diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt index a5aad5cb2b84..3fc8b3da3c17 100644 --- a/.github/actions/spell-check/expect.txt +++ b/.github/actions/spell-check/expect.txt @@ -1916,6 +1916,7 @@ zilopbg Zmd zonecryptokey zonefile +zonemd zonemetadata zonename zoneparser diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst index ca086d6112bc..42a233274323 100644 --- a/docs/manpages/pdnsutil.1.rst +++ b/docs/manpages/pdnsutil.1.rst @@ -251,6 +251,8 @@ unset-presigned *ZONE* Disables presigned operation for *ZONE*. raw-lua-from-content *TYPE* *CONTENT* Display record contents in a form suitable for dnsdist's `SpoofRawAction`. +zonemd-verify-file *ZONE* *FILE* + Validate ZONEMD for *ZONE* read from *FILE*. DEBUGGING TOOLS --------------- diff --git a/pdns/Makefile.am b/pdns/Makefile.am index 004c8becfedc..431ff8cfd698 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -378,6 +378,7 @@ pdnsutil_SOURCES = \ tsigutils.hh tsigutils.cc \ ueberbackend.cc \ unix_utility.cc \ + zonemd.hh zonemd.cc \ zoneparser-tng.cc pdnsutil_LDFLAGS = \ @@ -1405,6 +1406,7 @@ testrunner_SOURCES = \ test-trusted-notification-proxy_cc.cc \ test-tsig.cc \ test-ueberbackend_cc.cc \ + test-zonemd_cc.cc \ test-zoneparser_tng_cc.cc \ testrunner.cc \ threadname.hh threadname.cc \ @@ -1412,6 +1414,7 @@ testrunner_SOURCES = \ tsigverifier.cc tsigverifier.hh \ ueberbackend.cc ueberbackend.hh \ unix_utility.cc \ + zonemd.cc zonemd.hh \ zoneparser-tng.cc zoneparser-tng.hh testrunner_LDFLAGS = \ diff --git a/pdns/dnsrecords.cc b/pdns/dnsrecords.cc index d3f5741ecf3e..eac821493c4d 100644 --- a/pdns/dnsrecords.cc +++ b/pdns/dnsrecords.cc 
@@ -305,6 +305,13 @@ boilerplate_conv(KEY, conv.xfrBlob(d_certificate); ); +boilerplate_conv(ZONEMD, + conv.xfr32BitInt(d_serial); + conv.xfr8BitInt(d_scheme); + conv.xfr8BitInt(d_hashalgo); + conv.xfrHexBlob(d_digest, true); // keep reading across spaces + ); + boilerplate_conv(CERT, conv.xfr16BitInt(d_type); if (d_type == 0) throw MOADNSException("CERT type 0 is reserved"); @@ -963,6 +970,7 @@ void reportOtherTypes() L32RecordContent::report(); L64RecordContent::report(); LPRecordContent::report(); + ZONEMDRecordContent::report(); } void reportAllTypes() diff --git a/pdns/dnsrecords.hh b/pdns/dnsrecords.hh index 7f0a057437a2..7a2315f51761 100644 --- a/pdns/dnsrecords.hh +++ b/pdns/dnsrecords.hh @@ -586,6 +586,18 @@ public: struct soatimes d_st; }; +class ZONEMDRecordContent : public DNSRecordContent +{ +public: + includeboilerplate(ZONEMD) + //ZONEMDRecordContent(uint32_t serial, uint8_t scheme, uint8_t hashalgo, string digest); + + uint32_t d_serial; + uint8_t d_scheme; + uint8_t d_hashalgo; + string d_digest; +}; + class NSECBitmap { public: diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc index df008fc97a43..7c31f965e66b 100644 --- a/pdns/dnssecinfra.cc +++ b/pdns/dnssecinfra.cc 
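Review bot: The new `boilerplate_conv(ZONEMD, …)` accepts a digest of any length, because `conv.xfrHexBlob(d_digest, true)` is the last step and nothing checks the result. RFC 8976 requires the Digest field to be at least 12 octets, so a check in the style of the CERT converter just below would reject malformed records at parse time, e.g. `if (d_digest.size() < 12) throw MOADNSException("ZONEMD digest shorter than 12 octets");`. If rejecting at parse time is too strict for zones that merely carry such records, the same length check belongs in the verifier before the digest comparison.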
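Review bot: `ZONEMDRecordContent` declares `d_serial`, `d_scheme` and `d_hashalgo` without initialisers, so any object that is constructed before a converter has filled it holds indeterminate values in exactly the fields the verifier compares against the SOA serial and the supported scheme and algorithm numbers. Whether `includeboilerplate` provides such a construction path is not visible in this hunk, but default member initialisers make the state well defined either way: `uint32_t d_serial{0};`, `uint8_t d_scheme{0};`, `uint8_t d_hashalgo{0};`. The commented-out constructor declaration should be either implemented or removed before merge.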
@@ -400,12 +400,21 @@ std::unique_ptr DNSCryptoKeyEngine::makeFromPEMString(DNSKEY * purposes, as the authoritative server correctly * sets qname to the wildcard. */ -string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, const sortedRecords_t& signRecords, bool processRRSIGLabels) +string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, const sortedRecords_t& signRecords, bool processRRSIGLabels, bool includeRRSIG_RDATA) { string toHash; - toHash.append(const_cast(rrc).serialize(g_rootdnsname, true, true)); - toHash.resize(toHash.size() - rrc.d_signature.length()); // chop off the end, don't sign the signature! + // dnssec: signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) + // From RFC 4034 + // RRSIG_RDATA is the wire format of the RRSIG RDATA fields + // with the Signer's Name field in canonical form and + // the Signature field excluded; + // zonemd: digest = hash( RR(1) | RR(2) | RR(3) | ... ), so skip RRSIG_RDATA + + if (includeRRSIG_RDATA) { + toHash.append(const_cast(rrc).serialize(g_rootdnsname, true, true)); + toHash.resize(toHash.size() - rrc.d_signature.length()); // chop off the end, don't sign the signature! + } string nameToHash(qname.toDNSStringLC()); if (processRRSIGLabels) { diff --git a/pdns/dnssecinfra.hh b/pdns/dnssecinfra.hh index 00f3befc061f..627c68349943 100644 --- a/pdns/dnssecinfra.hh +++ b/pdns/dnssecinfra.hh @@ -160,7 +160,7 @@ struct sharedDNSSECRecordCompare { typedef std::set, sharedDNSSECRecordCompare> sortedRecords_t; -string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, const sortedRecords_t& signRecords, bool processRRSIGLabels = false); +string getMessageForRRSET(const DNSName& qname, const RRSIGRecordContent& rrc, const sortedRecords_t& signRecords, bool processRRSIGLabels = false, bool includeRRSIG_RDATA = true); DSRecordContent makeDSFromDNSKey(const DNSName& qname, const DNSKEYRecordContent& drc, uint8_t digest); 
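Review bot: `getMessageForRRSET` now takes two adjacent `bool` parameters, and the comment block above it is not extended to describe `includeRRSIG_RDATA`, so call sites such as `getMessageForRRSET(qname, rrc, sorted, false, false)` in zonemd.cc are hard to check by eye. Because this function builds the exact byte string that gets signed or digested, I would state the contract on the function itself, for example `// includeRRSIG_RDATA: true for DNSSEC (RFC 4034 signature input); false for ZONEMD, where only the canonical RRs are hashed and rrc supplies just the type and original TTL`. The last clause is inferred from the ZONEMD caller, since the rest of the body lies outside this hunk, so confirm it before adopting the wording. Defaulting the new parameter to `true` in dnssecinfra.hh keeps existing signing callers unchanged.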
diff --git a/pdns/pdnsutil.cc b/pdns/pdnsutil.cc index 130fc2a4ee88..25fb93c4336c 100644 --- a/pdns/pdnsutil.cc +++ b/pdns/pdnsutil.cc @@ -27,6 +27,7 @@ #include "dns_random.hh" #include "ipcipher.hh" #include "misc.hh" +#include "zonemd.hh" #include #include #include //termios, TCSANOW, ECHO, ICANON @@ -1359,6 +1360,38 @@ static int xcryptIP(const std::string& cmd, const std::string& ip, const std::st } +static int zonemdVerifyFile(const DNSName& zone, const string& fname) { + ZoneParserTNG zpt(fname, zone); + zpt.setMaxGenerateSteps(::arg().asNum("max-generate-steps")); + + bool validationDone, validationOK; + + try { + pdns::zonemdVerify(zone, zpt, validationDone, validationOK); + } + catch (const PDNSException& ex) { + cerr << "zonemd-verify-file: " << ex.reason << endl; + return EXIT_FAILURE; + } + catch (const std::exception& ex) { + cerr << "zonemd-verify-file: " << ex.what() << endl; + return EXIT_FAILURE; + } + + if (validationDone) { + if (validationOK) { + cout << "zonemd-verify-file: Verification of ZONEMD record succeeded" << endl; + return EXIT_SUCCESS; + } else { + cerr << "zonemd-verify-file: Verification of ZONEMD record(s) failed" << endl; + } + } + else { + cerr << "zonemd-verify-file: No suitable ZONEMD record found to verify against" << endl; + } + return EXIT_FAILURE; +} + static int loadZone(const DNSName& zone, const string& fname) { UeberBackend B; DomainInfo di; @@ -2413,6 +2446,7 @@ try cout<<"unset-publish-cds ZONE Disable sending CDS responses for ZONE"< QType::names = { {"CDNSKEY", 60}, {"OPENPGPKEY", 61}, {"CSYNC", 62}, + {"ZONEMD", 63}, {"SVCB", 64}, {"HTTPS", 65}, {"SPF", 99}, diff --git a/pdns/qtype.hh b/pdns/qtype.hh index d76ccfcbe378..f1d4baa3b60d 100644 --- a/pdns/qtype.hh +++ b/pdns/qtype.hh @@ -102,6 +102,7 @@ public: CDNSKEY = 60, OPENPGPKEY = 61, CSYNC = 62, + ZONEMD = 63, SVCB = 64, HTTPS = 65, SPF = 99, diff --git a/pdns/sha.hh b/pdns/sha.hh index 06bace9ab7b1..bf8cc4eaf9dd 100644 --- a/pdns/sha.hh +++ b/pdns/sha.hh 
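Review bot: In `zonemdVerifyFile` the `ZoneParserTNG zpt(fname, zone)` construction and the `setMaxGenerateSteps` call sit outside the `try`, and `validationDone`/`validationOK` are declared without initialisers. If the parser constructor throws on an unreadable file (not visible here), that error bypasses the `zonemd-verify-file:` handlers, and the fail-closed exit code currently depends on `pdns::zonemdVerify` writing both flags before doing anything else. I would declare `bool validationDone = false;` and `bool validationOK = false;` and move the two parser lines inside the `try`.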
@@ -20,9 +20,10 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #pragma once + #include -#include #include +#include inline std::string pdns_sha1sum(const std::string& input) { @@ -51,3 +52,64 @@ inline std::string pdns_sha512sum(const std::string& input) SHA512(reinterpret_cast(input.c_str()), input.length(), result); return std::string(result, result + sizeof result); } + +namespace pdns +{ +class SHADigest +{ +public: + SHADigest(unsigned int bits) : + mdctx(std::unique_ptr(EVP_MD_CTX_new(), EVP_MD_CTX_free)) + { + if (mdctx == nullptr) { + throw std::runtime_error("SHADigest: EVP_MD_CTX_new failed"); + } + switch (bits) { + case 256: + md = EVP_sha256(); + break; + case 384: + md = EVP_sha384(); + break; + case 512: + md = EVP_sha512(); + break; + default: + throw std::invalid_argument("SHADigest: unsupported size"); + } + if (EVP_DigestInit_ex(mdctx.get(), md, NULL) == 0) { + throw std::runtime_error("SHADigest: init error"); + } + } + + ~SHADigest() + { + // No free of md needed and mdctx is cleaned up by unique_ptr + } + + void process(const std::string& msg) + { + if (EVP_DigestUpdate(mdctx.get(), msg.data(), msg.size()) == 0) { + throw std::runtime_error("SHADigest: update error"); + } + } + + std::string digest() + { + std::string md_value; + md_value.resize(EVP_MD_size(md)); + unsigned int md_len; + if (EVP_DigestFinal_ex(mdctx.get(), reinterpret_cast(md_value.data()), &md_len) == 0) { + throw std::runtime_error("SHADigest: finalize error"); + } + if (md_len != md_value.size()) { + throw std::runtime_error("SHADigest: inconsistent size"); + } + return md_value; + } + +private: + std::unique_ptr mdctx; + const EVP_MD* md; +}; +} diff --git a/pdns/test-dnsrecords_cc.cc b/pdns/test-dnsrecords_cc.cc index 9079c6ed5779..cb028c4bf503 100644 --- a/pdns/test-dnsrecords_cc.cc +++ b/pdns/test-dnsrecords_cc.cc 
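Review bot: `SHADigest::digest()` finalises the EVP context, but nothing in the class says so or prevents a second `digest()` or a later `process()` on the same object, and OpenSSL does not allow further updates on a context after `EVP_DigestFinal_ex` without re-initialising it. The ZONEMD verifier in this commit calls `digest()` once per algorithm, so it is fine today, but the header is generic enough to be reused elsewhere. At minimum add a comment on `digest()` such as `// Finalises the hash: call once; process() must not be called afterwards`, or keep a finalised flag and throw from both methods once it is set. Smaller points in the same class: make the constructor `explicit`, pass `nullptr` rather than `NULL` to `EVP_DigestInit_ex`, and drop the empty destructor.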
@@ -206,6 +206,10 @@ BOOST_AUTO_TEST_CASE(test_record_types) { (CASE_S(QType::CSYNC, "66 3 A NS AAAA", "\x00\x00\x00\x42\x00\x03\x00\x04\x60\x00\x00\x08")) + // ZONEMD + (CASE_S(QType::ZONEMD, "2018031900 1 1 a3b69bad980a3504e1cffcb0fd6397f93848071c93151f552ae2f6b1711d4bd2d8b39808226d7b9db71e34b72077f8fe", "\x78\x48\xb9\x1c\x01\x01\xa3\xb6\x9b\xad\x98\x0a\x35\x04\xe1\xcf\xfc\xb0\xfd\x63\x97\xf9\x38\x48\x07\x1c\x93\x15\x1f\x55\x2a\xe2\xf6\xb1\x71\x1d\x4b\xd2\xd8\xb3\x98\x08\x22\x6d\x7b\x9d\xb7\x1e\x34\xb7\x20\x77\xf8\xfe")) + (CASE_L(QType::ZONEMD, " 2018031900 1 1 ( 616c6c6f77656420 6275742069676e6f \n 7265642e20616c6c \n6f77656420627574\n 2069676e6f726564 \n2e20616c6c6f7765 \n)", "2018031900 1 1 616c6c6f776564206275742069676e6f7265642e20616c6c6f776564206275742069676e6f7265642e20616c6c6f7765", "\x78\x48\xb9\x1c\x01\x01\x61\x6c\x6c\x6f\x77\x65\x64\x20\x62\x75\x74\x20\x69\x67\x6e\x6f\x72\x65\x64\x2e\x20\x61\x6c\x6c\x6f\x77\x65\x64\x20\x62\x75\x74\x20\x69\x67\x6e\x6f\x72\x65\x64\x2e\x20\x61\x6c\x6c\x6f\x77\x65")) + // Alias mode (CASE_S(QType::SVCB, "0 foo.powerdns.org.", "\0\0\3foo\x08powerdns\x03org\x00")) (CASE_L(QType::SVCB, "0 foo.powerdns.org", "0 foo.powerdns.org.", "\0\0\3foo\x08powerdns\x03org\x00")) diff --git a/pdns/test-zonemd_cc.cc b/pdns/test-zonemd_cc.cc new file mode 100644 index 000000000000..bbea09d7df3e --- /dev/null +++ b/pdns/test-zonemd_cc.cc 
@@ -0,0 +1,103 @@ +#define BOOST_TEST_DYN_LINK +#define BOOST_TEST_NO_MAIN +#include + +#include "zonemd.hh" +#include "dnsrecords.hh" +#include "zoneparser-tng.hh" + +BOOST_AUTO_TEST_SUITE(test_zonemd_cc) + +static void testZoneMD(const std::string& zone, const std::string& file, bool ex, bool done, bool ok) +{ + const char* p = std::getenv("SRCDIR"); + if (!p) { + p = "."; + } + DNSName z(zone); + std::ostringstream pathbuf; + pathbuf << p << "/../regression-tests/zones/" + file; + ZoneParserTNG zpt(pathbuf.str(), z); + + bool validationDone, validationOK; + + try { + pdns::zonemdVerify(z, zpt, validationDone, validationOK); + } + catch (const PDNSException& e) { + BOOST_CHECK(ex); + } + catch (const std::exception& e) { + BOOST_CHECK(ex); + } + + BOOST_CHECK(validationDone == done); + BOOST_CHECK(validationOK == ok); +} + +BOOST_AUTO_TEST_CASE(test_zonemd1) +{ + testZoneMD("example", "zonemd1.zone", false, true, true); +} + +BOOST_AUTO_TEST_CASE(test_zonemd2) +{ + testZoneMD("example", "zonemd2.zone", false, true, true); +} + +BOOST_AUTO_TEST_CASE(test_zonemd3) +{ + testZoneMD("example", "zonemd3.zone", false, true, true); +} + +BOOST_AUTO_TEST_CASE(test_zonemd4) +{ + testZoneMD("uri.arpa", "zonemd4.zone", false, true, true); +} + +BOOST_AUTO_TEST_CASE(test_zonemd5) +{ + testZoneMD("root-servers.net", "zonemd5.zone", false, true, true); +} + +BOOST_AUTO_TEST_CASE(test_zonemd6) +{ + testZoneMD("example", "zonemd-invalid.zone", false, true, false); +} + +BOOST_AUTO_TEST_CASE(test_zonemd7) +{ + testZoneMD("example", "zonemd-nozonemd.zone", false, false, false); +} + +BOOST_AUTO_TEST_CASE(test_zonemd8) +{ + testZoneMD("example", "zonemd-allunsup.zone", false, false, false); +} + +BOOST_AUTO_TEST_CASE(test_zonemd9) +{ + testZoneMD("example", "zonemd-sha512.zone", false, true, true); +} + +BOOST_AUTO_TEST_CASE(test_zonemd10) +{ + testZoneMD("example", "zonemd-serialmismatch.zone", false, false, false); +} + +BOOST_AUTO_TEST_CASE(test_zonemd11) +{ + 
testZoneMD("example", "zonemd-duplicate.zone", false, false, false); +} + +BOOST_AUTO_TEST_CASE(test_zonemd12) +{ + testZoneMD("root-servers.net", "zonemd-syntax.zone", true, false, false); +} + +BOOST_AUTO_TEST_CASE(test_zonemd13) +{ + testZoneMD("xxx", "zonemd1.zone", false, false, false); +} + +BOOST_AUTO_TEST_SUITE_END() diff --git a/pdns/zonemd.cc b/pdns/zonemd.cc new file mode 100644 index 000000000000..51ac3d00ceef --- /dev/null +++ b/pdns/zonemd.cc 
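Review bot: `testZoneMD` never fails when an exception was expected but none was thrown, because `BOOST_CHECK(ex)` is only evaluated inside the two `catch` blocks. `test_zonemd12` (the syntax-error zone) would therefore still pass if the parser started accepting the broken record, as long as both flags end up false. Track it explicitly: declare `bool thrown = false;`, set it to `true` in each handler, and add `BOOST_CHECK_EQUAL(thrown, ex);` after the `try`. I would also initialise `validationDone` and `validationOK` to `false` at declaration so the final checks never read indeterminate values if the callee changes.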
@@ -0,0 +1,186 @@ +#include "zonemd.hh" + +#include "dnsrecords.hh" +#include "dnssecinfra.hh" +#include "sha.hh" +#include "zoneparser-tng.hh" + +typedef std::pair RRSetKey_t; +typedef std::vector> RRVector_t; + +struct CanonRRSetKeyCompare : public std::binary_function +{ + bool operator()(const RRSetKey_t& a, const RRSetKey_t& b) const + { + // FIXME surely we can be smarter here + if (a.first.canonCompare(b.first)) { + return true; + } + if (b.first.canonCompare(a.first)) { + return false; + } + return a.second < b.second; + } +}; + +typedef std::map RRSetMap_t; + +void pdns::zonemdVerify(const DNSName& zone, ZoneParserTNG& zpt, bool& validationDone, bool& validationOK) +{ + validationDone = false; + validationOK = false; + + // scheme,hashalgo -> zonemdrecord,duplicate + struct ZoneMDAndDuplicateFlag + { + std::shared_ptr record; + bool duplicate; + }; + + std::map, ZoneMDAndDuplicateFlag> zonemdRecords; + std::shared_ptr soaRecordContent; + + RRSetMap_t resourceRecordSets; + std::map resourceRecordSetTTLs; + + DNSResourceRecord dnsResourceRecord; + + // Get all records and remember RRSets and TTLs + while (zpt.get(dnsResourceRecord)) { + if (!dnsResourceRecord.qname.isPartOf(zone) && dnsResourceRecord.qname != zone) { + continue; + } + if (dnsResourceRecord.qtype == QType::SOA && soaRecordContent) { + continue; + } + std::shared_ptr drc; + try { + drc = DNSRecordContent::mastermake(dnsResourceRecord.qtype, QClass::IN, dnsResourceRecord.content); + } + catch (const PDNSException& pe) { + std::string err = "Bad record content in record for '" + dnsResourceRecord.qname.toStringNoDot() + "'|" + dnsResourceRecord.qtype.toString() + ": " + pe.reason; + throw PDNSException(err); + } + catch (const std::exception& e) { + std::string err = "Bad record content in record for '" + dnsResourceRecord.qname.toStringNoDot() + "|" + dnsResourceRecord.qtype.toString() + "': " + e.what(); + throw PDNSException(err); + } + if (dnsResourceRecord.qtype == QType::SOA && 
dnsResourceRecord.qname == zone) { + soaRecordContent = std::dynamic_pointer_cast(drc); + } + if (dnsResourceRecord.qtype == QType::ZONEMD && dnsResourceRecord.qname == zone) { + auto zonemd = std::dynamic_pointer_cast(drc); + auto inserted = zonemdRecords.insert({pair(zonemd->d_scheme, zonemd->d_hashalgo), {zonemd, false}}); + if (!inserted.second) { + // Mark as duplicate + inserted.first->second.duplicate = true; + } + } + RRSetKey_t key = std::pair(dnsResourceRecord.qname, dnsResourceRecord.qtype); + resourceRecordSets[key].push_back(drc); + resourceRecordSetTTLs[key] = dnsResourceRecord.ttl; + } + + // Determine which digests to compute based on accepted zonemd records present + unique_ptr sha384digest{nullptr}, sha512digest{nullptr}; + + for (auto it = zonemdRecords.begin(); it != zonemdRecords.end();) { + // The SOA Serial field MUST exactly match the ZONEMD Serial + // field. If the fields do not match, digest verification MUST + // NOT be considered successful with this ZONEMD RR. + + // The Scheme field MUST be checked. If the verifier does not + // support the given scheme, verification MUST NOT be considered + // successful with this ZONEMD RR. + + // The Hash Algorithm field MUST be checked. If the verifier does + // not support the given hash algorithm, verification MUST NOT be + // considered successful with this ZONEMD RR. 
+ const auto duplicate = it->second.duplicate; + const auto& r = it->second.record; + if (!duplicate && r->d_serial == soaRecordContent->d_st.serial && r->d_scheme == 1 && (r->d_hashalgo == 1 || r->d_hashalgo == 2)) { + // A supported ZONEMD record + if (r->d_hashalgo == 1) { + sha384digest = make_unique(384); + } + else if (r->d_hashalgo == 2) { + sha512digest = make_unique(512); + } + ++it; + } + else { + it = zonemdRecords.erase(it); + } + } + + // A little helper + auto hash = [&sha384digest, &sha512digest](const std::string& msg) { + if (sha384digest) { + sha384digest->process(msg); + } + if (sha512digest) { + sha512digest->process(msg); + } + }; + + // Compute requested digests + for (auto& rrset : resourceRecordSets) { + const auto& qname = rrset.first.first; + const auto& qtype = rrset.first.second; + if (qtype == QType::ZONEMD && qname == zone) { + continue; // the apex ZONEMD is not digested + } + + sortedRecords_t sorted; + for (auto& rr : rrset.second) { + if (qtype == QType::RRSIG) { + const auto rrsig = std::dynamic_pointer_cast(rr); + if (rrsig->d_type == QType::ZONEMD && qname == zone) { + continue; + } + } + sorted.insert(rr); + } + + if (qtype != QType::RRSIG) { + RRSIGRecordContent rrc; + rrc.d_originalttl = resourceRecordSetTTLs[rrset.first]; + rrc.d_type = qtype; + auto msg = getMessageForRRSET(qname, rrc, sorted, false, false); + hash(msg); + } + else { + // RRSIG is special, since original TTL depends on qtype covered by RRSIG + // which can be different per record + for (const auto& rrsig : sorted) { + auto rrsigc = std::dynamic_pointer_cast(rrsig); + RRSIGRecordContent rrc; + rrc.d_originalttl = resourceRecordSetTTLs[pair(rrset.first.first, rrsigc->d_type)]; + rrc.d_type = qtype; + auto msg = getMessageForRRSET(qname, rrc, {rrsigc}, false, false); + hash(msg); + } + } + } + + // Final verify, we know we only have supported candidate ZONEDMD records + for (const auto& [k, v] : zonemdRecords) { + auto [zonemd, duplicate] = v; + if 
(zonemd->d_hashalgo == 1) { + validationDone = true; + auto computed = sha384digest->digest(); + if (constantTimeStringEquals(zonemd->d_digest, computed)) { + validationOK = true; + break; // Per RFC: a single succeeding validation is enough + } + } + else if (zonemd->d_hashalgo == 2) { + validationDone = true; + auto computed = sha512digest->digest(); + if (constantTimeStringEquals(zonemd->d_digest, computed)) { + validationOK = true; + break; // Per RFC: a single succeeding validation is enough + } + } + } +} diff --git a/pdns/zonemd.hh b/pdns/zonemd.hh new file mode 100644 index 000000000000..30917566888b --- /dev/null +++ b/pdns/zonemd.hh @@ -0,0 +1,33 @@ +/* + * This file is part of PowerDNS or dnsdist. + * Copyright -- PowerDNS.COM B.V. and its contributors + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as + * published by the Free Software Foundation. + * + * In addition, for the avoidance of any doubt, permission is granted to + * link this program with OpenSSL and to (re)distribute the binaries + * produced as the result of such linking. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ +#pragma once + +#include "config.h" + +class DNSName; +class ZoneParserTNG; + +namespace pdns +{ +void zonemdVerify(const DNSName& zone, ZoneParserTNG& zpt, bool& validationDone, bool& validationOK); + +} 
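Review bot: `pdns::zonemdVerify` dereferences `soaRecordContent` in the candidate-filter loop (`r->d_serial == soaRecordContent->d_st.serial`) without checking that an apex SOA was ever read. A zone file with an apex ZONEMD record but no apex SOA leaves that pointer null, so a malformed input crashes the verifier instead of producing a "not verified" result. Returning early after the read loop keeps it fail-closed, since both flags are already false: `if (!soaRecordContent) { return; }`. The results of `std::dynamic_pointer_cast` for the SOA, ZONEMD and RRSIG content are dereferenced unchecked as well, which is safe only if `mastermake` always returns the concrete type for those qtypes (not visible here). None of the added zone files covers the missing-SOA case, so a regression zone for it would be worth adding.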
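Review bot: The declaration of `pdns::zonemdVerify` in zonemd.hh has no comment, and its two `bool&` out-parameters are easy to misread: a caller must treat the zone as verified only when both are true. Going by zonemd.cc, `validationDone` means a supported, non-duplicate apex ZONEMD whose serial matches the SOA was evaluated, `validationOK` means one such digest matched, and unparsable record content is reported by throwing `PDNSException`. I would put that above the declaration, e.g. `// validationOK is only meaningful when validationDone is true; throws PDNSException on bad record content`.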
diff --git a/regression-tests/zones/zonemd-allunsup.zone b/regression-tests/zones/zonemd-allunsup.zone new file mode 100644 index 000000000000..e6d19d1690f8 --- /dev/null +++ b/regression-tests/zones/zonemd-allunsup.zone @@ -0,0 +1,14 @@ +example. 86400 IN SOA ns1 admin 2018031900 ( + 1800 900 604800 86400 ) +example. 86400 IN NS ns1.example. +example. 86400 IN NS ns2.example. +example. 86400 IN ZONEMD 2018031900 1 240 ( + e2d523f654b9422a + 96c5a8f44607bbee ) +example. 86400 IN ZONEMD 2018031900 241 1 ( + e1846540e33a9e41 + 89792d18d5d131f6 + 05fc283e ) +ns1.example. 3600 IN A 203.0.113.63 +ns2.example. 86400 IN TXT "This example has multiple digests" +NS2.EXAMPLE. 3600 IN AAAA 2001:db8::63 diff --git a/regression-tests/zones/zonemd-duplicate.zone b/regression-tests/zones/zonemd-duplicate.zone new file mode 100644 index 000000000000..7416e949adf1 --- /dev/null +++ b/regression-tests/zones/zonemd-duplicate.zone 
@@ -0,0 +1,41 @@ +example. 86400 IN SOA ns1 admin 2018031900 ( + 1800 900 604800 86400 ) + 86400 IN NS ns1 + 86400 IN NS ns2 + 86400 IN ZONEMD 2018031900 1 1 ( + a3b69bad980a3504 + e1cffcb0fd6397f9 + 3848071c93151f55 + 2ae2f6b1711d4bd2 + d8b39808226d7b9d + b71e34b72077f8fe ) + 86400 IN ZONEMD 2018031900 1 1 ( + a3b69bad980a3504 + e1cffcb0fd6397f9 + 3848071c93151f55 + 2ae2f6b1711d4bd2 + d8b39808226d7b9d + b71e34b72077f8fe ) +ns1 3600 IN A 203.0.113.63 +NS2 3600 IN AAAA 2001:db8::63 +occluded.sub 7200 IN TXT "I'm occluded but must be digested" +sub 7200 IN NS ns1 +duplicate 300 IN TXT "I must be digested just once" +duplicate 300 IN TXT "I must be digested just once" +foo.test. 555 IN TXT "out-of-zone data must be excluded" +UPPERCASE 3600 IN TXT "canonicalize uppercase owner names" +* 777 IN PTR dont-forget-about-wildcards +mail 3600 IN MX 20 MAIL1 +mail 3600 IN MX 10 Mail2.Example. +sortme 3600 IN AAAA 2001:db8::5:61 +sortme 3600 IN AAAA 2001:db8::3:62 +sortme 3600 IN AAAA 2001:db8::4:63 +sortme 3600 IN AAAA 2001:db8::1:65 +sortme 3600 IN AAAA 2001:db8::2:64 +non-apex 900 IN ZONEMD 2018031900 1 1 ( + 616c6c6f77656420 + 6275742069676e6f + 7265642e20616c6c + 6f77656420627574 + 2069676e6f726564 + 2e20616c6c6f7765 ) diff --git a/regression-tests/zones/zonemd-invalid.zone b/regression-tests/zones/zonemd-invalid.zone new file mode 100644 index 000000000000..c44416e1b44a --- /dev/null +++ b/regression-tests/zones/zonemd-invalid.zone @@ -0,0 +1,13 @@ +example. 86400 IN SOA ns1 admin 2018031900 ( + 1800 900 604800 86400 ) + 86400 IN NS ns1 + 86400 IN NS ns2 + 86400 IN ZONEMD 2018031900 1 1 ( + d68090d90a7aed71 + 6bc459f9340e3d7c + 1370d4d24b7e2fc3 + a1ddc0b9a87153b9 + a9713b3c9ae5cc27 + 777f98b8e730044c ) +ns1 3600 IN A 203.0.113.63 +ns2 3600 IN AAAA 2001:db8::63 diff --git a/regression-tests/zones/zonemd-nozonemd.zone b/regression-tests/zones/zonemd-nozonemd.zone new file mode 100644 index 000000000000..09e4ddbed661 --- /dev/null 
+++ b/regression-tests/zones/zonemd-nozonemd.zone @@ -0,0 +1,6 @@ +example. 86400 IN SOA ns1 admin 2018031900 ( + 1800 900 604800 86400 ) + 86400 IN NS ns1 + 86400 IN NS ns2 +ns1 3600 IN A 203.0.113.63 +ns2 3600 IN AAAA 2001:db8::63 diff --git a/regression-tests/zones/zonemd-serialmismatch.zone b/regression-tests/zones/zonemd-serialmismatch.zone new file mode 100644 index 000000000000..3d94984dea3e --- /dev/null +++ b/regression-tests/zones/zonemd-serialmismatch.zone 
@@ -0,0 +1,129 @@ +uri.arpa. 3600 IN SOA sns.dns.icann.org. ( + noc.dns.icann.org. 2018100702 10800 3600 1209600 3600 ) +uri.arpa. 3600 IN RRSIG SOA 8 2 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + GzQw+QzwLDJr13REPGVmpEChjD1D2XlX0ie1DnWHpgaEw1E/dhs3lCN3+B + mHd4Kx3tffTRgiyq65HxR6feQ5v7VmAifjyXUYB1DZur1eP5q0Ms2ygCB3 + byoeMgCNsFS1oKZ2LdzNBRpy3oace8xQn1SpmHGfyrsgg+WbHKCT1dY= ) +uri.arpa. 86400 IN NS a.iana-servers.net. +uri.arpa. 86400 IN NS b.iana-servers.net. +uri.arpa. 86400 IN NS c.iana-servers.net. +uri.arpa. 86400 IN NS ns2.lacnic.net. +uri.arpa. 86400 IN NS sec3.apnic.net. +uri.arpa. 86400 IN RRSIG NS 8 2 86400 ( + 20210217232440 20210120232440 37444 uri.arpa. + M+Iei2lcewWGaMtkPlrhM9FpUAHXFkCHTVpeyrjxjEONeNgKtHZor5e4V4 + qJBOzNqo8go/qJpWlFBm+T5Hn3asaBZVstFIYky38/C8UeRLPKq1hTTHAR + YUlFrexr5fMtSUAVOgOQPSBfH3xBq/BgSccTdRb9clD+HE7djpqrLS4= ) +uri.arpa. 600 IN MX 10 pechora.icann.org. +uri.arpa. 600 IN RRSIG MX 8 2 600 ( + 20210217232440 20210120232440 37444 uri.arpa. + kQAJQivmv6A5hqYBK8h6Z13ESY69gmosXwKI6WE09I8RFetfrxr24ecdnY + d0lpnDtgNNSoHkYRSOoB+C4+zuJsoyAAzGo9uoWMWj97/2xeGhf3PTC9me + Q9Ohi6hul9By7OR76XYmGhdWX8PBi60RUmZ1guslFBfQ8izwPqzuphs= ) +uri.arpa. 3600 IN DNSKEY 256 3 8 ( + AwEAAbMxuFuLeVDuOwIMzYOTD/bTREjLflo7wOi6ieIJhqltEzgjNzmWJf + 9kGwwDmzxU7kbthMEhBNBZNn84zmcyRSCMzuStWveL7xmqqUlE3swL8kLO + vdZvc75XnmpHrk3ndTyEb6eZM7slh2C63Oh6K8VR5VkiZAkEGg0uZIT3Nj + sF ) +uri.arpa. 3600 IN DNSKEY 257 3 8 ( + AwEAAdkTaWkZtZuRh7/OobBUFxM+ytTst+bCu0r9w+rEwXD7GbDs0pIMhM + enrZzoAvmv1fQxw2MGs6Ri6yPKfNULcFOSt9l8i6BVBLI+SKTY6XXeDUQp + SEmSaxohHeRPMQFzpysfjxINp/L2rGtZ7yPmxY/XRiFPSO0myqwGJa9r06 + Zw9CHM5UDHKWV/E+zxPFq/I7CfPbrrzbUotBX7Z6Vh3Sarllbe8cGUB2UF + NaTRgwB0TwDBPRD5ER3w2Dzbry9NhbElTr7vVfhaGWeOGuqAUXwlXEg6Cr + NkmJXJ2F1Rzr9WHUzhp7uWxhAbmJREGfi2dEyPAbUAyCjBqhFaqglknvc= ) +uri.arpa. 
3600 IN DNSKEY 257 3 8 ( + AwEAAenQaBoFmDmvRT+/H5oNbm0Tr5FmNRNDEun0Jpj/ELkzeUrTWhNpQm + ZeIMC8I0kZ185tEvOnRvn8OvV39B17QIdrvvKGIh2HlgeDRCLolhaojfn2 + QM0DStjF/WWHpxJOmE6CIuvhqYEU37yoJscGAPpPVPzNvnL1HhYTaao1VR + YWQ/maMrJ+bfHg+YX1N6M/8MnRjIKBif1FWjbCKvsn6dnuGGL9oCWYUFJ3 + DwofXuhgPyZMkzPc88YkJj5EMvbMH4wtelbCwC+ivx732l0w/rXJn0ciQS + OgoeVvDio8dIJmWQITWQAuP+q/ZHFEFHPlrP3gvQh5mcVS48eLX71Bq7c= ) +uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 ( + 20210217232440 20210120232440 12670 uri.arpa. + DBE2gkKAoxJCfz47KKxzoImN/0AKArhIVHE7TyTwy0DdRPo44V5R+vL6th + UxlQ1CJi2Rw0jwAXymx5Y3Q873pOEllH+4bJoIT4dmoBmPXfYWW7Clvw9U + PKHRP0igKHmCVwIeBYDTU3gfLcMTbR4nEWPDN0GxlL1Mf7ITaC2Ioabo79 + Ip3M/MR8I3Vx/xZ4ZKKPHtLn3xUuJluPNanqJrED2gTslL2xWZ1tqjsAjJ + v7JnJo2HJ8XVRB5zBto0IaJ2oBlqcjdcQ/0VlyoM8uOy1pDwHQ2BJl7322 + gNMHBP9HSiUPIOaIDNUCwW8eUcW6DIUk+s9u3GN1uTqwWzsYB/rA== ) +uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 ( + 20210217232440 20210120232440 30577 uri.arpa. + Kx6HwP4UlkGc1UZ7SERXtQjPajOF4iUvkwDj7MEG1xbQFB1KoJiEb/eiW0 + qmSWdIhMDv8myhgauejRLyJxwxz8HDRV4xOeHWnRGfWBk4XGYwkejVzOHz + oIArVdUVRbr2JKigcTOoyFN+uu52cNB7hRYu7dH5y1hlc6UbOnzRpMtGxc + gVyKQ+/ARbIqGG3pegdEOvV49wTPWEiyY65P2urqhvnRg5ok/jzwAdMx4X + Gshiib7Ojq0sRVl2ZIzj4rFgY/qsSO8SEXEhMo2VuSkoJNiofVzYoqpxEe + GnANkIT7Tx2xJL1BWyJxyc7E8Wr2QSgCcc+rYL6IkHDtJGHy7TaQ== ) +uri.arpa. 3600 IN ZONEMD 3018100702 1 1 ( + 0dbc3c4dbfd75777c12ca19c337854b1577799901307c482e9d91d5d15 + cd934d16319d98e30c4201cf25a1d5a0254960 ) +uri.arpa. 3600 IN RRSIG ZONEMD 8 2 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + QDo4XZcL3HMyn8aAHyCUsu/Tqj4Gkth8xY1EqByOb8XOTwVtA4ZNQORE1s + iqNqjtJUbeJPtJSbLNqCL7rCq0CzNNnBscv6IIf4gnqJZjlGtHO30ohXtK + vEc4z7SU3IASsi6bB3nLmEAyERdYSeU6UBfx8vatQDIRhkgEnnWUTh4= ) +uri.arpa. 3600 IN NSEC ftp.uri.arpa. ( + NS SOA MX RRSIG NSEC DNSKEY ZONEMD ) +uri.arpa. 3600 IN RRSIG NSEC 8 2 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. 
+ dU/rXLM/naWd1+1PiWiYVaNJyCkiuyZJSccr91pJI673T8r3685B4ODMYF + afZRboVgwnl3ZrXddY6xOhZL3n9V9nxXZwjLJ2HJUojFoKcXTlpnUyYUYv + VQ2kj4GHAo6fcGCEp5QFJ2KbCpeJoS+PhKGRRx28icCiNT4/uXQvO2E= ) +ftp.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "!^ftp://([^:/?#]*).*$!\\1!i" . ) +ftp.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20210217232440 20210120232440 37444 uri.arpa. + EygekDgl+Lyyq4NMSEpPyOrOywYf9Y3FAB4v1DT44J3R5QGidaH8l7ZFjH + oYFI8sY64iYOCV4sBnX/dh6C1L5NgpY+8l5065Xu3vvjyzbtuJ2k6YYwJr + rCbvl5DDn53zAhhO2hL9uLgyLraZGi9i7TFGd0sm3zNyUF/EVL0CcxU= ) +ftp.uri.arpa. 3600 IN NSEC http.uri.arpa. ( + NAPTR RRSIG NSEC ) +ftp.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + pbP4KxevPXCu/bDqcvXiuBppXyFEmtHyiy0eAN5gS7mi6mp9Z9bWFjx/Ld + H9+6oFGYa5vGmJ5itu/4EDMe8iQeZbI8yrpM4TquB7RR/MGfBnTd8S+sjy + QtlRYG7yqEu77Vd78Fme22BKPJ+MVqjS0JHMUE/YUGomPkAjLJJwwGw= ) +http.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "!^http://([^:/?#]*).*$!\\1!i" . ) +http.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20210217232440 20210120232440 37444 uri.arpa. + eTqbWvt1GvTeXozuvm4ebaAfkXFQKrtdu0cEiExto80sHIiCbO0WL8UDa/ + J3cDivtQca7LgUbOb6c17NESsrsVkc6zNPx5RK2tG7ZQYmhYmtqtfg1oU5 + BRdHZ5TyqIXcHlw9Blo2pir1Y9IQgshhD7UOGkbkEmvB1Lrd0aHhAAg= ) +http.uri.arpa. 3600 IN NSEC mailto.uri.arpa. ( + NAPTR RRSIG NSEC ) +http.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + R9rlNzw1CVz2N08q6DhULzcsuUm0UKcPaGAWEU40tr81jEDHsFHNM+khCd + OI8nDstzA42aee4rwCEgijxJpRCcY9hrO1Ysrrr2fdqNz60JikMdarvU5O + 0p0VXeaaJDfJQT44+o+YXaBwI7Qod3FTMx7aRib8i7istvPm1Rr7ixA= ) +mailto.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "!^mailto:(.*)@(.*)$!\\2!i" . ) +mailto.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20210217232440 20210120232440 37444 uri.arpa. + Ch2zTG2F1plEvQPyIH4Yd80XXLjXOPvMbiqDjpJBcnCJsV8QF7kr0wTLnU + T3dB+asQudOjPyzaHGwFlMzmrrAsszN4XAMJ6htDtFJdsgTMP/NkHhYRSm + Vv6rLeAhd+mVfObY12M//b/GGVTjeUI/gJaLW0fLVZxr1Fp5U5CRjyw= ) +mailto.uri.arpa. 
3600 IN NSEC urn.uri.arpa. ( + NAPTR RRSIG NSEC ) +mailto.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + fQUbSIE6E7JDi2rosah4SpCOTrKufeszFyj5YEavbQuYlQ5cNFvtm8KuE2 + xXMRgRI4RGvM2leVqcoDw5hS3m2pOJLxH8l2WE72YjYvWhvnwc5Rofe/8y + B/vaSK9WCnqN8y2q6Vmy73AGP0fuiwmuBra7LlkOiqmyx3amSFizwms= ) +urn.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "/urn:([^:]+)/\\1/i" . ) +urn.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20210217232440 20210120232440 37444 uri.arpa. + CVt2Tgz0e5ZmaSXqRfNys/8OtVCk9nfP0zhezhN8Bo6MDt6yyKZ2kEEWJP + jkN7PCYHjO8fGjnUn0AHZI2qBNv7PKHcpR42VY03q927q85a65weOO1YE0 + vPYMzACpua9TOtfNnynM2Ws0uN9URxUyvYkXBdqOC81N3sx1dVELcwc= ) +urn.uri.arpa. 3600 IN NSEC uri.arpa. NAPTR RRSIG NSEC +urn.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + JuKkMiC3/j9iM3V8/izcouXWAVGnSZjkOgEgFPhutMqoylQNRcSkbEZQzF + K8B/PIVdzZF0Y5xkO6zaKQjOzz6OkSaNPIo1a7Vyyl3wDY/uLCRRAHRJfp + knuY7O+AUNXvVVIEYJqZggd4kl/Rjh1GTzPYZTRrVi5eQidI1LqCOeg= ) + diff --git a/regression-tests/zones/zonemd-sha512.zone b/regression-tests/zones/zonemd-sha512.zone new file mode 100644 index 000000000000..617f1c4a6098 --- /dev/null +++ b/regression-tests/zones/zonemd-sha512.zone 
@@ -0,0 +1,30 @@ +example. 86400 IN SOA ns1 admin 2018031900 ( + 1800 900 604800 86400 ) +example. 86400 IN NS ns1.example. +example. 86400 IN NS ns2.example. +example. 86400 IN ZONEMD 2018031900 1 1 ( + 62e6cf51b02e54b9 + b5f967d547ce4313 + 6792901f9f88e637 + 493daaf401c92c27 + 9dd10f0edb1c56f8 + 080211f8480ee306 ) +example. 86400 IN ZONEMD 2018031900 1 2 ( + 08cfa1115c7b948c + 4163a901270395ea + 226a930cd2cbcf2f + a9a5e6eb85f37c8a + 4e114d884e66f176 + eab121cb02db7d65 + 2e0cc4827e7a3204 + f166b47e5613fd27 ) +example. 86400 IN ZONEMD 2018031900 1 240 ( + e2d523f654b9422a + 96c5a8f44607bbee ) +example. 86400 IN ZONEMD 2018031900 241 1 ( + e1846540e33a9e41 + 89792d18d5d131f6 + 05fc283e ) +ns1.example. 3600 IN A 203.0.113.63 +ns2.example. 86400 IN TXT "This example has multiple digests" +NS2.EXAMPLE. 3600 IN AAAA 2001:db8::63 diff --git a/regression-tests/zones/zonemd-syntax.zone b/regression-tests/zones/zonemd-syntax.zone new file mode 100644 index 000000000000..49a96442cfe9 --- /dev/null +++ b/regression-tests/zones/zonemd-syntax.zone 
@@ -0,0 +1,48 @@ +root-servers.net. 3600000 IN SOA a.root-servers.net. ( + nstld.verisign-grs.com. 2018091100 14400 7200 1209600 3600000 ) +root-servers.net. 3600000 IN NS a.root-servers.net. +root-servers.net. 3600000 IN NS b.root-servers.net. +root-servers.net. 3600000 IN NS c.root-servers.net. +root-servers.net. 3600000 IN NS d.root-servers.net. +root-servers.net. 3600000 IN NS e.root-servers.net. +root-servers.net. 3600000 IN NS f.root-servers.net. +root-servers.net. 3600000 IN NS g.root-servers.net. +root-servers.net. 3600000 IN NS h.root-servers.net. +root-servers.net. 3600000 IN NS i.root-servers.net. +root-servers.net. 3600000 IN NS j.root-servers.net. +root-servers.net. 3600000 IN NS k.root-servers.net. +root-servers.net. 3600000 IN NS l.root-servers.net. +root-servers.net. 3600000 IN NS m.root-servers.net. +a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30 +a.root-servers.net. 3600000 IN A 198.41.0.4 +b.root-servers.net. 3600000 IN MX 20 mail.isi.edu. +b.root-servers.net. 3600000 IN AAAA 2001:500:200::b +b.root-servers.net. 3600000 IN A 199.9.14.201 +c.root-servers.net. 3600000 IN AAAA 2001:500:2::c +c.root-servers.net. 3600000 IN A 192.33.4.12 +d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d +d.root-servers.net. 3600000 IN A 199.7.91.13 +e.root-servers.net. 3600000 IN AAAA 2001:500:a8::e +e.root-servers.net. 3600000 IN A 192.203.230.10 +f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f +f.root-servers.net. 3600000 IN A 192.5.5.241 +g.root-servers.net. 3600000 IN AAAA 2001:500:12::d0d +g.root-servers.net. 3600000 IN A 192.112.36.4 +h.root-servers.net. 3600000 IN AAAA 2001:500:1::53 +h.root-servers.net. 3600000 IN A 198.97.190.53 +i.root-servers.net. 3600000 IN MX 10 mx.i.root-servers.org. +i.root-servers.net. 3600000 IN AAAA 2001:7fe::53 +i.root-servers.net. 3600000 IN A 192.36.148.17 +j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30 +j.root-servers.net. 3600000 IN A 192.58.128.30 +k.root-servers.net. 
3600000 IN AAAA 2001:7fd::1 +k.root-servers.net. 3600000 IN A 193.0.14.129 +l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42 +l.root-servers.net. 3600000 IN A 199.7.83.42 +m.root-servers.net. 3600000 IN AAAA 2001:dc3::35 +m.root-servers.net. 3600000 IN A +root-servers.net. 3600000 IN SOA a.root-servers.net. ( + nstld.verisign-grs.com. 2018091100 14400 7200 1209600 3600000 ) +root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 ( + f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a97 + 8a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79 ) diff --git a/regression-tests/zones/zonemd1.zone b/regression-tests/zones/zonemd1.zone new file mode 100644 index 000000000000..42aaea71f1ed --- /dev/null +++ b/regression-tests/zones/zonemd1.zone @@ -0,0 +1,13 @@ +example. 86400 IN SOA ns1 admin 2018031900 ( + 1800 900 604800 86400 ) + 86400 IN NS ns1 + 86400 IN NS ns2 + 86400 IN ZONEMD 2018031900 1 1 ( + c68090d90a7aed71 + 6bc459f9340e3d7c + 1370d4d24b7e2fc3 + a1ddc0b9a87153b9 + a9713b3c9ae5cc27 + 777f98b8e730044c ) +ns1 3600 IN A 203.0.113.63 +ns2 3600 IN AAAA 2001:db8::63 diff --git a/regression-tests/zones/zonemd2.zone b/regression-tests/zones/zonemd2.zone new file mode 100644 index 000000000000..bac6fa38b84d --- /dev/null +++ b/regression-tests/zones/zonemd2.zone 
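Review bot: The `m.root-servers.net. 3600000 IN A` line near the end of zonemd-syntax.zone has no address, and nothing marks that as deliberate. The file otherwise matches zonemd5.zone, which carries `202.12.27.33` there, so this looks like the negative case for a parse error. A comment above the line, for example `; deliberately malformed: A record without RDATA; loading must fail and verification must not report success`, would stop a later cleanup from "repairing" the fixture and silently dropping the fail-closed check. It is worth confirming that the accompanying test expects an error here rather than a mere digest mismatch.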
@@ -0,0 +1,34 @@
+example. 86400 IN SOA ns1 admin 2018031900 (
+ 1800 900 604800 86400 )
+ 86400 IN NS ns1
+ 86400 IN NS ns2
+ 86400 IN ZONEMD 2018031900 1 1 (
+ a3b69bad980a3504
+ e1cffcb0fd6397f9
+ 3848071c93151f55
+ 2ae2f6b1711d4bd2
+ d8b39808226d7b9d
+ b71e34b72077f8fe )
+ns1 3600 IN A 203.0.113.63
+NS2 3600 IN AAAA 2001:db8::63
+occluded.sub 7200 IN TXT "I'm occluded but must be digested"
+sub 7200 IN NS ns1
+duplicate 300 IN TXT "I must be digested just once"
+duplicate 300 IN TXT "I must be digested just once"
+foo.test. 555 IN TXT "out-of-zone data must be excluded"
+UPPERCASE 3600 IN TXT "canonicalize uppercase owner names"
+* 777 IN PTR dont-forget-about-wildcards
+mail 3600 IN MX 20 MAIL1
+mail 3600 IN MX 10 Mail2.Example.
+sortme 3600 IN AAAA 2001:db8::5:61
+sortme 3600 IN AAAA 2001:db8::3:62
+sortme 3600 IN AAAA 2001:db8::4:63
+sortme 3600 IN AAAA 2001:db8::1:65
+sortme 3600 IN AAAA 2001:db8::2:64
+non-apex 900 IN ZONEMD 2018031900 1 1 (
+ 616c6c6f77656420
+ 6275742069676e6f
+ 7265642e20616c6c
+ 6f77656420627574
+ 2069676e6f726564
+ 2e20616c6c6f7765 )
diff --git a/regression-tests/zones/zonemd3.zone b/regression-tests/zones/zonemd3.zone
new file mode 100644
index 000000000000..217c7d68cab9
--- /dev/null
+++ b/regression-tests/zones/zonemd3.zone
@@ -0,0 +1,23 @@
+example. 86400 IN SOA ns1 admin 2018031900 (
+ 1800 900 604800 86400 )
+example. 86400 IN NS ns1.example.
+example. 86400 IN NS ns2.example.
+example. 86400 IN ZONEMD 2018031900 1 2 (
+ 08cfa1115c7b948c
+ 4163a901270395ea
+ 226a930cd2cbcf2f
+ a9a5e6eb85f37c8a
+ 4e114d884e66f176
+ eab121cb02db7d65
+ 2e0cc4827e7a3204
+ f166b47e5613fd27 )
+example. 86400 IN ZONEMD 2018031900 1 240 (
+ e2d523f654b9422a
+ 96c5a8f44607bbee )
+example. 86400 IN ZONEMD 2018031900 241 1 (
+ e1846540e33a9e41
+ 89792d18d5d131f6
+ 05fc283e )
+ns1.example. 3600 IN A 203.0.113.63
+ns2.example. 86400 IN TXT "This example has multiple digests"
+NS2.EXAMPLE. 3600 IN AAAA 2001:db8::63
diff --git a/regression-tests/zones/zonemd4.zone b/regression-tests/zones/zonemd4.zone
new file mode 100644
index 000000000000..ef8e91bf8fda
--- /dev/null
+++ b/regression-tests/zones/zonemd4.zone
@@ -0,0 +1,129 @@ +uri.arpa. 3600 IN SOA sns.dns.icann.org. ( + noc.dns.icann.org. 2018100702 10800 3600 1209600 3600 ) +uri.arpa. 3600 IN RRSIG SOA 8 2 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + GzQw+QzwLDJr13REPGVmpEChjD1D2XlX0ie1DnWHpgaEw1E/dhs3lCN3+B + mHd4Kx3tffTRgiyq65HxR6feQ5v7VmAifjyXUYB1DZur1eP5q0Ms2ygCB3 + byoeMgCNsFS1oKZ2LdzNBRpy3oace8xQn1SpmHGfyrsgg+WbHKCT1dY= ) +uri.arpa. 86400 IN NS a.iana-servers.net. +uri.arpa. 86400 IN NS b.iana-servers.net. +uri.arpa. 86400 IN NS c.iana-servers.net. +uri.arpa. 86400 IN NS ns2.lacnic.net. +uri.arpa. 86400 IN NS sec3.apnic.net. +uri.arpa. 86400 IN RRSIG NS 8 2 86400 ( + 20210217232440 20210120232440 37444 uri.arpa. + M+Iei2lcewWGaMtkPlrhM9FpUAHXFkCHTVpeyrjxjEONeNgKtHZor5e4V4 + qJBOzNqo8go/qJpWlFBm+T5Hn3asaBZVstFIYky38/C8UeRLPKq1hTTHAR + YUlFrexr5fMtSUAVOgOQPSBfH3xBq/BgSccTdRb9clD+HE7djpqrLS4= ) +uri.arpa. 600 IN MX 10 pechora.icann.org. +uri.arpa. 600 IN RRSIG MX 8 2 600 ( + 20210217232440 20210120232440 37444 uri.arpa. + kQAJQivmv6A5hqYBK8h6Z13ESY69gmosXwKI6WE09I8RFetfrxr24ecdnY + d0lpnDtgNNSoHkYRSOoB+C4+zuJsoyAAzGo9uoWMWj97/2xeGhf3PTC9me + Q9Ohi6hul9By7OR76XYmGhdWX8PBi60RUmZ1guslFBfQ8izwPqzuphs= ) +uri.arpa. 3600 IN DNSKEY 256 3 8 ( + AwEAAbMxuFuLeVDuOwIMzYOTD/bTREjLflo7wOi6ieIJhqltEzgjNzmWJf + 9kGwwDmzxU7kbthMEhBNBZNn84zmcyRSCMzuStWveL7xmqqUlE3swL8kLO + vdZvc75XnmpHrk3ndTyEb6eZM7slh2C63Oh6K8VR5VkiZAkEGg0uZIT3Nj + sF ) +uri.arpa. 3600 IN DNSKEY 257 3 8 ( + AwEAAdkTaWkZtZuRh7/OobBUFxM+ytTst+bCu0r9w+rEwXD7GbDs0pIMhM + enrZzoAvmv1fQxw2MGs6Ri6yPKfNULcFOSt9l8i6BVBLI+SKTY6XXeDUQp + SEmSaxohHeRPMQFzpysfjxINp/L2rGtZ7yPmxY/XRiFPSO0myqwGJa9r06 + Zw9CHM5UDHKWV/E+zxPFq/I7CfPbrrzbUotBX7Z6Vh3Sarllbe8cGUB2UF + NaTRgwB0TwDBPRD5ER3w2Dzbry9NhbElTr7vVfhaGWeOGuqAUXwlXEg6Cr + NkmJXJ2F1Rzr9WHUzhp7uWxhAbmJREGfi2dEyPAbUAyCjBqhFaqglknvc= ) +uri.arpa. 
3600 IN DNSKEY 257 3 8 ( + AwEAAenQaBoFmDmvRT+/H5oNbm0Tr5FmNRNDEun0Jpj/ELkzeUrTWhNpQm + ZeIMC8I0kZ185tEvOnRvn8OvV39B17QIdrvvKGIh2HlgeDRCLolhaojfn2 + QM0DStjF/WWHpxJOmE6CIuvhqYEU37yoJscGAPpPVPzNvnL1HhYTaao1VR + YWQ/maMrJ+bfHg+YX1N6M/8MnRjIKBif1FWjbCKvsn6dnuGGL9oCWYUFJ3 + DwofXuhgPyZMkzPc88YkJj5EMvbMH4wtelbCwC+ivx732l0w/rXJn0ciQS + OgoeVvDio8dIJmWQITWQAuP+q/ZHFEFHPlrP3gvQh5mcVS48eLX71Bq7c= ) +uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 ( + 20210217232440 20210120232440 12670 uri.arpa. + DBE2gkKAoxJCfz47KKxzoImN/0AKArhIVHE7TyTwy0DdRPo44V5R+vL6th + UxlQ1CJi2Rw0jwAXymx5Y3Q873pOEllH+4bJoIT4dmoBmPXfYWW7Clvw9U + PKHRP0igKHmCVwIeBYDTU3gfLcMTbR4nEWPDN0GxlL1Mf7ITaC2Ioabo79 + Ip3M/MR8I3Vx/xZ4ZKKPHtLn3xUuJluPNanqJrED2gTslL2xWZ1tqjsAjJ + v7JnJo2HJ8XVRB5zBto0IaJ2oBlqcjdcQ/0VlyoM8uOy1pDwHQ2BJl7322 + gNMHBP9HSiUPIOaIDNUCwW8eUcW6DIUk+s9u3GN1uTqwWzsYB/rA== ) +uri.arpa. 3600 IN RRSIG DNSKEY 8 2 3600 ( + 20210217232440 20210120232440 30577 uri.arpa. + Kx6HwP4UlkGc1UZ7SERXtQjPajOF4iUvkwDj7MEG1xbQFB1KoJiEb/eiW0 + qmSWdIhMDv8myhgauejRLyJxwxz8HDRV4xOeHWnRGfWBk4XGYwkejVzOHz + oIArVdUVRbr2JKigcTOoyFN+uu52cNB7hRYu7dH5y1hlc6UbOnzRpMtGxc + gVyKQ+/ARbIqGG3pegdEOvV49wTPWEiyY65P2urqhvnRg5ok/jzwAdMx4X + Gshiib7Ojq0sRVl2ZIzj4rFgY/qsSO8SEXEhMo2VuSkoJNiofVzYoqpxEe + GnANkIT7Tx2xJL1BWyJxyc7E8Wr2QSgCcc+rYL6IkHDtJGHy7TaQ== ) +uri.arpa. 3600 IN ZONEMD 2018100702 1 1 ( + 0dbc3c4dbfd75777c12ca19c337854b1577799901307c482e9d91d5d15 + cd934d16319d98e30c4201cf25a1d5a0254960 ) +uri.arpa. 3600 IN RRSIG ZONEMD 8 2 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + QDo4XZcL3HMyn8aAHyCUsu/Tqj4Gkth8xY1EqByOb8XOTwVtA4ZNQORE1s + iqNqjtJUbeJPtJSbLNqCL7rCq0CzNNnBscv6IIf4gnqJZjlGtHO30ohXtK + vEc4z7SU3IASsi6bB3nLmEAyERdYSeU6UBfx8vatQDIRhkgEnnWUTh4= ) +uri.arpa. 3600 IN NSEC ftp.uri.arpa. ( + NS SOA MX RRSIG NSEC DNSKEY ZONEMD ) +uri.arpa. 3600 IN RRSIG NSEC 8 2 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. 
+ dU/rXLM/naWd1+1PiWiYVaNJyCkiuyZJSccr91pJI673T8r3685B4ODMYF + afZRboVgwnl3ZrXddY6xOhZL3n9V9nxXZwjLJ2HJUojFoKcXTlpnUyYUYv + VQ2kj4GHAo6fcGCEp5QFJ2KbCpeJoS+PhKGRRx28icCiNT4/uXQvO2E= ) +ftp.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "!^ftp://([^:/?#]*).*$!\\1!i" . ) +ftp.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20210217232440 20210120232440 37444 uri.arpa. + EygekDgl+Lyyq4NMSEpPyOrOywYf9Y3FAB4v1DT44J3R5QGidaH8l7ZFjH + oYFI8sY64iYOCV4sBnX/dh6C1L5NgpY+8l5065Xu3vvjyzbtuJ2k6YYwJr + rCbvl5DDn53zAhhO2hL9uLgyLraZGi9i7TFGd0sm3zNyUF/EVL0CcxU= ) +ftp.uri.arpa. 3600 IN NSEC http.uri.arpa. ( + NAPTR RRSIG NSEC ) +ftp.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + pbP4KxevPXCu/bDqcvXiuBppXyFEmtHyiy0eAN5gS7mi6mp9Z9bWFjx/Ld + H9+6oFGYa5vGmJ5itu/4EDMe8iQeZbI8yrpM4TquB7RR/MGfBnTd8S+sjy + QtlRYG7yqEu77Vd78Fme22BKPJ+MVqjS0JHMUE/YUGomPkAjLJJwwGw= ) +http.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "!^http://([^:/?#]*).*$!\\1!i" . ) +http.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20210217232440 20210120232440 37444 uri.arpa. + eTqbWvt1GvTeXozuvm4ebaAfkXFQKrtdu0cEiExto80sHIiCbO0WL8UDa/ + J3cDivtQca7LgUbOb6c17NESsrsVkc6zNPx5RK2tG7ZQYmhYmtqtfg1oU5 + BRdHZ5TyqIXcHlw9Blo2pir1Y9IQgshhD7UOGkbkEmvB1Lrd0aHhAAg= ) +http.uri.arpa. 3600 IN NSEC mailto.uri.arpa. ( + NAPTR RRSIG NSEC ) +http.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + R9rlNzw1CVz2N08q6DhULzcsuUm0UKcPaGAWEU40tr81jEDHsFHNM+khCd + OI8nDstzA42aee4rwCEgijxJpRCcY9hrO1Ysrrr2fdqNz60JikMdarvU5O + 0p0VXeaaJDfJQT44+o+YXaBwI7Qod3FTMx7aRib8i7istvPm1Rr7ixA= ) +mailto.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "!^mailto:(.*)@(.*)$!\\2!i" . ) +mailto.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20210217232440 20210120232440 37444 uri.arpa. + Ch2zTG2F1plEvQPyIH4Yd80XXLjXOPvMbiqDjpJBcnCJsV8QF7kr0wTLnU + T3dB+asQudOjPyzaHGwFlMzmrrAsszN4XAMJ6htDtFJdsgTMP/NkHhYRSm + Vv6rLeAhd+mVfObY12M//b/GGVTjeUI/gJaLW0fLVZxr1Fp5U5CRjyw= ) +mailto.uri.arpa. 
3600 IN NSEC urn.uri.arpa. ( + NAPTR RRSIG NSEC ) +mailto.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + fQUbSIE6E7JDi2rosah4SpCOTrKufeszFyj5YEavbQuYlQ5cNFvtm8KuE2 + xXMRgRI4RGvM2leVqcoDw5hS3m2pOJLxH8l2WE72YjYvWhvnwc5Rofe/8y + B/vaSK9WCnqN8y2q6Vmy73AGP0fuiwmuBra7LlkOiqmyx3amSFizwms= ) +urn.uri.arpa. 604800 IN NAPTR 0 0 "" "" ( + "/urn:([^:]+)/\\1/i" . ) +urn.uri.arpa. 604800 IN RRSIG NAPTR 8 3 604800 ( + 20210217232440 20210120232440 37444 uri.arpa. + CVt2Tgz0e5ZmaSXqRfNys/8OtVCk9nfP0zhezhN8Bo6MDt6yyKZ2kEEWJP + jkN7PCYHjO8fGjnUn0AHZI2qBNv7PKHcpR42VY03q927q85a65weOO1YE0 + vPYMzACpua9TOtfNnynM2Ws0uN9URxUyvYkXBdqOC81N3sx1dVELcwc= ) +urn.uri.arpa. 3600 IN NSEC uri.arpa. NAPTR RRSIG NSEC +urn.uri.arpa. 3600 IN RRSIG NSEC 8 3 3600 ( + 20210217232440 20210120232440 37444 uri.arpa. + JuKkMiC3/j9iM3V8/izcouXWAVGnSZjkOgEgFPhutMqoylQNRcSkbEZQzF + K8B/PIVdzZF0Y5xkO6zaKQjOzz6OkSaNPIo1a7Vyyl3wDY/uLCRRAHRJfp + knuY7O+AUNXvVVIEYJqZggd4kl/Rjh1GTzPYZTRrVi5eQidI1LqCOeg= ) + diff --git a/regression-tests/zones/zonemd5.zone b/regression-tests/zones/zonemd5.zone new file mode 100644 index 000000000000..246f5e2376db --- /dev/null +++ b/regression-tests/zones/zonemd5.zone 
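Review bot: Every RRSIG in zonemd4.zone, including the one over the apex ZONEMD RRset, has a fixed validity window of 20210120232440 to 20210217232440, and the fixture does not say whether those signatures are meant to be checked. If the verification under test only recomputes the digest, a match on this signed zone shows integrity against the ZONEMD record but not authenticity, because the record itself is trusted without validating its RRSIG. If signature validation is added later, the test will need a pinned clock to keep passing. A header comment such as `; signed zone, RRSIGs valid 20210120-20210217; test checks the digest only, signatures are not validated` would make that limit explicit. Which of the two behaviours the verifier implements is not visible from this hunk.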
@@ -0,0 +1,48 @@ +root-servers.net. 3600000 IN SOA a.root-servers.net. ( + nstld.verisign-grs.com. 2018091100 14400 7200 1209600 3600000 ) +root-servers.net. 3600000 IN NS a.root-servers.net. +root-servers.net. 3600000 IN NS b.root-servers.net. +root-servers.net. 3600000 IN NS c.root-servers.net. +root-servers.net. 3600000 IN NS d.root-servers.net. +root-servers.net. 3600000 IN NS e.root-servers.net. +root-servers.net. 3600000 IN NS f.root-servers.net. +root-servers.net. 3600000 IN NS g.root-servers.net. +root-servers.net. 3600000 IN NS h.root-servers.net. +root-servers.net. 3600000 IN NS i.root-servers.net. +root-servers.net. 3600000 IN NS j.root-servers.net. +root-servers.net. 3600000 IN NS k.root-servers.net. +root-servers.net. 3600000 IN NS l.root-servers.net. +root-servers.net. 3600000 IN NS m.root-servers.net. +a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30 +a.root-servers.net. 3600000 IN A 198.41.0.4 +b.root-servers.net. 3600000 IN MX 20 mail.isi.edu. +b.root-servers.net. 3600000 IN AAAA 2001:500:200::b +b.root-servers.net. 3600000 IN A 199.9.14.201 +c.root-servers.net. 3600000 IN AAAA 2001:500:2::c +c.root-servers.net. 3600000 IN A 192.33.4.12 +d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d +d.root-servers.net. 3600000 IN A 199.7.91.13 +e.root-servers.net. 3600000 IN AAAA 2001:500:a8::e +e.root-servers.net. 3600000 IN A 192.203.230.10 +f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f +f.root-servers.net. 3600000 IN A 192.5.5.241 +g.root-servers.net. 3600000 IN AAAA 2001:500:12::d0d +g.root-servers.net. 3600000 IN A 192.112.36.4 +h.root-servers.net. 3600000 IN AAAA 2001:500:1::53 +h.root-servers.net. 3600000 IN A 198.97.190.53 +i.root-servers.net. 3600000 IN MX 10 mx.i.root-servers.org. +i.root-servers.net. 3600000 IN AAAA 2001:7fe::53 +i.root-servers.net. 3600000 IN A 192.36.148.17 +j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30 +j.root-servers.net. 3600000 IN A 192.58.128.30 +k.root-servers.net. 
3600000 IN AAAA 2001:7fd::1 +k.root-servers.net. 3600000 IN A 193.0.14.129 +l.root-servers.net. 3600000 IN AAAA 2001:500:9f::42 +l.root-servers.net. 3600000 IN A 199.7.83.42 +m.root-servers.net. 3600000 IN AAAA 2001:dc3::35 +m.root-servers.net. 3600000 IN A 202.12.27.33 +root-servers.net. 3600000 IN SOA a.root-servers.net. ( + nstld.verisign-grs.com. 2018091100 14400 7200 1209600 3600000 ) +root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 ( + f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a97 + 8a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79 )