Skip to content

Commit

Permalink
Stop setting auth=1 on NS records of secure delegations. Spotted by G…
Browse files Browse the repository at this point in the history 
…eorge Notaras, patch by Kees Monshouwer. Fixes #605

git-svn-id: svn://svn.powerdns.com/pdns/trunk/pdns@2831 d19b8d6e-7fed-0310-83ef-9ca221ded41b
  • Loading branch information
Peter van Dijk committed Oct 29, 2012
1 parent 9af87ad commit c2df797
Show file tree
Hide file tree
Showing 26 changed files with 110 additions and 44 deletions.
3 changes: 2 additions & 1 deletion modules/gmysqlbackend/gmysqlbackend.cc
View file
Expand Up @@ -100,8 +100,9 @@ class gMySQLFactory : public BackendFactory
declare(suffix,"get-order-after-query","DNSSEC Ordering Query, after", "select min(ordername) from records where ordername > '%s' and domain_id=%d and ordername is not null");
declare(suffix,"get-order-last-query","DNSSEC Ordering Query, last", "select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 desc limit 1");
declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'");
declare(suffix,"nullify-ordername-query", "DNSSEC nullify ordername query", "update records set ordername=NULL where domain_id='%d' and name='%s' and type is null");
declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=%d where domain_id='%d' and name='%s'");
declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'");
declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=1 where domain_id='%d' and name='%s' and type='DS'");

declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d");
declare(suffix,"update-lastcheck-query","", "update domains set last_check=%d where id=%d");
Expand Down
3 changes: 2 additions & 1 deletion modules/gpgsqlbackend/gpgsqlbackend.cc
View file
Expand Up @@ -95,8 +95,9 @@ class gPgSQLFactory : public BackendFactory
declare(suffix,"get-order-after-query","DNSSEC Ordering Query, after", "select ordername from records where ordername ~>~ E'%s' and domain_id=%d and ordername is not null order by 1 using ~<~ limit 1");
declare(suffix,"get-order-last-query","DNSSEC Ordering Query, last", "select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 using ~>~ limit 1");
declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername=E'%s',auth=(%d = 1) where name=E'%s' and domain_id='%d'");
declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=true where domain_id='%d' and name='%s' and type='DS'");

declare(suffix,"nullify-ordername-query", "DNSSEC nullify ordername query", "update records set ordername=NULL where domain_id='%d' and name='%s' and type is null");
declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=(%d = 1) where domain_id='%d' and name='%s'");
declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=false where name=E'%s' and type=E'%s' and domain_id='%d'");

declare(suffix,"update-serial-query","", "update domains set notified_serial=%d where id=%d");
Expand Down
3 changes: 2 additions & 1 deletion modules/gsqlite3backend/gsqlite3backend.cc
View file
Expand Up @@ -95,8 +95,9 @@ class gSQLite3Factory : public BackendFactory
declare(suffix,"get-order-last-query","DNSSEC Ordering Query, last", "select ordername, name from records where ordername != '' and domain_id=%d and ordername is not null order by 1 desc limit 1");
declare(suffix,"set-order-and-auth-query", "DNSSEC set ordering query", "update records set ordername='%s',auth=%d where name='%s' and domain_id='%d'");

declare(suffix,"nullify-ordername-query", "DNSSEC nullify ordername query", "update records set ordername=NULL where domain_id='%d' and name='%s' and type is null");
declare(suffix,"nullify-ordername-and-update-auth-query", "DNSSEC nullify ordername and update auth query", "update records set ordername=NULL,auth=%d where domain_id='%d' and name='%s'");
declare(suffix,"nullify-ordername-and-auth-query", "DNSSEC nullify ordername and auth query", "update records set ordername=NULL,auth=0 where name='%s' and type='%s' and domain_id='%d'");
declare(suffix,"set-auth-on-ds-record-query", "DNSSEC set auth on a DS record", "update records set auth=1 where domain_id='%d' and name='%s' and type='DS'");

declare( suffix, "master-zone-query", "Data", "select master from domains where name='%s' and type='SLAVE'");

Expand Down
30 changes: 22 additions & 8 deletions pdns/backends/gsql/gsqlbackend.cc
View file
Expand Up @@ -291,8 +291,9 @@ GSQLBackend::GSQLBackend(const string &mode, const string &suffix)
d_afterOrderQuery = getArg("get-order-after-query");
d_lastOrderQuery = getArg("get-order-last-query");
d_setOrderAuthQuery = getArg("set-order-and-auth-query");
d_nullifyOrderNameQuery = getArg("nullify-ordername-query");
d_nullifyOrderNameAndUpdateAuthQuery = getArg("nullify-ordername-and-update-auth-query");
d_nullifyOrderNameAndAuthQuery = getArg("nullify-ordername-and-auth-query");
d_setAuthOnDsRecordQuery = getArg("set-auth-on-ds-record-query");

d_AddDomainKeyQuery = getArg("add-domain-key-query");
d_ListDomainKeysQuery = getArg("list-domain-keys-query");
Expand Down Expand Up @@ -322,11 +323,8 @@ bool GSQLBackend::updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std
if(!d_dnssecQueries)
return false;
char output[1024];
// ordername='%s',auth=%d where name='%s' and domain_id='%d'


snprintf(output, sizeof(output)-1, d_setOrderAuthQuery.c_str(), sqlEscape(ordername).c_str(), auth, sqlEscape(qname).c_str(), domain_id);
// cerr<<"sql: '"<<output<<"'\n";

try {
d_db->doCommand(output);
}
Expand All @@ -336,18 +334,18 @@ bool GSQLBackend::updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std
return true;
}

bool GSQLBackend::nullifyDNSSECOrderName(uint32_t domain_id, const std::string& qname)
bool GSQLBackend::nullifyDNSSECOrderNameAndUpdateAuth(uint32_t domain_id, const std::string& qname, bool auth)
{
if(!d_dnssecQueries)
return false;
char output[1024];

snprintf(output, sizeof(output)-1, d_nullifyOrderNameQuery.c_str(), domain_id, sqlEscape(qname).c_str());
snprintf(output, sizeof(output)-1, d_nullifyOrderNameAndUpdateAuthQuery.c_str(), auth, domain_id, sqlEscape(qname).c_str());
try {
d_db->doCommand(output);
}
catch(SSqlException &e) {
throw AhuException("GSQLBackend unable to nullify ordername for domain_id "+itoa(domain_id)+": "+e.txtReason());
throw AhuException("GSQLBackend unable to nullify ordername and update auth for domain_id "+itoa(domain_id)+": "+e.txtReason());
}
return true;
}
Expand All @@ -368,6 +366,22 @@ bool GSQLBackend::nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::s
return true;
}

bool GSQLBackend::setDNSSECAuthOnDsRecord(uint32_t domain_id, const std::string& qname)
{
if(!d_dnssecQueries)
return false;
char output[1024];

snprintf(output, sizeof(output)-1, d_setAuthOnDsRecordQuery.c_str(), domain_id, sqlEscape(qname).c_str());
try {
d_db->doCommand(output);
}
catch(SSqlException &e) {
throw AhuException("GSQLBackend unable to set auth on DS record "+qname+" for domain_id "+itoa(domain_id)+": "+e.txtReason());
}
return true;
}

bool GSQLBackend::updateEmptyNonTerminals(uint32_t domain_id, const std::string& zonename, set<string>& insert, set<string>& erase, bool remove)
{
char output[1024];
Expand Down
6 changes: 4 additions & 2 deletions pdns/backends/gsql/gsqlbackend.hh
View file
Expand Up @@ -43,8 +43,9 @@ public:
virtual bool getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string& qname, std::string& unhashed, std::string& before, std::string& after);
bool updateDNSSECOrderAndAuth(uint32_t domain_id, const std::string& zonename, const std::string& qname, bool auth);
virtual bool updateDNSSECOrderAndAuthAbsolute(uint32_t domain_id, const std::string& qname, const std::string& ordername, bool auth);
virtual bool nullifyDNSSECOrderName(uint32_t domain_id, const std::string& qname);
virtual bool nullifyDNSSECOrderNameAndUpdateAuth(uint32_t domain_id, const std::string& qname, bool auth);
virtual bool nullifyDNSSECOrderNameAndAuth(uint32_t domain_id, const std::string& qname, const std::string& type);
virtual bool setDNSSECAuthOnDsRecord(uint32_t domain_id, const std::string& qname);
virtual bool updateEmptyNonTerminals(uint32_t domain_id, const std::string& zonename, set<string>& insert ,set<string>& erase, bool remove);
virtual bool doesDNSSEC();

Expand Down Expand Up @@ -95,8 +96,9 @@ private:
string d_afterOrderQuery;
string d_lastOrderQuery;
string d_setOrderAuthQuery;
string d_nullifyOrderNameQuery;
string d_nullifyOrderNameAndUpdateAuthQuery;
string d_nullifyOrderNameAndAuthQuery;
string d_setAuthOnDsRecordQuery;
string d_removeEmptyNonTerminalsFromZoneQuery;
string d_insertEmptyNonTerminalQuery;
string d_deleteEmptyNonTerminalQuery;
Expand Down
7 changes: 6 additions & 1 deletion pdns/dnsbackend.hh
View file
Expand Up @@ -141,7 +141,7 @@ public:
return false;
}

virtual bool nullifyDNSSECOrderName(uint32_t domain_id, const std::string& qname)
virtual bool nullifyDNSSECOrderNameAndUpdateAuth(uint32_t domain_id, const std::string& qname, bool auth)
{
return false;
}
Expand All @@ -151,6 +151,11 @@ public:
return false;
}

virtual bool setDNSSECAuthOnDsRecord(uint32_t domain_id, const std::string& qname)
{
return false;
}

virtual bool doesDNSSEC()
{
return false;
Expand Down
26 changes: 15 additions & 11 deletions pdns/pdnssec.cc
View file
Expand Up @@ -164,9 +164,6 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
break;
}
} while(chopOff(shorter));

if(dsnames.count(qname))
auth=true;
}

if(haveNSEC3)
Expand All @@ -175,29 +172,36 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
if(g_verbose)
cerr<<"'"<<qname<<"' -> '"<< hashed <<"'"<<endl;
sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, auth);
}
sd.db->updateDNSSECOrderAndAuthAbsolute(sd.domain_id, qname, hashed, auth);
if((!auth || dsnames.count(qname)) && realrr)
else
sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
if(realrr)
{
sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
if (dsnames.count(qname))
sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
if (!auth || nsset.count(qname)) {
sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
}
}
}
else // NSEC
{
if(realrr)
{
sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
if(!auth || dsnames.count(qname))
{
if (dsnames.count(qname))
sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
if (!auth || nsset.count(qname)) {
sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
}
}
else
{
sd.db->nullifyDNSSECOrderName(sd.domain_id, qname);
sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
}
}

Expand Down
24 changes: 14 additions & 10 deletions pdns/slavecommunicator.cc
View file
Expand Up @@ -258,31 +258,35 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
break;
}
}while(chopOff(shorter));

if(dsnames.count(qname))
auth=true;
}

if(dnssecZone && haveNSEC3)
{
if(!narrow) {
hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth);
}
di.backend->updateDNSSECOrderAndAuthAbsolute(domain_id, qname, hashed, auth); // this should always be done
if((!auth || dsnames.count(qname)) && realrr)
else
di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth);
if(realrr)
{
di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
if (dsnames.count(qname))
di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
if (!auth || nsset.count(qname)) {
di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
}
}
}
else // NSEC
{
if(realrr)
{
di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
if(!auth || dsnames.count(qname))
{
if (dsnames.count(qname))
di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
if (!auth || nsset.count(qname)) {
di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
}
Expand Down
2 changes: 1 addition & 1 deletion regression-tests/any-nxdomain/expected_result.dnssec
View file
@@ -1,4 +1,4 @@
1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
Expand Down
2 changes: 1 addition & 1 deletion regression-tests/cname-to-nxdomain/expected_result.dnssec
View file
@@ -1,6 +1,6 @@
0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
Expand Down
2 changes: 2 additions & 0 deletions regression-tests/ds-at-secure-delegation/command
View file
@@ -0,0 +1,2 @@
#!/bin/sh
cleandig dsdelegation.example.com DS dnssec
4 changes: 4 additions & 0 deletions regression-tests/ds-at-secure-delegation/description
View file
@@ -0,0 +1,4 @@
This test tries to resolve a DS question at a secure delegation.
It was written specifically to verify that we do not sign NS records
at secure delegations.

4 changes: 4 additions & 0 deletions regression-tests/ds-at-secure-delegation/expected_result
View file
@@ -0,0 +1,4 @@
0 dsdelegation.example.com. IN DS 120 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='dsdelegation.example.com.', qtype=DS
5 changes: 5 additions & 0 deletions regression-tests/ds-at-secure-delegation/expected_result.dnssec
View file
@@ -0,0 +1,5 @@
0 dsdelegation.example.com. IN DS 120 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
0 dsdelegation.example.com. IN RRSIG 120 DS 8 3 120 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='dsdelegation.example.com.', qtype=DS
3 changes: 3 additions & 0 deletions regression-tests/example.com
View file
Expand Up @@ -30,6 +30,9 @@ location IN LOC 51 56 0.123 N 5 54 0.000 E 4.00m 1.00m 10000.00m 10.00m
;
unauth IN CNAME no-idea.example.org.
;
dsdelegation IN NS ns.example.com.
IN DS 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
;
nxd IN CNAME nxdomain.example.com.
;
hwinfo IN HINFO "abc" "def"
Expand Down
2 changes: 1 addition & 1 deletion regression-tests/nsec-glue/expected_result
View file
@@ -1,4 +1,4 @@
1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
Expand Down
2 changes: 1 addition & 1 deletion regression-tests/nsec-middle/expected_result
View file
@@ -1,4 +1,4 @@
1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
Expand Down
2 changes: 1 addition & 1 deletion regression-tests/nsec-wraparound/expected_result
View file
@@ -1,4 +1,4 @@
1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
Expand Down
2 changes: 1 addition & 1 deletion regression-tests/nsec-wrong-type-at-apex/expected_result
View file
@@ -1,4 +1,4 @@
1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
Expand Down
2 changes: 1 addition & 1 deletion regression-tests/nxdomain-below-nonempty-terminal/expected_result
View file
@@ -1,4 +1,4 @@
1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
Expand Down
2 changes: 1 addition & 1 deletion regression-tests/second-level-nxdomain/expected_result
View file
@@ -1,4 +1,4 @@
1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
Expand Down
2 changes: 2 additions & 0 deletions regression-tests/secure-delegation/command
View file
@@ -0,0 +1,2 @@
#!/bin/sh
cleandig www.dsdelegation.example.com A dnssec
4 changes: 4 additions & 0 deletions regression-tests/secure-delegation/description
View file
@@ -0,0 +1,4 @@
This test checks the DS/NS response for a secure referral.
It was written specifically to verify that we do not sign NS records
at secure delegations.

4 changes: 4 additions & 0 deletions regression-tests/secure-delegation/expected_result
View file
@@ -0,0 +1,4 @@
1 dsdelegation.example.com. IN NS 120 ns.example.com.
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
Reply to question for qname='www.dsdelegation.example.com.', qtype=A
6 changes: 6 additions & 0 deletions regression-tests/secure-delegation/expected_result.dnssec
View file
@@ -0,0 +1,6 @@
1 dsdelegation.example.com. IN DS 120 28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
1 dsdelegation.example.com. IN NS 120 ns.example.com.
1 dsdelegation.example.com. IN RRSIG 120 DS 8 3 120 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
Reply to question for qname='www.dsdelegation.example.com.', qtype=A
2 changes: 1 addition & 1 deletion regression-tests/two-level-nxdomain/expected_result
View file
@@ -1,4 +1,4 @@
1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN NSEC 86400 dsdelegation.example.com. NS SOA MX RRSIG NSEC DNSKEY
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
Expand Down

0 comments on commit c2df797

Please sign in to comment.