1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 This file is part of systemd.
5 Copyright 2015 Lennart Poettering
7 systemd is free software; you can redistribute it and/or modify it
8 under the terms of the GNU Lesser General Public License as published by
9 the Free Software Foundation; either version 2.1 of the License, or
10 (at your option) any later version.
12 systemd is distributed in the hope that it will be useful, but
13 WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
17 You should have received a copy of the GNU Lesser General Public License
18 along with systemd; If not, see <http://www.gnu.org/licenses/>.
21 #include <arpa/inet.h>
22 #include <netinet/in.h>
23 #include <sys/socket.h>
25 #include "alloc-util.h"
26 #include "resolved-dns-dnssec.h"
27 #include "resolved-dns-rr.h"
28 #include "string-util.h"
29 #include "hexdecoct.h"
31 static void test_dnssec_canonicalize_one(const char *original
, const char *canonical
, int r
) {
32 char canonicalized
[DNSSEC_CANONICAL_HOSTNAME_MAX
];
34 assert_se(dnssec_canonicalize(original
, canonicalized
, sizeof(canonicalized
)) == r
);
38 assert_se(streq(canonicalized
, canonical
));
41 static void test_dnssec_canonicalize(void) {
42 test_dnssec_canonicalize_one("", ".", 1);
43 test_dnssec_canonicalize_one(".", ".", 1);
44 test_dnssec_canonicalize_one("foo", "foo.", 4);
45 test_dnssec_canonicalize_one("foo.", "foo.", 4);
46 test_dnssec_canonicalize_one("FOO.", "foo.", 4);
47 test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
48 test_dnssec_canonicalize_one("FOO..bar.", NULL
, -EINVAL
);
53 static void test_dnssec_verify_dns_key(void) {
55 static const uint8_t ds1_fprint
[] = {
56 0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
57 0x80, 0x67, 0x14, 0x01,
59 static const uint8_t ds2_fprint
[] = {
60 0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
61 0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
63 static const uint8_t dnskey_blob
[] = {
64 0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
65 0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
66 0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
67 0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
68 0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
69 0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
70 0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
71 0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
72 0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
73 0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
74 0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
75 0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
76 0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
77 0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
78 0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
79 0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
80 0xe7, 0xea, 0x77, 0x03,
83 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*dnskey
= NULL
, *ds1
= NULL
, *ds2
= NULL
;
85 /* The two DS RRs in effect for nasa.gov on 2015-12-01. */
86 ds1
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DS
, "nasa.gov");
89 ds1
->ds
.key_tag
= 47857;
90 ds1
->ds
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
91 ds1
->ds
.digest_type
= DNSSEC_DIGEST_SHA1
;
92 ds1
->ds
.digest_size
= sizeof(ds1_fprint
);
93 ds1
->ds
.digest
= memdup(ds1_fprint
, ds1
->ds
.digest_size
);
94 assert_se(ds1
->ds
.digest
);
96 log_info("DS1: %s", strna(dns_resource_record_to_string(ds1
)));
98 ds2
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DS
, "NASA.GOV");
101 ds2
->ds
.key_tag
= 47857;
102 ds2
->ds
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
103 ds2
->ds
.digest_type
= DNSSEC_DIGEST_SHA256
;
104 ds2
->ds
.digest_size
= sizeof(ds2_fprint
);
105 ds2
->ds
.digest
= memdup(ds2_fprint
, ds2
->ds
.digest_size
);
106 assert_se(ds2
->ds
.digest
);
108 log_info("DS2: %s", strna(dns_resource_record_to_string(ds2
)));
110 dnskey
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DNSKEY
, "nasa.GOV");
113 dnskey
->dnskey
.flags
= 257;
114 dnskey
->dnskey
.protocol
= 3;
115 dnskey
->dnskey
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
116 dnskey
->dnskey
.key_size
= sizeof(dnskey_blob
);
117 dnskey
->dnskey
.key
= memdup(dnskey_blob
, sizeof(dnskey_blob
));
118 assert_se(dnskey
->dnskey
.key
);
120 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey
)));
121 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey
, false));
123 assert_se(dnssec_verify_dnskey_by_ds(dnskey
, ds1
, false) > 0);
124 assert_se(dnssec_verify_dnskey_by_ds(dnskey
, ds2
, false) > 0);
127 static void test_dnssec_verify_rrset(void) {
129 static const uint8_t signature_blob
[] = {
130 0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
131 0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
132 0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
133 0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
134 0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
135 0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
136 0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
137 0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
140 static const uint8_t dnskey_blob
[] = {
141 0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
142 0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
143 0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
144 0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
145 0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
146 0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
147 0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
148 0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
149 0x4f, 0x00, 0x51, 0x3b,
152 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*a
= NULL
, *rrsig
= NULL
, *dnskey
= NULL
;
153 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
156 a
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_A
, "nAsA.gov");
159 a
->a
.in_addr
.s_addr
= inet_addr("52.0.14.116");
161 log_info("A: %s", strna(dns_resource_record_to_string(a
)));
163 rrsig
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_RRSIG
, "NaSa.GOV.");
166 rrsig
->rrsig
.type_covered
= DNS_TYPE_A
;
167 rrsig
->rrsig
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
168 rrsig
->rrsig
.labels
= 2;
169 rrsig
->rrsig
.original_ttl
= 600;
170 rrsig
->rrsig
.expiration
= 0x5683135c;
171 rrsig
->rrsig
.inception
= 0x565b7da8;
172 rrsig
->rrsig
.key_tag
= 63876;
173 rrsig
->rrsig
.signer
= strdup("Nasa.Gov.");
174 assert_se(rrsig
->rrsig
.signer
);
175 rrsig
->rrsig
.signature_size
= sizeof(signature_blob
);
176 rrsig
->rrsig
.signature
= memdup(signature_blob
, rrsig
->rrsig
.signature_size
);
177 assert_se(rrsig
->rrsig
.signature
);
179 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig
)));
181 dnskey
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DNSKEY
, "nASA.gOV");
184 dnskey
->dnskey
.flags
= 256;
185 dnskey
->dnskey
.protocol
= 3;
186 dnskey
->dnskey
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
187 dnskey
->dnskey
.key_size
= sizeof(dnskey_blob
);
188 dnskey
->dnskey
.key
= memdup(dnskey_blob
, sizeof(dnskey_blob
));
189 assert_se(dnskey
->dnskey
.key
);
191 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey
)));
192 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey
, false));
194 assert_se(dnssec_key_match_rrsig(a
->key
, rrsig
) > 0);
195 assert_se(dnssec_rrsig_match_dnskey(rrsig
, dnskey
, false) > 0);
197 answer
= dns_answer_new(1);
199 assert_se(dns_answer_add(answer
, a
, 0, DNS_ANSWER_AUTHENTICATED
) >= 0);
201 /* Validate the RR as it if was 2015-12-2 today */
202 assert_se(dnssec_verify_rrset(answer
, a
->key
, rrsig
, dnskey
, 1449092754*USEC_PER_SEC
, &result
) >= 0);
203 assert_se(result
== DNSSEC_VALIDATED
);
206 static void test_dnssec_verify_rrset2(void) {
208 static const uint8_t signature_blob
[] = {
209 0x48, 0x45, 0xc8, 0x8b, 0xc0, 0x14, 0x92, 0xf5, 0x15, 0xc6, 0x84, 0x9d, 0x2f, 0xe3, 0x32, 0x11,
210 0x7d, 0xf1, 0xe6, 0x87, 0xb9, 0x42, 0xd3, 0x8b, 0x9e, 0xaf, 0x92, 0x31, 0x0a, 0x53, 0xad, 0x8b,
211 0xa7, 0x5c, 0x83, 0x39, 0x8c, 0x28, 0xac, 0xce, 0x6e, 0x9c, 0x18, 0xe3, 0x31, 0x16, 0x6e, 0xca,
212 0x38, 0x31, 0xaf, 0xd9, 0x94, 0xf1, 0x84, 0xb1, 0xdf, 0x5a, 0xc2, 0x73, 0x22, 0xf6, 0xcb, 0xa2,
213 0xe7, 0x8c, 0x77, 0x0c, 0x74, 0x2f, 0xc2, 0x13, 0xb0, 0x93, 0x51, 0xa9, 0x4f, 0xae, 0x0a, 0xda,
214 0x45, 0xcc, 0xfd, 0x43, 0x99, 0x36, 0x9a, 0x0d, 0x21, 0xe0, 0xeb, 0x30, 0x65, 0xd4, 0xa0, 0x27,
215 0x37, 0x3b, 0xe4, 0xc1, 0xc5, 0xa1, 0x2a, 0xd1, 0x76, 0xc4, 0x7e, 0x64, 0x0e, 0x5a, 0xa6, 0x50,
216 0x24, 0xd5, 0x2c, 0xcc, 0x6d, 0xe5, 0x37, 0xea, 0xbd, 0x09, 0x34, 0xed, 0x24, 0x06, 0xa1, 0x22,
219 static const uint8_t dnskey_blob
[] = {
220 0x03, 0x01, 0x00, 0x01, 0xc3, 0x7f, 0x1d, 0xd1, 0x1c, 0x97, 0xb1, 0x13, 0x34, 0x3a, 0x9a, 0xea,
221 0xee, 0xd9, 0x5a, 0x11, 0x1b, 0x17, 0xc7, 0xe3, 0xd4, 0xda, 0x20, 0xbc, 0x5d, 0xba, 0x74, 0xe3,
222 0x37, 0x99, 0xec, 0x25, 0xce, 0x93, 0x7f, 0xbd, 0x22, 0x73, 0x7e, 0x14, 0x71, 0xe0, 0x60, 0x07,
223 0xd4, 0x39, 0x8b, 0x5e, 0xe9, 0xba, 0x25, 0xe8, 0x49, 0xe9, 0x34, 0xef, 0xfe, 0x04, 0x5c, 0xa5,
224 0x27, 0xcd, 0xa9, 0xda, 0x70, 0x05, 0x21, 0xab, 0x15, 0x82, 0x24, 0xc3, 0x94, 0xf5, 0xd7, 0xb7,
225 0xc4, 0x66, 0xcb, 0x32, 0x6e, 0x60, 0x2b, 0x55, 0x59, 0x28, 0x89, 0x8a, 0x72, 0xde, 0x88, 0x56,
226 0x27, 0x95, 0xd9, 0xac, 0x88, 0x4f, 0x65, 0x2b, 0x68, 0xfc, 0xe6, 0x41, 0xc1, 0x1b, 0xef, 0x4e,
227 0xd6, 0xc2, 0x0f, 0x64, 0x88, 0x95, 0x5e, 0xdd, 0x3a, 0x02, 0x07, 0x50, 0xa9, 0xda, 0xa4, 0x49,
228 0x74, 0x62, 0xfe, 0xd7,
231 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*nsec
= NULL
, *rrsig
= NULL
, *dnskey
= NULL
;
232 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
235 nsec
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_NSEC
, "nasa.gov");
238 nsec
->nsec
.next_domain_name
= strdup("3D-Printing.nasa.gov");
239 assert_se(nsec
->nsec
.next_domain_name
);
241 nsec
->nsec
.types
= bitmap_new();
242 assert_se(nsec
->nsec
.types
);
243 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_A
) >= 0);
244 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_NS
) >= 0);
245 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_SOA
) >= 0);
246 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_MX
) >= 0);
247 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_TXT
) >= 0);
248 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_RRSIG
) >= 0);
249 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_NSEC
) >= 0);
250 assert_se(bitmap_set(nsec
->nsec
.types
, DNS_TYPE_DNSKEY
) >= 0);
251 assert_se(bitmap_set(nsec
->nsec
.types
, 65534) >= 0);
253 log_info("NSEC: %s", strna(dns_resource_record_to_string(nsec
)));
255 rrsig
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_RRSIG
, "NaSa.GOV.");
258 rrsig
->rrsig
.type_covered
= DNS_TYPE_NSEC
;
259 rrsig
->rrsig
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
260 rrsig
->rrsig
.labels
= 2;
261 rrsig
->rrsig
.original_ttl
= 300;
262 rrsig
->rrsig
.expiration
= 0x5689002f;
263 rrsig
->rrsig
.inception
= 0x56617230;
264 rrsig
->rrsig
.key_tag
= 30390;
265 rrsig
->rrsig
.signer
= strdup("Nasa.Gov.");
266 assert_se(rrsig
->rrsig
.signer
);
267 rrsig
->rrsig
.signature_size
= sizeof(signature_blob
);
268 rrsig
->rrsig
.signature
= memdup(signature_blob
, rrsig
->rrsig
.signature_size
);
269 assert_se(rrsig
->rrsig
.signature
);
271 log_info("RRSIG: %s", strna(dns_resource_record_to_string(rrsig
)));
273 dnskey
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_DNSKEY
, "nASA.gOV");
276 dnskey
->dnskey
.flags
= 256;
277 dnskey
->dnskey
.protocol
= 3;
278 dnskey
->dnskey
.algorithm
= DNSSEC_ALGORITHM_RSASHA256
;
279 dnskey
->dnskey
.key_size
= sizeof(dnskey_blob
);
280 dnskey
->dnskey
.key
= memdup(dnskey_blob
, sizeof(dnskey_blob
));
281 assert_se(dnskey
->dnskey
.key
);
283 log_info("DNSKEY: %s", strna(dns_resource_record_to_string(dnskey
)));
284 log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey
, false));
286 assert_se(dnssec_key_match_rrsig(nsec
->key
, rrsig
) > 0);
287 assert_se(dnssec_rrsig_match_dnskey(rrsig
, dnskey
, false) > 0);
289 answer
= dns_answer_new(1);
291 assert_se(dns_answer_add(answer
, nsec
, 0, DNS_ANSWER_AUTHENTICATED
) >= 0);
293 /* Validate the RR as it if was 2015-12-11 today */
294 assert_se(dnssec_verify_rrset(answer
, nsec
->key
, rrsig
, dnskey
, 1449849318*USEC_PER_SEC
, &result
) >= 0);
295 assert_se(result
== DNSSEC_VALIDATED
);
298 static void test_dnssec_nsec3_hash(void) {
299 static const uint8_t salt
[] = { 0xB0, 0x1D, 0xFA, 0xCE };
300 static const uint8_t next_hashed_name
[] = { 0x84, 0x10, 0x26, 0x53, 0xc9, 0xfa, 0x4d, 0x85, 0x6c, 0x97, 0x82, 0xe2, 0x8f, 0xdf, 0x2d, 0x5e, 0x87, 0x69, 0xc4, 0x52 };
301 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
302 uint8_t h
[DNSSEC_HASH_SIZE_MAX
];
303 _cleanup_free_
char *b
= NULL
;
306 /* The NSEC3 RR for eurid.eu on 2015-12-14. */
307 rr
= dns_resource_record_new_full(DNS_CLASS_IN
, DNS_TYPE_NSEC3
, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM.eurid.eu.");
310 rr
->nsec3
.algorithm
= DNSSEC_DIGEST_SHA1
;
312 rr
->nsec3
.iterations
= 1;
313 rr
->nsec3
.salt
= memdup(salt
, sizeof(salt
));
314 assert_se(rr
->nsec3
.salt
);
315 rr
->nsec3
.salt_size
= sizeof(salt
);
316 rr
->nsec3
.next_hashed_name
= memdup(next_hashed_name
, sizeof(next_hashed_name
));
317 assert_se(rr
->nsec3
.next_hashed_name
);
318 rr
->nsec3
.next_hashed_name_size
= sizeof(next_hashed_name
);
320 log_info("NSEC3: %s", strna(dns_resource_record_to_string(rr
)));
322 k
= dnssec_nsec3_hash(rr
, "eurid.eu", &h
);
325 b
= base32hexmem(h
, k
, false);
327 assert_se(strcasecmp(b
, "PJ8S08RR45VIQDAQGE7EN3VHKNROTBMM") == 0);
332 int main(int argc
, char*argv
[]) {
334 test_dnssec_canonicalize();
337 test_dnssec_verify_dns_key();
338 test_dnssec_verify_rrset();
339 test_dnssec_verify_rrset2();
340 test_dnssec_nsec3_hash();