2 This file is part of systemd.
4 Copyright 2015 Lennart Poettering
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20 #include <arpa/inet.h>
21 #include <netinet/in.h>
22 #include <sys/socket.h>
24 #include "alloc-util.h"
25 #include "resolved-dns-dnssec.h"
26 #include "resolved-dns-rr.h"
27 #include "string-util.h"
28 #include "hexdecoct.h"
30 static void test_dnssec_verify_rrset2(void) {
32 static const uint8_t signature_blob
[] = {
33 0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11,
34 0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b,
35 0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca,
36 0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2,
37 0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda,
38 0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27,
39 0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50,
40 0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22,
43 static const uint8_t dnskey_blob
[] = {
44 0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea,
45 0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3,
46 0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07,
47 0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5,
48 0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7,
49 0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56,
50 0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e,
51 0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49,
52 0x74, 0x62, 0xfe, 0xd7,
55 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*nsec
= NULL
, *rrsig
= NULL
, *dnskey
= NULL
;
56 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
59 nsec
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_NSEC
, "nasa.gov");
62 nsec
->nsec
.next_domain_name
= strdup("3D-Printing.nasa.gov");
63 assert_se(nsec
->nsec
.next_domain_name
);
65 nsec
->nsec
.types
= bitmap_new();
66 assert_se(nsec
->nsec
.types
);
67 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_A
) >= 0);
68 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_NS
) >= 0);
69 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_SOA
) >= 0);
70 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_MX
) >= 0);
71 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_TXT
) >= 0);
72 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_RRSIG
) >= 0);
73 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_NSEC
) >= 0);
74 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_DNSKEY
) >= 0);
75 assert_se(bitmap_set(nsec
->nsec
.types
, 65534) >= 0);
77 log_info("NSEC: %s", strna(dns_resource_record_to_string(nsec
)));
79 rrsig
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_RRSIG
, "NaSa.GOV.");
82 rrsig
->rrsig
.type_covered
= DNS_TYPE_NSEC
;
83 rrsig
->rrsig
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
84 rrsig
->rrsig
.labels
= 2;
85 rrsig
->rrsig
.original_ttl
= 300;
86 rrsig
->rrsig
.expiration
= 0x5689002f;
87 rrsig
->rrsig
.inception
= 0x56617230;
88 rrsig
->rrsig
.key_tag
= 30390;
89 rrsig
->rrsig
.signer
= strdup("Nasa.Gov.");
90 assert_se(rrsig
->rrsig
.signer
);
91 rrsig
->rrsig
.signature_size
= sizeof(signature_blob
);
92 rrsig
->rrsig
.signature
= memdup(signature_blob
, rrsig
->rrsig
.signature_size
);
93 assert_se(rrsig
->rrsig
.signature
);
95 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig
)));
97 dnskey
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DNSKEY
, "nASA.gOV");
100 dnskey
->dnskey
.flags
= 256;
101 dnskey
->dnskey
.protocol
= 3;
102 dnskey
->dnskey
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
103 dnskey
->dnskey
.key_size
= sizeof(dnskey_blob
);
104 dnskey
->dnskey
.key
= memdup(dnskey_blob
, sizeof(dnskey_blob
));
105 assert_se(dnskey
->dnskey
.key
);
107 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey
)));
108 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey
, false));
110 assert_se(dnssec_key_match_rrsig(nsec
->key
, rrsig
) > 0);
111 assert_se(dnssec_rrsig_match_dnskey(rrsig
, dnskey
, false) > 0);
113 answer
= dns_answer_new(1);
115 assert_se(dns_answer_add(answer
, nsec
, 0, DNS_ANSWER_AUTHENTICATED
) >= 0);
117 /* Validate the RR as it if was 2015-12-11 today */
118 assert_se(dnssec_verify_rrset(answer
, nsec
->key
, rrsig
, dnskey
, 1449849318*USEC_PER_SEC
, &result
) >= 0);
119 assert_se(result
== DNSSEC_VALIDATED
);
122 static void test_dnssec_verify_rrset(void) {
124 static const uint8_t signature_blob
[] = {
125 0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
126 0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
127 0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
128 0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
129 0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
130 0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
131 0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
132 0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
135 static const uint8_t dnskey_blob
[] = {
136 0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
137 0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
138 0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
139 0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
140 0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
141 0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
142 0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
143 0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
144 0x4f, 0x00, 0x51, 0x3b,
147 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*a
= NULL
, *rrsig
= NULL
, *dnskey
= NULL
;
148 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
151 a
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_A
, "nAsA.gov");
154 a
->a
.in_addr
.s_addr
= inet_addr("52.0.14.116");
156 log_info("A: %s", strna(dns_resource_record_to_string(a
)));
158 rrsig
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_RRSIG
, "NaSa.GOV.");
161 rrsig
->rrsig
.type_covered
= DNS_TYPE_A
;
162 rrsig
->rrsig
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
163 rrsig
->rrsig
.labels
= 2;
164 rrsig
->rrsig
.original_ttl
= 600;
165 rrsig
->rrsig
.expiration
= 0x5683135c;
166 rrsig
->rrsig
.inception
= 0x565b7da8;
167 rrsig
->rrsig
.key_tag
= 63876;
168 rrsig
->rrsig
.signer
= strdup("Nasa.Gov.");
169 assert_se(rrsig
->rrsig
.signer
);
170 rrsig
->rrsig
.signature_size
= sizeof(signature_blob
);
171 rrsig
->rrsig
.signature
= memdup(signature_blob
, rrsig
->rrsig
.signature_size
);
172 assert_se(rrsig
->rrsig
.signature
);
174 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig
)));
176 dnskey
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DNSKEY
, "nASA.gOV");
179 dnskey
->dnskey
.flags
= 256;
180 dnskey
->dnskey
.protocol
= 3;
181 dnskey
->dnskey
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
182 dnskey
->dnskey
.key_size
= sizeof(dnskey_blob
);
183 dnskey
->dnskey
.key
= memdup(dnskey_blob
, sizeof(dnskey_blob
));
184 assert_se(dnskey
->dnskey
.key
);
186 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey
)));
187 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey
, false));
189 assert_se(dnssec_key_match_rrsig(a
->key
, rrsig
) > 0);
190 assert_se(dnssec_rrsig_match_dnskey(rrsig
, dnskey
, false) > 0);
192 answer
= dns_answer_new(1);
194 assert_se(dns_answer_add(answer
, a
, 0, DNS_ANSWER_AUTHENTICATED
) >= 0);
196 /* Validate the RR as it if was 2015-12-2 today */
197 assert_se(dnssec_verify_rrset(answer
, a
->key
, rrsig
, dnskey
, 1449092754*USEC_PER_SEC
, &result
) >= 0);
198 assert_se(result
== DNSSEC_VALIDATED
);
201 static void test_dnssec_verify_dns_key(void) {
203 static const uint8_t ds1_fprint
[] = {
204 0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
205 0x80, 0x67, 0x14, 0x01,
207 static const uint8_t ds2_fprint
[] = {
208 0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
209 0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
211 static const uint8_t dnskey_blob
[] = {
212 0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
213 0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
214 0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
215 0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
216 0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
217 0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
218 0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
219 0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
220 0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
221 0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
222 0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
223 0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
224 0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
225 0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
226 0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
227 0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
228 0xe7, 0xea, 0x77, 0x03,
231 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*dnskey
= NULL
, *ds1
= NULL
, *ds2
= NULL
;
233 /* The two DS RRs in effect for nasa.gov on 2015-12-01. */
234 ds1
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DS
, "nasa.gov");
237 ds1
->ds
.key_tag
= 47857;
238 ds1
->ds
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
239 ds1
->ds
.digest_type
= DNSSEC_DIGEST_SHA1
;
240 ds1
->ds
.digest_size
= sizeof(ds1_fprint
);
241 ds1
->ds
.digest
= memdup(ds1_fprint
, ds1
->ds
.digest_size
);
242 assert_se(ds1
->ds
.digest
);
244 log_info("DS1: %s", strna(dns_resource_record_to_string(ds1
)));
246 ds2
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DS
, "NASA.GOV");
249 ds2
->ds
.key_tag
= 47857;
250 ds2
->ds
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
251 ds2
->ds
.digest_type
= DNSSEC_DIGEST_SHA256
;
252 ds2
->ds
.digest_size
= sizeof(ds2_fprint
);
253 ds2
->ds
.digest
= memdup(ds2_fprint
, ds2
->ds
.digest_size
);
254 assert_se(ds2
->ds
.digest
);
256 log_info("DS2: %s", strna(dns_resource_record_to_string(ds2
)));
258 dnskey
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DNSKEY
, "nasa.GOV");
261 dnskey
->dnskey
.flags
= 257;
262 dnskey
->dnskey
.protocol
= 3;
263 dnskey
->dnskey
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
264 dnskey
->dnskey
.key_size
= sizeof(dnskey_blob
);
265 dnskey
->dnskey
.key
= memdup(dnskey_blob
, sizeof(dnskey_blob
));
266 assert_se(dnskey
->dnskey
.key
);
268 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey
)));
269 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey
, false));
271 assert_se(dnssec_verify_dnskey_by_ds(dnskey
, ds1
, false) > 0);
272 assert_se(dnssec_verify_dnskey_by_ds(dnskey
, ds2
, false) > 0);
275 static void test_dnssec_canonicalize_one(const char *original
, const char *canonical
, int r
) {
276 char canonicalized
[DNSSEC_CANONICAL_HOSTNAME_MAX
];
278 assert_se(dnssec_canonicalize(original
, canonicalized
, sizeof(canonicalized
)) == r
);
282 assert_se(streq(canonicalized
, canonical
));
285 static void test_dnssec_canonicalize(void) {
286 test_dnssec_canonicalize_one("", ".", 1);
287 test_dnssec_canonicalize_one(".", ".", 1);
288 test_dnssec_canonicalize_one("foo", "foo.", 4);
289 test_dnssec_canonicalize_one("foo.", "foo.", 4);
290 test_dnssec_canonicalize_one("FOO.", "foo.", 4);
291 test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
292 test_dnssec_canonicalize_one("FOO..bar.", NULL
, -EINVAL
);
295 static void test_dnssec_nsec3_hash(void) {
296 static const uint8_t salt
[] = { 0xB0, 0x1D, 0xFA, 0xCE };
297 static const uint8_t next_hashed_name
[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 };
298 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
299 uint8_t h
[DNSSEC_HASH_SIZE_MAX
];
300 _cleanup_free_
char *b
= NULL
;
303 /* The NSEC3 RR for eurid.eu on 2015-12-14. */
304 rr
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_NSEC3
, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu.");
307 rr
->nsec3
.algorithm
= DNSSEC_DIGEST_SHA1
;
309 rr
->nsec3
.iterations
= 1;
310 rr
->nsec3
.salt
= memdup(salt
, sizeof(salt
));
311 assert_se(rr
->nsec3
.salt
);
312 rr
->nsec3
.salt_size
= sizeof(salt
);
313 rr
->nsec3
.next_hashed_name
= memdup(next_hashed_name
, sizeof(next_hashed_name
));
314 assert_se(rr
->nsec3
.next_hashed_name
);
315 rr
->nsec3
.next_hashed_name_size
= sizeof(next_hashed_name
);
317 log_info("NSEC3: %s", strna(dns_resource_record_to_string(rr
)));
319 k
= dnssec_nsec3_hash(rr
, "eurid.eu", &h
);
322 b
= base32hexmem(h
, k
, false);
324 assert_se(strcasecmp(b
, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);
327 int main(int argc
, char*argv
[]) {
329 test_dnssec_canonicalize();
330 test_dnssec_verify_dns_key();
331 test_dnssec_verify_rrset();
332 test_dnssec_verify_rrset2();
333 test_dnssec_nsec3_hash();