static char* rrsig_human(struct rr *rrv) { // RRCAST(rrsig); // char s[1024]; //snprintf(s, 1024, "SOA %s %s %d %d %d %d %d", // rr->mname, rr->rname, rr->serial, // rr->refresh, rr->retry, rr->expire, rr->minimum); //return quickstrdup_temp(s); return NULL; } static struct binary_data rrsig_wirerdata_ex(struct rr *rrv, int with_signature) { RRCAST(rrsig); struct binary_data bd; bd = compose_binary_data("2114442d", 1, rr->type_covered, rr->algorithm, rr->labels, rr->orig_ttl, rr->sig_expiration, rr->sig_inception, rr->key_tag, name2wire_name(rr->signer)); if (with_signature) { return compose_binary_data("dd", 1, bd, rr->signature); } return bd; } static struct binary_data rrsig_wirerdata(struct rr *rrv) { return rrsig_wirerdata_ex(rrv, 1); } struct rr_with_wired { struct rr *rr; struct binary_data wired; }; static int compare_rr_with_wired(const void *va, const void *vb) { const struct rr_with_wired *a = va; const struct rr_with_wired *b = vb; int r; if (a->wired.length == b->wired.length) { return memcmp(a->wired.data, b->wired.data, a->wired.length); } else if (a->wired.length < b->wired.length) { r = memcmp(a->wired.data, b->wired.data, a->wired.length); if (r != 0) return r; return -1; } else { r = memcmp(a->wired.data, b->wired.data, b->wired.length); if (r != 0) return r; return 1; } } static struct verification_data *verification_queue = NULL; static int verification_queue_size = 0; static pthread_mutex_t queue_lock; static int workers_started = 0; static pthread_t *workers; void *verification_thread(void *dummy) { struct verification_data *d; struct timespec sleep_time; while (1) { if (pthread_mutex_lock(&queue_lock) != 0) croak(1, "pthread_mutex_lock"); d = verification_queue; if (d) { verification_queue = d->next; G.stats.signatures_verified++; } if (pthread_mutex_unlock(&queue_lock) != 0) croak(1, "pthread_mutex_unlock"); if (d) { int r; d->next = NULL; r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); if (r == 1) { d->ok = 1; } else { d->openssl_error = ERR_peek_last_error(); } if (pthread_mutex_lock(&queue_lock) != 0) croak(1, "pthread_mutex_lock"); verification_queue_size--; if (pthread_mutex_unlock(&queue_lock) != 0) croak(1, "pthread_mutex_unlock"); } else { sleep_time.tv_sec = 0; sleep_time.tv_nsec = 10000000; nanosleep(&sleep_time, NULL); } } } static void start_workers(void) { int i; if (workers_started) return; if (G.opt.verbose) fprintf(stderr, "starting workers for signature verification\n"); workers = getmem(sizeof(*workers)*G.opt.n_threads); for (i = 0; i < G.opt.n_threads; i++) { if (pthread_create(&workers[i], NULL, verification_thread, NULL) != 0) croak(1, "pthread_create"); } workers_started = 1; } static void schedule_verification(struct verification_data *d) { int cur_size; if (G.opt.n_threads > 1) { if (pthread_mutex_lock(&queue_lock) != 0) croak(1, "pthread_mutex_lock"); d->next = verification_queue; verification_queue = d; verification_queue_size++; cur_size = verification_queue_size; if (pthread_mutex_unlock(&queue_lock) != 0) croak(1, "pthread_mutex_unlock"); if (!workers_started && cur_size >= G.opt.n_threads) start_workers(); } else { int r; G.stats.signatures_verified++; r = EVP_VerifyFinal(&d->ctx, (unsigned char *)d->rr->signature.data, d->rr->signature.length, d->key->pkey); if (r == 1) { d->ok = 1; } else { d->openssl_error = ERR_peek_last_error(); } } } static int verify_signature(struct verification_data *d, struct rr_set *signed_set) { uint16_t b2; uint32_t b4; struct binary_data chunk; struct rr_with_wired *set; struct rr *signed_rr; int i; EVP_MD_CTX_init(&d->ctx); switch (d->rr->algorithm) { case ALG_DSA: case ALG_RSASHA1: case ALG_DSA_NSEC3_SHA1: case ALG_RSASHA1_NSEC3_SHA1: if (EVP_VerifyInit(&d->ctx, EVP_sha1()) != 1) return 0; break; case ALG_RSASHA256: if (EVP_VerifyInit(&d->ctx, EVP_sha256()) != 1) return 0; break; case ALG_RSASHA512: if (EVP_VerifyInit(&d->ctx, EVP_sha512()) != 1) return 0; break; default: return 0; } chunk = rrsig_wirerdata_ex(&d->rr->rr, 0); if (chunk.length < 0) return 0; EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length); set = getmem_temp(sizeof(*set) * signed_set->count); signed_rr = signed_set->tail; i = 0; while (signed_rr) { set[i].rr = signed_rr; set[i].wired = call_get_wired(signed_rr); if (set[i].wired.length < 0) return 0; i++; signed_rr = signed_rr->next; } qsort(set, signed_set->count, sizeof(*set), compare_rr_with_wired); for (i = 0; i < signed_set->count; i++) { chunk = name2wire_name(signed_set->named_rr->name); if (chunk.length < 0) return 0; EVP_VerifyUpdate(&d->ctx, chunk.data, chunk.length); b2 = htons(set[i].rr->rdtype); EVP_VerifyUpdate(&d->ctx, &b2, 2); b2 = htons(1); /* class IN */ EVP_VerifyUpdate(&d->ctx, &b2, 2); b4 = htonl(set[i].rr->ttl); EVP_VerifyUpdate(&d->ctx, &b4, 4); b2 = htons(set[i].wired.length); EVP_VerifyUpdate(&d->ctx, &b2, 2); EVP_VerifyUpdate(&d->ctx, set[i].wired.data, set[i].wired.length); } schedule_verification(d); return 1; } static void *rrsig_validate(struct rr *rrv) { RRCAST(rrsig); struct named_rr *named_rr; struct rr_set *signed_set; struct rr_dnskey *key = NULL; struct rr_set *dnskey_rr_set; int candidate_keys = 0; struct keys_to_verify *candidates; int i = 0; int t; named_rr = rr->rr.rr_set->named_rr; for (t = 0; t < G.opt.n_times_to_check; t++) { if (G.opt.times_to_check[t] < rr->sig_inception) { return moan(rr->rr.file_name, rr->rr.line, "%s signature is too new", named_rr->name); } if (G.opt.times_to_check[t] > rr->sig_expiration) { return moan(rr->rr.file_name, rr->rr.line, "%s signature is too old", named_rr->name); } } signed_set = find_rr_set_in_named_rr(named_rr, rr->type_covered); if (!signed_set) { return moan(rr->rr.file_name, rr->rr.line, "%s RRSIG exists for non-existing type %s", named_rr->name, rdtype2str(rr->type_covered)); } if (signed_set->tail->ttl != rr->orig_ttl) { return moan(rr->rr.file_name, rr->rr.line, "%s RRSIG's original TTL differs from corresponding record's", named_rr->name); } dnskey_rr_set = find_rr_set(T_DNSKEY, rr->signer); if (!dnskey_rr_set) { return moan(rr->rr.file_name, rr->rr.line, "%s RRSIG(%s): cannot find a signer key (%s)", named_rr->name, rdtype2str(rr->type_covered), rr->signer); } key = (struct rr_dnskey *)dnskey_rr_set->tail; while (key) { if (key->algorithm == rr->algorithm && key->key_tag == rr->key_tag) { candidate_keys++; dnskey_build_pkey(key); } key = (struct rr_dnskey *)key->rr.next; } if (candidate_keys == 0) return moan(rr->rr.file_name, rr->rr.line, "%s RRSIG(%s): cannot find the right signer key (%s)", named_rr->name, rdtype2str(rr->type_covered), rr->signer); candidates = getmem(sizeof(struct keys_to_verify) + (candidate_keys-1) * sizeof(struct verification_data)); candidates->next = all_keys_to_verify; candidates->rr = rr; candidates->signed_set = signed_set; candidates->n_keys = candidate_keys; all_keys_to_verify = candidates; key = (struct rr_dnskey *)dnskey_rr_set->tail; while (key) { if (key->algorithm == rr->algorithm && key->key_tag == rr->key_tag) { candidates->to_verify[i].key = key; candidates->to_verify[i].rr = rr; candidates->to_verify[i].ok = 0; candidates->to_verify[i].openssl_error = 0; candidates->to_verify[i].next = NULL; i++; } key = (struct rr_dnskey *)key->rr.next; } return rr; } static pthread_mutex_t *lock_cs; static long *lock_count; static unsigned long pthreads_thread_id(void) { unsigned long ret; ret=(unsigned long)pthread_self(); return(ret); } static void pthreads_locking_callback(int mode, int type, char *file, int line) { if (mode & CRYPTO_LOCK) { pthread_mutex_lock(&(lock_cs[type])); lock_count[type]++; } else { pthread_mutex_unlock(&(lock_cs[type])); } } void verify_all_keys(void) { struct keys_to_verify *k = all_keys_to_verify; int i; struct timespec sleep_time; ERR_load_crypto_strings(); if (G.opt.n_threads > 1) { lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); for (i = 0; i < CRYPTO_num_locks(); i++) { lock_count[i] = 0; pthread_mutex_init(&lock_cs[i],NULL); } CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id); CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback); if (pthread_mutex_init(&queue_lock, NULL) != 0) croak(1, "pthread_mutex_init"); } while (k) { freeall_temp(); for (i = 0; i < k->n_keys; i++) { if (dnskey_build_pkey(k->to_verify[i].key)) verify_signature(&k->to_verify[i], k->signed_set); } k = k->next; } start_workers(); /* this is needed in case n_threads is greater than the number of signatures to verify */ while (verification_queue_size > 0) { sleep_time.tv_sec = 0; sleep_time.tv_nsec = 10000000; nanosleep(&sleep_time, NULL); } k = all_keys_to_verify; while (k) { int ok = 0; unsigned long e = 0; for (i = 0; i < k->n_keys; i++) { if (k->to_verify[i].ok) { if (k->to_verify[i].rr->rr.rr_set->named_rr->flags & NAME_FLAG_APEX) { if (k->to_verify[i].key->key_type == KEY_TYPE_UNUSED) k->to_verify[i].key->key_type = KEY_TYPE_KSK; } else { k->to_verify[i].key->key_type = KEY_TYPE_ZSK; } ok = 1; break; } else { if (k->to_verify[i].openssl_error != 0) e = k->to_verify[i].openssl_error; } } if (!ok) { struct named_rr *named_rr; named_rr = k->rr->rr.rr_set->named_rr; moan(k->rr->rr.file_name, k->rr->rr.line, "%s RRSIG(%s): %s", named_rr->name, rdtype2str(k->rr->type_covered), e ? ERR_reason_error_string(e) : "cannot verify signature, reason unknown"); } k = k->next; } } struct rr_methods rrsig_methods = { rrsig_parse, rrsig_human, rrsig_wirerdata, NULL, rrsig_validate }; rt.c000066400000000000000000000023321265465626700116720ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *rt_parse(char *name, long ttl, int type, char *s) { struct rr_rt *rr = getmem(sizeof(*rr)); rr->preference = extract_integer(&s, "RT preference", NULL); if (rr->preference < 0) return NULL; rr->intermediate_host = extract_name(&s, "intermediate-host", 0); if (!rr->intermediate_host) return NULL; if (*s) { return bitch("garbage after valid RT data"); } return store_record(type, name, ttl, rr); } static char* rt_human(struct rr *rrv) { RRCAST(rt); char s[1024]; snprintf(s, 1024, "%d %s", rr->preference, rr->intermediate_host); return quickstrdup_temp(s); } static struct binary_data rt_wirerdata(struct rr *rrv) { RRCAST(rt); return compose_binary_data("2d", 1, rr->preference, name2wire_name(rr->intermediate_host)); } struct rr_methods rt_methods = { rt_parse, rt_human, rt_wirerdata, NULL, NULL }; soa.c000066400000000000000000000042201265465626700120250ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr* soa_parse(char *name, long ttl, int type, char *s) { struct rr_soa *rr = getmem(sizeof(*rr)); long long i; rr->mname = extract_name(&s, "mname", 0); if (!rr->mname) return NULL; rr->rname = extract_name(&s, "rname", 0); if (!rr->rname) return NULL; i = extract_integer(&s, "serial", NULL); if (i < 0) return NULL; if (i > 4294967295UL) return bitch("serial is out of range"); rr->serial = i; rr->refresh = extract_timevalue(&s, "refresh"); if (rr->refresh < 0) return NULL; rr->retry = extract_timevalue(&s, "retry"); if (rr->retry < 0) return NULL; rr->expire = extract_timevalue(&s, "expire"); if (rr->expire < 0) return NULL; rr->minimum = extract_timevalue(&s, "minimum"); if (rr->minimum < 0) return NULL; if (ttl < 0 && G.opt.soa_minttl_as_default_ttl) { ttl = rr->minimum; } if (*s) { return bitch("garbage after valid SOA data"); } return store_record(type, name, ttl, rr); } static char* soa_human(struct rr *rrv) { RRCAST(soa); char s[1024]; snprintf(s, 1024, "%s %s %u %d %d %d %d", rr->mname, rr->rname, rr->serial, rr->refresh, rr->retry, rr->expire, rr->minimum); return quickstrdup_temp(s); } static struct binary_data soa_wirerdata(struct rr *rrv) { RRCAST(soa); return compose_binary_data("dd44444", 1, name2wire_name(rr->mname), name2wire_name(rr->rname), rr->serial, rr->refresh, rr->retry, rr->expire, rr->minimum); } static void *soa_validate(struct rr *rrv) { RRCAST(soa); if (strchr(rr->mname, '/') != NULL) return moan(rr->rr.file_name, rr->rr.line, "MNAME contains '/'"); if (strchr(rr->rname, '/') != NULL) return moan(rr->rr.file_name, rr->rr.line, "RNAME contains '/'"); return NULL; } struct rr_methods soa_methods = { soa_parse, soa_human, soa_wirerdata, NULL, soa_validate }; spf.c000066400000000000000000000037201265465626700120370ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" /* XXX * We need to add the following spf-specific policy checks: * - record not too long (DNS name + length of SPF+TXT < 450) - rfc4408, 3.1.4 * - record should match /^v=spf1( |$)/ - rfc4408, 4.5 * - maybe check for other syntax features * - there should be an identical TXT record - rfc4408, 3.1.1 * - there should only be one SPF per DNS name - rfc4408, 4.5 */ static struct rr *spf_parse(char *name, long ttl, int type, char *s) { struct rr_spf *rr; struct binary_data spf[20]; int i; i = 0; while (*s) { if (i >= 20) return bitch("program limit: too many SPF text segments"); spf[i] = extract_text(&s, "SPF text segment"); if (spf[i].length < 0) return NULL; if (spf[i].length > 255) return bitch("SPF segment too long"); i++; } if (i == 0) return bitch("empty text record"); rr = getmem(sizeof(*rr) + sizeof(struct binary_data) * (i-1)); rr->count = i; for (i = 0; i < rr->count; i++) { rr->spf[i] = spf[i]; } return store_record(type, name, ttl, rr); } static char* spf_human(struct rr *rrv) { RRCAST(spf); char ss[1024]; int i; char *s = ss; int l; for (i = 0; i < rr->count; i++) { l = snprintf(s, 1024-(s-ss), "\"%s\" ", rr->spf[i].data); s += l; } return quickstrdup_temp(ss); } static struct binary_data spf_wirerdata(struct rr *rrv) { RRCAST(spf); struct binary_data r, t; int i; r = bad_binary_data(); t.length = 0; t.data = NULL; for (i = 0; i < rr->count; i++) { r = compose_binary_data("db", 1, t, rr->spf[i]); t = r; } return r; } struct rr_methods spf_methods = { spf_parse, spf_human, spf_wirerdata, NULL, NULL }; srv.c000066400000000000000000000032161265465626700120610ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr *srv_parse(char *name, long ttl, int type, char *s) { struct rr_srv *rr = getmem(sizeof(*rr)); int i; /* TODO validate `name` (underscores etc) http://tools.ietf.org/html/rfc2782 */ i = extract_integer(&s, "priority", NULL); if (i < 0) return NULL; if (i >= 65536) return bitch("priority range is not valid"); rr->priority = i; i = extract_integer(&s, "weight", NULL); if (i < 0) return NULL; if (i >= 65536) return bitch("weight range is not valid"); rr->weight = i; i = extract_integer(&s, "port", NULL); if (i < 0) return NULL; if (i >= 65536) return bitch("port range is not valid"); rr->port = i; rr->target = extract_name(&s, "target", 0); if (!rr->target) return NULL; if (*s) { return bitch("garbage after valid SRV data"); } return store_record(type, name, ttl, rr); } static char* srv_human(struct rr *rrv) { RRCAST(srv); char s[1024]; snprintf(s, 1024, "%hu %hu %hu %s", rr->priority, rr->weight, rr->port, rr->target); return quickstrdup_temp(s); } static struct binary_data srv_wirerdata(struct rr *rrv) { RRCAST(srv); return compose_binary_data("222d", 1, rr->priority, rr->weight, rr->port, name2wire_name(rr->target)); } struct rr_methods srv_methods = { srv_parse, srv_human, srv_wirerdata, NULL, NULL }; sshfp.c000066400000000000000000000042141265465626700123710ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" static struct rr* sshfp_parse(char *name, long ttl, int type, char *s) { struct rr_sshfp *rr = getmem(sizeof(*rr)); int algorithm, fp_type; algorithm = extract_integer(&s, "algorithm", NULL); if (algorithm < 0) return NULL; if (algorithm != 1 && algorithm != 2 && algorithm != 3 && algorithm != 4) return bitch("unsupported algorithm"); rr->algorithm = algorithm; fp_type = extract_integer(&s, "fp type", NULL); if (fp_type < 0) return NULL; if (fp_type != 1 && fp_type != 2) return bitch("unsupported fp_type"); rr->fp_type = fp_type; rr->fingerprint = extract_hex_binary_data(&s, "fingerprint", EXTRACT_EAT_WHITESPACE); if (rr->fingerprint.length < 0) return NULL; if (rr->fp_type == 1 && rr->fingerprint.length != SHA1_BYTES) { return bitch("wrong SHA-1 fingerprint length: %d bytes found, %d bytes expected", rr->fingerprint.length, SHA1_BYTES); } if (rr->fp_type == 2 && rr->fingerprint.length != SHA256_BYTES) { return bitch("wrong SHA-256 fingerprint length: %d bytes found, %d bytes expected", rr->fingerprint.length, SHA256_BYTES); } if (*s) { return bitch("garbage after valid SSHFP data"); } return store_record(type, name, ttl, rr); } static char* sshfp_human(struct rr *rrv) { RRCAST(sshfp); char ss[4096]; char *s = ss; int l; int i; l = snprintf(s, 4096, "%u %u ", rr->algorithm, rr->fp_type); s += l; for (i = 0; i < rr->fingerprint.length; i++) { l = snprintf(s, 4096-(s-ss), "%02X", (unsigned char)rr->fingerprint.data[i]); s += l; } return quickstrdup_temp(ss); } static struct binary_data sshfp_wirerdata(struct rr *rrv) { RRCAST(sshfp); return compose_binary_data("11d", 1, rr->algorithm, rr->fp_type, rr->fingerprint); } struct rr_methods sshfp_methods = { sshfp_parse, sshfp_human, sshfp_wirerdata, NULL, NULL }; t/000077500000000000000000000000001265465626700113445ustar00rootroot00000000000000t/issues/000077500000000000000000000000001265465626700126575ustar00rootroot00000000000000t/issues/21-nsec3-without-corresponding/000077500000000000000000000000001265465626700204655ustar00rootroot00000000000000t/issues/21-nsec3-without-corresponding/Kexample.sec.+008+48381.key000066400000000000000000000006021265465626700245600ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8= t/issues/21-nsec3-without-corresponding/Kexample.sec.+008+48381.private000066400000000000000000000032471265465626700254520ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 8 (RSASHA256) Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw== PublicExponent: AQAB PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q== Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk= Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c= Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk= Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU= Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q= t/issues/21-nsec3-without-corresponding/dsset-example.sec.000066400000000000000000000002471265465626700240150ustar00rootroot00000000000000example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93 t/issues/21-nsec3-without-corresponding/example.sec000066400000000000000000000011241265465626700226120ustar00rootroot00000000000000$TTL 1d $INCLUDE Kexample.sec.+008+48381.key @ IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.example.net. 1.1.1.1.1.1.1.1.1.1.33 IN NS ns1.example.net. 6.5.4.3.2.33 IN NS ns1.example.net. 9.8.7.6.5.4.3.2.33 IN NS ns1.example.net. bebe.meme IN A 1.2.3.4 t/issues/21-nsec3-without-corresponding/example.sec.signed000066400000000000000000000351701265465626700240720ustar00rootroot00000000000000; File written on Fri Aug 24 16:33:53 2012 ; dnssec_signzone version 9.8.3 example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 8 2 86400 20120923133353 ( 20120824133353 48381 example.sec. QySkSzvLPglLtsg976XY0GAdDCzZY9IEiVrn PAsFloXokhd3sYDi+/Wg+XNNPasoqvUv75c9 JYbXyV9ZF0axe7TVvCmynNi2fn5xvfU3MbiX bQqkoJq708xLtxkDjkKj4wo7aLfNXqItdvlG 8MBNI7lUMd9V1EAp1+sKz4oCbAm67dUZsJTs NNQewA2NTkZG8SLU12ueBoEm3SFIkDaGf3pr BqFKnKo7Dpi5quPydRyZv23lDkAFv86eMBky 7Ftz5JSnTrxQ96J5idVzc+8V2VJJLCMps/Lg 0f8EWXU13oy8hVNHgsbMkMgwuhK0TpoAQ3Xu 12I+iB9gXmOB7S1TWw== ) 86400 NS ns1.example.net. 86400 RRSIG NS 8 2 86400 20120923133353 ( 20120824133353 48381 example.sec. jq61ICTW2ofwSICLNMF5DiPO1wH6Y8t/oDO6 5Rz07pV02fSbEZXHpap4MLne0ikOqKPtFhsP qdircIdp9SccoXq1biKu+6yw0sGRwbR82Foq 4LIgz9yoSr0W2bUICSaa7SZDtnqpTj9tyVVx 9hFWM1DemqyU9k6wi3Qtvqyge9NRH2IbQstr Z6IhlpKlxeNR9P+H0aoYEoqfYIb8rSlv9KFq wB6HeBCgBl0rJ/EpHQI9P9SZzgvgVjzAgWzb yXCmwkDUoFNDaIt+6rbWIWxTO3NETVOPcCRh fWFJpahmKqy+7sQOdXYtOkUp4T48bMttktMN jGx0TDN6hDUWPOGKrA== ) 86400 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 86400 RRSIG DNSKEY 8 2 86400 20120923133353 ( 20120824133353 48381 example.sec. CxJvtfEuhQr694uCQg6fyz2sAg+TqH242DnL BSidvv9GzKZdHiZs+iFfcrGC4nJ3pTeWMv5/ zp2AXXkpJeCdW5Gy1xy9aexDRJuUMaFzE4xN v/QTdDzBWJBujDNM1C/HstntlQvOGLLTFGsY JCfVguYs0qqSPNd9fbDs7/edhMDe3f6v68+O UISrEgfy2PJpGeg5idX+63G4GE0OOa08dwUw LJQAGpobUjk3TjSh08jllQ21iQIdUV1pxfrC qBu2HH8ZMlSpk4ZoTsDKCNGy5VMQcRxtOOa6 9kTcmhNakfxnK+24Wu+xjqmmIWBPKxtmhYfw IlzGSu2uuGd7PvwovA== ) 0 NSEC3PARAM 1 0 1 94CD 0 RRSIG NSEC3PARAM 8 2 0 20120923133353 ( 20120824133353 48381 example.sec. N5gosx8Suslg27+3wPYAP8gXeH91Wc4ebH5H mZMkEL5b0ODgSvVgPhwTRRE1/SJGzXGWXSpW VopGKMh6SLBNAmfi6gsRtIfPutJA6hmqRtqK JiKEi6Sy3gRLKPJC1Hd/v8K2rslSoCFFsive w5cZBonS85f7n+BA9VglfQmPqux2/LvykcGS /tVGz5zZXWRdPPapj5e+TKrBfVglmcaIL9uk c4uMHtSkdwlKrXV2SCPK6H9meYIsEg8SvIXN Kx2Wfo3hvD9XINYRKwsN6FGFYrOvHpdJI/Mz QUZ70+nUQU4sbV3Y4yoHhI9Y8Dn8khdCqjCg ynbFt1GVrA0QobO9WQ== ) 9.8.7.6.5.4.3.2.33.example.sec. 86400 IN NS ns1.example.net. 1.1.1.1.1.1.1.1.1.1.33.example.sec. 86400 IN NS ns1.example.net. 6.5.4.3.2.33.example.sec. 86400 IN NS ns1.example.net. 0A8475SNU6T5P84AMC4I7KAEAMKCMIAF.example.sec. 604800 IN NSEC3 1 0 1 94CD 1F02V227102AEBUICGPQNPFSMSQ56UNC 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. mipK0k5i2YVpsDosay3tcOBgvykaBn9gaDJN /otEJTXurcfGkRria5C3AsTrq68PIhM9Ct5v bJxgaz0ab1hBHhDe8AZNVzrqrYWmmSgpNrBk VJTx3YnYUuO25MYEEh00/1/JYyHwaGdtjkoD KAwAUt7NqlLZjEHWlZUap+2sxeq1T6l6owDu xt/FNpb8QdUXYK5lsaqCWbNTHWQ3F8n49h1Y ve+m5NtbFL8+7qxrBRSC68eBTPrQfsAym4oB yU05KTFLgHgI7CrexI1dyx+mb19LA0IVKGas bo8lD20VQdiGuEflZj04rihXmJYGU/rNrV4r BhyABAvc26GMfGIa1w== ) 4H7F6LT6O2L8EJJEK17S0MPTF3G1GMS3.example.sec. 604800 IN NSEC3 1 0 1 94CD 6MMR4M238C6KQ7OL4J0HD33VSF2RBFE6 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. lX7thD4OK1v7YDU4waKvTR/YZN0c/jpLcZRh vEw/wVY6o2ZjC4DPmFlhHNDGcNil1Dtwxxnq iO4T6iNZOWWnnGy3WprLlO9hN6eZvC3c0jio uDynQyHytpwNIUtLSiHEqhNZUUt2f4BK0C6o oMFepT/+dKBuyK+FWWkjVswrhmPbpTvnKUOh ob2ONOh1UcOhjtTjl8kr51DnDe6/xOACCi4L a8UvTLRROvWUoQt4U7A8n4svrc7oYTh+lIfb I/6NYX6loVa9g1hiipx+Kn7VkcGGSTWP5lFv jx3nl9QyrqZYUMeCyF4FgYv2R029bxRJM4xN e03+Kwof3LuK6RiRhg== ) ANUH4A3TCIVO884LMD5SA3S1563VKCOG.example.sec. 604800 IN NSEC3 1 0 1 94CD B23STANUG8J6J7Q86S978IDEOHR9SKOK NS SOA RRSIG DNSKEY NSEC3PARAM 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. z8HofxVlX+519QE5aW0uywdOA6O+YP8y5Yr5 wJlyyLefw5Fti0dmU7qGzR5NoOxTfyH+lJDb 7IPB5DaA4OI3wA6XCHJ1CVrNZJ7kKOt35L0N vR1cq89V0wISlfVSMa4Lh6qOvfjEFcpZOziQ +G9s2hYdKQIxHEAmX35H+ZK3yDuWKgGvZCiP wARqDipOzAbsgMUXUFT4/q1YhXENU44yxMGv QoZWskJ5bfrHWvZY/PDPQX18JziMM5zkL+sJ 32HtIl2Ji3bPboqbGKrfXg35v6LR2oNl56Bq TTFFmGwUr0GOhJhtJOHxtxJ7gc6JBkn6MdG0 Rm41tHPCdsJqi2eYZA== ) B48FHI6PGSEKSCPQHI53K69GG9QPT86F.example.sec. 604800 IN NSEC3 1 0 1 94CD BUA7DPQPLLPMOFP3570HUGOCO0PMK9TI 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. ByAqe7JjTyKwuudzVHqZTQCtJLT3NSlKVGvQ EcpOVPr6f4VXHCpJ2U0uw1SgdzZgw/trIo0z MWY0MU94NDPZ0jt0G4Bz9CXF+MJSOmXF/G8D +DEvC0rdeAi3tMupIGMyAkkeL3hLiyo7FCBx SsuqWu0FQ5Gd2PTYUXiSX3ZG9NlTtDgjHtPS doAfO5ZtIJyLXUK6hWgEdNrfJOM/yDh7AS0y L7oHhk7xoGz+6U2ZoiScEIZ/wg2Ry02fvRgl CdkfQUAWctgpeBybCkImdlE18Ww3jPmknTcw fFpIsMGvdHW/yh7YMPibf9brn+l53DC52wQF hXENXf1Igy5KfMIgDQ== ) B23STANUG8J6J7Q86S978IDEOHR9SKOK.example.sec. 604800 IN NSEC3 1 0 1 94CD B48FHI6PGSEKSCPQHI53K69GG9QPT86F 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. YpjhuKP/CxZi1+/xsnYlq3Hb6KmxjXu7NaZ7 wL2+m1f5ffB8cu+1VMdMjXd9rA87KM+nZmIH ZgkM13BjscZYfZrD1QxTHZOpK98DsP0BVjab V3YxS99SrpWIWbsSGSnGuVnTIFg4Rc2Q7UY0 cPz2aPbTSjaYtmE+b4DS5KtZpsQUOc/mlPU5 1RiMkMOJqSnflQY922C43Xg/DaywBWaI18b1 gyL5wMyZ2OU+I1EVK1e/Hgp3xTU+VZFfH981 ooZvbHxTqvR2RPN/CiRmkb1j8OR8rtzQlAUq zE/N2G225694CXjbhnuxtMQDnARZ+YY59efI qRVe3R3RVwiIvnxubQ== ) 1F02V227102AEBUICGPQNPFSMSQ56UNC.example.sec. 604800 IN NSEC3 1 0 1 94CD 4H7F6LT6O2L8EJJEK17S0MPTF3G1GMS3 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. Sl0o9shH2wSZ11t342nNF8umWjmCc6aFTPab mhRnFDzzG2d++Cx4dXMsasDtUVspKQheiowA j6HZZSGYEQfmW8XFs5Hf4h0NVkQ83i3euXGl S1zbM0DiaGbNueIPSEyUBOyR1zzaBjzyhf6P axvora+y5Yb/UeiFQgvZY6JKBib9RHT61Dpk 8C30CK+KpBRIAa3nu+oESqP+qe+UDF6Gia8t Mn/8BMP+j070A38lrMFjfGmKq5QzMKP86Jnl dG88wXSmUe1EzvUM7Y/djimPvGfSfIFl7J8t rhQ3Cfs/Etu92HfQEqAhCg94BCv95RJXf9rj 6P2IRl7fn7tz8DPtcg== ) 71FH7088MFQ3GHCT8F0NKT9PF3BT46CC.example.sec. 604800 IN NSEC3 1 0 1 94CD ANUH4A3TCIVO884LMD5SA3S1563VKCOG 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. bFgJbtvnx6+ICYygvHrxhuCgZxcgUFA24pQl XwVUJqVgP+t8AfJ0GNURvoli4sxAa1ujJH/1 pdDrSTUSswqBClKM+n0C5Z1ZVEDdGLMsjxfH hRcnUaup5dwC2gwvxUg7ZYxUjxeCiLOc2UEA 7A/ASY/qwtMunGeXKFycY93k0F6udeFqnIFG jqR2yAoi271PbTkj7osSIJZJGi5bGIGlKDpu ht30LBfG243IlZeAm2nxg2vE9d4Nd+ZRlMJ0 8H9vahBubbT0yfJiREnILL14i4FvST++5i1y iaSRJPH2rMUp4oSsTvh8W07LjiytOG8IJkyY T1A2UFL/DOBxD2O8nw== ) IR5OEOOO61L2NLSFRK4OLKUJ6FEARD1Q.example.sec. 604800 IN NSEC3 1 0 1 94CD K9KP0QD9J3T0F3DH2LQPPB37CPPNP3PF 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. scrCa9zRBY4h4gHoe/esvDALkI7c6x6vXY4F pA7AnTb+L5WCrfp6tXiINwQ1Uvv16Olut162 QHdAe7GW1XQGdbuJ8tzBtQ9YkS6DvArSYYjb KiHMFND1dvy5UBc7BWJwM7ysLwdjEfiYkKBs WIZ/bfE3MbT3qRou/Kv8WQa33ELlkZ7x6sEs 5Era4soZ7SRzN4jba5r9TBwJoP9VQn7uNl2r h0hFclD4grfUcMZRcun3voVoVmpY/72xStsc r7btSUfDrzbcJP9W1WYcPDbsmyobY4QrYSCO VUzBP17DjEzIMztg+u5R7FhClb9lZ6qhrikW KtcOq3+nKs2JauRM4Q== ) BUA7DPQPLLPMOFP3570HUGOCO0PMK9TI.example.sec. 604800 IN NSEC3 1 0 1 94CD DGRBPEHGU29PPOAAQS0TK0K8KJLI60CF NS 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. EveB6krVUhecm3eWRh55oiDuHOfceimuJSAy 4KNd59B/+8FBB7U6KyaLm9YGZDP5d3wyP5Py 4G8z6j7vdTGbLTFsHyOxHwU1MGEqZU4vIB7N LX3P42CjD9FKFfTLS8ig0HJaxa/wYRMoxvxa fIPZZxuC/NR6ULLr6t7YIWp+rktew0vXAaPP tgmfEU9zAMqYsnKhyTttTT543btuXfHBg9th csf9dEz+p/lq1WZbyTTR4hs7ZkRYLA6TCI9q vxee5Hsfhjv2k1B7YA1AFCikAt3xqbxcuhir KpW66JXjbrp5ZxONejbYb3SLdY3PpWg2Al2W WHSV6e0cVZ47QsIFzw== ) K9KP0QD9J3T0F3DH2LQPPB37CPPNP3PF.example.sec. 604800 IN NSEC3 1 0 1 94CD MQAMDNGOIK8QUBPB4GDEG0EVOK91DQJ6 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. UFg9mb+GA3lmzuN/bJUdHf1o65i729zK0NUZ wQGscZD8q6vY+cPuaCGZxPBdIe0Jaf2XXzjp rJVyLwbdYVIR4IuoUZJLQbCfGOrBxp5BHTf8 ybft2+7foWAAQc8GNvhYKkmEpHdyfUWLrj8x Z4U+NP1fdBvO43TN0upQyeYTNa6E4umgQtYa zkMXeeQWf4+vf0Ue14rCEtCOFN2BDksL4mJF c93c1MfRMkTYX/2L7dtAfDgwcywdU+ndqXJv XC60MFEJfj/7oHO3LUQd1XdkNqg4gnyx6TgN zBcUXgN40FUZzRTHf5sXikmhm1Jm5Akaaune NB0mJ4DVzw8XLdDy2A== ) MQAMDNGOIK8QUBPB4GDEG0EVOK91DQJ6.example.sec. 604800 IN NSEC3 1 0 1 94CD PFQHTQGF3T3O7NQ37E7APPJS4E7G6FQI 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. aREhBMyCg3PaF9cbN2jS8Imj3GrfwrM2C3gU zVcJqD1SxPOGwr0UQq+IJxp2jf/4gKyGIU1V TQ2jFkdNLuF4tHtu4OQCAYwG7ngtawm/bT5J R7ecSVRQOmowEZa9/VbF8qN8EuTmB7L9wB2W 2Efj6moE/Yt0SLJ5UIbRoKN5mJZaxjzWOif5 F+xE7yi2JVOve4mbAkxV/cqYInksWedvrKZt SMBkIYbritHml3EHhI4MkDzAyDhw6rgY6P8I tWCgVZf/8NSTW8J89hon9y4Z5CZuQHZigdkx DVmcd6tsNyPlTP8HT4D+z5SaSD1GFKONjk5Z vYu3LXMlw2OT+8UsXA== ) 6MMR4M238C6KQ7OL4J0HD33VSF2RBFE6.example.sec. 604800 IN NSEC3 1 0 1 94CD 71FH7088MFQ3GHCT8F0NKT9PF3BT46CC NS 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. gH3QQQEbhWs3lNZn7yL+BMg8jOeILxZCMW4e 0iOBAfWpMxyxgvv9Jy3X9SQxui3zso6CfaoU av6bMupDNYvGsRb2e9I9K3KQKv48wI8Z7UN+ /z1RqXy7izL4MX7Df4EYnKvhi0eLGI4hBJLq my2AR4wswQiPG1tnBDa7lbx+o85GtHlX62lO MD8lS5CvkSxDMBb5bChR5DYl8NChdtaSMxRD yH7DZ6CI6t7ICUTKQs2aV8S6OTHmUQvDyA3U KThFvxPdSv9Cf+FAQzN9kwNSGC4gxjJYQtjA XjEIc+2ZPtOYI8+YJpAlNtR0kcy9TO5M9ioZ tEvquxTTQooWNuxdTQ== ) DGRBPEHGU29PPOAAQS0TK0K8KJLI60CF.example.sec. 604800 IN NSEC3 1 0 1 94CD E7Q5FM6A5MAMV8HQ7O6A8F5RIF1VJGMO 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. xH7j5GQt3bah8ezTmXZ7/LsWLHw2PDCrmBtA bEuqpKS/O7HvwVkQ1tQp1xznzpifDye2TqKH tnEY6sWJ+hbByDrP87j5oP6ZuRTnzCtwUU6c qqfEUV0JrAptkx+kxC4kLGjdB1OvaAiXvRg0 fhBaY458MLwQh7AxFsqv9Jd4KtJeVtm7PcWK VoHPckh2LdZJQyiUl7+5zUKhsGBzEqU7BZck OLPd6ccVJrNkOXfyrsYHj5NXILFtjJ/+avaY kiTYYp8ix9bSLG6LBbWuaDNcjgGV3hI2Woo2 onBRmHmuklKgmmmbZ+YRT94FZnkrQRtUlRo1 nRLQN21PBXCOfwYQAA== ) GGTEST9KCG7P1MNV2U653M6CIGD9Q6UJ.example.sec. 604800 IN NSEC3 1 0 1 94CD IR5OEOOO61L2NLSFRK4OLKUJ6FEARD1Q A RRSIG 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. vAQghXrUpaoGUONOUjKRSxBIno5udi5R9GhP L/ocMnuUYtIjtkPqFNmuIFpqMKOy34aox/TD SPuZjfb4+OMcdHw0Zz9FT6U/jw2B2aAWcrDf oU6HasH3e2lCUZizwiaCPPhFMuBdZjuwMqHN BMCW9JfsJ9ohKl+OJ7i/eS0MgAWU7/o/hmAl NRA4Q9fCUlivMQ+ZW+GUBLDzZh3tDMsIXhTK EenhqSZdL563ZmRnxe9hg2+rjp7T42UxtzUu MCt71MGnp+Q4ki8RjubLyDsjNbW9oXs02EwT B7Exydd4GHGXBiYdUt2fFHp1pJ5sgObvSoue FTw3xBWZ+TCnuohK/A== ) E7Q5FM6A5MAMV8HQ7O6A8F5RIF1VJGMO.example.sec. 604800 IN NSEC3 1 0 1 94CD GGTEST9KCG7P1MNV2U653M6CIGD9Q6UJ 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. NtTit77tk2WR/L0n3LcBnzceSfceR0y8bJjx 65oUXd+y+nu+c8I+OxmRDeoZHcHFvjH7TOpK /bET+/KUbs/43wMYsq5pIRAq6iY+pNZnnkOQ 8P4lhKm15dpFb4dO1y3rXQxhT278BMoRDrMH sOTveerXFOVI7hi7dSXsZp34to7hhdVrsF36 u00ogWJERVIZll3sCQOvKWyfFI8f8M69vWw1 o0U4OR3iWmz9L0zgIgxxSHHKnBZmW7cP+zW9 D746pMchP2TAYB43LZAMotU6jPLgWCcF0olz 73KJdziRJnko4ARx+iMgiWOUw0ujvCwK5kDo lTmrDPe6/z8aXM/roQ== ) VJ5SSNKSNS2CP5O6DCDDHK8HLH6N7CVC.example.sec. 604800 IN NSEC3 1 0 1 94CD 0A8475SNU6T5P84AMC4I7KAEAMKCMIAF 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. nP9dmjAs6A4GdtsD9Xk3S0WOt5Tg9cSXJQDT Ff+bd95AJKUeDRk0L71iUa60CYAHfDLI60gp M5JgO0YgCloLzV9UFvkDj7Fe+v7Ptyl9mdEk e7KwLBSVJyRsKMbgB+BgvenXEOH9hIiG+8CE uokdOvUEERaUYk3zaoA5SScFGoVy6v9GwCcq adUC16d5/WyNuaO2InVl2ug8dX1WtnZzdl09 evjhKiDiLABJ4Z1sLvkJsaNrwFpYn+Xkdv/W MIb08A9FypXXavAV3zJJZyB2eyQG2Ae8ozNs r7H06agUsiZKKMYtusq8FI7ISmgHPKbOu3ZZ dT6l4pFLmuXimm5LmQ== ) PFQHTQGF3T3O7NQ37E7APPJS4E7G6FQI.example.sec. 604800 IN NSEC3 1 0 1 94CD PII3ACEVPP84TH3B1FCEUBN9E8R1PQT6 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. t3PvXIfG9zqm90xrzWhYYcvSB8ZO26ia3c71 uXs+3XS94BJF8cnvecAq26YTmbwCkm4y6AQg 1P3VmM5fZqHHq5eGthdSMgACpGYk/1KL+ZtU qJ08LbtGFLS/Ai1YNOu+xVFj7Z1D27rAghGb 30z+qjkkgNKgF8RrtUrQtuZZHYljjypJ0bhU ehZitu87s0tLIGZIK8EvZ1lkAr+RcdOau37x HGIYSX262YOd7QZ/XytwhpnxjU6z99EefOKf sP9e5U1Q76czO9iptn8m17lkEKIFEEP8jUtF KGR1Qsb6PgDkAV82giZDxgFlq4WarIk6olu0 K03HV9skBS5BV2HqOg== ) PII3ACEVPP84TH3B1FCEUBN9E8R1PQT6.example.sec. 604800 IN NSEC3 1 0 1 94CD UB3H790SAMOQSDHHGOFHG1SBHU35K00O 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. 0RfXq4uTIqZJQzcGQ4s1FzIyafMn8Y9gO7zp Lf59a81Wr7feYG+KuOXc9sJC8Kk1Aerd1bSv bAmskxHxBI2cjjI4S8JDSGVezymeqMsopoEH c8jiACBjc9rCx2Z97YcXElo8PxE9AkC/a6/V PHXGr0aS3P6QB1O9AHE1rIv5t9mrATJkE1TF CH/ravS0ZaSZKPCLw7zSDObT9K4OazvRJHFO VAqd1rX8J5SHBs3ss9p3kBfnedaMNb2GLfjo Tky+WTIYoHexC2s4Kxdfj/8wWqlhw6JIcO9X g7Tc500A4/58YU7JqmLfu7a3H0kVF2oXwxkA KPlfulSsPGFYjB+5ng== ) UB3H790SAMOQSDHHGOFHG1SBHU35K00O.example.sec. 604800 IN NSEC3 1 0 1 94CD VJ5SSNKSNS2CP5O6DCDDHK8HLH6N7CVC 604800 RRSIG NSEC3 8 3 604800 20120923133353 ( 20120824133353 48381 example.sec. kWKeBzW7N07cmtm7TtqzJfPJOcxNHqr7nQpJ XqyRe2SvNlaUJpxqgTOQn3SjrsG4GUA5+j6Y Y/MjScGeSME0xIWiPV1ZBGnm/9mB8FEePK58 PvBLa7SlKj2v3mvlMlZQzJa657NtV5hbaVcx JP8YbK2W4zTGS8htg2VZMvRSfSV8gQwgKQlB BGeIeM+xfYkrxvklRfLl6+ogZlJVfPH71SLO PiEXrvfxU0HWbvej1HsNXdQDjv3Ix5vd8xZ9 QW4pyl+BHe22+Dx/TpAAoSXGdntuKuZqPF6P bpBZrMZcqdPlODnEUBgzGB3ChaZvaf4BlHzs vYqwsj87D5atXL3pOQ== ) bebe.meme.example.sec. 86400 IN A 1.2.3.4 86400 RRSIG A 8 4 86400 20120923133353 ( 20120824133353 48381 example.sec. vIeL1Bu8xiDbEn25Uard5kbWnI44qm7zMm7c ZRTHlvfBlEfo0uAqdOEsABmIDuj6bYfqifHC 6YpsPU246RKOLwZ+FGZn9hTiWkixCu4gi/Cg ynKCgRNprJdvRTiGTQ5glS2q0wNwn6SSgBAD F5W6wu/R6k2MHCzJHoR45xLwwsDBqPAvPMlB NgrtQh+L++zhvC5bw78WBnLY6h2wxlgby/6O qwiYbHborqhQLzIYmneOluceptx5gk9F5B10 8QTG8wDtACj2TcKUT5vQ8+ZzmC8l3CNKVoKO B2PrrtfNEaCNfYIjfW5d9feZkjxxqLSzrMTg FZT6ntGLpEOxDRgYxw== ) t/issues/24-delegated-nsec3/000077500000000000000000000000001265465626700160315ustar00rootroot00000000000000t/issues/24-delegated-nsec3/Kexample.sec.+008+48381.key000066400000000000000000000006021265465626700221240ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8= t/issues/24-delegated-nsec3/Kexample.sec.+008+48381.private000066400000000000000000000032471265465626700230160ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 8 (RSASHA256) Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw== PublicExponent: AQAB PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q== Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk= Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c= Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk= Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU= Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q= t/issues/24-delegated-nsec3/dsset-example.sec.000066400000000000000000000002471265465626700213610ustar00rootroot00000000000000example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93 t/issues/24-delegated-nsec3/example.sec000066400000000000000000000010531265465626700201570ustar00rootroot00000000000000$TTL 1d $INCLUDE Kexample.sec.+008+48381.key @ IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.example.net. sub IN NS ns1.example.net. test.sub IN A 127.0.0.1 sub2 IN NS ns1.sub2 ns1.sub2 IN A 1.2.3.4 t/issues/24-delegated-nsec3/example.sec.signed000066400000000000000000000113161265465626700214320ustar00rootroot00000000000000; File written on Fri Aug 24 16:21:37 2012 ; dnssec_signzone version 9.8.3 example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 8 2 86400 20120923132137 ( 20120824132137 48381 example.sec. tbjigL7HBI1uY1R5m/QrGVGYv0pWNz0TJiMl 5s600fiDV/0t4eZO0sLsa14gNWSycaHzZpeH AA29ZV07g+i/WE2BrNj00JzqfGeX3r8hd+LP vTF7pHAG4syGweqokn9F0ePG/HvW3263i3eN OuFJS7yeo1ey0REsCpkaMvmiTGYy4Ns/J3ft kIT92X7p9Ok4ECm2jvYUykXSa8oChWK65EIQ 3VbMn+X7od686gw8disrBIgHYSlWO5cPHIe+ T60PqGB9RM6INT+8x8t1hyYDgZcWlL9J0bM+ QNp24ug1E3nKNgtg8Uf9jvA4HGzRxuB4L0PH RCLY5Mv64LoNcuGmPA== ) 86400 NS ns1.example.net. 86400 RRSIG NS 8 2 86400 20120923132137 ( 20120824132137 48381 example.sec. uZ3XcCp2Ko/NqC184GE+3Vl0kaxFRs1QkpAB cZRS3DvTlFTJQFpAOpBD3YBiP4QTz6weJh9W seg0/ykNlfxzRJjLTMijsAK5M3CEIfIA+1hV 5AiqEXIsD1VvwB4bmeMZY2HgYteyfP9waNmS KE6hZG4VV4lHMdfxy6ovsi6UOGQrfA6+RdZ4 rRbMrQy4TofLPYWFA18TwcJRND+KMiLrbEB0 nsE7wtw09E6Fo/p9rfOJSId9zpkivSywvN60 dx5lH3RDM7dRKedLT26uWodoc+sm5ksma4b3 lVpkvVuRYsjx5380MC6Q3Ffi5lgGg+S6U+0x BNsl65g/cBi52Mx3sg== ) 86400 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 86400 RRSIG DNSKEY 8 2 86400 20120923132137 ( 20120824132137 48381 example.sec. vMI5/h3OOEYXPyz2EuTd1UTuOXArx80fDXR3 aqAg0VXxuDj5aCNNtrumGac8VQJSbcOFS6en zavsQbdF4GynuqVouq0+Cg+AKqbkf91mwoRo 9FfYjD+FiCH3AsTgY1sivgx96jxbUJrwlheV Aq0sRNt25oejEnytF7zkxg4gfAmwszym2iy9 eYUCo5J7lMd5PGWOeTaWM6B1dhTu3db70GNg s994rEqv9OM87d4XS9U+CrCbwQbj8VtHjUWv ne5eSVqIh0RgMkPaLISYE2MUG2JNcs6eqYuq z4LgGJAK3EE4QzsMGs5tmIK7rLbdIwUpLhlH gwW2y4E10Hz7KLOjAA== ) 0 NSEC3PARAM 1 0 1 94CD 0 RRSIG NSEC3PARAM 8 2 0 20120923132137 ( 20120824132137 48381 example.sec. TMvS8oUX2NkG/VZ1/LFh5NzGNgmuj1KORpjQ 6xLuuZ5EFvV97L5lG/QIeqDYBaeYbbxx6PuO q35aV3BRxcGkoDlWRC2cFyR3RNzeTjj1q50n o3RgqtMkvJE/gyl1/oXL4IjSnlw5xYdYGa7n G2mGQdc/0vh/De8VMh/n0Dq2WbuJ6vqsv3+i M3oiMrapG91EYnAcFB4ymBbkbuBqTwu4Gwkf dkweQRkufWI/d0WP8ziP6g3pX6uqJjwvDd4h wcLgQgajZ7wOzfnsqS/v+CMc1Hu4B44PN7BB 50IKaviAkYCftfyTIy1FSYnAt4MHFrrQBKzX c9ymqDL681D6zTNQtg== ) test.sub.example.sec. 86400 IN A 127.0.0.1 ns1.sub2.example.sec. 86400 IN A 1.2.3.4 sub.example.sec. 86400 IN NS ns1.example.net. sub2.example.sec. 86400 IN NS ns1.sub2.example.sec. VT6TVPSQUE085J73EUKCPVB32N894AUB.example.sec. 604800 IN NSEC3 1 0 1 94CD ANUH4A3TCIVO884LMD5SA3S1563VKCOG NS 604800 RRSIG NSEC3 8 3 604800 20120923132137 ( 20120824132137 48381 example.sec. eaQxYQX+q0DDG03cLYyG9L+WmleExeZWQLb4 rBCuJO1rRkzxtC3SAD6MLQ2NVpiv9c0IbbNQ EUCDXaA4/McY+CemogZV0pumI/xhzJ5Pd5k8 s8jxY0JNaaQ5cHDpUjyu6sWOTn4BwcZJaPtn fBESTP7cy6uVQWRXiT5TJ33bBk2CeFCgMxD9 x5yvl5fWH+ZBl7AVYXamh4TsU5l8kL+HD19v vauj4kQVEapBaaUEN3oS7S5lkUJ01ANHf39L D36sRF6cZ2BEjiv3axl5IW4uQVnmo46XSP9Y dX+0gjLFwfzUnt6bKO59pfZ1kAQnkpjvXC/h DFcnQ1TZMn+MjSimNg== ) L2BLRUARIR23VEOTUN998OLLATNAI6EE.example.sec. 604800 IN NSEC3 1 0 1 94CD VT6TVPSQUE085J73EUKCPVB32N894AUB NS 604800 RRSIG NSEC3 8 3 604800 20120923132137 ( 20120824132137 48381 example.sec. AU3924oCXsSm2yxkSzikdMHrKBgOCnTPQ8QQ Cv/+ROYGWedvkf5jivUuqRi4wqsx+dK6UAPB cmxb3zmebGfbzZtO1FI51z9tGSFPvahvTVcK LkMlbzDmdcNFUpl/npagQLz5FTumi8gD2Ozl dCdPATDlpoL1Won8t2rBIqPGaClahCHeub+2 FwAuWzjiNMsSAqUpIwHbUrf03AEYafVsacnI 1t6qELwFMIa2UUDXGsFSR4BIfAvDK3wFq/Pb i4nzKyINGmCPTaUphh2+uLQ8CIUAArVtgAj3 WcIGO8p8fHE3R9CneWANo6jPEjURzMxFLUjA RD31yV95Xj5SLwAGSg== ) ANUH4A3TCIVO884LMD5SA3S1563VKCOG.example.sec. 604800 IN NSEC3 1 0 1 94CD L2BLRUARIR23VEOTUN998OLLATNAI6EE NS SOA RRSIG DNSKEY NSEC3PARAM 604800 RRSIG NSEC3 8 3 604800 20120923132137 ( 20120824132137 48381 example.sec. kTRt2QfhcT+N+2MyDWz1kFpu0fpqa8AyXH7l GDgMUjILF6dSwSTH6OCYYk9HIrdleNwq352I LerDlaOOszwVrdyGnSFnyT0MYhXFEFUVDibl svZlpePqbHnMkCEWMGmZHa9k10xNa8e6lUd+ 8lpUhuNSdi7GihEmYo0ZNlDv3913cz7iqNmg 0dZk1Vs5GFZGZp5R5y36zBgS8TS+OiYNXL+9 YSsJukXnW93WcEUSvT5saUoxWD24rP41w6ro 9n9J5XUgNmfaLMFj0AiaAtlVz30q3Nbv5v2T w18A7ybrH2AiuSoRvL8ISQyIrA8P0pDIyftA 5e4wKXX9LZ/1E9laWw== ) t/issues/25-nsec/000077500000000000000000000000001265465626700140335ustar00rootroot00000000000000t/issues/25-nsec/Kexample.sec.+008+48381.key000066400000000000000000000006021265465626700201260ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8= t/issues/25-nsec/Kexample.sec.+008+48381.private000066400000000000000000000032471265465626700210200ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 8 (RSASHA256) Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw== PublicExponent: AQAB PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q== Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk= Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c= Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk= Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU= Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q= t/issues/25-nsec/dsset-example.sec.000066400000000000000000000002471265465626700173630ustar00rootroot00000000000000example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93 t/issues/25-nsec/example.sec000066400000000000000000000011241265465626700161600ustar00rootroot00000000000000$TTL 1d $INCLUDE Kexample.sec.+008+48381.key @ IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.example.net. subA IN NS ns1.example.net. subb IN NS ns1.example.net. subC IN NS ns1.example.net. myMX IN MX 5 mx.example.net. t/issues/25-nsec/example.sec.signed000066400000000000000000000130441265465626700174340ustar00rootroot00000000000000; File written on Fri Aug 24 15:30:38 2012 ; dnssec_signzone version 9.8.3-P2 example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 8 2 86400 20121220000000 ( 20120820000000 48381 example.sec. qzY4pxbPjaFEQyE960A1GD918TUlhq4RoJ+B QT5pkYo8RvqsN5g2MnfCegfe6ZS2/kwTMmWC XLFyP4bglatyq6YpSb/nCNLsp7GHvkA1lkzb VhvenUbYIvOjUXx6ME165fZbpP0NaUETvG6P LKncqB2ts+Ru7ZsXZqBeAokxvc0Nf3q7JKHO SHIV97zEeGxEbUqnbAVkjJzDeaUuIK6BBL0d 2cRpi385lVcAbDk0byH9l7nVzVeSf7NO06lX j4Nr7kWvDrp3+8G0ArawsjwuSf8++B8fqxPH hjvfw5hpvsKt99muko/gTsL/N3x7bAH9QQRe U+jSnD27HBChCJSFXg== ) 86400 NS ns1.example.net. 86400 RRSIG NS 8 2 86400 20121220000000 ( 20120820000000 48381 example.sec. thEwFRgijT/clJZq37540NFYrb/qPEMXdiuM z1QsNXzNumsuVmPyxTwv0YFOEh1yMesFQGhf AEVS+V9AoE+xA/r+eM64p+OMrxHmd476jyAi eEGUOiNx9sZBEIYXB8tr0RRadWzoRtovpJ72 S6mJ2vBT9BIHFt14BVbQayLwf9mqpD4zQ5MU gL33OxNXRdSsxRIxTyeC9RSSUd5hmCkNxjdX k2ZbY4AlCZPcFOcdI8ZhLWd1mBD+e3xBwPwn OILFQ/VpL5BCTB8Zw4yGAX8W0O2g7eXITD1p /WVKj8ssLW8mlEjBvTC7SBPiPo0T+wt7jJUT kcQz/cwfgGcGBgY0oQ== ) 604800 NSEC myMX.example.sec. NS SOA RRSIG NSEC DNSKEY 604800 RRSIG NSEC 8 2 604800 20121220000000 ( 20120820000000 48381 example.sec. m3GzdLzAPvf5ZUUWISV5cKGyNgDUZSbtKm2K vZ3Pm0vcBTvanrVsi4cyG9lpr0P+LnrRUgZ+ KgoBK3WG24vtLmPRHxdmRctYQ0HsxfEq474N ifwQzaHenv70OTy4luViH1fbBtyUUH1AFeJ7 28Jj9gf6bJ0ZdUNPg0nU5uxqUiP98dEHn6JX MMBGRMWrKzLM0QF8BP5P2BQ89JHnHVxDrzog CzG9Uf1+bbd4j4QVvWjk3m7Wqf4Cb/fezMsm lyme5u4yo3phrPgYCWWCgd+IssU7dNaxMnWE uaycDuVSRmBotgfm03ANUiEbKb9arcfukSbg IgGDyvfpvTzcpYi7cQ== ) 86400 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 86400 RRSIG DNSKEY 8 2 86400 20121220000000 ( 20120820000000 48381 example.sec. G2GT1BOwgV/uTbJf93jmUvl7bmu9I9gaV3B9 Iol/FeOE8/GQhpKYCM6zF6gT8iZtFJ37IYgD tF5Zi+9nWE6HfvVtB6cltAL5Ud0Tkzuwf2XY XsqnwiBmFlkJJgzNG7po0gkCWWrUpv+kg0Mn 0JJfmSOvo3srOyEg42pAWcEJ7dvAz/DgcOCk ef9i4cxlRRtgWE4a4QkHH/V7pFDAOEvWkXg3 RUih5VIFM0POxnqgS/QRbca2Zm6FyCgkbHR1 QF+ojRSKGVKkE2VbIcPX7yUcBagg6WdkWjri ZHZlwgF0bzbBNTc61MYiSK/PyDQpS1/m2JPd OVidiTu6ajWJpUo6jQ== ) myMX.example.sec. 86400 IN MX 5 mx.example.net. 86400 RRSIG MX 8 3 86400 20121220000000 ( 20120820000000 48381 example.sec. iDUsHGQ4Zj9vEDUsojq08tVxOG6s+wjs3Qtf DFXVPeqXmThdaMIVALzUyJYwnU0a4RNaM0lQ FcFiK3y8fGuvMYQVUhheKBDLc0MmAht9CjJi faUNJaNSTw/rjWtduJidzEaWUk5lh75YV3hc YPk54jEbgTYTEJKCbfgDfRVShxAk64TM++Sh xKSSW+4s2jKr98coYCcWYsHE6WlJXi0EJuDb o84YG0MKoaURNcvEwWBwHhpxLnzT+7Yg7/AN 2bmogQLy40Yr8bS9DiyBZikXJt01Bj+2sTrw t4JIxBPCPy08YayZzYcMLJ2M4FL0f633bWzX 4CPKb0ZLimqsAPXbPQ== ) 604800 NSEC subA.example.sec. MX RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20121220000000 ( 20120820000000 48381 example.sec. ljtWqo0kh1F5NZ1vNGaLipgKCxEQ+c5deq0I 0wK8xOUSCjT5q8Ac8tIX6B50NIjw65YpOfQu wzPVJM8PSsBA6eZuKIBKKy0MzD+X+eirunvS wpJ6PHix8C4/eChrNZlEJs4AX6Q6nVuCH4b4 rIDClNiOTC7cXiWSK3FWgCzWpgWpG5yusRdb EzDCyb5UTfnzcCZdjBRjXRA1c22nODgIlgS2 rqEJqn2o79CU8bYMx/LCQ96CO9y4XyVwAayK ekSo6f7w7YPcwb9aFURN2mQ7ZP1sGxWUifVx zpLE7aqM4fhlanG8OGEyvCZd2uXbtkdlw2m9 LGN/2omLoKgBK77JCg== ) subA.example.sec. 86400 IN NS ns1.example.net. 604800 NSEC subb.example.sec. NS RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20121220000000 ( 20120820000000 48381 example.sec. t68GfTtpxY7WZ8TVWBEEQdcsORVdG8a7hgL2 MMQgMW5K2DmdURAW3mEf8m8uXU2AwKJ+xCWL /LXVfkxqFMVI4dyn6YGLbCyVv8RggATIt6b1 saEFTvByo2WThWnJU3r8Sq4LV35NurjruZ/o DJVhTc//zPSSIQpUrz2kuUcOsL+djG3hJi+/ TB7CsrLGdEaD9elTwwAk9lvy0ZvfVhN63w0Q BPMtSRPkARNfsHLJS6m8zutcUIbAPBF7FZDp PUly5LNvZYbUQvFwo7A8JaZBUOBjFZ1apagt FV3dBVtRXuBIBraFwJjUuKIApX177uYpxD8l kDTfWeD/JD95z3a9Gg== ) subb.example.sec. 86400 IN NS ns1.example.net. 604800 NSEC subC.example.sec. NS RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20121220000000 ( 20120820000000 48381 example.sec. LJZFwPB4Aw4dLfqUnjmv3zeoKm/3ZZyHRusN NniNNct8zaH7rqfTZHQoSBMH//YyyeJwQ7uO 7YIRIJvIi3z1iM2FpxuHihtUE9fIHPOGpjo/ t42bh611Lod+OReiukOaUOkhavg0wMfYEX99 Bw2V+Sk5z4UrLwJd/slQYjow4ZnFIubpJhqt gw0fsygW6wb3XN9zs+nNo0XD1ksdQOyKu4tA ZmYXWYCEbw/BIg8BDw3TnqUxbV44namLTSUg 97rA/90Nh/s1tsDQ3RbL7iaCbBH8ylSyCz5m av1L+WK51LUJNgzm/fNJvI9kFzUG8s9oespe f+r2hqgomotK4WdxMQ== ) subC.example.sec. 86400 IN NS ns1.example.net. 604800 NSEC example.sec. NS RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20121220000000 ( 20120820000000 48381 example.sec. twkPkw069EOqYcUugvM2qD7+/Yk51+91WRnz Cq8AR8P4KlaBvahWg997haey4q8wV1rXsAXu lMc9iNgmX6TaIiHoq9kMXumELWzE8Oxa/ymH vvQnMOk2j0zcKh/7lyGeTX7cpSvXhz450XH3 3EfQeb6BLzlwyXgfnx/kGLS/lIez66Py/92v 2M87By7Gx69dv1vbBleeVxsYKmKe+sal7Ayl ZPP9+NlOqZqDBrCXvwOmn+ScfCbeYxgMzmcf 2LMBEGxpDHRfBuV35hOzOVCce47CCip1Xian Jmnh1A3dqZJXCrxFZidvAYVm7jEtAI8FS1OL VjBf8zzsLfQKiMpeGA== ) t/issues/26-spurios-glue/000077500000000000000000000000001265465626700155425ustar00rootroot00000000000000t/issues/26-spurios-glue/Kexample.sec.+008+48381.key000066400000000000000000000006021265465626700216350ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8= t/issues/26-spurios-glue/Kexample.sec.+008+48381.private000066400000000000000000000032471265465626700225270ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 8 (RSASHA256) Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw== PublicExponent: AQAB PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q== Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk= Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c= Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk= Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU= Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q= t/issues/26-spurios-glue/dsset-example.sec.000066400000000000000000000002471265465626700210720ustar00rootroot00000000000000example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93 t/issues/26-spurios-glue/example.sec000066400000000000000000000014671265465626700177010ustar00rootroot00000000000000$TTL 1d $INCLUDE Kexample.sec.+008+48381.key @ IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.example.net. sub IN NS ns1.example.net. test.sub IN A 127.0.0.1 sub2 IN NS ns1.sub2 ns1.sub2 IN A 1.2.3.4 spurious.glue.optout IN A 5.5.5.5 spurious.glue.optout IN NS ns1.somewhere.else. spurious.glue.optout IN NS ns2.somewhere.else. glue.optout IN A 5.5.5.5 ns2.real.glue.optout IN A 6.6.6.6 real.glue.optout IN NS glue.optout real.glue.optout IN NS ns2.real.glue.optout t/issues/26-spurios-glue/example.sec.signed.no-optout000066400000000000000000000175711265465626700231170ustar00rootroot00000000000000; File written on Thu Oct 4 15:32:03 2012 ; dnssec_signzone version 9.8.3-P2 example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 8 2 86400 20121103123203 ( 20121004123203 48381 example.sec. P7sNgb7duV7fy3Fe8e/8F4SivSNyUEjuEIc6 5ZmS6evSHGuqYW97qUAMnSNZGMeEzFTMX2Cv Gy3Zt84kHWo0mejuSBVqRhOLpA2WqZLBN7B2 u4hV9c/S/joi7Br9EsgXbIxyZ5DVx7BvDWGK zhCni3jYbWKrgqB12Or0sGaARAsk5ZmbYwdx 1iGmIchkPBafHvx9Y53GDoBfaSlFk5/lESqy FneiwOheVl1iVoORCjfhoPuQb2Ot4GHZW8am xBRzEO0aWOWg08Y52rossU1qEPrR8c6ef5AV C1B71i4kku/+RDbyNyV40q8RbO0WGiOLMR8z JmzPqoibmc6zEYed1g== ) 86400 NS ns1.example.net. 86400 RRSIG NS 8 2 86400 20121103123203 ( 20121004123203 48381 example.sec. OHcOzztD6b+FsImevSTkviScJMtf5FQ76Upu +o8dbdiEl04rtHmhYuIpZttWkJyNeZafBRMh Se1MfCnJsy5Jw1sGVSR99M8XDiJUELRPn69A DCycw/x0dVmDsqlyZYSPdQmHoipmPrvhBpDt MghbiDPMuCEx6fmtymGghgkaYr1Dvy3IfEVc vjNuCczsZ29LDQDmeG/vpS08GkfMEzA0RrJV u4qdNcuJQc2RwtEAg/pMQ0b1LN+dp5+f6zem eRul5bjmindkPwvmo7nYRrlj3YMyvilQkUmR xH7xwiWHxhiw2IsdR6lWKYYQMGYcmn2idR3f FGcEgSnqQu5aT+Pg0w== ) 86400 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 86400 RRSIG DNSKEY 8 2 86400 20121103123203 ( 20121004123203 48381 example.sec. aTLyK5dtPgmLkdo5aujXbWPtaPqvieMX0U60 FhGr9xAqeTkyguyyA+iUHXuGtmzstjkODMwE vDTNeYGzbu8Ep9et7GKexS/DrrmVLXDacveu 3mgjIr9HmlCD80NRo5YJh6NN/vGq/ue0J0z/ oD46JTe31wAlXhqk7xyEewG3FzMD65bVzCaw KqiB3WQWzItVVXfwb27rW+HjwysaqJQRoLqX bBqB2mt45xPHOFJl/5TMziHgWWUFULjK7nov J2A8OhAEMezjqJINRLHjn6Oi0DjflHrhCzyM 06aMrCHwffgXYBLM9qkDOG+nDlYqdOghuHDJ R7uU8fr8EMElsORKgg== ) 0 NSEC3PARAM 1 0 1 94CD 0 RRSIG NSEC3PARAM 8 2 0 20121103123203 ( 20121004123203 48381 example.sec. F+Qa4worI07Cv6mDGOuK45+mzFOZ65DTzSMY EYOWqNwIVgEZFUD120/c5cYkkMpgFICpImM9 aFgg0XPyhkIzevXeoxqn8s8eACDQc/O0m6PA dcvB+jckO8YeEiJuDK6FbEwOMRmL81EzJ8Q4 UoUxOq3Uwq/8FcqGNVgJdodkWJyU++IlPz37 p2dplxOqbwV6sN+91SUs0mNFW5tDz7O72EK1 Zk7cXyU+qZs0O5lMf8S045LZJ6UMcP9Ccdu9 EOP3zRRWNDmRGJFVfKns8UDz+4ViwOORrhP3 SFPr9hVzX9PBegYtsDED0HYh2hsbEnkZzmEr Q4o6RpCjxyfu0ARIEQ== ) ns2.real.glue.optout.example.sec. 86400 IN A 6.6.6.6 spurious.glue.optout.example.sec. 86400 IN NS ns1.somewhere.else. 86400 IN NS ns2.somewhere.else. 86400 A 5.5.5.5 test.sub.example.sec. 86400 IN A 127.0.0.1 sub.example.sec. 86400 IN NS ns1.example.net. ns1.sub2.example.sec. 86400 IN A 1.2.3.4 sub2.example.sec. 86400 IN NS ns1.sub2.example.sec. 5RORN4V6I2EUE59S86LSVBHNQNFH97BN.example.sec. 604800 IN NSEC3 1 0 1 94CD ANUH4A3TCIVO884LMD5SA3S1563VKCOG A RRSIG 604800 RRSIG NSEC3 8 3 604800 20121103123203 ( 20121004123203 48381 example.sec. X93YGUwDjl2i02qXZxJFL778dX0zjtn80Esd 1CJJx9FYUf7RNsUfD38A23C7SZQ3URCggx6t waizI4Ktax8sXoxtHuMtH+3hZ4asBcGuWYOn V3i4Zb4Z7LkqJg96gbC1Cn6R0JhTRcCfvfYI tjav2vEhvu8dNi/UObZXSGrpWOeVq2Fc5jpy eE4KkzHrlYwamdoucqjAdjWk3Icp5C05wWMU dmt+FUmN3qnq2FYYW/Z5007uFAG5M7uLk96r vqDyRXXMbz8NOOgLycM6qRVDfDvtuck4gJ/K ex8DDGeJsQlRTcmixf+JCBytZYOYN5HOrsGt NwBpiwuBZ6GepD4JzQ== ) ANUH4A3TCIVO884LMD5SA3S1563VKCOG.example.sec. 604800 IN NSEC3 1 0 1 94CD APFMIN8EJ96AD54VGTECHRPKHBR336EQ NS SOA RRSIG DNSKEY NSEC3PARAM 604800 RRSIG NSEC3 8 3 604800 20121103123203 ( 20121004123203 48381 example.sec. S2Ap4xcQkfIrgV4vCHD5DWlZjbhm/dI5vRpM V9eRKVOEMb2Z+dWibFeP92P0MPFu4eCl57+J qEoYlv3LX/o73oTEyZu6Kr3rs7S+qlwHtQ9a 0XPuIC4qvywYsrCHb3ROakqT6ORiIDrvxCKe 4aqZEvurYLLzTVynNsKjjGVSoBUHLW1iwlD0 Zs1l+CEh1ZrRfkRprliWeEfsJGsR/u2Ib1Sx vvx09zow5ENcNZpW7+2cQSmv4aRrVjWkOcuk 3aTaGZ5+5k2Go4NAMSkM0p2ww2J8T9GPIzPl Msdp6T4xNEjfS+tVxJe2PsgWmpNduPwbcYui SSUR+0UQvnSPqLtYcA== ) glue.optout.example.sec. 86400 IN A 5.5.5.5 86400 RRSIG A 8 4 86400 20121103123203 ( 20121004123203 48381 example.sec. zxAtBQAmpGGPBA9oV/LXhBuyU7lhnb9exQwk mP0nnP2a7+lLXXv6CZXeY6Jo0aOEuAmSNzVn bOEG4YMVap54sFQXuFpRDe/DqZbOIGRkmM17 YurbyHrYMADIrYbLcx/4jS9pZf5PMPK2Cf6f rOJAT1fEeOI+fv9qohKLK4YpB/+8as/vFtEx yquwJIsTFTTrcfempRixov01QTAVU1xAA6W+ a4xRjdycWdExHzIeclNs6fSCnYZWbIsy+oh+ unjIrLDeaoXDHROGIrPVRQcWLz+BiomkEAF5 AcBGmHh3qeTG/p1Sg6lroVscKUP8uXcAZB2w Q3wA4VSXWaNEvdQXeA== ) APFMIN8EJ96AD54VGTECHRPKHBR336EQ.example.sec. 604800 IN NSEC3 1 0 1 94CD CVL763SGK0IM3JISN2KLQBK8I5TLP0U7 604800 RRSIG NSEC3 8 3 604800 20121103123203 ( 20121004123203 48381 example.sec. Hla9zHjP0LnuI3iz7kqsJODjh2OW9SKgDKEx V/oFmIt2iOnuhhKaMF2pLMcHsjQDH3EZ2PyG Yn8om+d3J5pZbRPq8gIT5oa5P8IZwhGLZ85Q O7B6b87ZGbQic6Sd160f/N2AGWrV/3zqZjKg tSmWVHDORBRqW1zk3SVfSBFhwVUolGLTJT1y umZ+Q0573h53hmDcCrJplQ0Sdqj+OjzRcQ1R djyW+aFfFk64/U8/v5BOwdBE0VdvRCf0/U8S FTIJezTh5Gm/xVRJK3YIjjhy18mhBkBGN9hU FtWmtFIgeoSya8ptnXlOqEWe21YyreZsTEvz jcilieFLC++F7ZV8fQ== ) CVL763SGK0IM3JISN2KLQBK8I5TLP0U7.example.sec. 604800 IN NSEC3 1 0 1 94CD L2BLRUARIR23VEOTUN998OLLATNAI6EE NS 604800 RRSIG NSEC3 8 3 604800 20121103123203 ( 20121004123203 48381 example.sec. ZauqBlEOHvFQxV5Cu6ViTN7AtKrnBdh7AOnd DPUjkcJ81sIhsx7VHr0OXwUGkV0f95pzKX16 RjyaIQb0uuPyNQA8UrC/YtFdVP8xAWEMlVF0 hHDZbbo9/MA/I6s9A8m7TplJfdzmFY399ldo IwkyEXsbiV5A8LyGBJaTB41+S/HT02Z4jvc2 4NhLBnBQwvUwm7IifMepi+ICwgxxjNdz6iFy 8ppDV8zN4mqIiNIPCp2DTrS/ShNlvVe4BnBt S+bL/C2QahJucqBa7yD3tB+cDXhmvB/vYZ/d F9WR4c7v9u4azBvKR9eIYaX14TOsuJjsAl2m uONcluxWl/nQxqLSGw== ) L2BLRUARIR23VEOTUN998OLLATNAI6EE.example.sec. 604800 IN NSEC3 1 0 1 94CD NHPEGCSN6DFGI1PTTF76JD8LO1UTM457 NS 604800 RRSIG NSEC3 8 3 604800 20121103123203 ( 20121004123203 48381 example.sec. r5vQV2X8d7SFXUWEmU2xyj8R0QhJsUEkGMCb YkwbKWrHDzO2u1tcN/t3Q5Ku+6hwF/iU0wrR 2KGL49B3NEix6qoU4CqmrJIE/UNhXWv2yywB qtqKz+TOi5hefAGYl5AaQoBauXk8TF6f/3fs 4lvriiIhXN6AWBPPC5+HojLQOegXOhD50AG0 M0ME50BkcRTnDZdBFXr6FVDZrq5i7lp0Y2EC v0vpjZI+meSdRIVJKWqN0usTDQWzZfhGN7PP W8/hKmTcKCnXoYeardkqHDTQxRWKfl6ufKW8 AfL2fviA/LnDNhUpC+18C9w+60p4OIMG/W5B fak1/AxWGKxtCs/iyw== ) real.glue.optout.example.sec. 86400 IN NS ns2.real.glue.optout.example.sec. 86400 IN NS glue.optout.example.sec. NHPEGCSN6DFGI1PTTF76JD8LO1UTM457.example.sec. 604800 IN NSEC3 1 0 1 94CD VT6TVPSQUE085J73EUKCPVB32N894AUB NS 604800 RRSIG NSEC3 8 3 604800 20121103123203 ( 20121004123203 48381 example.sec. hmn39+fFO2mUMT1THTg2R8NivZQQDQ+Fi4qM 2G2z1bDKWbQrvALTMsW8rqiOnT3OX1kac+an ieTIILFRCMUVGl3o9ovYNmv5L1dANd8z/GTi TGdxMj8Y2Y/ws2AHrtJgHN7Osyw3/XYlU95Z MXlxdhmFHAV/KqGP3dlUco1No9fKHD0yAkP3 NOodY+v/36j8htvcwlkYiaQ+7rvR7+kqpE0m IxVL/lM96q9h+iiNC9/TfcMNQK80khLAYIxC aNYgajETpcNVEoTkBg2tAIv1ksUNazjEAebS ZIzHBDYqb14vwZS+mw44j4BU9Q3/9edQPTdN JjLxIM15ZzLR8tjcoQ== ) VT6TVPSQUE085J73EUKCPVB32N894AUB.example.sec. 604800 IN NSEC3 1 0 1 94CD 5RORN4V6I2EUE59S86LSVBHNQNFH97BN NS 604800 RRSIG NSEC3 8 3 604800 20121103123203 ( 20121004123203 48381 example.sec. FmzSC680qWWTQEvrlcTYt0uXccc6teAwYMCY 93MVf5eorAwJ9ijqH38A/O6bygfZu6ptTG1q SA/yJ3XPMuRIhE7io8xdj9nWCh2+liNG+CBW NpYdb2pXaoO/wVVxR2QYCsSx7BtFsyuYK/mG 7Fuz+1464uHHK88j7u0icFZ3YlpPIG8Qu2CS 2lzFxz3cPXF+fzTVJHwkqh7MIvcwMRoGGLDj ceHTqxukg4a/0ebA/sz3yzUFpTOrh8PmFiU7 ari44J9QXlDwjhPWz1hpdz+YFnSxpPHjpmva UIsn6kUYrSMHPfsYoEebyAj5NYLUaU1mHN1G FuINGo4eUd8Sg9StWQ== ) t/issues/26-spurios-glue/example.sec.signed.nsec000066400000000000000000000146471265465626700221040ustar00rootroot00000000000000; File written on Thu Oct 4 15:35:51 2012 ; dnssec_signzone version 9.8.3-P2 example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 8 2 86400 20121103123551 ( 20121004123551 48381 example.sec. ZIjIFvlb+zoh+E7I63N+n2OBwyia/aR5K1FI FSNfvkCQ2vYOqEZLZYirGyAAnkx7iymnkz4x yLOK0R7wONt+nhJip3urYicYBzmF1NajyKSN k5rKk+04ShtAiQzc0oq9ujoONxYfZMauHUeD TzKiG/tJaOo6V89RCfx9PYa831nyxm8JdGe1 xlncxyTCzut+em3qFTzuYS5mAIOZ25SktQen 8s+hWfI08oz/zY37wiASOwcDST6t7zG6x9wm gWj9srFTx1Kh632ToDWgUzu9JDodzxgAP80/ xU2qCptj8dnQQ/5B/KpR47kxfKr+1WXxQ1Rh Qx8Qj+9sRahzJ1NPcg== ) 86400 NS ns1.example.net. 86400 RRSIG NS 8 2 86400 20121103123551 ( 20121004123551 48381 example.sec. EbM06z3JKpv1rRXMdkKE7QSaRMgek0zTFHoI qDLl+GLswmlf8QuPWjJ8HOuahWQEY610a+96 0zhRX+aL3IIH06iFEI8AGnQqOphkqwYsL+xo 1iFpmzL/nflflHUlm2c3I8SyrponMHHMYNOk 4ohu20gnVtwaHekB7t55BhvZJ6OpWXiRHCTk ToM5oNc1zrBz3Sv2XLhlU5n52XYcMt9iwBLq KRdKlmWaSAkwx7BtkRUMarqw+atrR+E4ruLd V3efgpfoAe0/wJuUxkzO/LsSLCNXHz2bro2z a5gIi2QCzwNdzhnUo6YOMqkSwKxPcm3TViZd 9Hski6lx7DGdbP8+XA== ) 604800 NSEC glue.optout.example.sec. NS SOA RRSIG NSEC DNSKEY 604800 RRSIG NSEC 8 2 604800 20121103123551 ( 20121004123551 48381 example.sec. GrJ/6KZrpX6Ms4v1Lc0EDiskWLFLQpdz73Ap rEI4aYix72peHobI40RJhb6qN2R7KtH0E/YZ zUmzVdC/OSlhZmadtzdpaEIyORETkCLLU3Hi O2wHoghgcxe/jvkjM46OTQ8+1UEwaESOIwoA 9p6i3jDK138J+q5jTjKqD6IWAUyTZoogZrD9 wlYYNMZJatdXfz5G565Ix6/MpkRDz9Djsmbd E5R4LEL0x5iBA12aBzxxDwqSkg7j4L3O7Ynk 92M+28nr2RPb4bSaEAWal7AJzjoLMwGVW97Y 9T2nMyFz9qAgeFdVwUEtEg4iUuZMj9SSkOi0 68e25IT8bg1caC5NNg== ) 86400 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 86400 RRSIG DNSKEY 8 2 86400 20121103123551 ( 20121004123551 48381 example.sec. 08rV3sRhOjAzGTa7QIFeRrF59oYdQwt78UC0 0nuM6yn1fIoA7lPsbTs3UzUoRgKfV95G90n/ t3LD4DoOlVHtMoFVYakSGjnftg0TtUctW3GE g7tK4gnvpokJblUxKZUsdDAvKsTJA+WSE2fS n459KoeLv+6rc+dJZORrSyIXvHtDuLhqPc0B 3J09KPMN6ePd/MpQn7mEZ4/UgxlIiT3DOifO 9YoLiWxYr1kFDdAwBCtspgF85EUPY0TlfOrQ 9zR3XxL+Dno/c/sdAW2cmwguN/TqeFNgPsy0 jpoR1pr3wm4GCNHZwLs9VJyaSul3ySdOAWNT FWiVuAIrT1aXk0AXdA== ) ns2.real.glue.optout.example.sec. 86400 IN A 6.6.6.6 spurious.glue.optout.example.sec. 86400 IN NS ns1.somewhere.else. 86400 IN NS ns2.somewhere.else. 86400 A 5.5.5.5 604800 NSEC sub.example.sec. NS RRSIG NSEC 604800 RRSIG NSEC 8 5 604800 20121103123551 ( 20121004123551 48381 example.sec. mfcjfqL7qTfGt2jki5Ye8QXkcmDrPGEu+0cE 1KQgFQnaw3lzty/MRPeA0EbUfj1latxT1+d2 DHoouDMhmrV1jm4mMB9WQ9QIc0vo/0EgwVUH s1H0+P8i6iHjCRk5WTuBiAwHfsnlSgzCnWgs 9zGK6CLyE5ijZ/Ar7w9lLzIallRce7UyNVui OKWOtE4PG34SarmgvR9dhKIYvnlpYRPr4w+n z9t5tJTJCpQY4dl8G6VI1HOOFajP+gobZbU3 WenNsvKfmjHClMuNw/lLPVIakMKC5SvO7rOb Eo0x1OWcorLU7JXs8CZsX7TV0/tU1/lmpPoa iqbLGD64gNvy5G3lTw== ) test.sub.example.sec. 86400 IN A 127.0.0.1 sub.example.sec. 86400 IN NS ns1.example.net. 604800 NSEC sub2.example.sec. NS RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20121103123551 ( 20121004123551 48381 example.sec. iXx7cENoookUmrYIZeEhQ2ke1nkIDKGpETvr ZfYb5g3oFEa4Mu2LtjolwMs30sMvxgidYxEi cBCzI8ub8W1mWHz4K4poXKUxbkmTKx4M/ThA 223dOMCw7gePN7jzJfpoL/t3X+aeTv8VNY4y qNyQxE23zaas4CqbN3WSFB0K1GVqGraor+2L aA1SLHurwUav6qmjWdv5Qc27+9lPzAzddUEh wCCSD+y0D19XX1XM4LqPnO5UDcEzC0wmyzKD rwkrgcIhkPLOCSWpBEHZtDdXAX2cKAhYG9QA wIZ3i3qME5gqxWlwPjSbAR9tuOSL8+qDpQu5 b6KfRdZ/d1c9AjjiAA== ) ns1.sub2.example.sec. 86400 IN A 1.2.3.4 sub2.example.sec. 86400 IN NS ns1.sub2.example.sec. 604800 NSEC example.sec. NS RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20121103123551 ( 20121004123551 48381 example.sec. qBjgWN8txVSPwGky9zkhie5oysTzIR/8sjP0 ia2NmlskjQe2n2wMJixOpydqtq1VY4Behlf/ IO9k8ANJLLVN1EywN/fTgD5IVItyphd1tCwQ IGOue/0sbjDpVW6Fzp2RyGHmhnCEax6BOr69 DgdXGyBm+vZ92C2vYgTTjyJjKnrigxA0F4e9 PJb9EJMMC+nApnw9Ul5l1MX42av05xAVQWVL oo3yUt6Eh7psbJM8EnyXAy5OzlEtuVUiFfJ+ XA0y5V6aYTO/XZ/9xabi/a4mLHu5GAOK2nlD cGXxlYwY5zuKTq8F0DPRMR5ogIX9gNzceNFW YLCBfpyztA8oxkuwHg== ) glue.optout.example.sec. 86400 IN A 5.5.5.5 86400 RRSIG A 8 4 86400 20121103123551 ( 20121004123551 48381 example.sec. zDX0ZutqbHE/W9KhlxEcVdM8HMk8OtLktbSe S+csQ4EGk9O7vrO0rcTQ9xLIwTpDsOhdXdmw g/m522a3qpDBxeAS1DKvmYqutsSQSqWWKL6p ylAjGv4DxAynw7zQARvTFx+1WiIDXFrUZKWK 7U0g7qMmxMxxgFCa9BSAouXW1WIuLFlYGsKs Zu8frV2OizIjTMHoh8gapur+gyGgCzExhOj+ shIoWz66E60ZMpA9z7gyc7q4BxfBfB5OhSlQ q2UzzUnWTamqmZhzOFP+wnGbNxPsJ0RYZ5qD 5MtxTZ3wM5I4z3r0N+t+zk1BI6182u8BqQ4E pCUyhuojyQjWdiZSFQ== ) 604800 NSEC real.glue.optout.example.sec. A RRSIG NSEC 604800 RRSIG NSEC 8 4 604800 20121103123551 ( 20121004123551 48381 example.sec. pgKlHxSe/WOYKKrDfb1FkKbxPkfW6R+G+zAC drB9rTcfj3dFBC4uZEl0PPlOBD7EJ5Ntvk0X 1BJlYg9EP9wmcRpQXaNZBgy4IzEe40HrEHpG 8lsOlif9YIJ5uE8szYrVBRvyYwrqr/PtSsqe iFw7xuE5s1esucz8xGNL0Ut/z8lTLYWMO+jD k5DvbFqVOihtgSZScgqgNbzdheTTI/sfEGVG e8+N2osTBwA8FWMIsbUyVraEklI82+bLzDLY l3xRcMhpY7e7m2M72nKIrm5StYXmwMTnAWRQ 9U9H+2hAxDTGRQmcb9G5gUhRvb8CecyRQtbW 6pbkGulBb9HKaca1Fg== ) real.glue.optout.example.sec. 86400 IN NS ns2.real.glue.optout.example.sec. 86400 IN NS glue.optout.example.sec. 604800 NSEC spurious.glue.optout.example.sec. NS RRSIG NSEC 604800 RRSIG NSEC 8 5 604800 20121103123551 ( 20121004123551 48381 example.sec. ii1CgKo6PP5Pv+mRyL1icoUaS0gQGa81CxeS LSs3Cd9l1J8qYmxVZllajqe7EPrVeqiTSZnj iQ40Ser1EDcoe08qNOkcSQvlI+cS/tD3YrGw CeVVREXz76L6L2PSJklR1iK9awxTHi/dQDxf 4b0NyBLFNE1/NtrZFzUeqEVnD9HFaiAQP3OD P0MJFSorJM+2NpiTGCcrp/j+fj0pvpuRjWYu BBdvyWR7zAInSV5ihA++nCszIkowhsA0GtAI H8basuZRBbni6WwflxCx12mqhNA8cNOm3Bvu 10vep76LtKQt85gw9LNYZWHrTiBjXg/rH3Ed c0keKnVXlTTdqmQbOQ== ) t/issues/26-spurios-glue/example.sec.signed.optout000066400000000000000000000130111265465626700224660ustar00rootroot00000000000000; File written on Thu Oct 4 15:18:53 2012 ; dnssec_signzone version 9.8.3-P2 example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 8 2 86400 20121103121853 ( 20121004121853 48381 example.sec. Ulm/liwXxmglgip/GZchcOR8cAbZhXRnQQyv OavM3mVc+EtL+APaoQTMlhi1Sl09ft8zCxFq 9QN0Z3MXCYYWpkJ5yvOgso+Da5kabYslGTLm bTo2CsW1AFzJJi9sGheT+45otO+JQ5u0kxjC QdebeYcMkdVs8I7tfMklyfgeC7LfNZE4/Ipw 6F4x1HZe+Dqq6KU4VG4wxsiinQehXXGQZQyg C+vQHjs/EATrm5xymihPqRmeFchYUeQ4r1bq is1iVvcfezVRRnKjWZm0siv6WIMWu+asORnV 2GcBLmtvvlOCFc21zUx28dHMFXHFua4DWKB8 cgdYpt43xZ68GVxMPA== ) 86400 NS ns1.example.net. 86400 RRSIG NS 8 2 86400 20121103121853 ( 20121004121853 48381 example.sec. ikpkmIGlWyzehB7usRLodt80omtP0yP37Uf6 Suixfz94dQFXOZRccsJjvmwxK+SWCuODJvD6 4d4sb8dwsxPdrFpfdSELCGZqyCECTb6GvKzy fD1JnU1PujbqimNo+A2TBZAzKyolvh/9IfrN 5J4kXvjCAmssz2yF45hXRblJg3nkNs8nbD4U VbKWzKGWsoV7oDx81hISVjFaOeMJoBMOTQNY LHN9+EJDS7qo20sq6cYcSwCQ5FwpAxX3k8Ef rHCtBz4A6637jmYuSKGWcdwdzCZ/a5Dm7x73 OtLg3bMft2bZSeiCQW6NpmPjIWCsdbACJXnm 984YFW/pTqapEPTpsQ== ) 86400 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 86400 RRSIG DNSKEY 8 2 86400 20121103121853 ( 20121004121853 48381 example.sec. si+yguBDcwzghrH0h6R9cPIauscNjlA8j/sl 9VWDkeBi3yVdw1aX7BaE32sQdf2k0FN4A/+Y 00gJAwaMHem1L9wlOKg/cRGqsaz6+VACqAtK 3uvG2RbDAS83VZxU5650CupN/sivmtSj/YWO Utp1HEc8jZCw8LsFudmRTa2p9ps+kHzeC6BO Uy3SolmGnZdESoBqnUAWTrNFaTIwCyLGIIvK TcEIzP3SN1mw1Nt+GIL/ActgPTk0OpUPXvj7 KUoekBMAZcgAebVXuPPSkZq75cC6P2+08+di LK2Fs8wpf31+TBn3daAx7xvRF++nC0EA0GAp omMLBYDUAsDLsWMDUQ== ) 0 NSEC3PARAM 1 0 1 94CD 0 RRSIG NSEC3PARAM 8 2 0 20121103121853 ( 20121004121853 48381 example.sec. YHWYvmnPOvcuBXO7qz75IdG/Ceb+MsyizLAv z9A6QgfUI4x6z4ADbdQblhuZi5mMsnFaNtqV IYRcBEbx754hTEagLNXI/TEN+REF0P5Nhba3 cZm1vY+Dhnfz0ZOVIUuNDEk8S63F2TBaNm4j ezias9Az5E/De2oYaOxRciP2kYoYncUaBMhi HPjStz1jzrC+7YOah6uWfIAcdl3g8qqL2hjd YJdMbEuY90JVhRWzEjBftqxv7w9sgA86ERai 2TGBIpBxAfamCfKra1aQR4Wl2x3NF/RYYfZr lS4/Up0ouPI3TJXM2SGr2eHDQAhA+sGiUhm4 Y4mySTWd7MreJ53tAQ== ) real.glue.optout.example.sec. 86400 IN NS ns2.real.glue.optout.example.sec. 86400 IN NS glue.optout.example.sec. ns2.real.glue.optout.example.sec. 86400 IN A 6.6.6.6 spurious.glue.optout.example.sec. 86400 IN NS ns1.somewhere.else. 86400 IN NS ns2.somewhere.else. 86400 A 5.5.5.5 sub.example.sec. 86400 IN NS ns1.example.net. test.sub.example.sec. 86400 IN A 127.0.0.1 sub2.example.sec. 86400 IN NS ns1.sub2.example.sec. ns1.sub2.example.sec. 86400 IN A 1.2.3.4 5RORN4V6I2EUE59S86LSVBHNQNFH97BN.example.sec. 604800 IN NSEC3 1 1 1 94CD ANUH4A3TCIVO884LMD5SA3S1563VKCOG A RRSIG 604800 RRSIG NSEC3 8 3 604800 20121103121853 ( 20121004121853 48381 example.sec. N1v+1lsRMwY3WJtdMl8Eh9vOV3bdwKwTbnRQ kFtdKpLuvyc3256nlH6SKvWMBGPNxOyd1Qb1 WUdCmT4sLvY2UDzmTsvI6ETszQyntSMsORah osfWPG+0zAA6DnNkUVNDPvoSiimcl4ibuzCX 717pCz7ubTJEX0G2X3cVGZ6/qIQ2SrNWbtED LqBgJtu30w3A7APtxKTG2bAHOejrzSAVy3ms V4iTItdglAMrscloJNCveWTdPPXDlHrQmD3D nRPqA3gIKQzm0Y+ZI3Qzyw9bw9AiCYpMBehg 5gFt/jLTknaG5MCMYGJEXNFO0VbuHKgxAqsz KHpKK/ifUkn7MsJzeg== ) ANUH4A3TCIVO884LMD5SA3S1563VKCOG.example.sec. 604800 IN NSEC3 1 1 1 94CD APFMIN8EJ96AD54VGTECHRPKHBR336EQ NS SOA RRSIG DNSKEY NSEC3PARAM 604800 RRSIG NSEC3 8 3 604800 20121103121853 ( 20121004121853 48381 example.sec. od/Sqj/uWHgRTRs/zJaqqFrtItCSO2feO2XZ z2oTtpyri7PoeppBkfHI7RLU+S3erNsFovxF wCtrf0fyTqlp67uSyp9pDgNUKhpuKSKG+4q0 BcuLBXtQaKdeBD0goq9I1CyUGzvshIb51eBG aREsZjYQNoVRwbNIGgu7g+xnXexQmZPaSCW4 Q/TeJBaHX2HHV8iDwKK3XZepP0E07dpNECSE rKJpok52AeYg7PrNYwEuxA7LTJmrSmS7qCl9 KhU0m0CffxWDnEXkYKX3af3eahWeOZyGOhOP dxIIIQ7c82n/jcqMD4Sh8d3rerPF2U1gCz9u HCdKafHujj9rGn/M6Q== ) glue.optout.example.sec. 86400 IN A 5.5.5.5 86400 RRSIG A 8 4 86400 20121103121853 ( 20121004121853 48381 example.sec. QwYR1fW0291qEsM/oRaB3afMe+6gKpNvd2q9 RRA1y8jbS1X8xpvzJayxSBki/XEbAt5+/ruw z15HPcGBRo5a0To2iJ7rJiSFvUdKHfv1jdNx uRSVx9+RT8RgX2kXEk6SZOzl52fOtmF4KM3y inKh7REsL41ECQLM6ZYqFjDXOkzOjTR/s8V7 8xxAwZScRCa+DXlc2xVPcEMExMTEx+22L5fV HNRYXlJA2O+hsCiBUbiTBp0+rFDGTpG86MWR dgnOwX+brkiwD8AiFw23YfSp9F8y3ft8tAqv f9nXbHa3F9SCR5i1yzkUeVWKEn+by3LS4BLz VpIfeb99nocNo/7Mgg== ) APFMIN8EJ96AD54VGTECHRPKHBR336EQ.example.sec. 604800 IN NSEC3 1 1 1 94CD 5RORN4V6I2EUE59S86LSVBHNQNFH97BN 604800 RRSIG NSEC3 8 3 604800 20121103121853 ( 20121004121853 48381 example.sec. rbDtCPCS5QEJ5ESQimgn8318GRADUtZvCeqv I3hDGB0w9HXpLRkyZ1McyLVIZskK4yXB1Wgg ikfjG/ENVqiZ13XcXE6nZrdBJvMqZpkTmV10 1emVkS9q0x7wVKz9fBrVuznZij4PSZinEv0v leOFmgBe2yMuBWWV9t5o/KxG/2zgW1HU4PZC ue3c/iL1iEKTFaBQ856lvFyY5cqO191G26tn kCW8G8x4FrUiNyB3UgoGt/9jFbqDMHMFrSOg xLPNxPqBcT429qpbP7+d+QnmI7LR6usWus0A UU5w6Xzq+HVD2RSBpZX8ryUKEqXa92EDcfqB xYijmFAKbe24i+b1wQ== ) t/issues/29-slash/000077500000000000000000000000001265465626700142215ustar00rootroot00000000000000t/issues/29-slash/example.com000066400000000000000000000013311265465626700163520ustar00rootroot00000000000000$ORIGIN example.com. $TTL 1d @ IN SOA ns.example.com. hostmaster.example.com. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.example.com. host/1 IN CNAME example.net. host/2 IN A 127.0.0.1 host/3 IN NS ns2.example.org. 1 IN CNAME 1.host/3.example.com. 2 IN CNAME 2.host/3.example.com. host/4 IN MX 5 example.net. host/5 IN AAAA 2001:2010:1::feef host/6 IN NS host/28.example.net. t/issues/32-sshfp-ecdsa-sha-256/000077500000000000000000000000001265465626700163645ustar00rootroot00000000000000t/issues/32-sshfp-ecdsa-sha-256/Kexample.sec.+008+48381.key000066400000000000000000000006021265465626700224570ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8= t/issues/32-sshfp-ecdsa-sha-256/Kexample.sec.+008+48381.private000066400000000000000000000032471265465626700233510ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 8 (RSASHA256) Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw== PublicExponent: AQAB PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q== Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk= Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c= Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk= Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU= Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q= t/issues/32-sshfp-ecdsa-sha-256/dsset-example.sec.000066400000000000000000000002471265465626700217140ustar00rootroot00000000000000example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93 t/issues/32-sshfp-ecdsa-sha-256/example.sec000066400000000000000000000025111265465626700205120ustar00rootroot00000000000000$TTL 1d $INCLUDE Kexample.sec.+008+48381.key @ IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.example.net. IN NS ns2.example.net. ; example sshfp rdata taken from rfc 6594 rsa-sha1 IN SSHFP 1 1 ( dd465c09cfa51fb45020cc83316fff 21b9ec74ac ) rsa-sha256 IN SSHFP 1 2 ( b049f950d1397b8fee6a61e4d14a9a cdc4721e084eff5460bbed80cfaa2c e2cb ) dsa-sha1 IN SSHFP 2 1 ( 3b6ba6110f5ffcd29469fc1ec2ee25 d61718badd ) dsa-sha256 IN SSHFP 2 2 ( f9b8a6a460639306f1b38910456a6a e1018a253c47ecec12db77d7a0878b 4d83 ) ecdsa-sha1 IN SSHFP 3 1 ( c64607a28c5300fec1180b6e417b92 2943cffcdd ) ecdsa-sha256 IN SSHFP 3 2 ( 821eb6c1c98d9cc827ab7f456304c0 f14785b7008d9e8646a8519de80849 afc7 ) t/issues/32-sshfp-ecdsa-sha-256/example.sec.signed000066400000000000000000000230561265465626700217710ustar00rootroot00000000000000; File written on Tue Sep 3 12:11:54 2013 ; dnssec_signzone version 9.8.4-P2 example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 8 2 86400 20141212121212 ( 20121010101010 48381 example.sec. VaxX0dVGnzFwJN4uz322gewYiKqYyc2p6QYx xF9P8FPZnAbWPRYVJigykQ0o5QZsqU3fSc0s OhoAapQ7KNDE3lNkLY0lVkq9dDDTLt13avVK pFWLw61fdUDyVzggupz9n6rwNNz7/h1iec4Z EEiyCCIOqjH9HXcbHKuLe8DHt/h6AX5y9LPU DThqFjjdaOBl9JeFPOZIkiFmJsrGuStOVeLG bhCX7gt5/DZw4P2TQ8pullyPyjWnd2pjA2p6 WMbiqiMiHZjevzcFEFNb5TCkgUG7RvWPqzhH 6HgUdbd9hcIH4lIoocRfztyDojswd2LGq6LG enJM9fuTSqMMT5CPfQ== ) 86400 NS ns1.example.net. 86400 NS ns2.example.net. 86400 RRSIG NS 8 2 86400 20141212121212 ( 20121010101010 48381 example.sec. AEw1bOH7iWnw2+xOKViKiSCoP+2XBEYB01Lg HBNdnFYIL010c5YUewI+AsyOvxbpwjNIspY8 k45lyXpbhmbE/SSgI79MtRIwG+6YQERx4RS6 fw/9N6t41NhkkcyOfL8P4wMFzTxqq8TJ5Vd5 7CGFqBJLtVtQZvDcRYcSMoVsNFYJFqNEjve8 nPO8bwxd9UwgBVNx5sPJReSdUhb9//DvI1xS nr2UOHduNp4FppeOBhJYh7tjYs/1IbPUp90W iQSiinfNT47sVz1ntSgcrtKTrAJmm7TAqPGk cs9CcrqnN9f1SHU8/9M7nH9qnyGt5QxcbfBF BnGe6lS2mOJnETN8jQ== ) 604800 NSEC dsa-sha1.example.sec. NS SOA RRSIG NSEC DNSKEY 604800 RRSIG NSEC 8 2 604800 20141212121212 ( 20121010101010 48381 example.sec. LyRbBl03MKOn6ZqWwJQoAxFVI15rfNjlmF0w dE1LaX7cm3DwDLlBgqK+Z/Hv+aRKv2Yk4x9c 44eLS2Xcfq5OrqTQPId0UClHkmnm86SHDVgJ jtH2nu4+07FXukt01D6ap6R0nfbbdbPUC7x7 jVoxbFLw0m3rAXFXbewXfNRor4KO7LWf2koK AaMzNxpprfAElaAIX6iJzhgTOTaRLXv6w5+7 y95Ca3zn6xVcpXH3RSV5iyCGgGm/aAYE0sSW XRk4sGJ2zjSUj4RsnNc38W6FRMzAHmkMc1rf kTB2ozJ5dmN/6OQU+V1OVyEK0oTyidTmPEec IHYsORp7Iw2Hx37H4g== ) 86400 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 86400 RRSIG DNSKEY 8 2 86400 20141212121212 ( 20121010101010 48381 example.sec. jeH3CRSqBGG5ZvU8q+27/b0JJreGL8rIoIWg 8fS8SvU0MIiOHI9vjFld3EbmYcD6MqdadofW tMfVkb6mAmK25lXkqrggm5jnwsV2AJ17ec0A 4wGZz0WlkldkGsK0s+w0lxMb2bpFNpDI9p4R 3FWLGve6uRThuRv6oxlbPnNAyaz6bXLmu+q3 oBQsDS8GdxrzcupBqC2iVxmDRhi4rKpZf/DZ 0dDdafD5PG4rSUfvXY7Sd0G906dsWHL/2JRi 4q0xEgx5F6Ve7UcE6IaMLYCiu+DCOIVOucC8 SQI/APsfLN3dycXBjYY1J4C+vzh2ig7P8Iks z5tmeRR5vrd54yl+kw== ) dsa-sha256.example.sec. 86400 IN SSHFP 2 2 ( F9B8A6A460639306F1B38910456A6AE1018A 253C47ECEC12DB77D7A0878B4D83 ) 86400 RRSIG SSHFP 8 3 86400 20141212121212 ( 20121010101010 48381 example.sec. bn5KmK2UyUlhF77ZGXCE7EPRln8RMCn1VYYg FMvWuddZu/bwdeQ9V//mkEM3P0KwnfQ+GuAm q2ybXunLDmPcdwuHl3hhU4PIJ6qeFFbguRg9 6dW0JkQt7vN9EGRx6LQbGPX/UaAEaN3x971I Xr0KCThkwR07PRFf5OX8e1FD+Nuyu3YtGwNL mii9xN0gwX/FZHAqnUXxS/1B1M/UY7yZMazN jZDj3X9kIcNH+dM2Pgo2Gkej1VhxrZjbN3fV 0MkJUUxWkmE51pBAg89u1PwMjQqkb2+7e4lj 8+/Tg0JXA4Row46QDOcrq+MSfiHKNM4HiOKs FSxe/7OhH3FfENzelg== ) 604800 NSEC ecdsa-sha1.example.sec. SSHFP RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20141212121212 ( 20121010101010 48381 example.sec. quPG7kmU75o0/us5C5worKfUgWH8O7VXUHRe xPDx0g3yxFicwGa22Uniz7wZzI+AFwL9Kui8 KY+ZGqiKaiuW4OOCj87A4p5OBL6Q0ZMFMoNq Pv2xeKTfO//2DKpqFk1mm9HD7Geh0bsvIT78 pLZeUkzWfY7ms2juDIAuQ4uMa3Q9XCtbQcd2 fl2LBhzoWU/x6NThelMUVq8O9KvTX3F/Svt9 byLncSswcwGBHIcpmQDA/bVMd1yfj9V+uB+U v419X5BoznrDu0YSQj2KoFNUb6qkWezEeWd1 4yEYrogNibIHGxK2A/mEaMQ8bGfuhQvriRZI JQAZsMI+HVzURgUCpA== ) ecdsa-sha1.example.sec. 86400 IN SSHFP 3 1 ( C64607A28C5300FEC1180B6E417B922943CF FCDD ) 86400 RRSIG SSHFP 8 3 86400 20141212121212 ( 20121010101010 48381 example.sec. xZTXovaSXMlmsX5puB+JbEqOqofouS9aluao 89SS79iTZxfA2NQw9CCVTQTowQ7Lc7F4eYqM kAEEYyLk2XdopARrJelgMsNk4u/uGbUV/8/y dB9PwMKZcyDA6HC42LNxGjRo+SYvVXyOzWyu 5aQFP7LknuhEzjZxIXwooAL+Bc9zvnNEeWQT +xcWwlw+0wPucGQh6reAlxL0LqCtGVhGxErB 1l9XXs/0ViJfMLoaRtIasuG1eSfbpCgYdU0s 4i08ovR71q79ixvUI22h+Vbv3KZFgva5w02M flL1xgTINATtO6OpLci5/aTsBciU8jiHuE2N s+4GBci7zrV1mZl4Gg== ) 604800 NSEC ecdsa-sha256.example.sec. SSHFP RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20141212121212 ( 20121010101010 48381 example.sec. e8s85RPO1PL31ANtrK2cXCe2vBLX5NtDCJG+ BICwmZ4y7o72N4P7kN9MFCYzZg33Egh28uXB LxH5QA5mE+kt6KFaCvr7rnL93p82qydRUiku sjFGYIDIINwz9m6p/SxoidDI3nyYvghpllrS sRXV2vrDETLfBUY7RcOQbsCvCwE8j5EwZAmi Q81Ye99Gsf2MlyhcoYVkmBs4pRVpnVqHn+VI d18gPjg8UFdqlL/yLim9Tqk7nARU6jbvGSGx Ldz4QeuCHBKr3gtEx6MXdscxO+cLS4w7Hpws 1mxHtQ+iCpiG1Iz4CUcucdNAS2jTcBE9FcUf CDH43KFjxNSgiFcOWQ== ) dsa-sha1.example.sec. 86400 IN SSHFP 2 1 ( 3B6BA6110F5FFCD29469FC1EC2EE25D61718 BADD ) 86400 RRSIG SSHFP 8 3 86400 20141212121212 ( 20121010101010 48381 example.sec. R4BdW6B06U4U2xVvWNWWZ6VGnHY5XvJrI2/U NJ6j3tWdNP/v3FbK+RpFPZQk26SomY3KF7D8 dhjACC4jxlwQqwQYl5wC3jOnnt1xzqvW44GL r6GSjSwOC0QfDPXNYQ6H8JC1Ea+vGHJa3HKy sre2HEUn3YyxkqhktTAZ+eUxzQ5L5EP3pL+y DdKsVItWy/4LGkNPFBq0AJyE2Rv69TnIKx5Q MYxtTqFgFsO+iUyIK+RlRCq1HITtmg0o7YZN nc66uSLF1Fcy5iAolhC9Q1aX2Vj5j1rfocqh 8Y70QIi1n60PrzisgRrp4qdzG5ad057gJKNz hQ2wcrjurmGLbayv/A== ) 604800 NSEC dsa-sha256.example.sec. SSHFP RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20141212121212 ( 20121010101010 48381 example.sec. hr4HLlCWtcU5yLX0ikTcSKSSafXqjifnUCB6 m9+0bjsA7Oyi8ivA65yNUC0maiIyWkgrgw2t DbMXTFVvmJThu9sGAc5jj5j3PmoqTF1ztKrl jTIMnCgASraV1DWSBgDMV9FrJIZdf3k2leVO ib0BbT774r81pRsw/5OvcMl/8Fnikr+xylXc EOCBIPT052p+k83cQzmSMLZJXE19XhxSGZAB +WbpLIkFYkkFy0Yvokar+NFzDPkE4aG7XiJx WWJMft23q5D9RPD/uxnVrYCVADE8DDmTwziE cvVgv0o6SZTXvI6M4QKzDZuYMoukfjMkFBai SaGkiIbXTG8s/cz1dQ== ) ecdsa-sha256.example.sec. 86400 IN SSHFP 3 2 ( 821EB6C1C98D9CC827AB7F456304C0F14785 B7008D9E8646A8519DE80849AFC7 ) 86400 RRSIG SSHFP 8 3 86400 20141212121212 ( 20121010101010 48381 example.sec. BhuvbNtOY0vfVJYNyIR7SiN4q9/BfBbgX7Jd YQJK7zNxxf7EX7RlvZTrBI0VlRIeW++4MkOP BuQz3U45BiyPe1V/LDhXmsWNtusaPjO3z3NA fV661W1O078f+HYJS5EtNnfo64TNAnSOkd3r 8fQxYy/5NTWI9GLq7Uop4JVuqOYzr7/KN4WG HCvfR3duKHG6DUZ/nCY1cCpFjFvIDZa89EVX 2MUcB06F1rLKQiSZNBVjSy7RtrIlR0nrXLOB 0DIJ6cNZuF+t8+zPe1c5hG574B3SmUyz9VIv A1OXt0i4S2IQ/xmoncHDoVswNlTaWPDz+iEm e4dtrkspArlAfWrBAg== ) 604800 NSEC rsa-sha1.example.sec. SSHFP RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20141212121212 ( 20121010101010 48381 example.sec. KLXCFYreUBGQxpFcEsUKfr9whiNzae/2yjE0 ssFRHqVKgVzHWmBrh2Rz1995d+eeupTZdden RE7iY3ArKd/Gx0Rs2HmMvgJJ/z0auCHNCUaP LCW9WKRFFestBDvuRBHSJ5mt6Y5XLs3521r+ /fRIICwldr6zQjzoPZ1OOik8kujwYTLoQPRM UrEJoMskL+OgrQTDn+pdtwuAXF7hWsUkrEpL w9aqhYcl9C4AQoG8gVMcPmmZLYBhDYnXvT+R 9NJNrdKve2Xsw7pKOYMz54xZo9IjBrnFa+k6 QBH7yTIaT+E/Nuv02Ve2O3L9BQ3HUcIpYeGz LCegEmI1H5+VzqQyeA== ) rsa-sha1.example.sec. 86400 IN SSHFP 1 1 ( DD465C09CFA51FB45020CC83316FFF21B9EC 74AC ) 86400 RRSIG SSHFP 8 3 86400 20141212121212 ( 20121010101010 48381 example.sec. uyZJ8JEIe+1Nwn8umonD3qapuM6DDpyljlUO 1cCWCjoFiIOGqne4f9gQeN7p0eEjc94yVjTP P1XtVSIZYGRe+Yd+zEVqBJmVtT1fqIWxQokT aTiw6NUMP8uztnZANHnFH8EFzzmM2s6tJdbC bAj0VGVuR/a3gk3in3fTdWN1WkNO4rCW5rtZ MpJsCWb1w0/OOPLhgNma1W9+hE8XErxwR/1D tvyog+ccf2WKPoyph5tPBe98b6Eb2vo7f3Im PaasOcIno2yi35TN1NW0Da12cb51qo7vuPxU ISZZXXi5wXWX3lF66nXxnpiZkZ24k+ZPiN41 VPV817T53Wx+U8kDmQ== ) 604800 NSEC rsa-sha256.example.sec. SSHFP RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20141212121212 ( 20121010101010 48381 example.sec. rfOeXJndauKIfbI7Rja0KTZmw0jbpmZNKk7+ mh/QcchF7Ov/U3+vUhIiWrJtzm0w7HtVG+Cv IXidvyDd8yecr/WF9K7BCvOlXd4WcFJCCSze rAOoBZzpbkw7UKJD7cc4Nf0MWH1G4w3SNRAc gZXTXmRNVY10ZT7F42ApTirQMjbbujB2XSgy KYEdFRfcNLnHpUApjl4gv8Yli263IOSuhRaM 67BVNzlX7lgllRyvS1QDh+TPAlLsINuQp2Zw znFS0+gZggYzCDQlLoAAm55sFBOUnrBxIPCf 971T3ThN17hbilS27hJZQJvHf6HSdRm/SN6m Dz+EndqSwlDddtVxdQ== ) rsa-sha256.example.sec. 86400 IN SSHFP 1 2 ( B049F950D1397B8FEE6A61E4D14A9ACDC472 1E084EFF5460BBED80CFAA2CE2CB ) 86400 RRSIG SSHFP 8 3 86400 20141212121212 ( 20121010101010 48381 example.sec. O6bG4RWK53z/hhTf+oxZNuMa08XCr+oGuM5l TN+CxYLDX3y3jKuaR9G1U8XiW6BFxBIKW02G ufGlJTvFvRVazIzgeCnbcJSkeR3dW9aUP3+R zoUQHNiFPy1osIXrx9jYbbPBrR+OdIpKNk3H jcjVtUksHlo4QE2aNbl2jvybpz+ORb6IfxBL Fqxr7bWrMiw2VVTbvVU6FSI0ObIHsJsqnK6b XC7IoGl53mosrJi9AUGQ0NSbcEUOXwbHfQsM avvJQwjbvsyPi1BhXCO2/kU7Jtl4SdCHHr59 06ZB/D/0iaPBacT1NBbmTHWVMCeO4zjK2kgB V+6dc+ouUYupPbt/QA== ) 604800 NSEC example.sec. SSHFP RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20141212121212 ( 20121010101010 48381 example.sec. XJdaTjwHgp8E7Yd9CZl9ixnA9xSyu0qC/GEK BiVR0t4bPGjYG1qM6S8b3DkSXB81sb2hVI3F jEteyPlHPPsKEHsQx4EfwplO9iJH8h30qLBV TmPOCec9kbSvtV+YQp2wB+Yqi7QIlmEHKZrc 3zRMkRC9cjyO4W0YT4zcY7B2Vo5KhDKd8Y2E R144qQAWZ0mI5QW77iz7w0qnZV5IZSLYB6Sc 6PxNuRXY527ywYVhOX9O/2jl+4aDFSovU64P ZdYXeQxu6FZGqjkZWMJXH1gOx/ZY6yT3+Jhn G5EQz0P5qtEQUoEML2t+v8FKXlxEElBiPnFe Q8uMauGefXwnHglZOw== ) t/issues/36-include/000077500000000000000000000000001265465626700145305ustar00rootroot00000000000000t/issues/36-include/empty-include.zone000066400000000000000000000002431265465626700202030ustar00rootroot00000000000000$ORIGIN example.com. @ IN 200 SOA ns hostmaster 1 10800 3600 2592000 1200 IN NS ns $INCLUDE ; there is no include, and it is wrong t/issues/36-include/inc2.inc000066400000000000000000000000741265465626700160570ustar00rootroot00000000000000$ORIGIN inc2 ; i.e., inc2.inc1.example.com. @ A 55.55.55.55 t/issues/36-include/include.zone000066400000000000000000000003421265465626700170470ustar00rootroot00000000000000$ORIGIN example.com. @ IN 200 SOA ns hostmaster 1 10800 3600 2592000 1200 IN NS ns $INCLUDE reldir/inc1.inc ; relative to the zone file ; here we should be back to our origin @ IN A 99.99.99.99 t/issues/36-include/missing-include.zone000066400000000000000000000002071265465626700205160ustar00rootroot00000000000000$ORIGIN example.com. @ IN 200 SOA ns hostmaster 1 10800 3600 2592000 1200 IN NS ns $INCLUDE nosuch.inc t/issues/36-include/reldir/000077500000000000000000000000001265465626700160115ustar00rootroot00000000000000t/issues/36-include/reldir/inc1.inc000066400000000000000000000002561265465626700173410ustar00rootroot00000000000000$ORIGIN inc1 ; i.e., inc1.example.com. @ A 11.11.11.11 $INCLUDE inc2.inc ; still relative to the zone file, not to this dir ; should be back to this origin @ AAAA 1111::1111 t/issues/41-ksk-policy-check/000077500000000000000000000000001265465626700162415ustar00rootroot00000000000000t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.key000066400000000000000000000011341265465626700223370ustar00rootroot00000000000000; This is a key-signing key, keyid 7686, for example.sec. ; Created: 20150630133112 (Tue Jun 30 15:31:12 2015) ; Publish: 20150630133112 (Tue Jun 30 15:31:12 2015) ; Activate: 20150630133112 (Tue Jun 30 15:31:12 2015) example.sec. IN DNSKEY 257 3 7 AwEAAciLWglw17dt8EDAN88BrQYCIaGPifC4pxrizfz3S1cC4XbSyRW5 loj5SSHVveUmmIV90MTEOhGCDUVq/qiYG7NgTNHn3YiqyRU3sirw4SAC Fiwln/ejxFDpQkeAbZMCzU8FQhTIB1K9y7QRiLacI6naULzgP3h4PsdQ SQmw3/TWy973M+lHzwkgVq6ML42L18rGG0sn1KQDNSs/6sd9dcRjPo7u J2OuUsnbu/5N3vWYLciSBUnY27FUvbFLkVIq072wjUMIb0Xc2EgYGRFK yV2MMckLvoD7vPclBE0Krv9fO/B2/KXsbObTgz4m5iQNF45QLU02kmvw B4iyIzIk9O0= t/issues/41-ksk-policy-check/Kexample.sec.+007+07686.private000066400000000000000000000033631265465626700232270ustar00rootroot00000000000000Private-key-format: v1.3 Algorithm: 7 (NSEC3RSASHA1) Modulus: yItaCXDXt23wQMA3zwGtBgIhoY+J8LinGuLN/PdLVwLhdtLJFbmWiPlJIdW95SaYhX3QxMQ6EYINRWr+qJgbs2BM0efdiKrJFTeyKvDhIAIWLCWf96PEUOlCR4BtkwLNTwVCFMgHUr3LtBGItpwjqdpQvOA/eHg+x1BJCbDf9NbL3vcz6UfPCSBWrowvjYvXysYbSyfUpAM1Kz/qx311xGM+ju4nY65Sydu7/k3e9ZgtyJIFSdjbsVS9sUuRUirTvbCNQwhvRdzYSBgZEUrJXYwxyQu+gPu89yUETQqu/1878Hb8pexs5tODPibmJA0XjlAtTTaSa/AHiLIjMiT07Q== PublicExponent: AQAB PrivateExponent: d5kDfRXaz/20hikcH0v0j9y9icg8j17P6WzRQ8eHGsERDPfwDBC+AboJLzB1Ky+1TgcWdgJATyisGXYRoSH1gygvKA+LQnH3sbuheZJl79zOtE1L9TepYEd7y4B/2GiXYETWf+Y619Fwpla+nYjIjAcylzF1KLctWVg79peROEXC0zb+IxWQFIBpe7OzTZ1qxG8ymm6uiu9KXH6qQi3BLSarxj5rY+tO8oj0qQNOGkbSVsXFax0arZ0qMRFT5UooOm+2Yl8Q9Z/PC52qwNqkSDZ2QeoYTJx5tDFhuVJxXhioxGIueA4QuCRA4cRL2U5ZnCYcQa10JFE2O4N990eLUQ== Prime1: 5LW1fl8ky4bBaIPg48Cq8bXQIvaK5syFTvzzMopuTeD6PGwOByuzc4u9KLVrDRebjeYfNVkqXIJAHMjolOr4jURWp2Q3FUrewqdgyY2ULSLMmQo0+dHkvjJIs2A/6vNme+MtFms6msJjyzj3EhLf32djvCH+jWStP3Vb/jopYWs= Prime2: 4HlJJB25JSLygHd0GWi8yu0z3FaYhWXnIs8bwpT8er1lH+tsBeYI8ughuX9h19STMRnBhAh0ZlQaKHOrPTsdVOFQJWr6aUbWIAhv5m+ij1IFsQ58DKnsYP0DXiNkR7K4pXO8yzPTo9UfaMCJAKYipENTgpfb43sVBQnDIGr9oQc= Exponent1: aJpK9g9h7swlLT4T31bBWGeFWFhWUxT7a5L5UAZMSMY67OOmztTH8HLbAwFmgshnVtEHOQkc/M59sCybY3DMWSAGWezV3KEvnOucstJUEQi3ds9aR2AeNHcfFRtSYI0ONF9EwdotJZb+uXXGWrfTOIQ681LA7746FqoAdxf20R0= Exponent2: QlFS3Iqzglc60d14vXEGJeXCZpxm3zJmARCzIN+nYBPIZo/FEFEP38PZAtaxb3RsMBtt4rYkvX6nY8AYnTRzy/ntFcDvTl8RL9GOTcQ5gKI48EBZQdyJ63WUoyFNpSkWCDuTUW10X3i9mNMZJsnufh0t9O0sl55rbVue/Frfp80= Coefficient: aLnGdfeRJ3nSjmbby8IDkJ+W+gFGOHd3XAMDSNP9D8kn6B3JyAfY6FDSg0+Bh+F80PFNGsESkYimXlWr3B6NlC0Gq99hPSV8yU2pYHq3TPVB0tWOAkNVIXM9icEH9wshCQH7wD7cPDWvhhgcgo64nYOGYeK6sjTL7XDtRanvbP8= Created: 20150630133112 Publish: 20150630133112 Activate: 20150630133112 t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.key000066400000000000000000000006571265465626700223360ustar00rootroot00000000000000; This is a zone-signing key, keyid 64232, for example.sec. ; Created: 20150630133105 (Tue Jun 30 15:31:05 2015) ; Publish: 20150630133105 (Tue Jun 30 15:31:05 2015) ; Activate: 20150630133105 (Tue Jun 30 15:31:05 2015) example.sec. IN DNSKEY 256 3 7 AwEAAaMBYu1QXBi6AII33FKwWpHhOkGMhcVcIWJ73npEFjvDe0jJfLjk ghnij4tMfDI8MPIZ6xwVLYsEshxsDNEJJGdZ1dUvfJDxSCv8Wp0a2Iff xQ5NDRHSpUw27yJoQfI5gUqvor+wGTNCUWx2OU0Y1BOy1whHtVbDl1gt 1R6/8mOZ t/issues/41-ksk-policy-check/Kexample.sec.+007+64232.private000066400000000000000000000017671265465626700232230ustar00rootroot00000000000000Private-key-format: v1.3 Algorithm: 7 (NSEC3RSASHA1) Modulus: owFi7VBcGLoAgjfcUrBakeE6QYyFxVwhYnveekQWO8N7SMl8uOSCGeKPi0x8Mjww8hnrHBUtiwSyHGwM0QkkZ1nV1S98kPFIK/xanRrYh9/FDk0NEdKlTDbvImhB8jmBSq+iv7AZM0JRbHY5TRjUE7LXCEe1VsOXWC3VHr/yY5k= PublicExponent: AQAB PrivateExponent: ATf/b1rMdXreihq00QF0i+atMtREI8eekEfwz+U2bVf20gJ/pjo/JsZk4FvACfgdPZIoCdu2rXVph4DfT6jL1t7sDY/9mfcMd2Zge6eB8Kat3QpdDu4qClgkXFTYFLj2lQ5Bm/b+YbQ8fiPlZovp7YGFodmsjfnNvbT7UiOiSKE= Prime1: 1wNWdr5FIrew1NTzpbeClZr5NIIoRBpEPsSDCBZpbRDZ944LcjWgrJpVlG1klkp/cR/zcSzrq+637rva30jglQ== Prime2: whQSB4wqB87wyYrewJLU5qFY5Up/YiZ0iyD4m4OIQMk/K7eXtuqFuSOP4xTR4WAWHIyRixa1F85/eh7y6+9h9Q== Exponent1: XjHZJEYw9Yex0VvFrdjaPX5aJJXM3CEButnOabGf2Cckxl4VR6CU1mj6iv7trSXP9RhBR1idmoIHVHA57832jQ== Exponent2: dtzn9etoSoP5gNYmevbyoZWr5jJsNeardhJpcIVsS5F1uQamSob0A2G+XCuCJ3A72pxU/0SXAM+dz2NpEAr6iQ== Coefficient: egVfeiBCmggrVDolCSvAIg+XEb+YmLcD1SLT5qFLuqCtPKWGDx9lGMbqbx5s2gzeeoAPL1r34pohHNLMCqCNdw== Created: 20150630133105 Publish: 20150630133105 Activate: 20150630133105 t/issues/41-ksk-policy-check/dsset-example.sec.000066400000000000000000000002451265465626700215670ustar00rootroot00000000000000example.sec. IN DS 7686 7 1 51B9CD8F901235705C6D353ADA23736AE954B4DE example.sec. IN DS 7686 7 2 9EC80B8BAD67C66954B8FE726E06CA7840282C7F444BE51A916ED11C 36908A3F t/issues/41-ksk-policy-check/example.sec000066400000000000000000000010571265465626700203730ustar00rootroot00000000000000$TTL 1d @ IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.example.net. subA IN NS ns1.example.net. subb IN NS ns1.example.net. subC IN NS ns1.example.net. myMX IN MX 5 mx.example.net. t/issues/41-ksk-policy-check/example.sec.signed000066400000000000000000000123611265465626700216430ustar00rootroot00000000000000; File written on Tue Jun 30 15:31:27 2015 ; dnssec_signzone version 9.9.7 example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 7 2 86400 ( 20150730123127 20150630123127 64232 example.sec. b1Qs5d/0a4IDAvFPVvDKqWpir4189XoPOD4E 804eiNXRLP2ShkEUBPil44+6Ikwup5Im24XU PLnmStjUFHVniicvwbwT/IY4etXR4xNoBHUc BU8LiADPpZGfJ1tC/s/IHLcPbX21OltyYzi0 ++z9gxZGy4vCG5gYCH0vm+Q96fY= ) 86400 NS ns1.example.net. 86400 RRSIG NS 7 2 86400 ( 20150730123127 20150630123127 64232 example.sec. gyqsk3xSnKefnjTOVzJS4sdDFiJ5cPEupSkP +LGXGRDGrclY6V9mkfddQz3MkeCCjujvQNAi NpZllyzFj221se5bHLAVydkT0jhl2jgp8bsL DBk15FGa7SXcwtpXn5rkDvR1/wmS7M/aYnrY 3j5dTSSsOlZQLENWBEtct9QSNbU= ) 86400 DNSKEY 256 3 7 ( AwEAAaMBYu1QXBi6AII33FKwWpHhOkGMhcVc IWJ73npEFjvDe0jJfLjkghnij4tMfDI8MPIZ 6xwVLYsEshxsDNEJJGdZ1dUvfJDxSCv8Wp0a 2IffxQ5NDRHSpUw27yJoQfI5gUqvor+wGTNC UWx2OU0Y1BOy1whHtVbDl1gt1R6/8mOZ ) ; ZSK; alg = NSEC3RSASHA1; key id = 64232 86400 DNSKEY 257 3 7 ( AwEAAciLWglw17dt8EDAN88BrQYCIaGPifC4 pxrizfz3S1cC4XbSyRW5loj5SSHVveUmmIV9 0MTEOhGCDUVq/qiYG7NgTNHn3YiqyRU3sirw 4SACFiwln/ejxFDpQkeAbZMCzU8FQhTIB1K9 y7QRiLacI6naULzgP3h4PsdQSQmw3/TWy973 M+lHzwkgVq6ML42L18rGG0sn1KQDNSs/6sd9 dcRjPo7uJ2OuUsnbu/5N3vWYLciSBUnY27FU vbFLkVIq072wjUMIb0Xc2EgYGRFKyV2MMckL voD7vPclBE0Krv9fO/B2/KXsbObTgz4m5iQN F45QLU02kmvwB4iyIzIk9O0= ) ; KSK; alg = NSEC3RSASHA1; key id = 7686 86400 RRSIG DNSKEY 7 2 86400 ( 20150730123127 20150630123127 7686 example.sec. YQ42WBCr7e4MR51W+d6Awkxdff7tTNiA1qfJ wsst0UiNXKAv504YRcS6B34u4CfG59lWWtcd +xBHU7Zuox5nehsLEkFAneD1YrJLkgVw03nZ NzDNWFvlxfQ2/tJ7vGbjKG2cEwUnbJKl+Kcl JTAc5JzZegfM75M0Z4Yi9NiDjicpHbaICtKJ 5WZ6T5nVFo1nl2xCq2CiXiR1+jGKARUW+btO NzHMApLQszDo7CMgvYJoHy0CHAV1Uc7Ka4zO P3dVYkwu1Puk+gixhNUqo+UhKgLB2JUYdci7 cQ1JR9RzqEXzyZgGpLmXCOEOc8KD2c2dDN5L uvOV40OrWhST/bAQ+Q== ) 86400 RRSIG DNSKEY 7 2 86400 ( 20150730123127 20150630123127 64232 example.sec. lKX35bocQ1iR4VTW0Es+2bZ2qX1ON7OGU1fO Pb0ZqueG2GYgI63VE4Jv3WeOmGg/Tkjvsdb6 bMHVuVpxHvQKRqqzfaQmY7nzoDe53LfSJewj p2TvdhvpPRroEZGXXPmVl46R/p+jlYMJd47T o0oqB/BvQPUS61a5NThagGq6vJM= ) 0 NSEC3PARAM 1 0 10 - 0 RRSIG NSEC3PARAM 7 2 0 ( 20150730123127 20150630123127 64232 example.sec. hNJlc3JuGYBpnYEZQrhqNwrIL2fBegnnR4ii TOW+0Km2maqF5ZZMxBZ7x54gW4T0amXXz89+ uE+l02eknf/FgM81FFOrQvJul0toOzKW9g67 e2VwQAwcw7g6H06cSsypXM/h9wvsNQpoSdx0 rq6qU2ruYM9NmJf+xUzUk38AFUw= ) subA.example.sec. 86400 IN NS ns1.example.net. subb.example.sec. 86400 IN NS ns1.example.net. subC.example.sec. 86400 IN NS ns1.example.net. 93GL7KF6D2G7J2PSLEO2CIA70A3MM4KQ.example.sec. 604800 IN NSEC3 1 0 10 - ( CSLD6RFNKVSKA73DGNI0EOM95Q8DKGBQ NS ) 604800 RRSIG NSEC3 7 3 604800 ( 20150730123127 20150630123127 64232 example.sec. JRhyC3PbmnvYBkXzV5GmIBnj5LJTnrVeC1t3 v6t6o+3udfPZRecHw2cApf/Oed8H9jCeox77 vA13/fLXui635CYAcqXYxVgO4g0au1d1S6lo N2Pw96JXDNhIqyVBVj1Ii2ZOQLWXZ8YgZRQ6 lxgww8m0QGC8FjEnzR8z2liSG88= ) 3ED4GMVJJ0FT4TCFDKNFQ5EPEFSDBPNM.example.sec. 604800 IN NSEC3 1 0 10 - ( 93GL7KF6D2G7J2PSLEO2CIA70A3MM4KQ NS ) 604800 RRSIG NSEC3 7 3 604800 ( 20150730123127 20150630123127 64232 example.sec. B9L5NrHjO/J6FDmv7DjT1xq/f8jiB2WTEXSl bFeUVcTivoyvdyfNNTH+YlzJesqTtQ9GaEPQ ouzw7XbdyvtJ//GD+vrO/7XwfrVmkckQgEVl zPm70TksAkwLzj0uY6WBIGIPq/KJMM14f6El ct5w2KtgvF9sazFP+KMchU5Be3Q= ) myMX.example.sec. 86400 IN MX 5 mx.example.net. 86400 RRSIG MX 7 3 86400 ( 20150730123127 20150630123127 64232 example.sec. lh8vFwFg77gLtLyXbzqzYSlebkzn3yAlXHU2 /hgiyUWYcuZa5E33Ul+ZrUJPCGLaUQs3X+yL p/uk6LP2dnMaf/X1mow/tyYNtIdn0MhTYNqs WmYV1Ga/NSoErtoHYoNgeqV1w0Q/nfhipMdX RekpxVR6RUUt2d3LS8UIH+pEYd8= ) CSLD6RFNKVSKA73DGNI0EOM95Q8DKGBQ.example.sec. 604800 IN NSEC3 1 0 10 - ( JC1M8I9IPBEENK9RDGMN9LQKAMMSQEVV MX RRSIG ) 604800 RRSIG NSEC3 7 3 604800 ( 20150730123127 20150630123127 64232 example.sec. menCNV7RkbVWmfhuPfoYHfHCEtvQmVb3+p/x WYVymu5hXUPQ2+K4Ns0jQ+om4GuTmXmm1DYY IjIXv4jthJoD6jydqN6Hr+tr0ewxr6mHXj3I RizTBuw4zcgPUrIRVQStkMtwyjN4Nlznhg7I txZ14uH1G4U1DgkR2oC6YZsSqi8= ) JC1M8I9IPBEENK9RDGMN9LQKAMMSQEVV.example.sec. 604800 IN NSEC3 1 0 10 - ( NLF2NKFTCGVVRC4C941FOOCD00TPI9DV NS SOA RRSIG DNSKEY NSEC3PARAM ) 604800 RRSIG NSEC3 7 3 604800 ( 20150730123127 20150630123127 64232 example.sec. ggLIoKQYmI9GeBkSccVdE87G1QQwGGO0HlrN dg9Ah5QiWWjZ5icSOU4vyEm0XiqkFCrGEAq0 9L4HMOFuELMa28dAhVxOvZldbXizXUSCbWCS miYFLOIKcQ9IcmzeEgg+uJzHdAyYSSK2Jb+0 YYuoXOhiZwzluj+u2i6kbf6wDY4= ) NLF2NKFTCGVVRC4C941FOOCD00TPI9DV.example.sec. 604800 IN NSEC3 1 0 10 - ( 3ED4GMVJJ0FT4TCFDKNFQ5EPEFSDBPNM NS ) 604800 RRSIG NSEC3 7 3 604800 ( 20150730123127 20150630123127 64232 example.sec. buRQJjfJDIbRFZFr8s7odGSxqnrSHXXN/AAu tbG1k2L7WD+DGYFiRnR5Uia/C2oL186PqBtT R8oDKf/4zr5qOsZz9xYabaBqG98JVXwPTiFk JBoc7sFcwGJ16hj9Zey05aNs1h5RZm6BL8W0 9bRF3qIezckG0VA+U7ASTLNH4ME= ) t/issues/dot-is-single-zero/000077500000000000000000000000001265465626700163125ustar00rootroot00000000000000t/issues/dot-is-single-zero/Kexample.sec.+008+48381.key000066400000000000000000000006021265465626700224050ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8= t/issues/dot-is-single-zero/Kexample.sec.+008+48381.private000066400000000000000000000032471265465626700232770ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 8 (RSASHA256) Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw== PublicExponent: AQAB PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q== Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk= Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c= Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk= Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU= Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q= t/issues/dot-is-single-zero/dsset-example.sec.000066400000000000000000000002471265465626700216420ustar00rootroot00000000000000example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93 t/issues/dot-is-single-zero/example.sec000066400000000000000000000014571265465626700204500ustar00rootroot00000000000000$TTL 1d $INCLUDE Kexample.sec.+008+48381.key @ IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.example.net. IN NAPTR 100 10 "" "" "!^urn:cid:.+@([^\\.]+\\.)(.*)$!\\2!i" . re-root IN NAPTR 102 10 "u" "E2U+email" "!^.*$!mailto:information@example.com!i" . no-re-root IN NAPTR 103 10 "u" "E2U+email" "" . re-non-root IN NAPTR 102 10 "u" "E2U+email" "!^.*$!mailto:information@example.com!i" meow.woof. no-re-non-root IN NAPTR 103 10 "u" "E2U+email" "" example.sec. t/issues/dot-is-single-zero/example.sec.signed000066400000000000000000000173751265465626700217260ustar00rootroot00000000000000; File written on Thu Apr 11 21:11:27 2013 ; dnssec_signzone version 9.8.3-P4 example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 8 2 86400 20131212121212 ( 20111010101010 48381 example.sec. Fq4k/jiJFok+7glF4Nm0i58I524rmoJ1b6/N At6JVKWl0oja6db3puWnOP8hr+LeVcVWurqu XoV9Gka08da0xwaBmGnLZOalEUgN7b9MOsWu lSGhA/rA44GBdB8DLENt2XaM3EeSQ7IMLBGb ObOmwYrVgJbJpa8Nw3CtyzjqYSzde+BQuN/4 EYyP7fMdS8Uj6vHZq8XxolYeLgQBAmqDRg2X d0rETlT1SUfvAlckb6IIJEJl+qLDHWrebPWK ubVYzRrjTia8AKuo/UIuI2WYzAM7BNchh/7L GSh0HntsdrZ38ZeT82hr/ApfFIXpu/8jrQD+ muqATnMaAaFx10+j5A== ) 86400 NS ns1.example.net. 86400 RRSIG NS 8 2 86400 20131212121212 ( 20111010101010 48381 example.sec. I69J8S4zvi0luZE0va+MOum7IUODu7szp479 k844Mx4L5wb77SPxsiKwgVFtWOmFSgmNM935 ormzCsuAOTvtvm7b2Egov5Qo4yl/JvU3i0mR vLYFgGK0HFWFYM7Fj17ypqwMlAo2WYKYTVTa I9YWebM6saSkT2N19NTwBj1dGsW0CVzJPKo2 +ihnFi8FnoR7phZrEig0Z0U2zUmjgexYnrLU RRTzDtbAuDddRUr/tKmGrjTokpEKN7VzoNQi 5m9hiZQkoPrjui8k0KAckHSAiXKk+foKYrt8 TExvBjWCTHVIVk9JmsIBpyVtX/YLAGAorJyR nHAfTf6Z+YekBJbNrQ== ) 86400 NAPTR 100 10 "" "" "!^urn:cid:.+@([^\\.]+\\.)(.*)$!\\2!i" . 86400 RRSIG NAPTR 8 2 86400 20131212121212 ( 20111010101010 48381 example.sec. eaoY5DkXxp8NOLVfzqayHae7SeokwxAEkDFc Sk6xdRafMXrvJ4WDtfx7rcqq26WBcUXtvvG3 E/1ZXkCVekTjFu9XxYnaTgvoXzps8ybyTQ3a iTaDvttAwX21c7xAEOeqcxUiCQ6Uu6U5Baw8 8BqKc/tYMFv/lSlTK33LiqLjXOMrBWLsRdhP 4rbicl/xFnvFNz+MUMROpmcEVMhF4VWIflHS V521exuvW695/kRuvFzOUuvzP4NKaBVJizI1 RW3x5cx11UsVT5I6Si4h4PMeOcYFfZTCcwYt iIeBB9JcVAD8KDhe4ouMDS09R8o0ceHF4uJl uPbOyTsuLe4MuMB+zg== ) 604800 NSEC no-re-non-root.example.sec. NS SOA NAPTR RRSIG NSEC DNSKEY 604800 RRSIG NSEC 8 2 604800 20131212121212 ( 20111010101010 48381 example.sec. Pj5YE+pnDboIDPF/j1j7kZVMDRFaTN+7CDHC Y7DLCEO4V8t7sQkT6JW116tvmSjBato3fdrc u52IEbVZMvRM1An8uHAnBfvK+Bt44P6s55P5 fsqwi8KR8odCZLPcwsWK1ev0nDSmHk/PAHzd ROOxhbaltxs3hg8UNdk72dAwVFOj1A/etJHJ UMvTuj7bI4fGC1wpMm/jdnbG74lHOfj5e98F 3QZtTEv7ZOMoyrivs23hvjYV+r5miVbdw3LY 7OFtwfabWHaCgaV/zgqNoVgXqeexSIScXbO3 QiLh2QjJWwBgTaE5asUepmw6boB5lhNbJ75l pMhn2BkrtdZyeiP5Aw== ) 86400 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 86400 RRSIG DNSKEY 8 2 86400 20131212121212 ( 20111010101010 48381 example.sec. pOw63jF88dUEJt9V6jP5ddD1rUSGEyNn6ih1 Be7GWq2dcrY1ZxgI3fN8fGfCXyB089MdphUy 83TmWcz2KiuD0qRy/F0bK4sI4hk/2eokBVTo 31pIFNxZsANduz2nP9OoceLMxk5TCmm9zipr Bf0Ysrky0BReY2FRUjjaWNV4MuiMEf8ToZ/2 1+Zbqe7RGP0Z/IchDN2hpA+qHizloKTIFOCV sqG2CKHiG3ZcXMWKQaohuCrQyR9ee/vmF8ZQ IrY36SifxcgrT7cycE8NFhIlReLf7M41oYeo erdZHzrGZVGn2ZKCW1spsgpBRXdh37HvdVaV 8NOQSnaXLi1paogk1g== ) no-re-non-root.example.sec. 86400 IN NAPTR 103 10 "u" "E2U+email" "" example.sec. 86400 RRSIG NAPTR 8 3 86400 20131212121212 ( 20111010101010 48381 example.sec. thOK3O1btgK+IxcmKDo2BZx+tHOOhIRFJroj fmTan7U1Gm0ylrIGOpw64N0q1cUrn99g2iNF +p0zXo1k1ZMDXDG59jnzvQvqrq8h7XCA3GH1 ZI4Jts2xmvsmlBRmkGs6BexJHbsu2gA6bOE2 PTfcriQHRxLNe/H2/ysA2/C+uywf3ud6eLtT ztBR5m+m34IBAJ0MIZED0VD4XW7CV8jwSlQo cZXfdX9VYVyM7xCJt1C4BesMSojUGRk5at2Q 4/giW1bXGEqtbJj5xST4HBONnyzhPqK8slsx aVynOT60K3os+1M+Th3nPwPLhMMuXyi4pu+V gFnfeysv3lDLaWSoOw== ) 604800 NSEC no-re-root.example.sec. NAPTR RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20131212121212 ( 20111010101010 48381 example.sec. Imd15dZ1PVf12U8c21QUUD8aAFf3rC/pa9kb Ip/zMGShCDGT2wNd08TEjTHxaSHEWUJU4+9E DdL8S/dU9bEwjrkzH9dmp8VItVfo95rZmPvU jIypT6XdNinTkkeBSkoc1TNmOov/H/8UnzyA ryuXY/+GCyz8Srx3Iv388NxGDgSi89RBxcpJ pEcIwEhs6AGtc7dPc+oAVpqekCkADgF83N10 AwA/yLd1rUpAc/sZphiu5iQHeDUR6DAvhIk1 AN2F7HgVKmtgaVni7MLEQjzqPASN/jAx2mf5 jGBz3jeCiuGhkh8GMhI8g3Hu37q6Noa4FYO9 HLfrFgZVly6NPx3C8w== ) no-re-root.example.sec. 86400 IN NAPTR 103 10 "u" "E2U+email" "" . 86400 RRSIG NAPTR 8 3 86400 20131212121212 ( 20111010101010 48381 example.sec. Sa2e/jOAImtSOP+rJIimYtqs4UzkW0o1QbZJ hbyPlMwNicl6/tWCwlGnGOm+KCRMvo6DNgU7 kVHBMH1oZoHy674XRXP1VsNL24fXe3pTa5fq hVSKfY0sO/GnIZ4emmJ+HCIuKK8ML/U8Y2Si eart9IXhrwGtEPU0/RiU9oUsUWCA8Fd7eKx7 8k1qZCVYSq7uWhVsPpJAlernp1GEqggfc6hz y0q77BnJs/Hg0ZruwV8LhCSaOa3FLUBdXr78 AammfUfkkkoR4hREAgAV1hX/s3sFAkLe0z4y IyCKI38tzWSk9Fnvqh1ciUEK2Twk4+T916R4 iLFczgMHT32MSrWMzQ== ) 604800 NSEC re-non-root.example.sec. NAPTR RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20131212121212 ( 20111010101010 48381 example.sec. h1PxESogvqIgh9qIPVRK6gV+Ku2kczLvfcYx JjosK1sbyJHV3Wi0YJkSAdfmRAx5Xwx/kD4Z Rx3AVkR2vDxS8vHp/W8P7ZBSoc2FBPEHEDcl ip9M9HJRJrAwQAoPW8FRsR5xWQlK3jR5cQeu p6gtHYmX3bEGG9DJ4y9nOlfQJiKiiGzsrw3T p4YyznucIiszk4T9t9MROATvBnb+IqgnZgd/ 70NBHLBRokPSjxlo6urQCuA8c5pAAc6CNlbx bQrYCb1vQkR7HxtLT0D7TMsGk1VM9tDrRKji fdaGZuOcwpE6fyKVKscSSIbrmQyuWodeR5yQ zpWkkaYzGiiayhO5iQ== ) re-non-root.example.sec. 86400 IN NAPTR 102 10 "u" "E2U+email" "!^.*$!mailto:information@example.com!i" meow.woof. 86400 RRSIG NAPTR 8 3 86400 20131212121212 ( 20111010101010 48381 example.sec. CXKyN8XHuH0VoFmiGOBcNs39q8/+qrOF+QAM 78i0OkLLMz2v/aM2lrSOb+Hry5DWh+ot8G9U XI78hnP0ASZeB+8lQvEJIVuOiSEve8rPTPsQ 4tGmsryg85Kj9LUtCTEKCNV6YJaUVqt4mz8z h1f0SEbhqv0e3/7M7sYrWVTfB/kX0Bj8UqkH /05ga8XxMIMxtWsr75zlAZsscb61tn6XVa0B 3MV5O0U1eG1qoFeTuAbvr1DfZK0uF6ECCUyx JX8U2oo12Sxcz0o5L7Qfk0xERIwjxtN4lQ8R 9BdYLztEFxPPNGKKsvhSywLNZzL1hci+gNjq oO7yOXNxALYtmvKjBw== ) 604800 NSEC re-root.example.sec. NAPTR RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20131212121212 ( 20111010101010 48381 example.sec. Xqs0A2TayUWY/kqPFyOy+igaEqv3htnTdXCl C+yxb34UpJ8tBnbOVMchPvgRtfrWyKHdnQYw ovfdVsJ2vjWJ3CaZlji37Hq3+RdMM4I+ysUl mxKYqtb5StmpT2oHVk+YTLzSCcDCKaC3/1gk tCFXBxwmfj7KgnWXUtnO3JnaDKhRPFl2BJXA vWzcRNo1JsLa0HWDbvMe9WlHEgPZLjFV4D49 UgS3MPr+ugzpRe8oMFhwxRb5Jwhg09npoc/n iX9njvRbbFkWz8TpYpBxKd2gDfHmMmaHjorE ZFJZc1f9827L9bZC/ZQ4C0hjgnOVVnBadjSr 3C8ycWv1DYri5E20mA== ) re-root.example.sec. 86400 IN NAPTR 102 10 "u" "E2U+email" "!^.*$!mailto:information@example.com!i" . 86400 RRSIG NAPTR 8 3 86400 20131212121212 ( 20111010101010 48381 example.sec. FyUk9M6UtLK7SWoMR/lzOk3ZGzgvF0EyNR2E IngjzVMpZwgmxmumUgYGnXb7QNqgbv+0hq1O w6KFBLfGxAjM+R9Jl8TqiAsJ+iBUnPgf09aK AefnC7iF6O3ZpoZm3sXCogH6URXb9th0BIhE wIcp0zUBn9K7ZO0DpLT9o9SvOcJ6IyC1q2MX gb/vCD9J1ldIvzIixG4Kf9R7pOz3Skumxxh0 AdDpFaUnz4e8z+Mx1ggiaxu+7xpCyHt9IpqO xNUWXkDnAT7gJdmuRNrfMrZ95l1d9tRBRzdr a2hxjPKzkZZES22JP4bOacBIsmv9oFeWNwVl BTE21qIBdDbNM++aKA== ) 604800 NSEC example.sec. NAPTR RRSIG NSEC 604800 RRSIG NSEC 8 3 604800 20131212121212 ( 20111010101010 48381 example.sec. G7ALxMAtp+ZSLfaGoJ7G1OcEsO1GFI86ogY0 TlSH7RRj+Gq9AEI3q/wJYzmgxTiZyGNsQCHv gd6eetKCFhL7Bh5yyOwYClQVK+mPqLx0iqHt H3bkGiISUenbRBCMyjpb4MD2t0yDd0aXwqcL Pv6oOIKmdhFsZb+F+JvSMjSQjGJ5AWqFxZ9O Ip/VoJ24uO98vcTRaN8lyhRV+vYFfIFbaQOU Pki2DDN7HkOBLLL0XAMbX2B7lM24es0tp3F3 Y97FqegjBsbuEG2qD30FHeom97/cQBtf0MpA YgQbu9OFCi+wmE0CSANMAEecc+c86aMDjjC9 0X3fa5X5yacuZxz9zQ== ) t/issues/ds-does-not-mean-signed/000077500000000000000000000000001265465626700172005ustar00rootroot00000000000000t/issues/ds-does-not-mean-signed/example.com000066400000000000000000000005531265465626700213360ustar00rootroot00000000000000example.com. 86400 IN SOA ns.example.com. hostmaster.example.com. 1 604800 86400 2419200 604800 example.com. 86400 IN NS ns.example.com. foo.example.com. 86400 IN NS ns.example.org. foo.example.com. 86400 IN DS 45004 8 1 059D592478F4EB97496BB2294520B32A89A196BC ns.example.com. 86400 IN A 127.0.0.1 t/issues/lots-of-rare-rrs/000077500000000000000000000000001265465626700157755ustar00rootroot00000000000000t/issues/lots-of-rare-rrs/all.rr.org000066400000000000000000000414331265465626700177050ustar00rootroot00000000000000all.rr.org. 600 IN SOA ns1.all.rr.org. postmaster.all.rr.org. 1365591457 3600 600 86400 300 all.rr.org. 600 IN RRSIG SOA 7 3 600 20130410115638 20130410105629 54974 all.rr.org. JXs7cD0b3vbf9y6E68bY/xQ9Hwkb0ZUrgrj0Og9ol4OYaGuHF3fNV7iFBNy5dxGjGCc3jXTNBM0qqlZbRJkw2nF3X2KWjthh8CWE8SwY0EsaQGB48+ooSoZdnkFjK0gwZSjWuWQ1vIZi27hbT08IPXzeNJuROGWx5n8h1LcPR1k= all.rr.org. 600 IN DNSKEY 257 3 7 AwEAAcj3L+4HQwnDi8d/RtzTkQ2C2nhG6loHdSwxRSiJ6QuEnmEG7pAr+k1XdOijUWID3e+X6kGqOkwYy6e6mbjlrTqxqQcjRMOV4e2tsVnRvOqAmVOQBDNs+FUWt9iWkLd5iWeJy6IxfTOjiJf5hJqLYyLfAATggq2YUcAgdzGcCilzeOLUNAD6+dT56hHz7qetituUxMkENlSzA9PAwzdoNWhChkfVzur464m9QPsTzOsn40SpYOnczRcBXvdfbme4n8JLLPR3JF55uFhJRpdyTJ4d+BD01Zd4WkVE1wnKxZXCKX3vlns1jZd9V+tcOtqwNRhOFxxzHosRvgp57QvlMpM= ;{id = 43083 (ksk), size = 2048b} all.rr.org. 600 IN DNSKEY 256 3 7 AwEAAcEpJKnT6f2BpVl7eYdOA/p50n8t6e0CB4Fnaze6oiu/UF/SNY6G08cTJ5q7B8Jj9k4AiAph/FpTF1WkG30kE6JDo1t5M+qESC5IP1niS0vvVOKuPn0xygNZU9Yq2Kw9ifv3aFFM1Iu4G1Oo79EDYn/Id1WMYST9oExCIKJpSyyJ ;{id = 54974 (zsk), size = 1024b} all.rr.org. 600 IN DNSKEY 256 3 5 AQPSKmynfzW4kyBv015MUG2DeIQ3Cbl+BBZH4b/0PY1kxkmvHjcZc8nokfzj31GajIQKY+5CptLr3buXA10hWqTkF7H6RfoRqXQeogmMHfpftf6zMv1LyBUgia7za6ZEzOJBOztyvhjL742iU/TpPSEDhm2SNKLijfUppn1UaNvv4w== ;{id = 2642 (zsk), size = 1024b} all.rr.org. 600 IN RRSIG DNSKEY 7 3 600 20130410115643 20130410105629 43083 all.rr.org. t440YGFURqwrsG6XPr3FXSyF8/O5dQ7IdoN9ctPJBffTJuHKmKs72pmeYHzw905PRpUySYP6dNImhi/REe5y7KcD05ys7UymIlo53F3oJPz9t918UGuFbeMd2/ml7JbkpuZA21zNl4ICiXFjFdM3zqb3lWh4lUO1fOMtzHWB2Qvtr8hrhIhujq5JBTwRPSpDIGl6iVkmLFvuR90+8410QdebhOkuEZno/sb17HprcrU7VpJCJOGU/SHCuzLHnJeBdk5TtGQ0WSo0v9Da27glO4MKkMpCz5JU3vw1c0xJ7Aya+sgrJVuWs5OZTY5WH43QrepqKOMTgpnwH0mxSaHYcg== all.rr.org. 0 IN NSEC3PARAM 1 0 5 dfe3a4ef6152d5ab all.rr.org. 0 IN RRSIG NSEC3PARAM 7 3 0 20130410115731 20130410105629 54974 all.rr.org. wQKmR0Tsz8XSe7ty2OV3aKyWhvNloHvgvj3wxz1IhUdlkWewiecf6+OARygyt+0mUSRuikKV0ZvzjzTooiTZr+vC3YcZN0Sx0woCJkfxGh98KW8bQ53Wt/mVF+/OwIjqiRPS0ZJKtYItIlBrwEWn89RM8LOcO6R0HkOP2AXWpOE= all.rr.org. 300 IN NS ns1.example.com. all.rr.org. 300 IN RRSIG NS 7 3 300 20130410115647 20130410105629 54974 all.rr.org. VFgrYVdjVIJWS932Qw+al8p6gEFyJgsz88wWLfLUYi5ZNa0h8l9Lko4Lh1s2B+45FIEKpDtUurdzY5g6sqec1uGRWdTBhNNghyFeRBAwHA9+0DhLFQQPuRChX4skpHC15Al4cmNGXmw2JPo9LL4sR9TKpeBF6UFU8B9IZcCCgl4= all.rr.org. 300 IN MB mb-madname.example.com. all.rr.org. 300 IN RRSIG MB 7 3 300 20130410115729 20130410105629 54974 all.rr.org. QqpV9ODE4BhOU3GMGkPkPEmIvJxurkRC9eZ+Sgik5f0eeX0z4/XAKNx2mFVel7HefbfOCpJTe6odWWA74ZnxdTxvCoyPsJrp+uSbjs18K9yUj+GOAeiOqGo48+NGcAV76dDktVH21Po2dSN6c+lB0rhhmEEqIf+ah07iUPz0SFc= all.rr.org. 300 IN MG mg-mgmname.example.com. all.rr.org. 300 IN RRSIG MG 7 3 300 20130410115810 20130410105629 54974 all.rr.org. LfXUeTX24jLoOoyW36BrT15XELCDy9J0ov1Lm3DGNF7n1+Krt12NWP+tlhZRcql/LJw9ms49K772ll6LctzjppvPAqipk9DlxVHG0+joQFUEfv9ba1mgmgcMX16uklTwcUtUvLYINLx5+pJd+MnfTJAtlBhS+GYt9j+daUHMuc4= all.rr.org. 300 IN MR mr-newname.example.com. all.rr.org. 300 IN RRSIG MR 7 3 300 20130410115648 20130410105629 54974 all.rr.org. mXAh1voDX9BFxyIJH9N48VXjaaZH123gr0b0pAZJBndzxNsRF/NWe5+ll6moMwsEWzcrdZXv/J2qteDK1GsMjepTXq1jdbLuCaQYZu+1oCUGVjZo4f1A31wY03lZfaQq1XcYDeJPMoB0oEQ11ZZHczpuvrSE28IpOv8CIj4ZMhw= all.rr.org. 300 IN HINFO "SUN4/110" "UNIX" all.rr.org. 300 IN RRSIG HINFO 7 3 300 20130410115710 20130410105629 54974 all.rr.org. HethM0wWVfFoHk+k1H1wEFA2x5t5xGXXa/jWUTRGvdmvdU5DoibykO2ulTbhnWfha4gvufFBG+hh+94UPA2rEiACha0c1oWoaXkUfcGZJdhjJzfP84Y7Zujd+1+Iz8XdDWgCD1Q4VRCsKeHU3zfquVOAC0NEBXoSfpm9Q0nbV1A= all.rr.org. 300 IN MINFO minfo-rmailbx.example.com. minfo-emailbx.example.com. all.rr.org. 300 IN RRSIG MINFO 7 3 300 20130410115818 20130410105629 54974 all.rr.org. no9mgivSgSTU7HW9Tw6A8w171GRVkeObQfDmkYtK6w8/hsaZnP3sxCJ4450ik9S2HG3664dzLDP30Vr2mXQxqRDbFbk0sAbFLAxctGx1FJCcbov91K5OyeT/P5GaNDREjvnI4fPACeBmKOYwl0nPA+x97gfiOKyMojONlqRHnOk= all.rr.org. 300 IN MX 10 venera.all.rr.org. all.rr.org. 300 IN RRSIG MX 7 3 300 20130410115753 20130410105629 54974 all.rr.org. pQQ4jRKH/hvZuHZ4Gzzr8eXAGTSkl8kdae6Cf3iFRth+b/i8A2k3mhDbvMj5vZfr2SCSRQlj8c4Iwav3V/v3KKfJaCUqis/ezS7S2j3yp6ZLD4ovYVkf4eCRDuuyNV24ueOA9Qw3666NsjzgCj/VR1bDE8P3OKFciD6839w7ab4= all.rr.org. 300 IN RP rp-mbox.example.com. rp-txtdname.example.com. all.rr.org. 300 IN RRSIG RP 7 3 300 20130410115643 20130410105629 54974 all.rr.org. nzLrxR5toebeRucvM8pJHDy9gC1VbZho2tsh1YW5JAHs7+NApZhMDrx3Q1YK7YCNR6N7A0s9BNz0GCOjn+8/WjTgmgMboEGGFhzbAyY1feoWesPhA3teSHKGonwbsSSameg0p3zeHb6xsdH1Xy4iipldplknmDNptH6MDD/jigU= all.rr.org. 300 IN AFSDB 1 afsdb-hostname.example.com. all.rr.org. 300 IN RRSIG AFSDB 7 3 300 20130410115708 20130410105629 54974 all.rr.org. EkXQh/xF8BRRTlFBMnGhLiM71DajHFdBozPbnIm4jBoNbfpY6lL177793lRGrVYw3w+VwHIq9G6PTpoqvVdn2MC1nhTVzi3UOeJHJcL1W8YiwMcX9JF42fBC4EdmFosb2iiOjhhDY8YtNxV3sKm2EFXaxF19363L/49Nqu9eAr4= all.rr.org. 300 IN X25 "311061700956" all.rr.org. 300 IN RRSIG X25 7 3 300 20130410115750 20130410105629 54974 all.rr.org. HWpORPHWtudr/A0Fs3+lNo93tDLEeNaAXMBsoA2x+Uw6ZIfst9YtHo97+p/t+im/ujN+ecL2zJY9FwJIa6EOwozzlslTACxUdMdkw19PcSd4pDygKq12OR5gkwnrCKPnP+1Tw7jIdQgxsQ40sKKGOoF4P13DWJqCWKCgfkh3RZ8= all.rr.org. 300 IN ISDN "150862028003217" "004" all.rr.org. 300 IN RRSIG ISDN 7 3 300 20130410115631 20130410105629 54974 all.rr.org. VxgkkyThoBwnvqL/wsp061RXQFcqjTr1MH/TZcACxLJPYfyaVHf7/DsXcl3R+lVbZ1qKjO53zmhpshLBtAztpHKP1fH0s03jG6Vjo8ZpQ+3gCAvgUjmF1qfRBDsfqiwLNSnzvWOsZr1ztHcu6iwvTmzU4RHroSDE8zOnni0TXV8= all.rr.org. 300 IN RT 10 net.prime.com. all.rr.org. 300 IN RRSIG RT 7 3 300 20130410115645 20130410105629 54974 all.rr.org. dzlz4VrEni+LwvW6OaC0KX+/FCT8Z11XxKcQWK6dOG/mKO1/RCtAUrmgKutkXato47aBc7pfkmglvWaX6pA9libUvVZ+9L236IlZFqPkH3wLGwD0aGbdOx7BpR8R+XQ/vaUaYG5aTw4FfJZuMsliAyMkNIOPb946QfMDAtovb6Q= all.rr.org. 300 IN NSAP 0x47000580005a0000000001e133ffffff00016100 all.rr.org. 300 IN RRSIG NSAP 7 3 300 20130410115822 20130410105629 54974 all.rr.org. N4F77O7TdbQ4qZiYQANmgaUO24fEjxIvdHhI7tbWYFTClzGiMt2HEss9GlGIwFXDDhTnnlCJ7tZ5CWK0iJLt+1PDzShwk5IsWp/4a8AbOYpY148jUKAXETpLNRBCMfZDz+svw5mVTnYb3nsQ1rfOc+9PO5swa8vTCU6+TnrKBr4= all.rr.org. 300 IN PX 10 net2.it. prmd-net2.admd-p400.c-it. all.rr.org. 300 IN RRSIG PX 7 3 300 20130410115645 20130410105629 54974 all.rr.org. QI49aymhAWe7U48kAg8w0f2bayZZNS4X2DM1sICBpwqkCBzbzb6Wkb27OavwESkuqFczIgCLefUY6V8sWdpAYxEa6UxXOI4gqmtdU0QCgVC3wrvWl4Lmp16GCsPCNj0QT48LQylM5k3HDa6qkV4ws99QEUF7FyLsf+1Ui7hhEgM= all.rr.org. 300 IN AAAA 2001:db8::3 all.rr.org. 300 IN RRSIG AAAA 7 3 300 20130410115720 20130410105629 54974 all.rr.org. odKMWjUxeqm6MScpuWVEwpGIWVHWcBuvHYObwJ/N0ESe/8dj1/9hM19BbTAlx0T/CGgoZAciMtanVAahicGXGXxwOji1LQNzEsYEKkyNWYf0T6LWgCsK/WbkA1hxNKEmENvH9IwGLotS5zcgErqcIc44ns5jT2V4HwCpm/ylbKk= all.rr.org. 300 IN LOC 42 21 54.500 N 71 06 18.300 W -24m 30m 10000m 10m all.rr.org. 300 IN RRSIG LOC 7 3 300 20130410115634 20130410105629 54974 all.rr.org. FdziErbL/quIRYH9P+u+4kiAnwdB+PuTU21qh12JhusotZDAmAjBpvdHsjcIAIJmK/oR+najm5AKirJCnxj9F6pGdK3xPo1bIinFALYnlJzpHEklpBe8A9AMrfxxFnCCEKxqa2d95Oe8n1NcZGMBTiqBhxDRmcnmlS33FA+YJlc= all.rr.org. 300 IN NAPTR 100 10 "" "" "!^urn:cid:.+@([^\\.]+\\.)(.*)$!\\2!i" . all.rr.org. 300 IN RRSIG NAPTR 7 3 300 20130410115656 20130410105629 54974 all.rr.org. iZH5FWlSU8GIy6VQsUTorMdaRAG3Wbo1irlzrPbRuAQmPCfredI2236MvU1ZhQdy0O7OV9MbXxn6TmLWJWmntceBDj+sCauuMPMmU4+rZAuLhlV/MSspftlDXqnkvC6bzCFfhVDoFyF2zKY4Xs8JKPc6mfDeXUyGyLrgmV++hLk= all.rr.org. 300 IN KX 2 rt1.example.com. all.rr.org. 300 IN RRSIG KX 7 3 300 20130410115645 20130410105629 54974 all.rr.org. a52c4EMSQYVdBtJhi+JcgO3wVx/JuCDYgwQ68mo0LZ9M0fnUGDx1l6somvZMQoi/fbvfzUAZ62oU2UDW9Oz9enIxe5DmyYN+57gDqEDbNg3SoBrVIoOcftFQml6X+JH/grQ21no8hZLP5JXrJ8cHZ8ROhPST8J1NbLUKjp0uHEk= all.rr.org. 300 IN CERT IPGP 0 0 FFsAyW1dVK7hIGuvhN56r26UwJx/ all.rr.org. 300 IN RRSIG CERT 7 3 300 20130410115632 20130410105629 54974 all.rr.org. CcY3yTFCBjK+YQ9ZqZiSuPKUCdezf3n4Ul/UwwUy/39nZRYeU1MXOaAtnAzmNCMqER6/AHwweJ4d+6oSrLsAYoDUBToHwyhMg8at/f4TZ4UZSYGVj1fF3MS1mVdUAeHlN5/ZgVVoFX1nt93i7DIbAUjSKwHHBrTSQFyVb9kNhXM= all.rr.org. 300 IN SSHFP 2 1 123456789abcdef67890123456789abcdef67890 all.rr.org. 300 IN RRSIG SSHFP 7 3 300 20130410115742 20130410105629 54974 all.rr.org. cvXx5xDRh1fhNriUN66qpjmzW+pCFov32WALjEtZHKZ08UHDcw7oYk0bAITGEIa+JCujQ7RkAMgwpbFbyZYoJgV78j+YaEquqfT7ZjZDy8FB8eL9P+HpHqoXtEXLvO2WYsbtU5phSESflzW/8kOvFWduO5IRZPbstE4BdfauVa4= all.rr.org. 300 IN IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ== all.rr.org. 300 IN RRSIG IPSECKEY 7 3 300 20130410115721 20130410105629 54974 all.rr.org. FwJEQzEu1pZkpnAYZc3cWCCdgVsCyserUhJVeByjaMD3oHvfSbmdIT/IbOYyTrmfSFpwcsdJ6oJ+bNEwIISzaM/puSAjT2sN5+ryoSjaqePldM2/iZdf44N21UhyH7IfxFfryhdzIHdq0jnFkaCX+Y4c76vqpHitlaUYXdv8IDI= all.rr.org. 300 IN DHCID AAIBY2/AuCccgoJbsaxcQc9TUapptP69lOjxfNuVAA2kjEA= all.rr.org. 300 IN RRSIG DHCID 7 3 300 20130410115751 20130410105629 54974 all.rr.org. ssk8jk702AJwC7tO6+b8IhgIoiSRjXDLw72EVaiwlOuNR+HV5gATb1FG3Ng/APg6wDWNEy6VRhv7pQQHm/E0gFBAzkUSfCCw/yUX0fVlw3PhC1qs0di4Id3I6sKBK7ZstNzUtoOXfqjF7xvGU60EPA4ZSDvQkCCdvO4Ok5RIdQM= all.rr.org. 300 IN SPF "v=spf1 +mx a:colo.example.com/28 -all" all.rr.org. 300 IN RRSIG SPF 7 3 300 20130410115804 20130410105629 54974 all.rr.org. HHseYzie8UWI+NPBto4pTZAKaT0V3U8iYbwsAb0WYi3MK9FJAFPM8RcUflDGMKjkA0UBEb1udIKbQfRmknK9GtifSnQupEnWhnbHEmbnJ+zAsSS6k0aZ4vgm8GGB29OTqmkETAxYH0X/0FniJw7P9LUU/KnOqs/wnNOFkMQnxgs= all.rr.org. 300 IN DLV 12345 3 1 123456789abcdef67890123456789abcdef67890 all.rr.org. 300 IN RRSIG DLV 7 3 300 20130410115749 20130410105629 54974 all.rr.org. Ddtqn8hfhSHSL9krYFfBPCDPUf6ABrrXwa/xiOzD9MrfnxaIZcGt7HZuVjj1fbXdrklacVTyDMgpLGTJHKn4TnCsgUzBvoCRrHZpCsS8eL2dCBc5EfIMjuIPM2V5/bZbCNdxji0FJQ5lebO/XlSpl51T75iAa1ntN0+RsqYb37A= lsjuf2e6mg5p2lhd4ifn9j1d0tau9v6m.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab p9idn47k3i4hl7uvrsala2cika6iqhrt NS SOA MB MG MR HINFO MINFO MX RP AFSDB X25 ISDN RT NSAP PX AAAA LOC NAPTR KX CERT SSHFP IPSECKEY RRSIG DNSKEY DHCID NSEC3PARAM SPF DLV lsjuf2e6mg5p2lhd4ifn9j1d0tau9v6m.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115739 20130410105629 54974 all.rr.org. otfOdRSrnRxCz9vGEXwFoyxplCw5ZIm8L/fAtf7LBv/uq/WBes1oJ/hGcjNbJ98upD1OSQuP8H8fyZ9+XWOQ5YCdXFnO+oASPjko1eTDWDRE4NvpHuv0G2f73nFRvQDxJKx0k/geYSHMhtpy1jliDY9jMPSbkWaTjTqO1itznYE= ;;Empty non-terminal _domainkey.all.rr.org. ap94ot77hb4828sgce8b1vviq70e9vlb.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab g2l2o193s2lss98gj7rmmktavpqfjvq8 ap94ot77hb4828sgce8b1vviq70e9vlb.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115702 20130410105629 54974 all.rr.org. IOCr90ztV18liuUpYYWwRN+wJ+aLQWTRpo7eb3vShpvDwLQFbQT9AKLQ/av3bCsmML28r5pn4czZC1MEXpTyYPbhTSBSyb8kU5DeauSOU+bjdQpgJppZ0eEQ1iKNRV7MY4mlVPa/jJ5MJuF/jjWAHRovYmgPBOanIXBBUqq3jv4= selector._domainkey.all.rr.org. 300 IN TXT "v=DKIM1; n=Use=20DKIM; p=AwEAAZfbYw8SffZwsbrCLbC+JLErREIF6Yfe9aqsa1Pz6tpGWiLxm9rSL6/YoBvNP3UWX91YDF0JMo6lhu3UIZjITvIwDhx+RJYko9vLzaaJKXGf3ygy6z+deWoZJAV1lTY0Ltx9genboe88CSCHw9aSLkh0obN9Ck8R6zAMYR19ciM/; t=s" selector._domainkey.all.rr.org. 300 IN RRSIG TXT 7 5 300 20130410115828 20130410105629 54974 all.rr.org. KT6xh9I5XLsvNxSfB469KXOv6MFRNAPBjOd25UcgMt+iaTKHzNWqW4dO3XfzJeT+/fi/zDhGsuwcBvd9Hv+vS/G5EWC9zWmkTpGtWONJcWe7sFh6JvBXKEb044vzB0fpYPRCrE3gztgJL+/hMLdo8Kie7bcK6twe4YyZoSkRz/g= g2l2o193s2lss98gj7rmmktavpqfjvq8.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab ibhek6s8u0esfnqpdrm8tuo03rgcfkjn TXT RRSIG g2l2o193s2lss98gj7rmmktavpqfjvq8.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115652 20130410105629 54974 all.rr.org. soUOUj4nUVLWpjbCTaxYP/IwZsCUxDNqEvGEhtcWu3WX24C/nn3B8AFUHgYhzoU59cbcV8KX04DknCBx14iRB6nUGISCXLTDVL2oW7235UFgJf1+SAnPzh0xiqqbMhoC+TONUTIumD8aWOc4nreRCJu6sF3A9l8B4/exFwOsluc= ;;Empty non-terminal _tcp.all.rr.org. k8gq8bbuj67kiblf6eibvia6v06bdjnt.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab kguhs2hk2v7lkk84rksoepthlhstbp3h k8gq8bbuj67kiblf6eibvia6v06bdjnt.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115715 20130410105629 54974 all.rr.org. DKWpBw4n8w4DAL8wJ0iHoKiPc6fIZz89MyVz+92ZGdBkx8+tv+7YtiEWPaTouVu76lJQn+04FphXL3eRNacCljmWgq4KDo63GJQtQPMlUcaj4dY1DL/XjW05So0pZMxpgM2Q2WhpkS7VaqmtVlrnH/dHiB9zPeKCjMVCpN7evwk= _http._tcp.all.rr.org. 300 IN SRV 0 5 80 ns1.example.com. _http._tcp.all.rr.org. 300 IN RRSIG SRV 7 5 300 20130410115722 20130410105629 54974 all.rr.org. l4TKCA0c2PodZZMspzR8UJpYxhvrSiyY7MGeQSWseRW09dj43gEiJoIlxq3AaK0lw4FDzyfWcA2CYRwL3RW2cBSfKyHp4Ubmhm91WPzlIxec9amtVkYq4WrC9h8tfblfceoNyOv48QTew1pw9a/Gah5jnw4de3XNy1PgZkh6HtM= p9idn47k3i4hl7uvrsala2cika6iqhrt.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab rdg0v236pd1v9ol0rhhft0c8a26unhvu SRV RRSIG p9idn47k3i4hl7uvrsala2cika6iqhrt.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115700 20130410105629 54974 all.rr.org. RzjxnjDsBWBSKNIxPaI9yhOWsnleFNaL6iuXPhFF6sZtH3ejL+AQsnQiQO17vBPPzb6AILiBT7MWTF3YkZASEys978HWbHWgWESZDndXypJZe115v+yaU/rKGlx16lxtLbXSDqat+rsRBZdri8L6UwULlKDmwxnNMb57bVnR21o= bar.all.rr.org. 300 IN PTR ns1.all.rr.org. bar.all.rr.org. 300 IN RRSIG PTR 7 4 300 20130410115724 20130410105629 54974 all.rr.org. hqmf6g3txmdk6PuCnQ/ve5Cp7Oyh4Iol4bXNBsyvIZDsWto2UvUq0csquD21Tpo/MIq8BPCXesQMseprR+zZBr3w5qQbQJikvwUt1mx1mqABcPJeDgIPmBeIYys71IaTNdgmKib6rB9xndpeXuBtKJ737f+B0y3avy9eTsHbRfg= 17dh4524ajdqdot2u7ouvoko5p9assdh.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab 2t74lut69cjlkdoikr2lhjnaud9prhqh PTR RRSIG 17dh4524ajdqdot2u7ouvoko5p9assdh.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115813 20130410105629 54974 all.rr.org. BvO6S1ZV58+QmFVFytvs4nRlQ43zaqgEL2/Omuyy3RXqTSSUjrX9wiyJ+ncLiITBXZYtoZHv6Xyr7U6kk/sA8CRVOHA29iyd/kr8yl+0YUEb+p05SSxH014i0AG4UXBaQbF20qGoM3hN4GJwmTHllv6eYB3svPh+27k1bWcc6CE= foo.all.rr.org. 300 IN CNAME ns1.all.rr.org. foo.all.rr.org. 300 IN RRSIG CNAME 7 4 300 20130410115632 20130410105629 54974 all.rr.org. I6BTgHmnZ5VIRywDWAKwf+k6XvuSQyWEAfED1TtK6Vrels39qo8Jc4yDoSzeorAwizNYABPTFpQZucTCkgxn75vTxFKK7aLem5opkw7uZFrGH3y3WoEp7utAtmrHYl5KtaB0u4FL9P2qfj8G2TfmnvwahHSBU4HvKxWcAFyEq/8= a2oddelqgm2q40lr53o246garr6a1lo1.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab ap94ot77hb4828sgce8b1vviq70e9vlb CNAME RRSIG a2oddelqgm2q40lr53o246garr6a1lo1.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115735 20130410105629 54974 all.rr.org. OiYcHnhPg+Y4uA/lNC4SpO/wIPNYxv2AgQDAhDZZTHwEop99sWaTPWTo+l+Eu8gKswB2FRjEgY8kGuTfwSJjXibFuXSTwDs6xQdZfCmIatHnFPuSTV7WUub2L7ry03w6hnL31WzEnIHMESglKw3Wny2QHPfxpm+BArDryQ5lhOc= frobozz.all.rr.org. 300 IN DNAME frobozz-division.acme.example. frobozz.all.rr.org. 300 IN RRSIG DNAME 7 4 300 20130410115653 20130410105629 54974 all.rr.org. Q7y8w/y7BzLtzMI6eTlFj4TqbFfRhHUJMRsj5uY0TFESrHzIdxjanZebsvcfXSwA9KCadXx7jQdmAHtS1eNeuIZrAidQFeu2PWJJ5O/yGbswrmeNlcF46Mwz7qCKa3MzY5//liHZWbvZDM5o2w25+O6pkt2ICkkhlk4DcmcSSaI= rdg0v236pd1v9ol0rhhft0c8a26unhvu.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab 17dh4524ajdqdot2u7ouvoko5p9assdh DNAME RRSIG rdg0v236pd1v9ol0rhhft0c8a26unhvu.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115820 20130410105629 54974 all.rr.org. uOVkY3yt9Lkws8Q/CnWB+T3gO3jgOubKyxL5p8P/0ehX5PoxEs5PQ8/IzLHSX9gkRW6ZZS4veb9Q5PChayVbYcJj7Hla06b/rBvYC7vwxlw66dhKfx1Hd6DwVPrNWz8P4OrIMmIafpmCw+iILMIE2mPMfidn8MDgS0e2qSR3pOA= helium.all.rr.org. 300 IN HINFO "Shuttle-ST61G4 Intel PIV3000" "FreeBSD 7.0-STABLE" helium.all.rr.org. 300 IN RRSIG HINFO 7 4 300 20130410115658 20130410105629 54974 all.rr.org. qFTZmZu71gTIEN9M1ShvWq+xyqGniMreuq2y6weYsSZCy32IQlFHuw8IBgkeqnrgToFFvC8ZQPC+gUp5jyN8WfTKmQLPdJJyuDQhiybQdPQgxA0mg/RYlQiTjVnzZkDkPAymYee4qBxk/gGhJcwGkHVJLZJRc79ydwhmoUVolwQ= kguhs2hk2v7lkk84rksoepthlhstbp3h.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab lsjuf2e6mg5p2lhd4ifn9j1d0tau9v6m HINFO RRSIG kguhs2hk2v7lkk84rksoepthlhstbp3h.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115706 20130410105629 54974 all.rr.org. fYKJ/LZ3dvudYeP6fT+NjTwAdJX3OaYJQ8Ty4zDvnwizhV3usQdgkjL/UoSLUBRCFj9Y4x4C5ZZ+3Z6YSvkTO8vceFwoUl7QNwMKg4/R1yBte9GcH7BesMpG2QTovnXc1CEha4XHTWsGEjrFj1WOmz5kKruImykv0ILlbIjy37w= ns1.all.rr.org. 300 IN A 10.1.0.52 ns1.all.rr.org. 300 IN RRSIG A 7 4 300 20130410115651 20130410105629 54974 all.rr.org. tI8y5xo0zsUSeeh0ZJUuWr2xvbEtN5B5TFMwmOHOU70TNjcBLC1LE+2M9wtjn09mLphY84+YHzAH7PcpJByIwbstWAkHdjzjRpvQYg1UoeA6m/5hypTAU+7UWO99i4ccPKd7pM686zlQNBeDBdoQHVVDutQeXsXJ+BqchraKN2M= 2t74lut69cjlkdoikr2lhjnaud9prhqh.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab a2oddelqgm2q40lr53o246garr6a1lo1 A RRSIG 2t74lut69cjlkdoikr2lhjnaud9prhqh.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115819 20130410105629 54974 all.rr.org. TVwpq/lVeLnHws9G0N4/ksa7xwWjQA5o0OBy/FIdGLZutp9crtQVRlk/03Bzfv2t0BiqIb/PrZtScvG+3X0Wm8JqjYod/akHtrMlpPx/mPE7d6dMpyU2cOSeYrfge4T1VuCHTmjdweo/Hl3JrwEF7fmr18b+RdiD+dS4IIV9QCk= sub.all.rr.org. 300 IN DS 12345 3 1 123456789abcdef67890123456789abcdef67890 sub.all.rr.org. 300 IN RRSIG DS 7 4 300 20130410115708 20130410105629 54974 all.rr.org. YPFdLZvdgZFp49p66slbZF/xp6D4Jm64NCR5ADl3D0OXs8nB64eh78IPIRJb8T55ob70FCSaW7zgBXSVrAeIYDEBHXXYYtaU45uuAtJeDLbo27j1FaSPiXERduc/01nARQOcGrEKRHMOw7rnihizFlfyCS4EWhyh5RX3NP0bLcg= ibhek6s8u0esfnqpdrm8tuo03rgcfkjn.all.rr.org. 300 IN NSEC3 1 1 5 dfe3a4ef6152d5ab k8gq8bbuj67kiblf6eibvia6v06bdjnt DS RRSIG ibhek6s8u0esfnqpdrm8tuo03rgcfkjn.all.rr.org. 300 IN RRSIG NSEC3 7 4 300 20130410115706 20130410105629 54974 all.rr.org. DWDO17UjzuSJCovz7w3vjRfQZR4qqr7qbOUCdcrkni4FnjU5PpF6+B7+dWUBHKwHf9jcH6QBElELoiYwAEuTZ3CZ8ofKNfvWCrekKEr3gUHSbL2Qh0tS3dZrYYm5WzpkZBZZqorjgVX1iAbOYx3KbhvsEBhFB6YSVLKpyXb9KiA= t/issues/nsec-chain/000077500000000000000000000000001265465626700146675ustar00rootroot00000000000000t/issues/nsec-chain/Kexample.com.+010+35615.key000066400000000000000000000011371265465626700207570ustar00rootroot00000000000000; This is a zone-signing key, keyid 35615, for example.com. ; Created: 20130219194149 (Tue Feb 19 20:41:49 2013) ; Publish: 20130219194149 (Tue Feb 19 20:41:49 2013) ; Activate: 20130219194149 (Tue Feb 19 20:41:49 2013) example.com. IN DNSKEY 256 3 10 AwEAAeYgLpfBmR2u+z7sm3aMjWVTGcfvLFIFBQ3zvplCeVrKPlEi0lN0 FzjLRPHKsQF22TnSFxjsu9DKGxj50f7sX9PsaZNRvOYXdVdnrh5YIJgu 5BcsTtpX+npQAAAqUC0nX+m3jJkvSvdWjtRIYF3ErHiCRam6rMDFGSA9 IupK+Z7TJfz/JRYxObYFoOZysVbTELPQjp+hk3QdSBDiYs5q2KaxFYz9 r18BlMUMmUwVNEDTisiF29iju44qn+pcqcRSUM1Fmse9CSjawltXhA0B /WbhYDQ2kiKO5UQS4Qip3C0sA3KECirCMcJbXEoaIHzXOrkNGJbaCq0b oHdytjdQSUM= t/issues/nsec-chain/Kexample.com.+010+35615.private000066400000000000000000000033611265465626700216420ustar00rootroot00000000000000Private-key-format: v1.3 Algorithm: 10 (RSASHA512) Modulus: 5iAul8GZHa77PuybdoyNZVMZx+8sUgUFDfO+mUJ5Wso+USLSU3QXOMtE8cqxAXbZOdIXGOy70MobGPnR/uxf0+xpk1G85hd1V2euHlggmC7kFyxO2lf6elAAACpQLSdf6beMmS9K91aO1EhgXcSseIJFqbqswMUZID0i6kr5ntMl/P8lFjE5tgWg5nKxVtMQs9COn6GTdB1IEOJizmrYprEVjP2vXwGUxQyZTBU0QNOKyIXb2KO7jiqf6lypxFJQzUWax70JKNrCW1eEDQH9ZuFgNDaSIo7lRBLhCKncLSwDcoQKKsIxwltcShogfNc6uQ0YltoKrRugd3K2N1BJQw== PublicExponent: AQAB PrivateExponent: JBU/uQPeIk1hj8hByCDZut2A2VyjMmkfFcT2ScmmhZnYk5hGKle1nG4i7Va+0l/0R6Cthnb4LBDElvH0/2fIzs3u7+6NE/bxqzbSkmd3FOWlVgzYgFvzJmKM3XnFAI9/9oGVRh+oPYgQ9TA0C//emzax/Z8Ln15IRknPw7Tl1wUwfAhUf9FR1FZ1oaD3hKuWx7jsvHCkKAtXoOlmTTBnTRAfVrlWdEONuln/iJuIEkuiTAD5m3jmiMljF1clTb/cczSPZhqPwlx9bqpj8cyePavrrJDIC2aseqs+E9t9oKeDj0Oi7/X083+7AX/XjcD05GohbgLeCAExH98gkB5OIQ== Prime1: 9iaC0LohyI7f4v4F1vwc+mVkeYvg6P7+3h3oC3R8iaE2sAwEFuDEmXXgbhkzvZiUbjGVzaGAj1HcbYzbrYCGsbx+8qWCCHW6e3/5sL7yoflsLF7y4XU7FVl9hsJSRcqkTEHwA1mRFpmy4kBkpzsBbfmNPnqJYIoGwS3lmr58rp0= Prime2: 71WEyVg6cxrInrciL9Ae7qm1ab7RF9sSqdF4UWhQDYPZJ0BimNoQsAa76o+UBM/Qld9NMBXKu8no2ydWnkXb6LraUpFkAxF89MRAkCLlzV6n5ABmwGrLGIcKUp/J2T8Gw3ojxClcCEnskx5295K86835FGbx/xEQdaHVpDXKYV8= Exponent1: NlU11uDfCCgRX0d2/odT1il/Th0EHin7FAhB6hViT/bX3XApjus6Oi18xpCljRoa2V/0kxktCXWmVEAdVWTjVmQnGWRTGY7zBMOw18SuRfaKXBjxP7bivcmtHYvTITijn3mGgxbIIdb3V12jWg56OE43US03Gaod55I79jZJyzk= Exponent2: XwePz/qOSsHpwstocZ+riIwuEizIDTbZNECOC5TlpFgj0ygHfjWnxp0F5F7aIQb7BWdC2MLuWp4TLWFzTSjj5oa6xWohUe6RtQZvtEuG/4KEG03lfqVouvZzrNbxaKdT4i4PIYZimo/vtYK1Lhw/k0mXivhNQj/eTzbRA4CwOPU= Coefficient: AdcUDb/gzCkVid24q5fusFX1qzilGI4BDA9VVvf6XICZWHX3p8L3GB4H/KFNokHLFJtbAVLsi5T/glxyH+eRlfkQMg6EmgsOgTBpiOp3/VzO182qR8gHeVEYSUoRXLYo9UhtGdUF290YBYbhwjJkLEIfYe/lhfwMlzN9va3EUXw= Created: 20130219194149 Publish: 20130219194149 Activate: 20130219194149 t/issues/nsec-chain/dsset-example.com.000066400000000000000000000002511265465626700202160ustar00rootroot00000000000000example.com. IN DS 35615 10 1 5293F83B0138B06E62542BF8D41C7AC4176BB08E example.com. IN DS 35615 10 2 B5995969441CEEA4C2114AAE50C40D730B65CFCDB76545AD02F73177 E8BD1A8F t/issues/nsec-chain/example.com000066400000000000000000000010351265465626700170210ustar00rootroot00000000000000$TTL 1d $INCLUDE Kexample.com.+010+35615.key @ IN SOA ns.example.com. hostmaster.example.com. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL IN NS ns1.example.net. domain1 IN NS ns1.example.net. IN DS 2629 8 1 422D2A1FEADD36337C719964637CA08EB4C6BECB t/issues/nsec-chain/example.com.signed000066400000000000000000000076341265465626700203040ustar00rootroot00000000000000; File written on Tue Feb 19 20:42:21 2013 ; dnssec_signzone version 9.8.3-P4 example.com. 86400 IN SOA ns.example.com. hostmaster.example.com. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 10 2 86400 20130321184221 ( 20130219184221 35615 example.com. fSRKU+K9f0tGSpUVNFtQc0TBufHSMhQ4yWZX fv1+osKrMVHxfluIwlYa5ExqFBvf2EwVvruF 2gk3KGR9WtM62Ub+MsBCRZCZeIrfEZ5tWPRf UHSbi7WwOD7ELQw6yeZLiG+8BRZSove8txHC N0GqaB3FeFRg1BRnErsmutfG/TvNS2ihjeTw IIjELjcHbe79tsvD+JIzSHghWt0b+7dHpD5A Z0mNAhBSgRwtwb2BtrLwJhtRX+spPlM6iy87 6pfADRZQCzAlv4aridie5pQzFG15FLyyfvbF 5/YtMZjuAaBNf+2KqhZbGWQFuPLB9C30Vqa0 qQ7o10OAn3QQGHE+iA== ) 86400 NS ns1.example.net. 86400 RRSIG NS 10 2 86400 20130321184221 ( 20130219184221 35615 example.com. B3H3TYnpWgpc4cqIS79F/GSxSrUTaDdJEtVj Ps4fj0ETKrjBxIkq8r36/srAD72VK8nGuVvW aC90q6hy+T5oRjnDGke8XcOZLTeSsdqSiElL DgEFhKhL80Sxr9sMd2V+N7KzSLlPKsYtAW+O 5ktr/21CSzE0lhDI8b/GO8Hjs9gZwyMzLzlx j3kVtMlsul5aJrCA2WtdKEBXTiFrhr4FU+hY moe3uwrUNR6MHhb+l1IVo2yKCDBD7ZZ1ToGz dl2XuHEWiuOKiUAizTcpnWbdMWzSJMkrKx1/ gXdAq1q1t8VIi9WJs4XyKEDuJG0Ep8BeUTmE 4QbwLrOe1Tabell4eQ== ) 604800 NSEC domain1.example.com. NS SOA RRSIG NSEC DNSKEY 604800 RRSIG NSEC 10 2 604800 20130321184221 ( 20130219184221 35615 example.com. fi1kPn544HwVk3M/BhM0g2oyLrRj6XfS+r14 qbVtMtT4s9Nk7hmtKlqCjSvPRl+ichW9cGRn pfYC6cDkKb6VX6RUqtCfN+A1s+f9iX/TPCkY mo4FgxioOG6ZUNBxsbgYsBjM08VwtOf+4VZV P+NvRpbMvmNRJux2Ftba+wB0GA4Bl/x1jx5R O4EI8/hENXxnc+ak/eJdBRy7yDFgBMVvp2ZI 8nt353uXhq+C/HpB8CmQO290GpUStpQlQ9aW e5usfRplUfHLSvF+YfJGBV+7WxfQa7REIdXw 7wmbHdS0iy4XtyGXVs9/cFipP5l82skYl4zb YZol9Opb28njTmdxtg== ) 86400 DNSKEY 256 3 10 ( AwEAAeYgLpfBmR2u+z7sm3aMjWVTGcfvLFIF BQ3zvplCeVrKPlEi0lN0FzjLRPHKsQF22TnS Fxjsu9DKGxj50f7sX9PsaZNRvOYXdVdnrh5Y IJgu5BcsTtpX+npQAAAqUC0nX+m3jJkvSvdW jtRIYF3ErHiCRam6rMDFGSA9IupK+Z7TJfz/ JRYxObYFoOZysVbTELPQjp+hk3QdSBDiYs5q 2KaxFYz9r18BlMUMmUwVNEDTisiF29iju44q n+pcqcRSUM1Fmse9CSjawltXhA0B/WbhYDQ2 kiKO5UQS4Qip3C0sA3KECirCMcJbXEoaIHzX OrkNGJbaCq0boHdytjdQSUM= ) ; key id = 35615 86400 RRSIG DNSKEY 10 2 86400 20130321184221 ( 20130219184221 35615 example.com. Qx8EkBJQK08TIY9Ftt974UC788Nof2zwmCZM 203uXl/Pm6iDN/FgEigcl2IvtuhxrWiEvNJD dINpepPOkusX9apzG1pSs5rMj8RBxhEv60i1 OfBeC7F/jU6CY6f7JvQ+ULPwvQ2e3/r8P3jY 4ErC2rsxSJpAzKkWUWokNIS9e2VJA8FCpJCI oJbesCGXH7ydDFZ+x6+z60xGRIhK2/MoCzGu WbLRHww77y4q1ePC7v35hh4uoMPTwbtaD1P6 pw3ELhXuHMlh+A/K5v7gVfZWYEFipe/r2YhM dbjGdB9/ZTTiQddFBVll7G4EqhSqTA7+elTV RB9EkLCRntIpYCh9BQ== ) domain1.example.com. 86400 IN NS ns1.example.net. 86400 DS 2629 8 1 ( 422D2A1FEADD36337C719964637CA08EB4C6 BECB ) 86400 RRSIG DS 10 3 86400 20130321184221 ( 20130219184221 35615 example.com. cv4HDaasJ4SKii6DPbfHf+rRy/i4WBxRo4Uz 84B5Ta4tB5LaJF69c8T10mPC4jnwIFvcJ+1G h07mQZdt1FyPLMJM4lOEj9Nj+mKEtf25lRtT 58Rph6n95wwanRvuELtUEjeU+F7vMyCj2aFw NLXHIvyWvtbPCJOrSfyB7TPH+sIltOoMCziF 0kHHiMrVqV9CE8hjq5MgdbyZ2/LdF7vYNza3 btNmSJY0WpmoTyoHu9+bMQQdAKHfUx9u+MPJ jbF77yqBIzEkbV1j4eeQ5NLA6YlXmowuhhxF 8U+dko4h7TRxkmq0ih5XQJVoKnih76Dj7p/2 oHYE204X16iJXqKXLQ== ) 604800 NSEC example.com. NS DS RRSIG NSEC 604800 RRSIG NSEC 10 3 604800 20130321184221 ( 20130219184221 35615 example.com. WWg7EiYoY8Hp593I2i5Mkl2ezg7YuAnq0y75 oymTCuEfGwh4OxbMT/mWNqAFL5Y8f0YoQOOY wZP0m/sGK/EJN7ulNsfQyULY4WsyHIGlKMwT KdyDXJLrmrzlmRnGv7pFb0bo53n3osE0uFfH yMQYOkQRYfqa4yWXF9Nl48dy67frtVih0foy 9Mm76mmJSDUd/jGsYQmaoFGVU/a64rWapVQ9 O/mXPqr6Pw2ZCHecsF4ElMEp41YqG1DfR5QR khTjvTlg4aTKvgX1YuvDhjUygSHit47xn2NC 2WwEZF+vYXT9DIUCMcKdVeb4bjWwUXbWNFqz Ca3jb/mpOpUDFnrRPw== ) t/issues/nsec-chain/example.com.signed-without-first-nsec000066400000000000000000000065601265465626700240550ustar00rootroot00000000000000; File written on Tue Feb 19 20:42:21 2013 ; dnssec_signzone version 9.8.3-P4 example.com. 86400 IN SOA ns.example.com. hostmaster.example.com. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 10 2 86400 20130321184221 ( 20130219184221 35615 example.com. fSRKU+K9f0tGSpUVNFtQc0TBufHSMhQ4yWZX fv1+osKrMVHxfluIwlYa5ExqFBvf2EwVvruF 2gk3KGR9WtM62Ub+MsBCRZCZeIrfEZ5tWPRf UHSbi7WwOD7ELQw6yeZLiG+8BRZSove8txHC N0GqaB3FeFRg1BRnErsmutfG/TvNS2ihjeTw IIjELjcHbe79tsvD+JIzSHghWt0b+7dHpD5A Z0mNAhBSgRwtwb2BtrLwJhtRX+spPlM6iy87 6pfADRZQCzAlv4aridie5pQzFG15FLyyfvbF 5/YtMZjuAaBNf+2KqhZbGWQFuPLB9C30Vqa0 qQ7o10OAn3QQGHE+iA== ) 86400 NS ns1.example.net. 86400 RRSIG NS 10 2 86400 20130321184221 ( 20130219184221 35615 example.com. B3H3TYnpWgpc4cqIS79F/GSxSrUTaDdJEtVj Ps4fj0ETKrjBxIkq8r36/srAD72VK8nGuVvW aC90q6hy+T5oRjnDGke8XcOZLTeSsdqSiElL DgEFhKhL80Sxr9sMd2V+N7KzSLlPKsYtAW+O 5ktr/21CSzE0lhDI8b/GO8Hjs9gZwyMzLzlx j3kVtMlsul5aJrCA2WtdKEBXTiFrhr4FU+hY moe3uwrUNR6MHhb+l1IVo2yKCDBD7ZZ1ToGz dl2XuHEWiuOKiUAizTcpnWbdMWzSJMkrKx1/ gXdAq1q1t8VIi9WJs4XyKEDuJG0Ep8BeUTmE 4QbwLrOe1Tabell4eQ== ) 86400 DNSKEY 256 3 10 ( AwEAAeYgLpfBmR2u+z7sm3aMjWVTGcfvLFIF BQ3zvplCeVrKPlEi0lN0FzjLRPHKsQF22TnS Fxjsu9DKGxj50f7sX9PsaZNRvOYXdVdnrh5Y IJgu5BcsTtpX+npQAAAqUC0nX+m3jJkvSvdW jtRIYF3ErHiCRam6rMDFGSA9IupK+Z7TJfz/ JRYxObYFoOZysVbTELPQjp+hk3QdSBDiYs5q 2KaxFYz9r18BlMUMmUwVNEDTisiF29iju44q n+pcqcRSUM1Fmse9CSjawltXhA0B/WbhYDQ2 kiKO5UQS4Qip3C0sA3KECirCMcJbXEoaIHzX OrkNGJbaCq0boHdytjdQSUM= ) ; key id = 35615 86400 RRSIG DNSKEY 10 2 86400 20130321184221 ( 20130219184221 35615 example.com. Qx8EkBJQK08TIY9Ftt974UC788Nof2zwmCZM 203uXl/Pm6iDN/FgEigcl2IvtuhxrWiEvNJD dINpepPOkusX9apzG1pSs5rMj8RBxhEv60i1 OfBeC7F/jU6CY6f7JvQ+ULPwvQ2e3/r8P3jY 4ErC2rsxSJpAzKkWUWokNIS9e2VJA8FCpJCI oJbesCGXH7ydDFZ+x6+z60xGRIhK2/MoCzGu WbLRHww77y4q1ePC7v35hh4uoMPTwbtaD1P6 pw3ELhXuHMlh+A/K5v7gVfZWYEFipe/r2YhM dbjGdB9/ZTTiQddFBVll7G4EqhSqTA7+elTV RB9EkLCRntIpYCh9BQ== ) domain1.example.com. 86400 IN NS ns1.example.net. 86400 DS 2629 8 1 ( 422D2A1FEADD36337C719964637CA08EB4C6 BECB ) 86400 RRSIG DS 10 3 86400 20130321184221 ( 20130219184221 35615 example.com. cv4HDaasJ4SKii6DPbfHf+rRy/i4WBxRo4Uz 84B5Ta4tB5LaJF69c8T10mPC4jnwIFvcJ+1G h07mQZdt1FyPLMJM4lOEj9Nj+mKEtf25lRtT 58Rph6n95wwanRvuELtUEjeU+F7vMyCj2aFw NLXHIvyWvtbPCJOrSfyB7TPH+sIltOoMCziF 0kHHiMrVqV9CE8hjq5MgdbyZ2/LdF7vYNza3 btNmSJY0WpmoTyoHu9+bMQQdAKHfUx9u+MPJ jbF77yqBIzEkbV1j4eeQ5NLA6YlXmowuhhxF 8U+dko4h7TRxkmq0ih5XQJVoKnih76Dj7p/2 oHYE204X16iJXqKXLQ== ) 604800 NSEC example.com. NS DS RRSIG NSEC 604800 RRSIG NSEC 10 3 604800 20130321184221 ( 20130219184221 35615 example.com. WWg7EiYoY8Hp593I2i5Mkl2ezg7YuAnq0y75 oymTCuEfGwh4OxbMT/mWNqAFL5Y8f0YoQOOY wZP0m/sGK/EJN7ulNsfQyULY4WsyHIGlKMwT KdyDXJLrmrzlmRnGv7pFb0bo53n3osE0uFfH yMQYOkQRYfqa4yWXF9Nl48dy67frtVih0foy 9Mm76mmJSDUd/jGsYQmaoFGVU/a64rWapVQ9 O/mXPqr6Pw2ZCHecsF4ElMEp41YqG1DfR5QR khTjvTlg4aTKvgX1YuvDhjUygSHit47xn2NC 2WwEZF+vYXT9DIUCMcKdVeb4bjWwUXbWNFqz Ca3jb/mpOpUDFnrRPw== ) t/issues/nsec-chain/example.com.signed-without-last-nsec000066400000000000000000000066001265465626700236640ustar00rootroot00000000000000; File written on Tue Feb 19 20:42:21 2013 ; dnssec_signzone version 9.8.3-P4 example.com. 86400 IN SOA ns.example.com. hostmaster.example.com. ( 1 ; serial 604800 ; refresh (1 week) 86400 ; retry (1 day) 2419200 ; expire (4 weeks) 604800 ; minimum (1 week) ) 86400 RRSIG SOA 10 2 86400 20130321184221 ( 20130219184221 35615 example.com. fSRKU+K9f0tGSpUVNFtQc0TBufHSMhQ4yWZX fv1+osKrMVHxfluIwlYa5ExqFBvf2EwVvruF 2gk3KGR9WtM62Ub+MsBCRZCZeIrfEZ5tWPRf UHSbi7WwOD7ELQw6yeZLiG+8BRZSove8txHC N0GqaB3FeFRg1BRnErsmutfG/TvNS2ihjeTw IIjELjcHbe79tsvD+JIzSHghWt0b+7dHpD5A Z0mNAhBSgRwtwb2BtrLwJhtRX+spPlM6iy87 6pfADRZQCzAlv4aridie5pQzFG15FLyyfvbF 5/YtMZjuAaBNf+2KqhZbGWQFuPLB9C30Vqa0 qQ7o10OAn3QQGHE+iA== ) 86400 NS ns1.example.net. 86400 RRSIG NS 10 2 86400 20130321184221 ( 20130219184221 35615 example.com. B3H3TYnpWgpc4cqIS79F/GSxSrUTaDdJEtVj Ps4fj0ETKrjBxIkq8r36/srAD72VK8nGuVvW aC90q6hy+T5oRjnDGke8XcOZLTeSsdqSiElL DgEFhKhL80Sxr9sMd2V+N7KzSLlPKsYtAW+O 5ktr/21CSzE0lhDI8b/GO8Hjs9gZwyMzLzlx j3kVtMlsul5aJrCA2WtdKEBXTiFrhr4FU+hY moe3uwrUNR6MHhb+l1IVo2yKCDBD7ZZ1ToGz dl2XuHEWiuOKiUAizTcpnWbdMWzSJMkrKx1/ gXdAq1q1t8VIi9WJs4XyKEDuJG0Ep8BeUTmE 4QbwLrOe1Tabell4eQ== ) 604800 NSEC domain1.example.com. NS SOA RRSIG NSEC DNSKEY 604800 RRSIG NSEC 10 2 604800 20130321184221 ( 20130219184221 35615 example.com. fi1kPn544HwVk3M/BhM0g2oyLrRj6XfS+r14 qbVtMtT4s9Nk7hmtKlqCjSvPRl+ichW9cGRn pfYC6cDkKb6VX6RUqtCfN+A1s+f9iX/TPCkY mo4FgxioOG6ZUNBxsbgYsBjM08VwtOf+4VZV P+NvRpbMvmNRJux2Ftba+wB0GA4Bl/x1jx5R O4EI8/hENXxnc+ak/eJdBRy7yDFgBMVvp2ZI 8nt353uXhq+C/HpB8CmQO290GpUStpQlQ9aW e5usfRplUfHLSvF+YfJGBV+7WxfQa7REIdXw 7wmbHdS0iy4XtyGXVs9/cFipP5l82skYl4zb YZol9Opb28njTmdxtg== ) 86400 DNSKEY 256 3 10 ( AwEAAeYgLpfBmR2u+z7sm3aMjWVTGcfvLFIF BQ3zvplCeVrKPlEi0lN0FzjLRPHKsQF22TnS Fxjsu9DKGxj50f7sX9PsaZNRvOYXdVdnrh5Y IJgu5BcsTtpX+npQAAAqUC0nX+m3jJkvSvdW jtRIYF3ErHiCRam6rMDFGSA9IupK+Z7TJfz/ JRYxObYFoOZysVbTELPQjp+hk3QdSBDiYs5q 2KaxFYz9r18BlMUMmUwVNEDTisiF29iju44q n+pcqcRSUM1Fmse9CSjawltXhA0B/WbhYDQ2 kiKO5UQS4Qip3C0sA3KECirCMcJbXEoaIHzX OrkNGJbaCq0boHdytjdQSUM= ) ; key id = 35615 86400 RRSIG DNSKEY 10 2 86400 20130321184221 ( 20130219184221 35615 example.com. Qx8EkBJQK08TIY9Ftt974UC788Nof2zwmCZM 203uXl/Pm6iDN/FgEigcl2IvtuhxrWiEvNJD dINpepPOkusX9apzG1pSs5rMj8RBxhEv60i1 OfBeC7F/jU6CY6f7JvQ+ULPwvQ2e3/r8P3jY 4ErC2rsxSJpAzKkWUWokNIS9e2VJA8FCpJCI oJbesCGXH7ydDFZ+x6+z60xGRIhK2/MoCzGu WbLRHww77y4q1ePC7v35hh4uoMPTwbtaD1P6 pw3ELhXuHMlh+A/K5v7gVfZWYEFipe/r2YhM dbjGdB9/ZTTiQddFBVll7G4EqhSqTA7+elTV RB9EkLCRntIpYCh9BQ== ) domain1.example.com. 86400 IN NS ns1.example.net. 86400 DS 2629 8 1 ( 422D2A1FEADD36337C719964637CA08EB4C6 BECB ) 86400 RRSIG DS 10 3 86400 20130321184221 ( 20130219184221 35615 example.com. cv4HDaasJ4SKii6DPbfHf+rRy/i4WBxRo4Uz 84B5Ta4tB5LaJF69c8T10mPC4jnwIFvcJ+1G h07mQZdt1FyPLMJM4lOEj9Nj+mKEtf25lRtT 58Rph6n95wwanRvuELtUEjeU+F7vMyCj2aFw NLXHIvyWvtbPCJOrSfyB7TPH+sIltOoMCziF 0kHHiMrVqV9CE8hjq5MgdbyZ2/LdF7vYNza3 btNmSJY0WpmoTyoHu9+bMQQdAKHfUx9u+MPJ jbF77yqBIzEkbV1j4eeQ5NLA6YlXmowuhhxF 8U+dko4h7TRxkmq0ih5XQJVoKnih76Dj7p/2 oHYE204X16iJXqKXLQ== ) t/test.pl000066400000000000000000000437341265465626700126730ustar00rootroot00000000000000#! /usr/bin/perl use 5.006; use strict; use warnings; use Test::More; BEGIN { use_ok("Test::Command::Simple"); } unless (*run{CODE}) { done_testing; exit(0); } my @e; for my $threads ("", qw(-n2 -n4 -n6 -n8)) { my @threads; push @threads, $threads if $threads; run('./validns', @threads, 't/zones/galaxyplus.org'); is(rc, 0, 'valid zone parses ok'); run('./validns', @threads, '-t1381239017', 't/zones/example.sec.signed'); is(rc, 0, 'valid signed zone parses ok'); run('./validns', @threads, '-t1303720010', 't/zones/example.sec.signed'); isnt(rc, 0, 'valid signed zone with timestamps in the future'); @e = split /\n/, stderr; like(shift @e, qr/signature is too new/, "signature is too new"); run('./validns', @threads, '-t1421410832', 't/zones/example.sec.signed'); isnt(rc, 0, 'valid signed zone with timestamps in the past'); @e = split /\n/, stderr; like(shift @e, qr/signature is too old/, "signature is too old"); run('./validns', @threads, '-s', '-pall', 't/zones/manyerrors.zone'); isnt(rc, 0, 'bad zone returns an error'); @e = split /\n/, stderr; # main.c like(shift @e, qr/unrecognized directive: \$FUNNYDIRECTIVE/, "unrecognized directive 1"); like(shift @e, qr/unrecognized directive: \$ORIGINBUTNOTREALLY/, "unrecognized directive 2"); like(shift @e, qr/bad \$ORIGIN format/, "not really an origin"); like(shift @e, qr/\$ORIGIN value expected/, "empty origin"); like(shift @e, qr/garbage after valid \$ORIGIN/, "bad origin"); like(shift @e, qr/unrecognized directive: \$TTLAST/, "unrecognized directive 3"); like(shift @e, qr/bad \$TTL format/, "not really a TTL"); like(shift @e, qr/\$TTL value expected/, "empty TTL"); like(shift @e, qr/\$TTL value expected/, "funny TTL"); like(shift @e, qr/\$TTL value is not valid/, "bad TTL"); like(shift @e, qr/\$TTL value is not valid/, "bad TTL take 2"); like(shift @e, qr/garbage after valid \$TTL/, "bad TTL take 3"); like(shift @e, qr/unrecognized directive: \$INCLUDESSIMO/, "unrecognized directive 4"); like(shift @e, qr/bad \$INCLUDE format/, "not really an include"); like(shift @e, qr/unrecognized directive: \$/, "unrecognized directive 5"); like(shift @e, qr/unrecognized directive: \$/, "unrecognized directive 6"); # TODO once INCLUDE is implemented, add more tests ## TODO continue main.c at "cannot assume previous name" like(shift @e, qr/class or type expected/, "nonsense line"); like(shift @e, qr/the first record in the zone must be an SOA record/, "non-SOA 1"); like(shift @e, qr/the first record in the zone must be an SOA record/, "non-SOA 2"); like(shift @e, qr/serial is out of range/, "out of range serial"); like(shift @e, qr/there could only be one SOA in a zone/, "another SOA"); like(shift @e, qr/name server domain name expected/, "empty NS"); like(shift @e, qr/garbage after valid NS/, "bad NS"); like(shift @e, qr/IPv4 address is not valid/, "empty A"); like(shift @e, qr/garbage after valid A data/, "bad A"); like(shift @e, qr/cannot parse IPv4 address/, "bad A IP"); like(shift @e, qr/IPv4 address is not valid/, "not an IP in A"); like(shift @e, qr/IPv6 address is not valid/, "empty AAAA"); like(shift @e, qr/garbage after valid AAAA data/, "bad AAAA"); like(shift @e, qr/IPv6 address is not valid/, "bad AAAA IP"); like(shift @e, qr/IPv6 address is not valid/, "not an IP in AAAA"); like(shift @e, qr/MX preference expected/, "empty MX"); like(shift @e, qr/MX exchange expected/, "MX without exchange"); like(shift @e, qr/garbage after valid MX data/, "bad MX"); like(shift @e, qr/bad SHA-256 hash length/, "TLSA SHA-256"); like(shift @e, qr/bad SHA-512 hash length/, "TLSA SHA-512"); like(shift @e, qr/certificate association data: hex data does not represent whole number of bytes/, "TLSA nibbles"); like(shift @e, qr/bad certificate usage field/, "TLSA certificate usage"); like(shift @e, qr/TTL is not valid/, "TLSA certificate usage fallout"); like(shift @e, qr/certificate usage field expected/, "TLSA certificate usage"); like(shift @e, qr/TTL is not valid/, "TLSA certificate usage fallout"); like(shift @e, qr/bad selector field/, "TLSA selector"); like(shift @e, qr/TTL is not valid/, "TLSA selector fallout"); like(shift @e, qr/selector field expected/, "TLSA selector"); like(shift @e, qr/TTL is not valid/, "TLSA selector fallout"); like(shift @e, qr/bad matching type field/, "TLSA matching type"); like(shift @e, qr/TTL is not valid/, "TLSA matching type fallout"); like(shift @e, qr/matching type field expected/, "TLSA matching type"); like(shift @e, qr/TTL is not valid/, "TLSA matching type fallout"); like(shift @e, qr/outside.org. does not belong to zone galaxyplus.org./, "outsider"); like(shift @e, qr/long.outside.org. does not belong to zone galaxyplus.org./, "long outsider"); like(shift @e, qr/outsidegalaxyplus.org. does not belong to zone galaxyplus.org./, "tricky outsider"); like(shift @e, qr/bad algorithm 177/, "bad CERT algorithm"); like(shift @e, qr/bad or unsupported algorithm meow/, "bad CERT algorithm mnemonic"); like(shift @e, qr/bad certificate type 100000/, "bad CERT type"); like(shift @e, qr/is reserved by IANA/, "reserved CERT type"); like(shift @e, qr/certificate type 700 is unassigned/, "unassigned CERT type"); like(shift @e, qr/bad certificate type meow/, "bad CERT type"); like(shift @e, qr/bad key tag/, "bad key tag"); like(shift @e, qr/certificate expected/, "bad base64"); like(shift @e, qr/there could only be one SOA in a zone/, "another SOA at the end"); like(shift @e, qr/record name is not valid/, "wildcard is the middle"); like(shift @e, qr/record name: bad wildcard/, "bad wildcard"); like(shift @e, qr/name cannot start with a dot/, "dot-something"); like(shift @e, qr/name cannot start with a dot/, "dot-dot"); like(shift @e, qr/garbage after valid DNAME data/, "DNAME garbage"); ## actual validations done after parsing like(shift @e, qr/CNAME and other data/, "CNAME+CNAME"); like(shift @e, qr/CNAME and other data/, "CNAME+something else"); like(shift @e, qr/there should be at least two NS records/, "NS limit"); like(shift @e, qr/not a proper prefixed DNS domain name/, "TLSA host 1"); like(shift @e, qr/not a proper prefixed DNS domain name/, "TLSA host 2"); like(shift @e, qr/TTL values differ within an RR set/, "TTL conflict"); like(shift @e, qr/multiple DNAMEs/, "Multiple DNAMEs"); like(shift @e, qr/DNAME must not have any children \(but something.zzzz3.galaxyplus.org. exists\)/, "DNAME with children"); like(shift @e, qr/CNAME and other data/, "DNAME+CNAME"); like(shift @e, qr/DNAME must not have any children \(but z.zzzz5.galaxyplus.org. exists\)/, "DNAME with children 2"); is(+@e, 0, "no unaccounted errors"); #like(stdout, qr/validation errors: XX/, "error count"); run('./validns', @threads, '-s', '-t1320094109', 't/zones/example.sec.signed.with-errors'); isnt(rc, 0, 'bad signed zone returns an error'); @e = split /\n/, stderr; like(shift @e, qr/wrong GOST .* digest length/, "wrong GOST digest length"); like(shift @e, qr/MX exists, but NSEC does not mention it/, "NSEC incomplete"); like(shift @e, qr/NSEC mentions SRV, but no such record found/, "NSEC lists too much"); like(shift @e, qr/RRSIG exists for non-existing type NAPTR/, "RRSIG for absent"); like(shift @e, qr/RRSIG's original TTL differs from corresponding record's/, "RRSIG orig ttl bad"); like(shift @e, qr/RRSIG\(NSEC\): cannot find a signer key/, "unknown signer"); like(shift @e, qr/NSEC says mail.example.sec. comes after example.sec., but ghost.example.sec. does/, "NSEC chain error"); like(shift @e, qr/NSEC says ns1.example.sec. comes after mail.example.sec., but nosuch.example.sec. does/, "NSEC chain error"); like(shift @e, qr/NSEC says ns2.example.sec. comes after ns1.example.sec., but ns122.example.sec. does/, "NSEC chain error"); like(shift @e, qr/NSEC says www.example.sec. is the last name, but zzz.example.sec. exists/, "NSEC chain not the last"); like(shift @e, qr/NSEC says zzzz.example.sec. comes after zzz.example.sec., but nothing does/, "NSEC chain unexpected last"); like(shift @e, qr/RRSIG\(NSEC\): bad signature/, "NSEC incomplete fallout") for 1..4; like(shift @e, qr/RRSIG\(NSEC\): bad signature/, "NSEC lists too much fallout") for 1..4; is(+@e, 0, "no unaccounted errors"); # RFC 2181 policy checks run('./validns', @threads, '-p', 'all', '-z', 'example1.jp', 't/zones/mx-ns-alias'); is(rc, 0, 'parses OK if we cannot determine the fact of aliasing'); run('./validns', @threads, '-p', 'all', '-z', 'example.jp', 't/zones/mx-ns-alias'); isnt(rc, 0, 'RFC 2181 policy checks are active'); @e = split /\n/, stderr; like(shift @e, qr/NS data is an alias/, "NS data is an alias"); like(shift @e, qr/MX exchange is an alias/, "MX exchange is an alias"); is(+@e, 0, "no unaccounted errors for 2181 policy checks"); run('./validns', @threads, '-p', 'mx-alias', '-p', 'ns-alias', '-z', 'example.jp', 't/zones/mx-ns-alias'); isnt(rc, 0, 'RFC 2181 policy checks are active (individually activated)'); @e = split /\n/, stderr; like(shift @e, qr/NS data is an alias/, "NS data is an alias"); like(shift @e, qr/MX exchange is an alias/, "MX exchange is an alias"); is(+@e, 0, "no unaccounted errors for individually activated checks"); run('./validns', @threads, '-p', 'mx-alias', '-z', 'example.jp', 't/zones/mx-ns-alias'); isnt(rc, 0, 'mx-alias policy check'); @e = split /\n/, stderr; like(shift @e, qr/MX exchange is an alias/, "MX exchange is an alias"); is(+@e, 0, "no unaccounted errors for mx-alias check"); run('./validns', @threads, '-p', 'ns-alias', '-z', 'example.jp', 't/zones/mx-ns-alias'); isnt(rc, 0, 'ns-alias policy check'); @e = split /\n/, stderr; like(shift @e, qr/NS data is an alias/, "NS data is an alias"); is(+@e, 0, "no unaccounted errors for ns-alias check"); # RP policy run('./validns', @threads, '-p', 'all', '-z', 'example.jp', 't/zones/rp-policy'); isnt(rc, 0, 'RP policy check is active'); @e = split /\n/, stderr; like(shift @e, qr/RP TXT.*?does not exist/, "RP TXT is not there"); is(+@e, 0, "no unaccounted errors for RP policy checks"); run('./validns', @threads, '-z', 'example.jp', 't/zones/rp-policy'); is(rc, 0, 'RP policy check is inactive'); run('./validns', @threads, '-v', 't/zones/ttl-regression.zone'); is(rc, 0, 'ttl regression parses OK'); like(stderr, qr/ns\.example\.com\.\s+IN\s+600\s+A\s+192\.0\.2\.1/, "Default TTL changes correctly"); run('./validns', @threads, '-v', 't/zones/misc-regression.zone'); is(rc, 0, 'misc regression parses OK'); like(stderr, qr/"alias"/, "We parse \\nnn in text correctly"); like(stderr, qr/"";"/, "We parse \\\" in text correctly"); run('./validns', @threads, '-v', 't/zones/ttl.zone'); is(rc, 0, 'ttl test parses OK'); like(stderr, qr/ns\.example\.com\.\s+IN\s+600\s+A\s+192\.0\.2\.1/, "Default TTL changes correctly"); like(stderr, qr/\s+example\.com\.\s+IN\s+200\s+NS\s+ns\.example\.com\./, "TTL without default picked up correctly"); # DNSKEY extra checks run('./validns', @threads, 't/zones/dnskey-exponent.zone'); is(rc, 0, 'dnskey parses OK without policy checks'); run('./validns', @threads, '-p', 'all', 't/zones/dnskey-exponent.zone'); isnt(rc, 0, 'dnskey extra checks fail'); @e = split /\n/, stderr; like(shift @e, qr/leading zero octets in public key exponent/, "leading zeroes in exponent 1"); like(shift @e, qr/leading zero octets in public key exponent/, "leading zeroes in exponent 2"); is(+@e, 0, "no unaccounted errors for DNSKEY policy checks"); # issue 36: https://github.com/tobez/validns/issues/36 - $include implementation run('./validns', @threads, 't/issues/36-include/empty-include.zone'); isnt(rc, 0, 'empty include detected'); @e = split /\n/, stderr; like(shift @e, qr/\bINCLUDE directive with empty file name\b/, "Expected error with empty INCLUDE"); is(+@e, 0, "no unaccounted errors for empty include"); run('./validns', @threads, 't/issues/36-include/missing-include.zone'); isnt(rc, 0, 'missing include detected'); @e = split /\n/, stderr; like(shift @e, qr/\bNo such file or directory\b/, "Expected error with missing INCLUDE file"); is(+@e, 0, "no unaccounted errors for missing include"); run('./validns', @threads, '-v', 't/issues/36-include/include.zone'); is(rc, 0, 'zone with nested includes parses ok'); @e = split /\n/, stderr; for my $rx ((qr/\d:\s+example\.com\.\s+IN\s+\d+\s+NS\s+ns\.example\.com\./, qr/\d:\s+inc1\.example\.com\.\s+IN\s+\d+\s+A\s+11\.11\.11\.11/, qr/\d:\s+inc2\.inc1\.example\.com\.\s+IN\s+\d+\s+A\s+55\.55\.55\.55/, qr/\d:\s+inc1\.example\.com\.\s+IN\s+\d+\s+AAAA\s+1111::1111/, qr/\d:\s+example\.com\.\s+IN\s+\d+\s+A\s+99\.99\.99\.99/)) { my $ok = 0; for my $e (@e) { $ok = 1 if $e =~ $rx; } is($ok, 1, "found expected record with correct ORIGIN tracked across INCLUDEs"); } # issue 21: https://github.com/tobez/validns/issues/21 run('./validns', @threads, '-t1345815800', 't/issues/21-nsec3-without-corresponding/example.sec.signed'); is(rc, 0, 'issue 21 did not come back'); # issue 24: https://github.com/tobez/validns/issues/24 run('./validns', @threads, '-t1345815800', 't/issues/24-delegated-nsec3/example.sec.signed'); is(rc, 0, 'issue 24 did not come back'); # issue 25: https://github.com/tobez/validns/issues/25 run('./validns', @threads, '-t1345815800', 't/issues/25-nsec/example.sec.signed'); is(rc, 0, 'issue 25 did not come back'); # issue 41: https://github.com/tobez/validns/issues/41 run('./validns', @threads, '-t1345815800', '-pksk-exists', 't/issues/25-nsec/example.sec.signed'); isnt(rc, 0, 'KSK policy check fails'); @e = split /\n/, stderr; like(shift @e, qr/\bNo KSK found\b/, "KSK policy check produces expected error output"); is(+@e, 0, "no unaccounted errors for KSK policy check"); run('./validns', @threads, '-t1435671103', '-pksk-exists', 't/issues/41-ksk-policy-check/example.sec.signed'); is(rc, 0, 'signed zone with KSK parses ok when KSK policy check is active'); run('./validns', @threads, '-pksk-exists', 't/zones/galaxyplus.org'); is(rc, 0, 'unsigned zone ignores KSK policy checks'); # issue 26: https://github.com/tobez/validns/issues/26 run('./validns', @threads, '-t1349357570', 't/issues/26-spurios-glue/example.sec.signed.no-optout'); is(rc, 0, 'issue 26 did not come back (NSEC3 NO optout)'); run('./validns', @threads, '-t1349357570', 't/issues/26-spurios-glue/example.sec.signed.optout'); is(rc, 0, 'issue 26 did not come back (NSEC3 optout)'); run('./validns', @threads, '-t1349358570', 't/issues/26-spurios-glue/example.sec.signed.nsec'); is(rc, 0, 'issue 26 did not come back (NSEC)'); # issues about NSEC chain validation raised by Daniel Stirnimann run('./validns', @threads, '-t1361306089', 't/issues/nsec-chain/example.com.signed'); is(rc, 0, 'all is good when all NSEC are there'); run('./validns', @threads, '-t1361306089', 't/issues/nsec-chain/example.com.signed-without-first-nsec'); isnt(rc, 0, 'zone without first NSEC returns an error'); @e = split /\n/, stderr; is(scalar @e, 1, "only one error here"); like(shift @e, qr/apex NSEC not found/, "apex NSEC not found"); run('./validns', @threads, '-t1361306089', 't/issues/nsec-chain/example.com.signed-without-last-nsec'); isnt(rc, 0, 'zone without an NSEC returns an error'); @e = split /\n/, stderr; is(scalar @e, 1, "only one error here"); like(shift @e, qr/broken NSEC chain example.com. -> domain1.example.com./, "broken NSEC chain detected"); # IPSECKEY tests run('./validns', @threads, 't/zones/ipseckey-errors'); isnt(rc, 0, 'bad zone returns an error'); @e = split /\n/, stderr; like(shift @e, qr/precedence expected/, "bad-precedence 1"); like(shift @e, qr/precedence range is not valid/, "bad-precedence 2"); like(shift @e, qr/gateway type expected/, "bad-gw-type 1"); like(shift @e, qr/gateway type is not valid/, "bad-gw-type 2"); like(shift @e, qr/algorithm expected/, "bad-algo 1"); like(shift @e, qr/algorithm is not valid/, "bad-algo 2"); like(shift @e, qr/gateway must be "\." for gateway type 0/, "gw-not-dot"); like(shift @e, qr/cannot parse gateway\/IPv4/, "bad-ip4 1"); like(shift @e, qr/gateway\/IPv4 is not valid/, "bad-ip4 2"); like(shift @e, qr/gateway\/IPv4 is not valid/, "bad-ip4 3"); like(shift @e, qr/cannot parse gateway\/IPv6/, "bad-ip6 1"); like(shift @e, qr/gateway\/IPv6 is not valid/, "bad-ip6 2"); like(shift @e, qr/cannot parse gateway\/IPv6/, "bad-ip6 3"); like(shift @e, qr/cannot parse gateway\/IPv6/, "bad-ip6 4"); like(shift @e, qr/garbage after valid IPSECKEY data/, "garbage-key"); # Verify that "." is 00 and not 00 00 run('./validns', @threads, '-t1361306089', 't/issues/dot-is-single-zero/example.sec.signed'); is(rc, 0, 'dot is zero, all is good'); # Check rare RRs run('./validns', @threads, '-t1365591600', 't/issues/lots-of-rare-rrs/all.rr.org'); is(rc, 0, 'rare RRs are parsed correctly, all is good'); # Stuff containing '/' in various places (issue #29) run('./validns', @threads, 't/issues/29-slash/example.com'); isnt(rc, 0, 'zone with slashes returns an error'); @e = split /\n/, stderr; like(shift @e, qr/host name contains '\/'/, "slash-A"); like(shift @e, qr/host name contains '\/'/, "slash-MX"); like(shift @e, qr/host name contains '\/'/, "slash-AAAA"); like(shift @e, qr/NS data contains '\/'/, "NS-slash"); # DS does not mean the zone is signed run('./validns', @threads, 't/issues/ds-does-not-mean-signed/example.com'); is(rc, 0, 'DS does not mean zone is signed'); # issue 32: support ECDSA and SHA-256 for SSHFP: https://github.com/tobez/validns/issues/32 run('./validns', @threads, '-t1378203490', 't/issues/32-sshfp-ecdsa-sha-256/example.sec.signed'); is(rc, 0, 'issue 32: SSHFP supports ECDSA and SHA-256'); # issue 34: multiple time specifications run('./validns', @threads, ('-t1381239017') x 32, 't/zones/example.sec.signed'); is(rc, 0, 'valid signed zone parses ok'); run('./validns', @threads, ('-t1421410832') x 33, 't/zones/example.sec.signed'); isnt(rc, 0, 'too many time specs'); @e = split /\n/, stderr; like(shift @e, qr/too many -t/, "too many -t"); run('./validns', @threads, '-t1381239017', '-t1303720010', 't/zones/example.sec.signed'); isnt(rc, 0, 'multitime: valid signed zone with timestamps in the future'); @e = split /\n/, stderr; like(shift @e, qr/signature is too new/, "multitime: signature is too new"); run('./validns', @threads, '-t1381239017', '-t1421410832', 't/zones/example.sec.signed'); isnt(rc, 0, 'multitime: valid signed zone with timestamps in the past'); @e = split /\n/, stderr; like(shift @e, qr/signature is too old/, "multitime: signature is too old"); } done_testing; t/zones/000077500000000000000000000000001265465626700125025ustar00rootroot00000000000000t/zones/1035-with-include000066400000000000000000000011141265465626700154040ustar00rootroot00000000000000@ IN SOA VENERA Action\.domains ( 20 ; SERIAL 7200 ; REFRESH 600 ; RETRY 3600000; EXPIRE 60) ; MINIMUM NS A.ISI.EDU. NS VENERA NS VAXA MX 10 VENERA MX 20 VAXA A A 26.3.0.103 VENERA A 10.1.0.52 A 128.9.0.32 VAXA A 10.2.0.27 A 128.9.0.33 $INCLUDE isi-mailboxes.inc t/zones/Kexample.sec.+005+00516.key000066400000000000000000000003231265465626700165560ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 5 AwEAAbqjCxtmin71unORku1IrrQx2S49KTmw45jnlNdreCH40YmhDZo2 6CMiVXbq29rvUDW+ZEJqVT5fd5GrA1wEEGbrudd2LDr5AedBK7fYTsZf /LEm32/Bu//KzynrJqyB4HSN3GIPbp3KYyY/Hl7HawOvWAd+tUHgUtes 4trE/4pr t/zones/Kexample.sec.+005+00516.private000066400000000000000000000016511265465626700174450ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 5 (RSASHA1) Modulus: uqMLG2aKfvW6c5GS7UiutDHZLj0pObDjmOeU12t4IfjRiaENmjboIyJVdurb2u9QNb5kQmpVPl93kasDXAQQZuu513YsOvkB50Ert9hOxl/8sSbfb8G7/8rPKesmrIHgdI3cYg9uncpjJj8eXsdrA69YB361QeBS16zi2sT/ims= PublicExponent: AQAB PrivateExponent: dCr3xt5UZiHdJAIASeFrnI1KeRVoi5gmkg3S/yLNa5fMFLZCGTMD2pqMR7B3mBZM/qa7EPvOgzw42FpxhNyit9y4K8QWkAzr3blNVXnK2OenAqNSn2zManKtaNXo6GCyUqdr0BouHA8c/Ef1rF2dG77t4AxImnvbzzz37O92h8E= Prime1: 4/Rh6A3I3ArSMN1twF3W5Y1Gsth64sJCMcZghELXQshmx9ULOElq7oB8SQwOOlxC24IRroRPc2A7DSTOKp8DfQ== Prime2: 0ZlTPN8Ce8eSJPiyLQaOqmHlZJS4hvDCLBafG5H1N7Jdo+X0jMBYlLyv2r9MD+KQQMXAB3a9rm1Lr+n3q8baBw== Exponent1: XFV2+vnqbEbt0OFAPXVFQIIzKupJDGTHT0YdfjVc4C4wg60l+Ey0xZrBvQznDniklClhZCEv1XobMT3BTL5QOQ== Exponent2: k3BsqjQh1hqkBlffVmb3colcyS0IxPuVS1g6YjWBLsXMsx9usJgZd79nYNQSWFZCrR2uIFH5yjpd9If7zh0afw== Coefficient: qFgbd33HSz3xZa+lgvNYBqnsybf6C/wDWO2RZSSxHtE8C/21VOZhr95VU0NSyWrifa0RueMOYJ59g1tk24uipA== t/zones/Kexample.sec.+005+44427.key000066400000000000000000000006021265465626700165670ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 5 AwEAAeluubFtl7Qtw4TpuZl85abGI+HXO4agqzv1kSLQ5tkYFGdpZyZw QcBU2znMrdw03o6dGOEQi+FeSymycLZmtsKiODsHNwgb6qdxnYm7+n3Z iPwVhMX3gxIG64FORibWcHAyBe5AAhQAZIqveqjnY4gwdKZJSmo9ihXB kKS4yJ6UlopkkSxL1Iq9oXvWrd1ZqjQiSmLF/3juvBGjHVP4CbPiXZ70 UDay6Ysa1to1tHZSQshkRTClB+Dct8er3cZ1y62yOSbPK0SlouSRplbz +ezNyqD3c5zvz6F2AcZ4NqaTZOMWZbOowujQj3FxElaZS+/ughQZKq3O tMN8bqc0tZ0= t/zones/Kexample.sec.+005+44427.private000066400000000000000000000032451265465626700174570ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 5 (RSASHA1) Modulus: 6W65sW2XtC3DhOm5mXzlpsYj4dc7hqCrO/WRItDm2RgUZ2lnJnBBwFTbOcyt3DTejp0Y4RCL4V5LKbJwtma2wqI4Owc3CBvqp3Gdibv6fdmI/BWExfeDEgbrgU5GJtZwcDIF7kACFABkiq96qOdjiDB0pklKaj2KFcGQpLjInpSWimSRLEvUir2he9at3VmqNCJKYsX/eO68EaMdU/gJs+JdnvRQNrLpixrW2jW0dlJCyGRFMKUH4Ny3x6vdxnXLrbI5Js8rRKWi5JGmVvP57M3KoPdznO/PoXYBxng2ppNk4xZls6jC6NCPcXESVplL7+6CFBkqrc60w3xupzS1nQ== PublicExponent: AQAB PrivateExponent: IG46rDTOm8Cz5jZWi8V3XmkuuQSfB4Aw6f6e8FhXihe3Vfql0whLij3/yxLtoKdTuDqJJ1OWK3RfOubIk/7HK1lAOKsy8RR30FWPjoAoN+3OAz+2F47gjdOaSnemdWTbcCry+fu4jjDTxxTEFM043cXlnuiVxxbPpWAkCU6GyMkWB8i+VsDsuV8Yd/QF8XdobXdAcIZI/clzcy2X1duruF2L6AosZiupLcCL+lLkENCLLN8Fi45soa2IPqGFluk3APNP8mV4DeElNRAV0yD9cNxM87oJZ65/3uOQNwgZVtM+x3DcYVP+wgmzvtJqcnHg3wGFcG+Csb8q0NcQb1Oq/Q== Prime1: 9kXCiZIWsh6eyjJEvW0YEzw5wiBuK1z/C7EQvB15XJxTmjdKS/oH3mZQN+nbj3twMmoegfIMWMO/1OHYvTHD0izHy3P085HUWPUSE9PRLBaWgPFmf3lWwSykeglNHi0qadCCaYENyauh1lV4ygHvnA5noPf2gqCfdtFxTnU8auM= Prime2: 8qchj/P50tEB24DjrTLIqfqIPHas7CWKJ2eLIBUicCJ1l2oUc/ZDT+7YAwl2ule8BdAcQEpD/fo3O8wa0WSQvlBZjCgrqH3lliAMEr7GrbtmccA9VOx22fO5SnwR68Vy1ScALqIawqLPeILX4oZrdN4rhD4Z9v7Dw+RTdioJxX8= Exponent1: WjCoEvu2ZhsCqigItpq6Y2j9+hMoZacUHHMHHu1oYbs6ftLa2cJCmXc8z41MhFp/d2cXrx022lct7MedOYR9I36U2PSpc34nl0CBE1PSWeQX0DcYA30rgWlY/vxjCrcdvkzHRd4mb4H0rer1Zn2ZA7zexLuqwqISZFBFv6b9rmM= Exponent2: lXTXuUC+yViu2jJjCZTT/84uB3/ZNoJQu8CM8q/RzFuNLjvKaTpvb1Zfek9j75aGWtY58GdNxatOReiLRBm7BV2cKjW73kXdGUCX7xvOZ8eba8jKffo/ojL6F6SfrSaqehtRg2eZL/Tz8Pg2XHIK0areBs/xUi7NCWUi+w8dgaU= Coefficient: f9P8enqYy66oBCP06d3+meB0C6i6oMUKiya8FAj3g2rfTFzI07MrBcqDHzuOx0tGHM3EGDzYSwVYFXGvk7Pn8Wm8N1KpfYDQT4VnenKwV3Bo+7142Y4bsZLhTEpewgZUgkBBrFN5Ab22XudONPPXe6OqvY1aRHYVluWcJHjtyPQ= t/zones/Kexample.sec.+008+48381.key000066400000000000000000000006021265465626700165750ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8= t/zones/Kexample.sec.+008+48381.private000066400000000000000000000032471265465626700174670ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 8 (RSASHA256) Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw== PublicExponent: AQAB PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q== Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk= Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c= Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk= Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU= Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q= t/zones/Kexample.sec.+010+01862.key000066400000000000000000000006031265465626700165600ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 10 AwEAAcZdPacjnWNuQKCF8CPmUW1/NUxI/G7xdbwrU9lOuAD3sw14rLw2 NTzpbC/bubt2aHQ0nc1duoK0x3DjhAURWki/1O1Yvr2ffQRVpWS+WjRK CqTjuPrrdImeKdWEdnDl3l5kQpsxx++EIHrDnqiVhBHJdVB70A/I7i5/ HiD8HgVooR3IXVyxbT4walrarrhHWEBcXcNbvadg2rc492wS86zbSmK8 iV1e7t6U5iBYmsQjc7TVhBT7xqarknECGC8L/9o/R1zfSzSN+ay+dI45 t+jOOLgWp5gmjsI/mXhoO6GqX8rbZoV7/DQyAR5rATJHW1eausJhOgE2 wBJgl6V0XbM= t/zones/Kexample.sec.+010+01862.private000066400000000000000000000032501265465626700174430ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 10 (RSASHA512) Modulus: xl09pyOdY25AoIXwI+ZRbX81TEj8bvF1vCtT2U64APezDXisvDY1POlsL9u5u3ZodDSdzV26grTHcOOEBRFaSL/U7Vi+vZ99BFWlZL5aNEoKpOO4+ut0iZ4p1YR2cOXeXmRCmzHH74QgesOeqJWEEcl1UHvQD8juLn8eIPweBWihHchdXLFtPjBqWtquuEdYQFxdw1u9p2Datzj3bBLzrNtKYryJXV7u3pTmIFiaxCNztNWEFPvGpquScQIYLwv/2j9HXN9LNI35rL50jjm36M44uBanmCaOwj+ZeGg7oapfyttmhXv8NDIBHmsBMkdbV5q6wmE6ATbAEmCXpXRdsw== PublicExponent: AQAB PrivateExponent: Su1fY2nVgoBb0wakrbrK2TRqunT7PSDh2wD2vCe640qtDJKflLxZIbf+EJnLr17Ll9FkJfWYhNSqXR7jeFKUqtQjJsAV1GSRAXkkb0hjpEqveJc4ATe9Hlpq7OcLIhwCAd+XNS35mqRq7FRF8uH/MATL1mneLog0R8XmaIkzAdFYf8Sz/8v9F719QuUI7554HVbQ4tnzyfu5EannQ5fgvJAOxR6K1j3lWgIddPfXK5XBjRIN+NbQgWtQb9dTRjFpiEUMs1Wv/CcuL26NHc3HxvadVWN1X8nd5389w9kgQr7B/2rk78XLPpkxl624nb8LRlnCef3d/wcPWb5vHO7SqQ== Prime1: 5MYz2oYsBaoOgpz9rhOOMGKyflhpWxWwT5VzW1m8zPPhH89mayRZKXFJM7VkBIAF6hqJoaPmaiU336t/CedpXObYU3zlz9BnvyY0EPUNcEs/eRAlS4rEi7rVlu4gHPZHySv4vlWEH1cWUyGz2kyqrHclUa0zh3DRe39JDQjv0XU= Prime2: 3fiSdJ+xAT5VqeV8/sZ2f4gMXIKWu8DnJS7VVEmG3a1VwZP5bdUosBKzX9yqcCdgpsRhIrQ2GTZNoiF1lG7H0QZXa5UUGOmHwRygk28Idi9oa6ng+JOJ5CgCLht5r0tlhILZ4kSPhLXD3oqF50WqfRRCEUblaWEikpd6mkj7JYc= Exponent1: 5GE4wp3OtJjfg2RVmsHK4GKm7Zo1EsjECa6YSkl7QN71jlvtUmgm2khNW2FpR1TGkr2LR+Hm02/0J0V8vNZXSHbq3e2BPcQ+zYPF1mfL0p5L7v8/O/p720HYl6OAS2lQoHNVDi0wiFjX4IV0liiS+Ti3+KF/H2ZwuWiH9ItHXUE= Exponent2: mfX9F5lgO72Ry2sa/NiJfsHN2SjXBlmxue+3FmR9gCrnTYKmwpDUTPRbqIU1Tt9xQZr6yQh4cZph1LAijxcbz5b3ce6QZwssFz0U/85G7zrI0cyd96zWOwOpJ3P1PiosuvHL0Q6/AUzWE/i/EgAXVfSEMtma7DHsugMJjhRK5uc= Coefficient: COuG9MOOzI/18yIY4sNYvz/9G7GCwrMa48PQKtjj/NOTPb1+z3cuZCM57NYGYOBlEsj7rADSrQ8b/0lJph4qUSEefiDxyk0wGgmvh+QGPxNjMouqgy22Kf65k2NwbunBSo/ZrKpN0N6Pb06BRrKuhVLEw/Tvsfx/IrbhYFILLHQ= t/zones/Kexample.sec.+012+50458.ds000066400000000000000000000003071265465626700164060ustar00rootroot00000000000000example.sec. IN DS 50458 12 3 2e40b2a6ccd2760ec70af69d1c144064c8931e53a6b3eee78bdb9e0bafbb9c02 ; xerig-bosep-kufot-datib-vucob-petin-toluc-gubuk-gidyn-faleh-fenor-ferav-lydat-rolib-rirur-rulab-daxux t/zones/Kexample.sec.+012+50458.key000066400000000000000000000002321265465626700165650ustar00rootroot00000000000000example.sec. IN DNSKEY 256 3 12 XnGVpOY8yAhHyYXD50FS0oT6ncmCTbL0B8KoEuVraI8cy2Q6TXMlgMA5Vl10vE43EOWMVqRLr/0ETAGGNcvGlQ== ;{id = 50458 (zsk), size = 512b} t/zones/Kexample.sec.+012+50458.private000066400000000000000000000002351265465626700174520ustar00rootroot00000000000000Private-key-format: v1.2 Algorithm: 12 (ECC-GOST) GostAsn1: MEYCAQAwHAYGKoUDAgITMBIGByqFAwICIwEGByqFAwICHgEEIwIhAOaeDNwrAtYS5g7Qtk8qPiAbIl2r33YG1QYBUFXmphAI t/zones/dnskey-exponent.zone000066400000000000000000000023021265465626700165270ustar00rootroot00000000000000nz. 86400 IN SOA loopback.dns.net.nz. soa.nzrs.net.nz. 2012012024 900 300 604800 3600 nz. 86400 IN NS ns3.dns.net.nz. nz. 86400 IN NS ns4.dns.net.nz. nz. 86400 IN NS ns7.dns.net.nz. nz. 86400 IN NS ns6.dns.net.nz. nz. 86400 IN NS ns2.dns.net.nz. nz. 86400 IN NS ns5.dns.net.nz. nz. 86400 IN NS ns1.dns.net.nz. nz. 3600 IN DNSKEY 257 3 8 ( BAABAAGwfTiEoh71o6S55+Mdy1qqVRnpKY1VHznrv+wx rPfvRGB5VivFFPFN+33fsaTxJQTceOtOna7IKxTffj6p bBG4a9vtk2FqF551IwXomKWJnzRVKqYzuAx+Os/5gLIN BH7+qRWAkJwCdQXIaJGyGmshkO5Ci5Ex5Cm3EZCeVrie 0fLI03Ufjuhi6IJ7gLzjEWw84faLIxWHEj8w0UVcXfaI 2VL0oUC/R+9RaO7BJKv93ZqoZhTOSg9nH51qfubbK6FM svOWEyVcUNE6NESYEbuCiUByKfxanvzzYUUCzmm+JwV7 7Ebj3XZSBnWnA2ylLXQ4+HD84rnqb1SgGXu9HZYn ) ; key id = 2517 nz. 3600 IN DNSKEY 256 3 8 ( BAABAAGD+q3p2XDCb6SvAbACB/NPdljxhpBx2O9ZnvF2 OYb6kViMJ5dgxYDcFtvL5RW31Bc7UDvseoQPUK1wora3 BtUTylo1xd5PN/lV600mrNGRxfmw77Hen/MXH5GQrjaj O+rFP1xce1/jdyvCciJzrYRcPL9p4c/eGoJK3ZMubiu1 OQ== ) ; key id = 27212 t/zones/dsset-example.sec.000066400000000000000000000012301265465626700160230ustar00rootroot00000000000000example.sec. IN DS 516 5 1 E9EAC4E17B2C685DCBF22768F88F53FEACC9E6C7 example.sec. IN DS 516 5 2 C4829C804FA64A94CDAA4DF4B518BC04EBA481F8E9D942BCF6D16C7C 990CDD7A example.sec. IN DS 1862 10 1 79ABD351E694950578C959D64EE5BE8987A5C33B example.sec. IN DS 1862 10 2 9BDEA651EFD16EF8F24F281A2D179B74D63F53FE943A117F7E5BEFE6 BBDEE179 example.sec. IN DS 44427 5 1 5A3DC3A2174039C0879C28713CC99D3939448A53 example.sec. IN DS 44427 5 2 2D6952FA00E1478E3DFF55FF699ABE3E1A27555194375CA1EDB756C3 BD1EB462 example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93 t/zones/example.sec000066400000000000000000000163051265465626700146360ustar00rootroot00000000000000$ORIGIN example.sec. $TTL 5M @ SOA ns1 hostmaster 42 1H 30M 1W 5M $INCLUDE Kexample.sec.+005+00516.key $INCLUDE Kexample.sec.+005+44427.key $INCLUDE Kexample.sec.+008+48381.key $INCLUDE Kexample.sec.+010+01862.key NS ns1 NS ns2 MX 5 mail SPF "v=spf1 a:mail.example.sec -all" A 3.4.5.6 RP some.mail.box @ TXT "Responsible person" ns1 A 1.2.3.4 ns2 A 5.6.7.8 mail A 2.3.4.5 www CNAME example.sec. _443._tcp.www IN TLSA ( 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e971 ) _8443._tcp.www.example.sec. IN TLSA ( 1 1 2 92003ba34942dc74152e2f2c408d29ec a5a520e7f2e06bb944f4dca346baf63c 1b177615d466f6c4b71c216a50292bd5 8c9ebdd2f74e38fe51ffd48c43326cbc ) _25._tcp.mail IN TLSA ( 3 0 0 30820307308201efa003020102020123 ) delegation NS ns1 delegation NS ns2 delegation DS 60485 5 1 ( 2BB183AF5F22588179A53B0A 98631FAD1A292118 ) ghost NS ns1 ghost NS ns2 ghost DS 50458 12 3 2e40b2a6ccd2760ec70af69d1c144064c8931e53a6b3eee78bdb9e0bafbb9c02 ; xerig-bosep-kufot-datib-vucob-petin-toluc-gubuk-gidyn-faleh-fenor-ferav-lydat-rolib-rirur-rulab-daxux sha384 NS ns1 sha384 NS ns2 sha384 3600 IN DS 10771 14 4 ( 72d7b62976ce06438e9c0bf319013cf801f09ecc84b8 d7e9495f27e305c6a9b0563a9b5f4d288405c3008a94 6df983d6 ) ; and let's have some glue delegation2 NS a.ns.delegation2.example.sec. a.ns.delegation2.example.sec. A 8.8.1.1 ; more glue bugs to catch delegation3 NS delegation3 delegation3 A 1.2.9.253 ; more glue bugs to catch delegation4 NS delegation4 delegation4 AAAA 2001:2010:1::feef public HINFO "i386" "FreeBSD" LOC 55 40 15.258 N 12 41 56.378 E 9.57m 10.00m 10000.00m 10.00m lets.introduce.some.empty.terminals CNAME example.sec. jumphost SSHFP 2 1 123456789abcdef67890123456789abcdef67890 cert CERT URI 0 0 V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== alias DNAME anotherone.sec. ;; XXX BIND does not have those yet| host1 IN NID 10 0014:4fff:ff20:ee64 ;; XXX BIND does not have those yet| host1 IN NID 20 0015:5fff:ff21:ee65 ;; XXX BIND does not have those yet| host2 IN NID 10 0016:6fff:ff22:ee66 ;; XXX BIND does not have those yet| ;; XXX BIND does not have those yet| host1 IN L32 10 10.1.02.0 ;; XXX BIND does not have those yet| host1 IN L32 20 10.1.04.0 ;; XXX BIND does not have those yet| host2 IN L32 10 10.1.08.0 ;; XXX BIND does not have those yet| ;; XXX BIND does not have those yet| host1 IN L64 10 2001:0DB8:1140:1000 ;; XXX BIND does not have those yet| host1 IN L64 20 2001:0DB8:2140:2000 ;; XXX BIND does not have those yet| host2 IN L64 10 2001:0DB8:4140:4000 ;; XXX BIND does not have those yet| ;; XXX BIND does not have those yet| host1 IN LP 10 l64-subnet1.example.com. ;; XXX BIND does not have those yet| host1 IN LP 10 l64-subnet2.example.com. ;; XXX BIND does not have those yet| host1 IN LP 20 l32-subnet1.example.com. sec-00 IPSECKEY ( 10 0 0 . ) sec-01 IPSECKEY ( 10 0 1 . AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) sec-02 IPSECKEY ( 10 0 2 . AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) sec-10 IPSECKEY ( 10 1 0 192.168.1.10 ) sec-11 IPSECKEY ( 10 1 1 192.168.1.11 AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) sec-12 IPSECKEY ( 10 1 2 192.168.1.12 AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) sec-20 IPSECKEY ( 10 2 0 2001:2010:1::20 ) sec-21 IPSECKEY ( 10 2 1 2001:2010:1::21 AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) sec-22 IPSECKEY ( 10 2 2 2001:2010:1::22 AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) sec-30 IPSECKEY ( 10 3 0 some.name. ) sec-31 IPSECKEY ( 10 3 1 some.name. AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) sec-32 IPSECKEY ( 10 3 2 some.name. AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) sec-mixed-30 IPSECKEY ( 10 3 0 sOme.naMe. ) sec-mixed-31 IPSECKEY ( 10 3 1 Some.namE. AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) sec-mixed-32 IPSECKEY ( 10 3 2 soMe.NAme. AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) t/zones/example.sec.signed000066400000000000000000003114241265465626700161060ustar00rootroot00000000000000; File written on Tue Oct 8 15:28:55 2013 ; dnssec_signzone version 9.8.4-P2 example.sec. 300 IN SOA ns1.example.sec. hostmaster.example.sec. ( 42 ; serial 3600 ; refresh (1 hour) 1800 ; retry (30 minutes) 604800 ; expire (1 week) 300 ; minimum (5 minutes) ) 300 RRSIG SOA 5 2 300 20141212121212 ( 20121010101010 516 example.sec. L2S8qd2eLKNZZSLsCwPtfw6oDRyWSTTj9E7a 7kt2uCnwCpNFFYuNSJp8NgEUkjWHO2XWbTSt gpiz4jefzxG6wiLH7LjbDCNVhljKkwIlicP2 srahJ9oUGM+MdYXHKKHqAUsgzeQQi87psTQL KzDjN7dV9LfxBPXK1TybQg3ME6s= ) 300 RRSIG SOA 5 2 300 20141212121212 ( 20121010101010 44427 example.sec. HYXfJCuz0aBt+Ye/+vnk4H4EOHvhTCBB6+BE TJLzzSCuNtrOOdhftFi58IHBon10OSsbrp6W SmiCAte+JuijZ0VNK+90foCnW5qVJy/KagrV U8rhmUcL/vMsxEBHtKadu60UO0800FNi2PH2 nS+VvXjM5kKA+F0HiPTaLcc9Z8Ez0sQslhmI 9LHgV4kd/XvXJ5E7oJwnd0Ex5MCXUwnFjvgU t1iL7s8Lfryfy0av0y9z9+yHqRgywoyHiaF5 4UtIpQeezu5MoqbLDh8w94tfiAMxGJH20JOZ ObaYPtc887wpOlh+iDNvAl2xKqce5KbGbxuV 21Pm9R6zjhEFlKlcvw== ) 300 RRSIG SOA 8 2 300 20141212121212 ( 20121010101010 48381 example.sec. ICsoYt1gdoIS4d1VRon0e6DZ1c0nK3UDHlFr +or12x+W7I63ZwFz2dOtV4nW2CN44ElhkxG3 wpNzy2V5XKk5uHWrc0aMttwsOq7yguu3Ieee YahgmGBzbsPmwBszuMXyIyGH21DOx3cqe38f 6OT9RYiH8jYQtz7jhr/dR5eaLk3Tf54GrPQt c9ltFgwgb/Z6nkKsOTu6OnjGxCsS++hfwLM2 Dp25HeLxAfdwyDqvZn+tIBgqh7+SAtfrhZEU 7wv0YKD7GCuxhc1ci+CQpDuHJOSBc/Se30Kv EyPFRPCwIrH1IuVIU7SJ6UgNdDFcPGNiKmDF Sl1aeg1YIGONZtlV4g== ) 300 NS ns1.example.sec. 300 NS ns2.example.sec. 300 RRSIG NS 5 2 300 20141212121212 ( 20121010101010 516 example.sec. Is2FN6iXMylX2qYT7PVbW3jzSwLV9egXRxN3 Al8PGlBLZ55smhDdkDc64PiazFfK/u7FG6Qk cx8SCA6MEVaDALtSU6qzYYZ89X/QBmdeQCUb 5pb6A7rMuvxWKZ07NAZ+M+kNBrcasVSuX7m+ 7+95oWQo0gnaGegpP7UTB25zpM0= ) 300 RRSIG NS 5 2 300 20141212121212 ( 20121010101010 44427 example.sec. nTskckPf0Gaj3CFbzSZXRA6uBQ3hDGPXmJT8 HahnznWdnMq2w/gg0I2VSmTb8PZ84To8bGu+ 53hbxA1NBlAtydTFYrdh3H9qcAnP4ASJm8Pd NrXWEl6N1iGiPXUHawBpWy44MGu5mqVqUHUn tuO/ERBRNudhvp9zouLehgrtWcW5BMq2q8pK R8OZxkd4YJtbVjv/1N1yVyRGkNg6XJLqbbf9 pW/btCU+JPoOJ4g6G77T5v7m7PH3yYrk4rTz 97KMrLMqh6Q4pzwr/BjjAV2vs742ieo8UKKn tAL4GsBPOnd7EzFuadI37+EGrsSAHOMbnD09 yp7Gnu33Ql5f4Zr63Q== ) 300 RRSIG NS 8 2 300 20141212121212 ( 20121010101010 48381 example.sec. qifctVQsOnhFpUz+d0xcVK6nNu1F2IYwrUhM H+kwNTFYJByMGmiZ8Q7ezWD/g40SOBw5T/TP xwHyXHRMr8uqbMFQsEPhAM6Ly14bj4JygnIb 8iuVfnTWzNhZAJficuuLFaX5u1aJY4N9MZCD okYBI6AMIVuTI3GRQx857q1PxMdnUm5KmsAB GqwplhjhIAhHuDygJ/2ZR6aQeL8GJTF9CdmW 1av2rJzOdtRfgHmU056Fof8tvB73SbW9Mhb2 dECJ4vYJpp/VfywREcLzcG4EcWDmgHvNgbzs DhSEGXAj/ytIGRshPk8j8tIcHN//soqfV9dn 3Xv42NZTk7xt/Q+bOw== ) 300 A 3.4.5.6 300 RRSIG A 5 2 300 20141212121212 ( 20121010101010 516 example.sec. REruNlWPhPdn0OwDISrhCIYEHLpL/9RrAAAl JNlCRluGECUt4pKGBcNYsFl/BCu0ZSaGu0ol c5gvD9CsP92HoiWhFjmJG8epEiblcUnQmYfK cfqhRxb4Pwvaw5eP/p5ysBhhJhcklLs0eETu UsqFT0LbnDHkLZL7SX0EvlMCNWY= ) 300 RRSIG A 5 2 300 20141212121212 ( 20121010101010 44427 example.sec. Zs9ZU25qM+2tWswmMNbByYvJmFdC/x1Hzc0E 5kdb5Z7x8Su7Qir+sINQtqZ/CmPextOV746c bgH5Yax+G9sCJK7ssVQaCsNB4rcECELDpQRP 6ca7+dOQ3pMGX5a6FGO+b3zucLdexkWf9VKo zS0BTnjDl9R0sVr1FaN29YbjtRJpO65UVfKV FkYFIaBQCS+E5/cLzTzI6iP8ZThhzgDd6Mux cHxqGtb0fXKP5igpEcUHwh/+G5h5RthvSCn1 nlo35njMb4UR7q5WPUSrHCv1LB2KdqxHBq5u ckS96/q2X/grY4NnFr8f02+ZwhHy77VqPcpL SKoobHQkkMSaY8F6ww== ) 300 RRSIG A 8 2 300 20141212121212 ( 20121010101010 48381 example.sec. iYrO6bkdXX4d8SU6yay5yY1rm3RPcr6eQSbv NIZSiP4T9oM96uEXTeVt52RNFSH5E3FPctBY LJ4wgga8MemwCNi3N+SLtIKQztAFb1TxgrF4 1tJXnNEtsMSpJFxNSSDDWye1BgAMF6IE99Jb dGWGm+n/GV/UOCZrHTJs7cI+LtDgxJq+3dys ZD+ZO2uncAm0Z7o93HQqHpNzmZmhNOy6RTaC D2RIPo4fwSfI8LmbvOpCOUhdU8cKv/ruhuaW g9163lz3Nyxj30S2TX1Aj6QDAZbGYgi+t+Q8 ad1dOqTam5DZx3ksjyjGDz4UEufJKFa7SG5E UGLnRHbWGLZaMcGxcw== ) 300 MX 5 mail.example.sec. 300 RRSIG MX 5 2 300 20141212121212 ( 20121010101010 516 example.sec. gcagSolgEmDVIc5cU08Zt4K7abuJ5aXWxWbB xe4F6fz2slHoG09n8WUxUz4duF4omLAtnuB+ uW+79fdn7p+EwhzBZ8ds8WIlGSdtI5edU6cA A5SL2msnLqv512puF1wXxrVoNYBdkcBgFjlR VLpKMhBZR6dsYkr552R0qcJP0UQ= ) 300 RRSIG MX 5 2 300 20141212121212 ( 20121010101010 44427 example.sec. XXsoPIEF4nldBqzujYDPNefWYdo2BO31uXli nTd+bjPT5S5fhBcTGqWSSOW2/hTTdEjhd7sA 9crpwCNex1BV4WySdsctwwwxSi/uQDbV4Ld4 GBtef94RFwtAiDs4kE7J8LjDrM10DKmQxTTi KCU6u8LRyQCTS8f2XcX0HnM9z41z0y7USNz/ WTAJa0e4lVXv4wMPfQRel8TAgBc9RNUg9qyd c8JFGlpxL09tXA7n6LvBoqHFDZSHf2eSBwDk 2fwsqHw1FF1fcMkAvsv2R8P0yv+oJkbT5Dv8 AKzyw2OVTBygImCZpREtz3OBs8R4vSN6RF1K HTEnfuPVunKd89zctA== ) 300 RRSIG MX 8 2 300 20141212121212 ( 20121010101010 48381 example.sec. qcDxTb50zfqGgiIsk8x+0pDm6AAFdCXy1+Oa i3SfnVrUYKp+BUvvPPZasEj5+19O0Ih1jdPu 2zB/Af7jS0pp2LwdN5dh2fJGvf4yId1sZfD+ FjwRXli+F2MP+S9cEqiICk0aknEH8wEHNjJl DkxtCWtYvfbNOJ15PhtgspolbDh+WKNgq0fA JcCqkyaZIIQvV2YITqzXDHH0K+jZEqVIfa4m SCbYidkbBkeX1JsaY/RX0u4mM/CcugGfrVdL PxfeIZDJh9qJ+WxjR/tVSs1mhOBRTeBzlS3m zNnlHJovqj1KRPFaNWu2Bg7V/9cQMr7HnoyB hUkYh17aBRxZA50ttw== ) 300 TXT "Responsible person" 300 RRSIG TXT 5 2 300 20141212121212 ( 20121010101010 516 example.sec. W5OGt0M32rE9ap4wt0EOv2XYrHNL82jXfUHE f/NlLZBTrsZgOtv/kUig/mfynYY9UT+Nabrk GZ354v41yoMjRs8T8xYPW5d4U3CkeIGldzoj ccJYgvbd0kfirTLnFozQmq/NZ6XPDeSUvmPI zNzyu5MWG97toTkXWXwcoEcNOZw= ) 300 RRSIG TXT 5 2 300 20141212121212 ( 20121010101010 44427 example.sec. inApW4wPqSfEMEHSrT+X9yJt/V9GJdSu4h8r QvZurxth3xyqOezB1fdffF3Z37wd2tDdCwj4 f9vuTNlFYjVaQe5Q8555tnEpVTOjXxwe7FfP cPGJEj4ufh2R+k5PDLqLiom9HZuFMR7qO6+K iSHbnThFCwN99hX70YtHxlv+tohZdHpRJ+4+ 68bRfMkZ15gQLDRcaXG83zN4QBup/n73eSsw zWPi6ZUuMbK7tKXqLNupXS00QsIqhe4AucP4 7bjlHLo6a0g4ds73l6LSHr6Mxow968mM0dQ/ Uxhg6o4dFujGNjwEzv5bQ1LFnhgOyh2MG9ue DgOl1BUANskW35uuoQ== ) 300 RRSIG TXT 8 2 300 20141212121212 ( 20121010101010 48381 example.sec. QRfJNke6ca9HqkTzuIreT7bMmNbrEas3mArh K84gox4s4Y0Ud7JPn4iusX7JyaIsY5Yzbmr6 BtfHTM0DFC8WgCdO6i37l/illpJOJ1TEZ7Cs CT/HUSOVxvpOS94T2hEoDXzDZbnBhm0mRERC N7VWoio5zxzX7Gn/iyNeJiYOzyayKPQoOyrO KgfvlWnbk8MsN4a/KVHYAZ7xEYDCbWNw17dE zP49wVJTNK6mQ/inKXnzmdk2QVBoNhE+OPHo owIUzavwBUI0MiFMFtD9OULrH9JU+t2wja/u VNzHjz+i1Ka2u1Y879b1RHCTFcDaH725H6rN kQSSwyiCC5yemHP9Jw== ) 300 RP some.mail.box.example.sec. example.sec. 300 RRSIG RP 5 2 300 20141212121212 ( 20121010101010 516 example.sec. JuqZzfAFhs9gBrCGKSQPmq2cOzZSum4PzvfL mCXjZg5zYXZUoW3HKboRpCIkQzuKKZWJC4PA jWau/6mZCE1Fsk33AqkHB18mn+06fPtmFAZY UyRjfWmbyoKzqewbfLrCzdwqjfAVQEhCjPfl jarWyvCYn155l8dW/oW3/ib/d84= ) 300 RRSIG RP 5 2 300 20141212121212 ( 20121010101010 44427 example.sec. HfYsVtUxudMxdmeRXfXpjoJx7700b938l0GC rjHmH054yb7r/gwvQT/7ZSglHRiCeLINtu0u K+3ejMaADM1SIUS2X0/K/Wv9wO8i826CHjp/ EZ0X4GQLMKMqgvgpzVYldA1Vh2XUkPswu9Xi /zvp/5SrjBPEAD7QlyO6M5odBvqIGUv4ZIJR U6QaQakv0RB+gb1DLOwqwutpyPUZehMEGeIn SnSZZwq1KUyS0Cma3KNC4aYUL/SboSeBEHPq SXG8ueXAPNoa5fDP1DuiOB5haW4yomuRa0as wBaFLcjw2tD5jDNwvLfUxB8QpslaUY+Js2M2 F2m13hC8T8eZ6pC9zA== ) 300 RRSIG RP 8 2 300 20141212121212 ( 20121010101010 48381 example.sec. BfTyse4P2G1V/6L6JNZlEKT4OpNEXw4zIIDf xz1iMdFHyDCng53xlDrm4VLCcjkzMmllaPid HtZ65SfHpdJncaLFsFSSmeiSg/UAe485LSmD KGgTxCHBmFT+FFoFkimbn8L2Jr7V2FQQ2ILB /CAuWpBSogX5N6vssiLEbVcfIQlWzqod1qV4 TPC0xNinSmtD0eTep1L4ZVGJHq8ZI/+Mzzrp RvUCyWEEAD2H9BBxhXY/D/qHeQsvpFVsJUwY cahL/AIjdbksEMjkw/KDNTs6WZWRluskvVy9 NfkzBioZk0xGzryV8xfiBNbdVkei708PZDyE BfNPJodoCmqHS0w+Pw== ) 300 NSEC alias.example.sec. A NS SOA MX TXT RP RRSIG NSEC DNSKEY SPF 300 RRSIG NSEC 5 2 300 20141212121212 ( 20121010101010 516 example.sec. Q1MtdC/FeeI0yxUEuR2yE9LHjPdKttjFUPic BpX7FaxE0YKgk3rlodPoL5dRz3rQWI7I1Wfl EPQKOIZTWIFrRvjbDamwnsa25m8CCvIMUpbQ CvuDHn5ycbpbEpaHfJi17sCylGoj3niCehwg h/uOOigKQHLQK8DTgN0e0Ddxv9U= ) 300 RRSIG NSEC 5 2 300 20141212121212 ( 20121010101010 44427 example.sec. bTXEqJah647l0EOnVO6SXO/XIJ3bQcFN/Ci1 jFvtPipkyk2pQvkwuWlRUyt8ip4fjuHgCDPK D7ODTzMEiHVZNuh7bSv7LoW7bpM11ie5qnO6 TfyOYcHjR2lYHcDNjwGTUjadN8yiAFUBAXNq 84h34yKA3slx5DQLaNoA5a7XWr0ODsslDll+ Of9EwBGhjHvlyiJrXT3VMUg/SBGndxoIZrtN CGON0mkNI1Pk/ZSqyib29N1U8POiP/wPAz1C phG7IAlc6PUMiXegNDanaWQuPhOI4uV+f0tV ZDFa/9mIAgF3rZC0mqHDk3h0GjJn/Ocbp4sg RoGUCOcPuZnLlyJ9tw== ) 300 RRSIG NSEC 8 2 300 20141212121212 ( 20121010101010 48381 example.sec. g9vjezK5ony2cpKX7v/ISk/XEW9VHFUd99pH 4QV6SrX3J1OVQ5PzrKCyN/Ak1gWSVrETtIfv fLpvxHxBR8EWZdunUUTi0ElrhVY0xW/UT+/s GjaCTcuTHRhw/ee4bdcE8aH3S5FCFzZPa10E w8K597UiFyzZUF/LqjXqSoI0fUvRTSwMQ/ZV AoNtBi/3dP6ItrvIirJLMdI8QXR/X2segPyW DnVfK4m6OzyNbcAV/9NaycsU2L6MiUpwPTNy um5LdGwiUJXfVRMbD5+CI/UaXhozoNbAoy5K 1Zr7mZzjl9l8a3WAkeAUWxT9H1xLWX9ux0FC yO1REofyVJ0WPnGKJg== ) 300 DNSKEY 256 3 5 ( AwEAAbqjCxtmin71unORku1IrrQx2S49KTmw 45jnlNdreCH40YmhDZo26CMiVXbq29rvUDW+ ZEJqVT5fd5GrA1wEEGbrudd2LDr5AedBK7fY TsZf/LEm32/Bu//KzynrJqyB4HSN3GIPbp3K YyY/Hl7HawOvWAd+tUHgUtes4trE/4pr ) ; key id = 516 300 DNSKEY 256 3 5 ( AwEAAeluubFtl7Qtw4TpuZl85abGI+HXO4ag qzv1kSLQ5tkYFGdpZyZwQcBU2znMrdw03o6d GOEQi+FeSymycLZmtsKiODsHNwgb6qdxnYm7 +n3ZiPwVhMX3gxIG64FORibWcHAyBe5AAhQA ZIqveqjnY4gwdKZJSmo9ihXBkKS4yJ6Ulopk kSxL1Iq9oXvWrd1ZqjQiSmLF/3juvBGjHVP4 CbPiXZ70UDay6Ysa1to1tHZSQshkRTClB+Dc t8er3cZ1y62yOSbPK0SlouSRplbz+ezNyqD3 c5zvz6F2AcZ4NqaTZOMWZbOowujQj3FxElaZ S+/ughQZKq3OtMN8bqc0tZ0= ) ; key id = 44427 300 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 300 DNSKEY 256 3 10 ( AwEAAcZdPacjnWNuQKCF8CPmUW1/NUxI/G7x dbwrU9lOuAD3sw14rLw2NTzpbC/bubt2aHQ0 nc1duoK0x3DjhAURWki/1O1Yvr2ffQRVpWS+ WjRKCqTjuPrrdImeKdWEdnDl3l5kQpsxx++E IHrDnqiVhBHJdVB70A/I7i5/HiD8HgVooR3I XVyxbT4walrarrhHWEBcXcNbvadg2rc492wS 86zbSmK8iV1e7t6U5iBYmsQjc7TVhBT7xqar knECGC8L/9o/R1zfSzSN+ay+dI45t+jOOLgW p5gmjsI/mXhoO6GqX8rbZoV7/DQyAR5rATJH W1eausJhOgE2wBJgl6V0XbM= ) ; key id = 1862 300 RRSIG DNSKEY 5 2 300 20141212121212 ( 20121010101010 516 example.sec. RK/yubKLU0d+bs9z+qzPSNA+mSn+7Q7zDff+ uAzcd4tD0QvVO8jIQaVAxVWOfenQ0tovTzXH 39VuRH52UW0i4a9ylxlq1HFv96f9wsV6wGEb sNGGMebDESHUkfMLIiZzAx7hmjX+YjlrYLEY chOaBsoYc4pEtmWLHSL3Qc7TCxU= ) 300 RRSIG DNSKEY 5 2 300 20141212121212 ( 20121010101010 44427 example.sec. DM9TZSWvwPIKkg2oB7NDRqpDMYGvl3sX3/BZ 2MALATpbDPQqJt+4b2837rjXPR7hP6cGTl0l kjRc/wSqG8scYqQzhcUJ/j76jtFVwwggPycD u0pgzl9h8lvR7pFAEKlQHUz+MXtVs51eq3GQ NgqFVd2Nze717phEJJF0Vpw05jsZzqokl8Ep /Dps27AslVY9vyg8ZNfJ3rgCl/zSsAcuBVfv 22+t0Y/crI76AxhqHIgxjyoQ3Bd2pXKU/1Dn PI9Igw+1TzeKXoGQEHkN3ij+J8dL62EUgR27 RIFl3X4U2snEaznDXZdGd5x0Q1uv6V6+g1T+ rx3gnmitBrDbrhnV4g== ) 300 RRSIG DNSKEY 8 2 300 20141212121212 ( 20121010101010 48381 example.sec. lepL7TovQDjJN5c2g9jMnrOUqljp6qrVjmeG nSTWiTbxItUMzx6nWx+I44u8j9bpUYcPnx9T HZBjOtGTqzDx6eepB0mWoUbqkUsj2dk9r/F5 uSx/I75XeT7vma52K3TLTua5AsYwaXYFOoX0 rXWRS5rlCY4FeK5TZUgfjvLYQAFrvonRtVcW Tk/BdmDkKgvWm2FbJmCBEhQj5q6V8dIXnGPn d/7mRQ0OmnQtqKIMzWhdD9Lpkfda9B6vzmln tvOAUcHMgG9PGrEDAW/pp42douc2u0nDdpaA 0UkIFm60cDmMuDM8TOXZJQ2l6uLQGNiAWrsi z3e/fFbUIkccz2LxVg== ) 300 SPF "v=spf1 a:mail.example.sec -all" 300 RRSIG SPF 5 2 300 20141212121212 ( 20121010101010 516 example.sec. RWs0sDBYmiqAGzP2gfRP0p6BzzPh2XqDpCHZ LsDaCmlZI+XIdJy/dV9jGNwJ7+YWLNA/gIIG NcIj8HElceCzlv14z84hL+8gkvOU90RX/bH0 wIXMQDqo68JwQ+A65V498Hf5ouzKbRitAFu9 zEGiW3TXhWUilqfjFm3H+qoeS/M= ) 300 RRSIG SPF 5 2 300 20141212121212 ( 20121010101010 44427 example.sec. cpiGOZZZsTeROsxC22DEBjuCFs+GZOXwY6Wh le/jrshFrjjANERcA2TrQRFXS+GCxkXb7dI+ ZxnmaSx4uh8PHcJSn3cIJt0rZgPPGX12S0qI vj3iKPG73VHhBXiXC8tq5+mEi3/2u9+HJLCk Lfc3fFJUamhtsElaLsGX76qgnr2brb5bf9D5 avjPRA1mPQdxCb6Sh8iC28bfXQBWdLolNDNO EefhmVLU6H399dMD57mXzuBKWRrC6L+i5vIr KfNKRqodm8AVJybAZImBONQybIkpjMKWNC5z MoNqfYxskZS/W3N1jHAXFush9+MltyevFvxm VWQ14I31At06oQfong== ) 300 RRSIG SPF 8 2 300 20141212121212 ( 20121010101010 48381 example.sec. GILnbrIqzGeuNVHG0GigYP/SKkPvW55L2QYo /Jmd7/DauvShmxW3KWZu1QD2ibJi7evbpysL 4ktJ67dzhfTpWHFsKBPrMTG965iqcckIfWMk 5LPs6hqjvCyTS1qWcCxu7vYsNyp8Dyb1wWgO 5Y4zR0X5MYFVaDOZ3m/td3SFVKTgawkOtiWh 24paSPl+lzbknBaLtaG6TYFS4MTsdlwpApw2 V6s2zSaoKIXQbethxFAqWNUOmxp/Gcyusff/ UKi5NM6DAsrWfuLRkmGD09bWbtf0aPIzTVZT CaQ3Ys71cUBnJbb73qUCO3c9MGxIpJ9SU0wu UIBe5nLshMGnv4voEg== ) a.ns.delegation2.example.sec. 300 IN A 8.8.1.1 delegation3.example.sec. 300 IN NS delegation3.example.sec. 300 A 1.2.9.253 300 NSEC delegation4.example.sec. NS RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. CD0RsskZkRqESk9FFf6Xs6V05y34ogZVMQxb xFTmXwGXFJujPot8Y+r524aHtZ/TMT+5jmZC 272lf5THZa8L6GSmjOXEShEzE/NxK6QPi0A/ 41hyTDLfTdMeS434vEArzjCte8vFi3Gs1lke ALxfuXEPFlqShzRH049QIiKVb7E= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. aA3RBcFysyza0jCN2bN4fRv/K+NTvsseUw1p eM39ciePCxg20JhsGDWIMCqpSz5R3BLPemSg ll+B8CuHMCQPLWcb3vg1WOTpSPjIZxgt97I8 VRfGga9FWxyKk9qohvjVIBKOiROE15OKEnVl 1T5dk2I32BaWKvOxQEbjxYUcnLwPPsostvWQ L6e7vsDpFPh2boW/x7tc9oADCX770TPVtS7d 0Tn6eAganiw2SzgDHsRcOv3Y3PvNCuBxxUla dkOsPk0Aeho6Go50N6Pq5u9P0EXZQuMN9NMp cuwn3kotN0XoYBX5fIXnsEsZceiyCDntsPdf sOXRjg+PmWiM5L/nRw== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. bnK6CJhATrnBj+HNVW55je0rBI2Xsvqfhv/C IFNaesD3eRA5Sq23rZ+kRJuZb7JlndzPKfCt axjm3m/9GGXf0YVUvMp/vRvxgemllQn9ANyh d9KTnEK/L9Fn6KgeT+tti4RkIJB3ok2Yllv7 uYg3IUDKKrDjETppQeoFKuiflHbAnN3s9wta HgF5Q1/jI204i9Ausup4wBjFYpJTx1J2Z0ak zg7zjw5H0fgnKXDGcmT+ErWWMsYYsHMUx6CO qFrqpP1BnRdOBZ43Nt9OTgUQMTJ+fTJwC+pS Qxa9+P87gbXCGoV7vyCiYcla3oB9bP7Hnztc 3gxrjI1G4oUg2GdHbQ== ) delegation2.example.sec. 300 IN NS a.ns.delegation2.example.sec. 300 NSEC delegation3.example.sec. NS RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. fvrYyP2h+pG+7CEEE6CjzruLRi+9yentUTE+ AOxJs41pEs11Uw7MR1wO+TGPxanzJlJwvJCs 9xIBZE4PQta2AKqyAML/s1DeK4a392qPUHrQ 8N7evTS2KoOKH6F7pdXOPv6xOIhm54ufg7tb QSr2Ngn3jQFH+rqQqAQluTNXjys= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. SUDQwaDyaGV0a554BvxUbJzFjh9Jhp6Xr98B /pFXzUvJMcW9gvlAZiWh+Uu+h0w5449aFAFU I3DByimfOIJJG+iPQ8A8I9u5W6goVeeB6WzT QL24+e8vAjLrLCInHxlxAQGgkkX1hhFMceRW +pZyxsS2uBt11jCVM8y8qzVkQE+3gU/DODO8 8a7zd2gNNNJ5RIdigzvPxvVq69FGfl70nRLZ kMBnQQ1Ot/E5KysoprCbEeYSVF3wglFxCmcs QAJQ9Fj9jsTrBO4M3cQFJcB5KjM0BE7+R57c yxg7ZKMMMgqe/ubt9NvFJXQFQfQjSmB/3yR7 Zczk4Z8FScb4NQlAPA== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. ItHnrTkwSbhG9tYZQKAC9XCRmKkt4lSWrXjB fn5Vwm4cf66uVFkj6gHNGapR5w/Vg+snvffp gzAGUsgkLk6+xxbFcGGoeQ/VwflWsDWTtOau XsChTTVnOiQ5vTRhUOmDOHXGk/LF60FaBMBG R8p9kTtFe6sLtstuVvmMw/e7gfJrYMO8IZ1A Wy4rnBTzf1MMKZBpJJM8CAyDq3dzinjgFkA8 /cRwH0+7ODBbEo7r492VOLMzbMWXPBJjs0kR yZeI9lxr1Ah52WIw99mOAWQ6TW/w4RxsP8J2 Xj34MwPmIMR3Qy8sf+yeHeUD4cS0woHOlpyu ButVE7zeuDPgS+Bojg== ) delegation.example.sec. 300 IN NS ns1.example.sec. 300 IN NS ns2.example.sec. 300 DS 60485 5 1 ( 2BB183AF5F22588179A53B0A98631FAD1A29 2118 ) 300 RRSIG DS 5 3 300 20141212121212 ( 20121010101010 516 example.sec. HBXFIbzthhFqFB7YUceWeSHsb3jlbWvhJaqa xqhh4G58Ktbq/eD/ODKJWpTwDsrwK9neYp1P En/ZfvmBZe8jS8SmdTAWt0Ov3yMMN/lk3rEQ vE7xlsCFxk2MvJubUBaTGK8Ixf4mSJBKiew6 2lxjroBoK2AV84tScm2mxTS8GMg= ) 300 RRSIG DS 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. zf2WlfNwFRqt888jC5ORYqgHeMp0TLkO0bWP tPcw/hgyCF+JdqIXuEDyubiqGZD7QQM0xEoO jLprcOG8ZdTMjhW5JXBoyOY4B5MfD1Ucy8Of 4onnUcP4Pfm91xuXr2Rb3RbTDyfqCyJ1fNsA nAh7nOChJmxHJYz9oH0AfQvvClUWd16inwgn XIOdQxDmKkEtdU2u42FwAk6pSiOzR6zbJ1yo lXWeINVxL8TxWjVfq2XIzwXFEkWMftDQjTwH /LX2aueermN2xa5uqOqDVhsLG3PHR3sQMFTL heIY3Vietpxu0LMZgiL2IaNTLWEW+mhCvtmq aaxKq7kSKxjg+VU9pA== ) 300 RRSIG DS 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. RLaaahYnGiGwt0y3MapNhZ1wrmaK4pxp4fMx LgK60SNOGymW6JfnoLIEDLIYG3m8mLVhdEvA nt/5739u2Nu5HN3LQLNeeF4Kcd795Ns+Lggz bte1nVdvj79L4xd+5woTs4FgD+gO0iV/i93n Qy0MlnkNDN1js7VU1ONSb6GZu2ggVO6lY6hl +HeOX+9xIdD7lsJj2UDZWKV0SLLT5kBDxLvs I9ZA/u9tce30uEEpmZIopF0UABHzqZqm4vNs Qcr3jP85Kuw25E47Bpgg9RIirITAooac4jjs qVh/ydgLMzoklcPB3tISSIh0x1iKvnWVevMm aloA6DajwqBSlcA7nA== ) 300 NSEC delegation2.example.sec. NS DS RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. syy7tcQTts42hPpDms1kF92e/4duPtn5wuuS CXMw+C7aIIMEm2EJ5BHtjLfQ5Qh5QRieCgJC S6aT6hr9DXCfmXa1x+Ing97VBoYll1GxNDup xiRR4nXam9d8T9UM7I82L6pV4qF3NSVDGiVN VqW1wTPWEwRtGrrRBOdUvn2KyXI= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. EK6oHG96GEBKuirll3p35bCKrDylDYOj65gc 9G4AwWaayurXBAu4iHZhA3ZjBZXixobktlJL vK+B/KshG5zYwVeKDnqYNMuCxJ9+u2Py7u2x 9uqcQyp5KBF63aPbvS7+Xg6alNsaEKQEwWjc 7J3ZbvMgG4Q4fVR0LO7CeGcX/tlOc1WpBH1m txhACsZk+Qmy78hC++X9EVc3CA/AwLoGvdhe UMpclz6uk/C/ZklNyRH6aRZlJz834wBL1Ziz EskVYIosekKpA0ZCYl/V258dnetBE7lvQ9Nh qE5JngQyOQnM/SGPFwDQAfGcXIlOJWzhug43 EhL6uVCHe05lN072Dg== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. Mq68uAgzCUU9wD1ybPMBlyEFcICEkgLbS2iK ZlvdlYfN2GQeiBznSdg7y+Ss2eXoNfZd8ouT 9FIAEbWoKjg9k1B3/HXVtzW/QsdiLFSepgmL nusgNfgcSIwNbN12g8YMgETNLFnNon8te2Ry SWuSK6tJ8vKPGT9CA4AaF35qnouvAStYplKh EaJ//UGoWLvKxFPCmTP+RAyLgqidOvJTAZmf gLELI+A9SxWI1oB4tKd1Vc2Aq8NbNBx2Z19b cvOQwBuAuiHRmqiRzHPP6jVBBE+pZ/wI4izT c+1oSOo49QSpUUQlLIGGjnXgh3IRV229rSiF 0nPycKu/3BOUo5cxjQ== ) cert.example.sec. 300 IN CERT URI 0 0 ( V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBt YXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0 aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBp biBnZW5lcmFsLg== ) 300 RRSIG CERT 5 3 300 20141212121212 ( 20121010101010 516 example.sec. PdA5ui/NfwgzxQhNBSwqyniuI9QpQedtQqOm 7waMIAXEi4MWEeZurjJwA9ak6EZYHkR2V77Z n6YoD1gXUp9iE2iX50VRLjDMawHVUmovD59P /ArjKvm1msx+dtkgqLAXj4v2If3LLcyzO4s3 8mjrp8phLeGPISo17Fen+xUeaJ8= ) 300 RRSIG CERT 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. qFPPehUwkyZhjdJRqXk9ZMJ5ysPmR83af3hF 91OGr9i2wnC46II2o1sxfgiL5F+jNhOYyUv7 QnJWJn3+iqIomGnCHqSYy3JoGpG/fkZBSwek icxxnvyzEN73tf/EOJ5v9akWPOy2PPyd0L8p xQWJlqF6EZlAuC5a+OAbANZEF94/2YIGsoKg wXy2cwTZ701ujeMzvivyuuJG/rhrOZUXDexs FH/UvREmOLuqyKwelfB64BEJBuk+CuASeabt PE1b86qzs+rU9nm0O2EtUaImRDVJSWXP3x9b VflYJbj9rnzB/4edkLLNuMtcpLvViHb9FRVV XU9PQ7/uGgPyPRdnlg== ) 300 RRSIG CERT 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. Rf95qrkQoPedfcRlD7NfdpGeti7JdKouptkP YtLUrzwhsb4kEvcI0DC+Ua3jhpDhPKCPZfrN VBBhmeAeAIZdn/MT7wMKtChGA4VtgI61jmir 2/K2a2/HFqW1PRwWx8NqgFz77C0PbTpOesim qxsjYCyGJF6HOpKhQ1DBWb1+twt2n3o6lj3d wYBnveKohQBkK3Hl8LklRFjSkbAU0Qj6309h OZI4p+WQrZ34+92ZcgcZ9JLYDv2qXcaj4bOq E5lThX4NLRIjx44fTzrLxW10W7bEXPzgKZAH vKoRC6GHp6hh/xsGdTCX9GPNf6S0YkVzDsaZ ZrXvo2sNO9PmPNuBQg== ) 300 NSEC delegation.example.sec. CERT RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. njMBdqH1BnBZyawcmbUHT5WDDroJDBAwc/S7 YYUAUwoXwrPSRiW2aGYHdAKZCbH1M5wrynoz L4xfEkZlRD+w8m9bN56ydnY2y34RgoRZUq7V 2Pk0n/2P5f0wB/34J3KKkxH8ynxv1Jm8IA8g XY5PuJebRYA8mxXF73/R+NyR25o= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. lOgiQTRHuvOXU2k4XBQ50x693t6Tb5Hz18Lw tjrlZKsXHb86IbqP7pgD9c7GS2ov2RpQBh1q AYsmibLelbjFPppFh8EQz42WqjTL1PM7bunF KQSgd6pea32ewp7RMYfss69A+nsVD8t0HFNP JyzUkIAjM1knIYXGPeHfPBQu4XpOzVeF9783 ADEQs1c2oFAA7R+xmuoQh8jX/JDQJuUKEwHa u84k89GZukCr7pLssqLybZmAYvsH6ajR/NrA Gv4pjGZWz4wy2s5h1mNMkEFqm/qf5RWqsfKw kO40Yr2jfKOfTUrmsQjLdvjqBMzgzp+JnAqw tOzTeEWGtkxb5JVWyg== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. uRSh10E+hDBZH22j8jZqRoLvz/rzQQzcWR8Q /ayzqu+xizpC08tLr7SGBjqlqkFCvhvGoYkT X/C46ItvNtx5YDLMuZMeuxOd9RcaTPeVbhfe TjfQ7Smw3bCEx2PzZvC3urA5Owvi0/JnFvBW +lWGmDTnHxi632QrfEQ1DoL/dJCBkDUCcYRX 4lYqzXXO2vdJo0GrghtIor86jBy7C6nVrLb6 xe+oNfz7aBlXm8JGXTriXKa0LUbX/xu0Rox2 ETgm1G1e3HwfjXxQ+NCrHLUOxHYeq/GDi9NM 9r+jXTD1gNvMpMCTidufsGDpYMwuGEhCSXTr 0q4c+Z8Vv5GyEEb/Gg== ) alias.example.sec. 300 IN DNAME anotherone.sec. 300 RRSIG DNAME 5 3 300 20141212121212 ( 20121010101010 516 example.sec. hN5znng+AmkGWTmle6Vm+xCIEgGtZHOX7wu1 L5tQbdQygpRWAL3AEvI2B7zqOURAokvl9Dqp 2O6JhxtxxH7hTW8wk0ZeL8SAWXGe+Dmw7OYi lnDuO8DahBZmg3rMQHFo7jlWqRB2BYicSAmh 78e9JVIwZE1zsdJBpvFjVgYWWPw= ) 300 RRSIG DNAME 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. lQRMT04a7jSKtyoPyhCoa9cEJU0Psria1SqB fFq4pccSeBTjZcbiXs322ogGc3cmUO/4+YRC 742YEd9/iAiCILrEZXPpCprgymCIqZ2uJxIK Vk2QUNDHOaJOjbZ7U4/g9T9K6LlCqBwsUAuG euur4wDsiuEQPln5T+9hIwjS8Jbhx8jPRs1J QXe+G8zwg733I0GSU7F+IuNhzgt1N6O/8J5y OzLPLdUwLs9ty9B2rbyU2zMySQgiWaD+wSnp bZ5iJLrg192nxIZhaeOZ5Ig4mwk3UdF8baCq UpxAUddSdSLtd402+F/6dQV38mEeez4FOdv8 egjnfq59oLOSiQxA8Q== ) 300 RRSIG DNAME 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. nrFN+doVZOaYEk2HLbNCwBEreN2Z+nB86rfE u5f8Xb99sppDFsSrc5dnsNBsOyzmg3OhjmeN 5vXZ/dOTlaAD1AJwYPUEXZ+SPaF8nFusHib1 kVfcbUSMKaGBIaQJmIBQELL0E5u6Vx85PwwP gfujuUSs29VoDmXkRj2978PVihb7U1mX9fjw az0ZYmbMDKzlKEYKYEz7PnDIvl1HBmYxSZlx HLLLeImzszHMJMdzeH7wSmH+INj69bPpNREn SO1F1AJvFW5vjHtoa692Ggk8kUyYJhRFMNDV 1JDTQxNeEikvp5glE3ywPKRRVxVDWCXVFgJP m67Q3r6pfzRQbP9obA== ) 300 NSEC cert.example.sec. DNAME RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. arLwaxZ/s64IufkYQljXb1V49hgVY6aOA/4G CrFOB4KO/eEaHiinFBuXznKlE9ePiKKtGsbm ALz4gP/zeUEsYuDYbuFAYixWvhHG4wDMKF3y V3Hfxeue3PYulOreyPuRriK24sZJDhy7LVN3 Ps/z1TWJ+HWnMDeprU2qjj223YM= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. ew74MRufBg6jYSbb/cDx3f6kVpPxD7lfzp0G kPVIsgqaRARFbl4cLQIUCaAhRIIjwR0G56gl 2EqrjXKWr2hBDIsvhX8Pgdom5j4vGC1TS0wI 0YMrfuyuviNXnutdyxKqEPhgtnUa327/suTX Z/aoQoe4Um+EI7AFBpVuHdAYxgYF3qiDCNqO nzNxQCuW/Tx0NzocmRHxw3sl/MRknbQvKUgi 1inJQizjxtncLdjNPxn4UoJcb+QUE55letYO TuIDyaBc9kuPnT4l/1GsnbZuODDAiRI/f565 h3dw18WeoaDk7sJKdiGZISt9hj99ARrGgpn9 u1w4JRpoO6rXpgXopQ== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. Xzl+kKu9k2pjKyeg9hz06MD5ItGIt9SkWHf4 fXcNtSQ+GabNVNtSlCPbaIRycHSLf6/AluJe SSijB/dEaSSnPogAATefm6NlgF6Tc9NjRM6S dz0s1sFNP8pnGP89JSA6HTk/13hcAbIhkXUg aWMUpmTn78+g7LnzGmnCPTsEKr65x0IETfsh 06/0zjZJXLOmNr270cuj11SHNtEr5Y6qw0v+ FzSeWn5GySsgShj+q0ZZY7OJmdQFjW3j5ic5 YpHwaHGq8Fv/VoTiKUjE+Or7cZFW5nFkA2L9 KYR9z2bXY4uteKxU+VfpIn8+BGtnTBR+LE2k y8/ie58TOaga3W3yWQ== ) ghost.example.sec. 300 IN NS ns1.example.sec. 300 IN NS ns2.example.sec. 300 DS 50458 12 3 ( 2E40B2A6CCD2760EC70AF69D1C144064C893 1E53A6B3EEE78BDB9E0BAFBB9C02 ) 300 RRSIG DS 5 3 300 20141212121212 ( 20121010101010 516 example.sec. dbS4zOt4yPFQz+tp6SmfVPSgWF1bSkJBVq5b y13h2bZayms064FdTJmdGNErN29VVnZXiaFe 1gf7kmSdR2YLYoI2U740DD01NUC+3eH/E3cu IWmjQKkwhB9Iwe8UaX7jqaG00bxNaTJpb/Cq +zMy2gjMcG7KvQvuQ6SPzdmCUC8= ) 300 RRSIG DS 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. DsjOIOocYhuHZJWNijzIj02FOxQPXFlaUhPM u9hBsWEOA2CFyuAdpshG9EQJa4jISUT3Setz 9RZA5UZAV7/ERHsLdDKAZez+j5v2d/MqwiNA d6SdhSUWlZqPUMQluM81RfMCzqYbcNE5sw+N 0MzzBQz2iHdO2+tJ8Tvg+4ek0aaCAIJ+IrRT f7wiWgiUmiMkWTjjkuFxGtOKotTZp+W64KuW yEbt0ApmpahDlwSUKruXs76FVZPk9OLRM9zQ agLs4pVKpwP8OK3KUVUiR16W25JrycEd4TKU IuDAuodR0SRrXatBj3X/Qm63CT4gjQf3F/Ga nLDeZKDi7aL+86qPzw== ) 300 RRSIG DS 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. Ske9cNhh15n9cJxkozsENJtlTgnEPDIi/7Hx Q3nj3UPSx24JTiTHdddQAcFwmnDj2qVuVyoG sDq4GBdj20soTcP6+cGrQ8ELokXwZoQ8ddGy uaJnkqh4JBcSXNCv3OoimAj/tVxse9zjpFgl d9c/C2LF7/4rEtflLybmgLmlFwVVsDUCpQ9X S+Btx+fgQNvpK6BbeVaDEr57X9ysLBy6UxJM mXyV6/oDEcK/8enhqTIiExOi40yhx2woQRMy X4szYS/jwLrS/yUrUrtbpcOHwpW/ISqDFCuC LWqEfQtPAr6U/H3SXs73++cMAoBuEdbeRUcq OSZMxNY8m4uZvC2EOg== ) 300 NSEC jumphost.example.sec. NS DS RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. jcw7VqEW7YR70DJAV+oYAKxSHQ9H5vQBLve8 zcW1dge1L/EQppk5I0zRj7yr8f7pTrm7IhNn aPv0YbFGRGQJI6w0a/xVr965LyQt/LNyp56g UwLO07msGUvxr9br2bsYb+lI5esjmUeI38K/ GkO77+5iWuv4WcSfx3X0KtfKyRU= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. KDx7V+aqRbzoDaY7QB7PTsuH4IrtBimwJsfx Oth/fSUdmFfPpByVmY+Zln6HzAcCDMAapKEA D9QV9f8qPssd8uQpAVKylqfSRcYHkZzeGvvA ho4bmrNPz2wQEz9XFvB0hXJ8YI89a55HYN/s TzdNmGtK0WVZO/6A6nALCB96r5FMLTEhdn7s 8iLV1k1DojkWkD44Bojj3Vkq6r6o21h2FVHd /lOjUQSjEwQvt/1ctI7bJMHnFvMewVCt/oQO gu7oQijwsyFMGJZl7FDmIQXRLxywHhrTkysH d05krTNL7A1K6y+GFdw7/Zv2kfqrrVSyRoxH XF8zxi588nrfOuqcRA== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. Cao7WSRgcLLlQRSTUCB+1AMcfTpkzLAVqs1U zfz3o6xQHr4Eb6THmF29W4xEx5sYMC+9yLws sppmbfTRVISRXZe5MoajC8DWBC0lqEbQjMPM MG2xZ4kinEGPvzM7Xx5TFejV/n3yMRFm7QHp LBIB3pIfgXWMvpLNINCChUVdwBMXJ8vopULk rdTJ0ZMtnwO0iMo4W7YmgiWqCD4f8i8+6MWG 4WUFvsitaogroKkvOJgj5hxEL6OXLyAWNgfX lxF2jBpK+tLCJb8cTe91slIOkus83rCxVmAP wjwt57GQrn8REiw2bbfeXc+kZzoPC8ud7Hlz eOYtpW+EfZQhwqXyoQ== ) delegation4.example.sec. 300 IN NS delegation4.example.sec. 300 AAAA 2001:2010:1::feef 300 NSEC ghost.example.sec. NS RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. ck530M3oNpf6MB6IOEKlAG31GUvfMGvrnmvL mc3gFj4YkH4cr/Mue35C34JsOITZ4eCAr1qm 90I1ZZFirtznpK+XSoJ2OmpljD7ukp1v4fkr xcBi4DRVN33O9NvMGo5ByOq83y5Sr5DIZn5B K1xnLIeGNYNiNabKbvYsL63GNBw= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. KvynUaRjew0Llu0ir/Dae+y39m4n2hiFGEld U9/ka9ebYwbULECDoZlppm+1VQ7aPfyEtm/1 MulIQHWplHwjxGw10nk71XTLgeiSUsVYCdDN qK0dC5mJ/xnkaNgR7Q//e4YSg8Z7aVGojkh5 ewXCyVzqg+hLSWWe2TSQV5CeakjBkTmew8hS Ugg0vRepRtZ+VdFa6A3RX3/35Kj5YE1x+QiO RKpM6oIaeinSpNcJgOKAUIfsm0rMlGqYwun4 GqDJi+X3rqKmg3ooVNXjq6FqQr8hxtPkO52f mHQxeGyOczc6odQGMMrlpEEroTmcOLP+r25h zFicoZjtVpMCk3Im/w== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. u9kemCEEjLcWoyHLMgQiMESYDWJJosTnqbxR p/0wjbjjtcDCxheIMq1QVzgiM1dlEJhyGgry en4VD0ap+RAMP2LRTudtoTogAEGb6OuFYOM9 IBV8tYkq8AXAKKQeQ0HDiveQFC2Af66XJbZu ioTdNy9uJyPHSVQK1FPwyHrMpDkkMyc2pmJo T0qUGMHTZCDX/JcRkA/tuKpftpkaZq70/edG oK9ZRF3ke4YnrW8RiwUp64dSmzAWqth2ht0v W1BmNAoR/oCdBMmMYzPJxNDjJ1BDaZiNUH49 I19wMnvrFdYVz6VP5o/TfJ3wLyejKUMAQi0H AJcNAWb7T6czVkIXIw== ) sec-10.example.sec. 300 IN IPSECKEY ( 10 1 0 192.168.1.10 ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. JzUbP5RijuruLZs7gOepWRrnChCfEGad6nPE np1kuc5cf1z1FpPDntbxYzgLeyc2sY3PDZ/j 35OWKuE9zNR/M+uqA29ehZMqegYPcJZYIFD7 bPOpacCiwnoB2OYa4y8FKhWIrrLMtUKoYHRA yKuAiduwr/7ndJXLsW348vbyKRc= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. LbM/he+aYiOZUenKh0WA64OJaljec26uvxYf PS+NCp3Oe01KlRTvl1odasz+BO7hs2qo/IzK YezdKU6xyxnP20yqxmOaeQ52S7QNCQciKZm+ YcFfmmrYMMylC8ca4RRzH/lhzM37PSOixCk+ 3vUI0jfH/tnYpX0pWKTiU0cw1+yGqbY6yf6Z KEdTVyLR/x84XFkvEHumDMPLfYwDk1qkpNhC MqmSPqeRUHrui3DXUv2uhOn9McudB655IF0Q gEbAKFRZW8/ey+rp1YByJKJp0jlbewBBwKf4 LKTRk+1N0V0QYkObd5zkA0JnjYoLqjit7ckV wi7HwkcgQzBJ3scTBA== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. WMRM2N9um8rfzVrZDZlZpv4KWRf1unIS/99G WCyG2RjWGwMSEmOQ3BUaMKGIsd/2qyp8iUf/ NMLxu4L4KnkCbsh0tIujdfh3Y4NhhTLsI/CQ CbCJ3PBuAqEsQsBMtbQr6gPAVAqIdQRUGVf2 PTQWOoQ9iQVdHDoVUDrfWQjhvv9f0gov5VPQ M74urfDVM4IqSm6VInygAG1i8jNsZBHOLjgQ Xt1e97mkSbs3ZAqKUcIdDSzwem+HYo8dH9fG BiciNg1uR3gqis9mJ6mgYcWD1dielZ3113gx qd+s4+ZTVKEk79MP41RupkCjC7/lVT7mtKWM +3hnz+R7kkZVwuatFw== ) 300 NSEC sec-11.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. tW2EHpJUeVBFWDDrFkXykskPkxFOY4BQY4K1 TKJKN7Q0b+Tkdfy7q7aQSfd1oISzZn0w5crz 0HGaTJzZKx2iMYK9E6HVH/FysCRge/p5lfpo +Y31X2ldA1al8TtjVCpXqh2hyJvkP5+gD0a5 BXhB3s/q0FkdEmM23SfGK4XqPwM= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. 0adnfzBJLo+kwjkPR9xFCAyY0J8EFzHgVYbg bob4jNAZpKEBpCIWivxlTGzN6gb49eWLefgy CdujmqzRwUCf2fXESYp4R0hLq8gVPbOF087/ 4cwajOTeDLGVo9OlQA/MF5hrya4DCDNC/wiB Mp1jFDDd3rPQIhVRW55UUAUcK67SazvxSSGB Tnca4Y/q7mXOV224n6E/m6n7drmL17A/rr/3 fJaMH9b9JOSK65k2eqSCbWBaLFt1uYqGJC4M 0bs+QWc4oXV2985AsZNqShtGnNKgEJzKDZDq h0zCspnlt1JgxzpQukXwrS9CbAYYlgRD4BvR 1i1P6OSSAT6XoJfkew== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. aIbGlRGSMBzpR3ZJDGHbbCjVFVUAoVSUjHLH Tssbx4zGbRQ+V7agcRsRznYgDxgzuhgiWjOA rYvjnXDXWGFx0HzWjQ+CbHouuF69eWJdHyUe RFPzZ/dzKLlo4ucrX1awAf+3DcreTuWe0KcA 33ptJSJGvYILxwOoKpnVk6iymlVpkw1jPQP6 Q7hAD5A9W8z7hXn5tu4qknqU9BjwekkIqm8V 1eoIkGqHogWQs86aFMgeNAHvmklBgSwzcLc+ NHI96eqzfvqkS03MtdKyldUjq9WiCRlLIBbc 2Ra5fHN4dEEaYIUCu6tMhUwNQSjgev+a3WU7 DLivnEX79tIEEyS5bQ== ) sec-11.example.sec. 300 IN IPSECKEY ( 10 1 1 192.168.1.11 AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. EnEg1ej/+kvQzICpJiLxQG8cQ9/cIR+6R1oB aFIPxhIdoqWAvLGjAbZsgxajFsTK3nLrZ4V4 AknNa72DRIBsQ6CvLK+UHQU4nGnHg4933/zD OW7CAXg0dEUYUReiKxukUjJcGQvs7zL9tyq/ 1vk7gGxrNaR5hHurD9kpmwQB9Xs= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. NTVi/tlizek1k2PbjlpU5aPI0U0c+zLsFHsM Kce2FHauoGuItfoRXRDryYw6hJ1xAdqhh657 SCsMYCXOfzmU6qsstKpTCMH+cM5TzuVzyIYL gmiA+y7qq68LVdArrb0ht762RpQZ8RrU/4MI YJKX4cqvqXvqHtenBXeqtsklZc9fuQCH2OKu wUxLNoXuv08FVEXGQb5BV3Pp8JjoTD7z/SL+ qicgqSQkyO+TdUOQjtQIC0yRaUw2evvh46cC pXc5uXRMukdMU7neSI7MMFoeDYTLip5xas2D oeecHXrqC3PWGgP8mrnOT7s8ztNZ3BtU42XP hx+ZYqumRqu6+zVtVw== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. UKuKZlAvsrmOd2k9PdEwz5x3TlVazEmfZEts iV4z7nhKECj0LFE0YjC9dVWXQrJ451ulpMhO RPWd1lKpJkx3rPWxphsFrP96cx+MnUOSaCxE FoeSNHc8ODtXBU8CR2oXQwMAHOABpfE0M7d+ laGQBtEj/izMuNwSVGNd9TAHv+v/1zARaz6n 0owOBRoXvszAvKkyEHvV/8LZMJ+aMZLvJmCj vb0E6Szky2dBgBKO3JEk73Avb6GLtxo1s6WL s8lYmQxpOlqY4pJi9jqCB5PeNa6BQbRbIyFh 6nIPgi/QT64MTPRzI12wcvqLDJczgtD23K78 hBDZRe5WoJHE7bnMbA== ) 300 NSEC sec-12.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. ehNmR/L+tbSda5bN5mTUfSqUMd/OL66QnwXO v/m8msSR8bfEs2xVqkrWTVgXkw5C+UBBU+3b 2hfcsvseeaKxeOSiaS0zNNDTNLmK5AHE7r0l f4bo2QeCjcWr7BlToPUeqMCKoMNO0dQH374v VEFH2EKCLM1g+CF7bFhM33//sTQ= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. YuvKjeXvCexLL0JicGPIaKEo1PwTr+oS4p4w LuqZ0neZosi5dpelpmT0Jn5ZXJNstCS72cRZ 93DyIdvUNcgf10razoOsPPRnRMAMM0iGRN/7 JQu53DGHV8xHoRleyddNcre9/XHK/HYGAEbo w4cFlnzwxTtNLfx1tv3qEVjEIBSLxiZDDj1s VnfP/YHYhTxSQliakrrnKKKWe6fx4NMptJrp O6YMXD21vlajzqtt1aA4m8mIAMSNkNRcbTVf Dw2DJEe31agigtBRFZPICiZrq8YcH69rn5V7 rOy+InUYTozL8XOUTThiOvAE3gZqAB3J73PN LSACnFRq1Ntt3mqdNw== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. EJfIAFT8ihSZXxRlLLV/0vJ8S5P3ml/97dNW Loy2ifAL3+r1qVFIf8ZOGomN6ZF98OK4M1Cu Rk8TrXbplE4CiQFF7+vWwSes4NtcSMTJTA3Q V9Ehk/zjiEgrvUl8o6IEbMo6Li9Neo+/SKCw A+GmSmq8mr1QGbKmPuwgmpSkij6SDN//xuCw x2AMDppwnKahVYeeA/fn5d2Ja2KhEwoxkM9X GGVdPBKxdG6r25v5xImows4AWqDiJysBjT9P XrhA+7IEzh1oujMimZ4nV/f0h7rknxaGgkjr 9pweheUpI0xb2qGVf9+it36fHSJL7Y7BvFP/ H72Cci1DGCXAaZ38uQ== ) mail.example.sec. 300 IN A 2.3.4.5 300 RRSIG A 5 3 300 20141212121212 ( 20121010101010 516 example.sec. j3or3OPRZZcy93VY/A9mWcZkPxqi/NcPz52a X5jPjXoHVcpwM6/SbQmnkjv8H3PdfVaWwW7/ KOD2GOMEudZC/E1LiA09IGDtMR1Sz+7Ythq2 uGQ3JPlWAmFq7sWegWVSpIDeOKRuJN91/Y5F olyY0WTYk9LZu5Jhjp1YcD8FoxE= ) 300 RRSIG A 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. brufiALVyphNdDEA4NLWVi9iQUVEB63Af+Ro 2uig2q22XPTUOBLg1hrNJDUkdczG8vCUBBC6 ZKiCQ/z6d7cm2gBTrFBZZs+OzRKZjZDY5mfL wz0JJ6pH9befaznow5RUGOA9qvf6k8Ob0yWM /JWfN99n0e/RJxBqQeo82tYW23/O/RVinmZx TmabPHJYybSzlNAd6yBFgzqz/Rm5Qqz03re/ tghkgALM/H77NoWKzO79l4wChQqPrG5XNV29 TKQ9+p6tR/9HxR2SPeMHhBCQSR9WHcaZp4Wk jYXD1Bo8fnz0dka5D+R6nKCuT+TfuUezQmjK sJKM6/tRBryilBBMRQ== ) 300 RRSIG A 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. AhsXyz+TztaueevZHV3V1YC8kMsz1VisZ8Ja T4/LtB+ZaJYGgSqT66AovcGivXfhv73lM6cw Kp1VnlvBhr4f30sPkXuOsC80KSLAvsLp6yCS QnSMLT6XVCNgZwLc5WPpsOthAOjhNxiNbPz6 O+odMa/rW/EooC504a83KJkcLvvX1okacSG7 ljnVqtO1XCFozTi5aImXf3dO7+AzK/6Dl0Wi Os3bme2jb9gPuyjwtIYbC3ej6IwDYJ0upV6l G6ibkUWEPTQgoRPa5opBOod3vHd6sEEqr9V2 4pRuK9k17NujJrcgmPtI4Vhqmfy2eQmp29TY dgftgmEdr810yDlAFg== ) 300 NSEC _25._tcp.mail.example.sec. A RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. SFFAGKi+qM26llKMe4ePNYY7lXsqkbP2+pXd 6jCc1ID9R7QOGQlV9LqO5rsEUkWSXUEUg8hZ Z2R58go6jHpGIDltduVZ67ltG+jRqQM0VlAs EGVBkqlF5k9PHVHg0O5OF/6pIi341EvOYodF CF/9Ywwx+N9K6kquU2M4A1Hz+UU= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. ESaQbBc7BRAfQS0eqqjo8GHZs+D3UuEiah7T c24iuLvUODcZUCsabvxXReJBaVxX8eATuhdi chpLnjJKbqDM6/00lmMtnJD989d620L0Zbcn GhqEzOv/5sqCXZ1cdu3Og3Vm6UsN99xfEDcZ /FVEjAQqraDo0Lj/pDgmkpHX5gPEHR5l1bal JO6BWuHRmgr7t0HE6j+Sq3OFRnfGGlOAgMmJ BYZHOGrHKNgo8d4ToeGKY+Liw2+3+n2iFwQ3 u99v5E1jycps8gKWavQjfZ915LKkCmPljbSr SwMU5UBNvw+q/Amu4GafHOpJjMwxnnvIROER utFLORV0YcNBv2oKKg== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. Cgv9JsUZJziHfWwMWuHkcUgDcNWj5zEZZoDZ UbHZ5MGb/yRSaq9Ps2NT7yzWbTtKkHx4K/Kr kzVOWyRshHyHbzzRwmbC7tr6sTKJEsxZCoTd DtLf+V2xrQECP4oI012Pxcg27l4BnK/Hu2Or WYoPsZIWKcmd3NfDgBZW1M2/plhex4dIzXR/ 886+vjAjRCT2Its4ZD6IAexVhJsSQiej2SLm 0D7O+LAFlAs/NWYV8uwHVGslSb0QzB0Y9Ui9 O6UtL9ggc9Gz5I9S/mO4pbE+POqBInTk8kju BsJxi0ZcdxEg4Mg9ZYIFBO5BkeQZ/9c4Oi6k sg1GY4dE7xU6RB2eSw== ) sec-02.example.sec. 300 IN IPSECKEY ( 10 0 2 . AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. srEElTd1pqezDk4QXaxCDonm3SDN2vSLfSV2 51LzIcLuWaAP8uLydQfk5j/EclOLq1RRpcNS QqGpH6pibLFEP17dzqBbPj/lpu3FC62u9mLE 3WIQm1rb//yX623M2pLmMLnXLdbXiDISwX/N 27brQ8xtg09uLo9NbIYX9CtA6+I= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. SR/yF8wfPQwjqtzJF+XmZ+06sUz7drIUyCcJ 03iBBq65kMEMlglSf8qVboaCY2H7X0E3cNfs Jioc0uxmRbhMZrChMrPY4PR5eKQ+BP4GENLp SnBUAWeBGmPhfK0vwXuj9Pp6AgHrCZcgYxM7 AtZemWm07+BqiWwQWM1e9hy4BMjH8yCyTCAq a1y7KtYXWcAvs6YRgrI8GPMwDtI4E1JDBUR6 VN3aSFFfSXLGSO/Xt1ogVWeAMIifzm8at7xh OmHkkOJmw58lMRceaKH4DiNwgMe3Wn7d0wgO BHhh1awLYLXibzHDeH2WbfK83lMbPRPs6Ajh EJigKAIYWDGebUi7mQ== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. TWykLOTIRHVZaU/h4nnrfHWBE11dbknXM5Jj LWtXv1Eb6Z6r+b31uQCJDItjr+t6PotEDx3U c5yNnD1L+4REoWsTxdGj1J6rS+QE7h25kyBn FBD2y8X/c8NjqJy3zfYw7LOALrC11IaI03iH SpS4P62+B9mQa/QG7WFc0N9Bjr7QrcW9QI3r AGiu33yQ3BGx3sBXFFiGRxq+N4hGHx/LpUJU DW85qFE7Omq2Zd7kaLUkuo45fiwV9P/54G3e MvwHOmTjucJOZraKKoNibsyX0KtC9WROTgnf OwaWBFjR3xILtHOphvgjcDDU8Jj4Cbgo9Br8 USMYDy2MWtYapSuAuw== ) 300 NSEC sec-10.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. s1KV6YbHSHFljDxAM+N0yWIbqBc3bV2nBEEw c7i3dLQgVALjyqItuthZNgI5AB8lBgcFstNR uM1+Lp8lS02lv0lQRu5fXzaeieg8l7LM4Cdj uRLhqdVZEzYuiCS4ZojnRjwzDTigF5ckXbMa g3Z1/x/WFcGhlBhwktrOVJXaJpQ= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. HD0pNArh0/sVcgLhfaJagHVPJ8+v7HMwmwE0 KrzvDBrRBKmcQOfZ1KK7JaJfv6lHdkHYizxm gkJFcSj0b+gHNZGi1S9la8M0967noVZoZjjX rY1F+VcxTq5LUu+IQVyMoY6hd8twvNK5LSPN zt51UKm9BB8yNrKwOQi0fYz0M4dYC3x/5Mij QiBMZrdUj7DjNP/mYpse3TOMip8ISKeEFEZe 7m6g01mjc3yPlsl+yNyRRdwXTv3HExGo0pGL JRio9dt600BP23yI4d/QPiLPOAiQ8lpNMrVu MsVqS/clsOg4fJMLLie2lqmGPjnJCkx9CUbS AFaOKXHgPwfRWj3vNA== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. ZOjgqUmmAgf+Q2dCVvoEhEGMOpQ6BYV9NkQg kJTY/b7sk3lolOH4D2sPNeJPXEn9IwWx2HVH 5ou9paYj9Bn3CffUPaEDBh5eX+1wiQKiv8SN FTVOYFds38i85PplVu8liY05P9eic8kXNoC5 clK3c8wWKZNtcewhJn+bH1YvSbJ+4qWgzSXi NSKXo+wFElkh+IJDLJXjxPe4f0tKPGA55j0Q 1/uTGoOW/1Igeb4zm2q3fLtsxn4bNwDdVbG6 /mQRjNm8X280bzzaIofdF00nXxpigOHwFLll Fh3OcZ/73IQlGUB/ZNljzjjI47aWWMilcEcZ 1JfN6sYJMPWWLiFoxw== ) sec-20.example.sec. 300 IN IPSECKEY ( 10 2 0 2001:2010:1::20 ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. qJHEWMPK9AnL64sEGYj2CNF10HQWeTFdV4IU hU6O1/z9U4PVOIKmJNE71avxoKOSRBIfAB1f yR6BK3HBHcqsIB0GpGlsau9NQHHCYYDdypFX KlkgH0GR/vEnhTlkEO1KPK06fpx6C68Gr0dL 4B+vf+S0I6KbXnP10Cj6u0mO63I= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. t6PoSUCO18D6svanlBKJhl811aei9SkFRuND RM+DV7hvdeWLIY7/qgZnlxIRD6m/Rzta41Is 3H8NFLXkIUrB+V/CpXMMN8PWiSgrsoh6Ovb0 K5EWOiEjZbh9TxMhgQzDBwwU7M7wXnUssWWY IVpWiEKvqGqKj9SCdV+Guig3SSt6yR16kRJL +63OJW59tA4/TSdyywTVfu3abQzZe1akZz7y cRkgwb204NAJCSLnU0AG9Ss5ic5Zzc3+ps6a Q4dv/7a1YLnvzTWf/WxeWy3V+naEVS9SOG83 3qqydc5VVI9dTM7dgUm+Gv0cf3JM+JXehYGK OkQUj5A0OQYk9XizTA== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. Ts3gkpxjiQ4DT0TxAPaYjCWfVyVg5a2QErWP YAd+8go4QDLmMz2hzg+ANapHzuht6LRNaaTU gQlhbT5xKrgBSwcu6WRyWx5YHrR1FaMoH8DN eq8xpzm+81A6TVpMWfzWYBd5YY2itftkiinq ke+QFp8rRtnN9ORY5G6jn0FOIzV5fHBiaxg/ oSVbR/Da2OP3XZlDxpzrijXJOCOkn8ROw1MM o8o7V1XH0HpU9sFrT+gb8wp3fg02IgfBKxLW WM7ytoZ8comdKy5HA5WzypVY7rRx49H0fVWb 3Lokqe1tubWBQeeJBVytDIgKMwyOETX2kAW3 SG2JJuT1qGSN5UAtog== ) 300 NSEC sec-21.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. oj0HO+ZcjJeWeNJkf4R9kYx570wwEW9BKOJj Pf7lSydkpCusVfIlS69BBoBDEVKClw0Aofq0 h0KEQclUX7gj5rR0lWHJISHAA/70a2DJqRvB W3ItQ7RLen1q8zMGs7LyfNXPjrQjdrwZ80Zv s+tDaKtZVOUMG8XIIv8thbWarWQ= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. KJmUYgivZf5BE9CmPLcNAIfqRCkKhNbtUTuP vnc7hgEK/ifUBwGSUIlvwg72UuTZcd2TSykZ MUFfhWbBqcR4ejzye1IQaYEiNPW342zLnsaw rqzYENZOMkXSAV2fJo9NrNfh9tTqijtKKqy1 5fEhpz4mxecFakCmnWnqXPfsCujQ9a5qvbeg kUrBeto33SH5SG6SEnLqXlHNDc8VLLhETFzZ Ym9LFz5m9zcd5hlETjou6xCFhoXSxg/vfqQd joJmc7/YDGjaA+v2C6xIfPMgDke2BchoYN5V 3ylTQP96cuPb9OdgvgdS5VVnXhHjoxRCWjHg 7fjWU6QgASdP+1GkPw== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. ZxY4LUFxLnczFLHPP805TWHIkwE8PREHMEBf OAXV/F3LN5LRoG+m43ze+SelcuUkOa8JZWhO 5SYdLyV8yzpchrmX/+/uKfX0cS8meg7DwOpv s1vrfIxGhGGHagF/aSAlJx/chpTaS2iRLaUX AMasPRKnFaF5Hyi6mCjbA55wMn53l2xT/KEs dOqXqNr+oSE2BW1cnJv233K/J9kpS9mMeETV T6KfgEUMhyYH6lbGFmplhUxFlS/7eSWh05SF W7OMJv8oKMTZSp4EDqdEr/tc5dRwlV4RJk5C IGf6Gmk/SCkLrLzouLOBQGks9J31Ci7wE4ja mlcQ4CHD4osm+MCRDg== ) _25._tcp.mail.example.sec. 300 IN NSEC ns1.example.sec. RRSIG NSEC TLSA 300 RRSIG NSEC 5 5 300 20141212121212 ( 20121010101010 516 example.sec. GZUj441s800Vb4C0mUVvQfuEtkn6fhZ8+78Z O+nVsn/EcKBhJ3+qLomFDopFGIedDMDN0bfw 0DLFkZGlMJlYIOxhBDEmonbmmiFNiuotzlI7 7bBBWc881/qgSVVVP5BkZkZzCOgn/Er41aiO AZOXRlgIeGYjZ9OZKIMqtPnVTbY= ) 300 RRSIG NSEC 5 5 300 20141212121212 ( 20121010101010 44427 example.sec. T2KQtM2CUU8g1ylwdjMsIx7e2WI/j2qA/45o DMDnSlqGNpFMFgn4l4/5wJQALE+cskBFPx2w UTZC4W3qXBhrF/QJSW56HU0gYEq/bA7Yw3Bw T6ClJho2693XTBZDwu3j/BP21LExqNK0nQZ9 z074CiXUm1pTimc3K8wmrEBNT5G3dKOztd21 ktretO7gOFDkLLCHpvweWox6zpsUdMXqC5vV 0g4ibDzNOej28As13dtLc+7qrOphmIRYi0Gj +4WsCtiT48ybKfM9Xq4UsspxQg8fE3ztGfJy aKeIpW3GHehgu3Ja78udKUpGHKl9cIN8qL+8 x5g1nx8TjwrCSp38jQ== ) 300 RRSIG NSEC 8 5 300 20141212121212 ( 20121010101010 48381 example.sec. zK9ePGE0f6NcsUsrRWA73otHTWfD8uzY0yBY vlmYoQtbc5FtnHLUYb6I4xoqYL3C2ILbpvcC pUQxZ5daykW8mHd1iJXEsnPogqr0WBDyGOQf ad44CCcNiJ1C0Wtk3Mn44Qe4rQE7zpZ42+MM 1kBTMFF+dZ/1Ud+QbK9u1gAVagsutJZ2CmmE s+heNr2TEaED+FpUUbNdCw/Fd9Mk+I3OWFVG xrMr8Uh9g9W+d4iCVqgQ/iohGIwNBMTEsePe +odNGQBDgl9GTv2PpgMXETtcy5wDkTwan2/j 1DOqYiOdu4BPieVwPTfRWC1VrqI0XzQp91nV DoWdbSntdVtQBt9yWg== ) 300 TLSA 3 0 0 ( 30820307308201EFA003020102020123 ) 300 RRSIG TLSA 5 5 300 20141212121212 ( 20121010101010 516 example.sec. onpENNKVruacKg+VOesbEGIffNGUJlOyPqyI gZ1F4A/qLhyYCMqnkNOQSOYXDeYTCqB/UCn7 OzJIObaOmm5osmxlHlIALUzP2LQSnRr6qt1z aipTHTzmVAefB39lBgSXmsEI1xvJ9/6tnwUM EBz4oYroKxKkJjAGt/I24WOoSjg= ) 300 RRSIG TLSA 5 5 300 20141212121212 ( 20121010101010 44427 example.sec. kZKszgG8KVjZNdhfWIITRr0Z7Q20RPTNrrBZ b3Q1WXdRxAXK3w9UAcOmb7Yg6m+1y1arrmDQ 1MuestqGpHmJntvH4rnEtz8F4BsdxX8q2Cr0 fZ4ZzGNuH7F//0jkeSlNFPLZN9uHgQxQ0vaj flGcgB0r3B36DomI6uj2vMGN0f8CS53o04+B tJaqdbmR8BrRDP1KIWe968tq01yhPtrZqtYe +WXy9bJv76fb6N0s4Ak6RZ9vH0vjik+BsblL YIF8A1MV5kSDMzCqU4eoUvxHhc87XCUa/aC+ sxA11oyPhMJhY8mZeqZ2xJ84myPSiNGSEEhq OIsDfIdbQFHOCB4Qmg== ) 300 RRSIG TLSA 8 5 300 20141212121212 ( 20121010101010 48381 example.sec. IH5582QvSgX9COm/HqiI1bUu8XNew1RMdjXE leb05YrZIZ+eqoGbHOg41eCAjy830wu7qoXw yXoXDDGt3bYxYAgKAGIQryYT0rNXDOuSeZam /SFkd5EQmslbouQD1SMAQQ6ok331lgkIuUMq vbWxUv3gl38c65dEeP/hqsSgvN6U6INDuzeR tLLt5uvwC8XPBGI8O/0h39+x1GIaNpcR0mbq Gvw9arZtvQmaGwu7TQyKyctyXNWhWUNEL+1R TcIwbCxUbPQswgH8OZrazjs82WuPgSkdk8Vr bfQNXl+4ZZWp35Ah3zxCeRbrt0RspF2Vh1tN KhhMBu46kqIpDunK6Q== ) public.example.sec. 300 IN HINFO "i386" "FreeBSD" 300 RRSIG HINFO 5 3 300 20141212121212 ( 20121010101010 516 example.sec. uEfwWvVJN3COlaXZ4oM6PRnyLApSeLFyJOKf 9t1+Ds9dTTWg/6THtVRLYwMwd6MJduAKXNFS W8NgAv4el2gboXSGZSRFGkKDjZU/S6nLopvI MkCeYYQuN9w3/bvR/xHB8UJcaPopzFl4t+IG EKmKnFq6GEJOuq88Vr7VhRXxOpY= ) 300 RRSIG HINFO 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. p1RR/HJNu5mNCIDPE0JaJz8V6PgR3IGBF3mI aq/FuMlFVEuJ/CQnk6lzpRjI35WAtZpfYUl/ Vdj6WvTetDa49imIAn7zdM9pQ0LU1sZHKQ5z m2JdU/r/fmK8QExPYCLhPEMPDTGqOFRrz6up XiFGlmp3YA8pKxNbx69rfYELUsYbjA6+qwTQ AaBNtcSb1l2AdS4w7bedmdzgy/rAcLljbj6f hM2CLIoDmoIz3zO20PQ3g5l/ScSL+zZUW1NS uOec9dzMhiNdNzdqV9fImpySkbfjdvydFu5Z E5I3yrmNC+iTkB1ZeA4WgMSTQIOwuCo0tdup eWp96pY5cRdo4LC1ww== ) 300 RRSIG HINFO 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. v4+OOdw/M4MIsBXhX32TjtQJBmB+32CDc2DC LXqvd8g37QnMJHzEPIYAmvEsMRn1DRlB7nk6 7HSy2DwPNHtbu4swyYogCs7LGCbzk5aeEZbT Mkcac/ONSZjl+kEiJUav32dp4/IySt1dG795 nyjuzz3/4WSC/fv/QJrOWvU7eLqF/bbqQa0+ VDZ87U2exA1gq7iIg1rKken3yAL8l1BHBfRj oI+oozIBPInOm+wA3leZMmj2tcCzDvSGEgdf VRB4IIx/zzdVPP4WG/DNoVJ+otM6h1APHDRj PBKFDZhfQda8GT/R01fC8uxm8Tm5FyIgJnz7 IQfkHNcMAXCsPo9lDw== ) 300 LOC 55 40 15.258 N 12 41 56.378 E 9.57m 10m 10000m 10m 300 RRSIG LOC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. GHNspK9gS/zAz0cU8GZBU6P48xU5vOXYov+/ STQsf4jGW4Ikbog2ns3/+4kvZQsDNIhbOAgZ GdWMwRPGC1DWXzUw8PIpYe42Pql2O+wm0mTI yxso4A6sV3EhSofqh07dmX9L94N/Q/X1vQyL SPrncF+FMZCX1CnIee6iFUvDsls= ) 300 RRSIG LOC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. Lb1zNgN/yVV2ziP/bXacrsBdqDNH+LS63IZF t2R5SLbdLdSsrVlXcL+9jdNObCzqpC/H5qzQ 3j51B0mQ5JSN1mQrIXoNsomDUSM164+Dgbpc 76qHM4r7PNUeu5CAZ6zUGStgvfFleVC9M1Pg Z2Zgqo9QJnN6rZcYgOjqOZX2U2i8JYrzdPnt /e4/btWs5Im/j+4ZoAmCjjoFwsI2halDEdpZ tS8XA+garId2+OuzW090dPJZpaR8ldB7czOd QbPuwADNWYL98FlFA/+SOd+C5gD0Q08iBKdU ddIzuoyKcsYwLpWLpM/6Klg3Y+7mwMn46+43 wx5LzUkfIG97aAOk8A== ) 300 RRSIG LOC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. HvUQYw8WP9/DdbJeICJFxhIpUj7VK8LMIa+C ntxAO/1xGiq4ll449e7ylW3qdZMXo/5m8YZR SayHpvSsAhRlfaqf6UO6CBWs3C39jr1+pB7K dRL2RyzAs5I7kERvVR7OCqoWOXkBlqM/dSz5 ClaWQE3md+ZMXBi//9Ico/yK6noSzyM7Lrjn aBQUYwFJbS3xsT1rc0UtL4v4Pt5iHUjSdE/8 0kA9F1APb6LNZ/VTo/uGzKd5vaRFU1Z4zaN+ zyWxrwyauKHXg+JVNbYjlbSXa3LnmKs/xlci LzNvdXiUTHBQR+3w+s2GEMNQ7XDYtM2rYXIg J9KF8v1CU/iQXqqy+w== ) 300 NSEC sec-00.example.sec. HINFO LOC RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. qxNbV3M0mNEVBIWaQfMcf5jXPjsmKqC+bcLe 2kM+j22RhkRYmhvhJPvw5hNSVjAZDJlkhgHo Yu7hdpLC+xGFJ2TESRXBdiv+0+mxF0CnECJn i0Xn3ftldu5+RFyZRPLmh//S/eSZqTTgiZ3l nH1WrmGnM6U/ih2Z8RzdTzc97GY= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. Tu2X+rtzL9YbC7q/TxxtxCGxslGAUXUD1eKU +nhwSB1/p2A4ZTIVHxkKton+3OM/oCeuy/Mw n6sEkSJRioJcWIm8J56YtMF/v+Q119WDOF94 hf8YWuEDC0T+zB2XhLy8xcOye4K1K5wLv+UD leifQ5jgNWtkDeC1rWHd7QH4/GNXya1OrQ4u rMoIHn0uzuRFdP7t5KVIlqlr3I0HPdu6C5Fh FsQC6egvKRGbpNhOw6XgT3JOvloSicX7nlER 01roxOVY/mQGP223b6y9mgTqeekVwzrbr54Y zceMskVpa7zamkDcjb6BdavSb0dd9fmCrtjT xva8yelrjvIqtfYZcQ== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. TrcPcHA41scU0PInaREU5/6/yOx7OAB8t0Ch 96kMoEe2OXklnx8NTcX8mQs4QjEJ5ABijSoS z2OdKI/XX5xhS6BO1DQvv0TCK1HZ/y/1pO1j 50Q7YEUvtm3KsyABDL8ejwHgnHnJ3LE/gnrD fHU8m58uyEIXRVz/m5yScIn+fUD44VpMuQCa QMlUi/1yLiJfOjhUps0hcSSm/eAsa7A2wVZ1 YWvYh74OeZgP7oDr0dzUhM7r4HETzY502h62 97geaIxgZiciqcfxWaziDD8X+jV7XDSOsJC3 aSgYX8OzYibrA+F/MoumBu8sGK/Jok67qD2G hiV7F3NQIXu+MZZEzg== ) sec-01.example.sec. 300 IN IPSECKEY ( 10 0 1 . AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. dYRRx1AlyU8o0KvNvy0mAK3jU6x+BnioMJ69 0YtKQdcakpyFUzlswYxhB/7YIm7CfZSFOoJA 3ae8CkzD4sSFthM3BZjvZZZX+nRvw4lju9oV 5SzgrhPDPnpnL9ifCtGVTWA/8vVh5dPHAZVU zh6vl8tnKQrwmiVApLRqZu5PFMw= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. cxhg/Zu4Y7Why4ftvdVWip4dmqIqi8/qACa+ ZdalnAbGyRAGSWAEAG19tLBtYMFX2NFF6yM1 Em9M8e37tHmwyNLpEnTi9QWGTOs6MCkUAIIW teCAGiWu3MQMS5QiOCAiJBddLCrV5APi+Uwb wWavFe5RqvIPxZ1GVG0WcgdI3GabVEavPtyd 7zSeT34J7Bd4bJxpPgXQiRWZpJkgep1e7xDT MtEmhrUU8y2Bbt5WT3k0ARNYOh00dNjEDvpx e/pIThrE+xySXvmOUZrvuP8V8cT73IcsMw5I W0k2WvueLUDZEOHQrd3Yn0BFMnsVAnG/ciQB 92Ma1s0gM+SgZwOHRg== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. YdF5IyJaQVoYlRfuldCFW5CC1qICMS4Gjrve H5GeqLHReuDhRVe5T7X27MexaC8u5O0Z89Ua 4O5YV14rACPv2Atzk+4wlLmVtk4Oswu30yav NkdNIKDmvv8voJnjUkYTlDng7I7m9vNqCUn5 Nw1ciuawIzrL4JTdFUrKFWoOEYw/c8NHBhre 7RqJGzSbjr0Qo/Wcur4Kb2LkcuQtN9LSx9c6 wqNmOiX5WyKaS1DDNam2RuRXsdz1oTz1brV0 3LtIydp7F+AHrx2d5bhtjQK/v+tccNBsIpkO BqXrXJM0hbo7cZ0uNGSnlzjbGKzF4jqaX4pR xM/0wkKHe4MsnLg8hg== ) 300 NSEC sec-02.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. Ny1BBKgi9V9hPIQSHbLcmLBsglGjGFiBzrCc tSaGM7UnbNjqiq9s1h7wBl9Y9CmnIUa0s3Hn wsf8KQkMQrg3Obq44f8a+YEs3m0Mb6KsvrMj 46QswOwr3bXm9DXzyCwYePQmeed/w5oaOhe4 lTVwFW7fxug5PcfIe89MLMkqIsA= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. jEHbUbVWirjrY1WkWHojuFXqw5Nhg8zax9jX eSQ49yBlwSnmhnEAA02IIYHyfrdnXEMztz31 r/bNqfHn5etXoPZvxxlj9hNxR1qBO/ZfR9Cq pzQNeAxrVP1f9xuhcZwqMPjEqFnOnkbjlcWz vLv9Ko1HOO/ifAhMQEwviR4yU3HEdca6r9uO tBGo+BTuoYVzQqPhIYpA4QRStWNOKgIe/cgV Fv+fvWnYzYXY21w4yRYv0AR4rxYXtSvX0/+u fV+/9r+fz5O6ZX23fO9GrV/P2wi64m+B84Wg AzdkstuI8eyNuLBymjlYcCgCDMJdE9W+E5ER ABXyXzjWDvig6jkAyw== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. P9DCOfUpee9rYTXyA1tLCYheQDSIN8FYPee1 9evOBiJooO56RXM1TOBz1NxpIyaarFFG43E/ ZheazaUogq4wPBuG6exJiNnPA/cPV/7oLRGs odaNXU3vKyTcX1EzhxGPvawZt33dxxGBdq7F YaCg7wAvmV0LM1oa3RVzzicdNLtBfNgO2Zzc ra+RE2mhtiiDjpFXeWP5kVd5ck7pVy4Y6yGT MtL1EfiMQROQj7KNsuRMbE0bIEaYmwbcv8yy PJcs5LAd/PYijHY7iat3eyjgGm+FTDnhsH3L VjZspLQaK9jDDZ9bWnfC7pBrMODPxkFHBFQO NWWQkJ5f96JrMutnPA== ) sec-31.example.sec. 300 IN IPSECKEY ( 10 3 1 some.name. AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. ZAqqDBfAVkm5GAkLn0I+fY1Yh3q1P7c3953w DHdglMo5DnBal5ezQH7c0vrI8GvJJO8fG3T5 MUZMhTaG648LQJ1oGQdky9PREi4yrFvSQlta 6NQgsPuAcDgtEGrKsL2IC0dMV3lkBV8OOqpz JaI9HlxvLorGmLEEaBCNFLi4sk8= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. UZMDwvoYhyTLYr6PATsXcuZCeuBkeRXmfH2X ishLwWnnYQ5ghMwkl4qtmn9/n5FDLwDkRtGv iLpBEo1VNxGU2G/PAYTNaUGcULQFeGVbbAsq v9427G8fNzGAPhqpBHRd8JRQ/eeoEA74/uKS phs8FNUO18hEKmzol4JqchzSSIFSW9/bBaKz Y6TkCYZtIutiBEHFRTlavgbyWqMxdXEji+Nn Xze2v+sRi2kyaQFS7zSWBHH6VFMh0KygxCND x5n00Sdl6aljlpuklNn75o/8iEkFdN2DsRI0 tkVQomX6js3SgTlQ2C2FUAo05jxlxzrIfcdO /DcAG9FRlPvHoEhOPQ== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. tnQ2kFyCF7LHz3BpVO0OVVQVkyjwq+POLBl9 2d7WjjkIOnpaXMQRl3PxloQ5+eaTrPejynKU Ck5BENCxzG7RyRMi4I5ewPBgrbVL+xEpVOJ7 9WsL2xKhkcFpIPcqWzPzo89szXreI++xEDex WuBWBQ5t6K0+RJROl/yoq7v/AGiIsQ0QvESH 19YnNaXmhjBQVnU+Z7+edwMbBCZzbrq72Qp1 PH+a4wUOeQqp0AvSm9iWrsmK0k4iKq14fHPy 17TlC3PanW3PnG8DcRA79rBxDf2UWOcj6C+S MVvDuJHjKHDXogWZHF4k3Np0lddMta5uTlfT i/sXL0nKu1Ld0FWtvQ== ) 300 NSEC sec-32.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. YtGwkJFT45E5qfMwpUiGyqclXQTdgaANlprv c11f0o6hy2U8I9bbeji2sD35xRB/gJxbeKUU ASe5cdjJn7BuBRVpob3UItRDJMqTp1jihWEt Z+ZUp5s0BC7gwC4C+879+I0828Y+X06NwE4L PKt4eyZdl1EQLj1lyBKpKHxrMys= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. 5bW1ijtao7NmBEWHKgoUg7JXjKcpz53S+LRk vm2VG7Eo36H/3J+HZPPAwCSOLDJjh+CAa+E3 IZyuq+GIA+0EG7otHJVtc0dN/iQs1lPjdqFj 3qAtHIuftfcobQ5LDbFHh2r3VH0FLoaKvQYK 8nb4Uk43FRvK3MfUvUGX0VtkUggLSktYLdJN tqvJCKnR4ydhMwBudqiTnR61dJkTjJS+hhcs MqGNiAFFcbNF7WZZT88hXS3we3vyyAjfPUQi QKi2BHK6IhthQ8tDyDu0hwX7wpuTNp9++6z7 MTRc2HsPjSyHc/1xmNFIFC3jJwjJlfZDMl8Z 5FvTr3nq3OI4XwtKqg== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. nEZGkAFPbQFS6bLUu4O3SzHAe/DtJs4wTFRe LFN8SSp11JRcyPu5VdPjQ6EWNbHvmB3CWs3o dKmsmSWtpT+fPsLPDuYjijjwXe5fefr/wRC8 VRr3rGqC3aoXm+NuaXMEKHHOf4MeIGVCDK6D NEjPhagr96bv04SwrL4/LqclUlXrnMbHQe/f xvULs6IyvLMTdCgEMRQ64eJLZDIerZkEPEqb WYqy11ViCw+ASdN5lg/cwaXOAQ/Ao6S8Lsqm DLy1rXe4kRHgMsei7c8/X3Pre0ZU80Bv55/s vioJUwD1wihD41+dBCU8aPaxjuyRK2uqnyun MKn/jYFoyNLMy9+nOw== ) sec-32.example.sec. 300 IN IPSECKEY ( 10 3 2 some.name. AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. CZJn5AslpFHB5i82KpADbin+ahFv+WkS04+x ghMl+/iKWel63pNkn6ROWFEiLYiRRcpI1R8x pkVHgoCocBQKioGtNRicqFzaiHWmcNwVLX6R W6mFdErpEzP67m2+dg9hrpsQ0E8dlAj29FGp LT5agAWqb+GL39advZ7+XeFYPhk= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. JTi78vBkBuGJH+i6gjjq/7aVH0V7Lo1y/1nT OwJOaaQGvTszXtNEgnuaZWKRP7mmMMj/EDXw 4pY5t7uetwQsnoyBfNINevwgBvEv4xPNGly3 bazXmlPC9WL2pHIhH5OW5ktHs0n0C/oFxCcO IVtqBSvylx3cwN7unAFF5jSF1zgMHSubRjZL RzAwGQbpbPi3BXg3zT970wr1XIMsMnoU129K Ii4+mgYdxitLeLw7/eIxTYYrUMPBOpDkSQ2u k6GU+eqTXIzZCNhXWcXKnRe1CrrLkRtRwraQ JlCXh408v0lLo6Em0b3gjYpWxRWyAmMz+wVA CKoQo721i+2WURHytg== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. zvwNflQYyZDVLSjAGPb/NtE4D0vB48V17Pm2 nz2Snh63bllu4iCZwvO87DEl33L7me446rxH /G21XZoGz8cwN7ecF40SQUv/grdpqdMPhqCu 15+irjwTF0vthMxKJIuMRUr8xqHis/1KKxLG Wa6Rm28BFLfMKOti+o5wRyD7iB42UfK7dWlC SRAJxB3kk42LchLGydC12FehBE7rJl8z/O3l cULmW5UTB/4+AsNNQM7GrhGA/zvhrxGOGksV 0ncFq1I6na9XDYq7zZZQUAbTbaRWt/MhVcsV W8d1Vqa9XvfC3FLlyUZq2jjAv4VSupTE2CSZ OCx9JAqD7fMWUJU7dg== ) 300 NSEC sec-mixed-30.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. p4fImnEiq0raswfRFbjM7d8CA6WhMtdIn7RR AmGcesf5xwgXlNcY4Uu8ac0UxxlqeNcf5+5A AIrRraMEOPZOAC7daWoRLFgsgdKqrmZYHMpO VxWcuyIc+5XXIFvfA5tHKUv47xq9wjJD+3+P mVaeY7/tyBAu4OYBAaw5WfW8020= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. HXA5QfVNaSkandKCqFcvBg0TYwdnAywDzAS4 McM11MXxI2AUnYnRmBg0+ambJRt67P2VYw4/ 3JlQftbTLd0r8b1Rb3yydEv0uUcfOe+AXn9f kd8kgwutMCNYg99TDPUAAjBk4cbMXsNqu+Qv xRPboSmONUiJ8TaHSLzLnNAOTIKbdnmq+p38 Dh3Xtfy2o9ZtxuHlqoldQmNHTN3opt3GJOO5 Ia/8mLJurOe9J5lDMjhSZQb/HYLRCM/1CRt0 C3TZnqP1RkOnSDqRP7petZcTWSsENjOFIBAL V7uCzYIQWdeRQu81V9MYFp9c4lQ6FTGElKWJ V7DQxTRpgjS5GkHu0g== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. dbdl0cBXuuV0G3mX7P1aMCGrJY+JXVVTVmBh P4k8hWEp0RDWPsNV2YV002L4vz1HYIJWysDr 58IWpQPqy+MafcippdH49we4zLIWkstE0vEA S3qWmymBnk/ZuhucDXF/HLGs6PXj0nw0h7Qx /6Fwnyys+pAe77k3E35Zb/+EaZ5hwFgueswm AwE5i94SUYATd0wljjzCcEB5ougB8epWmssY azJ608EPu6wZ3rxkgvj+bZm9oj9jpujbWzls 95fgDTJPn7FUoXySCwa+lB/2S4GfzoWsgjF0 ho9zhNrG1hnbjWw4GEp8rVJwsTiBxrxIcMdm DHHX0i9yF7DkxsDWXw== ) sec-mixed-30.example.sec. 300 IN IPSECKEY ( 10 3 0 sOme.naMe. ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. Yn3qB+wu6No6XErby8iIjeIUWYG79xb28NWO v7hveY+Z6/sKErALFM5pJCJ44ih3hINUdYep HPcLh7ePz2iwdUVGvRD54fI48HTWMtj/dn1E qp8SsHB90wHXmIeUaTPndDhHbTtLrs6+SJWL ZyojgMongSZvbHNWisq2MOZMujM= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. qk0vQIuCA2+o9nLprjIyyUtVOZ8Pu8UDRBYK e9/0s6VDQIFP1n81hM9ii8gdj1ETcYYEVUXw g4STWkNiRGtOF9x2AiZwGumgf31169sFk/jc 654gRUQDdxQnB+qHLX9HugTGZrSvsIR5WrFm eLe264dsniLc589N5JXWHV7iE9zEMj9zljDu rXwj/7FptwoxDyUt/QzG8RhVjGwRduFOHbd6 fJf/tqQ/QI4yZiYoG0S1GkkaFERX7fJSpqxd yI/B78KW31jWevGCdt7NsuifG0f2zJ5kkmUh jCHvKi/yiji39sGm0kSlqtaw7Q47Rx0Ihegf mylJPYx1cnzlibGVvA== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. wrzoKA22gia0sNq83CCag0ZjaraCbvE6Vi/J 7qeUXAuKhS0ekuYZx7SWp/hLgyUARrtQvoRM VQmuHON4rSbmsL4ds48IpeQqcP5QqSdhAXAU fDZSln9hvWpZpJC2dFBgE4H6tjPmZUe+116I De/67cYRpqF6Y1VDxVjkLPmN7Tzuyjf8FF5z prvaq21OTMBu3sBRnfAhFPwNZHf4q7+t+Lnl rfe+koj3SdLgwNkxAA62Dj4mMCdmUT6nfC/4 wdi2NiJzlIyzVstprwiL/ZjueOHPyKJcdeDK jR2f2P/6AF8//pCqTH2nmKGnX/nOHeKm7eBS h1c0ZvFhooU9N+2DJA== ) 300 NSEC sec-mixed-31.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. AC8/yz3J6AdTfTvEy+VEyV1rH5fNfz1uxBs2 m+OHMBUZf6LpUmqf3HMRt4ymUEzZ4TXUFun+ BCRfuVl67ryfvU7Du1VIXaIjgq1NccJFPamX cy5bvn7VfB/XgTYCOhkirPAo4bUEN5UyP90I JZgfxjpy7/iSB7+Gn6rbefjRTJ0= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. lewi9S8lGbimRUFnQDXb0SG01qcbNbDbkSb+ zjyC/CcVBEYwwtl9+z4NDXp/tR/sgGZSHkeB bnfJD+LcQ5/GFOC2xAhbebtFZbtuhMbI2N/W oanScK2gH43sFgihjtE8L2c301cAIPjaLzyU p4FIMeEowVVu8louVwACKr8kMQ2txCIjMJVo 4GblPUhx7lSIQnyF+AiKBW7qiAmlqvchtqr4 djaCWoXIjPA9Se1Qb5V/zdrjAav0x7nSoJvI KaslX211RgodE7zlCb30bOk3KMmQ2jU2//se 6VhQO/qx6jKFkK4nSV4jXYpEACIhY/KrU115 qGNs9dnFv3q2ucCLtA== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. WW29gBQhuzzVjOwPWCwXIeewzcop7BMtMjzQ vA5lMYTta4EAemgUksP9aBoP9jZfFhbCIhjk WuAEE72t74236wxg3vAOfBCVVL7WrhjcXmiK euT2D0I5EfeWzOy/izl/NbBgYwDCfiYcJGpC 61V3XFkKR+vF//LeXQdQqf5Lhz49AeOqW5yW VSyWXi30DomFVM9m+94RUeefNq3MuZXa026r ON3Sui6Jfy7P2L5Nm/k3ITnYd8oz5H8UYJHp YwPc7uSC+Cu/sNpIow+eAneJt5TUj97KVxrk x0eDIqLmwW47vLw0kLFZ1+69vWoO06xcNDbC 4RWHAwI/K1A35QK0Qw== ) sec-21.example.sec. 300 IN IPSECKEY ( 10 2 1 2001:2010:1::21 AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. h0+HIceO4TyqQTpyxId6XNOUib32igcXidZl 7UIiHygAtYQyofUkMoYwjOuCTd5pQJe6jXyF rcIslo9C1JDAyqcEewgLRi4/A2CEUhhmknxP 2qJBlQJ9GiWAzK05zS5g1+Q2y++Sp0gPYJFj VY8MXOH4C2i09/HKPb7AmGQHTMQ= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. ccAqjClDisTOEK5baQDYScY87iFiQlQtbWjc VoI3EhQ/TUqNLwK0fIdJijxBoQtfDwhiYDHx Ban7hV/LWOBTC93AeJDM6aF2zIODDvGeSqWz a1z95di1mNcMLd+m/0wAc5VwscyaCSgID39v Az6ZoawlXo7LZ9JLeekx2UXcMS65ngUM78WT co42xwz7EC5YSR74roPBWb5Xcu6RjBa1YWrD 5RCwwEyAJUiD/+1GlokbmWXNJOQbC/Y5b7Em 2/DfFmYo3GvmN9mZEUSkPcXz88sazuPeMojM JJH5A0iM7FnZtEAMho7+UGvjbOdZEUr5GpKZ elwJ1748pZZSzeQUwg== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. dc9l4nstQkI6gbn9u78X4DfpJsvTqiswhR42 VLckznSlTYn5UNv+pFfcAWx9cQM5HGx899xM rzeEfXUegTZOQwCYmJWZrZsSrr4Lthigl8IW kJ4BGEVbast5W33BjlwNACX03o4ysKn28JYQ dhGB06g4Zfo7PNDKWMFh0Pbs2WjsvdTpk2ey OazJ0FPAlGc3r2Xq7OVt27zc+iTZutgG8yFt dYDuY8E525q7nlLwHAbx4zrZWyBRdg7Sw/l/ EsPBDv2wOo+0XIpnc0lipOICAhwzUoKf37rh Nb0TAyviQwWkhFJ6MRl7jxYivFHJQAWCU5Dq E4zy9dwoF3zHP1pj1g== ) 300 NSEC sec-22.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. K0DNo+HfGohkx6Q2HJh6kLNEG+NW9rqVq1qy 5i4NyR7yU9PCn8BJDWyhoG/t3EKHPGjc47n9 ChyJi/XSywK05PiWptIb1ByL1NtocO9b64EV 0fvi2peCm/f3njyOvDlPSJO7HP+vPZMKITb3 heoiHXv0tX5wrV4VtJBhZcgxy6o= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. SXlyw5BASyyMehGz6QUMAkvfExmoPQLHt/w2 wgJ1fHXTI+SFZEV/8xeII+DjOvkUBoebEyxZ 6PalHCEv6K6GnPbpJGNGhNwuuOucHx6FVoc/ xmU7ArMwiZORhyoTec3izKavKG2T6mJk+rvG Xy9xi4K2g2CE7w1anGdA8oRPag1SIwhhB3AX Trxch8RptYk3Z19jDaHZUxCSZWrfh/oISNWn ycdERmHrQw8BMl87Hc2cICMLYWLSgvmor19z 4DYaqVa/IgDnS8kKwK2heUjNhhBrqOqxp3cO 7M3bCbSadHYH1yVuv2+7rYfhfAl6clkWftvX dqu8/+1eU3MHZw+6bQ== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. gBq4IJtDynwz9Lx25Uu+BP0CNlKgUpDvIHvs CYSVa8M2HvLury63U0YW6j1NP/5MMlr7Feky jPEzMmlyXhn8WsiJiyy9pvpK4vVtVX429DJe KwAtFjP29vpPZmjH0ZJqGTC7ojaBIE3GYiDw 7kGqGyxLFHC64kl8xJx7CFQtA3eicKAkwB5R uIu1d8lG3BBnjrx1i8xkdlRj2vp0YU8zjcSY K27gYKX3uZkY5R9Y/zbwyV5PhNb5DBfLNzFg 7lE28oevdOrlHQ/S2Tn5vEfja5bjo0Fmf1hC ekt4+sOtUsob1hCOeaRxkYcVb+hWB9jQITNI AibednFJmQEMr2Hn1w== ) ns1.example.sec. 300 IN A 1.2.3.4 300 RRSIG A 5 3 300 20141212121212 ( 20121010101010 516 example.sec. Hd5lXR86upb7H8fuiGZ0kcoO5h9s4R9Y98iL StU1pnXxG5KV/AxMlz5p3s4/u0gte7japaiN TFyASUxbTc8w6t79jyYMLlPauutggLPgPx5b 1DS3aFzrA/XKdTD9jJyKLkEgiYmHm1yRq9oW U3gl2lF9kq/JTC6vHTJ6VdfR3GE= ) 300 RRSIG A 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. IpzshcLIMj4iWcq6jPh9fRUdHpciA2KsRhDz 6F0SYMg9Baauc55pNMihqq5mhQvpJqGnKVHS GEgJbEUNAxI8OBwewVyMgDdTt8R1NK3ZjFGE 0VmtluwrEdKT9HyR45yVH0/SpFZeQTMKH9Ck yPAuD5s53nEGHALkFFadEalyLOCSvrU1+j++ tHCfa22+QYbh1nSQAdvzzx5jhX/mrl0Blj0t v91hb28yoClOzGzJIQisdfn6xPAdEGW9FP9M wENWiSO2bhIMZQNxiCpBCmAeMRdlQVPwP6BP SsH64WQJCIGVPrL+xiJQXaIXx6aZTBeLQKB9 RJQRDywk2cHNdji2Wg== ) 300 RRSIG A 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. vusjtNWhFBkOD/uIqtPS0tIByS/9SNIGDw+R +SxcvJ5ovwZrNe0083ZOZ9nkt2+k7nWdsAw8 MBF2Sb2EP966f4fxCI0HE/oygHvZJ6oqtF70 IyS1CrwU8QJqoYsLFXBtprulN0fYvJk1KYff RDfHtoae1Nmfn0tb375TBf01e+/ijpHdzlYL rRF6eduUMgXOjstdzZb4mQIQ/UPZ18Ij86Q8 CTSZ5BAv8EQNKPkblEUzB7IPiYlTTLIENx1p 1lWIeZvrfufCubg1uVQZ30g2yOyexNaMT2Le LVj00WsCuVcLRHEcxn5nQzBXZp8wZeVm9G0e wFAsrFzRnQz+ttQXaw== ) 300 NSEC ns2.example.sec. A RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. AzygrAd/tnGAb5LOZFZxs84u3VRBrHAN/z59 e5uy/OBSa/3P7dFwlwfFHkCA02NFV+2oLO6B WbwuK4hPwACrYZuJvw9rKa3rfYNZM1MF6fUx FQ2p17NkSKetFR25G1dzXMzM1MlbK87EfBWb ZXcw5e81JAvba8q6ZXCcXZz7DTk= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. zx0VjSCfOb9ajlaLpLD8gGahBk/GYwT3J2AT D8KZwlpCFN28TQRlPCIaqCBDlb35sTBiYU0S 3rcJMWUGrUaDON4jmeMZZbGSASNVd+D5hcEp hQpqN6Su8mFitflVMKIKdLnqACCXJUicb6g7 7SElAiesy1DuWEWMKwyyXV/X3bEHzmvdjIsB 9T4wsCcElDQbVItnPyms0No9xrgZmpNR3UTN yoA882da5Wi4TubusiYryzncZZQKzZzCGKZ9 HSl+5STjx+nBvHL9ud8rLkimlzLHO5BEHrN9 hvkzqEQkmOer+15f3iQtFoovDZhR0Qp1Ag34 agn/nh19LtgqBFT6pg== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. x7P+aGsZoDroKh/AaVkBzmXLIy+TC7iUzUAS M54UOWoGjlpU5gfyo6kL41dxRk2A77yYKxN7 HHSB/z+1u2IK0uXL/0teTgcUJ/yu+wTC21Z+ nKc4lPNr5koIsEMgdags9Coa90rMbLp8Nk1R mv07wjykShruY5o7q9sf+EV/slSFcUmCXfsb zmzfor0kUrwliqzgNPpwnI3eNIGkjUF4wW+u t1c/9Yyv25a2ViFF1V6I1BvNKFtVAkRff96p i2LPWjaH3/ISi+8T3Um1d63ALW+M6hvKdbh/ nrjG098f97DWL2+VrI+/bBVi1GPmzR9bdK+p Lptct6Fg11LSqj5QJw== ) ns2.example.sec. 300 IN A 5.6.7.8 300 RRSIG A 5 3 300 20141212121212 ( 20121010101010 516 example.sec. E99YjCcD6e1mGnx+Gxj6pFw5/ISt2SGlGoOb XHVaa0EWF4L8jZJGgzs1P+shE5miZqvhgGMo aUZ1RPywjUBZ4NOxZrXOIutPMi4DTcH649rx HWhbjgBJptfYVGI3fvnL/JustEQxchOCamdi ohnkMS8K/+9LdNcVoBbXmd2xSWw= ) 300 RRSIG A 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. f+xyLGM0FkJuvIsBsiOpD4S54PC78wJRGHlJ HGeOO9Rt0ZcuFP0zqqza+8J9ddYXxzAt74ut QhYxhoWp0Cwv/Ah2ekgX1c2SHXB7gaWiS1jm QInH+34hG/YOfDzdBmEvcghr0SA99mfSJPcM iTdlP6ripnqhjiaILF69P86Wp8DJgGQXeAzT bN26F+3YePj14TdO4d1W98nMolx3ASpE7Yzk L+v5TV86OdwnLB0qOsHEwch+NvglXLS7mDn2 XljFd8FX4DVElTTGaWW9cwLBwwhZpz6VMx4G mQw/nAEJ7Kp/2JYE9ma2H1dPoH7Yj/z/zRTY +4bgonvmTaVyg8MFVA== ) 300 RRSIG A 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. uTBym8cXJHSj7GxGFNzqX+NL/Ys49a36kWLw lEhjWH+z+CdEBuHRIfCQdPHe4XrUNsP9eWg9 TspzM+g4Fd/dh8Jz7WRQ9IEnEU0qnt7HagQW qfOsxve4ny1Pjm2oc/RICfsGTBJpqL5UwVNw u+4bCr2ZdJwz1VZeCaFQIG+iuaAWE/zQ+xJW e8mGvPM/VTCb3l7ZXePvE6ej3XFHfGIXqr1Q sB/c36gw4bkFajA9/U/Ni8Su4MjxkkvZnG8n aT7YrHXocZI0GyoQJMk3IVERc/khN00P6NO4 5FQR6X6U32tBn7ijOHmdd+ldt4ckdcqZB/oH 4yjM5N+K/gt2/E4puw== ) 300 NSEC public.example.sec. A RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. ldRLarLBSF8qLKnXpiWUK03lLnJ+OaDnWK1c 60K5LY98IJSuHHuMeVw3t/NMJMUjSMBz29Ih AJMViXc4BNr8U5kUryi3ryRtfc23PbPLGLK7 s7GDA2Mjd2dxx87MZwP0ER8l+o3dFjwqUBC5 jWfupB+Z12AkZtINb/BR9lAaOWg= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. fuH2T2IDBQ+QG1zc7cPrIVSm8Wk+phIDUhUn rT6yYtpYeAfzsDzKlAC2iqLLXIT3C4ydda7P vNlqS0W5Xl4SkVp3M796q1rOskBK3CqM/GvT zRcFg35bXA0GgclMKfT/N3hp4ksWA1nQokIN oeYNY9ChZVjEitJvxW2XdjxS8gWFvHpSJvr8 Qtk8/w0ghYl2WwmhwswDfQ6z//dgFrew9JXD to0UEMkloBOFpmTJY7rtv5+52nRMw5wBnrgd 4cIAeZ9Fy0QNZvXvk50DLBS+KpSzpHIs55n2 jSLGLP6iTYSYJp3EbprqgqHrcGqno66Kb2SJ fbtPtQo01WJn7FnWbw== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. imdOqDzfX3ecLJahnF8nCpHIAvL95A403DFb ccKYOYG1cdJzyYyINOcWx1WluUxQRT5PQ1Dp 00vM5SGPwVljomtJEfxYi1uuGlGN/arwiL/L 7bdC0TtVBBuRsxp7XWUeakJqIZNfKdA8NabR W9+16sdD1qQKrHZtmfyA8NRd9WuT0XuUqp9i KsMH7CvKY9X3fiym9bUz2otu1ZT/hvm22ny4 cGQSHyZ318HoTVmzuS0HUAtT4SjInHdZOrf/ 2HF+AMcF67HAGSQnmFVXJmpoZDowGt3HzPQ4 ztt7F4k6C+h4kMqeamrWmt/588OdfL1E+rAM AzXmWlHrVgaMQVw12g== ) sec-12.example.sec. 300 IN IPSECKEY ( 10 1 2 192.168.1.12 AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. Bp3Y98+B6Rgsy39TcRw3TPRmbXBGGBQTaXvi oSywo/qBfkfoJgRYSxq0SffMHq9AstMAaoqT VY1dSGloMJeF4J/VV9m5XWTtLoSB9fPLLOM+ JFYHtpYGQBLrkDvlLR0mMyiHLMB58YJ4qgVY /swU//Bmf+ivf3OZAC9PAFJmh6k= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. TEoklx8wcff5wNwRdU49/WvfLb6V/NiVbJuE 7oWtSL2Djp1w4/Mo+p/mLk/UzcbQLxBU3TUO jOWKsBxUrfhIn4O+6L27/7fKXlK4RbTsvWBI RhSlj9/bVzpJzHZY86BNWQLJ2XJg13foQkLh k2rm/s4lLvsdCJBhhf8yqhl9YpabrvvVKs8B riGfZtfJRq817quPoG3bEHj+FS3SlrSP+wVX aDlGrLJgMs2Jdo8koRnmq2bC14o7fB3Sb3C1 NqTyoVv4y4ORrfIUVfPHto5U4BJm1KNx7/6e qlP4BGkfYIseNRRAc0YHwTmY/qEh5OXh1VT+ hHzexvbXkSdaNvsFDA== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. oKaq8JJMlTF6r9L9UypicA5tJ1FZ6lgEKXVg yRjHyngziDDwetCumeu0spZ2gIYhlZ6+iO9e bzLyaisD2/cX1TTwtHpOXdnLBmazdDK0N2Nc thodwl/rn3Iw2IWUvArb7NFiM7G7H9XEy9Dc KPXYj3NwXlbx45dzlaWcfeOcrphFdQfjqch7 WiCpeGoF4iWYCdwPOUXkLmETwzn16x8f7t+A 5yr0ou8EuNquAvPFZ7238w7g0K+jJAkiPq9u PDzPEqf1XcFqhJtHgfOWSYtVY0BVF8gKmmdJ iDmEoHE/u1cuaUaXw8u1e0f+mqahIykFVXLN Hw1SuDZ692Rzej0JkA== ) 300 NSEC sec-20.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. AkRa3kAjknF3xBG0FiCOWdgvKUXTsjJQYZ3w vH6hKtIw6iJLIHXBuw8ip09IXWvaYxYZboNV r4M4bsg7dOArDvwWvKxXVzY1qLv/l+CzpWLF H97Uhdv8oOvgfB50Va6zdwnm8NYWpSyZR8Sp sUNRN42iDIx68g4DC0iXY73l3kM= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. z9SmmJ/i05AcUl2tl/kWmOFrScWGIErE3xyP K6PJs/oFSH3qGsgS14Cx3nqARFkQujuxIVkX H1mtu3uWnMa5q35cVgBym3ud9BLPtQDx4sGI 1bmkl5xh3Bi90xfx5fz4e8ziV7BGn7mvEKSl l/ea7Gfa5yc3LmPUUbRHrHYJujuyX+d46hS7 KQ/haDf9shBoXt+/IWcQBT3azgwEZuiM+Csf uyn2YyXxDJZpmzfOCL5dO/Hjh7yBAi+rc4jL UdDrfplO2L3JDSXnY5abOwADAqbnUS7wUt9S 3EuGrQkmwDapvcph6dx5LXZRbsMMcJ3FwSJR /rTeK+ifClOZqxqbvQ== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. GIjekPGJYOhERvkHNWc9eHrhjjyZccZe29Hw MEgxNRnoGXrPEscbrR2L3JX0BqGdwp4DzoTn ho1sbUQ77W0TaI12r+h0/jQjVlIvBgFUNMgT 4myQiUK2ubBg1mMjNkq/QYbZmgfuLahPXor6 UmefhMkR8tfzPJT9kBTxtWiEgbuJhwMGydPZ zRoc9x+iH9xDu/nY8HFKAKmzoDtR/e6/AlPF SBeF4nJe/YdglvNKeDUl4QKtE2spGnQlhvaY eR9saXai7ErBF6q8oU7Bn0qDz0gI6qMFzBg2 IoJDqOe2PMg6OiNIm18Dwab80SiPggUxPhH1 XFwi/+vLRM+P30Lszg== ) sec-mixed-32.example.sec. 300 IN IPSECKEY ( 10 3 2 soMe.NAme. AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. Q98uLQa4yiNx20mu2+eKuoDUIp1trGYoPIfh 2xjpF3LdJPKf7IWHRrKg/83mS/ZIUYMpubTc UReFmBU+H8m2cNT52dgy5J2HDzsi32oj+0c5 rryu8ukq4w3WVCNfMB40HryiJfpo0xyxOlcY pxA8T0H3pzxxF00PLsD6qEpzXLg= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. huDnVbUefzBpcL2koVKRLUDwoT1xGgkNCCyC yreQ+VQyJPUOUPYmW76xSugebDPTus0l0dkO 6hzK2qH8WpTz48toCPndNLojiF2cIxZwAbDh h9A2icNe9ho3Hr30WlzRCqtTOPkOW9AOcGHZ wRANW/DQhwE4ibCUWx6BuXxlljcujJPfQqbr pzG+jLg9Dw6ZygpjpHXv71cbEEWWNnoJgbfm ijyE1R6mXBZWY6S2TPDfd4qyhWbnzH5caqfc 5TD5eAoDnnE1NmPKFg3+gQua/BTYaZeGksxr tmbNOo2QndPX60eeR1Kn4ujxBf0nKa7GfAse D7sX00LaW7kx/rXdaQ== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. xQIef/xGr81KqkEpNwIBHGKKg7c8Rup2Z116 60nevwq1tvbTSZCj7i88gVtgVAbdiDC21Tbb 4Kd7gTsvX2s9oDV5xYTxL/UHP8xbDjiTaAFz 201G5nCx+VLywFvUgjKr1Yu4YT9/aJ2XUkgj tLKXobQX9lNytKCBThPYrIxTdQmYaPzUy3D0 hxboqhEgJ2AiKD5qZLhWw0o2CrhoAwsdZIjJ rXsV68psRR7inaHQ3OdPtdwCIMx7MyZKECEZ JEGveLqrR+NU0RqgltL6tSfPSZin2suDX/sd otLdkc2RrLyAM/eYP8x9TS3hvhKy3pJKJiKB bLDYyfw0AFdS/Vfq4A== ) 300 NSEC sha384.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. ZBIHK5XwJUX6lZIbqgOQWklBK9mls54IJ9T/ 2q295urzRl/qT9mJk+7NXNMpu97K6DttQu74 7g43pAvQNVORxsP0AfM7c/DeB41IZwXAJ+oy 3VjtID+jSd+6HUJhvOEbvrB36kCxXTMk/Kdv 5Zl+fiHzWLazPtJPtKTjyi6FZn4= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. vnAbysWbBoMXN/4Iy8KSlLHxhXRRbzHkZA9m q8VlXoyVjbz3xgmGsK87/ztkaAl8mHnYc2kS qUZ21JpX8vFgY8exGU4GszPK+AdfUfdVcxsk x2oNVtkpOqte0SVNtHd3IaatHywBdNE5571z /DhHJytQKOd8AbSOW1B277/mu6c9jKHZdYwu VEgboqW46QhKwyso7CjQYzUqi/9T2m8zN4iE z7qcSHac8Ro2F+FpcGxtIyu2Z41W7Czk37ck 4IE9psNkgb4rEyY2YbWTHKIcnuscmlhqT+vg g3boKmOV15rKH2NvJzgrAaWJsxcjW0p7zNzu oHvx1TH44vAXzXJZoA== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. dgFnpZutgO50gp4PhC0a5rHQyjPQorrKpMT2 bHElABlUdLlSZL2dyn8iQrDhT75M1c9iuGmO rnlq9jAEB4he88v3HPRW1EHNJFl3MFWBoSIH xYZHDrrq2DT1LFFwJrjCgiH7yg61L7FoV+T3 PpIPN8yUaM2zXmuOup0XT/oRFuB7T5liwvtG /M5v0G8ge4dbmRavN8mQSEwFDyE/ZQlGINXt llQVyw2GkXf8eMERQyGeNVvV+lRo/w2zWyQI XHE/3iA6atYJzk/YJooVTDskfbRjU/GaVgju DpzoA/gm8m2LRJk1F3FWYO86JG66XXCjcq0n 0kzyTrKi8iTNjaGbgQ== ) lets.introduce.some.empty.terminals.example.sec. 300 IN CNAME example.sec. 300 RRSIG CNAME 5 7 300 20141212121212 ( 20121010101010 516 example.sec. nKij8bJe39EFqF17wJ675A/Ez7cBoT6hHUW2 L6xdmeXOwyDsGI9e7PbVD54j8N3saCScDXz4 ItQqJIeAd0q22tGXFXQ+kQQRgLVPOTNS7IdH 957LABHKO21kZkzwVGF3/GL99RJqCYSfFZmz LX7DQ9Za4nBS4d9AUiMhXRyIgeE= ) 300 RRSIG CNAME 5 7 300 20141212121212 ( 20121010101010 44427 example.sec. Fp/KiTvkjNtPQh/qaR5EOvjKIc12ozI6sfg8 r4nPTi6JUFILNkfUTU9+47O0zk/0a7MmTrHZ iZY+6urd8H+nr8RVBgW6b768z0oYUCuJV41q GVuPooxRG5qfQLkNdUMehWIeGHPNFCKXGuYB VqZnzR1JYktVmk/X+IduNCVUdkikgjpCfz6y 7m2J41uauMjWDlynA5G7PZYUBFt+WwXv9Ck4 /t3+BJwdJZzAxHX1tM3U/vnkEFzNIxWu2dng U/A4F8YyPNff5Gfdbun4zq25Ex5mG20hCJDp TCWlcpCJfd5ROil4VWDNrirdklsVj9frkBc1 EOA4dQ7nb2FFz5ysTw== ) 300 RRSIG CNAME 8 7 300 20141212121212 ( 20121010101010 48381 example.sec. k6ck+Rrg0dFu8Z3TeskkbTbdLTTL8ByI6qhJ bRA8XimCd1qCO6Q8fUod2q2cq9KGfHc8z6S2 c/+5TFWjzHOxfZbLEnGrQj7HMXtcAK31YHWp SpZ9ucDWPbBU3NEfh4BQZmrB8NOkkCnZ/xDB mjIlWc0Y9tTa5gRePaC3IegPPTQENNhUuEOF DMvZKQsA+2pXSwrNtNvSXlRxGKLCPOvTF/al iEnxnYuLjCl0EdYmgbKoG2wuTdZcCqyamqL3 EYqJjr9OmTI0LPTy5oBGPrUxFyaYHhvGa4rC wXiLjK3KxpcYZfsDjr+nkrZXldHaCPX/KQ6w ANsJ7JyBxUXR4GJyYw== ) 300 NSEC www.example.sec. CNAME RRSIG NSEC 300 RRSIG NSEC 5 7 300 20141212121212 ( 20121010101010 516 example.sec. lYo1pIcvD8vscR0PVPNW45w6uOPEQGBrjr6N rKyygzb5h+dJiiZuUdQL03oxI0dl11Ezh/G3 ocF81ndZMHrEnG5ERuKftI9vvAvkYr+DnFDc D0N0tIfHzB35qp2AQnhNQY/RQ+i1ZSflOw9D /8rOkoBQSlPAnCpIyGbmddEVcFA= ) 300 RRSIG NSEC 5 7 300 20141212121212 ( 20121010101010 44427 example.sec. XmqQZjep1qmAHIYIQTnzVk4PTeKoqT2ih0yS O32LiLcnGTpJZ+y+cdlvLUs6LqZaThePOqtw foOCOYdMWSKWCCKXwonpwKEPocjt/C8v7tep so7KOdEX0suWxbDOJP8TMzdNht147RwMXP07 N/TedkKA9Hs14fEYEoiK/y73KKDz2ckxTRIX rxqeZ7ZJfGTXuK/PxAfAtgJS5nBkGJSDKM6f ykym+QKrBe0ANqVZdbykaP3I0WR21d29Wg9p qA+sh7SA2g/waj29e7Qd5NfbMis9AfU7lQrk me4g7N3u5U9e+FsDRsNItwASl8c/5e7CrA5A 5mkKaTua5ovvwkonxg== ) 300 RRSIG NSEC 8 7 300 20141212121212 ( 20121010101010 48381 example.sec. wtjR2qaqRvPjQBaTH2JgjhjWsnEZfN8qcPq2 Afjx1LqD3f1purYgNXtZhlqyHWs87qksqPbO rykcGMB8TZ2VpByJS6yXB7LtRaM6SO9yGfPy 8b3Ki9bDsRuXRC2Ie0HStJW2rDuELlBJj1Mp gKYUUCLrWJ4OCaF8/Xm72zmJDkzN3rMzThTZ /6XY8tYBnXwKgnrWn9J+VT720pDwFy7pok2B os2HTAO5WY3Zvl+20B/jkE/ebfkhTsWGHFob ENUAukxaaDbPtXuyg4MKreaje2wh+Iu3PWqb efFTG/pnsfLYTG+pXAnb4uzt75K50Ze0TUB3 +Y3ZTANyeYApZkXo1g== ) jumphost.example.sec. 300 IN SSHFP 2 1 ( 123456789ABCDEF67890123456789ABCDEF6 7890 ) 300 RRSIG SSHFP 5 3 300 20141212121212 ( 20121010101010 516 example.sec. WtF4ZiPXqdAu94QyYts0GKM31E2y8xOJg4wa jPpkZI7WEyQOx4uwILRnpmkSjC6cS+ksRBC5 lgnLtsR+ZsZNCcOIZMZrsMQcGm21/DI93HxR J+i2jCVQwiYws8hguupSahtrwGYlnwF0fn8l D5RJryJFZQGHQKii316GQWIJ5fc= ) 300 RRSIG SSHFP 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. PzecZqU6DRFSEWJ1dfx/CGlIlRFdgu+Wjgo+ s7SedJVgGCLrCxhx/lbBbcnExjTiCHDi6/Wt q0R8OtyUVXvqyKMUwr1f59AEBzWO9GbXs5fr eqRD2h229Y3o6aVMKHl8hsJUYjxyFCBqNuvR kFSPQuAJaUF+uQefB4pDiVl1aSJnZDCi6T5G +pTUyF6Ttr6b9VVsR2EUdwzqF01JyqRNgzZM hkmfwCQsBfJd9rGh3qCm/9iYVaCVEkNVX1T8 jVVhLm3UOhUEJwmi8IjRyCA7RJsLQmXkRrmw AX7nROqRienYjw0Ztm0/VGbJPw1HOm3zAuHu QtxtWTABc3j/C5hLdw== ) 300 RRSIG SSHFP 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. zhh18mu+feoq55Ddkkg03SIJQ/gbqN32ppia +WKE3jBbBaEaWLJ/wP65WHqIyDu25zctg5g0 m87Z1BbDaaH4WQK4Joh5tLd1bZzvMAUOPip+ X66G3vwE1PXBLJNzjB2c2WZhOXbsghdBXmm8 RJbysUS/vH7JMNRZUTF/tSRSGOtlJkDbqAeh KS7dd+m5StDlxP3Etv9zPW9tA+n0VxUhkCox 9kags6TtEPf6j8acS3HhYUhEJRqVjH3vEBy4 xhYhkX8Es1K1md5HY0RoKL3z5NSkVj32yMTk vaFYtg/yhKLlSQsX/Hn75rOjgCDoxTBCj9EH q/hHLW7UmO77w5RFvg== ) 300 NSEC mail.example.sec. SSHFP RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. L3vgFTbZOLeRq1I+RVhl5jOAPHTgKlKkr8Lk ChyFcsWnYoaNdNSkotTSKoWW85T0SRwktH4d BCexiVcc+pzODo9/SkCpFKgkZ+3Q3aC82mo8 rt3qjmgLOeeobCLj3X+lgLZRHqw96d+aRpq7 Jna2ZA963cUv5CGkRW1vUNDWwqo= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. Y07ocMMI0+fY8gCwsPEbdzDtwKdma7+JRKXT 9DMUx1hmcS7YxW53TrIMCW8gA9snXnSJjG0h /aP0OuFrJvZ2xUUAmpYAsdyw+HoeZtwFb3rg YJRL94Up6MVzNX89UsNYPvtvP7vEpebnYxzc gzbOcjnV9F9NPHj86Gr1hT1A8dOarbKVFLTs J3yXWalgG+qy51qhzThgimMUci3sNpFuKfG2 4SGCGIOt2rW8OulNuAFQzTg3zmR/mkVm+vip 2KVIZ6kre+Ka+fR0A7tZP+4U5xSaZXMh5h3K YiuDaxUmWZSc6sCU0nJHtsB/HIxTi958T0Am Scq72LK4IqpAfqSazQ== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. CbV2wVqT7r81G8rqWPnda5iHqPaUwVAqoDyW zKQhbAj8ydnufTHODju4PV98alGuQCC50yQ5 KBHZu5enOTQ/MKiAcL4O0QQ76/OQ1Lw8HIa4 FtkArpipm9h3AFnFoYfq9wS6xmweX21SrNmG phgrqYtR7pvjBXlh0O1kZG1h3fRaiF0nA8jt 1ZzkMhMCgiFubEDQCVhygbkucFmSSo31HSCC ChwGnjLXj40HKvpNg4TUE/f7eUnQDeq95A9N O8YoVcNkcVTxx0hbSlW6Q8O06Dryf6c/NEVj lXgHRwxIsLEC2AqPbNuXVCN7A1z0aVLfTFxF hNFwOEnZfExmu5BOsA== ) sha384.example.sec. 300 IN NS ns1.example.sec. 300 IN NS ns2.example.sec. 3600 DS 10771 14 4 ( 72D7B62976CE06438E9C0BF319013CF801F0 9ECC84B8D7E9495F27E305C6A9B0563A9B5F 4D288405C3008A946DF983D6 ) 3600 RRSIG DS 5 3 3600 20141212121212 ( 20121010101010 516 example.sec. RlSITzGdbUeiO/X6i7jPSTliXXzr/zw0l9MJ rc4VzGC0dcGGeDYG1ZWodAL+pM/VZmS1O1hJ 8qqgmih6wk/6J1Mo1xFHNOsdQydLPbhb6ziD aWc/yVfCUWH3bs972JM3VLCKRutNEu+aVrqH D4GBx6a1ydJtsbAzKmwZ6UntJTo= ) 3600 RRSIG DS 5 3 3600 20141212121212 ( 20121010101010 44427 example.sec. 5zkHCXkdljvaiL0IbpLxipLO/bs7qKegn4aS 3XY95f7aCH9jsuKh2uDBDveJkyU5TCLLjwq6 RxqPpYxykXvt9x7ezi2ErTxeJ+BPg6t7kBQ4 LkORMTBcZeGX8i8GDD3ENR5VcdyrTueDiWBx Pgcs8l1N8yXs9o9Z2e6yiWCP3dGpzUsjcTWF iIBuMdSROEoB4lTI5+uLPoYu13odCisP7f2n uZcCJyIrnmsUAO/3gYaP+Rn4tJ4f3rYyIFa+ 1dqimIVAlkPM48NWFLT+mQ9G0yJG2qApvjni xjjR7H8iZjfkokn7v8oYD+s659sZ1p+ZtQEa V/KtryLRnftxfi486A== ) 3600 RRSIG DS 8 3 3600 20141212121212 ( 20121010101010 48381 example.sec. oXm3VWAtTniky4PqghkkVdndrSxviZ9vWIeg k/bjcAKeMyFViCuYZNwtKyq/GiDPKTjK+43x iH5hFzBiMZ4xLfSZULvh6koONQN5UP/UyjGo oAqayihsnpAd3jNt9vDRwHvkD3Nj7eg/JTU2 kQIIIYzsmCbAj34mnglaSep0Ms/Az37lzPs5 hYWFeW4k9fvD5QNkIWM5lJ1BsdNwVBpgLJw8 r+oXjy+d217hTSU5BzsWrUH+GQT731pk1neN k3JWQ7zh3YgydJLjk5ajhj+hxfCgoCgE6Bc9 xlBKNJ6Rh1JfIRBt5IfHkheMTRD+xZO4hZVw +QDVTvnhNjmV2sQnFA== ) 300 NSEC lets.introduce.some.empty.terminals.example.sec. NS DS RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. rC7wuuLqhJ6l+bW/sKlAHte1NWIb/JwiNHAB wrGHvEIeEXH/qG1rKuMYK3QjeUkIC2oiMXjj xodTvxPHsSMxqwSavndf5bJeMdJjJ7UaY8KV EmcuUlXP5Mbb0TyxER07MVIbJW54X5DpM0bl 03Bgsnw7SpG+W2AlvwIWZqJ8Xwk= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. 57QM/Ng2WsIIgVJ9f8FMCB99pw2Q2zP8NBcl GWycLFxgEEIrpQ5+MZo6oORsChrvORQU7rlv xEaLgEkfO6vS9aqXxBP60TSOL5k5XXtQb1Kf dCvZTU6CHWjGy4ofynCMjEJWTaKAXe6lhaHn HBnKhnTw6Kd/CzimHJAhFOISyiBwN/bjjwcJ mzXZaYS7mZqw+syBbUmInFrxgfvmKMZvOjPm mEUPq23UdpDgL6NEHPsGEr6dt1ae//xCu7Y7 Nq/q4ZiB+eQ0A6u/FSo5NZo5b8+ndZfgsTTL dF3T5VUzvZ9LY1mMmda5+QtVMF3l+uM51Y3N oMCURZ8o9y1kRgOe8g== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. rkUcLynqN37zmLl+S5Yu47n4OAHo0NKRFLUW VIODdVqV+HNl2wimJpmkusOmZielq+O9xjWp erdffAJ24MYAXObqaFSHizIRoMZVW0HwGVV9 zhuAjqVFGESd5Leen7sJ/B2Ari9Q1SPFyejT YvLVeFNcqqYK4AZi64q56waNfA7kWKgyCx6a crsYPNIYzcZHVtmuv11PWH7xKsZwqpU2wFMR h8rtjJb8qEYo4MmNNtXCmdj80Cq0haTuqv7n ESJH17445IDjvrs49q3ibTqzDTh68IwpJhca G2VPTAWdtpdx/q/CIAuSHRLxU93OrMTUHPqi gPFvVeDTxcPucgzQIA== ) sec-mixed-31.example.sec. 300 IN IPSECKEY ( 10 3 1 Some.namE. AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. l5GfjmKbBuz+kN5Zt6vXuI79OxxgUqd+CKMg HjuzrizNLaLgaI4zV/986SrnxiNn1Q7f6b/v IHKTfJCt0Cz7oZrz6e1feeAFeZJLDF4AWmhY nJmnAouu2bWXpRvGvEC20Jk8to3DaPKb+yvM pCXt1Pv8xZDIJEmUDx/aNpJGJNE= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. yY6veWwWxEb5X1w0LSomZjGKsGegq3jpuAvy FNl29cLzk3O6FKCEQ61vb8st4661tCuFeYkw Llx8VN34VHVHZnE8Bf3AXURjJPAw1exTWM66 fd9/htwG2TcaTDp2Jb05HSkmI1fQwKsUpYwH cXDGmVe0ClD4oOJ4OsTnUMsP/DjvP+p8fb/b jFlpUxMUBzybbmSsfog1H0J63l5jL266sB+b 8eCofztUfcX9omPZycT1p6qJ/ZaLYe0GnWeL JeMVHLVkP+iwIge5LcfNIZMXeeEtZ3YrnSAf WxKdWNh88OLO7vC9XTgnxDXRKyxPXSH4BwmR Rb1IsKIqtFvDli76Ug== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. yfAMmCbwB2JXh6PAjJxPIWVloV90O4VaJTiy DeVrY7QAI4iTHFFxPlPD0L//UY1Xf86X+ZT2 lD3X15tlOEbyZ72OhA/+miQNd3rHxVAip37q Hrkrmi6CtDNRHbxdExjE+NUNTUZH+zn7B/Za kZP+iT/eeV9lhbaExwk6+ACCxD8w1Achdo92 tLzH6cA6dVzFPKu0+IeD40gN4d8t2ghJgjJS D0g4xHhYmzwtHA6m5TJHJ2e4P4YuIgp/DCKK FARapMyEjBUQxS8q8Mn7D+ezGjnA6y07rmLx Ov2WoqgdmdI/Xbhpo/U0SrL0lghXARe6PucV cq5x9fCOuT8lSsc9Kw== ) 300 NSEC sec-mixed-32.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. l0YvQfuMnpBx9CSQd50J/SFIky8BoS/Xpl9a dCV8GF79Etl6S4/fY7k2VCr2CqB0bR3+Qj02 BtTJCqHMrPUjZHL4ug1AUOfPLlsWoE5k0NDm TJi6Fb8f0kPcdpLOSA8ig60b+zMVsyp2GK9i d3d/imAL1SUWNkob2B0g3CoIRM4= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. RnNJWYZ4RSDCxNkn2HgcT3/rIjaZZ/2ZkKRp 6tX+ZeWxqk+sRaCvL/mgM8eFCTifi053609l c6OASaUGfcJJwF5amQoU4icYOZV7UJdnz83Y ZVEnUD0ndY2Ix++UOeRCjk2I8H5GfhkL+Kaa Acf7Eg1CXN6PthcSDb2S1ver2QlOm0yuM6A6 kJ4CMMWoEtjRAigUGldTQG5Y3ZLoDjhbSQ3v T3e7nncVkLib7NdTHmkpA8uiV9WIIC7fchpA KjIkNC2OHFQaF7f1EbyzbLQ0oJuXEYwcANWX WP9b+nkXhlIXmVEtpHMtoM+L5enYwfqNs8WC NfzISWHmX+GO966T6w== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. wLPBkQlHUAzWgeLiU0w2fe4eCJBJOU32KCPN +7Dnvv6ulBgcuABIZPNg3QSB/RoMt8RqIOSF DOJ4sWB9Q632AXVLQ0zjfWRxj9oNvlFtKI02 n0zK3t7azjjAYNDiB2nHwT5HPaBrOnT8Ucel whayIs6iArpERLbk3IuLgux0VRjIfiC8eYG9 CyYQZL/lPtaJOe8bmXpoJTPGj/jJLFDwSIU9 pID+nedbWSkS0O8fVYHLj8evvNLQqAGhXJLI UKrlGw+siO6VrNp4iFo3k84XJm0ZBDon6Nbf 8q/6wN4xrJmZkRH6Ljvn4HVAamFUXvG62apQ EV3rjNRYeQNSbWa0gg== ) sec-30.example.sec. 300 IN IPSECKEY ( 10 3 0 some.name. ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. rAqWyT3TmNObsQxO0Q2FnG3ZlGAwYkZRCYMv EYuVBhlaaYA7ZDD4RprckK43l/MGPcJkT5h9 U4vtJQXnNztWRMpH4Z8jb2LOU1tZzsBiHNjs mQcYlCGmBRXAZ5yi8DsXZTXsjo3iSKUxYNQF GoxS17+zY7P2GrGdVxDZz3K6kXw= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. AfB4UY/rL+H/dMztnW9/Ajhv7e0DTQ+f6hAk PiA0CphU2yQL1Lv6R3X4p4iKWz9CDs/sa37C QlEAoBiUGMqVpHO8vKHREcfn7v8RJCtvzhOz ZmuMiqWsCOhVkS/EJJtxIAyeYVeD2fABWwV3 DfmG1sAslzN1SrGj9DY2LiZch3FbyXJRzvTt s5wO/8lnGSj4ws5DaiNMWKt5vvkZneU2otiw 9EXGBJGIAyUpGblzvlsasMQ8j6ixrXiva/yX 4KSUCa5fNWJfgYllNIzTaEBZkXwcdUYbWvJe bA0ZN6J8ObsnHd2hBLDV2QBl+tV63J4d4EP5 tMw/XynRxYFKW1cMRg== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. tMBxGjqgyirIdIZidMt74conTmA1ZmTDZKKP 9m5HxBTOG3+oMHsi4KOETVUujTlRFMQruL01 Ii4enuob2MJuZQ8Uw7I0q100KaZzBzcAdSaK IIcNWGEThNw5fE9VTOMLMnVxJoJZFwlpDnZP MF26aP+apom2VLMx6t0TYpKAkKYjln+TW0Xb TaKf5lTW9CnOEVLEa9YOUojGFt5HWyz4X0cc LrjH5f1OV3H/TCIpNENr7u+iMBUqt0gfF8l/ V3Xa8sm+R4YDII8Zkmj4rIbPzAKmqO5uDFMx shYjiTxued2fAw2a+4dqWMgCbOm1utqEDE2Q dp70f7dYLTy4scQy9g== ) 300 NSEC sec-31.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. IM5xqIiOsST2LlMPAdvfmwhXiM4xBsVEOMnK z7W6bYj/R22EzvC1P87j1RlleeHX/rzd1jvR FaDTOWu3vbRO+Z4tfY/TGZOJaocIVqidsPsO M2yWDhRdWhhgq49D0RlfHeSQb7VCIM+Sao0R tQcOqb0HoXsCd1JXdaVmLL7MRG8= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. r+pgljSgBNKaECIwN+MfiquQ557TXPfsYxUA 1efqX2cbAlYTFVZPuPsTXSb1frWtdCHzCUeh QhU0oJlDqmgT4nvPyXBnpmvgM691TnZz8Zmw qZP/kE/m4bjgs3KwKXlUsDcW7iTmI2XPfZmX f7BxuBrvV87DS2x4YbHhfshXhLiDdV5od/nC aNLHrbQlYKaV9uWMcdggcMuaGxHn6Q6VgFMX IAXhA6Bl7jnogVjtbE4rCE/E2OaPNoxJMIJ2 TnNEvroZxtW8ctZURG9Q8H4riIfaqerPb6hg x9wFi/eujNlQpE/L1RF+EMmyRn38mlm4W1z0 10kjKRjbQOWUphDG4Q== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. lFP+AFHKPP4KOaZXDM6yiQp/OYodqhojrTkA ZBdLSGoAZQAGMbb3uzcQUQwFuua9mBPANnsw kHYeyKa67i8CXiVfWFN1bGQ7KCxcCJrRYm5o ePKAf2zoI8aoTtnjROS6CpG6lS2XK7zuc/FB 7oBiAG/QPl1gyAWwvk2kRTjxpVoDwyAQnSqe hVxQtdOt7ahOmW+xl9xUQcrLURbv0lanjjyO L0PCnr/LbWi5q7a0VO27QgvOReGJCzm8sCdb 3aZOIz8c6rpahqy9WR/u3mA2WkN9OxMsrxHi oETHOaKPzg0ZojW68LAoh2YxSjWaiw6P41RQ 5qL9Hh4i9iU5rUrLag== ) www.example.sec. 300 IN CNAME example.sec. 300 RRSIG CNAME 5 3 300 20141212121212 ( 20121010101010 516 example.sec. M4e9BUzl1pzv5jJ7jrIxpIgU6UhUnyFJOGs7 5LNW93WKd4Edqh5eeStwAdpKzLUN7eVQaYcD +wCaQ7MfazDqC8TaVGRRVGmhmsZkBpZXgQ7I 2eETGSY57rMqQqmDYs1dYHIi0AVDDA0/yhFj BlaXl0aqceouM61vU2ovtYI3EIA= ) 300 RRSIG CNAME 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. cLYw1vhsQYUI6NSqvwTT8s2CV3atwm/rhekg nUc1MVFZFYGYrxgPT2KAZ0LHg9onbays2kZL wrn2X5VW94eOwhDaA4Kd2wpO0hbuKSbLWn+D HxUtAjdLDjQyXH0s1nfjYSMrjY6BeQWsOIWi 2Jt6SCEEt3oZhDWmNflKk30wejR/03eRAdqn BE3X7eZPw6koEKQQV+djGv5dK5d6D9ywcAnA tdiE1cCQt1n8daOuVNB8G2ab3NrlPGQ+yzHF 8rdLiNS4OCiopSrk4x5m3mQykzJcExbR3Gb9 VSP5wEWkl+GP9a6eEcY6AHWb0ZAL6bnyvUFS XbIX82ewQvjLzbahbw== ) 300 RRSIG CNAME 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. U84nYJ9iha0zulQtgH79h4BZy4vRQL57Y13P e+yGYb29AAwJTR3euJWwtKtWRxyXbssyGiBM KaLEEjd29VXLai2ZnWPVDJ48TWHMORj8G4uJ Li0oEZMuBBhIUgYXXEZTQ+u9hw46hiIGGzhF A3QEDOfxXPzi5gqgVtULXbTaaxRptHoSToX+ 6eANmce7lN5O/bjGWANG2ngf2qbhOBAjFVSW UjFQJyZOME9/VVfqoLXmlvP7sBWSwJCIdVkl CkrYUgcLYT6gF3Ym1FgHqVnYOiNHL24PeI09 1kg+SOG5gU24RIBWG14zSpuztU1XCSsje/D3 OW1jEQO9VvTQ79pK/w== ) 300 NSEC _443._tcp.www.example.sec. CNAME RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. SFkcGKNRIqjuOPIyR7rPoEmNj/1FmJ1KISfL zFVnW4zFsGMRAimqX7H3WhVj3JRqtglEA2M8 4RCU2gr2Moqk29Ef0Ab/t8lxCocR0VTtd/ui 5f6ZPCoNls/cVc0F2shAFy9uACtg/vOQ0JOQ 7pL3DVLCBEeFwaUwohlgMEdyg7c= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. uCFXDUkjfk1oFOep8G8zz3Gzcy9ERqRH8Y59 syns+HIL3BvcTE1/Ay53hojkljKeQljnvIZQ dzluDtJEj+BlMNjWgfem08VSHQ54eaGEWZvT yFSAPp0SuXbXPeDrIxNzg0kjAKinkVv9rWef p6WEukS6exUJfWkIcFhYI8/tFT+YQUxxQE6s 7xi0IPOldV2re3pJnH0xsptQlTaVZzeVgbCB j+hbATX4vv6arYcRbJf5RMmpqU6Hx439VQyg i7bxwElezV07BmHPG4D5wcKW80NYnONQRfBU xVCx4bmeE5aLnTJB4PitOVH/t+FCrCywboMC FkcNbOeM0uBvx9xePg== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. eclin/1XUGbVezE0CIM3sNn2pESSAonyfnyi EosJopPabPNoucHsW1mXa391ErLx5ua7nxL6 2cLdZwxCamGiBWxj9p3ulM9tweJ+BRkEQTNu YjwkphZlCo278m2ZSbVz3wA456AUNyid6tqc jzXUG7xkKcLIqNGJGuPR3Gc+M1ouLZ/6MsNn 2VnbsRJg+bqFrccd3F0TUul02td5OBI4FlMn xB77ltqZo3mkIUgwskgoTrNRb0otJoxlYGVq 8V1qO0g9Gi4LCzanK+s8CYaE+ImIOV4oJz7G UXS0LAuqIEJJNRWdpeLvRMipYNLzAppAZN4j IaCXa9pE7/iStJGRjw== ) _8443._tcp.www.example.sec. 300 IN NSEC example.sec. RRSIG NSEC TLSA 300 RRSIG NSEC 5 5 300 20141212121212 ( 20121010101010 516 example.sec. rT7/LuOh9UQtWIl1QJ5d/Qcy/YJH+kFRI2rF nEII1DR3yEuAuz/IQBwAbN/Q9RUXdt98Zza0 KobvN8o3QVPUkXouJiS5D0GJbmnhU9YUvJoP gxU/ONagplm4eLB8Ehqn0U2z3sOPFuf9nrKH MnadGiVdYMSeqwM8IzWDhluk0GA= ) 300 RRSIG NSEC 5 5 300 20141212121212 ( 20121010101010 44427 example.sec. vZ9JMfyjj1tPn8z1y+87J93N5ZfJIxl2ULyl huGe3agDcbcvCoqW1G3g5j1Rpno2WYF8O40w KVySTltRQtf7EuiEVsvYw2NqgfUaYXbv+xLx wQ3XX0iqBQslY/5GmptTTqKoYyQ0ooWseN1u prLpoNucpKu0k+muBU9tRk6v0NGU/FZz4lwp ozQNVakLHeZlXQZvyZWerg63/dxhmJgaTMeX TGorae+9X8DSEvLxk/CWbEaFHWXlLyPYnat0 njeN5leMB15JJfA4Hfa6IrMuRyVkO4GPL8CX DB7YcwELt3A8PCGds6FT6l2Oe8GIcdb4qRQa 4aSgi6kwgAXvnHPnZA== ) 300 RRSIG NSEC 8 5 300 20141212121212 ( 20121010101010 48381 example.sec. aeVnnhP5UQu0xtDzs0uq/2kcvsAo2lXiBsqV 4dAmwnsdTQFkWQxa1JyqZar6AxRpPEJOTSOB rmuOApn9YbsTbfHhG1/Seh+kKyJdoEQT/oiZ xb6x1tZPPtoyzD5cjIlEVK/mp6e+C8l5sXIi EnonJxeKmtPpC6L+V3wFpTnpNG0OQ8dmcwZF mm/8yKZoT2P3fTmwgQ7IIO3hJ2hmAJJh88aj IxORQd3UK3A1lPcXLXBFKmi2hPCWPLR2oTF5 zG0sc5yGmqDtAA8Y9U5Gjfh88fbdiQu0ZGLz MtyaK9PrwLJUoY3+KX8YXQC1WrYOjmYZYgGI LEgtHHbWKUZuzdAihw== ) 300 TLSA 1 1 2 ( 92003BA34942DC74152E2F2C408D29ECA5A5 20E7F2E06BB944F4DCA346BAF63C1B177615 D466F6C4B71C216A50292BD58C9EBDD2F74E 38FE51FFD48C43326CBC ) 300 RRSIG TLSA 5 5 300 20141212121212 ( 20121010101010 516 example.sec. a6fW+/Hv5PA5jluWFZTSn66JYhM/cKlfWcrB ZtSqAVvqYrMxbARcqMkVkQN8W0eFiZ+6Pqpz cm2jpDLPn9MafMBsM3rc0VxhHPssxghDXAO6 eYcyf6HOkw5tNimo7GNXfxsVy0W69994+m6z wWKMTm4gLS8ABjpndjxQpPDSkdM= ) 300 RRSIG TLSA 5 5 300 20141212121212 ( 20121010101010 44427 example.sec. CqUhSqFjikCArbLTOacgjB+RK9d1p20eu7ni kiQx/P0evcYvvLwePeMJZntWcaDx+slpqf1G YoCpNGfV1T61JALjrwyjz10hdEmFNQJ3H7yf Xp29pkK7AqUaDDhk9gvZ7vGyaYUOhLUcdb6O zr4ZFn/T2W1vN9Qj+KklxGTJg9jIIdxeUJOo lAx6UiKE4xDD0bS8sQqG4Ec8+P07/oKyjZR4 Wemsrh0TzysiOWW8l944GX3oNQVHA0Cl1RaN HWDp/OhMY9+dsPVtP0kQ3tivyFV/ZgDJGyQi nZWgeLtDhdUo6fHDTWTgz4tOtNnhPC0GgLwB S1IOHv28cPRkn4Mc9A== ) 300 RRSIG TLSA 8 5 300 20141212121212 ( 20121010101010 48381 example.sec. OJTlC1aiTM9UwKHbSFe3q3a1oYdRRMW10lT8 gD4boY8aP2dgWDtaMG3khRjSmSessmvHGw7x wUnOnk0M3sY4HnXwK3mioWRNdyPC8jYuZJJ5 w9QBEDVvpXwYISm1hi+WD+Q62VeEQ+9Du0uB qKSQKiFi5FE51mYNKmnjQUkoJ25aZ8ykGjk9 LStfwcxX/uE1oYpsW1eo73ry2YSxAcUQNMli 3BiKHnWV9uLz7Z+YBlSkBylQposQfKCVVv9W Ipq3wyL67dGXRNJ/zdOFVT4FYX5k6Aw8QOkl QLhF1yPx+fVsuM1Ae7Cmq2Bjkr+JAVvRVSBE sxWTVdJmkaTv2lK3Jg== ) _443._tcp.www.example.sec. 300 IN NSEC _8443._tcp.www.example.sec. RRSIG NSEC TLSA 300 RRSIG NSEC 5 5 300 20141212121212 ( 20121010101010 516 example.sec. oKnCz9oWOO9OcUxeeOOPe1pxPnLVRq8k4UKz M5utgsqU687xWJBRtzRwDz4agyT1TPtDMdvm Df2v1pXvx8GgdDYTJZmZTv3lDJ9Nbwrr80AO lGQZgajAbKrMUiwoE9kI5vkPogx/Pnh2JAgu q8hpapOMtMdKdidkshH7RlW2lDY= ) 300 RRSIG NSEC 5 5 300 20141212121212 ( 20121010101010 44427 example.sec. kNbqHCDsVwRs+7jMZ9Q5XwbeDr9xmEg5VZxU 9NViIHZHqVd/JJQGCwWGkY5jcToQuLTJ06js 2nBsPzzAWNDJGv3HU8Zp4ktYu9HZ0OooE4Fa zN3j1uuqqHqPQGzb8neeKzEcqbV8m3KIWtBI viSSQuoXK/c2zERyed56rGJb2J+TCKIlMa82 ZLJpzVVrBFPWuKVtpG2lN6ffs5/HqE4+7JiI UmEhqukUPMeXFcYoXDFx95VyzuIUf3mvhLDN 5iXsYTrbcXEN1rybnrfO6esraV983hxvx65S TuEiC+4us9O73NzQQGQVg/FnziSBIPayU5eB 9Qj010JsT8TuBImc4A== ) 300 RRSIG NSEC 8 5 300 20141212121212 ( 20121010101010 48381 example.sec. sY1MZuqEvrzYlOCuw8GKrupB1W+E2djH+hYF b8NWkS4deq21EEXNF6KM66npXaALn+e6Jt5p DCTWdxmJzg1V7QXD3++zLREp5L8ICH5OUdgX Xl5YNwxWYj94UcO64oATbLdJ1Y2OM9TMDRvO pVa5OOAh58On24zJqm9BowvGGo13nJN1ibIV lCQc4VThk32kYcn3o9/urzIF02iovp+UPb9e 1GYLuCiOgqYqq1te9UAHv965Dz7VKOSG3MuE Ni1lZdOQnZ5LBe2VyVCq9+oV3Zw74S1hevWk Fq8ixFLR+fc+mylEeIVbKEhpGfWvvJE93lk6 Vg9n5kpwhkeM1Edbzg== ) 300 TLSA 0 0 1 ( D2ABDE240D7CD3EE6B4B28C54DF034B97983 A1D16E8A410E4561CB106618E971 ) 300 RRSIG TLSA 5 5 300 20141212121212 ( 20121010101010 516 example.sec. Q1nMaEHS/5pGGOmds2suU9kHpm5oInEQU29Z JNZ20BWMq2hb1C7GMGJCmB/18IvnxTTCPzLV m0T+9lQo7UPdmNatQlBRFLM1YjPw5KT8CP6m 4uWbSbVZWtGN+rx3gon8OFnTcgh667OBOkQg kPBd0yTQY+rTjaMfTcP9EunJm8c= ) 300 RRSIG TLSA 5 5 300 20141212121212 ( 20121010101010 44427 example.sec. d9kmVufd0Y+v0RQ2zAOffwc3kzfcHoh/ejYn NobWJB+jrGM+VyG76BiTd862+Ij67kKOVYY2 w4ToTGDvRqCw4ZaGfRt6vcCnfrg9FlCOjwEZ tpJsuf3BtzQXa1bSwJwNC5UBHiGhpD7LN7W0 G4YHussYcu4w2iFZTif0TvXN/gSYSDMliTHA 5759FTb+MfKb84Ccp/YSKKebHataTXQAYWd4 6dr3IeYfjVyqQg6VYEA2qHCIJfsRxN9gDR5K oCzN1bDfatwSO5eV1KVuRgV/adHiPApxpfpR 8wPf1Z6Z3RnplVJdT/jnY3SVA/PLzsS8mfOF BF37wLnLKc+Rp9qjbA== ) 300 RRSIG TLSA 8 5 300 20141212121212 ( 20121010101010 48381 example.sec. FTCh6C5jbvXb67BRf3nJgL8iStbsNMe+It0K 2v0GKePaE5gzsrJToZpzWhytVA+OpgBdWkAP IYWubejwoGXYp/EDU1FH3SAA3zV5N2W25lfn XULsEWLAr7gCpdeamG6Zg10qOVnfWYB6iSaq xisMO90+luZz61i0J0/wy6aVtraTrn7s+Kpo KHuZdV9hWZzNl+1Uuw+hEzBiWxEQK+0VAh5X 3mMqD6f9LgfqaD2L9pmyZI3Un1UBFn6qbbfu zl0Ff149O/9dfRHFrmtrNJBnHindLFh1sRMZ yNXbUcoNrzwfQ/Q9Uzq/ZCGKntrWLB5mHWBx bJj+v7003y9raae4vQ== ) sec-22.example.sec. 300 IN IPSECKEY ( 10 2 2 2001:2010:1::22 AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxo QqJP943gqs4QATtnJWHQ1SDWiRE2aXl7SJoy JAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt 3y6xImvMjRqcobreI351nbop04aBtP7o+r0z rNQmy6FqkPiI657FMEdF1cWJ2Q4lA0Pymgq/ BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vc L17OvU1ksLs9/9hhAbYYedmbAAGmAqfICiLB dOPCbhsCUyq8dTa0FaEinyHCJSHJWVZ8dBpb br2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougs ogj6kPdSSQYZYayHzVnl8NFQ9uCwbRTryepP zZP5Vd2t ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. LVpb6IWrv/fkkbRP+/U/4i3za41GlD4BKBgc U8Q272YAusl5Kq0qvRoOvjFqRwbz0BVgtdj2 C+BkaKiPs75iw8+pGct96WQHHPCitNxtWod8 ZtV39PgnRO2XqkeUDxXjih179ax8Po8LFMyP aqUkkXHUaOyCVA6pmukDDN0JaGo= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. 4UrsGwZictKFk5BcOJTTMtg6VADhPm6v9CHl S3czYvvqFxAmV38go7uWorWhgQJhAYSF1p08 Rc2M21ou5JQK2M1ifJU7CoT3iyMicRyYgMJl qpa2O4s8wjf4Ikp5n3E7ir34F7uOkLHGDj6P Ll04UNf+5sZnMTqXErJPkxFDG6OBeR8PWQvF DXlbeqlPRL2P1+AmA++tr912JZPTNTsykWtv 7pcsv++MB6MZ0c1bMzqza7HAh9zXiKFyS0tL FpWIUN88zdau7QimsIDXSr5rYJ2qRS2UP/JJ RHdCGsjNPkw/wEhGTnvkh7XW5c7c+pG3pt5E ytiqkkeoM7XLUCSj/w== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. qXvlXC9E4JCVNKb40BfrvSW1DYkb5MaqQ6o7 ds41koCGdmRSPsFp9W3Ut8/mOGZDLQvU+0sM mRGDuz5CJBHFCUuIy0RqrTcd1Hvb27aptkhr 0t40iaRQr3nTZpYFwV+3dp47ux4qhbIg0s09 8GB0VZSfmdqvdy4Y5d5p/QzSka/F7it05nWJ IewpgrKf3aa3O0srNwwVUi2ZXzPelibx1J6r o73nxNmNYp8uWkY2tXTvYAfbqvq0+rdUv8H/ LxNzKDElvOcat4mX7Wp+Uftp7jgizblFtqHg cASPgfKyNZYGPx5pjVPKbffz8o8XtXZHbtOf 3rftFlPcw8fnCSMCLw== ) 300 NSEC sec-30.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. IevfxPqRcQEP4aKs8xesSnChDAE/33+a7v9x Uh7eb5CzHJ1PGqwcjDAeJyO6Y2dU5BzwAXv8 gNm9MsxRYz2PQxy1rmqYB0aBt+vWHbRUpksP FWOHeDN7KNpszF3r9DO4d593gbckjfC4a9t6 wpkvsxy8bv654YWQAlzSe4X1UN8= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. FDC0BlhPEF+0WO1Ft3C+cnUSn0Hl5P7Uc+Ar ukmVZgYVY9ChaujthxcFwwJ+fuNIfk6fuu2L Lr0ya+iuuOpUrMxF/xWxSnMNTOhrysjA6DrQ svSGZGHJPfRcTR1hPZQBiz6wl3oxwwUE9uTR O1J7IDHsL2sZ10jGVIj9YPFhPtcAFUHGMEIt qeauxyZYOP/IZ0AxpXClQ5+zYepHnbcigebE cn3FDSgxDDYHJDz3C9ebuXYzmO4+X6s3wmbQ JDgSFSz2hHdYTv/vPkIkBYBJ4fOMSV+LgltC LnyE9u7m4pR8Q+kijkOD8LU2Bh9++SR4uC2+ Et80y6CO/wAbDGJR6Q== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. S1mlTix9jV3mDmRk795AWNBC+ylzCsWXkArn CK6wW7xXdi6vtSnvvhXzov+zVHZNAMwwBkhJ 8YLHZcjANtrYHxgre59bAYahwpTUR8lqjJYA RnKvVjGcGZFZPV8CUcY42A4iGCgvl1UiO7Z8 m9VzxPJ7LjaLBLhYzdXBqC+SFSyjpz4fAJDf J7juj1rPhb5OnH4Ca2nEWlwQGn7enesNWkU1 Yd8QslOMrvbfzmlzB6JKrDecO1aMz+soYbmr TeW7A0VxVvFNdudFtU0fjRgM7lf+IbGEPf5z oQT8kYhBG60XHITDaEcqTQFVN2wPayYUcPji JoTeGda5m0g35bZPjw== ) sec-00.example.sec. 300 IN IPSECKEY ( 10 0 0 . ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 516 example.sec. enZEx05BNsmnCvan+Bhirxn9/GJel5bTDM42 eQV7dH0VV11kD/QM3JdhpCmJASFOo1P7puXN WWvRkCnSyokSMwDkOiBBHqzA+XBVKCZMoLNV M9M5OJbXCaOByzHPlJEfEOisNsXHNqgFJzXb 8NuNuTLUOHd+z7vAt2/y2rsvmCk= ) 300 RRSIG IPSECKEY 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. Q/uFwU74dwroyXluozzM/VZfPm5YIslvHYJ6 IPoVOVWkaM8hiYHlN+IxZMuaCtRK9SWyHGZ6 ++/hqeBW6KezUcpBeOpE49tqNS1lFa2TQCIN o602Z+Uq1ZaNsxNRzCen8nh6aPk+Ma3VMQeZ pjifEf3LKrPNOqcocr+vBrb/yTP4Ns9aMywK Whj18XkkUvZ3Qwc5dmkY24Tr//YlOKieyqNv k2k1HtU7i1igtIa8/EZ1LSID3P1l6MhnSoAc vHmqcEo50kZiHPEBRuP9vMxeLo03C5ogetcA 4qSlUsz3PyDKSNXLTn5Oy6WzdnrlZsaQZml5 tqE5oOqMAn14NWkZYA== ) 300 RRSIG IPSECKEY 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. sWztwS0jdkc+wToR+bYvyH46tiotZ3W/YdsD b30HDNZovIjbKXNLofxglzpvg6EeRnuZi4qD xlC38uoE7Poud7N4l0d7hQbQkz5gdSbHlcII 1TmOAmNNyYiE/7kQHYyfpHPPC48p90bSjPOJ S9bHdKKW925Vp3RN3MfI4dhNNH+o4xqPIiLY ZB8jwUHh7zbs0EgWbFiBCtiPsaAq01pAwWp7 RCKfJ9w8wE6dq505icDTLhBrWf15QYPNDgXC zjLn9pmT+YGWhs6hgPiW5/y28nbiwID2771P qXy56JjbqSgGBsgHTxE7iBnXr1nyOFrOEyUH V+YrBe5waLIpgn3MxQ== ) 300 NSEC sec-01.example.sec. IPSECKEY RRSIG NSEC 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 516 example.sec. L/At1YRILr1Obw284RFZlWU5m1MCYtjJNg/B XUOlcATRaiCPCA4ugZSJz5EWO3j0VFcgMIHN ynyXm9Ng3SoSO67r5KI/DrjhqdXQDWZ5JNBM VrJixQpE3Q6pV3CXvHd9e5z5WZnwB1Ns4p1e S1K/FdSp8uLotwOpedUPS8TEb5o= ) 300 RRSIG NSEC 5 3 300 20141212121212 ( 20121010101010 44427 example.sec. zkP9awQpTKHAzBEAY61Lvbhnn2gEtk4EPYkm 4qxVfs9Hcf12X6qRtyK2j1Hb/WuynyhLaZ9O 71Zp6isKaG7+gTBGSz1RF+oEcRJRl6r3iRPz 0xzL90PcGtREtbUUz/N9BXDbYT2/w3kB89up KewS0/Eb8zV/63YcJqRdurzk4FgJdo5kUb+I Rs4XdZMHMIF5UEvNuKocsevLn1ldP1hpN3a9 SFhUL7nsA2XdKRcEPA63MUS6VYYv8OWCKPds z1c+/wvBHksDiGe2+0peC2f7rS6XMoULl1hL czlYssdSkiQveN/K4pQQmUssBhtldKIRq/63 adQouGFFSMuEdPL9yg== ) 300 RRSIG NSEC 8 3 300 20141212121212 ( 20121010101010 48381 example.sec. Lt4gdhFZgltCfgukt7w00G/Cg//MJBLSAKSd gxtXMP20hvZ4QvSCQ9KSGwLq5ntnRMzQFYSv Ew28bIl7SGW4fAPALl9WrXMyQ+WG4Bja6E7U 99iYx39j8ZqmTZO/Z2OsH6xM5TPJFO0x/uRY QEBeLl7mFVljPh1wA5NmMw9fRJxSsR27t0ne oelM7uZGYPFaPYis1fWLeH+xheLOXeV5QvHr MZ8H6xsrSXFhdr09q9+SRuWIFI7LG8DLeiAV UaeiJwd5HTbFOEL/x3KcMH5dUISseyYZmr4+ RdE8KbTgv/c0xG97k3q5bne9tiBnaYsI+0Z8 hBy+OVaiQ83HIRpMZA== ) t/zones/example.sec.signed.with-errors000066400000000000000000000675201265465626700203770ustar00rootroot00000000000000; File written on Mon Mar 21 21:09:05 2011 ; dnssec_signzone version 9.6.3 example.sec. 300 IN SOA ns1.example.sec. hostmaster.example.sec. ( 42 ; serial 3600 ; refresh (1 hour) 1800 ; retry (30 minutes) 604800 ; expire (1 week) 300 ; minimum (5 minutes) ) 300 RRSIG SOA 5 2 300 20121212121212 ( 20110321190904 516 example.sec. JMRbXaDnvv39FoonWE688oliqrw7xe6ZNi1r AQUkgjlZGmuNcCDlarDiQHUu1O2GBizRpv2o nh+TFfgqn7FrT7mPDCj5J04BuLl4x9+CayG3 jgdtZ+UW8UUu6jUO/woEsbmdB3HrVjI/UWGC 7qFMaz+i7IxCkMLTS2Qh65Dq74U= ) 300 RRSIG SOA 5 2 300 20121212121212 ( 20110321190904 44427 example.sec. Iek/aYQDuBxFERq5RvLC991ZBqghy83rWaQl xZBz7qd57A6niAWEeA3K4/pfo8VxTVT4EyNw DHWrwDgrW6UxL8mPV7a41XadM7pRPy0zdfrz 1WXrE4sW8miKmpgJ0F1/1Nvtb1oGlCOjTQph IZj/HDrhGBByswk74Rbdfruffbk1H5jM7Fl9 OzaVA0acR0eU2bZwQGIFRXWMqNAlf39noOYb L1fXmiFiwZvWAHdowkwas3Ud4xN2DsR+7QbG XHhU9xvQ9kI+06/RnS5gjAPqUZT7jVn4ipnt TejDrDnc6Ie3YnhvevSpwEMdbJF74NyF6Cfc kbxB0eE1wGt1+0CF9g== ) 300 RRSIG SOA 8 2 300 20121212121212 ( 20110321190904 48381 example.sec. V67XuvoMw+ah8RND4CPMS8HRDPlgVAYg64Ut zT88oQqHQi03GLYR5DU153G7GbqsI9+k7RKu By3by0VKk6eV8ELiI12D+QObEbfzF5tGf6JL 1MlN7K8UGOZ8rhw90FYwFQrlleSDeBkQbHpk 1I/FEe8/RQZDuuxFTxCm2+VQfC406wAQbQDw 85p265NDEtWdOb4fYNziWuHDy2HPEsX4g1BC Rs/9azG9+JV3DAcIh1OhVqVSVRlKEn5e7DQz g2BO2kuOnSmiwqFdDwtjgHekfeai6kNHkL8F zWBlzMgulNLG0Px71FdtLyOzFV2Pt3Gumald gre9Z+7uX+q2uIH32g== ) 300 RRSIG SOA 10 2 300 20121212121212 ( 20110321190904 1862 example.sec. eSWdDs8UBqO139MIjl1DEzuaMiXxeys4Rmxc 3NNVonB6wF1wOLecYY88fxl5q2En9/Qx5BfW bTYPeRsyy+o1u99xRqP3nhQaSKhqFTuxE+nN YKX0CcrvlD4Z5mGtgbNSSnRiCXeLyYdCgYCY e1EoxSybp+3elsZU59/GBgWDXWybcQ2X+4id ZwdCvIKphJGvgCjg31shT3HRfzloasH/ur+C yzCIDW5VJ0atzI6m14dcYeX67DzrvjwwXHOw IgSYuQJrNBODfhHl5DIl3FNTICah4tJdJaZ7 Qnm8xKmiHcwGuLGIA1BG1psbwA5QUuRwNWmB imQyoXTAgDWVb6blJw== ) 300 NS ns1.example.sec. 300 NS ns2.example.sec. 300 RRSIG NS 5 2 300 20121212121212 ( 20110321190904 516 example.sec. TuA7snYtya2rLvT4a5kUsSufYqU0PvzaKqrs Rbwii1zaCezF+E88GeL3Q8mx2pvpIpxVoiou GniJvvDy+aV2DW1t36Yw3CR0dq/+WPjvGV7I rpQEc0E/ezr9m1bfzKq8+m6tr4clMMgm4wAM f+ydfBQ0l0r8KzVlhsQs0h1eMHU= ) 300 RRSIG NS 5 2 300 20121212121212 ( 20110321190904 44427 example.sec. TGMqywohvD/l4jhHM3dyw41dIu7QqPW1lK1T iXqUuFyRgns4twJicCrMAceWJDnWQKScTNDV M11pcpiQAvIqSC8BiX4ARP14z+UblQixJB8u VzpHAWY9Sz4PCu82su1ZkS6RGXyuzuyk/uYd qykUfrFe5YwrDamnmcPCKMomleWdbXlfYQhW TbmF+ZkIQ4jAlPnA7YCIM3fsEFNjbFhX3FqO uC1JWO6NMrOSHRnqGSieATXKaTzuTY1m5N37 YEIsvZM2xu2spGJ4uZL8iab6gQPBkEjwWbU6 bG6pgJBB2MR70RfknaUDSmc/3RDGtBA+qcFb AsYeT9b3OkH8aVXACw== ) 300 RRSIG NS 8 2 300 20121212121212 ( 20110321190904 48381 example.sec. nQFmWKSC8DMsTfeADlp0EYZh5z3nQ3N4QPl3 CdUbxP+T08z/FD5n6gf0EsGbsP9XAwWk2zCq rlykEcm9K5Y8tI8l4isMuCd3yc5M83/zutjJ O+eoRRPTGWisaaGiHavDxUuBUQ7ZeqNcbX4y RPn3zCkfyB01hFIxi7VBiH8XEZlcSHpanwA3 euMje7SjFk8Tz7o/wrKibo/l7sEycWvOH5nS NmaWboyvOnEGdxfSp+PHTmagN/yYIqNHO6eC SNtnDr2EuPWI+VSyHJDm0s8x3eHWPTO4LEDc fhh/OGTVzanN+Vlkj5x/GNpT0Mth7s+G9Y0v 0zaRM2KbMyJVFpMVlA== ) 300 RRSIG NS 10 2 300 20121212121212 ( 20110321190904 1862 example.sec. X+hqBTENZf9j37ts7EdXWFE9kVB372XNLcFk kPlGB72HhLCgk5qQPId71CgaZ2yTva2hH42r FGhB5DzsLfh1nxRhzcEGvEq49ATuGqsxm8HA XXpE5gEfwnmByLoj0/b7MeIorbANGLGdxgpC ZB/KFz4DQuNeE/CBNVhTLiPiOOqqCVTDcqZx IslFUiLCXS0GZ62ns/W/lqZ5uWomVyhS+KCZ KSx9CmopMLTUBOR5j6zjC/A4ZT6mdCHHotvy N+Cgm6PJYPSF+sNI2zbAYtDGhJevIchQWtCr HQB9KgcqBHOVF206PrTbkld0g9KQkNkZxqkA PkVdUCLWIPLXNO5xbw== ) 300 A 3.4.5.6 300 RRSIG A 5 2 300 20121212121212 ( 20110321190904 516 example.sec. AChk/3WsdJmFRecdw0c5W4Fe4i0KQn7udc0x UuXMXQj75pGfDOIoXL3NgZfCBsQemWg2D60D 61z0aps4NYjGEPy51nLhGWX3K8YG+BhEia5T I54qcxevzkYyG1Bzk5RSrpctvs1Y0CuxwnTt 3kGqArAUxWmxAvia7WqSn13/r5s= ) 300 RRSIG A 5 2 300 20121212121212 ( 20110321190904 44427 example.sec. bdr3QPLEGKOTRWa+8QiuoHpMYbS64feik7ZN ro2B/ueKxRuPnqj8YKaF8sgmWbYWxaL9MLA9 H85BfVYEH3EtU9QajbXy5zpiXki/qz/Zts9w B6/rWMvDhlHFFh+peEAjH9YbNGChcw20fgQI 5OGf1f7PIFFZsm8Gm+kWS6XQkwyLX8kY7//S 4kYtWfVKffYJjAXTflgNAfIJXyDrFvXa1XNe 3lbCsmdDoGNJW4FOo4KaJ2rc3OH39+3BMDk9 Xl4hxjCkNNT3QnITRJ97Vo9DngXsTyFYXK/5 ijkl++xhaDVOgU0QkLwbcITbqO91hqI6JE7U fDmdNHzRL6XgLUwqcw== ) 300 RRSIG A 8 2 300 20121212121212 ( 20110321190904 48381 example.sec. PV2SmMFdLY5MSbSOlpLhxTlEv3p0M5PSbTKZ rdM8Edd6D55uE1YOTcSuugFpwlB7LVzCtONv ucmVUrzGzJUT0JbtlWd/Hx0axCLO4hboedkr EoFnGsEmQv2CwHienE0y2KRyLYqcxGeOiZ2l OnVofupTl7TfmVjotatVMKWurcdE9u5lrk5x RHwYgonNr1Lo+qO+3sCUONVYpLWU72dcPJVt aBUrqHQN8vfreSCKE/ifIH99c5s+N2fgtal/ xiO1c60afq6RMvlDxzm+n7KweVHgRSKeBujL rO8JT/yvMernVM5VvoPFZe2LigEayubRPj41 ZKuxSuNsTB553Au8IQ== ) 300 RRSIG A 10 2 300 20121212121212 ( 20110321190904 1862 example.sec. ixJG2UmtG8MzRs4d3sUB0JTldTzDhrEln8DP rOskf3a6qFgwn1V51TgdDSLmy9YTqE6WXOpn elh6r2CEclgqBd2iuunwKfTN8AxOr16Fr/4e vSrzWcEWN5tQoYs1NHCSR65gDN8cl5Fj/v5k oBWKZRVzsKJuy4hpLhvKWpPCPysqW3DUPi3h 4wGElM0DMrqi+27t3kzQel1/MfT4gBb8vljN w72kwYV5cFYnrVWXjffi7+yTeRJoEuKdGRON 21lVmIHv+9XOkTampgoHPI2x1kkYstOlonKl 8lNoPMCVEv/FTsh2jpQa//lHivCIZ9hOBXIg YN5f0ZvBgvKvtRNrlg== ) 300 MX 5 mail.example.sec. 300 RRSIG MX 5 2 300 20121212121212 ( 20110321190904 516 example.sec. fWO25W4rEgnACvegskuIVnF9GQuoQWIlDGzr 99hkO9/LLKd2tQgIgtEPN1APrkcoonFWzJRl WpmpJuYimWFFMfuJ9jkkEfjYrUzR3K1chgSM gmYvAfMr/d8l6BjiFqRCVLZ8kvfzwjIlEx0S +drySAidQV2u/V7yk5/G+5K5wjk= ) 300 RRSIG MX 5 2 300 20121212121212 ( 20110321190904 44427 example.sec. yix4Opq7le5BrNllC9CROkYuJp3/ntKdNheC ydWk6PyL4OV95oroMXmjqFi+f0jDjNbIIr1O GeIb0gD+BVi4mujA4GX9Uddfv07PgSOcQoxf qfNWgdOm9DwmqK+26U/q8o9ko0cLaKNtJF1U BH25MkwYch+/xV+EX5U0cMdHaTUX3/i8Obb5 rRJZo0GiHKiWwFP7akb2LN3NoFrwGO3rwx/t UEY+LfE98jFpsGB7Me8CI3xAehLV74VYAO3R 73mt4Zj/QeTOxST/bR8bBbPPIyWhBRssfI+7 W7DNVr9gSURySCj13+jv3p208AsZWe37Iiby 4epKfZlPr7c4dVsA4g== ) 300 RRSIG MX 8 2 300 20121212121212 ( 20110321190904 48381 example.sec. ACKBdVN2BJ9a91rHFPIHsycu84g1R6LFOPrt gN4qwL4w3NiNMTRSLpvzhvREcPXgyQjWUBzk 2vCWkAKQcwWyk/evALPsX5FmdB4kUacOygBU M35+Y9P2R9ikbiUk2fF0sUlPi1QXCwEVgDab 2Y6FRMvtXkXSvZ5GPZVx4aG2hQlrzXctTOOb HPsdRNuoAmusjiphFJRCLsB9cD2hqvd37hTj QJGhu60qt2zbG925kxlllCJHcDHhgh4mX1CH +sgFsWcTteTk4t67ypldWu+pzZPjs0ABUAp7 8TEe36KkL9Qn9flCcEycm830oa4apo/9iSca 2a7+kf9dvrbuJAKcKA== ) 300 RRSIG MX 10 2 300 20121212121212 ( 20110321190904 1862 example.sec. K6clO4PPzBKN4ALHsZPY7rNvVnbJ8TiSd0l6 s+jHDNyFFjKD7l5N5ofo9olDpG7csJTQHJYt gM9RZNJibk9Rp2ObSQOVr3DKQEUeFD5x0U4d 5P55/4rWta25POwgbAOxT0sInI8f9dw4Pl8Q 7g+xEVssTdOl8NdUGsgMNqaxqOF5vZczQpmn nHMlUdcDlq1udk3O6FT++IpR3mvm60KVY7Dz xXfth2FCvuTqecBGAfILsNch882ODD5iw4Vg rpT07UDWcPivBC64Nj8pyW4pqKkIk00f1dXI tLbECa2mar7uiN1SkFYrofbbSXAH2Adic4p+ OPjDJiSb0qIhbi3Biw== ) 300 NSEC mail.example.sec. A NS SOA RRSIG NSEC DNSKEY 300 RRSIG NSEC 5 2 300 20121212121212 ( 20110321190904 516 example.sec. NzQ6/OI3Lb97qiSV1GSI2Z+7KZl+d7cfejS4 EEOHNKs3plSwgEzMdaJr2LHfWwyEO3mn7RY5 JiqTXUfoeTXugcn5MZcG1aa3sdskEJEClI8V Dq9HMwFMXxSJ5LeRPdSQA1gXMMuqKOtKXajb DKpCwr3yLYho1L6vuo+bOExelPM= ) 300 RRSIG NSEC 5 2 300 20121212121212 ( 20110321190904 44427 example.sec. idXRv7E4VzNoE6OjxQ4jnqsnvx5pjhrfkbXC JApP8GVpxGLqS/pPaTePaL9OgckwvFsnd2J5 PJstTv26WNGkijxkaNe4t4BNhmQymBksTXqh 0hU9oXyLX52pb1VALcvai/sVWfkANFnk0ss9 GEps2MOsM0Rpnc9lS26JmkgCr+8tUZBWizOq 30YmCPLI931MThIMA8cKaXfZehJ+aUMceUc3 DvPNM47OB5W9Syu4QbAsrU50tNkyNbkMJVmC NmNDQ1Uk0th5fU0rcZykIqCH756YFWzchYBS Jofz8JYNUxUho3+hzSNH5YLvMyquzM05lXeb 6TNi5wjOG9xhW/X/gQ== ) 300 RRSIG NSEC 8 2 300 20121212121212 ( 20110321190904 48381 example.sec. CWmDzJop+g5+bPmvwwuvmP0X6gsd81dw9xH4 RzTVRJ49gt6I6Tx7k/oA1Hs3UFJGt6QSgtVz 7NKSn3X4lXMb1ByhyQsefLCV/vtAO4UxY69L 0DsKso111pIkKxFP7Y/oJKgn1bBC6FMIJ7N7 LkMFzRIl2uetDFq2JIwauFy6BCs/CTaIx7uR tVgGe+TRDLjbPlPtYdESEpb9zKLQUQsIGz+N NfwWbp9R/oWx6lwxvy26JvvJhq8n46lm6ZUy /+zm0qAmE4YhMbHm3qdLesof8qVCI3VAPfT6 AMdqe62eo9WdFa6/9x/wlcJNK43CTloTD9bg 2gAVqJqfknKfR94dYw== ) 300 RRSIG NSEC 10 2 300 20121212121212 ( 20110321190904 1862 example.sec. Q6WeIbTOIMaIMEvCHqGiPwlqvwDH+mlyHgmK 08FvdpG5t6TFB8QPzyMQufN/Ti5e8K0IiAv8 JPUb+ZqLq++72qrgyEhUOFG7+66LIHwcdEaF k08GwUFNpcn2W0/+QuVEVe68xHtluyTkCEFJ 4gHY7kd1zn6NrQCvt4U3KQAAr0suxNZ8mHuD hgO4ECYZBrqmpctNYD++Ny5spyzMzqHjUoin k3qj3XLjXKhfVhrmayjPxOFH1F4YH797JGF7 Yiubt5CH87rFl9jT+rDf7YvIHXwRpvq4xyPJ uS/CRvNCZpDS/0Ma3k7noD1c+m9U7/DeZq+e wwmoFYz1e+d0QEufNA== ) 300 DNSKEY 256 3 5 ( AwEAAbqjCxtmin71unORku1IrrQx2S49KTmw 45jnlNdreCH40YmhDZo26CMiVXbq29rvUDW+ ZEJqVT5fd5GrA1wEEGbrudd2LDr5AedBK7fY TsZf/LEm32/Bu//KzynrJqyB4HSN3GIPbp3K YyY/Hl7HawOvWAd+tUHgUtes4trE/4pr ) ; key id = 516 300 DNSKEY 256 3 5 ( AwEAAeluubFtl7Qtw4TpuZl85abGI+HXO4ag qzv1kSLQ5tkYFGdpZyZwQcBU2znMrdw03o6d GOEQi+FeSymycLZmtsKiODsHNwgb6qdxnYm7 +n3ZiPwVhMX3gxIG64FORibWcHAyBe5AAhQA ZIqveqjnY4gwdKZJSmo9ihXBkKS4yJ6Ulopk kSxL1Iq9oXvWrd1ZqjQiSmLF/3juvBGjHVP4 CbPiXZ70UDay6Ysa1to1tHZSQshkRTClB+Dc t8er3cZ1y62yOSbPK0SlouSRplbz+ezNyqD3 c5zvz6F2AcZ4NqaTZOMWZbOowujQj3FxElaZ S+/ughQZKq3OtMN8bqc0tZ0= ) ; key id = 44427 300 DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 300 DNSKEY 256 3 10 ( AwEAAcZdPacjnWNuQKCF8CPmUW1/NUxI/G7x dbwrU9lOuAD3sw14rLw2NTzpbC/bubt2aHQ0 nc1duoK0x3DjhAURWki/1O1Yvr2ffQRVpWS+ WjRKCqTjuPrrdImeKdWEdnDl3l5kQpsxx++E IHrDnqiVhBHJdVB70A/I7i5/HiD8HgVooR3I XVyxbT4walrarrhHWEBcXcNbvadg2rc492wS 86zbSmK8iV1e7t6U5iBYmsQjc7TVhBT7xqar knECGC8L/9o/R1zfSzSN+ay+dI45t+jOOLgW p5gmjsI/mXhoO6GqX8rbZoV7/DQyAR5rATJH W1eausJhOgE2wBJgl6V0XbM= ) ; key id = 1862 300 RRSIG DNSKEY 5 2 300 20121212121212 ( 20110321190904 516 example.sec. twpGirC+tYDotLYKaRvJfOaSI+K0RPNTwFpw UXl7l4OKQen1MvmiIo8XI9kY+C+X0oSWnqEk BvGiYkhUF69mNe4N7joDQxKO3uSfuvaoKwV9 qAZ3vgSNl4MT3LROsSsZLlDen4SpSxvkXtLp cKcrJghOvkzhz3iXVrg/w6bXjYA= ) 300 RRSIG DNSKEY 5 2 300 20121212121212 ( 20110321190904 44427 example.sec. k8/IGKAGrXm4nrq8bl1q/wwsGuSNzwqsm9xV CQljrZ8dYw3+fhWJnCHbq5fGXkzSpAGzRl6z MwIzpQa9+seXctjZYB7rwMCXaLGB/Q3a1ALx LBNM7Dg9aCoSff8msyL6d+c2VVy8zDOD1TwR UkLYMxYPt/iOXubTHQjl1ZiB7NgCKCImThCF DySgwHQiKIIx2718uUlbgpmiubEkpFuyxkvZ PwhRBoqITD6THmZT8rNtJPrSNfsq47U5hwRq LSQZqKlzqjdZOW4ZTs3bQ8+AAWTlw8JrtL6F oCJncBW+nIu0bkjLEmdjD4H6xoL7DikgLI1j bD6SAOoebcYMxOx+Ew== ) 300 RRSIG DNSKEY 8 2 300 20121212121212 ( 20110321190904 48381 example.sec. D0bZ2H0Nh67jbc7rJbmie9trcwpAF+S96ldr fTbPKzpEvhBA7nL0X9ZP4Gfzi+c0U/l0O6c/ cFeo+VSKqMkwt5podbGiqEgvUzGpPPnwT2uB sD2N5G34OvuQ9j0wmlKOqO2WmP/i9hJWfon2 FiFqAyVtJJScMnYOgrtx2bWQNCcys3JnA7I/ K2eGfbDRDH5fGGIpCAaIU+XoLACmLLh4v0X5 mQU83+EX9mSQLY6z8eOGr/gTAbW09p9vllcS 8lqEsmubC86aOWcufb7MHEXiMQwytbIXdraY T+wcMehzRzYVmRPe7jRa/ALkNYdUhVzKX1Ol h3e2i935lGUu6ZWOcQ== ) 300 RRSIG DNSKEY 10 2 300 20121212121212 ( 20110321190904 1862 example.sec. POpWaOMkZkn+bz7cfrZ3Qkt1hxW4r8xoAEma LsQF/PuVGjLsvlR1TjmqUuSACJnorx5vFYUT 43LolixZ8vT6Sw+MxMRVHcWdnFLQppmAe1RR g8J9c/9fWmAbo39AoHfX4LpAjGuJ/+R6Cs0y sVNHVS29hhIieJ6GjD2GqApcQ+saNqKBm+4D VxXDroO7NhQgu1XpZBcMSFVozCtdzPgvN+BE afMXOXVYAh51/hRfTVqP6n8fRjrQPCyOQ4NT GO8ILtAu90KGy2GPjng6ZjqlnXEH5CuNC1sh xXf5f0PbyUo++Lx0NNk65Qzi25mDSDTMlMqA OnkowvuLgdmROw9qiA== ) mail.example.sec. 300 IN A 2.3.4.5 300 RRSIG A 5 3 300 20121212121212 ( 20110321190904 516 example.sec. ZY/dLHB6hV62KnA+mpK8bw2l4312JKyOAJky vHCo2R7+lDumTb0wgFSLd/novxtkurnVgUMt K7G1mOLUaqM6hnWKHrJMjivBrDtrfHmPNNe9 Re6SeB1fKPin4+XgrpHUCnuqmIbD0tmsxYq3 DBLGqvYVKCQwyAyouRFiNeIW0eo= ) 300 RRSIG A 5 3 300 20121212121212 ( 20110321190904 44427 example.sec. QWSep452ST8xRmCMptGQuAt/J+mwA8yKUHCR upe4zuXVojch0CcOY5A/ge3cqS4yINxHTTgm HP3MlcoS3uei5w/LfAs8tQpUCWhF4pEZjEuP XpQ6ARi51JkmXBSF5aKDQH2bJ+PTEUmaNmLC n5mApz4Voo9YdS9ufIs2S7dusyOpdTDoDE/7 drMQj6EurENB0a+y5/yxcHR5j8YjSlqtY45k HVz2G2xe0zpopE3mSvIDz0jDUrRsKz3vpx+P DG3VDlMRiensfmO/rfGycDGkvqo4FIm4nl2+ 0UaTINnqhseE3Effz0XDn4glB8KcZJctul6w Ae1iDYc23Z8t6XEVOQ== ) 300 RRSIG A 8 3 300 20121212121212 ( 20110321190904 48381 example.sec. 1gYbEZMy84ynTBpBxjSb6FAdNsOZQtHUVFRs +Xf3yhGKeQRiRxyGzNfT+nGz01LKdICGMcsd dqhjovq90J6beAllwwoyw72cxFPLb1JTBIdf xE1to+HI84luqtgZQ4Tbrcm7Q+HKN9FPkHDG g/dbhfLJNffKj0AWL8aWhxEXj5HxXXP/bW6l yv1iJtf5axrOTUcBCRY/LllnOMNyRviJuosZ Hg1QbaMuNqNueRB/b7ng4TGRP67KDhg9ZQDv VgVa0DeUuCbo6jyYfrC0J653t3IJmICKPJvP TnWhwqYYT65O3BvmGl5zvpxTWw052UCVuUz9 ClrJYpTE4/mpo/elgA== ) 300 RRSIG A 10 3 300 20121212121212 ( 20110321190904 1862 example.sec. Cq59fLZ78qxYgFwlb8RDsRj4nyP0lYUKbafX jnNIz5Kd3I3IhZhT7PN+wcpZthv7h9rM59JO BJE8Qsl0M7Dd/4ncowdqwrGG9gif3yRnSvFs db1NxuRkn+syGXO8zzEdcb9wjK6gCoq8ulLJ b1EylyDyRcR5929/uCCFEIP6WnlDVXmArFMd ol2NTky759aSS6YMsfgAgZnymOKgesTWmg+z Thr5R80zUG97USWbH2qG1SHhIozWkQeeTtnZ 0/cOKaal6+xEao7r7vVLB11NDgrIH2smeMSU QrqFMPAtIxQgQVqk4urc6YTtfe8p1HIDzDVf /7xqj3WpVcLa0+s7rA== ) 300 NSEC ns1.example.sec. A RRSIG NSEC SRV 300 RRSIG NSEC 5 3 300 20121212121212 ( 20110321190904 516 example.sec. PGsq/tTtjx+oeDoZTZhLrWFF+EkQ8MjBpmVF O88U/MqnjY58f1exv1H+ry2rZO76/DZ9hAmT nlBu7mRsodOHxmkj2iAwEQY4wPwtDsYJAqfL iKiLbZ4lhQWq2I/PG7sbBKf40E+OUa2H0SUp umJ8vNd8is6L1RrKQX9Tpk7WTuU= ) 300 RRSIG NSEC 5 3 300 20121212121212 ( 20110321190904 44427 example.sec. bRK1zV4xNg9tPwy6gE5nvTG53O29GWKQn+Ho qOzuN4865me4xP682b9fCkP2YfanyAf1joUm ++OShdVeczfx0NohnRJRg4eQEHG7VSaFrUCF 6YIUXy9xcX9RtHHp0wE4nOe3va5OIWjCM/Yu iCTRNWkh4Q42yXsSTQKlKyXYRZCyJFITfP5T gJ2nZqVM/5V9rkNvAV6KPrZ9AeWmkwrX+t2v A8miQzS9PZKWVrtDhmLkbeHeM+6T2fHALfAJ iwqgI9QBsX+pKyrGvIlfqdeyMs+q/kFntV+L 6X9wOYz8mEK4BMvr//B/1UsFkZmy8+jrvNNG wtt/1B81q7tPA/yF5g== ) 300 RRSIG NSEC 8 3 300 20121212121212 ( 20110321190904 48381 example.sec. uEW8IXojJOkAssm3Lp09z9QIbP8NQgR4QmYN gtAhRvwYES2OvKVCX25fyAl3u8w08GCCj4BC B5WGHLjrPz116EfuDh2nqiLUJt64UekZRbqx mvtM6zTMdOc6ICCKPnyg4eUiXoMkyKhinsz7 KDSzN3W4z3kqXszj7vbbtkz81Ps8g/DU/g9y 5CqEOrd6r/i+A88/w5LL35+M9Gjoyj2U6pCX EQtEp6LPA6eTM+YL56rgOHEWPDb4QI65BBGM mBygA5pSJ1ZPUMTr+BNgGrywZJIRdQevEUW7 2p8+PPHp5Wbm+d0+o08ZzHB8sjgLEKH6mXyV /TF4ufzu7HfTfjl+eg== ) 300 RRSIG NSEC 10 3 300 20121212121212 ( 20110321190904 1862 example.sec. fjMYa4kw8rNtj8y/IRmD3Z7IxRfv8DLS6+Ew uc39UPTVW/c/JqHy/XHu05xdP4SXf6zbF92J p5VjWC408SixMs8gwGS2ihPINY2ptbv+nqBo a+XTB0U4bTb1YrufiNb5jyY7UPLuUfMSeKl7 CHCTY8RlC4G3Ac3pH/b31d2msVzZ+kuO1i1/ lXlkU8olU1jHuzaXOL5+ztjNYad5p7fyI9c7 XpB2hDhrDB9KsMYjk+wxzawx2N9DmqM42X3k O83wTJ4VDcIeZ7fCiRchaaH99hEo0HtaTdCp d/dGkG6Gz6tl4ufGOyQuLpbnfnd+v5D3IDyX CXDWmxtw4xYMcY2mrg== ) ns1.example.sec. 300 IN A 1.2.3.4 300 RRSIG A 5 3 300 20121212121212 ( 20110321190904 516 example.sec. q88manDDkCIzUXoF0BxY71gt2o9s0kTTMGMV MQlKcPDZPckOJfVqbvPlSQXmheOkmOYp4+VZ YFP/JwoMJDOtd6xNlBaC0FYmg8mxwd7uXiwE cbBeqG4SZ/4An7eWiOI8R3J6Y43N0fuG+3nC GndytHwRrmjWT1cHNdew2ShiMHg= ) 300 RRSIG A 5 3 300 20121212121212 ( 20110321190904 44427 example.sec. sRkfaRLf62D7K5bLlC60JkAbkze3ShxCrvf0 VoEzGER/06NXOB6TIL2KDKMnzZw4h2mD+X2D YA7IqO9H9tAbF7TNMiLMdEYUFCL3cPkPchyY MvtseHlT0LRlhwW344Ar8P9S+vkvt/P4uwkN u6Sc0ctDjHtVBpVhMA3rVlxZl8qwYt24XVCZ enxOSQQQH0Nb0TmAS7sHw2927gbC1voW2y9j PakzCXs5y0TKLhAUW2ArE1sTlq0qiTn9JrU7 h0sL7uxku+hFsq2kpx1NW6a89l2pD2aS86Ys IdAY/xVATGWdvV3OLmVBfqXvNWwOuPHVfSmy hyA8kCgEN7TlpHPV0Q== ) 300 RRSIG A 8 3 300 20121212121212 ( 20110321190904 48381 example.sec. bv0FRbTFq9xVa8/jq2dIKmoSh+n55s8nHS1+ wN11khtVqAyUv6fJeZ3GLR3aUluZf+kgkXCs 2e+gL0K+L4/z+9dE2rgeIQU14TsmaAvMN37X ZjcSIwGFtVBr4WvFQLO9VzPe9Gntu2kzG40Y qTKUIyAkME9kIR+ikalKXSX7zOrKj3/rTPBz M1qVFU9FZy8qBCrk2IRvW2029s+kEDyymfIV /OrUFCUskDx/EaczOAzAItiUCIvdJ1FariPK pWFCFzMVXhjX4jhs6F2NgoiK0aofBebU6SGs PA8Ag4l54GGX8hNaGHNmWO+sOk64yHTMgR+9 1gjd4g6hzf9loJ4ljQ== ) 300 RRSIG A 10 3 300 20121212121212 ( 20110321190904 1862 example.sec. sNSj6dl0kRRhG4E5A8V87JEqQX2vW1TBXWuM KuRiYhEfNqGp9Y50ca84Tqgb0sEOnk4EAtzF AMJKEVQS4mAlS9O+R7et/QVJKFLCn8D+wrRD ly5Bb8C7gMbGYMkjnap1eQg4gaNVVpU2tR/W wZGzFCK1fDluY4CPm4a75DNH977uDBV63AuV c0beAhJh8dSHhqRQJm9Rm3pAU8uQv4FRBwXf i8JU8ddvqQMYbEuOkmR17pLKu5127MaO0+No NpFHvjeMNAFYYx7et9IWSGB0o3aoIM2pHLLq JXtC2e2DXiXXQ8rS+C9LRtDAto7USU4xDMPm Wj412ruoUXZfo1Jvbg== ) 300 NSEC ns2.example.sec. A RRSIG NSEC 300 RRSIG NSEC 5 3 300 20121212121212 ( 20110321190904 516 example.sec. TgF67yndlSPf6vetm1VLWWi5C3zRJR2LWMPD FO5Duw1otZGVxIsbq2bM7Qabw5omSG1OWomf GJ6bEthwev7o7eq0DBlDGi1yvSghg36ww96l Zj3EdFgmnp+qxAPfRD3Jk30Q7bp+5e15xxxD R/Pug2q/OIUV4cfURCBmjohfIJs= ) 300 RRSIG NSEC 5 3 300 20121212121212 ( 20110321190904 44427 example.sec. GayKxJJyVoFrEKEEn4YiG0w3F8AAIaXf9HrY ZlSrPCeSlWKvRrPISzeEFz8TMQUOGD3K1n7R fpwH0BCBeoKIxqYPXL/kFcKfb7t7KwgJXJKV wSd015RwXCmUEpdUbhDzBD+Apewcd1D8AUmg MHwRrt06Q7nJdmehrP7jzNLEfBZBEGRF1TOI hgobjVyeplEW7tPgnI51+cTKHJ9zhJ1UKDPp r3RQt7MxdL61SzsGzBSyVcKdcx9tJ1e2NbgY mKPylMk/NOfSKLdQeaC2avtQ5E/IR8o8r4Ua BLkwaH8bFnZ/1dx3I10dylJZMKrXXlcYxS/v BNcKo8DGC62xI2UaNw== ) 300 RRSIG NSEC 8 3 300 20121212121212 ( 20110321190904 48381 example.sec. xuANn6jCFHhuvWqf8/dNcUNTc0uh1046iuEz CjJZ1wgE+oXusIilWDhgTvR/H/bvLjh0phLX mxhg4G3SQvG0Wvvdv2VBo7f5CriIzndJjodc h2W6wqvggE9ijc4q7uDHWwbRM0qN3DkghNWq pbNVeRD0Ci273J6nfP0nH9m0Wes8rX1JnSxq Iw0vMWgD28dOsn9TPpk3kDM3U8zSjYASja12 mZURoF0sXVvp+aC68JTW20/e2yJFF6e+68om GuOeVFUlglKZ6VZAa5goAohruGZbyMFvlJPJ daGhycpybeGcF7fbxpCrNCnwiiBDGKBR1mut MyytVKIFb/iMsw3g2g== ) 300 RRSIG NSEC 10 3 300 20121212121212 ( 20110321190904 1862 example.sec. Z9QQ8kcwWdayNrUuUebNq/Oy2ftLUmc7EGSh 0HWylvMgOWPQlC+NMOF2dowO/NWPY9skwvck tsNrZ0dMtvzt6MAAxC9UsJsQ+iirOB2U/tVI pUAjIdTbxLlMhsmLJOW8xy3MYVBdf3u+IpQK 90/a3Ngwft0Zy6KXBP7BndMXmISWSi+0QWwI 5yF8qBbUx6iwmC5x30TIywBl6yggB7GG4MBv v2CoszyNH5GjtqY3272z6VUd8XB3MyDu4an4 5HCsQ0IKKATmkbPnBS3JhJ1zcEtZkFqiOSw+ wgwWv+2hIpKrq0RR9qX/vYUEYjCADsadjbEE CWO/9GT27DcUegbMrw== ) ns122.example.sec. 300 IN A 7.7.7.7 ; this is outside of NSEC ns2.example.sec. 300 IN A 5.6.7.8 300 RRSIG A 5 3 300 20121212121212 ( 20110321190904 516 example.sec. VVI8nK3F3BfMlyZlEPw1emkSJez0asH/ZvaW OjAgJNg+YlgfwAYFz/zcX0xH/njX037KtCXZ RaF1igpXvcPEW55pS921Qq2aOEY/9HvFdrsr 34jfLPu6PuVPiJLJJELXVjkBwOxXyMARAd58 TggMOlw58KCCd/2h1OLZ4Ky5Er8= ) 300 RRSIG A 5 3 300 20121212121212 ( 20110321190904 44427 example.sec. GeEgzMqBdc+lrdThCik5veRQ0GPERifkCgJB Tb6Asx2Vn4k6+K8kMGl7OxMbGtluoH1nzjYT Ro6QuhPk5ft7pCP0xZPBwOcl0hJsZ+k1oA9K BX7vXXg7qtpYy9RXHhJ58i5dfRN8TsPbMJtf ZrmwQyUMw5HjY0Nc4BPZGbocR2xOBSYBn/A5 3zMFcn0lrKiC0J/TeFtTv8HVCmZ1Bhfn6gTK 0ezQtRQDmEaWEGR7JQas7h1y5+qWrtKVu1eQ 5n0zmamD26sdwBcrbHKqUa9x+bbdz3cfWnze k31jZGwAcMvLAWi1w4kZWvVdxYEd7WkxLYfu TkvjObzS0C9cGtxwcA== ) 300 RRSIG A 8 3 300 20121212121212 ( 20110321190904 48381 example.sec. OuKzAU6DTB88xG8F/UZDDhCopgDqqXBtrCNW UzejdSnlOkWCWyhoqNdDVUmP8RsKyvbHgMll DFsrE8EOU2dFJc94i8uX+VOOQ9XX7I7Figny i1KiFuG5M/BhJJ8yoLhT2c7gG80Tt7oHJpDP 4UEZkBP4Lplna7rySMPubY62zprvV5xIO+gM qwFqL5U2D90nrHl5NDwEw2ruCZYPv684Bmce 5Rslh/6J7VxTjJaVGUr8T81HKnE5Xw1MQ2x1 VtrsCBIRrwL2YxfdRf6j2GR5JDozk49mQUm8 BPIvC69Kijr3JhP1CakJFMfDRCEyj01UjBKz QisQOEDJP4tRVNo1CA== ) 300 RRSIG A 10 3 300 20121212121212 ( 20110321190904 1862 example.sec. Noj04flBhck+sWYKhMYJdm34qfdCUtHZC9a1 iRgEaI4AgKjyJJjbKxXwxlpveoztFiQEnt+e ZZUSVpaR7UmhmX+F8uOlxr50+W9xwrlYpjsv D038kUpQkapSd9ukjte4A5/jCQrrxfxa9R1/ XJ2nHfTJXpHZjujjdj7Uavv5g1c3KaRien75 3zniwYp1rQq+RgCbtqtCYRf31Qc6h9BGt2ul z2GJaGfJH65FHuZtkOy+pT9vEJWc8GK61GVO UaHN6UcR3RtrzCeY/8nGkaDFFYc0YvhD7bOF 7+GB1dhTf/sFR6uC6mlWlirGyTj+JYb8jCMd OwI7kW7fzjgSPB1cgw== ) 300 NSEC www.example.sec. A RRSIG NSEC 300 RRSIG NSEC 5 3 300 20121212121212 ( 20110321190904 516 example.sec. Qak5r5ieUDezQdqLu4FWvQRIP/VG6MdE/ziz HddAkuVa4jlBAarWpt8X6ChABhexVPmK/f4x qORf8qvaVYz0PzvuTHpEgGAiqHpiwK4V4z09 JaSlxDjsGCl41uceNFGfMkH+Q6Gj3dIeJ19f k2DYjZ/t+1nMd01SKJAFsTpmiRg= ) 300 RRSIG NSEC 5 3 300 20121212121212 ( 20110321190904 44427 example.sec. RkQuxEi+JUN9LVxZZ5VBspPxF5U5g5rASBj1 yrDBJQIRdGIDITYeiBP4xw9rAHO9bo83yn30 VNZOWdCqWaG2NOxyfilhURpPlVo1vTmWd7p/ 4xeMcGBs8LsM6t3Z9U1Ecc+sLEgsccHf+363 a6N5+HYIRE0BjvIo75EoJy4UIZrTVrMBJwYZ W0OjWjfQH2ce39q7lc9NshKY/2MZLJ35HHLK 4WI1e+IB7rSPKGTRhLSiwbA4rjharxqv4xvt XUDsphQoMqXYLn4H2d7rkPGKLa1+2BsMYV+v DoBFNysVcIAOJErDpKqBorLLuL8Qi+DKwsZe EDz746YkVj3LoOCRCA== ) 300 RRSIG NSEC 8 3 300 20121212121212 ( 20110321190904 48381 example.sec. oa3kWJRq6dlRomWXjxJAp0xPXkEF9t/3uw+U yAYm72kZfeOCMZcTxQRyUSvT8aDsLxhphq7+ H0R43HUh4GYpGtZXBOcTMUiNIDHxFJYwp5xL pYCvHZ8m2mwDNeEkJ2mWcxYwg8wghxZjf0sG ivB9ufyOCl1V+R4PLkAFZXctUEsZvP05Ukdm NwdTFGcj+RO8vzz1UT82L23hBc/ZBcv7+/2j OiH0j3g/gM2ko0o2G5Cte5746zmvs7MQW1N2 KxDbHxuy8/Aym8Q8CyYEze0VTBZjopiYXmjM taslp9pQUH6lsTA/I0XeWcL+z4Y+L8gGmr6o lHpSE0c/pN5thXjbeg== ) 300 RRSIG NSEC 10 3 300 20121212121212 ( 20110321190904 1862 example.sec. BbEEJ/Su2CoQiuFq1ufsJlJmKQEHOZioW4LF nrQtLPbFMTDUhgxxkog9J8nS6IVrElQaiZLH CjqGaSNXk7YStRpyLpz+Yb/TEt4T6CrBRphU havGpG6IZY51I7msyyHbkJXNXvrYY9uqCvdf 3Qea2x+9bTXhGvg/4r7QcqH1jfbqXyl+yzo0 QyYCNw3oc/MSrwWpDWktpWjMiXnJ8HhVfoqe j+PHuoTiCkL6QniPhrBzWfhzkVg3pH2qSo+0 Oz6YRaL0Mihhn/8dpvle6X74joQ6tdWaxluP 9WqXHTYauei7jT+hDtiB4jqH87tcV6msQbxc sv/EuM7dBcF3vNr9vw== ) www.example.sec. 300 IN CNAME example.sec. 300 RRSIG CNAME 5 3 300 20121212121212 ( 20110321190904 516 example.sec. Wser36d8n6h3zg09EXM+ZeF7aODFbm04YFCf RERKgKV7F+H/Ma4xGSxve7vIoMgSkIqVeFSo 8yLYZV5AxSCz2J9YFMdldW47nW3kPkV8aUw6 kJtPjugDFgJFFN3G7lCBXrUnywMZAhyO62Zm 50VCggbj+13J64ByTEEL47Jmd+8= ) 300 RRSIG CNAME 5 3 300 20121212121212 ( 20110321190904 44427 example.sec. 49nOsxfIImn4sYwc/giAdVJGjnw/sOxGOQhp UMJqwiKtoaADw0s6FMsv5ApDN7QbV10UBuHt Jmy/H9e+5Hbth+/VsAoCKI9HYfiw9qNqHk4q hKu7VBTd1ITgMObglOrPf39Xik3jq6miYCXi lyvXLoyeDl7yKszuDQbyGwGnw9PyMWe1BK/A 24ZO93NRAfQRRvYkH0QLzXPM7sewJbij9MZP 72AlcsB+MfKxgNVzPTS4pyD0H7ER/PMW3ESP eU7yz4ewpOi5rLCsztqHpim7s4ky3ub4ttJO 4J03h46ic2bv4ogsvShR2wFzeAr38B5C3cXc hYuKQOvXPGleGyH55A== ) 300 RRSIG CNAME 8 3 300 20121212121212 ( 20110321190904 48381 example.sec. eoGO0lF77s/0ujZ24CvJ6F45oqryxInpfLA5 B8HROJbU7TJ/hERgl6r3EAAc75uP2yn0TY7R 2Q5Wh+RWsQjh6NwvbLcKpOvX3EpOxg2oSLBb P46G8TiMGCaydR0Xx21Hxk4DmRHTjNu4o56z Y3Gm1eHJ5To1V39ThJMaUvuMFwpSdGgBq8L8 WoOHz23W94tO0AS5QwtCAFpUjSG05rgjBJdL Y/00Q9ry15ZwZXIRizmBoRrZ8eSxW3Dn6J8B kPN7W9z4Z7VVciQuZFfoIk8Mvl8vlCdUqWt+ t/2bcfgrxrlnHhFqOJG31XRjJOVc28FDI85Z KZ9tQTiOxdC7H0d8YA== ) 300 RRSIG CNAME 10 3 300 20121212121212 ( 20110321190904 1862 example.sec. v50k8qrOxI9UowuANOSnAGF00R7yxlD2dNsa HtHONDM89jMMs4S721SVvm9HHxVCieESyuou G/K/u54MwIFA3AgKrV446Ns3M0aZJeOPANap sjfdIqfs0hQwZ3Jth7GMpNGG5rLSmIkn943l 6XrRSewQPoVT3ZD8jeLQKGXY59KlIkra5Hfr fGLiBqpFOpeb7IxHcPed01vjgGgButOAxsFj xiudVrX5FpcgZ5/DX1o//cAdgqcvIoiiWhfZ jJEEQ6Kw4DkwFJKXEhItEtaTaciOIqlQkq5n G2xqghKBxlcl9D15yKTHkozKhLXJJKGAn6p8 oz8iSw3f9iWejBsrfw== ) 300 NSEC example.sec. CNAME RRSIG NSEC 300 RRSIG NSEC 5 3 300 20121212121212 ( 20110321190904 516 example.sec. hNtegxDTYwygt81ZbwX04aHE/M5cQILPAwMH Om9dHodMiddnFQhLTBOxfn16vuCP4UeIRUwH WvqqGElVMyWuGGtJxe7r8IaSm1JeBv4TQ0rd snu2zH8TCY6QlPBi067ukq54po/f85wtreem PrruWM3347d/EVYhA07Pi9Jqkug= ) 300 RRSIG NSEC 5 3 300 20121212121212 ( 20110321190904 44427 example.sec. ArFauCuLgUvbz2ALhiNoqgBiUgZlGeZwk/37 ZwqN59DrExfUxAuFEPmBSLLd4W4KDmyR8og8 RDZ1kWZjKuXB9Vh/Etx6Tkha0bUukEzc9UQk KwF6GUTjdO5MOkMUU9sJO6ecAkWxmfcpvG8z 6wg4BxfL/QfkodMyeTkr93PnZPDhIFA/jRpB mDDCUfXHY40shfR5AaIQwMnVIacd+d7rOB9z k8BSZeex7vzHbKoQGgR93woGq766C5EYhVi5 BivAbtda+QXarXD1VkQKZ4BVtG034iOkGBJ0 v9983Yqu9bvAINvlj9wtOk9Br8mDUKpbdnlM sMCCMaHWvHkUu5qlZQ== ) 300 RRSIG NSEC 8 3 300 20121212121212 ( 20110321190904 48381 example.sec. q6/Bry1OxPs3NSd8gjHVA5dZkKn+khj12ZJY iAQl2KNQZ2g0P8+1T4V4Vs21pdQzVSupIucE BN62FiEuGwp3NEYiYW7E9pU77j0GudveoMyK LsI9G8K27bnsMdJG+wizGNkIbmX+lHhBQNpO sSHyyldubyyJymdPy2mhg93iIofRPM7ljuJ/ W7zZkt29d41/su5Uk8sDMhjgRrw2AC0EPzVl Q/B/SJZ9Rzx/5Dj7QHcG/FkAd4WGQ9XI93SF LMQn6OQVWXRvXYVgTDMNzXV+YKey5ia9bnDL yXKu+BdkrjXyrmbVS+LQ4SEbL+MwjOawCab/ pHbGIhMYL9q2sI+PDQ== ) 300 RRSIG NSEC 10 3 300 20121212121212 ( 20110321190904 1862 example.sec. T1Y1W3dghJKxZzjGnJaoFIuuA0qu8xebm5Vj j8V3W6tdtgnfmIGfHles5wIP8djWMPCYcA4X yco/dhyVW+6xHgW6DtIWFp6w6maoLzASXf4J upwQZaBsFTbu/BPaEna0H8RWV8bo34zdh2qD Uve6XcdosNAkObfLNs7JPBJhEVxwu/ms3Z6h 9IpdoeNDBi3DoBC8GA+m7KW61GnxMd0KGj0H QnK1sS2mZe5lGKCoZDViG4ttTl3ctWoLw5R3 ukb4JEiS3zkuLTMX59PqJ+sw6y3QBgKOSnbv k18XsducRJhqpwfUGOsmAn6/qGw0HC9XN+rO jE94zVw/whela3Q7vA== ) 300 RRSIG NSEC 10 3 256 20121212121212 ( 20110321190904 1862 example.sec. T1Y1W3dghJKxZzjGnJaoFIuuA0qu8xebm5Vj j8V3W6tdtgnfmIGfHles5wIP8djWMPCYcA4X yco/dhyVW+6xHgW6DtIWFp6w6maoLzASXf4J upwQZaBsFTbu/BPaEna0H8RWV8bo34zdh2qD Uve6XcdosNAkObfLNs7JPBJhEVxwu/ms3Z6h 9IpdoeNDBi3DoBC8GA+m7KW61GnxMd0KGj0H QnK1sS2mZe5lGKCoZDViG4ttTl3ctWoLw5R3 ukb4JEiS3zkuLTMX59PqJ+sw6y3QBgKOSnbv k18XsducRJhqpwfUGOsmAn6/qGw0HC9XN+rO jE94zVw/whela3Q7vA== ) 300 RRSIG NSEC 10 3 300 20121212121212 ( 20110321190904 1862 nosuch.sec. T1Y1W3dghJKxZzjGnJaoFIuuA0qu8xebm5Vj j8V3W6tdtgnfmIGfHles5wIP8djWMPCYcA4X yco/dhyVW+6xHgW6DtIWFp6w6maoLzASXf4J upwQZaBsFTbu/BPaEna0H8RWV8bo34zdh2qD Uve6XcdosNAkObfLNs7JPBJhEVxwu/ms3Z6h 9IpdoeNDBi3DoBC8GA+m7KW61GnxMd0KGj0H QnK1sS2mZe5lGKCoZDViG4ttTl3ctWoLw5R3 ukb4JEiS3zkuLTMX59PqJ+sw6y3QBgKOSnbv k18XsducRJhqpwfUGOsmAn6/qGw0HC9XN+rO jE94zVw/whela3Q7vA== ) ghost.example.sec. 300 IN NS ns1.example.sec. 300 IN NS ns2.example.sec. 300 DS 50458 12 3 ( 2E40B2A6CCD2760EC70AF69D1C144064C8 1E53A6B3EEE78BDB9E0BAFBB9C02 ) zzz.example.sec. 300 IN CNAME example.sec. ; previous NSEC should bitch about it 300 NSEC zzzz.example.sec. CNAME NSEC ; this one will also bitch nosuch.example.sec. 300 RRSIG NAPTR 5 2 300 20121212121212 ( 20110321190904 516 example.sec. JMRbXaDnvv39FoonWE688oliqrw7xe6ZNi1r AQUkgjlZGmuNcCDlarDiQHUu1O2GBizRpv2o nh+TFfgqn7FrT7mPDCj5J04BuLl4x9+CayG3 jgdtZ+UW8UUu6jUO/woEsbmdB3HrVjI/UWGC 7qFMaz+i7IxCkMLTS2Qh65Dq74U= ) t/zones/galaxyplus.org000066400000000000000000000012441265465626700154050ustar00rootroot00000000000000$ORIGIN galaxyplus.org. $TTL 5M @ SOA ns1.catpipe.net. hostmaster.catpipe.net. ( 2011011400 ; Serial 1H ; Refresh 30M ; Retry 1W ; Expire 5M ) ; Minimum TTL NS ns1.catpipe.net. NS ns2.catpipe.net. A 194.28.255.11 MX 5 horch.tobez.org. $ORIGIN . www.galaxyplus.org A 194.28.255.11 $ORIGIN galaxyplus.org. cvs A 194.28.255.11 v6 AAAA 2001:2010:1::feef text TXT "text1" "Another text" "One more" bigtext TXT "1" "2" "3" "4" "5" "6" "7" "8" "9" "10" "11" "12" "13" "14" "15" "16" "17" "18" "19" "20" "21" "22" "what is the meaning of this" *.meow CNAME www t/zones/ipseckey-errors000066400000000000000000000020721265465626700155540ustar00rootroot00000000000000$ORIGIN example.sec. $TTL 5M @ SOA ns1 hostmaster 42 1H 30M 1W 5M NS ns1 NS ns2 ns1 A 1.2.3.4 ns2 A 5.6.7.8 bad-precedence IPSECKEY ( xyz 0 0 . ) bad-precedence IPSECKEY ( 256 0 0 . ) bad-gw-type IPSECKEY ( 10 xyz 0 . ) bad-gw-type IPSECKEY ( 10 4 0 . ) bad-algo IPSECKEY ( 10 0 xyz . ) bad-algo IPSECKEY ( 10 0 3 . ) gw-not-dot IPSECKEY ( 10 0 0 some.name. ) bad-ip4 IPSECKEY ( 10 1 0 192.168.1 ) bad-ip4 IPSECKEY ( 10 1 0 moocow ) bad-ip4 IPSECKEY ( 10 1 0 2001:2010:1::20 ) bad-ip6 IPSECKEY ( 10 2 0 192.168.1.20 ) bad-ip6 IPSECKEY ( 10 2 0 moocow ) bad-ip6 IPSECKEY ( 10 2 0 2001:2010:1::::20 ) bad-ip6 IPSECKEY ( 10 2 0 2001:2010:1:20 ) garbage-key IPSECKEY ( 10 0 0 . AQO/C76MVA5WN743YYeE537SLNffRZvQ9yxoQqJP943gqs4QATtnJWHQ 1SDWiRE2aXl7SJoyJAu7jaUTGKWXzStD2wpkBIJ1IZ+avxf8zxRt3y6x ImvMjRqcobreI351nbop04aBtP7o+r0zrNQmy6FqkPiI657FMEdF1cWJ 2Q4lA0Pymgq/BadXymj/LZXpmCtnTNU6laUUGuxxaf0Fj+vcL17OvU1k sLs9/9hhAbYYedmbAAGmAqfICiLBdOPCbhsCUyq8dTa0FaEinyHCJSHJ WVZ8dBpbbr2pQnZ5ul5NCgkhhcr26IPPiZm2eww6ougsogj6kPdSSQYZ YayHzVnl8NFQ9uCwbRTryepPzZP5Vd2t ) t/zones/isi-mailboxes.inc000066400000000000000000000002521265465626700157410ustar00rootroot00000000000000 MOE MB A.ISI.EDU. LARRY MB A.ISI.EDU. CURLEY MB A.ISI.EDU. STOOGES MG MOE MG LARRY MG CURLEY t/zones/keyset-example.sec.000066400000000000000000000031641265465626700162150ustar00rootroot00000000000000$ORIGIN . example.sec 300 IN DNSKEY 256 3 5 ( AwEAAbqjCxtmin71unORku1IrrQx2S49KTmw 45jnlNdreCH40YmhDZo26CMiVXbq29rvUDW+ ZEJqVT5fd5GrA1wEEGbrudd2LDr5AedBK7fY TsZf/LEm32/Bu//KzynrJqyB4HSN3GIPbp3K YyY/Hl7HawOvWAd+tUHgUtes4trE/4pr ) ; key id = 516 300 IN DNSKEY 256 3 5 ( AwEAAeluubFtl7Qtw4TpuZl85abGI+HXO4ag qzv1kSLQ5tkYFGdpZyZwQcBU2znMrdw03o6d GOEQi+FeSymycLZmtsKiODsHNwgb6qdxnYm7 +n3ZiPwVhMX3gxIG64FORibWcHAyBe5AAhQA ZIqveqjnY4gwdKZJSmo9ihXBkKS4yJ6Ulopk kSxL1Iq9oXvWrd1ZqjQiSmLF/3juvBGjHVP4 CbPiXZ70UDay6Ysa1to1tHZSQshkRTClB+Dc t8er3cZ1y62yOSbPK0SlouSRplbz+ezNyqD3 c5zvz6F2AcZ4NqaTZOMWZbOowujQj3FxElaZ S+/ughQZKq3OtMN8bqc0tZ0= ) ; key id = 44427 300 IN DNSKEY 256 3 8 ( AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90 yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3 PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01 u8SJYP6ULwx0mZ0p5BmoMH8= ) ; key id = 48381 300 IN DNSKEY 256 3 10 ( AwEAAcZdPacjnWNuQKCF8CPmUW1/NUxI/G7x dbwrU9lOuAD3sw14rLw2NTzpbC/bubt2aHQ0 nc1duoK0x3DjhAURWki/1O1Yvr2ffQRVpWS+ WjRKCqTjuPrrdImeKdWEdnDl3l5kQpsxx++E IHrDnqiVhBHJdVB70A/I7i5/HiD8HgVooR3I XVyxbT4walrarrhHWEBcXcNbvadg2rc492wS 86zbSmK8iV1e7t6U5iBYmsQjc7TVhBT7xqar knECGC8L/9o/R1zfSzSN+ay+dI45t+jOOLgW p5gmjsI/mXhoO6GqX8rbZoV7/DQyAR5rATJH W1eausJhOgE2wBJgl6V0XbM= ) ; key id = 1862 t/zones/manyerrors.zone000066400000000000000000000133561265465626700156100ustar00rootroot00000000000000$FUNNYDIRECTIVE $ORIGIN galaxyplus.org. $ORIGINBUTNOTREALLY $ORIGIN?BUTNOTREALLY $ORIGIN ; no origin $ORIGIN galaxyplus.org. muhaha. $TTL 5M $TTLAST $TTL.AST $TTL ; no ttl $TTL not a number $TTL 1z $TTL 1mz $TTL 1m z $INCLUDESSIMO x.yz $INCLUDE\SSIMO x.yz $ $%^&$# something @ A 1.2.3.4 ; SOA must be the first @ NS some.ns.ws. ; SOA must be the first @ SOA meow. grau. 201101144500 1H 30M 1W 5M ; the serial is honestly too large @ SOA ns1.catpipe.net. hostmaster.catpipe.net. ( 2011011400 ; Serial 1H ; Refresh 30M ; Retry 1W ; Expire 5M ) ; Minimum TTL SOA ns1.catpipe.net. hostmaster.catpipe.net. ( ; this will be skipped 2011011400 ; Serial 1H ; Refresh 30M ; Retry 1W ; Expire 5M ) ; Minimum TTL SOA ns1.catpipe.net. hostmaster.catpipe.net. ( ; this will be an error 2011011401 ; Serial 1H ; Refresh 30M ; Retry 1W ; Expire 5M ) ; Minimum TTL NS ns1.catpipe.net. NS ns2.catpipe.net. NS NS ns2.catpipe.net. garbage A 194.28.255.11 A A 194.28.255.11 garbage A 257.17.81.54 A this.is.not.an.a. AAAA 2001:2010:1::feef AAAA AAAA 2001:2010:1::feef garbage AAAA 2001:2010:1::feeL AAAA this.is.not.an.aaaa. MX 5 horch.tobez.org. MX MX 5 MX 5 horch.tobez.org. garbage singlens NS x.y.z xy IN 300 A 194.28.255.11 xy IN 400 A 194.28.255.12 ; bad length for SHA-256 _443._tcp.www IN TLSA ( 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e9 ) ; bad length for SHA-512 _8443._tcp.www IN TLSA ( 1 1 2 92003ba34942dc74152e2f2c408d29ec a5a520e7f2e06bb944f4dca346baf63c 1b177615d466f6c4b71c216a50292bd5 8c9ebdd2f74e38fe51ffd48c43326cbcaa ) ; bad hex encoding _25._tcp.mail IN TLSA ( 3 0 0 30820307308201efa003020102020 ) ; bad certificate usage _1._tcp.www IN TLSA ( 4 0 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e9 ) _10._tcp.www IN TLSA ( x 0 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e9 ) ; bad selector _2._tcp.www IN TLSA ( 0 2 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e9 ) _20._tcp.www IN TLSA ( 0 x 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e9 ) ; bad matching type _3._tcp.www IN TLSA ( 0 0 3 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e9 ) _30._tcp.www IN TLSA ( 0 0 x d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e9 ) ; policy bad domain name for TLSA tlsa IN TLSA ( 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e9aa ) _30._xtp.www IN TLSA ( 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9 7983a1d16e8a410e4561cb106618e9aa ) outside.org. A 194.28.255.11 long.outside.org. A 194.28.255.11 outsidegalaxyplus.org. A 194.28.255.11 insidegalaxyplus.org.galaxyplus.org. A 194.28.255.11 www A 194.28.255.11 cvs A 194.28.255.11 v6 AAAA 2001:2010:1::feef otherdata1 CNAME a.b.c. otherdata1 CNAME x.y.z. otherdata2 CNAME a.b.c. otherdata2 A 1.2.3.4 cert CERT 3 3 177 V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== cert CERT 3 3 MEOW V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== cert CERT 100000 3 0 V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== cert CERT 255 3 0 V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== cert CERT 700 3 0 V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== cert CERT MEOW 3 0 V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== cert CERT pgp 100000 0 V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== cert CERT pgp 0 0 aha!oho,== ; but this one and the next are fine cert CERT URI 0 0 V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== cert CERT 254 1234 dsa V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBpbiBnZW5lcmFsLg== zzz SOA ns1.catpipe.net. hostmaster.catpipe.net. ( ; this will be an error 2011011400 ; Serial 1H ; Refresh 30M ; Retry 1W ; Expire 5M ) ; Minimum TTL xy*z A 12.13.14.15 ; name is not valid *z A 12.13.14.15 ; name: bad wildcard .xyz A 34.45.56.78 ; name cannot start with a dot .. A 34.45.56.78 ; name cannot start with a dot zzzz1 DNAME x.y.dk. blah ; garbage after valid DNAME zzzz2 DNAME x.y.dk. ; fine zzzz2 DNAME a.b.org. ; multiple DNAMEs zzzz3 DNAME a.b.org. ; fine something.zzzz3 A 1.2.3.4 ; DNAME must not have any children (but something.zzzz3.galaxyplus.org exists) zzzz4 DNAME a.b.org. ; fine zzzz4 CNAME zzzz4.a.b.org. ; CNAME and other data zzzz5 DNAME a.b.org. ; fine x.y.z.zzzz5 A 5.6.7.8 ; DNAME must not have any children (but z.zzzz5.galaxyplus.org exists) - yuck zzzz6 DNAME x.y.dk. ; fine, no induced error @ SOA ns1.catpipe.net. hostmaster.catpipe.net. ( ; skipped again 2011011400 ; Serial 1H ; Refresh 30M ; Retry 1W ; Expire 5M ) ; Minimum TTL t/zones/misc-regression.zone000066400000000000000000000003021265465626700165030ustar00rootroot00000000000000$ORIGIN example.com. $TTL 86400 @ IN SOA ns hostmaster 1 10800 3600 2592000 1200 IN NS ns ns IN A 192.0.2.1 xx IN TXT "a\108ias" yy IN TXT "\";" t/zones/mx-ns-alias000066400000000000000000000033161265465626700145610ustar00rootroot00000000000000$TTL 1d @ IN SOA ns1.example.jp. hostmaster.example.jp. ( 1 20m 15m 4w 15m ) NS ns1.example.jp. NS ns2.examPle.jp. MX 10 maIl.example.jp. ns1 A 192.0.2.53 Ns2 CNAME ns1.example.jp. maiL CNAME ns1.example.jp. t/zones/rp-policy000066400000000000000000000025441265465626700143500ustar00rootroot00000000000000$TTL 1d @ IN SOA ns1.example.jp. hostmaster.example.jp. ( 1 20m 15m 4w 15m ) NS ns1.example.jp. NS ns2.examPle.jp. ns1 A 192.0.2.53 Ns2 A 192.168.1.1 x RP mail.box y t/zones/simple-1035000066400000000000000000000010601265465626700143010ustar00rootroot00000000000000@ IN SOA VENERA Action\.domains ( 20 ; SERIAL 7200 ; REFRESH 600 ; RETRY 3600000; EXPIRE 60) ; MINIMUM NS A.ISI.EDU. NS VENERA NS VAXA MX 10 VENERA MX 20 VAXA A A 26.3.0.103 VENERA A 10.1.0.52 A 128.9.0.32 VAXA A 10.2.0.27 A 128.9.0.33 t/zones/ttl-regression.zone000066400000000000000000000002461265465626700163620ustar00rootroot00000000000000$ORIGIN example.com. $TTL 86400 @ IN SOA ns hostmaster 1 10800 3600 2592000 1200 IN NS ns $TTL 600 ns IN A 192.0.2.1 t/zones/ttl.zone000066400000000000000000000002361265465626700142030ustar00rootroot00000000000000$ORIGIN example.com. @ IN 200 SOA ns hostmaster 1 10800 3600 2592000 1200 IN NS ns $TTL 600 ns IN A 192.0.2.1 technical-notes.mdwn000066400000000000000000000053021265465626700150500ustar00rootroot00000000000000# validns technical notes ## Data structures considerations - the whole parsed zone must be loaded into memory - some validations work on individual records - thus, whole zone traversal is needed - some validations work on records sorted in a particular way - the "canonical order" described here http://tools.ietf.org/html/rfc4034#section-6.1 - thus, this traversal should be in this canonical order - Judy is a good way to quickly find and iterate over string-indexed data - but it uses normal lexicographic sort order - is it possible to map the names in such a way that the result, sorted lexicographically, will correspond to the canonical order? - if we agree that labels cannot contain chr(0) - this, strictly speaking, is possible - but we ignore that this can be seen in practice - and, if we agree that labels cannot contain chr(1) - same as above - possible, but it's not within "IN" class - then we can reverse the name and use chr(1) as the label separator - we could just use chr(0) as the label separator, but then we cannot use normal C-style strings, so the code will be somewhat more complex - some validations apply to given names - need quick retrieval of all records with a given name - some validations require complete RR sets - need quick retrieval of all records in a given RR set ## Memory requirements and execution speed Naturally, memory usage is much higher on 64-bit platforms. For a 4 million records zone, it eats around 700 MB on a 64-bit platform, and only around 400 MB on a 32-bit platform. It also looks that 32-bit version is somewhat faster than 64-bit one, although I did not do a strict comparison - the tested machines were not the same. ## TODO The todo list is not complete by its nature. - proper manual page - a test for every error message - zone validations specified in RFC 1035 - multiple verboseness levels (`-v` option repeated) - include file support - `-I` option - embedding lua for flexible validations - "policy validations" - `-p policy-file` option - `-r policy-rule` option (maybe?) - better platform support - `stpcpy()` might not be everywhere ## DONE The done list is not complete. - (./) usage() function - (./) options support (`getopt`) - (./) $TTL support - (./) $ORIGIN support - (./) `-z` option for initial ORIGIN - (./) master file support (RFC 1035, section 5) - (./) see whether there were changes to it - `-v` option for verbose - (./) `-q` option for extra quiet - (./) `-f` option (die on first error) - (./) `-s` option - produce validation summary/statistics - (./) nice CPAN module for external programs output testing? - (./) looks like Test::Command::Simple is what I want - (./) wire RDATA format - (./) NSEC3 parsing textparse.c000066400000000000000000000515641265465626700132770ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include "common.h" #include "carp.h" #include "mempool.h" #include "textparse.h" #include "base64.h" #include "base32hex.h" int empty_line_or_comment(char *s) { while (isspace(*s)) s++; if (!*s) return 1; if (*s == ';') return 1; return 0; } char *skip_white_space(char *s) { while (isspace(*s)) s++; if (*s == ';') { while (*s) s++; } if (*s == 0) { if (file_info->paren_mode) { if (read_zone_line()) { return skip_white_space(file_info->buf); } else { return bitch("unexpected end of file"); } } } if (*s == '(') { if (file_info->paren_mode) { return bitch("unexpected opening parenthesis"); } else { file_info->paren_mode = 1; s++; return skip_white_space(s); } } if (*s == ')') { if (file_info->paren_mode) { file_info->paren_mode = 0; s++; return skip_white_space(s); } else { return bitch("unexpected closing parenthesis"); } } return s; } static char *extract_name_slow(char **input, char *what, int options) { char buf[1024]; char *t = buf; char *s = *input; int d, l, ol; while (1) { if (isalnum(*s) || *s == '_' || *s == '.' || *s == '-' || *s == '/' || ((options & DOLLAR_OK_IN_NAMES) && *s == '$')) { if (t-buf >= 1022) return bitch("name too long"); *t++ = *s++; } else if (*s == '\\') { s++; if (isdigit(*s)) { d = *s - '0'; s++; if (!isdigit(*s)) return bitch("bad escape sequence"); d = d*10 + *s - '0'; s++; if (!isdigit(*s)) return bitch("bad escape sequence"); d = d*10 + *s - '0'; s++; if (d > 255) return bitch("bad escape sequence"); if (d == '.') return bitch("a dot within a label is not currently supported"); *((unsigned char *)t) = (unsigned char)d; if (t-buf >= 1022) return bitch("name too long"); t++; } else if (*s == '.') { return bitch("a dot within a label is not currently supported"); } else if (*s) { if (t-buf >= 1022) return bitch("name too long"); *t++ = *s++; } else { return bitch("backslash in the end of the line not parsable"); } } else { break; } } if (*s && !isspace(*s) && *s != ';' && *s != ')') { return bitch("%s is not valid", what); } *t = '\0'; l = strlen(buf); if (!l) return bitch("%s should not be empty", what); if (buf[l-1] != '.') { if (!file_info->current_origin) { return bitch("do not know origin to determine %s", what); } ol = strlen(file_info->current_origin); if (file_info->current_origin[0] == '.') { if (l + ol >= 1023) return bitch("name too long"); strcat(buf, file_info->current_origin); } else { if (l + ol >= 1022) return bitch("name too long"); strcat(buf, "."); strcat(buf, file_info->current_origin); } } t = strchr(buf, '*'); if (t && (t != buf || t[1] != '.')) return bitch("%s: bad wildcard", what); if (buf[0] == '.' && buf[1] != '\0') return bitch("%s: name cannot start with a dot", what); if (strstr(buf, "..")) return bitch("%s: empty label in a name", what); *input = skip_white_space(s); if (!*input) return NULL; /* bitching's done elsewhere */ if (!(options & KEEP_CAPITALIZATION)) { t = buf; while (*t) { *t = tolower(*t); t++; } } t = quickstrdup(buf); return t; } char *extract_name(char **input, char *what, int options) { char *s = *input; char *r = NULL; char *end = NULL; char c; int wildcard = 0; if (*s == '@') { s++; if (*s && !isspace(*s) && *s != ';' && *s != ')') { return bitch("literal @ in %s is not all by itself", what); } if (!file_info->current_origin) { return bitch("do not know origin to expand @ in %s", what); } r = quickstrdup(file_info->current_origin); } else { if (!(isalnum(*s) || *s == '_' || *s == '.' || *s == '/' || ((options & DOLLAR_OK_IN_NAMES) && *s == '$'))) { if (*s == '*') { wildcard = 1; } else { if (*s == '\\') return extract_name_slow(input, what, options); return bitch("%s expected", what); } } s++; while (isalnum(*s) || *s == '.' || *s == '-' || *s == '_' || *s == '/' || ((options & DOLLAR_OK_IN_NAMES) && *s == '$')) s++; if (*s && !isspace(*s) && *s != ';' && *s != ')') { if (*s == '\\') return extract_name_slow(input, what, options); return bitch("%s is not valid", what); } if (!*s) end = s; c = *s; *s = '\0'; if (*(s-1) == '.') { r = quickstrdup(*input); } else { if (!file_info->current_origin) { return bitch("do not know origin to determine %s", what); } r = getmem(strlen(*input) + 1 + strlen(file_info->current_origin) + 1); if (file_info->current_origin[0] == '.') { strcpy(mystpcpy(r, *input), file_info->current_origin); } else { strcpy(mystpcpy(mystpcpy(r, *input), "."), file_info->current_origin); } } *s = c; } if (end) { *input = end; } else { *input = skip_white_space(s); if (!*input) return NULL; /* bitching's done elsewhere */ } if (!(options & KEEP_CAPITALIZATION)) { s = r; while (*s) { *s = tolower(*s); s++; } } if (wildcard && r[1] != '.') { return bitch("%s: bad wildcard", what); } else if (r[0] == '.' && r[1] != '\0') { return bitch("%s: name cannot start with a dot", what); } return r; } char *extract_label(char **input, char *what, void *is_temporary) { char *s = *input; char *r = NULL; char *end = NULL; if (!isalpha(*s)) { return bitch("%s expected", what); } s++; while (isalnum(*s)) s++; if (*s && !isspace(*s)) { return bitch("%s is not valid", what); } if (!*s) end = s; *s++ = '\0'; if (is_temporary) { r = quickstrdup_temp(*input); } else { r = quickstrdup(*input); } if (end) { *input = end; } else { *input = skip_white_space(s); if (!*input) return NULL; /* bitching's done elsewhere */ } s = r; while (*s) { *s = tolower(*s); s++; } return r; } long long extract_integer(char **input, char *what, const char *extra_delimiters) { char *s = *input; long long r = -1; char *end = NULL; char c; if (!isdigit(*s)) { bitch("%s expected", what); return -1; } s++; while (isdigit(*s)) s++; if (*s && !isspace(*s) && *s != ';' && *s != ')') { if (!extra_delimiters || strchr(extra_delimiters, *s) == NULL) { bitch("%s is not valid", what); return -1; } } if (!*s) end = s; c = *s; *s = '\0'; r = strtoll(*input, NULL, 10); *s = c; if (end) { *input = end; } else { *input = skip_white_space(s); if (!*input) return -1; /* bitching's done elsewhere */ } return r; } int extract_double(char **input, char *what, double *val, int skip_m) { char *s = *input; char *end = NULL; char *stop; char c; int saw_m = 0; while (isdigit(*s) || *s == '+' || *s == '-' || *s == '.') s++; if (*s && !isspace(*s) && *s != ';' && *s != ')') { if (skip_m && (*s == 'm' || *s == 'M')) { saw_m = 1; } else { bitch("%s is not valid", what); return -1; } } if (!*s) end = s; c = *s; *s = '\0'; *val = strtod(*input, &stop); if (*stop != '\0') { *s = c; bitch("%s is not valid", what); return -1; } *s = c; if (saw_m) { s++; if (*s && !isspace(*s) && *s != ';' && *s != ')') { bitch("%s is not valid", what); return -1; } } if (end) { *input = end; } else { *input = skip_white_space(s); if (!*input) return -1; /* bitching's done elsewhere */ } return 1; } long extract_timevalue(char **input, char *what) { char *s = *input; int r = 0, acc = 0; if (!isdigit(*s)) { bitch("%s expected", what); return -1; } next_component: r = 0; while (isdigit(*s)) { r *= 10; r += *s - '0'; s++; } if (tolower(*s) == 's') { s++; } else if (tolower(*s) == 'm') { r *= 60; s++; } else if (tolower(*s) == 'h') { r *= 3600; s++; } else if (tolower(*s) == 'd') { r *= 86400; s++; } else if (tolower(*s) == 'w') { r *= 604800; s++; } acc += r; if (isdigit(*s)) goto next_component; if (*s && !isspace(*s) && *s != ';' && *s != ')') { bitch("%s is not valid", what); return -1; } *input = skip_white_space(s); if (!*input) return -1; /* bitching's done elsewhere */ return acc; } long long extract_timestamp(char **input, char *what) { char *s = *input; int year = 0; int month = 0; int day = 0; int hour = 0; int minute = 0; int second = 0; long long epoch = 0; struct tm tm; if (!isdigit(*s)) { bitch("%s expected", what); return -1; } year = year*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; year = year*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; year = year*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; year = year*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; month = month*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; month = month*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; day = day*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; day = day*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; hour = hour*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; hour = hour*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; minute = minute*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; minute = minute*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; second = second*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (!isdigit(*s)) goto looks_like_epoch; second = second*10 + *s - '0'; epoch = epoch*10 + *s - '0'; s++; if (*s && !isspace(*s) && *s != ';' && *s != ')') { bitch("%s is not valid", what); return -1; } if (second > 60 || minute > 59 || hour > 23 || day < 1 || day > 31 || month > 12 || year < 1900 || year > 2037) { bitch("%s is not valid", what); return -1; } memset(&tm, 0, sizeof(tm)); tm.tm_sec = second; tm.tm_min = minute; tm.tm_hour = hour; tm.tm_mday = day; tm.tm_mon = month - 1; tm.tm_year = year - 1900; epoch = mktime(&tm); if (epoch < 0) { bitch("%s is not valid", what); return -1; } goto done; looks_like_epoch: if (*s && !isspace(*s) && *s != ';' && *s != ')') { bitch("%s is not valid", what); return -1; } done: *input = skip_white_space(s); if (!*input) return -1; /* bitching's done elsewhere */ return epoch; } int extract_ipv4(char **input, char *what, struct in_addr *addr) { char *s = *input; char c; while (isdigit(*s) || *s == '.') { s++; } if (s == *input) { bitch("%s is not valid", what); return -1; } if (*s && !isspace(*s) && *s != ';' && *s != ')') { bitch("%s is not valid", what); return -1; } c = *s; *s = 0; if (inet_pton(AF_INET, *input, addr) != 1) { *s = c; bitch("cannot parse %s", what); return -1; } *s = c; *input = skip_white_space(s); if (!*input) { return -1; /* bitching's done elsewhere */ } return 1; } int extract_ipv6(char **input, char *what, struct in6_addr *addr) { char *s = *input; char c; while (isdigit(*s) || *s == ':' || *s == '.' || (*s >= 'a' && *s <= 'f') || (*s >= 'A' && *s <= 'F')) { s++; } if (s == *input) { bitch("%s is not valid", what); return -1; } if (*s && !isspace(*s) && *s != ';' && *s != ')') { bitch("%s is not valid", what); return -1; } c = *s; *s = 0; if (inet_pton(AF_INET6, *input, addr) != 1) { *s = c; bitch("cannot parse %s", what); return -1; } *s = c; *input = skip_white_space(s); if (!*input) { return -1; /* bitching's done elsewhere */ } return 1; } int extract_u64(char **input, char *what, uint64_t *r) { char *s = *input; uint8_t result = 0; unsigned u; #define GETHEXBLOCK if (!isxdigit(*s)) { bitch("%s is not valid", what); return -1; } \ u = 0; \ while (isxdigit(*s)) { \ if (isdigit(*s)) { \ u = (u << 4) | (*s - '0'); \ } else if (*s >= 'a' && *s <= 'f') { \ u = (u << 4) | (*s - 'a' + 10); \ } else { \ u = (u << 4) | (*s - 'A' + 10); \ } \ s++; \ } \ if (u > 0xffff) { bitch("%s is not valid, hex out of range", what); return -1; } \ result = (result << 16) | u; #define SKIPCOLON if (*s != ':') { bitch("%s is not valid", what); return -1; } s++; GETHEXBLOCK; SKIPCOLON; GETHEXBLOCK; SKIPCOLON; GETHEXBLOCK; SKIPCOLON; GETHEXBLOCK; *r = result; #undef GETHEXBLOCK #undef SKIPCOLON if (*s && !isspace(*s) && *s != ';' && *s != ')') { bitch("%s is not valid", what); return -1; } *input = skip_white_space(s); if (!*input) { return -1; /* bitching's done elsewhere */ } return 1; } struct binary_data bad_binary_data(void) { struct binary_data r; r.length = -1; r.data = NULL; return r; } struct binary_data extract_base64_binary_data(char **input, char *what) { char b64[4096]; int l64 = 0; char *s = *input; struct binary_data r = bad_binary_data(); int bl; while (s && *s) { if (!isalnum(*s) && *s != '=' && *s != '+' && *s != '/') { bitch("%s expected", what); return r; } while (isalnum(*s) || *s == '=' || *s == '+' || *s == '/') { if (l64 >= 4095) { bitch("%s is too long", what); return r; } b64[l64++] = *s++; } s = skip_white_space(s); } *input = s; if (!s) return r; b64[l64] = 0; bl = (l64 * 3 + 3)/4; r.data = getmem(bl); r.length = decode_base64(r.data, b64, bl); if (r.length < 0) { bitch("error decoding base64 %s", what); return r; } return r; } struct binary_data extract_base32hex_binary_data(char **input, char *what) { char b32[4096]; int l32 = 0; char *s = *input; struct binary_data r = bad_binary_data(); int bl; while ( (*s >= 'A' && *s <= 'V') || (*s >= 'a' && *s <= 'v') || (*s >= '0' && *s <= '9') || *s == '=') { if (l32 >= 4095) { bitch("%s is too long", what); return r; } b32[l32++] = *s++; } if (l32 <= 0) { bitch("%s expected", what); return r; } s = skip_white_space(s); *input = s; if (!s) return r; b32[l32] = 0; bl = (l32 * 5 + 7)/8; r.data = getmem(bl); r.length = decode_base32hex(r.data, b32, bl); if (r.length < 0) { bitch("error decoding base32hex %s", what); return r; } return r; } struct binary_data extract_text(char **input, char *what) { char *s = *input; struct binary_data r = bad_binary_data(); char *o = getmem_temp(65536); int l = 0; int c; if (*s != '"') { while (*s && !isspace(*s)) { o[l++] = *s++; } *input = skip_white_space(s); if (!*input) return r; /* bitching's done elsewhere */ o[l] = 0; r.data = getmem(l+1); r.length = l; memcpy(r.data, o, l+1); return r; } s++; more_text: while (*s && *s != '"') { if (*s == '\\') { s++; if (*s == 0) { bitch("bad backslash quoting of %s", what); return r; } else if (isdigit(*s)) { c = 0; while (isdigit(*s)) { c = c*10 + *s - '0'; s++; } o[l++] = (unsigned char)c; } else { o[l] = *s; goto new_char; } } else { o[l] = *s; new_char: if (l >= 65534) { bitch("%s string too long", what); return r; } l++; s++; } } if (!*s) { if (read_zone_line()) { s = file_info->buf; goto more_text; } else { bitch("closing quote not found while parsing %s", what); return r; } } s++; *input = skip_white_space(s); if (!*input) return r; /* bitching's done elsewhere */ o[l] = 0; r.data = getmem(l+1); r.length = l; memcpy(r.data, o, l+1); return r; } struct binary_data extract_hex_binary_data(char **input, char *what, int eat_whitespace) { char hex[4096]; char *s = *input; struct binary_data r = bad_binary_data(); int hl, hi, hb; hex[0] = '0'; hl = 1; if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) s += 2; if (eat_whitespace == EXTRACT_DONT_EAT_WHITESPACE) { while (isxdigit(*s)) { if (hl >= 4095) { bitch("%s is too long", what); return r; } hex[hl] = *s; s++; hl++; } if (*s && !isspace(*s) && *s != ';' && *s != ')') { bitch("%s is not valid", what); return r; } *input = skip_white_space(s); } else if (eat_whitespace == EXTRACT_EAT_WHITESPACE) { while (s && *s) { if (!isxdigit(*s)) { bitch("%s expected", what); return r; } while (isxdigit(*s)) { if (hl >= 4095) { bitch("%s is too long", what); return r; } hex[hl++] = *s++; } s = skip_white_space(s); } *input = s; } else { bitch("%s: internal: invalid eat_whitespace", what); } if (!*input) return r; /* bitching's done elsewhere */ hb = hl % 2 ? 1 : 0; if (hb == 0) bitch("%s: hex data does not represent whole number of bytes", what); r.data = getmem(hl/2); r.length = hl/2; memset(r.data, 0, r.length); for (hi = 0; hi < hl-hb; hi++) { r.data[hi/2] <<= 4; r.data[hi/2] |= 0x0f & (isdigit(hex[hi+hb]) ? hex[hi+hb] - '0' : tolower(hex[hi+hb]) - 'a' + 10); } return r; } struct binary_data new_set(void) { struct binary_data set; set.length = 256*(1+1+32); set.data = getmem_temp(set.length); memset(set.data, 0, set.length); return set; } void add_bit_to_set(struct binary_data *set, int bit) { int map; int map_base; int byte; if (bit < 0 || bit > 65535) croakx(1, "bitmap index out of range"); map = bit / 256; map_base = map*(1+1+32); set->data[map_base] = map; bit = bit & 0xff; byte = bit / 8; if (set->data[map_base + 1] <= byte) set->data[map_base + 1] = byte+1; set->data[map_base + 2 + byte] |= 0x80 >> (bit & 0x07); } struct binary_data compressed_set(struct binary_data *set) { int len = 0; int map; int map_base; struct binary_data r; for (map = 0; map <= 255; map++) { map_base = map*(1+1+32); if (set->data[map_base+1]) { len += 2 + set->data[map_base+1]; } } r.length = len; r.data = getmem(r.length); len = 0; for (map = 0; map <= 255; map++) { map_base = map*(1+1+32); if (set->data[map_base+1]) { memcpy(&r.data[len], &set->data[map_base], 2 + set->data[map_base+1]); len += 2 + set->data[map_base+1]; } } return r; } struct binary_data compose_binary_data(const char *fmt, int tmp, ...) { va_list ap; const char *args; int sz; struct binary_data bd; struct binary_data r; char *t; uint8_t b1; uint16_t b2; uint32_t b4; uint64_t b8; va_start(ap, tmp); args = fmt; sz = 0; while (*args) { switch (*args++) { case '1': va_arg(ap, unsigned int); sz += 1; break; case '2': va_arg(ap, unsigned int); sz += 2; break; case '4': va_arg(ap, unsigned int); sz += 4; break; case '8': va_arg(ap, uint64_t); sz += 8; break; case 'd': bd = va_arg(ap, struct binary_data); sz += bd.length; break; case 'b': bd = va_arg(ap, struct binary_data); if (bd.length > 255) croak(5, "compose_binary_data: 'b' data too long"); sz += bd.length + 1; break; case 'B': bd = va_arg(ap, struct binary_data); if (bd.length > 65535) croak(5, "compose_binary_data: 'B' data too long"); sz += bd.length + 2; break; default: croak(5, "compose_binary_data: bad format"); } } va_end(ap); r.length = sz; r.data = tmp ? getmem_temp(sz) : getmem(sz); t = r.data; va_start(ap, tmp); args = fmt; while (*args) { switch (*args++) { case '1': b1 = (uint8_t)va_arg(ap, unsigned int); memcpy(t, &b1, 1); t += 1; break; case '2': b2 = htons(va_arg(ap, unsigned int)); memcpy(t, &b2, 2); t += 2; break; case '4': b4 = htonl(va_arg(ap, unsigned int)); memcpy(t, &b4, 4); t += 4; break; case '8': b8 = htonl(va_arg(ap, uint64_t)); memcpy(t, &b8, 8); t += 8; break; case 'd': bd = va_arg(ap, struct binary_data); memcpy(t, bd.data, bd.length); t += bd.length; break; case 'b': bd = va_arg(ap, struct binary_data); b1 = (uint8_t)bd.length; memcpy(t, &b1, 1); t += 1; memcpy(t, bd.data, bd.length); t += bd.length; break; case 'B': bd = va_arg(ap, struct binary_data); b2 = htons(bd.length); memcpy(t, &b2, 2); t += 2; memcpy(t, bd.data, bd.length); t += bd.length; break; default: croak(5, "compose_binary_data: bad format"); } } va_end(ap); return r; } /* implementation taken from FreeBSD's libc (minus the __restrict keyword) */ char * mystpcpy(char *to, const char *from) { for (; (*to = *from); ++from, ++to); return(to); } size_t mystrlcat(char *dst, const char *src, size_t siz) { char *d = dst; const char *s = src; size_t n = siz; size_t dlen; /* Find the end of dst and adjust bytes left but don't go past end */ while (n-- != 0 && *d != '\0') d++; dlen = d - dst; n = siz - dlen; if (n == 0) return(dlen + strlen(s)); while (*s != '\0') { if (n != 1) { *d++ = *s; n--; } s++; } *d = '\0'; return(dlen + (s - src)); /* count does not include NUL */ } textparse.h000066400000000000000000000045331265465626700132760ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #ifndef _TEXTPARSE_H_ #define _TEXTPARSE_H_ #include struct binary_data { int length; char *data; }; struct binary_data compose_binary_data(const char *fmt, int tmp, ...); /* * Format: * 1 - byte * 2 - 16-bit, will convert to network byte order * 4 - 32-bit, will convert to network byte order * d - another binary structure, will incorporate its data * b - another binary structure, will incorporate its data, * and prepend the length as a byte (fatal error on overflow) * B - another binary structure, will incorporate its data, * and prepend the length as a 16-bit word in NBO, * fatal error on overflow * tmp : allocate temp storage if true, permanent if false * */ #define KEEP_CAPITALIZATION 32 #define DOLLAR_OK_IN_NAMES 64 int empty_line_or_comment(char *s); char *skip_white_space(char *s); char *extract_name(char **input, char *what, int options); char *extract_label(char **input, char *what, void *is_temporary); long long extract_integer(char **input, char *what, const char *extra_delimiters); long extract_timevalue(char **input, char *what); long long extract_timestamp(char **input, char *what); int extract_ipv4(char **input, char *what, struct in_addr *addr); int extract_ipv6(char **input, char *what, struct in6_addr *addr); int extract_u64(char **input, char *what, uint64_t *r); int extract_double(char **input, char *what, double *val, int skip_m); struct binary_data extract_base32hex_binary_data(char **input, char *what); struct binary_data extract_base64_binary_data(char **input, char *what); struct binary_data extract_text(char **input, char *what); #define EXTRACT_DONT_EAT_WHITESPACE 0 #define EXTRACT_EAT_WHITESPACE 1 struct binary_data extract_hex_binary_data(char **input, char *what, int eat_whitespace); struct binary_data bad_binary_data(void); /* for NSEC/NSEC3 sets */ struct binary_data new_set(void); void add_bit_to_set(struct binary_data *set, int bit); struct binary_data compressed_set(struct binary_data *set); char *mystpcpy(char *to, const char *from); /* stpcpy(3) is not available everywhere */ size_t mystrlcat(char *dst, const char *src, size_t siz); /* so is strlcat */ char *read_zone_line(void); #endif threads.c000066400000000000000000000014221265465626700126760ustar00rootroot00000000000000#include #include #ifdef __GLIBC__ #include #elif defined(__APPLE__) || defined(__FreeBSD__) #include #include #endif /* supposedly, #if defined(PTW32_VERSION) || defined(__hpux) return pthread_num_processors_np(); but I cannot verify that at the moment */ #if defined(__GLIBC__) int ncpus(void) { return get_nprocs(); } #elif defined(__APPLE__) || defined(__FreeBSD__) int ncpus(void) { int count; size_t size=sizeof(count); return sysctlbyname("hw.ncpu",&count,&size,NULL,0) ? 0 : count; } #else int ncpus(void) { return 0; } /* "Don't know */ #endif /* Supposedly, sysconf() can also be used in some cases: #include int const count=sysconf(_SC_NPROCESSORS_ONLN); return (count>0)?count:0; */ tlsa.c000066400000000000000000000060661265465626700122200ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" /* See http://www.rfc-editor.org/internet-drafts/draft-ietf-dane-protocol-23.txt * for TLSA description. */ static struct rr* tlsa_parse(char *name, long ttl, int type, char *s) { struct rr_tlsa *rr = getmem(sizeof(*rr)); int cert_usage, selector, matching_type; cert_usage = extract_integer(&s, "certificate usage field", NULL); if (cert_usage < 0) return NULL; if (cert_usage > 3) return bitch("bad certificate usage field"); rr->cert_usage = cert_usage; selector = extract_integer(&s, "selector field", NULL); if (selector < 0) return NULL; if (selector > 1) return bitch("bad selector field"); rr->selector = selector; matching_type = extract_integer(&s, "matching type field", NULL); if (matching_type < 0) return NULL; if (matching_type > 2) return bitch("bad matching type field"); rr->matching_type = matching_type; rr->association_data = extract_hex_binary_data(&s, "certificate association data", EXTRACT_EAT_WHITESPACE); if (rr->association_data.length < 0) return NULL; switch (rr->matching_type) { case 1: if (rr->association_data.length != SHA256_BYTES) return bitch("bad SHA-256 hash length"); break; case 2: if (rr->association_data.length != SHA512_BYTES) return bitch("bad SHA-512 hash length"); break; } if (*s) { return bitch("garbage after valid TLSA data"); } return store_record(type, name, ttl, rr); } static char* tlsa_human(struct rr *rrv) { RRCAST(tlsa); char s[1024]; snprintf(s, 1024, "%d %d %d ...", rr->cert_usage, rr->selector, rr->matching_type); return quickstrdup_temp(s); } static struct binary_data tlsa_wirerdata(struct rr *rrv) { RRCAST(tlsa); return compose_binary_data("111d", 1, rr->cert_usage, rr->selector, rr->matching_type, rr->association_data); } static void* tlsa_validate_set(struct rr_set *rr_set) { struct rr *rr; struct named_rr *named_rr; char *s; int port = 0; int len; if (G.opt.policy_checks[POLICY_TLSA_HOST]) { rr = rr_set->tail; named_rr = rr_set->named_rr; /* _25._tcp.mail.example.com. */ s = named_rr->name; if (*s != '_') { not_a_prefixed_domain_name: return moan(rr->file_name, rr->line, "not a proper prefixed DNS domain name"); } s++; while (isdigit(*s)) { port = port * 10 + *s - '0'; s++; } if (port <= 0 || port > 65535) goto not_a_prefixed_domain_name; if (*s++ != '.') goto not_a_prefixed_domain_name; len = strlen(s); if (len < 6) goto not_a_prefixed_domain_name; if (memcmp(s, "_tcp.", 5) != 0 && memcmp(s, "_udp.", 5) != 0 && memcmp(s, "_sctp.", 6) != 0) goto not_a_prefixed_domain_name; } return NULL; } struct rr_methods tlsa_methods = { tlsa_parse, tlsa_human, tlsa_wirerdata, tlsa_validate_set, NULL }; todo.mdwn000066400000000000000000000033161265465626700127400ustar00rootroot00000000000000Goals / development milestones / features for validns: 1. Requirements for an initial public release (missing functionality/doc) Task/feature/functionality % done Descr ----------------------------------------------------------------------------- - understand all standard rdtypes 80 - currently missing: AFSDB, APL, CERT, DHCID, DLV, DNAME, HIP, IPSECKEY, KEY, KX, SIG, SPF, TA, TKEY - initial user documentation 30 2. Performance and other non-critical enhancements - speed up signature verification 0 - the initial parsing cannot (and possibly other operations) be easily parallelized, via using multiple threads but signature checks can - add an incremental checks mode 0 - store hashes of succesfully (do not do expensive verified records verifications which were done previously, provided the records did not change) 3. Nice to have features, for post-release - user-defined policy checks via 0 - lua API shall provide lua embedding (split out convenient means to access syntactical and policy validation) and search records, so that policy checks involving relationships between records can be implemented by the user - speed up signature verification 0 - requires significan via GPU crypto offload amount of experimentation txt.c000066400000000000000000000035661265465626700120760ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" /* XXX Does not accept multiple character-strings */ static struct rr *txt_parse(char *name, long ttl, int type, char *s) { struct rr_txt *rr; struct binary_data txt; struct rr_txt_segment *first = NULL; struct rr_txt_segment *last = NULL; struct rr_txt_segment *cur = NULL; int i; i = 0; while (*s) { freeall_temp(); txt = extract_text(&s, "text segment"); if (txt.length < 0) return NULL; if (txt.length > 255) return bitch("TXT segment too long"); i++; cur = getmem(sizeof(*cur)); cur->txt = txt; cur->next = NULL; if (!first) first = cur; if (last) last->next = cur; last = cur; } if (i == 0) return bitch("empty text record"); rr = getmem(sizeof(*rr)); rr->count = i; rr->txt = first; return store_record(type, name, ttl, rr); } static char* txt_human(struct rr *rrv) { RRCAST(txt); char ss[1024]; char *s = ss; int l; struct rr_txt_segment *seg = rr->txt; while (seg) { /* XXX would be nice to escape " with \ in strings */ l = snprintf(s, 1024-(s-ss), "\"%s\" ", seg->txt.data); s += l; seg = seg->next; } return quickstrdup_temp(ss); } static struct binary_data txt_wirerdata(struct rr *rrv) { RRCAST(txt); struct binary_data r, t; struct rr_txt_segment *seg = rr->txt; r = bad_binary_data(); t.length = 0; t.data = NULL; while (seg) { r = compose_binary_data("db", 1, t, seg->txt); t = r; seg = seg->next; } return r; } struct rr_methods txt_methods = { txt_parse, txt_human, txt_wirerdata, NULL, NULL }; usage.mdwn000066400000000000000000000114061265465626700130760ustar00rootroot00000000000000% VALIDNS(1) % Anton Berezin % April 2011 # NAME validns - DNS and DSNSEC zone file validator # VERSION This document describes validns version 0.8 # SYNOPSIS validns *-h* validns [*options*] *zone-file* For validating stdin, specify "-" in place of *zone-file*. # DESCRIPTION Coming soon. # OPTIONS -h : Produce usage text and quit. -f : Quit on first validation error. Normally, `validns` continues working on a zone after encountering a parsing or validation error. -p *name* : Activate policy check *name*. By default, only basic checks and DNSSEC checks are performed. This option can be specified multiple times. See **POLICY CHECKS**, below, for details. The following names are understood: - single-ns - cname-other-data - dname - dnskey - nsec3param-not-apex - mx-alias - ns-alias - rp-txt-exists - tlsa-host - ksk-exists - all -n *N* : Use N worker threads for parallelizable operations. The default is 0, meaning no parallelization. Currently only signature verification is parallelizable. -q : quiet - do not produce any output -s : print validation summary/stats -v : be extra verbose -M : use SOA MINTTL as the default TTL when no TTL specified -I *path* : use this path for $INCLUDE files -z *origin* : use this origin as initial $ORIGIN -t *epoch-time* : Use specified time instead of the current time when verifying validity of the signatures. This option may be specified multiple times, in which case every signature is checked against all specified times. # BASIC CHECKS Every record and every supported directive should be parsable, which consitutes the most basic check of all. The `validns` program will report the exact reason why it cannot parse a record or a directive. Other basic checks include: - there could only be one SOA in a zone; - the first record in the zone must be an SOA record; - a record outside the apex; - TTL values differ within an RR set (excepting *RRSIG*); # DNSSEC CHECKS - *type* exists, but NSEC does not mention it for *name*; - NSEC mentions *type*, but no such record found for *name*; - NSEC says *x* is the last name, but *z* exists; - NSEC says *z* comes after *x*, but nothing does; - NSEC says *z* comes after *x*, but *y* does; - signature is too new; - signature is too old; - RRSIG exists for non-existing type *type*; - RRSIG's original TTL differs from corresponding record's; - RRSIG(*type*): cannot find a signer key; - RRSIG(*type*): cannot verify the signature; - RRSIG(*type*): cannot find the right signer key; - NSEC3 record name is not valid; - multiple NSEC3 with the same record name; - no corresponding NSEC3 found for *name*; - *type* exists, but NSEC3 does not mention it for *name*; - NSEC3 mentions *type*, but no such record found for *name*; - there are more record types than NSEC3 mentions for *name*; - broken NSEC3 chain, expected *name*, but nothing found; - broken NSEC3 chain, expected *name1*, but found *name2*; - NSEC3 without a corresponding record (or empty non-terminal). # POLICY CHECKS - there should be at least two NS records per name (or zero); - CNAME and other data (excluding possible RRSIG and NSEC); - DNAME checks: no multiple DNAMEs, no descendants of a node with a DNAME; please note that DNAME/CNAME clash is handled by CNAME and other data check already; - DNSKEY checks: public key too short, leading zero octets in public key exponent or modulus; - NSEC3PARAM, if present, should only be at the zone apex. - MX exchange should not be an alias - NS nsdname should not be an alias - TXT domain name mentioned in RP record must have a corresponding TXT record if it is within the zone - domain name of a TLSA record must be a proper prefixed DNS name - a KSK key must exist in a signed zone # BUGS - textual segments in *TXT* and *HINFO* must be enclosed in double quotes; - a dot within a label is not currently supported; If at least one NSEC3 record uses opt-out flag, `validns` assumes it is used as much as possible, that is, every unsigned delegation does not have a corresponding NSEC3 record. This is done for reasons of efficiency, to avoid calculating cryptographic hashes of every unsigned delegation. If this assumption is wrong for a zone, `validns` will produce spurious validation errors. # ACKNOWLEDGEMENTS Thanks go to Andy Holdaway, Daniel Stirnimann, Dennis Kjaer Jensen, Goran Bengtson, Hirohisa Yamaguchi, Hugo Salgado, Jake Zack, Jakob Schlyter, Koh-ichi Ito, Mathieu Arnold, Miek Gieben, Patrik Wallstrom, Paul Wouters, Ryan Eby, Tony Finch, Willem Toorop, and YAMAGUCHI Takanori for bug reports, testing, discussions, and occasional patches. Special thanks to Stephane Bortzmeyer and Phil Regnauld. Thanks for AFNIC which funded major portion of the development. Thanks for SWITCH for additional funding. validns.1000066400000000000000000000132241265465626700126250ustar00rootroot00000000000000.TH "VALIDNS" "1" "April 2011" "" "" .SH NAME .PP validns \- DNS and DSNSEC zone file validator .SH VERSION .PP This document describes validns version 0.8 .SH SYNOPSIS .PP validns \f[I]\-h\f[] validns [\f[I]options\f[]] \f[I]zone\-file\f[] .PP For validating stdin, specify "\-" in place of \f[I]zone\-file\f[]. .SH DESCRIPTION .PP Coming soon. .SH OPTIONS .TP .B \-h Produce usage text and quit. .RS .RE .TP .B \-f Quit on first validation error. Normally, \f[C]validns\f[] continues working on a zone after encountering a parsing or validation error. .RS .RE .TP .B \-p \f[I]name\f[] Activate policy check \f[I]name\f[]. By default, only basic checks and DNSSEC checks are performed. This option can be specified multiple times. See \f[B]POLICY CHECKS\f[], below, for details. The following names are understood: .RS .IP \[bu] 2 single\-ns .IP \[bu] 2 cname\-other\-data .IP \[bu] 2 dname .IP \[bu] 2 dnskey .IP \[bu] 2 nsec3param\-not\-apex .IP \[bu] 2 mx\-alias .IP \[bu] 2 ns\-alias .IP \[bu] 2 rp\-txt\-exists .IP \[bu] 2 tlsa\-host .IP \[bu] 2 ksk\-exists .IP \[bu] 2 all .RE .TP .B \-n \f[I]N\f[] Use N worker threads for parallelizable operations. The default is 0, meaning no parallelization. Currently only signature verification is parallelizable. .RS .RE .TP .B \-q quiet \- do not produce any output .RS .RE .TP .B \-s print validation summary/stats .RS .RE .TP .B \-v be extra verbose .RS .RE .TP .B \-M use SOA MINTTL as the default TTL when no TTL specified .RS .RE .TP .B \-I \f[I]path\f[] use this path for $INCLUDE files .RS .RE .TP .B \-z \f[I]origin\f[] use this origin as initial $ORIGIN .RS .RE .TP .B \-t \f[I]epoch\-time\f[] Use specified time instead of the current time when verifying validity of the signatures. This option may be specified multiple times, in which case every signature is checked against all specified times. .RS .RE .SH BASIC CHECKS .PP Every record and every supported directive should be parsable, which consitutes the most basic check of all. The \f[C]validns\f[] program will report the exact reason why it cannot parse a record or a directive. .PP Other basic checks include: .IP \[bu] 2 there could only be one SOA in a zone; .IP \[bu] 2 the first record in the zone must be an SOA record; .IP \[bu] 2 a record outside the apex; .IP \[bu] 2 TTL values differ within an RR set (excepting \f[I]RRSIG\f[]); .SH DNSSEC CHECKS .IP \[bu] 2 \f[I]type\f[] exists, but NSEC does not mention it for \f[I]name\f[]; .IP \[bu] 2 NSEC mentions \f[I]type\f[], but no such record found for \f[I]name\f[]; .IP \[bu] 2 NSEC says \f[I]x\f[] is the last name, but \f[I]z\f[] exists; .IP \[bu] 2 NSEC says \f[I]z\f[] comes after \f[I]x\f[], but nothing does; .IP \[bu] 2 NSEC says \f[I]z\f[] comes after \f[I]x\f[], but \f[I]y\f[] does; .IP \[bu] 2 signature is too new; .IP \[bu] 2 signature is too old; .IP \[bu] 2 RRSIG exists for non\-existing type \f[I]type\f[]; .IP \[bu] 2 RRSIG\[aq]s original TTL differs from corresponding record\[aq]s; .IP \[bu] 2 RRSIG(\f[I]type\f[]): cannot find a signer key; .IP \[bu] 2 RRSIG(\f[I]type\f[]): cannot verify the signature; .IP \[bu] 2 RRSIG(\f[I]type\f[]): cannot find the right signer key; .IP \[bu] 2 NSEC3 record name is not valid; .IP \[bu] 2 multiple NSEC3 with the same record name; .IP \[bu] 2 no corresponding NSEC3 found for \f[I]name\f[]; .IP \[bu] 2 \f[I]type\f[] exists, but NSEC3 does not mention it for \f[I]name\f[]; .IP \[bu] 2 NSEC3 mentions \f[I]type\f[], but no such record found for \f[I]name\f[]; .IP \[bu] 2 there are more record types than NSEC3 mentions for \f[I]name\f[]; .IP \[bu] 2 broken NSEC3 chain, expected \f[I]name\f[], but nothing found; .IP \[bu] 2 broken NSEC3 chain, expected \f[I]name1\f[], but found \f[I]name2\f[]; .IP \[bu] 2 NSEC3 without a corresponding record (or empty non\-terminal). .SH POLICY CHECKS .IP \[bu] 2 there should be at least two NS records per name (or zero); .IP \[bu] 2 CNAME and other data (excluding possible RRSIG and NSEC); .IP \[bu] 2 DNAME checks: no multiple DNAMEs, no descendants of a node with a DNAME; please note that DNAME/CNAME clash is handled by CNAME and other data check already; .IP \[bu] 2 DNSKEY checks: public key too short, leading zero octets in public key exponent or modulus; .IP \[bu] 2 NSEC3PARAM, if present, should only be at the zone apex. .IP \[bu] 2 MX exchange should not be an alias .IP \[bu] 2 NS nsdname should not be an alias .IP \[bu] 2 TXT domain name mentioned in RP record must have a corresponding TXT record if it is within the zone .IP \[bu] 2 domain name of a TLSA record must be a proper prefixed DNS name .IP \[bu] 2 a KSK key must exist in a signed zone .SH BUGS .IP \[bu] 2 textual segments in \f[I]TXT\f[] and \f[I]HINFO\f[] must be enclosed in double quotes; .IP \[bu] 2 a dot within a label is not currently supported; .PP If at least one NSEC3 record uses opt\-out flag, \f[C]validns\f[] assumes it is used as much as possible, that is, every unsigned delegation does not have a corresponding NSEC3 record. This is done for reasons of efficiency, to avoid calculating cryptographic hashes of every unsigned delegation. If this assumption is wrong for a zone, \f[C]validns\f[] will produce spurious validation errors. .SH ACKNOWLEDGEMENTS .PP Thanks go to Andy Holdaway, Daniel Stirnimann, Dennis Kjaer Jensen, Goran Bengtson, Hirohisa Yamaguchi, Hugo Salgado, Jake Zack, Jakob Schlyter, Koh\-ichi Ito, Mathieu Arnold, Miek Gieben, Patrik Wallstrom, Paul Wouters, Ryan Eby, Tony Finch, Willem Toorop, and YAMAGUCHI Takanori for bug reports, testing, discussions, and occasional patches. .PP Special thanks to Stephane Bortzmeyer and Phil Regnauld. .PP Thanks for AFNIC which funded major portion of the development. Thanks for SWITCH for additional funding. .SH AUTHORS Anton Berezin. x25.c000066400000000000000000000026001265465626700116610ustar00rootroot00000000000000/* * Part of DNS zone file validator `validns`. * * Copyright 2011-2014 Anton Berezin * Modified BSD license. * (See LICENSE file in the distribution.) * */ #include #include #include #include #include #include #include "common.h" #include "textparse.h" #include "mempool.h" #include "carp.h" #include "rr.h" /* XXX Does not accept multiple character-strings */ static struct rr *x25_parse(char *name, long ttl, int type, char *s) { struct rr_x25 *rr = getmem(sizeof(*rr)); int i; rr->psdn_address = extract_text(&s, "PSDN-address"); if (rr->psdn_address.length < 0) return NULL; if (rr->psdn_address.length > 255) return bitch("PSDN-address too long"); if (rr->psdn_address.length < 4) return bitch("PSDN-address too short"); for (i = 0; i < rr->psdn_address.length; i++) { if (!isdigit(rr->psdn_address.data[i])) return bitch("PSDN-address contains non-digits"); } if (*s) { return bitch("garbage after valid X25 data"); } return store_record(type, name, ttl, rr); } static char* x25_human(struct rr *rrv) { RRCAST(x25); return rr->psdn_address.data; } static struct binary_data x25_wirerdata(struct rr *rrv) { RRCAST(x25); return compose_binary_data("b", 1, rr->psdn_address); } struct rr_methods x25_methods = { x25_parse, x25_human, x25_wirerdata, NULL, NULL };