2 This file is part of systemd.
4 Copyright 2015 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 #include <arpa/inet.h>
21 #include <netinet/in.h>
22 #include <sys/socket.h>
24 #include "alloc-util.h"
25 #include "resolved-dns-dnssec.h"
26 #include "resolved-dns-rr.h"
27 #include "string-util.h"
28 #include "hexdecoct.h"
30 static void test_dnssec_canonicalize_one(const char *original
, const char *canonical
, int r
) {
31 char canonicalized
[DNSSEC_CANONICAL_HOSTNAME_MAX
];
33 assert_se(dnssec_canonicalize(original
, canonicalized
, sizeof(canonicalized
)) == r
);
37 assert_se(streq(canonicalized
, canonical
));
40 static void test_dnssec_canonicalize(void) {
41 test_dnssec_canonicalize_one("", ".", 1);
42 test_dnssec_canonicalize_one(".", ".", 1);
43 test_dnssec_canonicalize_one("foo", "foo.", 4);
44 test_dnssec_canonicalize_one("foo.", "foo.", 4);
45 test_dnssec_canonicalize_one("FOO.", "foo.", 4);
46 test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
47 test_dnssec_canonicalize_one("FOO..bar.", NULL
, -EINVAL
);
52 static void test_dnssec_verify_dns_key(void) {
54 static const uint8_t ds1_fprint
[] = {
55 0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
56 0x80, 0x67, 0x14, 0x01,
58 static const uint8_t ds2_fprint
[] = {
59 0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
60 0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
62 static const uint8_t dnskey_blob
[] = {
63 0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
64 0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
65 0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
66 0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
67 0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
68 0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
69 0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
70 0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
71 0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
72 0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
73 0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
74 0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
75 0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
76 0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
77 0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
78 0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
79 0xe7, 0xea, 0x77, 0x03,
82 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*dnskey
= NULL
, *ds1
= NULL
, *ds2
= NULL
;
84 /* The two DS RRs in effect for nasa.gov on 2015-12-01. */
85 ds1
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DS
, "nasa.gov");
88 ds1
->ds
.key_tag
= 47857;
89 ds1
->ds
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
90 ds1
->ds
.digest_type
= DNSSEC_DIGEST_SHA1
;
91 ds1
->ds
.digest_size
= sizeof(ds1_fprint
);
92 ds1
->ds
.digest
= memdup(ds1_fprint
, ds1
->ds
.digest_size
);
93 assert_se(ds1
->ds
.digest
);
95 log_info("DS1: %s", strna(dns_resource_record_to_string(ds1
)));
97 ds2
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DS
, "NASA.GOV");
100 ds2
->ds
.key_tag
= 47857;
101 ds2
->ds
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
102 ds2
->ds
.digest_type
= DNSSEC_DIGEST_SHA256
;
103 ds2
->ds
.digest_size
= sizeof(ds2_fprint
);
104 ds2
->ds
.digest
= memdup(ds2_fprint
, ds2
->ds
.digest_size
);
105 assert_se(ds2
->ds
.digest
);
107 log_info("DS2: %s", strna(dns_resource_record_to_string(ds2
)));
109 dnskey
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DNSKEY
, "nasa.GOV");
112 dnskey
->dnskey
.flags
= 257;
113 dnskey
->dnskey
.protocol
= 3;
114 dnskey
->dnskey
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
115 dnskey
->dnskey
.key_size
= sizeof(dnskey_blob
);
116 dnskey
->dnskey
.key
= memdup(dnskey_blob
, sizeof(dnskey_blob
));
117 assert_se(dnskey
->dnskey
.key
);
119 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey
)));
120 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey
, false));
122 assert_se(dnssec_verify_dnskey_by_ds(dnskey
, ds1
, false) > 0);
123 assert_se(dnssec_verify_dnskey_by_ds(dnskey
, ds2
, false) > 0);
126 static void test_dnssec_verify_rrset(void) {
128 static const uint8_t signature_blob
[] = {
129 0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
130 0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
131 0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
132 0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
133 0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
134 0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
135 0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
136 0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
139 static const uint8_t dnskey_blob
[] = {
140 0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
141 0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
142 0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
143 0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
144 0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
145 0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
146 0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
147 0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
148 0x4f, 0x00, 0x51, 0x3b,
151 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*a
= NULL
, *rrsig
= NULL
, *dnskey
= NULL
;
152 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
155 a
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_A
, "nAsA.gov");
158 a
->a
.in_addr
.s_addr
= inet_addr("52.0.14.116");
160 log_info("A: %s", strna(dns_resource_record_to_string(a
)));
162 rrsig
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_RRSIG
, "NaSa.GOV.");
165 rrsig
->rrsig
.type_covered
= DNS_TYPE_A
;
166 rrsig
->rrsig
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
167 rrsig
->rrsig
.labels
= 2;
168 rrsig
->rrsig
.original_ttl
= 600;
169 rrsig
->rrsig
.expiration
= 0x5683135c;
170 rrsig
->rrsig
.inception
= 0x565b7da8;
171 rrsig
->rrsig
.key_tag
= 63876;
172 rrsig
->rrsig
.signer
= strdup("Nasa.Gov.");
173 assert_se(rrsig
->rrsig
.signer
);
174 rrsig
->rrsig
.signature_size
= sizeof(signature_blob
);
175 rrsig
->rrsig
.signature
= memdup(signature_blob
, rrsig
->rrsig
.signature_size
);
176 assert_se(rrsig
->rrsig
.signature
);
178 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig
)));
180 dnskey
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DNSKEY
, "nASA.gOV");
183 dnskey
->dnskey
.flags
= 256;
184 dnskey
->dnskey
.protocol
= 3;
185 dnskey
->dnskey
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
186 dnskey
->dnskey
.key_size
= sizeof(dnskey_blob
);
187 dnskey
->dnskey
.key
= memdup(dnskey_blob
, sizeof(dnskey_blob
));
188 assert_se(dnskey
->dnskey
.key
);
190 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey
)));
191 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey
, false));
193 assert_se(dnssec_key_match_rrsig(a
->key
, rrsig
) > 0);
194 assert_se(dnssec_rrsig_match_dnskey(rrsig
, dnskey
, false) > 0);
196 answer
= dns_answer_new(1);
198 assert_se(dns_answer_add(answer
, a
, 0, DNS_ANSWER_AUTHENTICATED
) >= 0);
200 /* Validate the RR as it if was 2015-12-2 today */
201 assert_se(dnssec_verify_rrset(answer
, a
->key
, rrsig
, dnskey
, 1449092754*USEC_PER_SEC
, &result
) >= 0);
202 assert_se(result
== DNSSEC_VALIDATED
);
205 static void test_dnssec_verify_rrset2(void) {
207 static const uint8_t signature_blob
[] = {
208 0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11,
209 0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b,
210 0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca,
211 0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2,
212 0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda,
213 0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27,
214 0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50,
215 0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22,
218 static const uint8_t dnskey_blob
[] = {
219 0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea,
220 0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3,
221 0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07,
222 0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5,
223 0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7,
224 0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56,
225 0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e,
226 0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49,
227 0x74, 0x62, 0xfe, 0xd7,
230 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*nsec
= NULL
, *rrsig
= NULL
, *dnskey
= NULL
;
231 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
234 nsec
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_NSEC
, "nasa.gov");
237 nsec
->nsec
.next_domain_name
= strdup("3D-Printing.nasa.gov");
238 assert_se(nsec
->nsec
.next_domain_name
);
240 nsec
->nsec
.types
= bitmap_new();
241 assert_se(nsec
->nsec
.types
);
242 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_A
) >= 0);
243 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_NS
) >= 0);
244 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_SOA
) >= 0);
245 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_MX
) >= 0);
246 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_TXT
) >= 0);
247 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_RRSIG
) >= 0);
248 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_NSEC
) >= 0);
249 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_DNSKEY
) >= 0);
250 assert_se(bitmap_set(nsec
->nsec
.types
, 65534) >= 0);
252 log_info("NSEC: %s", strna(dns_resource_record_to_string(nsec
)));
254 rrsig
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_RRSIG
, "NaSa.GOV.");
257 rrsig
->rrsig
.type_covered
= DNS_TYPE_NSEC
;
258 rrsig
->rrsig
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
259 rrsig
->rrsig
.labels
= 2;
260 rrsig
->rrsig
.original_ttl
= 300;
261 rrsig
->rrsig
.expiration
= 0x5689002f;
262 rrsig
->rrsig
.inception
= 0x56617230;
263 rrsig
->rrsig
.key_tag
= 30390;
264 rrsig
->rrsig
.signer
= strdup("Nasa.Gov.");
265 assert_se(rrsig
->rrsig
.signer
);
266 rrsig
->rrsig
.signature_size
= sizeof(signature_blob
);
267 rrsig
->rrsig
.signature
= memdup(signature_blob
, rrsig
->rrsig
.signature_size
);
268 assert_se(rrsig
->rrsig
.signature
);
270 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig
)));
272 dnskey
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DNSKEY
, "nASA.gOV");
275 dnskey
->dnskey
.flags
= 256;
276 dnskey
->dnskey
.protocol
= 3;
277 dnskey
->dnskey
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
278 dnskey
->dnskey
.key_size
= sizeof(dnskey_blob
);
279 dnskey
->dnskey
.key
= memdup(dnskey_blob
, sizeof(dnskey_blob
));
280 assert_se(dnskey
->dnskey
.key
);
282 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey
)));
283 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey
, false));
285 assert_se(dnssec_key_match_rrsig(nsec
->key
, rrsig
) > 0);
286 assert_se(dnssec_rrsig_match_dnskey(rrsig
, dnskey
, false) > 0);
288 answer
= dns_answer_new(1);
290 assert_se(dns_answer_add(answer
, nsec
, 0, DNS_ANSWER_AUTHENTICATED
) >= 0);
292 /* Validate the RR as it if was 2015-12-11 today */
293 assert_se(dnssec_verify_rrset(answer
, nsec
->key
, rrsig
, dnskey
, 1449849318*USEC_PER_SEC
, &result
) >= 0);
294 assert_se(result
== DNSSEC_VALIDATED
);
297 static void test_dnssec_nsec3_hash(void) {
298 static const uint8_t salt
[] = { 0xB0, 0x1D, 0xFA, 0xCE };
299 static const uint8_t next_hashed_name
[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 };
300 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
301 uint8_t h
[DNSSEC_HASH_SIZE_MAX
];
302 _cleanup_free_
char *b
= NULL
;
305 /* The NSEC3 RR for eurid.eu on 2015-12-14. */
306 rr
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_NSEC3
, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu.");
309 rr
->nsec3
.algorithm
= DNSSEC_DIGEST_SHA1
;
311 rr
->nsec3
.iterations
= 1;
312 rr
->nsec3
.salt
= memdup(salt
, sizeof(salt
));
313 assert_se(rr
->nsec3
.salt
);
314 rr
->nsec3
.salt_size
= sizeof(salt
);
315 rr
->nsec3
.next_hashed_name
= memdup(next_hashed_name
, sizeof(next_hashed_name
));
316 assert_se(rr
->nsec3
.next_hashed_name
);
317 rr
->nsec3
.next_hashed_name_size
= sizeof(next_hashed_name
);
319 log_info("NSEC3: %s", strna(dns_resource_record_to_string(rr
)));
321 k
= dnssec_nsec3_hash(rr
, "eurid.eu", &h
);
324 b
= base32hexmem(h
, k
, false);
326 assert_se(strcasecmp(b
, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);
331 int main(int argc
, char*argv
[]) {
333 test_dnssec_canonicalize();
336 test_dnssec_verify_dns_key();
337 test_dnssec_verify_rrset();
338 test_dnssec_verify_rrset2();
339 test_dnssec_nsec3_hash();