From 3a741d7f949f3cd5ecdea05a38a8760eae79318c Mon Sep 17 00:00:00 2001 From: Kees Monshouwer Date: Fri, 20 Sep 2013 00:53:47 +0200 Subject: [PATCH] fix NSEC3s for DS no data (mode 1) --- pdns/packethandler.cc | 43 +++++++++++-------- pdns/packethandler.hh | 2 +- regression-tests/.gitignore | 4 +- .../expected_result.narrow | 12 ++---- .../expected_result.nsec3 | 4 -- .../expected_result.narrow | 6 +-- .../expected_result.nsec3 | 2 - .../expected_result.narrow | 6 +-- .../expected_result.nsec3 | 2 - .../expected_result.narrow | 6 +-- .../expected_result.nsec3 | 2 - .../expected_result.narrow | 6 +-- .../expected_result.nsec3 | 2 - 13 files changed, 41 insertions(+), 56 deletions(-) diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc index 3ca60de48c..c946f9d38d 100644 --- a/pdns/packethandler.cc +++ b/pdns/packethandler.cc @@ -550,7 +550,7 @@ static void decrementHash(std::string& raw) // I wonder if this is correct, cmou } -bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after) +bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after, int mode) { bool ret; if(narrow) { // nsec3-narrow @@ -564,7 +564,7 @@ bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hash incrementHash(after); } else { - if (decrement) + if (decrement || mode ==1) before.clear(); else before=' '; @@ -587,6 +587,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c return; } + bool doNextcloser = false; string unhashed, hashed, before, after; string closest; @@ -596,33 +597,41 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c } else closest=target; - if (mode == 1) { - DNSResourceRecord rr; - while( chopOff( closest ) && (closest != sd.qname)) { // stop at SOA - B.lookup(QType(QType::ANY), closest, p, sd.domain_id); - if (B.get(rr)) { - while(B.get(rr)); - break; - } - } - } - // add matching NSEC3 RR // we used to skip this one for mode 3, but old BIND needs it // see https://github.com/PowerDNS/pdns/issues/814 if (mode != 3 || g_addSuperfluousNSEC3) { - unhashed=(mode == 0 || mode == 5) ? target : closest; - + unhashed=(mode == 0 || mode == 1 || mode == 5) ? target : closest; hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed); DLOG(L<<"1 hash: "<= 2 && mode <= 4) || doNextcloser) { string next(target); do { unhashed=next; diff --git a/pdns/packethandler.hh b/pdns/packethandler.hh index ac60b36df9..b8f61a94cc 100644 --- a/pdns/packethandler.hh +++ b/pdns/packethandler.hh @@ -115,5 +115,5 @@ private: DNSSECKeeper d_dk; // same, might even share B? }; void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOAData& sd, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode); -bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after); +bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hashed, bool decrement, string& unhashed, string& before, string& after, int mode=0); #endif /* PACKETHANDLER */ diff --git a/regression-tests/.gitignore b/regression-tests/.gitignore index 48dd9087f3..7e7cda0e77 100644 --- a/regression-tests/.gitignore +++ b/regression-tests/.gitignore @@ -31,8 +31,8 @@ real_result /nsd.* /nsd-slave.* /*.nsd -/ixfr-slave.db -/ixfr-slave.state +/ixfr*.db +/ixfr*.state /*.signed /*.bind /dsset-* diff --git a/regression-tests/1dyndns-update-delegate-in-between/expected_result.narrow b/regression-tests/1dyndns-update-delegate-in-between/expected_result.narrow index 008635edce..0d05ebcf97 100644 --- a/regression-tests/1dyndns-update-delegate-in-between/expected_result.narrow +++ b/regression-tests/1dyndns-update-delegate-in-between/expected_result.narrow @@ -136,10 +136,8 @@ Reply to question for qname='a.host.test.dyndns.', qtype=ANY Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 Reply to question for qname='b.host.test.dyndns.', qtype=ANY 1 c.host.test.dyndns. IN NS 3600 ns1.c.host.test.dyndns. -1 fgun0ru4oe3g76tr551hg97mpu37b6mh.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FGUN0RU4OE3G76TR551HG97MPU37B6MJ -1 fgun0ru4oe3g76tr551hg97mpu37b6mh.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... -1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd LMRSADK2BB62QPRUAULES5I5AP06CP56 -1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... +1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FGUN0RU4OE3G76TR551HG97MPU37B6MJ NS +1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... 2 . IN OPT 32768 2 ns1.c.host.test.dyndns. IN A 3600 192.168.0.1 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 @@ -194,10 +192,8 @@ Reply to question for qname='a.a.host.test.dyndns.', qtype=ANY Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 Reply to question for qname='b.b.host.test.dyndns.', qtype=ANY 1 c.host.test.dyndns. IN NS 3600 ns1.c.host.test.dyndns. -1 fgun0ru4oe3g76tr551hg97mpu37b6mh.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FGUN0RU4OE3G76TR551HG97MPU37B6MJ -1 fgun0ru4oe3g76tr551hg97mpu37b6mh.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... -1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd LMRSADK2BB62QPRUAULES5I5AP06CP56 -1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... +1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FGUN0RU4OE3G76TR551HG97MPU37B6MJ NS +1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... 2 . IN OPT 32768 2 ns1.c.host.test.dyndns. IN A 3600 192.168.0.1 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 diff --git a/regression-tests/1dyndns-update-delegate-in-between/expected_result.nsec3 b/regression-tests/1dyndns-update-delegate-in-between/expected_result.nsec3 index 67eafa690d..a81f3cf4c4 100644 --- a/regression-tests/1dyndns-update-delegate-in-between/expected_result.nsec3 +++ b/regression-tests/1dyndns-update-delegate-in-between/expected_result.nsec3 @@ -130,8 +130,6 @@ Reply to question for qname='b.host.test.dyndns.', qtype=ANY 1 c.host.test.dyndns. IN NS 3600 ns1.c.host.test.dyndns. 1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FQU365VN7BR5CSV8CG6NE9V8HA6D008P NS 1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... -1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd LRESBBP3LV8BLGJ9FSGTDMM4Q7VJ3D6J -1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... 2 . IN OPT 32768 2 ns1.c.host.test.dyndns. IN A 3600 192.168.0.1 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 @@ -184,8 +182,6 @@ Reply to question for qname='b.b.host.test.dyndns.', qtype=ANY 1 c.host.test.dyndns. IN NS 3600 ns1.c.host.test.dyndns. 1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd FQU365VN7BR5CSV8CG6NE9V8HA6D008P NS 1 fgun0ru4oe3g76tr551hg97mpu37b6mi.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... -1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN NSEC3 86400 1 [flags] 1 abcd LRESBBP3LV8BLGJ9FSGTDMM4Q7VJ3D6J -1 lmrsadk2bb62qpruaules5i5ap06cp55.test.dyndns. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.dyndns. ... 2 . IN OPT 32768 2 ns1.c.host.test.dyndns. IN A 3600 192.168.0.1 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result.narrow b/regression-tests/ds-at-unsecure-delegation/expected_result.narrow index 9f73d53902..d3ca5742fe 100644 --- a/regression-tests/ds-at-unsecure-delegation/expected_result.narrow +++ b/regression-tests/ds-at-unsecure-delegation/expected_result.narrow @@ -1,9 +1,7 @@ 1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ... 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 -1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 -1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... +1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS +1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 Reply to question for qname='usa.example.com.', qtype=DS diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 index ee1c7ae721..c530967deb 100644 --- a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 +++ b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 @@ -2,8 +2,6 @@ 1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400 1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 0 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO NS 1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 Reply to question for qname='usa.example.com.', qtype=DS diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow b/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow index 8b9130ea20..f9249b8438 100644 --- a/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow +++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result.narrow @@ -1,9 +1,7 @@ -1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK -1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoi.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... +1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd BE6IQH4FJRTDHACQK7G3IQ96QCVF2QOK NS +1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 -1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN NSEC3 86400 1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8V A NS SOA RRSIG DNSKEY NSEC3PARAM -1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 index 1f701a8d3c..2b43c449a7 100644 --- a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 +++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 @@ -2,8 +2,6 @@ 1 be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN RRSIG 3600 SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ... 1 dnssec-parent.com. IN SOA 3600 ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400 -1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN NSEC3 86400 1 0 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM -1 dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ... 2 . IN OPT 32768 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0 Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS diff --git a/regression-tests/ds-inside-delegation/expected_result.narrow b/regression-tests/ds-inside-delegation/expected_result.narrow index 7a75ea1a07..791dc0cb82 100644 --- a/regression-tests/ds-inside-delegation/expected_result.narrow +++ b/regression-tests/ds-inside-delegation/expected_result.narrow @@ -1,9 +1,7 @@ -1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 -1 t67rqvqprigd7rtb5fah6c3o7g9th3iv.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... +1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN NSEC3 86400 1 1 1 abcd T67RQVQPRIGD7RTB5FAH6C3O7G9TH3J1 NS +1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 usa.example.com. IN NS 120 usa-ns1.usa.example.com. 1 usa.example.com. IN NS 120 usa-ns2.usa.example.com. -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 2 usa-ns1.usa.example.com. IN A 120 192.168.4.1 2 usa-ns2.usa.example.com. IN A 120 192.168.4.2 diff --git a/regression-tests/ds-inside-delegation/expected_result.nsec3 b/regression-tests/ds-inside-delegation/expected_result.nsec3 index c676fcb59b..760c1dac4b 100644 --- a/regression-tests/ds-inside-delegation/expected_result.nsec3 +++ b/regression-tests/ds-inside-delegation/expected_result.nsec3 @@ -2,8 +2,6 @@ 1 t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 1 usa.example.com. IN NS 120 usa-ns1.usa.example.com. 1 usa.example.com. IN NS 120 usa-ns2.usa.example.com. -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM -1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ... 2 . IN OPT 32768 2 usa-ns1.usa.example.com. IN A 120 192.168.4.1 2 usa-ns2.usa.example.com. IN A 120 192.168.4.2 diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.narrow b/regression-tests/nsec-glue-at-delegation/expected_result.narrow index 78cb4a2331..3f7a5a2160 100644 --- a/regression-tests/nsec-glue-at-delegation/expected_result.narrow +++ b/regression-tests/nsec-glue-at-delegation/expected_result.narrow @@ -1,8 +1,6 @@ -1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM -1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 blah.test.com. IN NS 3600 blah.test.com. -1 s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com. IN NSEC3 86400 1 1 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KC -1 s96h2qicbt8d9i5aa43kp8sjjresq4ka.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... +1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN NSEC3 86400 1 1 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KC NS +1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 2 . IN OPT 32768 2 blah.test.com. IN A 3600 192.168.6.1 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0 diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 index b018eb0f68..d9e08e7947 100644 --- a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 +++ b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 @@ -1,5 +1,3 @@ -1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN NSEC3 86400 1 0 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM -1 2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... 1 blah.test.com. IN NS 3600 blah.test.com. 1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN NSEC3 86400 1 0 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA NS 1 s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ... -- 2.47.2