diff --git a/Changes b/Changes
index b9c4cab..068078a 100644
--- a/Changes
+++ b/Changes
@@ -1,5 +1,9 @@
Revision history for validns.
+0.6 - in progress
+ Support TLSA records.
+ Minor bug fixes.
+
0.5 Thu Jun 7 15:45:55 CEST 2012
Parallelize signature verification (-n option)
diff --git a/LICENSE b/LICENSE
index ce67f2e..74d6ee2 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2011, Anton Berezin "<tobez@tobez.org>". All rights
+Copyright (c) 2011, 2012 Anton Berezin "<tobez@tobez.org>". All rights
reserved.
Redistribution and use in source and binary forms, with or without
diff --git a/Makefile b/Makefile
index 9f02db8..5a9ae86 100644
--- a/Makefile
+++ b/Makefile
@@ -9,7 +9,7 @@ validns: main.o carp.o mempool.o textparse.o base64.o base32hex.o \
naptr.o srv.o nsec3param.o nsec3.o ds.o \
hinfo.o loc.o nsec3checks.o ptr.o \
sshfp.o threads.o rp.o spf.o cert.o \
- dname.o
+ dname.o tlsa.o nid.o l32.o l64.o lp.o
$(CC) $(CFLAGS) $(OPTIMIZE) -o validns \
main.o carp.o mempool.o textparse.o base64.o base32hex.o \
rr.o soa.o a.o cname.o mx.o ns.o \
@@ -17,7 +17,7 @@ validns: main.o carp.o mempool.o textparse.o base64.o base32hex.o \
naptr.o srv.o nsec3param.o nsec3.o ds.o \
hinfo.o loc.o nsec3checks.o ptr.o \
sshfp.o threads.o rp.o spf.o cert.o \
- dname.o \
+ dname.o tlsa.o nid.o l32.o l64.o lp.o \
-L/usr/local/lib -L/opt/local/lib -lJudy -lcrypto
clean:
@@ -27,7 +27,8 @@ clean:
-rm -f naptr.o srv.o nsec3param.o nsec3.o ds.o
-rm -f hinfo.o loc.o nsec3checks.o ptr.o
-rm -f sshfp.o base32hex.o base64.o threads.o
- -rm -f rp.o spf.o cert.o dname.o
+ -rm -f rp.o spf.o cert.o dname.o tlsa.o
+ -rm -f nid.o l32.o l64.o lp.o
-rm -f validns.core core
@echo ':-)'
@@ -124,6 +125,21 @@ cert.o: cert.c common.h textparse.h mempool.h carp.h rr.h
dname.o: dname.c common.h textparse.h mempool.h carp.h rr.h
$(CC) $(CFLAGS) $(OPTIMIZE) -c -o dname.o dname.c $(INCPATH)
+tlsa.o: tlsa.c common.h textparse.h mempool.h carp.h rr.h
+ $(CC) $(CFLAGS) $(OPTIMIZE) -c -o tlsa.o tlsa.c $(INCPATH)
+
+nid.o: nid.c common.h textparse.h mempool.h carp.h rr.h
+ $(CC) $(CFLAGS) $(OPTIMIZE) -c -o nid.o nid.c $(INCPATH)
+
+l32.o: l32.c common.h textparse.h mempool.h carp.h rr.h
+ $(CC) $(CFLAGS) $(OPTIMIZE) -c -o l32.o l32.c $(INCPATH)
+
+l64.o: l64.c common.h textparse.h mempool.h carp.h rr.h
+ $(CC) $(CFLAGS) $(OPTIMIZE) -c -o l64.o l64.c $(INCPATH)
+
+lp.o: lp.c common.h textparse.h mempool.h carp.h rr.h
+ $(CC) $(CFLAGS) $(OPTIMIZE) -c -o lp.o lp.c $(INCPATH)
+
threads.o: threads.c
$(CC) $(CFLAGS) $(OPTIMIZE) -c -o threads.o threads.c $(INCPATH)
diff --git a/a.c b/a.c
index b2a6212..28c942d 100644
--- a/a.c
+++ b/a.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/aaaa.c b/aaaa.c
index 408ac45..e5a4fd0 100644
--- a/aaaa.c
+++ b/aaaa.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/base32hex.c b/base32hex.c
index b07c910..6e54774 100644
--- a/base32hex.c
+++ b/base32hex.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/base32hex.h b/base32hex.h
index 79118ca..d6bd24c 100644
--- a/base32hex.h
+++ b/base32hex.h
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/base64.c b/base64.c
index a3ebb04..4bed2c6 100644
--- a/base64.c
+++ b/base64.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/base64.h b/base64.h
index 02bd371..a8095ba 100644
--- a/base64.h
+++ b/base64.h
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/carp.c b/carp.c
index 0514cfb..c60cdf6 100644
--- a/carp.c
+++ b/carp.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/carp.h b/carp.h
index 2ecd9a4..ddd0c0c 100644
--- a/carp.h
+++ b/carp.h
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/cert.c b/cert.c
index 9b66f28..ee80e65 100644
--- a/cert.c
+++ b/cert.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -123,7 +123,7 @@ static char* cert_human(struct rr *rrv)
RRCAST(cert);
char s[1024];
- snprintf(s, 1024, "CERT %d %d %d ...",
+ snprintf(s, 1024, "%d %d %d ...",
rr->type, rr->key_tag, rr->algorithm);
return quickstrdup_temp(s);
}
diff --git a/cname.c b/cname.c
index 51e69f5..956f729 100644
--- a/cname.c
+++ b/cname.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -21,7 +21,7 @@ static struct rr *cname_parse(char *name, long ttl, int type, char *s)
{
struct rr_cname *rr = getmem(sizeof(*rr));
- rr->cname = extract_name(&s, "cname");
+ rr->cname = extract_name(&s, "cname", 0);
if (!rr->cname)
return NULL;
if (*s) {
diff --git a/common.h b/common.h
index 70c6f42..023af1a 100644
--- a/common.h
+++ b/common.h
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -21,7 +21,7 @@ struct file_info
extern struct file_info *file_info;
-#define N_POLICY_CHECKS 8
+#define N_POLICY_CHECKS 9
#define POLICY_SINGLE_NS 0
#define POLICY_CNAME_OTHER_DATA 1
@@ -31,6 +31,7 @@ extern struct file_info *file_info;
#define POLICY_RP_TXT_EXISTS 5
#define POLICY_DNAME 6
#define POLICY_DNSKEY 7
+#define POLICY_TLSA_HOST 8
struct globals {
struct stats {
@@ -65,4 +66,10 @@ struct globals {
extern struct globals G;
+#define SHA1_BYTES 20
+#define SHA256_BYTES 32
+#define SHA512_BYTES 64
+/* GOST R 34.11-94 - 32 bytes */
+#define GOST_BYTES 32
+
#endif
diff --git a/dname.c b/dname.c
index 10e31e3..c7bc061 100644
--- a/dname.c
+++ b/dname.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -23,7 +23,7 @@ static struct rr *dname_parse(char *name, long ttl, int type, char *s)
{
struct rr_dname *rr = getmem(sizeof(*rr));
- rr->target = extract_name(&s, "dname target");
+ rr->target = extract_name(&s, "dname target", 0);
if (!rr->target)
return NULL;
if (*s) {
diff --git a/dnskey.c b/dnskey.c
index f0bae0b..3ec6b4e 100644
--- a/dnskey.c
+++ b/dnskey.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/ds.c b/ds.c
index a7f4d26..7f3cdfa 100644
--- a/ds.c
+++ b/ds.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -39,25 +39,20 @@ static struct rr* ds_parse(char *name, long ttl, int type, char *s)
/* See http://www.iana.org/assignments/ds-rr-types/ds-rr-types.xml
* for valid digest types. */
- /*
- SHA-1 20 bytes
- SHA-256 32 bytes
- GOST R 34.11-94 32 bytes
- */
switch (digest_type) {
case 1:
- if (rr->digest.length != 20) {
- return bitch("wrong SHA-1 digest length: %d bytes found, %d bytes expected", rr->digest.length, 20);
+ if (rr->digest.length != SHA1_BYTES) {
+ return bitch("wrong SHA-1 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA1_BYTES);
}
break;
case 2:
- if (rr->digest.length != 32) {
- return bitch("wrong SHA-256 digest length: %d bytes found, %d bytes expected", rr->digest.length, 32);
+ if (rr->digest.length != SHA256_BYTES) {
+ return bitch("wrong SHA-256 digest length: %d bytes found, %d bytes expected", rr->digest.length, SHA256_BYTES);
}
break;
case 3:
- if (rr->digest.length != 32) {
- return bitch("wrong GOST R 34.11-94 digest length: %d bytes found, %d bytes expected", rr->digest.length, 32);
+ if (rr->digest.length != GOST_BYTES) {
+ return bitch("wrong GOST R 34.11-94 digest length: %d bytes found, %d bytes expected", rr->digest.length, GOST_BYTES);
}
break;
default:
diff --git a/hinfo.c b/hinfo.c
index 882e49c..980426e 100644
--- a/hinfo.c
+++ b/hinfo.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/l32.c b/l32.c
new file mode 100644
index 0000000..13e7bf6
--- /dev/null
+++ b/l32.c
@@ -0,0 +1,60 @@
+/*
+ * Part of DNS zone file validator `validns`.
+ *
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
+ * Modified BSD license.
+ * (See LICENSE file in the distribution.)
+ *
+ */
+#include <sys/types.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "common.h"
+#include "textparse.h"
+#include "mempool.h"
+#include "carp.h"
+#include "rr.h"
+
+static struct rr *l32_parse(char *name, long ttl, int type, char *s)
+{
+ struct rr_l32 *rr = getmem(sizeof(*rr));
+ struct in_addr ipv4_like;
+ int preference;
+
+ rr->preference = preference = extract_integer(&s, "L32 preference");
+ if (preference < 0)
+ return NULL;
+ if (extract_ipv4(&s, "Locator32", &ipv4_like) <= 0)
+ return NULL;
+ rr->locator32 = ipv4_like.s_addr;
+
+ if (*s) {
+ return bitch("garbage after valid L32 data");
+ }
+
+ return store_record(type, name, ttl, rr);
+}
+
+static char* l32_human(struct rr *rrv)
+{
+ RRCAST(l32);
+ char s[1024];
+
+ snprintf(s, 1024, "%d %d.%d.%d.%d",
+ rr->preference,
+ (rr->locator32 >> 24) & 0xff,
+ (rr->locator32 >> 16) & 0xff,
+ (rr->locator32 >> 8) & 0xff,
+ (rr->locator32 >> 0) & 0xff);
+ return quickstrdup_temp(s);
+}
+
+static struct binary_data l32_wirerdata(struct rr *rrv)
+{
+ RRCAST(l32);
+ return compose_binary_data("24", 1, rr->preference, rr->locator32);
+}
+
+struct rr_methods l32_methods = { l32_parse, l32_human, l32_wirerdata, NULL, NULL };
diff --git a/l64.c b/l64.c
new file mode 100644
index 0000000..bccf25d
--- /dev/null
+++ b/l64.c
@@ -0,0 +1,58 @@
+/*
+ * Part of DNS zone file validator `validns`.
+ *
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
+ * Modified BSD license.
+ * (See LICENSE file in the distribution.)
+ *
+ */
+#include <sys/types.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "common.h"
+#include "textparse.h"
+#include "mempool.h"
+#include "carp.h"
+#include "rr.h"
+
+static struct rr *l64_parse(char *name, long ttl, int type, char *s)
+{
+ struct rr_l64 *rr = getmem(sizeof(*rr));
+ int preference;
+
+ rr->preference = preference = extract_integer(&s, "L64 preference");
+ if (preference < 0)
+ return NULL;
+ if (extract_u64(&s, "Locator64", &rr->locator64) < 0)
+ return NULL;
+
+ if (*s) {
+ return bitch("garbage after valid L64 data");
+ }
+
+ return store_record(type, name, ttl, rr);
+}
+
+static char* l64_human(struct rr *rrv)
+{
+ RRCAST(l64);
+ char s[1024];
+
+ snprintf(s, 1024, "%d %x:%x:%x:%x",
+ rr->preference,
+ (unsigned)(rr->locator64 >> 48) & 0xffff,
+ (unsigned)(rr->locator64 >> 32) & 0xffff,
+ (unsigned)(rr->locator64 >> 16) & 0xffff,
+ (unsigned)(rr->locator64 >> 0) & 0xffff);
+ return quickstrdup_temp(s);
+}
+
+static struct binary_data l64_wirerdata(struct rr *rrv)
+{
+ RRCAST(l64);
+ return compose_binary_data("28", 1, rr->preference, rr->locator64);
+}
+
+struct rr_methods l64_methods = { l64_parse, l64_human, l64_wirerdata, NULL, NULL };
diff --git a/loc.c b/loc.c
index 079afa3..17a949b 100644
--- a/loc.c
+++ b/loc.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/lp.c b/lp.c
new file mode 100644
index 0000000..20f1eae
--- /dev/null
+++ b/lp.c
@@ -0,0 +1,56 @@
+/*
+ * Part of DNS zone file validator `validns`.
+ *
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
+ * Modified BSD license.
+ * (See LICENSE file in the distribution.)
+ *
+ */
+#include <sys/types.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "common.h"
+#include "textparse.h"
+#include "mempool.h"
+#include "carp.h"
+#include "rr.h"
+
+static struct rr *lp_parse(char *name, long ttl, int type, char *s)
+{
+ struct rr_lp *rr = getmem(sizeof(*rr));
+ int preference;
+
+ rr->preference = preference = extract_integer(&s, "LP preference");
+ if (preference < 0)
+ return NULL;
+ rr->fqdn = extract_name(&s, "LP fqdn", 0);
+ if (!rr->fqdn)
+ return NULL;
+
+ if (*s) {
+ return bitch("garbage after valid LP data");
+ }
+
+ return store_record(type, name, ttl, rr);
+}
+
+static char* lp_human(struct rr *rrv)
+{
+ RRCAST(lp);
+ char s[1024];
+
+ snprintf(s, 1024, "%d %s",
+ rr->preference, rr->fqdn);
+ return quickstrdup_temp(s);
+}
+
+static struct binary_data lp_wirerdata(struct rr *rrv)
+{
+ RRCAST(lp);
+ return compose_binary_data("2d", 1,
+ rr->preference, name2wire_name(rr->fqdn));
+}
+
+struct rr_methods lp_methods = { lp_parse, lp_human, lp_wirerdata, NULL, NULL };
diff --git a/main.c b/main.c
index 98d8ce3..80005b1 100644
--- a/main.c
+++ b/main.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -41,7 +41,7 @@ static char *process_directive(char *s)
return bitch("bad $ORIGIN format");
}
s = skip_white_space(s);
- o = extract_name(&s, "$ORIGIN value");
+ o = extract_name(&s, "$ORIGIN value", 0);
if (!o) {
return NULL;
}
@@ -112,7 +112,7 @@ read_zone_file(void)
continue;
} else {
/* <domain-name> */
- name = extract_name(&s, "record name");
+ name = extract_name(&s, "record name", 0);
if (!name)
continue;
}
@@ -270,21 +270,25 @@ static void initialize_globals(void)
for (i = 0; i <= T_MAX; i++) {
rr_methods[i] = unknown_methods;
}
- rr_methods[T_A] = a_methods;
rr_methods[T_AAAA] = aaaa_methods;
+ rr_methods[T_A] = a_methods;
rr_methods[T_CERT] = cert_methods;
rr_methods[T_CNAME] = cname_methods;
rr_methods[T_DNAME] = dname_methods;
rr_methods[T_DNSKEY] = dnskey_methods;
rr_methods[T_DS] = ds_methods;
rr_methods[T_HINFO] = hinfo_methods;
+ rr_methods[T_L32] = l32_methods;
+ rr_methods[T_L64] = l64_methods;
rr_methods[T_LOC] = loc_methods;
+ rr_methods[T_LP] = lp_methods;
rr_methods[T_MX] = mx_methods;
rr_methods[T_NAPTR] = naptr_methods;
- rr_methods[T_NS] = ns_methods;
- rr_methods[T_NSEC] = nsec_methods;
- rr_methods[T_NSEC3] = nsec3_methods;
+ rr_methods[T_NID] = nid_methods;
rr_methods[T_NSEC3PARAM] = nsec3param_methods;
+ rr_methods[T_NSEC3] = nsec3_methods;
+ rr_methods[T_NSEC] = nsec_methods;
+ rr_methods[T_NS] = ns_methods;
rr_methods[T_PTR] = ptr_methods;
rr_methods[T_RP] = rp_methods;
rr_methods[T_RRSIG] = rrsig_methods;
@@ -292,6 +296,7 @@ static void initialize_globals(void)
rr_methods[T_SPF] = spf_methods;
rr_methods[T_SRV] = srv_methods;
rr_methods[T_SSHFP] = sshfp_methods;
+ rr_methods[T_TLSA] = tlsa_methods;
rr_methods[T_TXT] = txt_methods;
}
@@ -341,6 +346,8 @@ main(int argc, char **argv)
G.opt.policy_checks[POLICY_NS_ALIAS] = 1;
} else if (strcmp(optarg, "rp-txt-exists") == 0) {
G.opt.policy_checks[POLICY_RP_TXT_EXISTS] = 1;
+ } else if (strcmp(optarg, "tlsa-host") == 0) {
+ G.opt.policy_checks[POLICY_TLSA_HOST] = 1;
} else {
usage("unknown policy name");
}
diff --git a/mempool.c b/mempool.c
index 6e8ff96..2fbb6d0 100644
--- a/mempool.c
+++ b/mempool.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/mempool.h b/mempool.h
index bd653e9..c887aac 100644
--- a/mempool.h
+++ b/mempool.h
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/mx.c b/mx.c
index 6f89581..70f4b12 100644
--- a/mx.c
+++ b/mx.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -25,7 +25,7 @@ static struct rr *mx_parse(char *name, long ttl, int type, char *s)
if (rr->preference < 0)
return NULL;
/* XXX preference range check */
- rr->exchange = extract_name(&s, "MX exchange");
+ rr->exchange = extract_name(&s, "MX exchange", 0);
if (!rr->exchange)
return NULL;
if (*s) {
diff --git a/naptr.c b/naptr.c
index 457d549..4534ded 100644
--- a/naptr.c
+++ b/naptr.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -58,7 +58,7 @@ static struct rr *naptr_parse(char *name, long ttl, int type, char *s)
return NULL;
rr->regexp = text;
- rr->replacement = extract_name(&s, "replacement");
+ rr->replacement = extract_name(&s, "replacement", 0);
if (!rr->replacement)
return NULL;
diff --git a/nid.c b/nid.c
new file mode 100644
index 0000000..3cc8c41
--- /dev/null
+++ b/nid.c
@@ -0,0 +1,58 @@
+/*
+ * Part of DNS zone file validator `validns`.
+ *
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
+ * Modified BSD license.
+ * (See LICENSE file in the distribution.)
+ *
+ */
+#include <sys/types.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "common.h"
+#include "textparse.h"
+#include "mempool.h"
+#include "carp.h"
+#include "rr.h"
+
+static struct rr *nid_parse(char *name, long ttl, int type, char *s)
+{
+ struct rr_nid *rr = getmem(sizeof(*rr));
+ int preference;
+
+ rr->preference = preference = extract_integer(&s, "NID preference");
+ if (preference < 0)
+ return NULL;
+ if (extract_u64(&s, "NodeID", &rr->node_id) < 0)
+ return NULL;
+
+ if (*s) {
+ return bitch("garbage after valid NID data");
+ }
+
+ return store_record(type, name, ttl, rr);
+}
+
+static char* nid_human(struct rr *rrv)
+{
+ RRCAST(nid);
+ char s[1024];
+
+ snprintf(s, 1024, "%d %x:%x:%x:%x",
+ rr->preference,
+ (unsigned)(rr->node_id >> 48) & 0xffff,
+ (unsigned)(rr->node_id >> 32) & 0xffff,
+ (unsigned)(rr->node_id >> 16) & 0xffff,
+ (unsigned)(rr->node_id >> 0) & 0xffff);
+ return quickstrdup_temp(s);
+}
+
+static struct binary_data nid_wirerdata(struct rr *rrv)
+{
+ RRCAST(nid);
+ return compose_binary_data("28", 1, rr->preference, rr->node_id);
+}
+
+struct rr_methods nid_methods = { nid_parse, nid_human, nid_wirerdata, NULL, NULL };
diff --git a/ns.c b/ns.c
index 3f486db..e920eae 100644
--- a/ns.c
+++ b/ns.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -22,7 +22,7 @@ static struct rr *ns_parse(char *name, long ttl, int type, char *s)
struct rr_ns *rr = getmem(sizeof(*rr));
struct rr *ret_rr;
- rr->nsdname = extract_name(&s, "name server domain name");
+ rr->nsdname = extract_name(&s, "name server domain name", 0);
if (!rr->nsdname)
return NULL;
if (*s) {
diff --git a/nsec.c b/nsec.c
index 789b29d..d76b6ad 100644
--- a/nsec.c
+++ b/nsec.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -25,7 +25,7 @@ static struct rr* nsec_parse(char *name, long ttl, int type, char *s)
char *str_type = NULL;
int ltype;
- rr->next_domain = extract_name(&s, "next domain");
+ rr->next_domain = extract_name(&s, "next domain", KEEP_CAPITALIZATION);
/* TODO: validate next_domain, http://tools.ietf.org/html/rfc4034#section-4.1.1 */
bitmap = new_set();
@@ -33,6 +33,8 @@ static struct rr* nsec_parse(char *name, long ttl, int type, char *s)
str_type = extract_label(&s, "type list", "temporary");
if (!str_type) return NULL;
ltype = str2rdtype(str_type);
+ if (ltype < 0)
+ return NULL;
add_bit_to_set(&bitmap, ltype);
}
if (!s)
diff --git a/nsec3.c b/nsec3.c
index c390cdc..a7b8acb 100644
--- a/nsec3.c
+++ b/nsec3.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -86,6 +86,8 @@ static struct rr* nsec3_parse(char *name, long ttl, int type, char *s)
str_type = extract_label(&s, "type list", "temporary");
if (!str_type) return NULL;
ltype = str2rdtype(str_type);
+ if (ltype < 0)
+ return NULL;
add_bit_to_set(&bitmap, ltype);
}
if (!s)
diff --git a/nsec3checks.c b/nsec3checks.c
index e9d157b..ef54ab2 100644
--- a/nsec3checks.c
+++ b/nsec3checks.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -91,6 +91,7 @@ void perform_remaining_nsec3checks(void)
while (named_rr_p) {
named_rr = *named_rr_p;
if ((named_rr->flags & mask) == NAME_FLAG_KIDS_WITH_RECORDS) {
+//fprintf(stderr, "--- need nsec3, kids with records: %s\n", named_rr->name);
needs_nsec3:
freeall_temp();
hash = name2hash(named_rr->name, nsec3param);
@@ -119,10 +120,24 @@ needs_nsec3:
(NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_SIGNED_DELEGATION)) ==
NAME_FLAG_SIGNED_DELEGATION)
{
+//fprintf(stderr, "--- need nsec3, signed delegation: %s\n", named_rr->name);
goto needs_nsec3;
- } else if (!G.nsec3_opt_out_present && (named_rr->flags & NAME_FLAG_DELEGATION))
+ } else if (!G.nsec3_opt_out_present && (named_rr->flags &
+ (NAME_FLAG_APEX_PARENT|NAME_FLAG_NOT_AUTHORITATIVE|NAME_FLAG_DELEGATION|NAME_FLAG_HAS_RECORDS)) ==
+ 0)
{
+//fprintf(stderr, "--- need nsec3, empty non-term: %s\n", named_rr->name);
goto needs_nsec3;
+ } else if (!G.nsec3_opt_out_present && (named_rr->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE))==NAME_FLAG_DELEGATION)
+ {
+//fprintf(stderr, "--- need nsec3, no opt-out: %s\n", named_rr->name);
+ goto needs_nsec3;
+ } else if (!G.nsec3_opt_out_present && (named_rr->flags & (NAME_FLAG_THIS_WITH_RECORDS|NAME_FLAG_NOT_AUTHORITATIVE)) == NAME_FLAG_THIS_WITH_RECORDS)
+ {
+//fprintf(stderr, "--- need nsec3, this with records: %s\n", named_rr->name);
+ goto needs_nsec3;
+ } else {
+//fprintf(stderr, "--- NO need for nsec3: %s\n", named_rr->name);
}
next:
JSLN(named_rr_p, zone_data, sorted_name);
diff --git a/nsec3param.c b/nsec3param.c
index 3c24162..539ef80 100644
--- a/nsec3param.c
+++ b/nsec3param.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/ptr.c b/ptr.c
index 8cf1c96..8164ef2 100644
--- a/ptr.c
+++ b/ptr.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -21,7 +21,7 @@ static struct rr *ptr_parse(char *name, long ttl, int type, char *s)
{
struct rr_ptr *rr = getmem(sizeof(*rr));
- rr->ptrdname = extract_name(&s, "name server domain name");
+ rr->ptrdname = extract_name(&s, "name server domain name", 0);
if (!rr->ptrdname)
return NULL;
if (*s) {
diff --git a/rp.c b/rp.c
index 6c2a5fd..9f77c49 100644
--- a/rp.c
+++ b/rp.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -22,11 +22,11 @@ static struct rr *rp_parse(char *name, long ttl, int type, char *s)
{
struct rr_rp *rr = getmem(sizeof(*rr));
- rr->mbox_dname = extract_name(&s, "mbox domain name");
+ rr->mbox_dname = extract_name(&s, "mbox domain name", 0);
if (!rr->mbox_dname)
return NULL;
- rr->txt_dname = extract_name(&s, "txt domain name");
+ rr->txt_dname = extract_name(&s, "txt domain name", 0);
if (!rr->txt_dname)
return NULL;
diff --git a/rr.c b/rr.c
index 9ab475f..f47328d 100644
--- a/rr.c
+++ b/rr.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -71,12 +71,19 @@ static char* rdtype2str_map[T_MAX+1] = {
"DHCID",
"NSEC3", /* 50 */
"NSEC3PARAM",
- 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 60 */
+ "TLSA",
+ 0, 0, 0, 0, 0, 0, 0, 0, /* 60 */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 70 */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 80 */
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 90 */
0, 0, 0, 0, 0, 0, 0, 0,
- "SPF"
+ "SPF",
+ 0, /* 100 */
+ 0, 0, 0,
+ "NID",
+ "L32",
+ "L64",
+ "LP",
};
void *zone_data = NULL;
char *zone_apex = NULL;
@@ -474,6 +481,12 @@ int str2rdtype(char *rdtype)
case 'l':
if (strcmp(rdtype, "loc") == 0) {
return T_LOC;
+ } else if (strcmp(rdtype, "l32") == 0) {
+ return T_L32;
+ } else if (strcmp(rdtype, "l64") == 0) {
+ return T_L64;
+ } else if (strcmp(rdtype, "lp") == 0) {
+ return T_LP;
}
break;
case 'm':
@@ -490,6 +503,8 @@ int str2rdtype(char *rdtype)
return T_NSEC;
} else if (strcmp(rdtype, "nsec3") == 0) {
return T_NSEC3;
+ } else if (strcmp(rdtype, "nid") == 0) {
+ return T_NID;
} else if (strcmp(rdtype, "nsec3param") == 0) {
return T_NSEC3PARAM;
}
@@ -520,6 +535,8 @@ int str2rdtype(char *rdtype)
case 't':
if (strcmp(rdtype, "txt") == 0) {
return T_TXT;
+ } else if (strcmp(rdtype, "tlsa") == 0) {
+ return T_TLSA;
} else if (strncmp(rdtype, "type", 4) == 0) {
long type = strtol(rdtype+4, NULL, 10);
if (type <= 0 || type > 65535)
@@ -560,12 +577,43 @@ void validate_rrset(struct rr_set *rr_set)
}
}
+void debug(struct named_rr *named_rr, char *s)
+{
+ fprintf(stderr, "%s %s", s, named_rr->name);
+ if ((named_rr->flags & NAME_FLAG_APEX))
+ fprintf(stderr, ", apex");
+ if ((named_rr->flags & NAME_FLAG_HAS_RECORDS))
+ fprintf(stderr, ", has records");
+ if ((named_rr->flags & NAME_FLAG_DELEGATION))
+ fprintf(stderr, ", delegation");
+ if ((named_rr->flags & NAME_FLAG_NOT_AUTHORITATIVE))
+ fprintf(stderr, ", not auth");
+ if ((named_rr->flags & NAME_FLAG_NSEC3_ONLY))
+ fprintf(stderr, ", nsec3 only");
+ if ((named_rr->flags & NAME_FLAG_KIDS_WITH_RECORDS))
+ fprintf(stderr, ", kid records");
+ if ((named_rr->flags & NAME_FLAG_SIGNED_DELEGATION))
+ fprintf(stderr, ", signed delegation");
+ if ((named_rr->flags & NAME_FLAG_APEX_PARENT))
+ fprintf(stderr, ", apex parent");
+ fprintf(stderr, "\n");
+}
+
void validate_named_rr(struct named_rr *named_rr)
{
Word_t rdtype;
struct rr_set **rr_set_p;
int nsec3_present = 0;
int nsec3_only = 1;
+ static int seen_apex = 0;
+
+ rdtype = 0;
+ JLF(rr_set_p, named_rr->rr_sets, rdtype);
+
+ if ((named_rr->flags & NAME_FLAG_APEX))
+ seen_apex = 1;
+ if (!seen_apex)
+ named_rr->flags |= NAME_FLAG_APEX_PARENT;
if (named_rr->parent && (named_rr->parent->flags & (NAME_FLAG_DELEGATION|NAME_FLAG_NOT_AUTHORITATIVE)) != 0) {
named_rr->flags |= NAME_FLAG_NOT_AUTHORITATIVE;
@@ -573,24 +621,30 @@ void validate_named_rr(struct named_rr *named_rr)
G.stats.not_authoritative++;
}
}
- rdtype = 0;
- JLF(rr_set_p, named_rr->rr_sets, rdtype);
+//debug(named_rr, ">>>>");
+
while (rr_set_p) {
validate_rrset(*rr_set_p);
if (rdtype == T_NSEC3)
nsec3_present = 1;
else if (rdtype != T_RRSIG)
nsec3_only = 0;
+ if (rdtype != T_NSEC3 && rdtype != T_RRSIG && rdtype != T_NS)
+ named_rr->flags |= NAME_FLAG_THIS_WITH_RECORDS;
if ((named_rr->flags & NAME_FLAG_NOT_AUTHORITATIVE) == 0 &&
rdtype != T_NS && rdtype != T_NSEC3 && rdtype != T_RRSIG)
{
struct named_rr *nrr = named_rr;
+ int skip_first = rdtype == T_NS;
+
while (nrr && (nrr->flags & NAME_FLAG_KIDS_WITH_RECORDS) == 0) {
if ((nrr->flags & NAME_FLAG_APEX_PARENT) || strlen(nrr->name) < zone_apex_l) {
nrr->flags |= NAME_FLAG_APEX_PARENT;
break;
}
- nrr->flags |= NAME_FLAG_KIDS_WITH_RECORDS;
+ if (!skip_first)
+ nrr->flags |= NAME_FLAG_KIDS_WITH_RECORDS;
+ skip_first = 0;
nrr = nrr->parent;
}
}
@@ -607,6 +661,7 @@ void validate_named_rr(struct named_rr *named_rr)
if (nsec3_present && nsec3_only) {
named_rr->flags |= NAME_FLAG_NSEC3_ONLY;
}
+//debug(named_rr, "<<<<");
}
@@ -633,7 +688,7 @@ static void* nsec_validate_pass2(struct rr *rrv)
break;
}
- if (strcmp(rr->next_domain, zone_apex) == 0) {
+ if (strcasecmp(rr->next_domain, zone_apex) == 0) {
if (next_named_rr) {
return moan(rr->rr.file_name, rr->rr.line, "NSEC says %s is the last name, but %s exists",
named_rr->name, next_named_rr->name);
@@ -642,7 +697,7 @@ static void* nsec_validate_pass2(struct rr *rrv)
if (!next_named_rr) {
return moan(rr->rr.file_name, rr->rr.line, "NSEC says %s comes after %s, but nothing does",
rr->next_domain, named_rr->name);
- } else if (strcmp(rr->next_domain, next_named_rr->name) != 0) {
+ } else if (strcasecmp(rr->next_domain, next_named_rr->name) != 0) {
return moan(rr->rr.file_name, rr->rr.line, "NSEC says %s comes after %s, but %s does",
rr->next_domain, named_rr->name, next_named_rr->name);
}
diff --git a/rr.h b/rr.h
index 35abd6d..7685eff 100644
--- a/rr.h
+++ b/rr.h
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -31,8 +31,13 @@
#define T_DNSKEY 48
#define T_NSEC3 50
#define T_NSEC3PARAM 51
+#define T_TLSA 52
#define T_SPF 99
-#define T_MAX 99
+#define T_NID 104
+#define T_L32 105
+#define T_L64 106
+#define T_LP 107
+#define T_MAX 107
#define ALG_DSA 3
#define ALG_RSASHA1 5
@@ -96,14 +101,15 @@ struct binary_data name2wire_name(char *s);
int algorithm_type(int alg);
int extract_algorithm(char **s, char *what);
-#define NAME_FLAG_APEX 1
-#define NAME_FLAG_HAS_RECORDS 2
-#define NAME_FLAG_DELEGATION 4
-#define NAME_FLAG_NOT_AUTHORITATIVE 8
-#define NAME_FLAG_NSEC3_ONLY 16
-#define NAME_FLAG_KIDS_WITH_RECORDS 32
-#define NAME_FLAG_SIGNED_DELEGATION 64
+#define NAME_FLAG_APEX 1
+#define NAME_FLAG_HAS_RECORDS 2
+#define NAME_FLAG_DELEGATION 4
+#define NAME_FLAG_NOT_AUTHORITATIVE 8
+#define NAME_FLAG_NSEC3_ONLY 16
+#define NAME_FLAG_KIDS_WITH_RECORDS 32
+#define NAME_FLAG_SIGNED_DELEGATION 64
#define NAME_FLAG_APEX_PARENT 128
+#define NAME_FLAG_THIS_WITH_RECORDS 256
struct named_rr
{
@@ -171,11 +177,53 @@ extern struct rr_methods ns_methods;
struct rr_txt
{
struct rr rr;
- int count;
+ int count;
struct binary_data txt[1];
};
extern struct rr_methods txt_methods;
+struct rr_tlsa
+{
+ struct rr rr;
+ uint8_t cert_usage;
+ uint8_t selector;
+ uint8_t matching_type;
+ struct binary_data association_data;
+};
+extern struct rr_methods tlsa_methods;
+
+struct rr_nid
+{
+ struct rr rr;
+ uint16_t preference;
+ uint64_t node_id;
+};
+extern struct rr_methods nid_methods;
+
+struct rr_l32
+{
+ struct rr rr;
+ uint16_t preference;
+ uint32_t locator32;
+};
+extern struct rr_methods l32_methods;
+
+struct rr_l64
+{
+ struct rr rr;
+ uint16_t preference;
+ uint64_t locator64;
+};
+extern struct rr_methods l64_methods;
+
+struct rr_lp
+{
+ struct rr rr;
+ uint16_t preference;
+ char *fqdn;
+};
+extern struct rr_methods lp_methods;
+
struct rr_naptr
{
struct rr rr;
diff --git a/rrsig.c b/rrsig.c
index 8e7930a..81befa6 100644
--- a/rrsig.c
+++ b/rrsig.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -84,7 +84,7 @@ static struct rr* rrsig_parse(char *name, long ttl, int type, char *s)
if (key_tag < 0) return NULL;
rr->key_tag = key_tag;
- rr->signer = extract_name(&s, "signer name");
+ rr->signer = extract_name(&s, "signer name", 0);
if (!rr->signer) return NULL;
/* TODO validate signer name, http://tools.ietf.org/html/rfc4034#section-3.1.7 */
diff --git a/soa.c b/soa.c
index 1bc9a42..9e70a09 100644
--- a/soa.c
+++ b/soa.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -22,9 +22,9 @@ static struct rr* soa_parse(char *name, long ttl, int type, char *s)
struct rr_soa *rr = getmem(sizeof(*rr));
long long i;
- rr->mname = extract_name(&s, "mname");
+ rr->mname = extract_name(&s, "mname", 0);
if (!rr->mname) return NULL;
- rr->rname = extract_name(&s, "rname");
+ rr->rname = extract_name(&s, "rname", 0);
if (!rr->rname) return NULL;
i = extract_integer(&s, "serial");
if (i < 0) return NULL;
diff --git a/spf.c b/spf.c
index efe76c5..5cb1c82 100644
--- a/spf.c
+++ b/spf.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/srv.c b/srv.c
index 4683003..e606354 100644
--- a/srv.c
+++ b/srv.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -45,7 +45,7 @@ static struct rr *srv_parse(char *name, long ttl, int type, char *s)
return bitch("port range is not valid");
rr->port = i;
- rr->target = extract_name(&s, "target");
+ rr->target = extract_name(&s, "target", 0);
if (!rr->target)
return NULL;
diff --git a/sshfp.c b/sshfp.c
index b10a5ff..ec9c03f 100644
--- a/sshfp.c
+++ b/sshfp.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -36,9 +36,9 @@ static struct rr* sshfp_parse(char *name, long ttl, int type, char *s)
rr->fingerprint = extract_hex_binary_data(&s, "fingerprint", EXTRACT_EAT_WHITESPACE);
if (rr->fingerprint.length < 0) return NULL;
- if (rr->fingerprint.length != 20) {
+ if (rr->fingerprint.length != SHA1_BYTES) {
return bitch("wrong SHA-1 fingerprint length: %d bytes found, %d bytes expected",
- rr->fingerprint.length, 20);
+ rr->fingerprint.length, SHA1_BYTES);
}
if (*s) {
diff --git a/t/issues/21-nsec3-without-corresponding/Kexample.sec.+008+48381.key b/t/issues/21-nsec3-without-corresponding/Kexample.sec.+008+48381.key
new file mode 100644
index 0000000..e9cd610
--- /dev/null
+++ b/t/issues/21-nsec3-without-corresponding/Kexample.sec.+008+48381.key
@@ -0,0 +1 @@
+example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8=
diff --git a/t/issues/21-nsec3-without-corresponding/Kexample.sec.+008+48381.private b/t/issues/21-nsec3-without-corresponding/Kexample.sec.+008+48381.private
new file mode 100644
index 0000000..5beec83
--- /dev/null
+++ b/t/issues/21-nsec3-without-corresponding/Kexample.sec.+008+48381.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw==
+PublicExponent: AQAB
+PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q==
+Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk=
+Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c=
+Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk=
+Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU=
+Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q=
diff --git a/t/issues/21-nsec3-without-corresponding/dsset-example.sec. b/t/issues/21-nsec3-without-corresponding/dsset-example.sec.
new file mode 100644
index 0000000..b4019ef
--- /dev/null
+++ b/t/issues/21-nsec3-without-corresponding/dsset-example.sec.
@@ -0,0 +1,2 @@
+example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA
+example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93
diff --git a/t/issues/21-nsec3-without-corresponding/example.sec b/t/issues/21-nsec3-without-corresponding/example.sec
new file mode 100644
index 0000000..352b4e6
--- /dev/null
+++ b/t/issues/21-nsec3-without-corresponding/example.sec
@@ -0,0 +1,17 @@
+$TTL 1d
+$INCLUDE Kexample.sec.+008+48381.key
+@ IN SOA ns.example.sec. hostmaster.example.sec. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+
+ IN NS ns1.example.net.
+1.1.1.1.1.1.1.1.1.1.33 IN NS ns1.example.net.
+
+6.5.4.3.2.33 IN NS ns1.example.net.
+9.8.7.6.5.4.3.2.33 IN NS ns1.example.net.
+
+
+bebe.meme IN A 1.2.3.4
diff --git a/t/issues/21-nsec3-without-corresponding/example.sec.signed b/t/issues/21-nsec3-without-corresponding/example.sec.signed
new file mode 100644
index 0000000..c574155
--- /dev/null
+++ b/t/issues/21-nsec3-without-corresponding/example.sec.signed
@@ -0,0 +1,334 @@
+; File written on Fri Aug 24 16:33:53 2012
+; dnssec_signzone version 9.8.3
+example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. (
+ 1 ; serial
+ 604800 ; refresh (1 week)
+ 86400 ; retry (1 day)
+ 2419200 ; expire (4 weeks)
+ 604800 ; minimum (1 week)
+ )
+ 86400 RRSIG SOA 8 2 86400 20120923133353 (
+ 20120824133353 48381 example.sec.
+ QySkSzvLPglLtsg976XY0GAdDCzZY9IEiVrn
+ PAsFloXokhd3sYDi+/Wg+XNNPasoqvUv75c9
+ JYbXyV9ZF0axe7TVvCmynNi2fn5xvfU3MbiX
+ bQqkoJq708xLtxkDjkKj4wo7aLfNXqItdvlG
+ 8MBNI7lUMd9V1EAp1+sKz4oCbAm67dUZsJTs
+ NNQewA2NTkZG8SLU12ueBoEm3SFIkDaGf3pr
+ BqFKnKo7Dpi5quPydRyZv23lDkAFv86eMBky
+ 7Ftz5JSnTrxQ96J5idVzc+8V2VJJLCMps/Lg
+ 0f8EWXU13oy8hVNHgsbMkMgwuhK0TpoAQ3Xu
+ 12I+iB9gXmOB7S1TWw== )
+ 86400 NS ns1.example.net.
+ 86400 RRSIG NS 8 2 86400 20120923133353 (
+ 20120824133353 48381 example.sec.
+ jq61ICTW2ofwSICLNMF5DiPO1wH6Y8t/oDO6
+ 5Rz07pV02fSbEZXHpap4MLne0ikOqKPtFhsP
+ qdircIdp9SccoXq1biKu+6yw0sGRwbR82Foq
+ 4LIgz9yoSr0W2bUICSaa7SZDtnqpTj9tyVVx
+ 9hFWM1DemqyU9k6wi3Qtvqyge9NRH2IbQstr
+ Z6IhlpKlxeNR9P+H0aoYEoqfYIb8rSlv9KFq
+ wB6HeBCgBl0rJ/EpHQI9P9SZzgvgVjzAgWzb
+ yXCmwkDUoFNDaIt+6rbWIWxTO3NETVOPcCRh
+ fWFJpahmKqy+7sQOdXYtOkUp4T48bMttktMN
+ jGx0TDN6hDUWPOGKrA== )
+ 86400 DNSKEY 256 3 8 (
+ AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27
+ 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe
+ avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90
+ yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB
+ dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m
+ fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB
+ /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3
+ PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/
+ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01
+ u8SJYP6ULwx0mZ0p5BmoMH8=
+ ) ; key id = 48381
+ 86400 RRSIG DNSKEY 8 2 86400 20120923133353 (
+ 20120824133353 48381 example.sec.
+ CxJvtfEuhQr694uCQg6fyz2sAg+TqH242DnL
+ BSidvv9GzKZdHiZs+iFfcrGC4nJ3pTeWMv5/
+ zp2AXXkpJeCdW5Gy1xy9aexDRJuUMaFzE4xN
+ v/QTdDzBWJBujDNM1C/HstntlQvOGLLTFGsY
+ JCfVguYs0qqSPNd9fbDs7/edhMDe3f6v68+O
+ UISrEgfy2PJpGeg5idX+63G4GE0OOa08dwUw
+ LJQAGpobUjk3TjSh08jllQ21iQIdUV1pxfrC
+ qBu2HH8ZMlSpk4ZoTsDKCNGy5VMQcRxtOOa6
+ 9kTcmhNakfxnK+24Wu+xjqmmIWBPKxtmhYfw
+ IlzGSu2uuGd7PvwovA== )
+ 0 NSEC3PARAM 1 0 1 94CD
+ 0 RRSIG NSEC3PARAM 8 2 0 20120923133353 (
+ 20120824133353 48381 example.sec.
+ N5gosx8Suslg27+3wPYAP8gXeH91Wc4ebH5H
+ mZMkEL5b0ODgSvVgPhwTRRE1/SJGzXGWXSpW
+ VopGKMh6SLBNAmfi6gsRtIfPutJA6hmqRtqK
+ JiKEi6Sy3gRLKPJC1Hd/v8K2rslSoCFFsive
+ w5cZBonS85f7n+BA9VglfQmPqux2/LvykcGS
+ /tVGz5zZXWRdPPapj5e+TKrBfVglmcaIL9uk
+ c4uMHtSkdwlKrXV2SCPK6H9meYIsEg8SvIXN
+ Kx2Wfo3hvD9XINYRKwsN6FGFYrOvHpdJI/Mz
+ QUZ70+nUQU4sbV3Y4yoHhI9Y8Dn8khdCqjCg
+ ynbFt1GVrA0QobO9WQ== )
+9.8.7.6.5.4.3.2.33.example.sec. 86400 IN NS ns1.example.net.
+1.1.1.1.1.1.1.1.1.1.33.example.sec. 86400 IN NS ns1.example.net.
+6.5.4.3.2.33.example.sec. 86400 IN NS ns1.example.net.
+0A8475SNU6T5P84AMC4I7KAEAMKCMIAF.example.sec. 604800 IN NSEC3 1 0 1 94CD 1F02V227102AEBUICGPQNPFSMSQ56UNC
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ mipK0k5i2YVpsDosay3tcOBgvykaBn9gaDJN
+ /otEJTXurcfGkRria5C3AsTrq68PIhM9Ct5v
+ bJxgaz0ab1hBHhDe8AZNVzrqrYWmmSgpNrBk
+ VJTx3YnYUuO25MYEEh00/1/JYyHwaGdtjkoD
+ KAwAUt7NqlLZjEHWlZUap+2sxeq1T6l6owDu
+ xt/FNpb8QdUXYK5lsaqCWbNTHWQ3F8n49h1Y
+ ve+m5NtbFL8+7qxrBRSC68eBTPrQfsAym4oB
+ yU05KTFLgHgI7CrexI1dyx+mb19LA0IVKGas
+ bo8lD20VQdiGuEflZj04rihXmJYGU/rNrV4r
+ BhyABAvc26GMfGIa1w== )
+4H7F6LT6O2L8EJJEK17S0MPTF3G1GMS3.example.sec. 604800 IN NSEC3 1 0 1 94CD 6MMR4M238C6KQ7OL4J0HD33VSF2RBFE6
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ lX7thD4OK1v7YDU4waKvTR/YZN0c/jpLcZRh
+ vEw/wVY6o2ZjC4DPmFlhHNDGcNil1Dtwxxnq
+ iO4T6iNZOWWnnGy3WprLlO9hN6eZvC3c0jio
+ uDynQyHytpwNIUtLSiHEqhNZUUt2f4BK0C6o
+ oMFepT/+dKBuyK+FWWkjVswrhmPbpTvnKUOh
+ ob2ONOh1UcOhjtTjl8kr51DnDe6/xOACCi4L
+ a8UvTLRROvWUoQt4U7A8n4svrc7oYTh+lIfb
+ I/6NYX6loVa9g1hiipx+Kn7VkcGGSTWP5lFv
+ jx3nl9QyrqZYUMeCyF4FgYv2R029bxRJM4xN
+ e03+Kwof3LuK6RiRhg== )
+ANUH4A3TCIVO884LMD5SA3S1563VKCOG.example.sec. 604800 IN NSEC3 1 0 1 94CD B23STANUG8J6J7Q86S978IDEOHR9SKOK NS SOA RRSIG DNSKEY NSEC3PARAM
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ z8HofxVlX+519QE5aW0uywdOA6O+YP8y5Yr5
+ wJlyyLefw5Fti0dmU7qGzR5NoOxTfyH+lJDb
+ 7IPB5DaA4OI3wA6XCHJ1CVrNZJ7kKOt35L0N
+ vR1cq89V0wISlfVSMa4Lh6qOvfjEFcpZOziQ
+ +G9s2hYdKQIxHEAmX35H+ZK3yDuWKgGvZCiP
+ wARqDipOzAbsgMUXUFT4/q1YhXENU44yxMGv
+ QoZWskJ5bfrHWvZY/PDPQX18JziMM5zkL+sJ
+ 32HtIl2Ji3bPboqbGKrfXg35v6LR2oNl56Bq
+ TTFFmGwUr0GOhJhtJOHxtxJ7gc6JBkn6MdG0
+ Rm41tHPCdsJqi2eYZA== )
+B48FHI6PGSEKSCPQHI53K69GG9QPT86F.example.sec. 604800 IN NSEC3 1 0 1 94CD BUA7DPQPLLPMOFP3570HUGOCO0PMK9TI
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ ByAqe7JjTyKwuudzVHqZTQCtJLT3NSlKVGvQ
+ EcpOVPr6f4VXHCpJ2U0uw1SgdzZgw/trIo0z
+ MWY0MU94NDPZ0jt0G4Bz9CXF+MJSOmXF/G8D
+ +DEvC0rdeAi3tMupIGMyAkkeL3hLiyo7FCBx
+ SsuqWu0FQ5Gd2PTYUXiSX3ZG9NlTtDgjHtPS
+ doAfO5ZtIJyLXUK6hWgEdNrfJOM/yDh7AS0y
+ L7oHhk7xoGz+6U2ZoiScEIZ/wg2Ry02fvRgl
+ CdkfQUAWctgpeBybCkImdlE18Ww3jPmknTcw
+ fFpIsMGvdHW/yh7YMPibf9brn+l53DC52wQF
+ hXENXf1Igy5KfMIgDQ== )
+B23STANUG8J6J7Q86S978IDEOHR9SKOK.example.sec. 604800 IN NSEC3 1 0 1 94CD B48FHI6PGSEKSCPQHI53K69GG9QPT86F
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ YpjhuKP/CxZi1+/xsnYlq3Hb6KmxjXu7NaZ7
+ wL2+m1f5ffB8cu+1VMdMjXd9rA87KM+nZmIH
+ ZgkM13BjscZYfZrD1QxTHZOpK98DsP0BVjab
+ V3YxS99SrpWIWbsSGSnGuVnTIFg4Rc2Q7UY0
+ cPz2aPbTSjaYtmE+b4DS5KtZpsQUOc/mlPU5
+ 1RiMkMOJqSnflQY922C43Xg/DaywBWaI18b1
+ gyL5wMyZ2OU+I1EVK1e/Hgp3xTU+VZFfH981
+ ooZvbHxTqvR2RPN/CiRmkb1j8OR8rtzQlAUq
+ zE/N2G225694CXjbhnuxtMQDnARZ+YY59efI
+ qRVe3R3RVwiIvnxubQ== )
+1F02V227102AEBUICGPQNPFSMSQ56UNC.example.sec. 604800 IN NSEC3 1 0 1 94CD 4H7F6LT6O2L8EJJEK17S0MPTF3G1GMS3
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ Sl0o9shH2wSZ11t342nNF8umWjmCc6aFTPab
+ mhRnFDzzG2d++Cx4dXMsasDtUVspKQheiowA
+ j6HZZSGYEQfmW8XFs5Hf4h0NVkQ83i3euXGl
+ S1zbM0DiaGbNueIPSEyUBOyR1zzaBjzyhf6P
+ axvora+y5Yb/UeiFQgvZY6JKBib9RHT61Dpk
+ 8C30CK+KpBRIAa3nu+oESqP+qe+UDF6Gia8t
+ Mn/8BMP+j070A38lrMFjfGmKq5QzMKP86Jnl
+ dG88wXSmUe1EzvUM7Y/djimPvGfSfIFl7J8t
+ rhQ3Cfs/Etu92HfQEqAhCg94BCv95RJXf9rj
+ 6P2IRl7fn7tz8DPtcg== )
+71FH7088MFQ3GHCT8F0NKT9PF3BT46CC.example.sec. 604800 IN NSEC3 1 0 1 94CD ANUH4A3TCIVO884LMD5SA3S1563VKCOG
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ bFgJbtvnx6+ICYygvHrxhuCgZxcgUFA24pQl
+ XwVUJqVgP+t8AfJ0GNURvoli4sxAa1ujJH/1
+ pdDrSTUSswqBClKM+n0C5Z1ZVEDdGLMsjxfH
+ hRcnUaup5dwC2gwvxUg7ZYxUjxeCiLOc2UEA
+ 7A/ASY/qwtMunGeXKFycY93k0F6udeFqnIFG
+ jqR2yAoi271PbTkj7osSIJZJGi5bGIGlKDpu
+ ht30LBfG243IlZeAm2nxg2vE9d4Nd+ZRlMJ0
+ 8H9vahBubbT0yfJiREnILL14i4FvST++5i1y
+ iaSRJPH2rMUp4oSsTvh8W07LjiytOG8IJkyY
+ T1A2UFL/DOBxD2O8nw== )
+IR5OEOOO61L2NLSFRK4OLKUJ6FEARD1Q.example.sec. 604800 IN NSEC3 1 0 1 94CD K9KP0QD9J3T0F3DH2LQPPB37CPPNP3PF
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ scrCa9zRBY4h4gHoe/esvDALkI7c6x6vXY4F
+ pA7AnTb+L5WCrfp6tXiINwQ1Uvv16Olut162
+ QHdAe7GW1XQGdbuJ8tzBtQ9YkS6DvArSYYjb
+ KiHMFND1dvy5UBc7BWJwM7ysLwdjEfiYkKBs
+ WIZ/bfE3MbT3qRou/Kv8WQa33ELlkZ7x6sEs
+ 5Era4soZ7SRzN4jba5r9TBwJoP9VQn7uNl2r
+ h0hFclD4grfUcMZRcun3voVoVmpY/72xStsc
+ r7btSUfDrzbcJP9W1WYcPDbsmyobY4QrYSCO
+ VUzBP17DjEzIMztg+u5R7FhClb9lZ6qhrikW
+ KtcOq3+nKs2JauRM4Q== )
+BUA7DPQPLLPMOFP3570HUGOCO0PMK9TI.example.sec. 604800 IN NSEC3 1 0 1 94CD DGRBPEHGU29PPOAAQS0TK0K8KJLI60CF NS
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ EveB6krVUhecm3eWRh55oiDuHOfceimuJSAy
+ 4KNd59B/+8FBB7U6KyaLm9YGZDP5d3wyP5Py
+ 4G8z6j7vdTGbLTFsHyOxHwU1MGEqZU4vIB7N
+ LX3P42CjD9FKFfTLS8ig0HJaxa/wYRMoxvxa
+ fIPZZxuC/NR6ULLr6t7YIWp+rktew0vXAaPP
+ tgmfEU9zAMqYsnKhyTttTT543btuXfHBg9th
+ csf9dEz+p/lq1WZbyTTR4hs7ZkRYLA6TCI9q
+ vxee5Hsfhjv2k1B7YA1AFCikAt3xqbxcuhir
+ KpW66JXjbrp5ZxONejbYb3SLdY3PpWg2Al2W
+ WHSV6e0cVZ47QsIFzw== )
+K9KP0QD9J3T0F3DH2LQPPB37CPPNP3PF.example.sec. 604800 IN NSEC3 1 0 1 94CD MQAMDNGOIK8QUBPB4GDEG0EVOK91DQJ6
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ UFg9mb+GA3lmzuN/bJUdHf1o65i729zK0NUZ
+ wQGscZD8q6vY+cPuaCGZxPBdIe0Jaf2XXzjp
+ rJVyLwbdYVIR4IuoUZJLQbCfGOrBxp5BHTf8
+ ybft2+7foWAAQc8GNvhYKkmEpHdyfUWLrj8x
+ Z4U+NP1fdBvO43TN0upQyeYTNa6E4umgQtYa
+ zkMXeeQWf4+vf0Ue14rCEtCOFN2BDksL4mJF
+ c93c1MfRMkTYX/2L7dtAfDgwcywdU+ndqXJv
+ XC60MFEJfj/7oHO3LUQd1XdkNqg4gnyx6TgN
+ zBcUXgN40FUZzRTHf5sXikmhm1Jm5Akaaune
+ NB0mJ4DVzw8XLdDy2A== )
+MQAMDNGOIK8QUBPB4GDEG0EVOK91DQJ6.example.sec. 604800 IN NSEC3 1 0 1 94CD PFQHTQGF3T3O7NQ37E7APPJS4E7G6FQI
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ aREhBMyCg3PaF9cbN2jS8Imj3GrfwrM2C3gU
+ zVcJqD1SxPOGwr0UQq+IJxp2jf/4gKyGIU1V
+ TQ2jFkdNLuF4tHtu4OQCAYwG7ngtawm/bT5J
+ R7ecSVRQOmowEZa9/VbF8qN8EuTmB7L9wB2W
+ 2Efj6moE/Yt0SLJ5UIbRoKN5mJZaxjzWOif5
+ F+xE7yi2JVOve4mbAkxV/cqYInksWedvrKZt
+ SMBkIYbritHml3EHhI4MkDzAyDhw6rgY6P8I
+ tWCgVZf/8NSTW8J89hon9y4Z5CZuQHZigdkx
+ DVmcd6tsNyPlTP8HT4D+z5SaSD1GFKONjk5Z
+ vYu3LXMlw2OT+8UsXA== )
+6MMR4M238C6KQ7OL4J0HD33VSF2RBFE6.example.sec. 604800 IN NSEC3 1 0 1 94CD 71FH7088MFQ3GHCT8F0NKT9PF3BT46CC NS
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ gH3QQQEbhWs3lNZn7yL+BMg8jOeILxZCMW4e
+ 0iOBAfWpMxyxgvv9Jy3X9SQxui3zso6CfaoU
+ av6bMupDNYvGsRb2e9I9K3KQKv48wI8Z7UN+
+ /z1RqXy7izL4MX7Df4EYnKvhi0eLGI4hBJLq
+ my2AR4wswQiPG1tnBDa7lbx+o85GtHlX62lO
+ MD8lS5CvkSxDMBb5bChR5DYl8NChdtaSMxRD
+ yH7DZ6CI6t7ICUTKQs2aV8S6OTHmUQvDyA3U
+ KThFvxPdSv9Cf+FAQzN9kwNSGC4gxjJYQtjA
+ XjEIc+2ZPtOYI8+YJpAlNtR0kcy9TO5M9ioZ
+ tEvquxTTQooWNuxdTQ== )
+DGRBPEHGU29PPOAAQS0TK0K8KJLI60CF.example.sec. 604800 IN NSEC3 1 0 1 94CD E7Q5FM6A5MAMV8HQ7O6A8F5RIF1VJGMO
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ xH7j5GQt3bah8ezTmXZ7/LsWLHw2PDCrmBtA
+ bEuqpKS/O7HvwVkQ1tQp1xznzpifDye2TqKH
+ tnEY6sWJ+hbByDrP87j5oP6ZuRTnzCtwUU6c
+ qqfEUV0JrAptkx+kxC4kLGjdB1OvaAiXvRg0
+ fhBaY458MLwQh7AxFsqv9Jd4KtJeVtm7PcWK
+ VoHPckh2LdZJQyiUl7+5zUKhsGBzEqU7BZck
+ OLPd6ccVJrNkOXfyrsYHj5NXILFtjJ/+avaY
+ kiTYYp8ix9bSLG6LBbWuaDNcjgGV3hI2Woo2
+ onBRmHmuklKgmmmbZ+YRT94FZnkrQRtUlRo1
+ nRLQN21PBXCOfwYQAA== )
+GGTEST9KCG7P1MNV2U653M6CIGD9Q6UJ.example.sec. 604800 IN NSEC3 1 0 1 94CD IR5OEOOO61L2NLSFRK4OLKUJ6FEARD1Q A RRSIG
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ vAQghXrUpaoGUONOUjKRSxBIno5udi5R9GhP
+ L/ocMnuUYtIjtkPqFNmuIFpqMKOy34aox/TD
+ SPuZjfb4+OMcdHw0Zz9FT6U/jw2B2aAWcrDf
+ oU6HasH3e2lCUZizwiaCPPhFMuBdZjuwMqHN
+ BMCW9JfsJ9ohKl+OJ7i/eS0MgAWU7/o/hmAl
+ NRA4Q9fCUlivMQ+ZW+GUBLDzZh3tDMsIXhTK
+ EenhqSZdL563ZmRnxe9hg2+rjp7T42UxtzUu
+ MCt71MGnp+Q4ki8RjubLyDsjNbW9oXs02EwT
+ B7Exydd4GHGXBiYdUt2fFHp1pJ5sgObvSoue
+ FTw3xBWZ+TCnuohK/A== )
+E7Q5FM6A5MAMV8HQ7O6A8F5RIF1VJGMO.example.sec. 604800 IN NSEC3 1 0 1 94CD GGTEST9KCG7P1MNV2U653M6CIGD9Q6UJ
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ NtTit77tk2WR/L0n3LcBnzceSfceR0y8bJjx
+ 65oUXd+y+nu+c8I+OxmRDeoZHcHFvjH7TOpK
+ /bET+/KUbs/43wMYsq5pIRAq6iY+pNZnnkOQ
+ 8P4lhKm15dpFb4dO1y3rXQxhT278BMoRDrMH
+ sOTveerXFOVI7hi7dSXsZp34to7hhdVrsF36
+ u00ogWJERVIZll3sCQOvKWyfFI8f8M69vWw1
+ o0U4OR3iWmz9L0zgIgxxSHHKnBZmW7cP+zW9
+ D746pMchP2TAYB43LZAMotU6jPLgWCcF0olz
+ 73KJdziRJnko4ARx+iMgiWOUw0ujvCwK5kDo
+ lTmrDPe6/z8aXM/roQ== )
+VJ5SSNKSNS2CP5O6DCDDHK8HLH6N7CVC.example.sec. 604800 IN NSEC3 1 0 1 94CD 0A8475SNU6T5P84AMC4I7KAEAMKCMIAF
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ nP9dmjAs6A4GdtsD9Xk3S0WOt5Tg9cSXJQDT
+ Ff+bd95AJKUeDRk0L71iUa60CYAHfDLI60gp
+ M5JgO0YgCloLzV9UFvkDj7Fe+v7Ptyl9mdEk
+ e7KwLBSVJyRsKMbgB+BgvenXEOH9hIiG+8CE
+ uokdOvUEERaUYk3zaoA5SScFGoVy6v9GwCcq
+ adUC16d5/WyNuaO2InVl2ug8dX1WtnZzdl09
+ evjhKiDiLABJ4Z1sLvkJsaNrwFpYn+Xkdv/W
+ MIb08A9FypXXavAV3zJJZyB2eyQG2Ae8ozNs
+ r7H06agUsiZKKMYtusq8FI7ISmgHPKbOu3ZZ
+ dT6l4pFLmuXimm5LmQ== )
+PFQHTQGF3T3O7NQ37E7APPJS4E7G6FQI.example.sec. 604800 IN NSEC3 1 0 1 94CD PII3ACEVPP84TH3B1FCEUBN9E8R1PQT6
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ t3PvXIfG9zqm90xrzWhYYcvSB8ZO26ia3c71
+ uXs+3XS94BJF8cnvecAq26YTmbwCkm4y6AQg
+ 1P3VmM5fZqHHq5eGthdSMgACpGYk/1KL+ZtU
+ qJ08LbtGFLS/Ai1YNOu+xVFj7Z1D27rAghGb
+ 30z+qjkkgNKgF8RrtUrQtuZZHYljjypJ0bhU
+ ehZitu87s0tLIGZIK8EvZ1lkAr+RcdOau37x
+ HGIYSX262YOd7QZ/XytwhpnxjU6z99EefOKf
+ sP9e5U1Q76czO9iptn8m17lkEKIFEEP8jUtF
+ KGR1Qsb6PgDkAV82giZDxgFlq4WarIk6olu0
+ K03HV9skBS5BV2HqOg== )
+PII3ACEVPP84TH3B1FCEUBN9E8R1PQT6.example.sec. 604800 IN NSEC3 1 0 1 94CD UB3H790SAMOQSDHHGOFHG1SBHU35K00O
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ 0RfXq4uTIqZJQzcGQ4s1FzIyafMn8Y9gO7zp
+ Lf59a81Wr7feYG+KuOXc9sJC8Kk1Aerd1bSv
+ bAmskxHxBI2cjjI4S8JDSGVezymeqMsopoEH
+ c8jiACBjc9rCx2Z97YcXElo8PxE9AkC/a6/V
+ PHXGr0aS3P6QB1O9AHE1rIv5t9mrATJkE1TF
+ CH/ravS0ZaSZKPCLw7zSDObT9K4OazvRJHFO
+ VAqd1rX8J5SHBs3ss9p3kBfnedaMNb2GLfjo
+ Tky+WTIYoHexC2s4Kxdfj/8wWqlhw6JIcO9X
+ g7Tc500A4/58YU7JqmLfu7a3H0kVF2oXwxkA
+ KPlfulSsPGFYjB+5ng== )
+UB3H790SAMOQSDHHGOFHG1SBHU35K00O.example.sec. 604800 IN NSEC3 1 0 1 94CD VJ5SSNKSNS2CP5O6DCDDHK8HLH6N7CVC
+ 604800 RRSIG NSEC3 8 3 604800 20120923133353 (
+ 20120824133353 48381 example.sec.
+ kWKeBzW7N07cmtm7TtqzJfPJOcxNHqr7nQpJ
+ XqyRe2SvNlaUJpxqgTOQn3SjrsG4GUA5+j6Y
+ Y/MjScGeSME0xIWiPV1ZBGnm/9mB8FEePK58
+ PvBLa7SlKj2v3mvlMlZQzJa657NtV5hbaVcx
+ JP8YbK2W4zTGS8htg2VZMvRSfSV8gQwgKQlB
+ BGeIeM+xfYkrxvklRfLl6+ogZlJVfPH71SLO
+ PiEXrvfxU0HWbvej1HsNXdQDjv3Ix5vd8xZ9
+ QW4pyl+BHe22+Dx/TpAAoSXGdntuKuZqPF6P
+ bpBZrMZcqdPlODnEUBgzGB3ChaZvaf4BlHzs
+ vYqwsj87D5atXL3pOQ== )
+bebe.meme.example.sec. 86400 IN A 1.2.3.4
+ 86400 RRSIG A 8 4 86400 20120923133353 (
+ 20120824133353 48381 example.sec.
+ vIeL1Bu8xiDbEn25Uard5kbWnI44qm7zMm7c
+ ZRTHlvfBlEfo0uAqdOEsABmIDuj6bYfqifHC
+ 6YpsPU246RKOLwZ+FGZn9hTiWkixCu4gi/Cg
+ ynKCgRNprJdvRTiGTQ5glS2q0wNwn6SSgBAD
+ F5W6wu/R6k2MHCzJHoR45xLwwsDBqPAvPMlB
+ NgrtQh+L++zhvC5bw78WBnLY6h2wxlgby/6O
+ qwiYbHborqhQLzIYmneOluceptx5gk9F5B10
+ 8QTG8wDtACj2TcKUT5vQ8+ZzmC8l3CNKVoKO
+ B2PrrtfNEaCNfYIjfW5d9feZkjxxqLSzrMTg
+ FZT6ntGLpEOxDRgYxw== )
diff --git a/t/issues/24-delegated-nsec3/Kexample.sec.+008+48381.key b/t/issues/24-delegated-nsec3/Kexample.sec.+008+48381.key
new file mode 100644
index 0000000..e9cd610
--- /dev/null
+++ b/t/issues/24-delegated-nsec3/Kexample.sec.+008+48381.key
@@ -0,0 +1 @@
+example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8=
diff --git a/t/issues/24-delegated-nsec3/Kexample.sec.+008+48381.private b/t/issues/24-delegated-nsec3/Kexample.sec.+008+48381.private
new file mode 100644
index 0000000..5beec83
--- /dev/null
+++ b/t/issues/24-delegated-nsec3/Kexample.sec.+008+48381.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw==
+PublicExponent: AQAB
+PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q==
+Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk=
+Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c=
+Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk=
+Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU=
+Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q=
diff --git a/t/issues/24-delegated-nsec3/dsset-example.sec. b/t/issues/24-delegated-nsec3/dsset-example.sec.
new file mode 100644
index 0000000..b4019ef
--- /dev/null
+++ b/t/issues/24-delegated-nsec3/dsset-example.sec.
@@ -0,0 +1,2 @@
+example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA
+example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93
diff --git a/t/issues/24-delegated-nsec3/example.sec b/t/issues/24-delegated-nsec3/example.sec
new file mode 100644
index 0000000..659c640
--- /dev/null
+++ b/t/issues/24-delegated-nsec3/example.sec
@@ -0,0 +1,15 @@
+$TTL 1d
+$INCLUDE Kexample.sec.+008+48381.key
+@ IN SOA ns.example.sec. hostmaster.example.sec. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+
+ IN NS ns1.example.net.
+sub IN NS ns1.example.net.
+test.sub IN A 127.0.0.1
+
+sub2 IN NS ns1.sub2
+ns1.sub2 IN A 1.2.3.4
diff --git a/t/issues/24-delegated-nsec3/example.sec.signed b/t/issues/24-delegated-nsec3/example.sec.signed
new file mode 100644
index 0000000..0994375
--- /dev/null
+++ b/t/issues/24-delegated-nsec3/example.sec.signed
@@ -0,0 +1,114 @@
+; File written on Fri Aug 24 16:21:37 2012
+; dnssec_signzone version 9.8.3
+example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. (
+ 1 ; serial
+ 604800 ; refresh (1 week)
+ 86400 ; retry (1 day)
+ 2419200 ; expire (4 weeks)
+ 604800 ; minimum (1 week)
+ )
+ 86400 RRSIG SOA 8 2 86400 20120923132137 (
+ 20120824132137 48381 example.sec.
+ tbjigL7HBI1uY1R5m/QrGVGYv0pWNz0TJiMl
+ 5s600fiDV/0t4eZO0sLsa14gNWSycaHzZpeH
+ AA29ZV07g+i/WE2BrNj00JzqfGeX3r8hd+LP
+ vTF7pHAG4syGweqokn9F0ePG/HvW3263i3eN
+ OuFJS7yeo1ey0REsCpkaMvmiTGYy4Ns/J3ft
+ kIT92X7p9Ok4ECm2jvYUykXSa8oChWK65EIQ
+ 3VbMn+X7od686gw8disrBIgHYSlWO5cPHIe+
+ T60PqGB9RM6INT+8x8t1hyYDgZcWlL9J0bM+
+ QNp24ug1E3nKNgtg8Uf9jvA4HGzRxuB4L0PH
+ RCLY5Mv64LoNcuGmPA== )
+ 86400 NS ns1.example.net.
+ 86400 RRSIG NS 8 2 86400 20120923132137 (
+ 20120824132137 48381 example.sec.
+ uZ3XcCp2Ko/NqC184GE+3Vl0kaxFRs1QkpAB
+ cZRS3DvTlFTJQFpAOpBD3YBiP4QTz6weJh9W
+ seg0/ykNlfxzRJjLTMijsAK5M3CEIfIA+1hV
+ 5AiqEXIsD1VvwB4bmeMZY2HgYteyfP9waNmS
+ KE6hZG4VV4lHMdfxy6ovsi6UOGQrfA6+RdZ4
+ rRbMrQy4TofLPYWFA18TwcJRND+KMiLrbEB0
+ nsE7wtw09E6Fo/p9rfOJSId9zpkivSywvN60
+ dx5lH3RDM7dRKedLT26uWodoc+sm5ksma4b3
+ lVpkvVuRYsjx5380MC6Q3Ffi5lgGg+S6U+0x
+ BNsl65g/cBi52Mx3sg== )
+ 86400 DNSKEY 256 3 8 (
+ AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27
+ 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe
+ avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90
+ yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB
+ dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m
+ fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB
+ /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3
+ PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/
+ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01
+ u8SJYP6ULwx0mZ0p5BmoMH8=
+ ) ; key id = 48381
+ 86400 RRSIG DNSKEY 8 2 86400 20120923132137 (
+ 20120824132137 48381 example.sec.
+ vMI5/h3OOEYXPyz2EuTd1UTuOXArx80fDXR3
+ aqAg0VXxuDj5aCNNtrumGac8VQJSbcOFS6en
+ zavsQbdF4GynuqVouq0+Cg+AKqbkf91mwoRo
+ 9FfYjD+FiCH3AsTgY1sivgx96jxbUJrwlheV
+ Aq0sRNt25oejEnytF7zkxg4gfAmwszym2iy9
+ eYUCo5J7lMd5PGWOeTaWM6B1dhTu3db70GNg
+ s994rEqv9OM87d4XS9U+CrCbwQbj8VtHjUWv
+ ne5eSVqIh0RgMkPaLISYE2MUG2JNcs6eqYuq
+ z4LgGJAK3EE4QzsMGs5tmIK7rLbdIwUpLhlH
+ gwW2y4E10Hz7KLOjAA== )
+ 0 NSEC3PARAM 1 0 1 94CD
+ 0 RRSIG NSEC3PARAM 8 2 0 20120923132137 (
+ 20120824132137 48381 example.sec.
+ TMvS8oUX2NkG/VZ1/LFh5NzGNgmuj1KORpjQ
+ 6xLuuZ5EFvV97L5lG/QIeqDYBaeYbbxx6PuO
+ q35aV3BRxcGkoDlWRC2cFyR3RNzeTjj1q50n
+ o3RgqtMkvJE/gyl1/oXL4IjSnlw5xYdYGa7n
+ G2mGQdc/0vh/De8VMh/n0Dq2WbuJ6vqsv3+i
+ M3oiMrapG91EYnAcFB4ymBbkbuBqTwu4Gwkf
+ dkweQRkufWI/d0WP8ziP6g3pX6uqJjwvDd4h
+ wcLgQgajZ7wOzfnsqS/v+CMc1Hu4B44PN7BB
+ 50IKaviAkYCftfyTIy1FSYnAt4MHFrrQBKzX
+ c9ymqDL681D6zTNQtg== )
+test.sub.example.sec. 86400 IN A 127.0.0.1
+ns1.sub2.example.sec. 86400 IN A 1.2.3.4
+sub.example.sec. 86400 IN NS ns1.example.net.
+sub2.example.sec. 86400 IN NS ns1.sub2.example.sec.
+VT6TVPSQUE085J73EUKCPVB32N894AUB.example.sec. 604800 IN NSEC3 1 0 1 94CD ANUH4A3TCIVO884LMD5SA3S1563VKCOG NS
+ 604800 RRSIG NSEC3 8 3 604800 20120923132137 (
+ 20120824132137 48381 example.sec.
+ eaQxYQX+q0DDG03cLYyG9L+WmleExeZWQLb4
+ rBCuJO1rRkzxtC3SAD6MLQ2NVpiv9c0IbbNQ
+ EUCDXaA4/McY+CemogZV0pumI/xhzJ5Pd5k8
+ s8jxY0JNaaQ5cHDpUjyu6sWOTn4BwcZJaPtn
+ fBESTP7cy6uVQWRXiT5TJ33bBk2CeFCgMxD9
+ x5yvl5fWH+ZBl7AVYXamh4TsU5l8kL+HD19v
+ vauj4kQVEapBaaUEN3oS7S5lkUJ01ANHf39L
+ D36sRF6cZ2BEjiv3axl5IW4uQVnmo46XSP9Y
+ dX+0gjLFwfzUnt6bKO59pfZ1kAQnkpjvXC/h
+ DFcnQ1TZMn+MjSimNg== )
+L2BLRUARIR23VEOTUN998OLLATNAI6EE.example.sec. 604800 IN NSEC3 1 0 1 94CD VT6TVPSQUE085J73EUKCPVB32N894AUB NS
+ 604800 RRSIG NSEC3 8 3 604800 20120923132137 (
+ 20120824132137 48381 example.sec.
+ AU3924oCXsSm2yxkSzikdMHrKBgOCnTPQ8QQ
+ Cv/+ROYGWedvkf5jivUuqRi4wqsx+dK6UAPB
+ cmxb3zmebGfbzZtO1FI51z9tGSFPvahvTVcK
+ LkMlbzDmdcNFUpl/npagQLz5FTumi8gD2Ozl
+ dCdPATDlpoL1Won8t2rBIqPGaClahCHeub+2
+ FwAuWzjiNMsSAqUpIwHbUrf03AEYafVsacnI
+ 1t6qELwFMIa2UUDXGsFSR4BIfAvDK3wFq/Pb
+ i4nzKyINGmCPTaUphh2+uLQ8CIUAArVtgAj3
+ WcIGO8p8fHE3R9CneWANo6jPEjURzMxFLUjA
+ RD31yV95Xj5SLwAGSg== )
+ANUH4A3TCIVO884LMD5SA3S1563VKCOG.example.sec. 604800 IN NSEC3 1 0 1 94CD L2BLRUARIR23VEOTUN998OLLATNAI6EE NS SOA RRSIG DNSKEY NSEC3PARAM
+ 604800 RRSIG NSEC3 8 3 604800 20120923132137 (
+ 20120824132137 48381 example.sec.
+ kTRt2QfhcT+N+2MyDWz1kFpu0fpqa8AyXH7l
+ GDgMUjILF6dSwSTH6OCYYk9HIrdleNwq352I
+ LerDlaOOszwVrdyGnSFnyT0MYhXFEFUVDibl
+ svZlpePqbHnMkCEWMGmZHa9k10xNa8e6lUd+
+ 8lpUhuNSdi7GihEmYo0ZNlDv3913cz7iqNmg
+ 0dZk1Vs5GFZGZp5R5y36zBgS8TS+OiYNXL+9
+ YSsJukXnW93WcEUSvT5saUoxWD24rP41w6ro
+ 9n9J5XUgNmfaLMFj0AiaAtlVz30q3Nbv5v2T
+ w18A7ybrH2AiuSoRvL8ISQyIrA8P0pDIyftA
+ 5e4wKXX9LZ/1E9laWw== )
diff --git a/t/issues/25-nsec/Kexample.sec.+008+48381.key b/t/issues/25-nsec/Kexample.sec.+008+48381.key
new file mode 100644
index 0000000..e9cd610
--- /dev/null
+++ b/t/issues/25-nsec/Kexample.sec.+008+48381.key
@@ -0,0 +1 @@
+example.sec. IN DNSKEY 256 3 8 AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg273Tp4oRpnmnmgizDFtLQh nIv1Mr3AuwSWVIDeavuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90yQwf C53hxyH10GzGnAx4Sutrdkh1w4HM1nMBdlTMa0g9yxjJ0vm/T7qHzj+3 dTUi84s8Du2mfMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB/QUuoY2F yThfidT+nhOQpzftVtLcta0E0Uv3PcVDp1d7vBXsAEYGHr54r2vb3eXd OTmoFyh/byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01u8SJYP6ULwx0 mZ0p5BmoMH8=
diff --git a/t/issues/25-nsec/Kexample.sec.+008+48381.private b/t/issues/25-nsec/Kexample.sec.+008+48381.private
new file mode 100644
index 0000000..5beec83
--- /dev/null
+++ b/t/issues/25-nsec/Kexample.sec.+008+48381.private
@@ -0,0 +1,10 @@
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: 1k6+cu1N1CN90iqofey1vu8jpsmWDbvdOnihGmeaeaCLMMW0tCGci/UyvcC7BJZUgN5q+6LJYgC1+/DLR/cRgi/xizmQOIqzw8TWT3TJDB8LneHHIfXQbMacDHhK62t2SHXDgczWcwF2VMxrSD3LGMnS+b9PuofOP7d1NSLzizwO7aZ8wPqejL6V5nYi5fuUVxrxLMM2aFQ9ORe4WsH9BS6hjYXJOF+J1P6eE5CnN+1W0ty1rQTRS/c9xUOnV3u8FewARgYevniva9vd5d05OagXKH9vJ6FSU+rWAMQfSYFGVZtQepsacrKiXPR1HTW7xIlg/pQvDHSZnSnkGagwfw==
+PublicExponent: AQAB
+PrivateExponent: LOxwy9Km3/NYqre6fjsilhW3GX1kcRiSdXFYBBr3rMtUojKvgJsTH9uUeWZvTbTdne4B6yHiqSKRA3Eki79k8i9uqMq2SsP4ju8yJZHLmzjezIfJoHrQ6BxyFcMZoWPzdZkKFKmFwrHpxjjbvFcHvfiAu025Pta9C2o/rZXYC7V3BWQowqYBfukdpZkCEhzFzEtC1ROXN4jPJBwNIma52QTLH6jK5BOfOJ5DhS1SF+r/EkuvXnylApVfjPfUIC8ocVvpn5WLoabWL+eURIi6MvVT59ppzc6WRUT2PxDskT2WUWfw3zq5B7JCM8/qfYIDUHvt1h6JcJHTAOz9Hr2f4Q==
+Prime1: 8UNey2U7voMhZmVUMpH5C8q7+hp6PQ6dUYd+hjaQVnsDOLPBT+zZf8R3str7pY/xlOOHy+DxYmZ0e17OumSOXTeQR4VSdsr/tpWc/qd2jd1I5N58R4G/yZHgTm8pm6VRb7NwZ7Eg6o2z0G2UEykFeberyg4U6SHBDP6DZNvGrQk=
+Prime2: 42XeoQUBshFkTYekdeqPfGqC1YXsK0URLGAbPbk8HlOiG7ueVmUnsAS47lyuEJPzIUgqqBbDM+CCdW8AvPJFDXa09l4akfCrLRyAdkreGj3bgmUs5wUFbDZyOHvRFSxdUI8LOcAhXthy86l+wErKwm6sWfd1oPGvMmC1qiSsW0c=
+Exponent1: JpdjK1+3DcNF7W4Z6LjmwFceeGQR14Bl86ubtnY14k9s9X3zVwiIxeI0T1yt0g7TUsCOcTM7CUVgLne8053QE+MWZgpSZYQVISyPX0CEOy8BQPLBqGJ9vg1idslbO3VXMGngegWgQUSHVbihbesq4AxcI0bbW2s1yRFRDSoGfpk=
+Exponent2: NbR7bd/21I1S+RSN/ONW2/VzzOYCLv3y3l4cUOmMj0UFRjN7Y8AkLWgQHQt6eKPYigW3PVeS5o+hgAalT/qP4GwmtQDomYsTgmX22Pk5l00AqL0oa6895p69PyXO7Yc6yqnd5te/idzo2S8wpk2DsYPd5KmS+F3cGLPKc9KRekU=
+Coefficient: ev+8Aj3u6mICRe6Y0NqYTGrXSBMDXf92dI4+CZtwy43cyTvvZSABWvlLTTXf8XAlnnPxszSpG7+e8bQk4A7ZIagcDFSUjzwtVoLqKqbyLPMNjJKqvGW2iTwfpXAHTadd9EmvTPsEVCJnZAvkyn9XQ49phL9IkFzj9kmSrGqnN4Q=
diff --git a/t/issues/25-nsec/dsset-example.sec. b/t/issues/25-nsec/dsset-example.sec.
new file mode 100644
index 0000000..b4019ef
--- /dev/null
+++ b/t/issues/25-nsec/dsset-example.sec.
@@ -0,0 +1,2 @@
+example.sec. IN DS 48381 8 1 99477B577BF885AB2512B8DCA052D7B71DD968BA
+example.sec. IN DS 48381 8 2 E5411AAE0758711B164730F9069CCFA3CAB00391FDD76D04EB3E8610 CAA09E93
diff --git a/t/issues/25-nsec/example.sec b/t/issues/25-nsec/example.sec
new file mode 100644
index 0000000..76922f5
--- /dev/null
+++ b/t/issues/25-nsec/example.sec
@@ -0,0 +1,13 @@
+$TTL 1d
+$INCLUDE Kexample.sec.+008+48381.key
+@ IN SOA ns.example.sec. hostmaster.example.sec. (
+ 1 ; Serial
+ 604800 ; Refresh
+ 86400 ; Retry
+ 2419200 ; Expire
+ 604800 ) ; Negative Cache TTL
+ IN NS ns1.example.net.
+subA IN NS ns1.example.net.
+subb IN NS ns1.example.net.
+subC IN NS ns1.example.net.
+myMX IN MX 5 mx.example.net.
diff --git a/t/issues/25-nsec/example.sec.signed b/t/issues/25-nsec/example.sec.signed
new file mode 100644
index 0000000..d51f828
--- /dev/null
+++ b/t/issues/25-nsec/example.sec.signed
@@ -0,0 +1,139 @@
+; File written on Fri Aug 24 15:30:38 2012
+; dnssec_signzone version 9.8.3-P2
+example.sec. 86400 IN SOA ns.example.sec. hostmaster.example.sec. (
+ 1 ; serial
+ 604800 ; refresh (1 week)
+ 86400 ; retry (1 day)
+ 2419200 ; expire (4 weeks)
+ 604800 ; minimum (1 week)
+ )
+ 86400 RRSIG SOA 8 2 86400 20121220000000 (
+ 20120820000000 48381 example.sec.
+ qzY4pxbPjaFEQyE960A1GD918TUlhq4RoJ+B
+ QT5pkYo8RvqsN5g2MnfCegfe6ZS2/kwTMmWC
+ XLFyP4bglatyq6YpSb/nCNLsp7GHvkA1lkzb
+ VhvenUbYIvOjUXx6ME165fZbpP0NaUETvG6P
+ LKncqB2ts+Ru7ZsXZqBeAokxvc0Nf3q7JKHO
+ SHIV97zEeGxEbUqnbAVkjJzDeaUuIK6BBL0d
+ 2cRpi385lVcAbDk0byH9l7nVzVeSf7NO06lX
+ j4Nr7kWvDrp3+8G0ArawsjwuSf8++B8fqxPH
+ hjvfw5hpvsKt99muko/gTsL/N3x7bAH9QQRe
+ U+jSnD27HBChCJSFXg== )
+ 86400 NS ns1.example.net.
+ 86400 RRSIG NS 8 2 86400 20121220000000 (
+ 20120820000000 48381 example.sec.
+ thEwFRgijT/clJZq37540NFYrb/qPEMXdiuM
+ z1QsNXzNumsuVmPyxTwv0YFOEh1yMesFQGhf
+ AEVS+V9AoE+xA/r+eM64p+OMrxHmd476jyAi
+ eEGUOiNx9sZBEIYXB8tr0RRadWzoRtovpJ72
+ S6mJ2vBT9BIHFt14BVbQayLwf9mqpD4zQ5MU
+ gL33OxNXRdSsxRIxTyeC9RSSUd5hmCkNxjdX
+ k2ZbY4AlCZPcFOcdI8ZhLWd1mBD+e3xBwPwn
+ OILFQ/VpL5BCTB8Zw4yGAX8W0O2g7eXITD1p
+ /WVKj8ssLW8mlEjBvTC7SBPiPo0T+wt7jJUT
+ kcQz/cwfgGcGBgY0oQ== )
+ 604800 NSEC myMX.example.sec. NS SOA RRSIG NSEC DNSKEY
+ 604800 RRSIG NSEC 8 2 604800 20121220000000 (
+ 20120820000000 48381 example.sec.
+ m3GzdLzAPvf5ZUUWISV5cKGyNgDUZSbtKm2K
+ vZ3Pm0vcBTvanrVsi4cyG9lpr0P+LnrRUgZ+
+ KgoBK3WG24vtLmPRHxdmRctYQ0HsxfEq474N
+ ifwQzaHenv70OTy4luViH1fbBtyUUH1AFeJ7
+ 28Jj9gf6bJ0ZdUNPg0nU5uxqUiP98dEHn6JX
+ MMBGRMWrKzLM0QF8BP5P2BQ89JHnHVxDrzog
+ CzG9Uf1+bbd4j4QVvWjk3m7Wqf4Cb/fezMsm
+ lyme5u4yo3phrPgYCWWCgd+IssU7dNaxMnWE
+ uaycDuVSRmBotgfm03ANUiEbKb9arcfukSbg
+ IgGDyvfpvTzcpYi7cQ== )
+ 86400 DNSKEY 256 3 8 (
+ AwEAAdZOvnLtTdQjfdIqqH3stb7vI6bJlg27
+ 3Tp4oRpnmnmgizDFtLQhnIv1Mr3AuwSWVIDe
+ avuiyWIAtfvwy0f3EYIv8Ys5kDiKs8PE1k90
+ yQwfC53hxyH10GzGnAx4Sutrdkh1w4HM1nMB
+ dlTMa0g9yxjJ0vm/T7qHzj+3dTUi84s8Du2m
+ fMD6noy+leZ2IuX7lFca8SzDNmhUPTkXuFrB
+ /QUuoY2FyThfidT+nhOQpzftVtLcta0E0Uv3
+ PcVDp1d7vBXsAEYGHr54r2vb3eXdOTmoFyh/
+ byehUlPq1gDEH0mBRlWbUHqbGnKyolz0dR01
+ u8SJYP6ULwx0mZ0p5BmoMH8=
+ ) ; key id = 48381
+ 86400 RRSIG DNSKEY 8 2 86400 20121220000000 (
+ 20120820000000 48381 example.sec.
+ G2GT1BOwgV/uTbJf93jmUvl7bmu9I9gaV3B9
+ Iol/FeOE8/GQhpKYCM6zF6gT8iZtFJ37IYgD
+ tF5Zi+9nWE6HfvVtB6cltAL5Ud0Tkzuwf2XY
+ XsqnwiBmFlkJJgzNG7po0gkCWWrUpv+kg0Mn
+ 0JJfmSOvo3srOyEg42pAWcEJ7dvAz/DgcOCk
+ ef9i4cxlRRtgWE4a4QkHH/V7pFDAOEvWkXg3
+ RUih5VIFM0POxnqgS/QRbca2Zm6FyCgkbHR1
+ QF+ojRSKGVKkE2VbIcPX7yUcBagg6WdkWjri
+ ZHZlwgF0bzbBNTc61MYiSK/PyDQpS1/m2JPd
+ OVidiTu6ajWJpUo6jQ== )
+myMX.example.sec. 86400 IN MX 5 mx.example.net.
+ 86400 RRSIG MX 8 3 86400 20121220000000 (
+ 20120820000000 48381 example.sec.
+ iDUsHGQ4Zj9vEDUsojq08tVxOG6s+wjs3Qtf
+ DFXVPeqXmThdaMIVALzUyJYwnU0a4RNaM0lQ
+ FcFiK3y8fGuvMYQVUhheKBDLc0MmAht9CjJi
+ faUNJaNSTw/rjWtduJidzEaWUk5lh75YV3hc
+ YPk54jEbgTYTEJKCbfgDfRVShxAk64TM++Sh
+ xKSSW+4s2jKr98coYCcWYsHE6WlJXi0EJuDb
+ o84YG0MKoaURNcvEwWBwHhpxLnzT+7Yg7/AN
+ 2bmogQLy40Yr8bS9DiyBZikXJt01Bj+2sTrw
+ t4JIxBPCPy08YayZzYcMLJ2M4FL0f633bWzX
+ 4CPKb0ZLimqsAPXbPQ== )
+ 604800 NSEC subA.example.sec. MX RRSIG NSEC
+ 604800 RRSIG NSEC 8 3 604800 20121220000000 (
+ 20120820000000 48381 example.sec.
+ ljtWqo0kh1F5NZ1vNGaLipgKCxEQ+c5deq0I
+ 0wK8xOUSCjT5q8Ac8tIX6B50NIjw65YpOfQu
+ wzPVJM8PSsBA6eZuKIBKKy0MzD+X+eirunvS
+ wpJ6PHix8C4/eChrNZlEJs4AX6Q6nVuCH4b4
+ rIDClNiOTC7cXiWSK3FWgCzWpgWpG5yusRdb
+ EzDCyb5UTfnzcCZdjBRjXRA1c22nODgIlgS2
+ rqEJqn2o79CU8bYMx/LCQ96CO9y4XyVwAayK
+ ekSo6f7w7YPcwb9aFURN2mQ7ZP1sGxWUifVx
+ zpLE7aqM4fhlanG8OGEyvCZd2uXbtkdlw2m9
+ LGN/2omLoKgBK77JCg== )
+subA.example.sec. 86400 IN NS ns1.example.net.
+ 604800 NSEC subb.example.sec. NS RRSIG NSEC
+ 604800 RRSIG NSEC 8 3 604800 20121220000000 (
+ 20120820000000 48381 example.sec.
+ t68GfTtpxY7WZ8TVWBEEQdcsORVdG8a7hgL2
+ MMQgMW5K2DmdURAW3mEf8m8uXU2AwKJ+xCWL
+ /LXVfkxqFMVI4dyn6YGLbCyVv8RggATIt6b1
+ saEFTvByo2WThWnJU3r8Sq4LV35NurjruZ/o
+ DJVhTc//zPSSIQpUrz2kuUcOsL+djG3hJi+/
+ TB7CsrLGdEaD9elTwwAk9lvy0ZvfVhN63w0Q
+ BPMtSRPkARNfsHLJS6m8zutcUIbAPBF7FZDp
+ PUly5LNvZYbUQvFwo7A8JaZBUOBjFZ1apagt
+ FV3dBVtRXuBIBraFwJjUuKIApX177uYpxD8l
+ kDTfWeD/JD95z3a9Gg== )
+subb.example.sec. 86400 IN NS ns1.example.net.
+ 604800 NSEC subC.example.sec. NS RRSIG NSEC
+ 604800 RRSIG NSEC 8 3 604800 20121220000000 (
+ 20120820000000 48381 example.sec.
+ LJZFwPB4Aw4dLfqUnjmv3zeoKm/3ZZyHRusN
+ NniNNct8zaH7rqfTZHQoSBMH//YyyeJwQ7uO
+ 7YIRIJvIi3z1iM2FpxuHihtUE9fIHPOGpjo/
+ t42bh611Lod+OReiukOaUOkhavg0wMfYEX99
+ Bw2V+Sk5z4UrLwJd/slQYjow4ZnFIubpJhqt
+ gw0fsygW6wb3XN9zs+nNo0XD1ksdQOyKu4tA
+ ZmYXWYCEbw/BIg8BDw3TnqUxbV44namLTSUg
+ 97rA/90Nh/s1tsDQ3RbL7iaCbBH8ylSyCz5m
+ av1L+WK51LUJNgzm/fNJvI9kFzUG8s9oespe
+ f+r2hqgomotK4WdxMQ== )
+subC.example.sec. 86400 IN NS ns1.example.net.
+ 604800 NSEC example.sec. NS RRSIG NSEC
+ 604800 RRSIG NSEC 8 3 604800 20121220000000 (
+ 20120820000000 48381 example.sec.
+ twkPkw069EOqYcUugvM2qD7+/Yk51+91WRnz
+ Cq8AR8P4KlaBvahWg997haey4q8wV1rXsAXu
+ lMc9iNgmX6TaIiHoq9kMXumELWzE8Oxa/ymH
+ vvQnMOk2j0zcKh/7lyGeTX7cpSvXhz450XH3
+ 3EfQeb6BLzlwyXgfnx/kGLS/lIez66Py/92v
+ 2M87By7Gx69dv1vbBleeVxsYKmKe+sal7Ayl
+ ZPP9+NlOqZqDBrCXvwOmn+ScfCbeYxgMzmcf
+ 2LMBEGxpDHRfBuV35hOzOVCce47CCip1Xian
+ Jmnh1A3dqZJXCrxFZidvAYVm7jEtAI8FS1OL
+ VjBf8zzsLfQKiMpeGA== )
diff --git a/t/test.pl b/t/test.pl
index 8ba2a66..29ff525 100644
--- a/t/test.pl
+++ b/t/test.pl
@@ -75,6 +75,26 @@ like(shift @e, qr/IPv6 address is not valid/, "not an IP in AAAA");
like(shift @e, qr/MX preference expected/, "empty MX");
like(shift @e, qr/MX exchange expected/, "MX without exchange");
like(shift @e, qr/garbage after valid MX data/, "bad MX");
+
+like(shift @e, qr/bad SHA-256 hash length/, "TLSA SHA-256");
+like(shift @e, qr/bad SHA-512 hash length/, "TLSA SHA-512");
+like(shift @e, qr/certificate association data: hex data does not represent whole number of bytes/, "TLSA nibbles");
+
+like(shift @e, qr/bad certificate usage field/, "TLSA certificate usage");
+like(shift @e, qr/TTL is not valid/, "TLSA certificate usage fallout");
+like(shift @e, qr/certificate usage field expected/, "TLSA certificate usage");
+like(shift @e, qr/TTL is not valid/, "TLSA certificate usage fallout");
+
+like(shift @e, qr/bad selector field/, "TLSA selector");
+like(shift @e, qr/TTL is not valid/, "TLSA selector fallout");
+like(shift @e, qr/selector field expected/, "TLSA selector");
+like(shift @e, qr/TTL is not valid/, "TLSA selector fallout");
+
+like(shift @e, qr/bad matching type field/, "TLSA matching type");
+like(shift @e, qr/TTL is not valid/, "TLSA matching type fallout");
+like(shift @e, qr/matching type field expected/, "TLSA matching type");
+like(shift @e, qr/TTL is not valid/, "TLSA matching type fallout");
+
like(shift @e, qr/outside.org. does not belong to zone galaxyplus.org./, "outsider");
like(shift @e, qr/long.outside.org. does not belong to zone galaxyplus.org./, "long outsider");
like(shift @e, qr/outsidegalaxyplus.org. does not belong to zone galaxyplus.org./, "tricky outsider");
@@ -97,6 +117,9 @@ like(shift @e, qr/garbage after valid DNAME data/, "DNAME garbage");
like(shift @e, qr/CNAME and other data/, "CNAME+CNAME");
like(shift @e, qr/CNAME and other data/, "CNAME+something else");
like(shift @e, qr/there should be at least two NS records/, "NS limit");
+like(shift @e, qr/not a proper prefixed DNS domain name/, "TLSA host 1");
+like(shift @e, qr/not a proper prefixed DNS domain name/, "TLSA host 2");
+
like(shift @e, qr/TTL values differ within an RR set/, "TTL conflict");
like(shift @e, qr/multiple DNAMEs/, "Multiple DNAMEs");
like(shift @e, qr/DNAME must not have any children \(but something.zzzz3.galaxyplus.org. exists\)/, "DNAME with children");
@@ -191,6 +214,19 @@ isnt(rc, 0, 'dnskey extra checks fail');
like(shift @e, qr/leading zero octets in public key exponent/, "leading zeroes in exponent 1");
like(shift @e, qr/leading zero octets in public key exponent/, "leading zeroes in exponent 2");
is(+@e, 0, "no unaccounted errors for DNSKEY policy checks");
+
+# issue 21: https://github.com/tobez/validns/issues/21
+run('./validns', @threads, '-t1345815800', 't/issues/21-nsec3-without-corresponding/example.sec.signed');
+is(rc, 0, 'issue 21 did not come back');
+
+# issue 24: https://github.com/tobez/validns/issues/24
+run('./validns', @threads, '-t1345815800', 't/issues/24-delegated-nsec3/example.sec.signed');
+is(rc, 0, 'issue 24 did not come back');
+
+# issue 25: https://github.com/tobez/validns/issues/25
+run('./validns', @threads, '-t1345815800', 't/issues/25-nsec/example.sec.signed');
+is(rc, 0, 'issue 25 did not come back');
+
}
done_testing;
diff --git a/t/zones/example.sec b/t/zones/example.sec
index fe4b300..e361a4d 100644
--- a/t/zones/example.sec
+++ b/t/zones/example.sec
@@ -20,6 +20,19 @@ ns2 A 5.6.7.8
mail A 2.3.4.5
www CNAME example.sec.
+_443._tcp.www IN TLSA (
+ 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e971 )
+
+_8443._tcp.www.example.sec. IN TLSA (
+ 1 1 2 92003ba34942dc74152e2f2c408d29ec
+ a5a520e7f2e06bb944f4dca346baf63c
+ 1b177615d466f6c4b71c216a50292bd5
+ 8c9ebdd2f74e38fe51ffd48c43326cbc )
+
+_25._tcp.mail IN TLSA (
+ 3 0 0 30820307308201efa003020102020123 )
+
delegation NS ns1
delegation NS ns2
delegation DS 60485 5 1 ( 2BB183AF5F22588179A53B0A
@@ -51,3 +64,18 @@ cert CERT URI 0 0 V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBtYXRoZW1hdGljYWwgaWRlYXMgYW
alias DNAME anotherone.sec.
+host1 IN NID 10 0014:4fff:ff20:ee64
+host1 IN NID 20 0015:5fff:ff21:ee65
+host2 IN NID 10 0016:6fff:ff22:ee66
+
+host1 IN L32 10 10.1.02.0
+host1 IN L32 20 10.1.04.0
+host2 IN L32 10 10.1.08.0
+
+host1 IN L64 10 2001:0DB8:1140:1000
+host1 IN L64 20 2001:0DB8:2140:2000
+host2 IN L64 10 2001:0DB8:4140:4000
+
+host1 IN LP 10 l64-subnet1.example.com.
+host1 IN LP 10 l64-subnet2.example.com.
+host1 IN LP 20 l32-subnet1.example.com.
diff --git a/t/zones/example.sec.signed b/t/zones/example.sec.signed
index 38d9732..5bb8b0c 100644
--- a/t/zones/example.sec.signed
+++ b/t/zones/example.sec.signed
@@ -1,5 +1,5 @@
-; File written on Thu Mar 22 15:19:14 2012
-; dnssec_signzone version 9.8.1-P1
+; File written on Tue Jul 17 12:11:38 2012
+; dnssec_signzone version 9.8.3
example.sec. 300 IN SOA ns1.example.sec. hostmaster.example.sec. (
42 ; serial
3600 ; refresh (1 hour)
@@ -372,39 +372,271 @@ delegation4.example.sec. 300 IN NS delegation4.example.sec.
gFnrAa3A1fLKuUf4G53MjTlu6BKYJQtEqxwo
0yE/8rePwZLK8Itgy3Io2V8MvHlU5NmUEWLq
At4YSicAUv2CpVOcqw== )
-delegation2.example.sec. 300 IN NS a.ns.delegation2.example.sec.
- 300 NSEC delegation3.example.sec. NS RRSIG NSEC
+delegation.example.sec. 300 IN NS ns1.example.sec.
+ 300 IN NS ns2.example.sec.
+ 300 DS 60485 5 1 (
+ 2BB183AF5F22588179A53B0A98631FAD1A29
+ 2118 )
+ 300 RRSIG DS 5 3 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ uEf2xsca1/OJwovwMVGyFB4/6OUmutAWlWvG
+ qM9JDtvUPMhUV8dzRRiwpWfz3YkPU60Hqn8n
+ QX981RtNc23oiwjmo1ehp1DW7R9dqcqxH4KM
+ 5gYrdJT+lJAoN3ii43rQNl0N7OfObYxlZj+N
+ K7aMVBHESqQd5ZaRfkiut8XW49M= )
+ 300 RRSIG DS 5 3 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ GIx0C0s5HJdizOCjIFnqf3BvhIwKaJZW9id0
+ vcQAyd3qzbiiuWecM5pdyiJahFpnKmGxTdLM
+ ZCEwNczhZZf+RE6SlOu8j/VcFujTlaq47JMZ
+ uaU2KETUVZzOhFP6Vrddax35icNcO1Qfu2US
+ B501hzVzyAjr4QL9j0KKlYBe3n3/349dHIiT
+ trruNmkB0c/M8KOkApnUbO8/42Xaz5QCBvXT
+ nyx3jp2WHTCCLLC2o0LTD++w6LkqhTXvWcbo
+ oIMBUXD9hXm/NnYjPxR5+8IhIzPjgjL1vzw7
+ RZrtCBVuI6PIsCRhyXxJ2XoxB293M0GxOmnh
+ VBZ0feqy7wVmo+hklw== )
+ 300 RRSIG DS 8 3 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ D6eEY7RttRgccoDGLh1/JJ2Q8Xt8fbnNVzXG
+ WhLlMMeEc1S1FzJG8/SKUrvYVKtrU8wPZpLq
+ qV/2jEjHk81vOqj4S+NZh3hV94h5p27Pngqf
+ 3fNzd0aO940zkFC30aAiz0BBd7MX28AOowLL
+ 1UWoiTCuERpPAQTuRQRbAR2zf+205PJLjbU2
+ 764FVJYEzp6Kal66lWOYlB2EqGWdrv3irPpJ
+ lyTYMaFpNvh4qOkRaBgmT06lzGQuG6E/tUmF
+ nR6tQA4oFaGMs4QGWv05iMYYKleBBNlC6OYM
+ 0At5mmxZIfiC1viIGDTGvHaKDS3YjWO2YLIq
+ 4EQZCBQJAnbb3rHmWA== )
+ 300 NSEC delegation2.example.sec. NS DS RRSIG NSEC
300 RRSIG NSEC 5 3 300 20121212121212 (
20111010101010 516 example.sec.
- alXox/n3U8q3S7BezOkumPPVxQekZSPZ34nY
- w9JL0qX5h1NOuAR7SG0B/sKz8XKe1gpoTpZ6
- oCYSZ/4LAw1oWryRe1W4+K63fNHy1BpZJMGn
- 0toviZnfH8DrmTnwcDAXkPd6IhdX2Ok7ztef
- M3yeP8heSWCvyBukpa4EBvwv5mA= )
+ iG8wud8jrvX0STdk/BPdIHUCMgeIExOklQEO
+ Ah+K6e4LJakFKjuI+G1tTLdHOP2GauWkb3GQ
+ 0Ozj8r7+jQEz886ZQmCR8RigqW5/CsnwPc9V
+ oc7TbNntOs+M4NyOiqC9NfmafrpqIrmbLMBW
+ THN6XGPUMdc5riMr8miTKtLDMF0= )
300 RRSIG NSEC 5 3 300 20121212121212 (
20111010101010 44427 example.sec.
- 5e7KvcXLAy5uVdD/hAZuNl7mC+qITTiihlmU
- dh/KIachaEFMMqRoDsY61kjY+cSpkn/n2dp9
- OozcWUFfhfXY2D5EFaRmkWKtP4N37ryVWZUw
- maJ5ZDCLcRa/vWfJGWlTrG108ijGkfUPE3lE
- euYkc0d00yjmbcz72uAW8NUmixRUU+3Payly
- GZSDVcG7vZ/qaf1dXG6cToY2n0DDIf/526eC
- xH5NhhDJgq6O1ZCEtS9r6Hb9vpR9Ed9wJvgt
- a7VZltV0TlLaiFGSGZA+OgZV9l0HerOCh8uW
- nn3L8d+jMAOmrk8/Jn47uTpZub1/j8eZo5pA
- jFyHUZ1b0h957vC6XQ== )
+ Hw2H90l/QMOJYJPO+B1eCpGQXJGXOd5MoUfR
+ Fc4budW2eesImgWQ6TR8Bvwjz95niA8lpGyq
+ QEXjJ6cEf5JEKYw/4xOVlmFNDHyG//iQ1kpf
+ 2+aT8IuiM0evbBgiej/VhYZFScUQ4Ibslna/
+ BFMyoJ7ugLmLelYiolB9g30a3q/3ULYwfn1j
+ OKUbYUeWClKQ+l+i37wRuBIPX6aT6//CetOX
+ uCecmaDTXl94NKi2pw+fZKs504Ed7xT6FtJF
+ 9FYJAlsFloV7T6epZ/d5pl82QYaEshZpMePa
+ nqah+amBETh/kd3vokG1lzzFzSbwrWjxgtq8
+ XYCG9CbCOcJz1N0bXg== )
300 RRSIG NSEC 8 3 300 20121212121212 (
20111010101010 48381 example.sec.
- rQwfcCjBLlYDpe6DC2d1w2qVYAUYFqcfbwHy
- gbjXT4RI2nV4E5q34jwEgi3TFb5OmYZviGwF
- cJvyii25oYSt2qcKPlTGGnrD3vAMb9lgX9L2
- hyeHWcmOfB397CySJKMXNbWtZz2YLu4YLrc9
- K1e+2eQD9MZbVIBrn2f5Krf306FMNd9L4n/p
- yNrW/6EUfHmRtFsD5vGYytoRRBKoPv5Rxfoj
- pbhhuyC8MlntVH0IhDe1zvKAmzlBj6E6oB93
- zG8SqT/gNIuTUpa/qw37tcOw3fCRh7uG3TBk
- +ylUmRz+hcTUxjSqoQKxVT61hXcrKAogspaY
- QZ3Mctyg3Se9NhUd6A== )
+ yc2VoV4VVT+Wo/rVo6brdb7LfxMOslatW8Lo
+ ldBOGkVuiz21DskK5LUMGkH/4+NZ2L/aaDCt
+ JyiARZXabIqeMMY47QbNB1DouT1yKvR1Bc4D
+ Hgo7vK3eL4nf+3x0AXxTOdmdq6ZifxBkI5V/
+ fFKADNX1Mj1Xh1yVelJnXPLU/ZkAvtakWmJ5
+ Dj2I2EETshpkC19lqOP8i97jMR0OWfTCjbzT
+ SL8t0AcbDEWo/TFRXkMP0MaC8NMXmWtkSMH0
+ 96nYIS3YA35OeV+gr6LtEb0VJd6E0c+FnM2s
+ T3Up4g+99W8Fs+FIYxYisan296LXff0eNCgQ
+ fNw1Tj+4tWl4lh333w== )
+cert.example.sec. 300 IN CERT URI 0 0 (
+ V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBt
+ YXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0
+ aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBp
+ biBnZW5lcmFsLg== )
+ 300 RRSIG CERT 5 3 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ kTmXaHROKWMOssXq+UTQZM8FOVyhgtqyZm81
+ LUHbIForbI6FSvZG5yw1U8us1WttnJ4w1oBI
+ m7gZjRD4O3RKgnD2PkV0JDS4y/itMeJ49Z5E
+ sLXSaPwkwuMJK81HfsmwTF1Mglzk0KgXOrBi
+ sdd5yLxCnngdncLqKIkLiYob+iA= )
+ 300 RRSIG CERT 5 3 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ rc8pVuuLiLEOiyR1SrD+Vos+1JEcqBUCVdaU
+ NtOU4jOM9jhJqEjfO6iRTPG5b+nIQcYX+4gw
+ MOsQwwsLHVtVmWnKZ1jml+M6npi/W+NmKy3I
+ Y2jOJz1I+JIFjlLu1UsEzxeV0tScIlyUCxx9
+ tMN/bUE2wNHnjZTLaJ+pmt5EvaK0VDulSKoD
+ PF6ThirWFt+K2W3oNtQATL3XjTNprhzgtRYX
+ Y4nfbHUOA3isbuP3jsH2Lp3IZfN+s2lg07mr
+ GaVkrYLNbgYaCGa6TM10cvTbrwgH4+c4ZjZ6
+ cBkrNa4LRh4cDEJEKgWqPQlRf5LGEiH+rrqv
+ KMtGiXSbW+4sVUCfFQ== )
+ 300 RRSIG CERT 8 3 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ Lmg2cuJHEQYh3JxJUT51BNu1ytK2AdHSo+Rj
+ cu7CTSgNv+JSv4JbhMLgEEOTN6nwL4uI9ZPa
+ TqdKUG4c0Ae8LF1LgDzbkpbpGpVaq0aaXMJf
+ EZuL8SvIANMm2mNItlrnU1cj5d3EVB1Rewj+
+ 4zuQawhJPNwbTkeVsj8TdUUr5VuBb7EbJ0JS
+ J8g/NS3SmL4L2Ifi25CxURcKr5pzcl/FDANL
+ BmTL1VE9vlqhjWbUTuiKhz2T7oQd/y139feA
+ oATbSx/6lel9pDVhxOXhf1kTDx3FdY3PS1Wh
+ W/FPUQkKQaxIGNkZH9dkKEEgNhnY5fVaP2MV
+ e9QK6ZMvhhx3IABwvA== )
+ 300 NSEC delegation.example.sec. CERT RRSIG NSEC
+ 300 RRSIG NSEC 5 3 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ aCbWibwSZKkYONdUM5Uu6rYkUtPKARhA3LsP
+ yWRLhFYIVXcHpa5gG7mv8QD0jVqAAd7530tF
+ c/fdmoCri7qqELICwZz09FwRNhtgSj6wRCaF
+ vKGt7mPM4ODWKGpUvo/0Sf3l9PtWCV3QmcBi
+ OZbRi6V/znv3bwwXF7jpkVuEors= )
+ 300 RRSIG NSEC 5 3 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ vGaDvMuBuy18IzuDR17zAtYpDTDHaA8ZQe4R
+ 9pxpDdvLzzXAWHEnXaTmsDrNBHaD6a7lWpMd
+ ONWZH7l8iUSTQGTXsqCQPoQXGcVPdBJwojT0
+ Dk8CG+Hp7pbKututKnnQpZdxy6OTdxc43K+h
+ IZYgn+pS3i+NloM5eQQXvAoL0V05fDYTC+Z6
+ igN2b66Fc5jxG9Snu4VjbNKLn+3H41WiGm9S
+ YrmoLLMdHHxTnRggfOtxD43G3RM/sMjAelF4
+ vXqAetGWwoNWtt5fpC7IA8Vxbp2FYAa6dZ21
+ nCPaveB2Bo4V1tFwkn9C972NZ74+pWngOFSw
+ L6jY4rtMUyNQCALy+A== )
+ 300 RRSIG NSEC 8 3 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ xga8+N3U/2hEz/HkOL/paiHSYSK1tyFOSqIe
+ FbafrJB696y4lxf8IC6VMyop6gmVkYXPZD5m
+ v0ngdjQsfLqCz7nOlHmcvaW1SCQ1m0qN2Flp
+ tCMmhi6+baN59SYtP7iB/Kk9b1xi5M+y4eS3
+ pb0+Z9lZgD7C28oBcO0lzdxNr1Suz0sugiHN
+ tDG2tfodUKxsCbT6jortxAwX7D3gcJuNg5sW
+ RlFTfCfAWU45QKAqvIrjau4DgOSWWYLPpA3C
+ POF1Qx4+vM0VXvE21jIDQAehGeNXl092FHI3
+ NmFvnaCcVmYdC1Qbmuh0kk/jWChLK10Puhdr
+ bKqFTWsOUIdc83q8/A== )
+ns1.example.sec. 300 IN A 1.2.3.4
+ 300 RRSIG A 5 3 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ Jz66qNND9eWmodjPcTD9VNb4G5BIqd1MPcMb
+ 9g+J69b1T21cNqAuIom5Y4cECyz/zNJOno89
+ b7KKcpItUnsdyBHb5WuDeJapT1s4FyEYDEms
+ diPzaEDEJCTmjyOx/5ADZ5L6I8EN8a3V+iWh
+ A2YMtWWWjZykqXHeVLPZwqbMJS8= )
+ 300 RRSIG A 5 3 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ RzfNZ0Pu4Vxk5xpCycv3ZSDDMViw+h6nR1uY
+ Jls1+oSygJfeQn0xeTcVzaZQvvZc0gtnecHT
+ 5UopyFB36R/qeNkPp5fFHGb+ZpMAaNmjrxGI
+ /1OhxvES4jwTaihetjVWEQyN0M0+Pgw0BNsN
+ tbz92zBczpUFTbe8FxldePwLcJFZ5CAvp8NC
+ VuzqAHVMGAt7DYvr9qTknrW/X8wszxwUuL0H
+ mwitcRF397E6H9SA06uDNum/s8RST9lsV1A2
+ GsssmglqqKICY8+g89SDqkSuxk1bsFJ+dvFx
+ kfXRlzBBvpuFt8sORt6LPJXSlFy/tgtRI1lq
+ oJi9S51V6XElb0vu1Q== )
+ 300 RRSIG A 8 3 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ Q2LBOCx0Ol+UX8yBrpWvoZEPu4bGDJfznS6d
+ uYWDHZc70kjSBipMO+vmzHTPXiax4LTXXznm
+ u6gtzSh05FTmQUx2QPctCwwLW3Lfa4xRBnQw
+ KV+HH0AyXUlKy8gNRBNgJmcQyvyKLr5T8UhP
+ PYQI60UZxU+vCa8Z38Wffy3X0+AraXFwMc3M
+ YClGU7HFn7cCKeIrdWl50PEYpa8qUj4ec5XS
+ 1QYZu2v8LE6GmChCCFIJsdkU+JzUJ9mOGYrr
+ l/aI8G+DPa17NxKwihgzQ6fQIS/AXOx0rUNq
+ ObP7mpqqn76X6BnfJFTGs9BUCms4W/sVNvra
+ hbAKFCLCNJAz9EO9Xw== )
+ 300 NSEC ns2.example.sec. A RRSIG NSEC
+ 300 RRSIG NSEC 5 3 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ MPFeioCIJDe03C9RD6Kux0g08JgJYH7xtyFF
+ 4OOOZVHD1mrI+BmjxtWwhb1c7Uqd8+/J9NLF
+ qywR/OzLW58FsNjznhl3Btr6HsfIfLrEOrTf
+ kbFlOOSP7gA5ngsC4nMqrWDPjSJwjJ5b3XIT
+ 12C2Efq87MFneqOEzUzIpqDeSdM= )
+ 300 RRSIG NSEC 5 3 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ kUQ26M/bdHkAbREgxC8kBkgxEpnXkQldxwki
+ 0S9mvnmJToiGjnvBIkDixX9BWrx2s8Nzt5tc
+ xfWqmzlbdbea+BitXMN2o9hnAWNJ0uFmQFaN
+ M2li2EH5FlCFPpN40w9hazRY25cBvciUJzNE
+ CaMTtDPRB9GUmZKjE/ZP0N4QnrxvrOqIMJlu
+ dCsLQ3of+NyBWYpsQQfQvbAvx2WNpolOjqMt
+ woCsfZhjvedlAAszdaNKCm2qcxYuSKvkw9hl
+ n9RuZkgYCf+4o0k/DRP6zSwacMo1Rcb6S1D3
+ b/AXMhBxwtytfaKPh0gAFB2fWck0TLpc/5EG
+ AuCcy6aJR66j0frDBg== )
+ 300 RRSIG NSEC 8 3 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ Rktfcj5WkoW+7lt1iMFsQXr70zjRdHCUBDf5
+ zqet9JtQU6r9HSdto4gJAXwwH+gYVWU1zMAo
+ ZrurdsYhkCrUnUYdO/g6Q+xDIdvPQY4UeUaq
+ 1lZbumzCGAQD21l+nrjxwkD3kvyDtfnAnxU0
+ eL+/8TqZ/Oo/2cEf2hkuQbOfQqpXImig0n88
+ e1+xBTJV+fPeORGxnAVL0QMRRabTyOqCPiwj
+ rcuXpIxRjKWOAEseoFHJbdvFc3MNGwfBC/BR
+ qI5xzREGVG3yUpY6o1EVkJTNMHdtahZsMOWl
+ hb1dFARcQSFHUdEEwZwc1gtIa4snPxpplgCd
+ ZetiK9mOJTMhVhGQSA== )
+_25._tcp.mail.example.sec. 300 IN NSEC ns1.example.sec. RRSIG NSEC TLSA
+ 300 RRSIG NSEC 5 5 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ br40QG5xW5g8hBGCPt2SJ7LPYfthNcwWVyHB
+ B7XLb3DyWsPIJgL53OmkBugwGGgDDEKHXz2O
+ mHcDEVk+ACBbswG0DFJfqM9uPPXoMbLl7k8P
+ L0E1dKO8eYZeyqE54O9xfYDWHx4nLwGP1vGp
+ tOIRXnuthA3HvEiNVNtRE7095S0= )
+ 300 RRSIG NSEC 5 5 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ xaRKCccf5698Uyq6+4qDG0IOGJRFP75JkQSz
+ BFbPQL48FS16pj1UdIjApO/a0zQZsqzOdZyM
+ ts4MK7g+qpzbCdi16OCQIoqN4PjtM6jGOjNw
+ Hnpq4qt1fE7FiVdW9g6vgmd3lqAtZxuDsyyJ
+ 3X116mOrLZhhO7TwuLhxTTip5IzHA5VVhXjH
+ 7MbhqN+P83180ghqpzXsu441rr+Xsk/aRfOy
+ /5/Ll0VzvO5842y8li8qfCnO2Bo6yXqZPDms
+ UTYQwlHPSux5L9Wng/Fxg5kCyzi+gvOuOJeT
+ 5xHerZUjG4OUdshMIisogVGp/HLO9T+4gTbR
+ CHgOG8y2yscno+R3sg== )
+ 300 RRSIG NSEC 8 5 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ xbsJoGws3mKDuU4TutUK/ewddXv34FKBGjg9
+ D8/96yj9eVjLUBhAwLZRS0KhH4Dg6PPsAIAJ
+ huvAd70rf/Ph6Zp3We7QjWAtZqyDAXA+4Fao
+ 165XRD/5ilnBNgvIaANDWWsxPUK61g7aoR4O
+ eTl09w/bxFt26w+zT+oDx85r19fDfH4F9iqE
+ koU/bMphpvCNIGEvLCe2fqGlI3wE5a8J3QXP
+ 36mizyKQQNcWS3ahujzpoEijESbizUSVMa29
+ bvhacwNS4afL7WgF3espHPknv1zmvowgsc7I
+ Y7LpC4nfxtmiUHP9kLvs7q1SkVoX2LBKdO6i
+ Df2mF2J6liXDNFdtQQ== )
+ 300 TLSA 3 0 0 (
+ 30820307308201EFA003020102020123 )
+ 300 RRSIG TLSA 5 5 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ DnP6DjlWI+yDT0V/X+yDt09WWl+NYtDxPhD7
+ STjsEIXqSCr1v0IFykeAaqZ/GJP3vOQEh3Nb
+ g+5kjv51Bmc+Ax9IVGUhYTUyx7fVk7VaaCpq
+ Rhc0GgjMn+JtwkQT/PJ/jtwGubRW6tWQjjwu
+ RfMpVC1cWRJ/2hKMmRTHn9Y8ysI= )
+ 300 RRSIG TLSA 5 5 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ Dez59FOkjLV3Kbhwf5P8qxoVM20ibxQAdf/D
+ PH8FM5TqHpkFv/BZKzaMMuK5V/lUOG84t9Hh
+ MvoUSZoWXdFvS2emNJPCiMne2+ZjALLX8T0p
+ 1rN3OtowrDCejBWAK021dxqSEdHax/s0vLgG
+ NJvYp2pGt3zVSnKSU9+7lNHzJ/cVk1qtrdmG
+ FY8o7ifHXcmktVMq67L9rqC/DtYRR8kDBioG
+ NCBly0XfkUllftfdtaLC6RvsF0f0OTPndWwx
+ um7CeBOsGC28yFqnS1bW8p3icMqqEpg/UB3Q
+ 8s0tmItraLSW9NZzKhT5rqBDDr/05ZYzx6Pf
+ AY43VJ/OR0AY7LXWHg== )
+ 300 RRSIG TLSA 8 5 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ nRVrRC3Pqm4VD+j0n7syYhGB5uvxl2Y1rM1f
+ B9Tz933zRZP041JGLbWmZV6v2PaKzmF4C0Mr
+ WsLykDX2dCIKdvysgxcFKzkmHtXn9yommvaa
+ sVMAg/cKOwYfJgQYBi2R/bkiBdjRokyCxH+/
+ BB6hHNX8W1OgjNavsI5u/y2P7d2n3TBRNAkL
+ kzujqfwJZ+e2bLJ7Dbya22hzSr0ARmC1tufX
+ UfZTzV8BnPJpXwo1j+NNuX7u7kQ+UJpXJdsX
+ xRXq0Hq6dSeMwTDldHmy37rLCamtcY2MYrqw
+ j5mKV1c7Ag22KMq3yyQbNnk0FsgBbrUauiKz
+ UlUdXq/ySQnilm2SrA== )
alias.example.sec. 300 IN DNAME anotherone.sec.
300 RRSIG DNAME 5 3 300 20121212121212 (
20111010101010 516 example.sec.
@@ -469,6 +701,139 @@ alias.example.sec. 300 IN DNAME anotherone.sec.
enVIAG19JVA4/Zjqr59BC0+6qCNaFIlf6P+s
Tus52Ixc5MnPO3UuAah55oNwfvL0AU1Dl1al
ylAwck7ZX/jjQavikg== )
+_443._tcp.www.example.sec. 300 IN NSEC _8443._tcp.www.example.sec. RRSIG NSEC TLSA
+ 300 RRSIG NSEC 5 5 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ DmW/7Gx7EvvU9gsoOxQssn9I5zBNq5gwGm+F
+ zwWZPfUxd+OeZFwfd+qCLXMpvWMN/JR5nu1p
+ Y68t+hqxAuiyLLwNF2D/wf69dSTunWPHKaXz
+ F1uMUkLmVDTaG11DtD5rz1Pfd/Mt8BX2/8OW
+ fXyqo53geg6GCfjAJv4pmY7BNZ4= )
+ 300 RRSIG NSEC 5 5 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ 1djWB8e86bYcMlr32K9gaAjFoiv3isY7mADC
+ FdJGu+AkyMG0qCR34qaDaK7EdM6fIMTVFdnE
+ FqF9OELcV1g/LhTKKHnLAoKrE0zHvrZktwMv
+ n5qh9j75eT8uf+6l0MtPhAcc/u74hcnDMz9f
+ hZvjbnpHBm3T9LGKVUeo2oX4n+Axh6N54cl1
+ 47y/dR6PoPbKb6Wg8BkUyfAIWkv2mBCWYDGJ
+ W4Du6oiQLdBOAxvieafX9Xk1PwBe5CxV6X86
+ OSIemzLcHDA+E892UaT+e9TegKNWjL1UX1OL
+ NJdV6gsajNbeghLPwMdgwMVmxjmI4uQBgraw
+ NbR4OrdbLRw0dSr1JA== )
+ 300 RRSIG NSEC 8 5 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ i+EVPPdKeaZAlNq9HPXz437Fs7PiCxHKKKFR
+ zVDf6M0UF0W7Wcl5jlnqllb6TwsB53Upf38v
+ PMJk/y7vE48On5wAb/XLmTUlBU+p+NJ2NiTP
+ 5/x8dklBdzS+6v2iF4yTpLfD3K970sB2j5oe
+ +GysOWnA5dJWzBHZPKY1V5SHbEH7Tann4Gll
+ c4F9A7PgY0t6jUfpckW5YuWKaV6p/5dqMWuP
+ SDctW12paRW5cqkZ4bIQn0ei3R/Y+DNcPeD8
+ XVK2mt6lRDipcp0LlCyXtFDtBrTjlyujbm62
+ MktmWWiZK4A1BfUY44ZFdQEzr01CxoSwCEuF
+ WdLSfG6b12XfNNQa6g== )
+ 300 TLSA 0 0 1 (
+ D2ABDE240D7CD3EE6B4B28C54DF034B97983
+ A1D16E8A410E4561CB106618E971 )
+ 300 RRSIG TLSA 5 5 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ EFJLOkZjiBVrGSxCbNc5k0ip1Mc1se72wFsr
+ 0TYHg9TMpHRAB+8SU11r8f5V1KP5KXzF78kr
+ MDVrnp8ySCwCsYr++V9zh/Wt235OQ4KM8xMv
+ UfTiknkYuaVJkFnbS9C7CIVLxlThE+3vVg7l
+ sNiJIfUDh7SsD0+vO9N+00xIdlM= )
+ 300 RRSIG TLSA 5 5 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ mpxahn8nXkV7k4xWIDAGT2/kVir3Z4WaKJqI
+ X6kKnsR0gbgJq0T1OIbA6WP4xyiAaqM3q/sO
+ Q/6Y6Z4JhwnJZXdPAMmmWfVbKc52sV/tMp7d
+ L4h98ND9QugIffpW9WEMVGBZhrPiiAE7w3Ri
+ GOwluu3K6yfGZvHg7eTr4tYmALWCnU4f6JaG
+ Ye1bvo4IGi8AlE2qxg0sduzSRtc4+FmCiWj0
+ mhPiNmnQObonkGA3xpuPqRPtcaga95ecbfmT
+ P0QVV3yJoswaO0kaQjxo7Prmiev5xk/fdwko
+ WgONMbgkKzLoeAgKlsQWJ6FgNOD7g1ZIZnCw
+ YVAVgzyaHGPO62g4PQ== )
+ 300 RRSIG TLSA 8 5 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ pTd0fMqEiuKey73dCne7FCxjowMMuehhQ7dM
+ VRoPiuW51D33ay2gb6qisLoNUf8I5lUQPag1
+ Ia/7ArCJQr12aYhsoeQKU/3BqrMwkA+kpmhB
+ m5G+Lj6h+jtJ8LnqjYV5pPHL317abWiQN4th
+ mypwHhS9g9zu/RKExzzhHtmCJpH6R3exNOmx
+ S50REX6rvrTXiigRiI0D8yrRnJHfmeustTiG
+ OKdU+JNn21P7LDBYIT+C5gDfJ31zOejKEIpw
+ PX+XPdAZlWFtj8PEi9KerTyqLphhWCgxSM0z
+ 8KqGLri2YUt2JeQkZ/zaHvtvjdpB9zWGT42d
+ vFIOdbcFli55DAmW2A== )
+delegation2.example.sec. 300 IN NS a.ns.delegation2.example.sec.
+ 300 NSEC delegation3.example.sec. NS RRSIG NSEC
+ 300 RRSIG NSEC 5 3 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ alXox/n3U8q3S7BezOkumPPVxQekZSPZ34nY
+ w9JL0qX5h1NOuAR7SG0B/sKz8XKe1gpoTpZ6
+ oCYSZ/4LAw1oWryRe1W4+K63fNHy1BpZJMGn
+ 0toviZnfH8DrmTnwcDAXkPd6IhdX2Ok7ztef
+ M3yeP8heSWCvyBukpa4EBvwv5mA= )
+ 300 RRSIG NSEC 5 3 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ 5e7KvcXLAy5uVdD/hAZuNl7mC+qITTiihlmU
+ dh/KIachaEFMMqRoDsY61kjY+cSpkn/n2dp9
+ OozcWUFfhfXY2D5EFaRmkWKtP4N37ryVWZUw
+ maJ5ZDCLcRa/vWfJGWlTrG108ijGkfUPE3lE
+ euYkc0d00yjmbcz72uAW8NUmixRUU+3Payly
+ GZSDVcG7vZ/qaf1dXG6cToY2n0DDIf/526eC
+ xH5NhhDJgq6O1ZCEtS9r6Hb9vpR9Ed9wJvgt
+ a7VZltV0TlLaiFGSGZA+OgZV9l0HerOCh8uW
+ nn3L8d+jMAOmrk8/Jn47uTpZub1/j8eZo5pA
+ jFyHUZ1b0h957vC6XQ== )
+ 300 RRSIG NSEC 8 3 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ rQwfcCjBLlYDpe6DC2d1w2qVYAUYFqcfbwHy
+ gbjXT4RI2nV4E5q34jwEgi3TFb5OmYZviGwF
+ cJvyii25oYSt2qcKPlTGGnrD3vAMb9lgX9L2
+ hyeHWcmOfB397CySJKMXNbWtZz2YLu4YLrc9
+ K1e+2eQD9MZbVIBrn2f5Krf306FMNd9L4n/p
+ yNrW/6EUfHmRtFsD5vGYytoRRBKoPv5Rxfoj
+ pbhhuyC8MlntVH0IhDe1zvKAmzlBj6E6oB93
+ zG8SqT/gNIuTUpa/qw37tcOw3fCRh7uG3TBk
+ +ylUmRz+hcTUxjSqoQKxVT61hXcrKAogspaY
+ QZ3Mctyg3Se9NhUd6A== )
+delegation3.example.sec. 300 IN NS delegation3.example.sec.
+ 300 A 1.2.9.253
+ 300 NSEC delegation4.example.sec. NS RRSIG NSEC
+ 300 RRSIG NSEC 5 3 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ WuuwTT692DQs9iSoi8mMe3/r8IIrnKaKisRF
+ UZ5aC6qTb54FydtNsgWAOOwzN21EI/ucU0kX
+ iXRcaJ0jvNG30ICWk8oI3By1dXDhpMrZerZt
+ hMDvnitwa851ZjxGeDtyJsMf2NfAuN0p7V3W
+ UxEGVpiru6ZDNO2rqfwAd35+ixc= )
+ 300 RRSIG NSEC 5 3 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ Vt/wOn+RgrH7e1m/E7XqhoF85i3q1JMnZ96K
+ E0WMA40MOmClX4+1oHwmdfeu/9U8dqxp4mJf
+ iJ2nz8tMoYYcJwa/NhOZs8UZSILUV+ACyhOR
+ g923yYViY41pyV4DCXxa17Cbc1GWizqDPvZl
+ yksNQTjGfVslH3IXlkGS6OPHY8HImnPKK0HZ
+ M4si1bZjFg+SU447VokQvz4gKxVHca20R3wD
+ 8A9ZwPHN/97A8rQJzRBlEfAP0EqG8cjt7s5g
+ ku+ZoeK/sjeQoq3VGUxJWEZU2lXVYwCAv8Yh
+ 9M+6PZ+O1pG2nfIgqpR+MGHJ79LAdTdRe6MJ
+ nrnROvz2DumLzi9kcg== )
+ 300 RRSIG NSEC 8 3 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ bH5sNx6a1xTa4fafzO+Ur2CCz7W+RU8EiYhu
+ mRltM1GcqQ0Cz0k9VQyRzkCE9HGPkzb9lDIp
+ HiQS6zf70m5YyXVgMG3WBN0MteVb0/1ut3jq
+ JDkQkSMtjyYnJdZ363lpfI363eAI6c1l+XlN
+ mvEZrUbUWn6entMRj6ZQas2r/7dp61tkZj/x
+ PU+4SZeVZZPJIZdDf3QLzak+tXG/fs4OCDih
+ 47F8MhlJ3i+L11FawFVoGXVo2NZ/SOhLoh85
+ aEGPu6j/whxLR6pw6JueK0euQWEeH6nDfXgB
+ PA1IYI06aExyLN+n4R1wC0q5iAS0ssA+MY/Z
+ cXye1Yt7SWn5oGXE/Q== )
jumphost.example.sec. 300 IN SSHFP 2 1 (
123456789ABCDEF67890123456789ABCDEF6
7890 )
@@ -535,142 +900,202 @@ jumphost.example.sec. 300 IN SSHFP 2 1 (
8ijIr6Y/6vXt3/VjdLHI27nqtl5OIoB6ULtA
/GlkqlibigOI/isMnNhHRzb1IxmpvuhziqpC
m5cVXQkmoD9ubPphkA== )
-cert.example.sec. 300 IN CERT URI 0 0 (
- V2Ugc2hhbGwgbmVlZCBhIG51bWJlciBvZiBt
- YXRoZW1hdGljYWwgaWRlYXMgYW5kIG5vdGF0
- aW9ucyBjb25jZXJuaW5nIGZ1bmN0aW9ucyBp
- biBnZW5lcmFsLg== )
- 300 RRSIG CERT 5 3 300 20121212121212 (
+mail.example.sec. 300 IN A 2.3.4.5
+ 300 RRSIG A 5 3 300 20121212121212 (
20111010101010 516 example.sec.
- kTmXaHROKWMOssXq+UTQZM8FOVyhgtqyZm81
- LUHbIForbI6FSvZG5yw1U8us1WttnJ4w1oBI
- m7gZjRD4O3RKgnD2PkV0JDS4y/itMeJ49Z5E
- sLXSaPwkwuMJK81HfsmwTF1Mglzk0KgXOrBi
- sdd5yLxCnngdncLqKIkLiYob+iA= )
- 300 RRSIG CERT 5 3 300 20121212121212 (
+ LxovxXszIrJ0WqC4lryebK8Png85a1l62jvj
+ JHLNs25OP3I/CpsfLXmE2o+bGXdCoppA6k+u
+ +d0BmWG32UmOXQOkcu3haT5J8rJWPV1xynhJ
+ IsBCmF/UbEXp6PoAniCcytS4ZsHqrm31KBNI
+ i/ZXtU93D2CGrTDMpwX13xT4scE= )
+ 300 RRSIG A 5 3 300 20121212121212 (
20111010101010 44427 example.sec.
- rc8pVuuLiLEOiyR1SrD+Vos+1JEcqBUCVdaU
- NtOU4jOM9jhJqEjfO6iRTPG5b+nIQcYX+4gw
- MOsQwwsLHVtVmWnKZ1jml+M6npi/W+NmKy3I
- Y2jOJz1I+JIFjlLu1UsEzxeV0tScIlyUCxx9
- tMN/bUE2wNHnjZTLaJ+pmt5EvaK0VDulSKoD
- PF6ThirWFt+K2W3oNtQATL3XjTNprhzgtRYX
- Y4nfbHUOA3isbuP3jsH2Lp3IZfN+s2lg07mr
- GaVkrYLNbgYaCGa6TM10cvTbrwgH4+c4ZjZ6
- cBkrNa4LRh4cDEJEKgWqPQlRf5LGEiH+rrqv
- KMtGiXSbW+4sVUCfFQ== )
- 300 RRSIG CERT 8 3 300 20121212121212 (
+ LNe6/SJmAkohBYlRtofW0wYMPDVJ2ZTCmOwe
+ hwZBKvNrcxc8uYlzqSBqjD6Vtq4GpJSl+MV0
+ KY0GpsE2jz49l4ayUi5QIC8wRaJ1NeTDiwBp
+ EbA5ycNdzSpGtLFNs0qzDQntdrZdtvoaFCcV
+ WDPNGP4rvhvTMXfriPJuYJ2W5ZxmXp3DYNDZ
+ E+1xgJ3hvr6pdAy7UdROrhsOp3ohP15sE8/H
+ +sU/hmZ9hfBeodpGHhWYIc6FSMOca3pEBwQL
+ ifVL2Q06ijnqbh6iuJqJnqI++ZadCHIqEYNT
+ Tn96mylS3XQ4S3FZPPrXXhuM9HvKKxnDvvWX
+ ALsm728QZQi2keAKkg== )
+ 300 RRSIG A 8 3 300 20121212121212 (
20111010101010 48381 example.sec.
- Lmg2cuJHEQYh3JxJUT51BNu1ytK2AdHSo+Rj
- cu7CTSgNv+JSv4JbhMLgEEOTN6nwL4uI9ZPa
- TqdKUG4c0Ae8LF1LgDzbkpbpGpVaq0aaXMJf
- EZuL8SvIANMm2mNItlrnU1cj5d3EVB1Rewj+
- 4zuQawhJPNwbTkeVsj8TdUUr5VuBb7EbJ0JS
- J8g/NS3SmL4L2Ifi25CxURcKr5pzcl/FDANL
- BmTL1VE9vlqhjWbUTuiKhz2T7oQd/y139feA
- oATbSx/6lel9pDVhxOXhf1kTDx3FdY3PS1Wh
- W/FPUQkKQaxIGNkZH9dkKEEgNhnY5fVaP2MV
- e9QK6ZMvhhx3IABwvA== )
- 300 NSEC delegation.example.sec. CERT RRSIG NSEC
+ tyz/WG3TB1pdIqpToluADGocPccrMuT7v/a5
+ sQ9RY6QKAzdf9YU/ikEH2SeEPkC4EwD2pPp8
+ RmURKjzSvSc3D8Q6b1KbC6IHEy7+MDUouZCX
+ xbQSqRPxLvUQLc2WvK+M6CzpnoqVpOTNqouU
+ XbwrNA9FyXsHGKOURAGQ9Viu97VNaWUyAkzV
+ 9RoC2T5Y7C2T+Vd/pkhCdi8nvHWOvUxixyXA
+ mYekLx+TeEx1Ntr+Z7aT9kN1Hv0NsR19o5F7
+ JAwRTWZvYk/HpRavqbHTw76f1d0jOPq3WOKp
+ VtvqrklUy9GgPranPH8j7lplg6c1c0H5/7BQ
+ nFp6xgW2OVH137Hdwg== )
+ 300 NSEC _25._tcp.mail.example.sec. A RRSIG NSEC
300 RRSIG NSEC 5 3 300 20121212121212 (
20111010101010 516 example.sec.
- aCbWibwSZKkYONdUM5Uu6rYkUtPKARhA3LsP
- yWRLhFYIVXcHpa5gG7mv8QD0jVqAAd7530tF
- c/fdmoCri7qqELICwZz09FwRNhtgSj6wRCaF
- vKGt7mPM4ODWKGpUvo/0Sf3l9PtWCV3QmcBi
- OZbRi6V/znv3bwwXF7jpkVuEors= )
+ Vz4HOiryi66iURI6LgU9qFqv9a0X9U++uPJ8
+ Owp3vZivOaYm2rAc10WqsjV1Fb2qJeQL8ips
+ bSuwhhEOQgBBeez+tfJSOjusfAY9SpwGN5D7
+ 1zoLJl5VN6AAw7OLyEwrom0eO+8fltipfAUN
+ Ebff1fBbKiWta7Lk4ax6MowUSnI= )
300 RRSIG NSEC 5 3 300 20121212121212 (
20111010101010 44427 example.sec.
- vGaDvMuBuy18IzuDR17zAtYpDTDHaA8ZQe4R
- 9pxpDdvLzzXAWHEnXaTmsDrNBHaD6a7lWpMd
- ONWZH7l8iUSTQGTXsqCQPoQXGcVPdBJwojT0
- Dk8CG+Hp7pbKututKnnQpZdxy6OTdxc43K+h
- IZYgn+pS3i+NloM5eQQXvAoL0V05fDYTC+Z6
- igN2b66Fc5jxG9Snu4VjbNKLn+3H41WiGm9S
- YrmoLLMdHHxTnRggfOtxD43G3RM/sMjAelF4
- vXqAetGWwoNWtt5fpC7IA8Vxbp2FYAa6dZ21
- nCPaveB2Bo4V1tFwkn9C972NZ74+pWngOFSw
- L6jY4rtMUyNQCALy+A== )
+ fmn/QXc743TR/J5qs6DI+E+Kx3aq1KpQP/Gv
+ d2WleTSj0XFIyMwEjonZxmpSavFsLRqn8pl2
+ OFMe2q1aJxWUKFw2PUC/NfDVeJGqw/LwKjnv
+ Tz8V1Etn4feyidTB5W/fFNfCmXydgNaVcV5A
+ 4yd88QdXwm/Tz1JYPKUSpEaLsM8niO8CamGU
+ /6mvS2Ek3Akn57MmiqxKa2JfJuHZpBKHSJdU
+ RAlrkpf/pjIlEgyD/7vEHhwCC189T+YTz3mE
+ +jtDNMTH21cE20YVBvWC7gXbTc+UUa6UhRxM
+ VuVkH32PIsa+/GJlcCckDU1s7kX97hL6BNo5
+ HCVGRqXBxrsODj8qjQ== )
300 RRSIG NSEC 8 3 300 20121212121212 (
20111010101010 48381 example.sec.
- xga8+N3U/2hEz/HkOL/paiHSYSK1tyFOSqIe
- FbafrJB696y4lxf8IC6VMyop6gmVkYXPZD5m
- v0ngdjQsfLqCz7nOlHmcvaW1SCQ1m0qN2Flp
- tCMmhi6+baN59SYtP7iB/Kk9b1xi5M+y4eS3
- pb0+Z9lZgD7C28oBcO0lzdxNr1Suz0sugiHN
- tDG2tfodUKxsCbT6jortxAwX7D3gcJuNg5sW
- RlFTfCfAWU45QKAqvIrjau4DgOSWWYLPpA3C
- POF1Qx4+vM0VXvE21jIDQAehGeNXl092FHI3
- NmFvnaCcVmYdC1Qbmuh0kk/jWChLK10Puhdr
- bKqFTWsOUIdc83q8/A== )
-delegation.example.sec. 300 IN NS ns1.example.sec.
- 300 IN NS ns2.example.sec.
- 300 DS 60485 5 1 (
- 2BB183AF5F22588179A53B0A98631FAD1A29
- 2118 )
- 300 RRSIG DS 5 3 300 20121212121212 (
+ vGM8jJKJ+F7wnp5fadGlI1DR6uoa6pissW2z
+ by1iA3eLY+yVTCd2ZD0dxBEke3zVZ0ML8sAN
+ 69RoCXctvw1M9RR3ELUvNlebotQSl21NcwUS
+ KZYgv1/0QBa51EU/kCwJ9jsfLgFhvZRNKzSr
+ vdj/UTDp8vBsJXJ5KfdqMz2oOqz3dr1aSBuA
+ QYKzcIxkKI7pUpD6wWpl2BIHQNbavN58EvY8
+ ADz0KW8BRYMPuDmjSmRdWxQ5RrA2SSWnZpfL
+ Z7Z1EyrLU0lXD8ksviVQON1g/vD2iFK227iu
+ +0Poh9/WeiioJykRM9UJwHxwmzzXVU+nokUl
+ zc7nYxTMrxNvxFTvZg== )
+ns2.example.sec. 300 IN A 5.6.7.8
+ 300 RRSIG A 5 3 300 20121212121212 (
20111010101010 516 example.sec.
- uEf2xsca1/OJwovwMVGyFB4/6OUmutAWlWvG
- qM9JDtvUPMhUV8dzRRiwpWfz3YkPU60Hqn8n
- QX981RtNc23oiwjmo1ehp1DW7R9dqcqxH4KM
- 5gYrdJT+lJAoN3ii43rQNl0N7OfObYxlZj+N
- K7aMVBHESqQd5ZaRfkiut8XW49M= )
- 300 RRSIG DS 5 3 300 20121212121212 (
+ kDQQNP+l0TqJq8Kfn8VU7HqED4wX+CVswCEH
+ TCSo+ByoaMhG7cWfIzV9d7euMtDWbLvnp/5p
+ qmmDkhlWjmh8/jDH0eoM5LsYJG+hQfoDGBmt
+ L/2eEBHcdwahbr5zzgE/z1Kvk4cLInp8iveq
+ Nlh1br2rMpLuIWZtYYjkOziqKC0= )
+ 300 RRSIG A 5 3 300 20121212121212 (
20111010101010 44427 example.sec.
- GIx0C0s5HJdizOCjIFnqf3BvhIwKaJZW9id0
- vcQAyd3qzbiiuWecM5pdyiJahFpnKmGxTdLM
- ZCEwNczhZZf+RE6SlOu8j/VcFujTlaq47JMZ
- uaU2KETUVZzOhFP6Vrddax35icNcO1Qfu2US
- B501hzVzyAjr4QL9j0KKlYBe3n3/349dHIiT
- trruNmkB0c/M8KOkApnUbO8/42Xaz5QCBvXT
- nyx3jp2WHTCCLLC2o0LTD++w6LkqhTXvWcbo
- oIMBUXD9hXm/NnYjPxR5+8IhIzPjgjL1vzw7
- RZrtCBVuI6PIsCRhyXxJ2XoxB293M0GxOmnh
- VBZ0feqy7wVmo+hklw== )
- 300 RRSIG DS 8 3 300 20121212121212 (
+ G3ZnC5ZXkcqBbBXM7jDtZ3zLggKW8P++ryWA
+ McqvywLUWXNGqu1VB+/mcyaEoi66T74hQV4+
+ bsWhQRNU1zXmPyoKYVoDeLgtnNymQEUi7TFB
+ mp0iBGGdW/tcZKP+UxrKmtR9nQoo/wuz/RKD
+ cWGHVAEjnK9DCPIhNwHG3frFimVoc+eoBG/r
+ okHgI9IWQMJ4z+GGxKwHZ+qIvPTaIXJpBWl0
+ tiJhj15B+QeShvGK0Au8KvafqXgUEB7o0oh5
+ KiHTeTx00i7lP+ieneccJNGONhi1grVuarum
+ cqNrVR1ddGLjz5yvkmzxXtRBCZmcqgRaCzkD
+ Yr0pMzvhxNzSfQ03pw== )
+ 300 RRSIG A 8 3 300 20121212121212 (
20111010101010 48381 example.sec.
- D6eEY7RttRgccoDGLh1/JJ2Q8Xt8fbnNVzXG
- WhLlMMeEc1S1FzJG8/SKUrvYVKtrU8wPZpLq
- qV/2jEjHk81vOqj4S+NZh3hV94h5p27Pngqf
- 3fNzd0aO940zkFC30aAiz0BBd7MX28AOowLL
- 1UWoiTCuERpPAQTuRQRbAR2zf+205PJLjbU2
- 764FVJYEzp6Kal66lWOYlB2EqGWdrv3irPpJ
- lyTYMaFpNvh4qOkRaBgmT06lzGQuG6E/tUmF
- nR6tQA4oFaGMs4QGWv05iMYYKleBBNlC6OYM
- 0At5mmxZIfiC1viIGDTGvHaKDS3YjWO2YLIq
- 4EQZCBQJAnbb3rHmWA== )
- 300 NSEC delegation2.example.sec. NS DS RRSIG NSEC
+ WY7f+CDmncZvjqYEGlrgeRGuf06NZNc4vQ5h
+ 1j3Ux1yjTY22CTCaQafETI8+e8W35l0FPTgm
+ sTKVnTMD9nloIgghiwMBhbuTgQZjAmatj5TV
+ ymcNkz1vIWOB7J7eYA1eLdNQ9NARk1N9NrSE
+ X6pfGzjWydsAhRSQVig779Mz/PPAxG/7rBXM
+ j3g6+GZwFvbaMJata9HuKP9zgIbf19CG5MLe
+ nGSzquzAJEIvPXvwvddSQCGg6ADuHppYwOJq
+ rkqsKga2T73Nrn5k9KrCrt+1iC1LJvbws2R8
+ jkB/N+49IlkzZOZXtI/KgL9riaOnbFCyI3iI
+ lJB/LXjunEB1h1Nr2A== )
+ 300 NSEC public.example.sec. A RRSIG NSEC
300 RRSIG NSEC 5 3 300 20121212121212 (
20111010101010 516 example.sec.
- iG8wud8jrvX0STdk/BPdIHUCMgeIExOklQEO
- Ah+K6e4LJakFKjuI+G1tTLdHOP2GauWkb3GQ
- 0Ozj8r7+jQEz886ZQmCR8RigqW5/CsnwPc9V
- oc7TbNntOs+M4NyOiqC9NfmafrpqIrmbLMBW
- THN6XGPUMdc5riMr8miTKtLDMF0= )
+ RLH4xaCk4HFnbQOEGFM8xTBllDyNolLE6u6W
+ 5loi7NdPv+6F80w12oYENwVYRXC4cXa4x47l
+ aTAOTXEEf1LJeP6GT5hRUhRj3oTMC6InVlHq
+ ZfPONJgzsyaX958ha91Z2VkP8t1eliUA1mSc
+ PxbVOMzAsUkPbkHp8D2CRzHwMCo= )
300 RRSIG NSEC 5 3 300 20121212121212 (
20111010101010 44427 example.sec.
- Hw2H90l/QMOJYJPO+B1eCpGQXJGXOd5MoUfR
- Fc4budW2eesImgWQ6TR8Bvwjz95niA8lpGyq
- QEXjJ6cEf5JEKYw/4xOVlmFNDHyG//iQ1kpf
- 2+aT8IuiM0evbBgiej/VhYZFScUQ4Ibslna/
- BFMyoJ7ugLmLelYiolB9g30a3q/3ULYwfn1j
- OKUbYUeWClKQ+l+i37wRuBIPX6aT6//CetOX
- uCecmaDTXl94NKi2pw+fZKs504Ed7xT6FtJF
- 9FYJAlsFloV7T6epZ/d5pl82QYaEshZpMePa
- nqah+amBETh/kd3vokG1lzzFzSbwrWjxgtq8
- XYCG9CbCOcJz1N0bXg== )
+ zl2+IlLPn/ab3nK68sCXibCB+lu8EES0wgzd
+ Vs9FyyP62V4sqjCrPaiGHHeoq/wS+gQwwBQo
+ 6mRZ/gT0Y45RoQER4XgDi/HQWX7zaCeMJ4aH
+ P0qs9YfJ2odYPAYJbcV4uSRB25zxx+xPUtGQ
+ gIRKdyUTeXxjBujcraFxdDGMi4HGqFKS/qDg
+ 9x3YnQW4DeA8VQuSCdIoH0zWARyJLfaN01Yc
+ iAvRGt4QLzvE6Wb3YqxbOMinsLkrnMPTaUjq
+ gSiM3pvopj6HVI9ElQVQFb0SFmc4IOusc/1u
+ F1nYngdhGjS+8LVcCPdXJajqiozkGTGN5ISJ
+ KgWWmA7G51peHjXXzg== )
300 RRSIG NSEC 8 3 300 20121212121212 (
20111010101010 48381 example.sec.
- yc2VoV4VVT+Wo/rVo6brdb7LfxMOslatW8Lo
- ldBOGkVuiz21DskK5LUMGkH/4+NZ2L/aaDCt
- JyiARZXabIqeMMY47QbNB1DouT1yKvR1Bc4D
- Hgo7vK3eL4nf+3x0AXxTOdmdq6ZifxBkI5V/
- fFKADNX1Mj1Xh1yVelJnXPLU/ZkAvtakWmJ5
- Dj2I2EETshpkC19lqOP8i97jMR0OWfTCjbzT
- SL8t0AcbDEWo/TFRXkMP0MaC8NMXmWtkSMH0
- 96nYIS3YA35OeV+gr6LtEb0VJd6E0c+FnM2s
- T3Up4g+99W8Fs+FIYxYisan296LXff0eNCgQ
- fNw1Tj+4tWl4lh333w== )
+ F9HM6TzOjWpVtiDblqGvcDDcpU5/flAM8OLR
+ YEIVoAqTiMGwGKMQ5Mqs0Fvnlk6+fTnQu75c
+ OYvGM4JGucdyWNmzyIQ03L9qonEbBFm3FewR
+ fL/0COs1GJGeglcHFW9dBIK2Elo4Q9q5mtxY
+ JCseGHbmjZIs1busGdm/W+JyaCYiHBPJi8xf
+ ijfk06miRoGaLS7/CraajQmGQLF3iF94DzEU
+ OuOdWZX2z81VrbI2DbCVRYlokjKz7cc3mm+d
+ zhJAKHcMXN4PTqcWg5mgdulkGvqL2qFgi5e2
+ WJxUFZxEDn1Zbqte40CZHVqMdv4I76f8mSns
+ dFXZVw7n478EjuVj2Q== )
+_8443._tcp.www.example.sec. 300 IN NSEC example.sec. RRSIG NSEC TLSA
+ 300 RRSIG NSEC 5 5 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ fnXPjf7r3kCoArvAvDDS3auZjPpx73h0J+DP
+ 4vcoRLlnw/EO22p637vl4qkr569ri5hgnfCp
+ 5by0mEHIwvuQkmthglMC18BUAZfFUIV1VMdS
+ 6ZSnRgalGiuUuisaVM1KzuGxrMiVdE3nUtBf
+ wL6eDaKZVje8bEKiyIx0k8b8RJU= )
+ 300 RRSIG NSEC 5 5 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ 5UlBCjG/8+046HNSKZnHLcMjdYsaghyD5nUy
+ kjzh4kg+hFw6buTLpCHEL9nun/912/2r75pw
+ kYQyRWeg37c1KAJg2j9V2c7zh5fqDHHPbpid
+ 7edtFcqE4UaC/x20/QO4F0l+kmhY7R0/fjvz
+ 9eDlnPpxBqVmYULgC4YGT0i003vQmB8zsASF
+ 7nKjSk3/a1zLG/SkEGD5ioG4ZcZc7WxW47ns
+ qEWKmtnuZScK/G4VmgrajiLst9/q3Pouoct1
+ OB7MHv5dOYFhQv0/hxhSqeDXrvGNJ93Vvd8J
+ qTm+6SgovkyJ/rYLAprb3pV1Ahlni3zP832O
+ 4Ulj151/xqih/93P1w== )
+ 300 RRSIG NSEC 8 5 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ RMag/BsXGLEMs7IgVCmcqhfImK0BFlRyzHMW
+ REcuYTvZVgmvUd+Yziiy960kXYFEbUEconb1
+ 6U57kpCYEnhQMb9hGDBUYlnt98jbFwBe/XN/
+ u7vxVQsojsD3MY7t9epqPaQ8CHfb55ldVuTK
+ p9GTOiAin3cwZoHN+t+wzLc+SI7O3ii1w84A
+ ZhCaugQlYtgCI/1WsGb0UitBtevcvDWK/u+6
+ 3wWlWnyR4rXhpz0Z1UJtqEk+r3W0dbSmwodk
+ 4zrkClRqM0ysE28mnoo8FFnlNa876dP2ErWv
+ hpeVPa30BD1hxwtdShL25VbDQ9lqJOmmYVuo
+ fQmf9uKqnvX+WS/lRg== )
+ 300 TLSA 1 1 2 (
+ 92003BA34942DC74152E2F2C408D29ECA5A5
+ 20E7F2E06BB944F4DCA346BAF63C1B177615
+ D466F6C4B71C216A50292BD58C9EBDD2F74E
+ 38FE51FFD48C43326CBC )
+ 300 RRSIG TLSA 5 5 300 20121212121212 (
+ 20111010101010 516 example.sec.
+ lkKqiYh4cunZ61uN4dW+LvCxh2ILzzlBLEdf
+ IQv4PCVZLzhbWheZBBSQWPPp9wEzTo/40/kZ
+ pqfer7aUu5cyHBxB5pGJDbfbPamlEgAa7fLE
+ t9mMJ6cAp27mu4D68t+cp8fialXk+fe5DByU
+ 47d6K5NMVoeQZTU4yv6L/sKAARc= )
+ 300 RRSIG TLSA 5 5 300 20121212121212 (
+ 20111010101010 44427 example.sec.
+ YDul3IDmxdIt5XSBV3lGDIVCIEtHto5lfVM/
+ 1+nYUd/z/LGvkoAMNieI7OFB+3/wEaDNGBzX
+ tZYPsCSGFZ3GGmI/FtOQ95LMC5zFEFkN7Run
+ xYokbrFrWeW78QkfiwbXsLWDewVxzJXEYo1H
+ 1TtjGdhAVq4R8khRdlAytLQfmQvZCZtryYKp
+ KOCqU6tdilKNG/WF8lhG27hDDUYj5J6+QFp3
+ 1x+Swah1biitJwQosXVVo+tUFquPQ0RJqWkr
+ zPVAgrb5FbtSieR5c5cP0usosUZaOpHzc2sJ
+ FepzF6xhdmgyDqaUqLnos8q3DyIHqM4Kaln3
+ Me4jWC1HRBnYaWecFw== )
+ 300 RRSIG TLSA 8 5 300 20121212121212 (
+ 20111010101010 48381 example.sec.
+ r9ehTiWmpcAfojfJWBruAfd2B5WXYVswI8bz
+ Xt0j7ELVPnXKM15oDFpYYmKSREoiyrM6Q+1M
+ mITFsJwsGt7UmrHn8lVxXxTmWpvA7C/v+/Zt
+ kUZQsRWSPtVOrEu50plnscsRZcV5PIqqaPgC
+ S/066uLAaWiT4mWV53ZRDebaXnAvQ10VQ//k
+ HkVJeJMGHJdJyyfYZfotPTetJJN0JccJpx0B
+ 3N/VSFlxWIyRZVn8VK2z4RADHuqzkXklynmM
+ 6feVrOi91YywFcSFNmOs84lr7UYKFFf2pKTZ
+ /RDbD0xCIQV+cKqizp2NI4v1FTbdBzsqTRoN
+ /DwAW5qleHlQb9TqNQ== )
ghost.example.sec. 300 IN NS ns1.example.sec.
300 IN NS ns2.example.sec.
300 DS 50458 12 3 (
@@ -835,168 +1260,6 @@ public.example.sec. 300 IN HINFO "i386" "FreeBSD"
DLIOZ1682IAviJ+htzGmCYTl6iZMlt8wJ5LO
Yfkzvd9UUt4w0OlOe26Kc/mBoVy2Lk3mn9BW
Ba3V48bTYWHHbIgOTQ== )
-mail.example.sec. 300 IN A 2.3.4.5
- 300 RRSIG A 5 3 300 20121212121212 (
- 20111010101010 516 example.sec.
- LxovxXszIrJ0WqC4lryebK8Png85a1l62jvj
- JHLNs25OP3I/CpsfLXmE2o+bGXdCoppA6k+u
- +d0BmWG32UmOXQOkcu3haT5J8rJWPV1xynhJ
- IsBCmF/UbEXp6PoAniCcytS4ZsHqrm31KBNI
- i/ZXtU93D2CGrTDMpwX13xT4scE= )
- 300 RRSIG A 5 3 300 20121212121212 (
- 20111010101010 44427 example.sec.
- LNe6/SJmAkohBYlRtofW0wYMPDVJ2ZTCmOwe
- hwZBKvNrcxc8uYlzqSBqjD6Vtq4GpJSl+MV0
- KY0GpsE2jz49l4ayUi5QIC8wRaJ1NeTDiwBp
- EbA5ycNdzSpGtLFNs0qzDQntdrZdtvoaFCcV
- WDPNGP4rvhvTMXfriPJuYJ2W5ZxmXp3DYNDZ
- E+1xgJ3hvr6pdAy7UdROrhsOp3ohP15sE8/H
- +sU/hmZ9hfBeodpGHhWYIc6FSMOca3pEBwQL
- ifVL2Q06ijnqbh6iuJqJnqI++ZadCHIqEYNT
- Tn96mylS3XQ4S3FZPPrXXhuM9HvKKxnDvvWX
- ALsm728QZQi2keAKkg== )
- 300 RRSIG A 8 3 300 20121212121212 (
- 20111010101010 48381 example.sec.
- tyz/WG3TB1pdIqpToluADGocPccrMuT7v/a5
- sQ9RY6QKAzdf9YU/ikEH2SeEPkC4EwD2pPp8
- RmURKjzSvSc3D8Q6b1KbC6IHEy7+MDUouZCX
- xbQSqRPxLvUQLc2WvK+M6CzpnoqVpOTNqouU
- XbwrNA9FyXsHGKOURAGQ9Viu97VNaWUyAkzV
- 9RoC2T5Y7C2T+Vd/pkhCdi8nvHWOvUxixyXA
- mYekLx+TeEx1Ntr+Z7aT9kN1Hv0NsR19o5F7
- JAwRTWZvYk/HpRavqbHTw76f1d0jOPq3WOKp
- VtvqrklUy9GgPranPH8j7lplg6c1c0H5/7BQ
- nFp6xgW2OVH137Hdwg== )
- 300 NSEC ns1.example.sec. A RRSIG NSEC
- 300 RRSIG NSEC 5 3 300 20121212121212 (
- 20111010101010 516 example.sec.
- CQt3t9eRRTC5mv5c46WsRDX6aZk4jW4RqsEg
- LWY5zSxShOBKsek/RiUzpcN+N+fu46NGKzpb
- Gmgu8Q6LfO49hIWv8Ng4VvAqPqTO6wXC+kIY
- p7VuVydrdHNI4lrz1Vb4Kb8B9x9bqopd7SDq
- w05X4E3NEnuEZpO4IBx0dq6WVtA= )
- 300 RRSIG NSEC 5 3 300 20121212121212 (
- 20111010101010 44427 example.sec.
- yg7PqCc01WBqcyCjmsdoeaThprboseA5DA5u
- N++BVVcX9fqLHRe3gEdPQjrhaSIcOD3mK1xi
- l5v7g+33R483h6yliN6u8SCYxao7o0sBNIub
- ZFyneOyaJYkL83I72sTkARovPIymfJ9n4gZu
- SGl2opcJunj1eQAa+vKuhc3RUvZrgOpH1dMr
- TXYHUpxMl7IO+o5x90rVbSSU2QImuxwitQ5b
- Mt6wrM5uAdFtsRC/wequhP1uARE52ZEh7u22
- zUqd8xyjfIdKFmSCIMLBCzIimuNuXaAqT4Hw
- gYtrTcinj1GPo0OcaBHcGc0DI99pwatUv6ds
- CqJNUumYaNeGf85jWg== )
- 300 RRSIG NSEC 8 3 300 20121212121212 (
- 20111010101010 48381 example.sec.
- acXn4lWozO7QD3vfPy+OV+WDFBUJXf1WGAl2
- FCWDf2IsOCHhlUNHEAwiHkORMY2AVlfZS9hG
- Z+RRW7b0uelYsmLPmfwZtN+9IsehcCjYg5F7
- ZfqiTXNGs9Er8IjV6Ogic9CiOYwWRHn+X2DP
- haE6UP4LYEqP2eFPTMVN/E5smm6SI4HVNrZW
- W9MgzvHdUl4RurWQYl8KyOTve1ElyJt+a2tw
- ydanT1Ncbi/limS5f61U4WckBMfyZ5vH+SfK
- fxMyIwpz9mWLGzy9wyBMYBLfSdNX0vI+wvR+
- /b0D0SDz11F1le+cERJhO4CBxEFEiVqQHpKG
- sR8RStNy8Bq0o6mpmw== )
-ns2.example.sec. 300 IN A 5.6.7.8
- 300 RRSIG A 5 3 300 20121212121212 (
- 20111010101010 516 example.sec.
- kDQQNP+l0TqJq8Kfn8VU7HqED4wX+CVswCEH
- TCSo+ByoaMhG7cWfIzV9d7euMtDWbLvnp/5p
- qmmDkhlWjmh8/jDH0eoM5LsYJG+hQfoDGBmt
- L/2eEBHcdwahbr5zzgE/z1Kvk4cLInp8iveq
- Nlh1br2rMpLuIWZtYYjkOziqKC0= )
- 300 RRSIG A 5 3 300 20121212121212 (
- 20111010101010 44427 example.sec.
- G3ZnC5ZXkcqBbBXM7jDtZ3zLggKW8P++ryWA
- McqvywLUWXNGqu1VB+/mcyaEoi66T74hQV4+
- bsWhQRNU1zXmPyoKYVoDeLgtnNymQEUi7TFB
- mp0iBGGdW/tcZKP+UxrKmtR9nQoo/wuz/RKD
- cWGHVAEjnK9DCPIhNwHG3frFimVoc+eoBG/r
- okHgI9IWQMJ4z+GGxKwHZ+qIvPTaIXJpBWl0
- tiJhj15B+QeShvGK0Au8KvafqXgUEB7o0oh5
- KiHTeTx00i7lP+ieneccJNGONhi1grVuarum
- cqNrVR1ddGLjz5yvkmzxXtRBCZmcqgRaCzkD
- Yr0pMzvhxNzSfQ03pw== )
- 300 RRSIG A 8 3 300 20121212121212 (
- 20111010101010 48381 example.sec.
- WY7f+CDmncZvjqYEGlrgeRGuf06NZNc4vQ5h
- 1j3Ux1yjTY22CTCaQafETI8+e8W35l0FPTgm
- sTKVnTMD9nloIgghiwMBhbuTgQZjAmatj5TV
- ymcNkz1vIWOB7J7eYA1eLdNQ9NARk1N9NrSE
- X6pfGzjWydsAhRSQVig779Mz/PPAxG/7rBXM
- j3g6+GZwFvbaMJata9HuKP9zgIbf19CG5MLe
- nGSzquzAJEIvPXvwvddSQCGg6ADuHppYwOJq
- rkqsKga2T73Nrn5k9KrCrt+1iC1LJvbws2R8
- jkB/N+49IlkzZOZXtI/KgL9riaOnbFCyI3iI
- lJB/LXjunEB1h1Nr2A== )
- 300 NSEC public.example.sec. A RRSIG NSEC
- 300 RRSIG NSEC 5 3 300 20121212121212 (
- 20111010101010 516 example.sec.
- RLH4xaCk4HFnbQOEGFM8xTBllDyNolLE6u6W
- 5loi7NdPv+6F80w12oYENwVYRXC4cXa4x47l
- aTAOTXEEf1LJeP6GT5hRUhRj3oTMC6InVlHq
- ZfPONJgzsyaX958ha91Z2VkP8t1eliUA1mSc
- PxbVOMzAsUkPbkHp8D2CRzHwMCo= )
- 300 RRSIG NSEC 5 3 300 20121212121212 (
- 20111010101010 44427 example.sec.
- zl2+IlLPn/ab3nK68sCXibCB+lu8EES0wgzd
- Vs9FyyP62V4sqjCrPaiGHHeoq/wS+gQwwBQo
- 6mRZ/gT0Y45RoQER4XgDi/HQWX7zaCeMJ4aH
- P0qs9YfJ2odYPAYJbcV4uSRB25zxx+xPUtGQ
- gIRKdyUTeXxjBujcraFxdDGMi4HGqFKS/qDg
- 9x3YnQW4DeA8VQuSCdIoH0zWARyJLfaN01Yc
- iAvRGt4QLzvE6Wb3YqxbOMinsLkrnMPTaUjq
- gSiM3pvopj6HVI9ElQVQFb0SFmc4IOusc/1u
- F1nYngdhGjS+8LVcCPdXJajqiozkGTGN5ISJ
- KgWWmA7G51peHjXXzg== )
- 300 RRSIG NSEC 8 3 300 20121212121212 (
- 20111010101010 48381 example.sec.
- F9HM6TzOjWpVtiDblqGvcDDcpU5/flAM8OLR
- YEIVoAqTiMGwGKMQ5Mqs0Fvnlk6+fTnQu75c
- OYvGM4JGucdyWNmzyIQ03L9qonEbBFm3FewR
- fL/0COs1GJGeglcHFW9dBIK2Elo4Q9q5mtxY
- JCseGHbmjZIs1busGdm/W+JyaCYiHBPJi8xf
- ijfk06miRoGaLS7/CraajQmGQLF3iF94DzEU
- OuOdWZX2z81VrbI2DbCVRYlokjKz7cc3mm+d
- zhJAKHcMXN4PTqcWg5mgdulkGvqL2qFgi5e2
- WJxUFZxEDn1Zbqte40CZHVqMdv4I76f8mSns
- dFXZVw7n478EjuVj2Q== )
-delegation3.example.sec. 300 IN NS delegation3.example.sec.
- 300 A 1.2.9.253
- 300 NSEC delegation4.example.sec. NS RRSIG NSEC
- 300 RRSIG NSEC 5 3 300 20121212121212 (
- 20111010101010 516 example.sec.
- WuuwTT692DQs9iSoi8mMe3/r8IIrnKaKisRF
- UZ5aC6qTb54FydtNsgWAOOwzN21EI/ucU0kX
- iXRcaJ0jvNG30ICWk8oI3By1dXDhpMrZerZt
- hMDvnitwa851ZjxGeDtyJsMf2NfAuN0p7V3W
- UxEGVpiru6ZDNO2rqfwAd35+ixc= )
- 300 RRSIG NSEC 5 3 300 20121212121212 (
- 20111010101010 44427 example.sec.
- Vt/wOn+RgrH7e1m/E7XqhoF85i3q1JMnZ96K
- E0WMA40MOmClX4+1oHwmdfeu/9U8dqxp4mJf
- iJ2nz8tMoYYcJwa/NhOZs8UZSILUV+ACyhOR
- g923yYViY41pyV4DCXxa17Cbc1GWizqDPvZl
- yksNQTjGfVslH3IXlkGS6OPHY8HImnPKK0HZ
- M4si1bZjFg+SU447VokQvz4gKxVHca20R3wD
- 8A9ZwPHN/97A8rQJzRBlEfAP0EqG8cjt7s5g
- ku+ZoeK/sjeQoq3VGUxJWEZU2lXVYwCAv8Yh
- 9M+6PZ+O1pG2nfIgqpR+MGHJ79LAdTdRe6MJ
- nrnROvz2DumLzi9kcg== )
- 300 RRSIG NSEC 8 3 300 20121212121212 (
- 20111010101010 48381 example.sec.
- bH5sNx6a1xTa4fafzO+Ur2CCz7W+RU8EiYhu
- mRltM1GcqQ0Cz0k9VQyRzkCE9HGPkzb9lDIp
- HiQS6zf70m5YyXVgMG3WBN0MteVb0/1ut3jq
- JDkQkSMtjyYnJdZ363lpfI363eAI6c1l+XlN
- mvEZrUbUWn6entMRj6ZQas2r/7dp61tkZj/x
- PU+4SZeVZZPJIZdDf3QLzak+tXG/fs4OCDih
- 47F8MhlJ3i+L11FawFVoGXVo2NZ/SOhLoh85
- aEGPu6j/whxLR6pw6JueK0euQWEeH6nDfXgB
- PA1IYI06aExyLN+n4R1wC0q5iAS0ssA+MY/Z
- cXye1Yt7SWn5oGXE/Q== )
www.example.sec. 300 IN CNAME example.sec.
300 RRSIG CNAME 5 3 300 20121212121212 (
20111010101010 516 example.sec.
@@ -1029,38 +1292,38 @@ www.example.sec. 300 IN CNAME example.sec.
8v9ej2F+rRBiwmJX5Td100sttLkHbQT+ltZr
Kp/IDck6EptYFdrTSiB9fnz4wiRWgMULdF8Y
Xo4310RHDB0R58Axew== )
- 300 NSEC example.sec. CNAME RRSIG NSEC
+ 300 NSEC _443._tcp.www.example.sec. CNAME RRSIG NSEC
300 RRSIG NSEC 5 3 300 20121212121212 (
20111010101010 516 example.sec.
- EIvFwBTbyqOgIVQNRFVpEiDCdOO9yB1Kw8li
- 7arpp2EC38D3cZh7fjf20cwrLNGjCL7s8UDH
- v5v5uE8iLm/nCTIBHjuKVlsAtuC8+cbBThhh
- S1ZO+lDraBcwBSjvZIClmzi9mcCy47z2jeEv
- xpmD8piD7LPObFZkocxp7x9wdYc= )
+ lC6797IgsOeBVWiBPVtc+BCFsk7uyFHLVlPm
+ Zi0T+3LkX7EeKKB3daEbYqIlEL9zzLDwzYTB
+ j2gXJ7+p5fMr/FsGKNvnCLTuY893GkZ7M+Fh
+ VjEIWQ0XsaFdsz3qHzaUUAF8ZXiGwGX9MV1u
+ Di6M3Kh69Hiu4vYeCoLBTwhIuO4= )
300 RRSIG NSEC 5 3 300 20121212121212 (
20111010101010 44427 example.sec.
- bsb5tRHbvH1amKiZvpbSjglaqY+5mOS1mA2z
- eeauX7TgvgS+mXys3ywGxTtT9V5zG78luWL5
- ux4TtBabLhOOcr+qXqWLcMDa8XcIYDwGeBHb
- nAbaHfG6yvudd5syQh3B87m7/IATqB5kwr1X
- S/37XceeD4NGZtPkryakR6t3pEQMIaKAEO8H
- Y5K2p+uXAJGLUdRqS43UBz6E5YfHUdQQiM4x
- BWJDG5lyQlAiAFQb3UWfarFFVh0eFXCFxHRK
- k55VMk/b8R4DsbAiXlhtmmz3s346UTOjV0Ae
- Fn03PRMsCm7sI7OAXef9lzA5zjwxY1+a/Vzw
- VREjp174PHtOcpAY+Q== )
+ tiaAXshAPsCWzGS8dNxZ1Odh6jt/mim39w7B
+ mQTyKpzYwrux8HBPeg+N8ko7gGblVKexL56b
+ dHOfhkh2qIHIhg73sMEVaVd8epRfpDcrpzZN
+ +o+haVN8/8RbqbY/9DbMiuUKwG9m3iWCAkeo
+ OhN6wNMRO6ijJ4nmoCOa2wzqKDLoTBjoUKMT
+ zG5HbuUMSZbBA6TRqv3Fe6gyZiS7iusYvq5/
+ Hu2m8r9tSfhLLSjbZNhDE/fvYMYak3auOdfm
+ 7idAue2oy1nsw131S4klMG2XlXm0pBKU4PVx
+ t0hELXyUVm99sO8hg2qKvdupWaxIQ0CC+hBK
+ kUc6BTdj/eEBMvLnaA== )
300 RRSIG NSEC 8 3 300 20121212121212 (
20111010101010 48381 example.sec.
- p3+B5Ye7vtdxqVC5WgxrSC5sRb3/4vLLpVcT
- SDKcHtT7TA30Xp2zO113pDiknKzUZMhQj0dY
- ZfmsMnqH7YEKR6auvZ1gkgsIAetk7D20rbgM
- yogDZaueIIS5PVqcrzw49P4XeIAPGevyq3Cp
- kB03H/oLvFYh50qIk7+CvP+G2uaUkv1AUwwJ
- vYjQVh13JK0lWvqUDoJbtpFGcEixH/Gr0A2y
- rkkv0B6kDUNYuZ8UGywrzOBVHS+2oGMKFKoS
- nzrIEt6gDdPxVwITa0mFHwBvEtmKjXSPS+gO
- z5dS/fmdVn0IjvZWZsHviaXB2cCJesJTxZZg
- OtZaIgJVIwQlKosFRA== )
+ ncNaPn7TqvJUjiW3N5ETQXo5Lu0+I215t6r5
+ 0fRAvh4FwZAgkbxzpKcHpobp3z4NVoMOZk21
+ 4SoX8WxQhrNTyfmmzMzJ6+t4xA7Uu2H0Zul+
+ nGQHg4xPUWuMFymkKc514ycn3EsSmeCgZQXi
+ i7+x/R6GlGQNIx83VYJ3LOEd7OEUvJizv59n
+ +jTdekurwD/foWdf2CqDj5HRpTT52Ki5Zvze
+ b3VLrHuQiojyLiBOeoC1NTyrZHS/PNHA2b5v
+ ZOweSzrOywMwS99STlwZ4dPYE4AUL05KEmF5
+ jJ35+UI8vPozKHN2T68cdTkGKtKR7eFuJ/PY
+ bHm0zQxDhf+zGbiX5Q== )
lets.introduce.some.empty.terminals.example.sec. 300 IN CNAME example.sec.
300 RRSIG CNAME 5 7 300 20121212121212 (
20111010101010 516 example.sec.
@@ -1125,67 +1388,3 @@ lets.introduce.some.empty.terminals.example.sec. 300 IN CNAME example.sec.
+EFtzyZVGt0DrFpEQHKmq8L5cjjleMsfJRPx
2+K170ejOuPI7bCWmdZ1uyqxrUCNEu4UlR3z
9anMEzjdb2UGUcCRCg== )
-ns1.example.sec. 300 IN A 1.2.3.4
- 300 RRSIG A 5 3 300 20121212121212 (
- 20111010101010 516 example.sec.
- Jz66qNND9eWmodjPcTD9VNb4G5BIqd1MPcMb
- 9g+J69b1T21cNqAuIom5Y4cECyz/zNJOno89
- b7KKcpItUnsdyBHb5WuDeJapT1s4FyEYDEms
- diPzaEDEJCTmjyOx/5ADZ5L6I8EN8a3V+iWh
- A2YMtWWWjZykqXHeVLPZwqbMJS8= )
- 300 RRSIG A 5 3 300 20121212121212 (
- 20111010101010 44427 example.sec.
- RzfNZ0Pu4Vxk5xpCycv3ZSDDMViw+h6nR1uY
- Jls1+oSygJfeQn0xeTcVzaZQvvZc0gtnecHT
- 5UopyFB36R/qeNkPp5fFHGb+ZpMAaNmjrxGI
- /1OhxvES4jwTaihetjVWEQyN0M0+Pgw0BNsN
- tbz92zBczpUFTbe8FxldePwLcJFZ5CAvp8NC
- VuzqAHVMGAt7DYvr9qTknrW/X8wszxwUuL0H
- mwitcRF397E6H9SA06uDNum/s8RST9lsV1A2
- GsssmglqqKICY8+g89SDqkSuxk1bsFJ+dvFx
- kfXRlzBBvpuFt8sORt6LPJXSlFy/tgtRI1lq
- oJi9S51V6XElb0vu1Q== )
- 300 RRSIG A 8 3 300 20121212121212 (
- 20111010101010 48381 example.sec.
- Q2LBOCx0Ol+UX8yBrpWvoZEPu4bGDJfznS6d
- uYWDHZc70kjSBipMO+vmzHTPXiax4LTXXznm
- u6gtzSh05FTmQUx2QPctCwwLW3Lfa4xRBnQw
- KV+HH0AyXUlKy8gNRBNgJmcQyvyKLr5T8UhP
- PYQI60UZxU+vCa8Z38Wffy3X0+AraXFwMc3M
- YClGU7HFn7cCKeIrdWl50PEYpa8qUj4ec5XS
- 1QYZu2v8LE6GmChCCFIJsdkU+JzUJ9mOGYrr
- l/aI8G+DPa17NxKwihgzQ6fQIS/AXOx0rUNq
- ObP7mpqqn76X6BnfJFTGs9BUCms4W/sVNvra
- hbAKFCLCNJAz9EO9Xw== )
- 300 NSEC ns2.example.sec. A RRSIG NSEC
- 300 RRSIG NSEC 5 3 300 20121212121212 (
- 20111010101010 516 example.sec.
- MPFeioCIJDe03C9RD6Kux0g08JgJYH7xtyFF
- 4OOOZVHD1mrI+BmjxtWwhb1c7Uqd8+/J9NLF
- qywR/OzLW58FsNjznhl3Btr6HsfIfLrEOrTf
- kbFlOOSP7gA5ngsC4nMqrWDPjSJwjJ5b3XIT
- 12C2Efq87MFneqOEzUzIpqDeSdM= )
- 300 RRSIG NSEC 5 3 300 20121212121212 (
- 20111010101010 44427 example.sec.
- kUQ26M/bdHkAbREgxC8kBkgxEpnXkQldxwki
- 0S9mvnmJToiGjnvBIkDixX9BWrx2s8Nzt5tc
- xfWqmzlbdbea+BitXMN2o9hnAWNJ0uFmQFaN
- M2li2EH5FlCFPpN40w9hazRY25cBvciUJzNE
- CaMTtDPRB9GUmZKjE/ZP0N4QnrxvrOqIMJlu
- dCsLQ3of+NyBWYpsQQfQvbAvx2WNpolOjqMt
- woCsfZhjvedlAAszdaNKCm2qcxYuSKvkw9hl
- n9RuZkgYCf+4o0k/DRP6zSwacMo1Rcb6S1D3
- b/AXMhBxwtytfaKPh0gAFB2fWck0TLpc/5EG
- AuCcy6aJR66j0frDBg== )
- 300 RRSIG NSEC 8 3 300 20121212121212 (
- 20111010101010 48381 example.sec.
- Rktfcj5WkoW+7lt1iMFsQXr70zjRdHCUBDf5
- zqet9JtQU6r9HSdto4gJAXwwH+gYVWU1zMAo
- ZrurdsYhkCrUnUYdO/g6Q+xDIdvPQY4UeUaq
- 1lZbumzCGAQD21l+nrjxwkD3kvyDtfnAnxU0
- eL+/8TqZ/Oo/2cEf2hkuQbOfQqpXImig0n88
- e1+xBTJV+fPeORGxnAVL0QMRRabTyOqCPiwj
- rcuXpIxRjKWOAEseoFHJbdvFc3MNGwfBC/BR
- qI5xzREGVG3yUpY6o1EVkJTNMHdtahZsMOWl
- hb1dFARcQSFHUdEEwZwc1gtIa4snPxpplgCd
- ZetiK9mOJTMhVhGQSA== )
diff --git a/t/zones/manyerrors.zone b/t/zones/manyerrors.zone
index 79aa287..6682983 100644
--- a/t/zones/manyerrors.zone
+++ b/t/zones/manyerrors.zone
@@ -64,6 +64,54 @@ singlens NS x.y.z
xy IN 300 A 194.28.255.11
xy IN 400 A 194.28.255.12
+; bad length for SHA-256
+_443._tcp.www IN TLSA (
+ 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e9 )
+
+; bad length for SHA-512
+_8443._tcp.www IN TLSA (
+ 1 1 2 92003ba34942dc74152e2f2c408d29ec
+ a5a520e7f2e06bb944f4dca346baf63c
+ 1b177615d466f6c4b71c216a50292bd5
+ 8c9ebdd2f74e38fe51ffd48c43326cbcaa )
+
+; bad hex encoding
+_25._tcp.mail IN TLSA (
+ 3 0 0 30820307308201efa003020102020 )
+
+; bad certificate usage
+_1._tcp.www IN TLSA (
+ 4 0 1 d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e9 )
+_10._tcp.www IN TLSA (
+ x 0 1 d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e9 )
+
+; bad selector
+_2._tcp.www IN TLSA (
+ 0 2 1 d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e9 )
+_20._tcp.www IN TLSA (
+ 0 x 1 d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e9 )
+
+; bad matching type
+_3._tcp.www IN TLSA (
+ 0 0 3 d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e9 )
+_30._tcp.www IN TLSA (
+ 0 0 x d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e9 )
+
+; policy bad domain name for TLSA
+tlsa IN TLSA (
+ 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e9aa )
+_30._xtp.www IN TLSA (
+ 0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
+ 7983a1d16e8a410e4561cb106618e9aa )
+
outside.org. A 194.28.255.11
long.outside.org. A 194.28.255.11
outsidegalaxyplus.org. A 194.28.255.11
diff --git a/textparse.c b/textparse.c
index dc92ac2..78ab943 100644
--- a/textparse.c
+++ b/textparse.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -69,7 +69,7 @@ char *skip_white_space(char *s)
return s;
}
-static char *extract_name_slow(char **input, char *what)
+static char *extract_name_slow(char **input, char *what, int options)
{
char buf[1024];
char *t = buf;
@@ -152,17 +152,19 @@ static char *extract_name_slow(char **input, char *what)
*input = skip_white_space(s);
if (!*input)
return NULL; /* bitching's done elsewhere */
- t = buf;
- while (*t) {
- *t = tolower(*t);
- t++;
+ if (!(options & KEEP_CAPITALIZATION)) {
+ t = buf;
+ while (*t) {
+ *t = tolower(*t);
+ t++;
+ }
}
t = quickstrdup(buf);
return t;
}
-char *extract_name(char **input, char *what)
+char *extract_name(char **input, char *what, int options)
{
char *s = *input;
char *r = NULL;
@@ -185,7 +187,7 @@ char *extract_name(char **input, char *what)
wildcard = 1;
} else {
if (*s == '\\')
- return extract_name_slow(input, what);
+ return extract_name_slow(input, what, options);
return bitch("%s expected", what);
}
}
@@ -194,7 +196,7 @@ char *extract_name(char **input, char *what)
s++;
if (*s && !isspace(*s) && *s != ';' && *s != ')') {
if (*s == '\\')
- return extract_name_slow(input, what);
+ return extract_name_slow(input, what, options);
return bitch("%s is not valid", what);
}
if (!*s) end = s;
@@ -222,10 +224,12 @@ char *extract_name(char **input, char *what)
if (!*input)
return NULL; /* bitching's done elsewhere */
}
- s = r;
- while (*s) {
- *s = tolower(*s);
- s++;
+ if (!(options & KEEP_CAPITALIZATION)) {
+ s = r;
+ while (*s) {
+ *s = tolower(*s);
+ s++;
+ }
}
if (wildcard && r[1] != '.') {
return bitch("%s: bad wildcard", what);
@@ -570,6 +574,47 @@ int extract_ipv6(char **input, char *what, struct in6_addr *addr)
return 1;
}
+int extract_u64(char **input, char *what, uint64_t *r)
+{
+ char *s = *input;
+ uint8_t result = 0;
+ unsigned u;
+
+ #define GETHEXBLOCK if (!isxdigit(*s)) { bitch("%s is not valid", what); return -1; } \
+ u = 0; \
+ while (isxdigit(*s)) { \
+ if (isdigit(*s)) { \
+ u = (u << 4) | (*s - '0'); \
+ } else if (*s >= 'a' && *s <= 'f') { \
+ u = (u << 4) | (*s - 'a' + 10); \
+ } else { \
+ u = (u << 4) | (*s - 'A' + 10); \
+ } \
+ s++; \
+ } \
+ result = (result << 16) | u;
+ #define SKIPCOLON if (*s != ':') { bitch("%s is not valid", what); return -1; } s++;
+
+ GETHEXBLOCK; SKIPCOLON;
+ GETHEXBLOCK; SKIPCOLON;
+ GETHEXBLOCK; SKIPCOLON;
+ GETHEXBLOCK;
+ *r = result;
+
+ #undef GETHEXBLOCK
+ #undef SKIPCOLON
+
+ if (*s && !isspace(*s) && *s != ';' && *s != ')') {
+ bitch("%s is not valid", what);
+ return -1;
+ }
+ *input = skip_white_space(s);
+ if (!*input) {
+ return -1; /* bitching's done elsewhere */
+ }
+ return 1;
+}
+
struct binary_data bad_binary_data(void)
{
struct binary_data r;
@@ -759,16 +804,18 @@ struct binary_data extract_hex_binary_data(char **input, char *what, int eat_whi
}
*input = s;
} else {
- bitch("%s: internal: invalid eat_whitespace");
+ bitch("%s: internal: invalid eat_whitespace", what);
}
if (!*input)
return r; /* bitching's done elsewhere */
+ hb = hl % 2 ? 1 : 0;
+ if (hb == 0)
+ bitch("%s: hex data does not represent whole number of bytes", what);
r.data = getmem(hl/2);
r.length = hl/2;
bzero(r.data, r.length);
- hb = hl % 2 ? 1 : 0;
for (hi = 0; hi < hl-hb; hi++) {
r.data[hi/2] <<= 4;
r.data[hi/2] |= 0x0f & (isdigit(hex[hi+hb]) ? hex[hi+hb] - '0' : tolower(hex[hi+hb]) - 'a' + 10);
@@ -840,6 +887,7 @@ struct binary_data compose_binary_data(const char *fmt, int tmp, ...)
uint8_t b1;
uint16_t b2;
uint32_t b4;
+ uint64_t b8;
va_start(ap, tmp);
args = fmt;
@@ -858,6 +906,10 @@ struct binary_data compose_binary_data(const char *fmt, int tmp, ...)
va_arg(ap, unsigned int);
sz += 4;
break;
+ case '8':
+ va_arg(ap, uint64_t);
+ sz += 8;
+ break;
case 'd':
bd = va_arg(ap, struct binary_data);
sz += bd.length;
@@ -902,6 +954,11 @@ struct binary_data compose_binary_data(const char *fmt, int tmp, ...)
memcpy(t, &b4, 4);
t += 4;
break;
+ case '8':
+ b8 = htonl(va_arg(ap, uint64_t));
+ memcpy(t, &b8, 8);
+ t += 8;
+ break;
case 'd':
bd = va_arg(ap, struct binary_data);
memcpy(t, bd.data, bd.length);
diff --git a/textparse.h b/textparse.h
index b4f647a..3fe802f 100644
--- a/textparse.h
+++ b/textparse.h
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
@@ -9,6 +9,8 @@
#ifndef _TEXTPARSE_H_
#define _TEXTPARSE_H_
+#include <sys/types.h>
+
struct binary_data {
int length;
char *data;
@@ -30,15 +32,18 @@ struct binary_data compose_binary_data(const char *fmt, int tmp, ...);
*
*/
+#define KEEP_CAPITALIZATION 32
+
int empty_line_or_comment(char *s);
char *skip_white_space(char *s);
-char *extract_name(char **input, char *what);
+char *extract_name(char **input, char *what, int options);
char *extract_label(char **input, char *what, void *is_temporary);
long long extract_integer(char **input, char *what);
long extract_timevalue(char **input, char *what);
long long extract_timestamp(char **input, char *what);
int extract_ipv4(char **input, char *what, struct in_addr *addr);
int extract_ipv6(char **input, char *what, struct in6_addr *addr);
+int extract_u64(char **input, char *what, uint64_t *r);
int extract_double(char **input, char *what, double *val, int skip_m);
struct binary_data extract_base32hex_binary_data(char **input, char *what);
struct binary_data extract_base64_binary_data(char **input, char *what);
diff --git a/tlsa.c b/tlsa.c
new file mode 100644
index 0000000..d4cc53e
--- /dev/null
+++ b/tlsa.c
@@ -0,0 +1,121 @@
+/*
+ * Part of DNS zone file validator `validns`.
+ *
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
+ * Modified BSD license.
+ * (See LICENSE file in the distribution.)
+ *
+ */
+#include <sys/types.h>
+#include <stdio.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <string.h>
+#include <ctype.h>
+
+#include "common.h"
+#include "textparse.h"
+#include "mempool.h"
+#include "carp.h"
+#include "rr.h"
+
+/* See http://www.rfc-editor.org/internet-drafts/draft-ietf-dane-protocol-23.txt
+ * for TLSA description.
+ */
+
+static struct rr* tlsa_parse(char *name, long ttl, int type, char *s)
+{
+ struct rr_tlsa *rr = getmem(sizeof(*rr));
+ int cert_usage, selector, matching_type;
+
+ cert_usage = extract_integer(&s, "certificate usage field");
+ if (cert_usage < 0) return NULL;
+ if (cert_usage > 3)
+ return bitch("bad certificate usage field");
+ rr->cert_usage = cert_usage;
+
+ selector = extract_integer(&s, "selector field");
+ if (selector < 0) return NULL;
+ if (selector > 1)
+ return bitch("bad selector field");
+ rr->selector = selector;
+
+ matching_type = extract_integer(&s, "matching type field");
+ if (matching_type < 0) return NULL;
+ if (matching_type > 2)
+ return bitch("bad matching type field");
+ rr->matching_type = matching_type;
+
+ rr->association_data = extract_hex_binary_data(&s, "certificate association data", EXTRACT_EAT_WHITESPACE);
+ if (rr->association_data.length < 0) return NULL;
+ switch (rr->matching_type) {
+ case 1:
+ if (rr->association_data.length != SHA256_BYTES)
+ return bitch("bad SHA-256 hash length");
+ break;
+ case 2:
+ if (rr->association_data.length != SHA512_BYTES)
+ return bitch("bad SHA-512 hash length");
+ break;
+ }
+
+ if (*s) {
+ return bitch("garbage after valid TLSA data");
+ }
+ return store_record(type, name, ttl, rr);
+}
+
+static char* tlsa_human(struct rr *rrv)
+{
+ RRCAST(tlsa);
+ char s[1024];
+
+ snprintf(s, 1024, "%d %d %d ...",
+ rr->cert_usage, rr->selector, rr->matching_type);
+ return quickstrdup_temp(s);
+}
+
+static struct binary_data tlsa_wirerdata(struct rr *rrv)
+{
+ RRCAST(tlsa);
+
+ return compose_binary_data("111d", 1,
+ rr->cert_usage, rr->selector, rr->matching_type,
+ rr->association_data);
+}
+
+static void* tlsa_validate_set(struct rr_set *rr_set)
+{
+ struct rr *rr;
+ struct named_rr *named_rr;
+ char *s;
+ int port = 0;
+ int len;
+
+ if (G.opt.policy_checks[POLICY_TLSA_HOST]) {
+ rr = rr_set->tail;
+ named_rr = rr_set->named_rr;
+
+ /* _25._tcp.mail.example.com. */
+ s = named_rr->name;
+ if (*s != '_') {
+not_a_prefixed_domain_name:
+ return moan(rr->file_name, rr->line, "not a proper prefixed DNS domain name");
+ }
+ s++;
+ while (isdigit(*s)) {
+ port = port * 10 + *s - '0';
+ s++;
+ }
+ if (port <= 0 || port > 65535) goto not_a_prefixed_domain_name;
+ if (*s++ != '.') goto not_a_prefixed_domain_name;
+ len = strlen(s);
+ if (len < 6) goto not_a_prefixed_domain_name;
+ if (memcmp(s, "_tcp.", 5) != 0 &&
+ memcmp(s, "_udp.", 5) != 0 &&
+ memcmp(s, "_sctp.", 6) != 0) goto not_a_prefixed_domain_name;
+ }
+ return NULL;
+}
+
+struct rr_methods tlsa_methods = { tlsa_parse, tlsa_human, tlsa_wirerdata, tlsa_validate_set, NULL };
diff --git a/txt.c b/txt.c
index 188d768..a26fe56 100644
--- a/txt.c
+++ b/txt.c
@@ -1,7 +1,7 @@
/*
* Part of DNS zone file validator `validns`.
*
- * Copyright 2011, Anton Berezin <tobez@tobez.org>
+ * Copyright 2011, 2012 Anton Berezin <tobez@tobez.org>
* Modified BSD license.
* (See LICENSE file in the distribution.)
*
diff --git a/usage.mdwn b/usage.mdwn
index 33c0746..30a48c6 100644
--- a/usage.mdwn
+++ b/usage.mdwn
@@ -47,6 +47,7 @@ Coming soon.
- mx-alias
- ns-alias
- rp-txt-exists
+ - tlsa-host
- all
-n *N*
@@ -125,6 +126,7 @@ Other basic checks include:
- NS nsdname should not be an alias
- TXT domain name mentioned in RP record must have
a corresponding TXT record if it is within the zone
+- domain name of a TLSA record must be a proper prefixed DNS name
# BUGS
@@ -143,3 +145,31 @@ every unsigned delegation.
If this assumption is wrong for a zone,
`validns` will produce spurious validation
errors.
+
+# ACKNOWLEDGEMENTS
+
+Thanks go to
+Andy Holdaway,
+Daniel Stirnimann,
+Dennis Kjaer Jensen,
+Goran Bengtson,
+Hirohisa Yamaguchi,
+Hugo Salgado,
+Jakob Schlyter,
+Koh-ichi Ito,
+Mathieu Arnold,
+Miek Gieben,
+Patrik Wallstrom,
+Paul Wouters,
+Ryan Eby,
+Tony Finch,
+Willem Toorop,
+and YAMAGUCHI Takanori
+for bug reports, testing, discussions,
+and occasional patches.
+
+Special thanks to
+Stephane Bortzmeyer and Phil Regnauld.
+
+Thanks for AFNIC which funded major portion of the development.
+
diff --git a/validns.1 b/validns.1
index f6beb4f..ef645a6 100644
--- a/validns.1
+++ b/validns.1
@@ -51,6 +51,8 @@ ns-alias
.IP \[bu] 2
rp-txt-exists
.IP \[bu] 2
+tlsa-host
+.IP \[bu] 2
all
.RE
.TP
@@ -172,6 +174,8 @@ NS nsdname should not be an alias
.IP \[bu] 2
TXT domain name mentioned in RP record must have a corresponding TXT
record if it is within the zone
+.IP \[bu] 2
+domain name of a TLSA record must be a proper prefixed DNS name
.SH BUGS
.IP \[bu] 2
textual segments in \f[I]TXT\f[] and \f[I]HINFO\f[] must be enclosed in
@@ -190,5 +194,16 @@ This is done for reasons of efficiency, to avoid calculating
cryptographic hashes of every unsigned delegation.
If this assumption is wrong for a zone, \f[C]validns\f[] will produce
spurious validation errors.
+.SH ACKNOWLEDGEMENTS
+.PP
+Thanks go to Andy Holdaway, Daniel Stirnimann, Dennis Kjaer Jensen,
+Goran Bengtson, Hirohisa Yamaguchi, Hugo Salgado, Jakob Schlyter,
+Koh-ichi Ito, Mathieu Arnold, Miek Gieben, Patrik Wallstrom, Paul
+Wouters, Ryan Eby, Tony Finch, Willem Toorop, and YAMAGUCHI Takanori for
+bug reports, testing, discussions, and occasional patches.
+.PP
+Special thanks to Stephane Bortzmeyer and Phil Regnauld.
+.PP
+Thanks for AFNIC which funded major portion of the development.
.SH AUTHORS
Anton Berezin.