Add normal NSEC3 (non opt-out) support.

diff --git a/.travis.yml b/.travis.yml
index 8908b4d3260e79deca606eb369c5d4692db11469..7a6627c3c1452a889510a077d84f60b0818abd1c 100644 (file)
--- a/.travis.yml
+++ b/.travis.yml
@@ -16,12 +16,16 @@ script:
  - ./start-test-stop 5300 bind-dnssec-presigned
  - ./start-test-stop 5300 bind-dnssec-nsec3
  - ./start-test-stop 5300 bind-dnssec-nsec3-presigned
+ - ./start-test-stop 5300 bind-dnssec-nsec3-optout
+ - ./start-test-stop 5300 bind-dnssec-nsec3-optout-presigned 
  - ./start-test-stop 5300 gmysql-nodnssec
  - ./start-test-stop 5300 gmysql-nodnssec-presigned
  - ./start-test-stop 5300 gmysql
  - ./start-test-stop 5300 gmysql-presigned
  - ./start-test-stop 5300 gmysql-nsec3
  - ./start-test-stop 5300 gmysql-nsec3-presigned
+ - ./start-test-stop 5300 gmysql-nsec3-optout
+ - ./start-test-stop 5300 gmysql-nsec3-optout-presigned 
  - ./start-test-stop 5300 gmysql-nsec3-narrow
 notifications:
   irc:

diff --git a/pdns/backends/bind/bindbackend2.cc b/pdns/backends/bind/bindbackend2.cc
index b4267a41ad124ff95fe19c3fe6026a71aa52af89..6e65847a6f90a1defe68dbc8294758227693b403 100644 (file)
--- a/pdns/backends/bind/bindbackend2.cc
+++ b/pdns/backends/bind/bindbackend2.cc
@@ -969,7 +969,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
 //      cerr<<"Hash: "<<bdr.nsec3hash<<"\t"<< (lqname < bdr.nsec3hash) <<endl;
 //    }
     
-    records_by_hashindex_t::const_iterator iter = hashindex.lower_bound(lqname);
+    records_by_hashindex_t::const_iterator iter = hashindex.upper_bound(lqname);
 
     if(iter != hashindex.begin() && (iter == hashindex.end() || iter->nsec3hash > lqname))
     {
@@ -982,7 +982,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
     }
 
     bool wraponce = false;
-    while(iter == hashindex.end() || !(iter->auth) || iter->nsec3hash.empty())
+    while(iter == hashindex.end() || (!iter->auth && !(iter->qtype == QType::NS && !pdns_iequals(iter->qname, auth) && !ns3pr.d_flags)) || iter->nsec3hash.empty())
     {
       iter--;
       if(iter == hashindex.begin()) {
@@ -1009,7 +1009,7 @@ bool Bind2Backend::getBeforeAndAfterNamesAbsolute(uint32_t id, const std::string
       iter = hashindex.begin();
     }
 
-    while(!(iter->auth) || iter->nsec3hash.empty())
+    while((!iter->auth && !(iter->qtype == QType::NS && !pdns_iequals(iter->qname, auth) && !ns3pr.d_flags)) || iter->nsec3hash.empty())
     {
       iter++;
       if(iter == hashindex.end())

diff --git a/pdns/packethandler.cc b/pdns/packethandler.cc
index 1fabbf49abb0c0c3ea901b8c09afe7e952561b93..4e8230c2ad3e7819e212befcf47259b4342284be 100644 (file)
--- a/pdns/packethandler.cc
+++ b/pdns/packethandler.cc
@@ -455,9 +455,9 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
 
   DNSResourceRecord rr;
   if(!unhashed.empty()) {
-    B.lookup(QType(QType::ANY), unhashed);
+    B.lookup(QType(QType::ANY), unhashed, NULL, sd.domain_id);
     while(B.get(rr)) {
-      if(rr.domain_id == sd.domain_id && rr.qtype.getCode()) // skip out of zone data and empty non-terminals
+      if(rr.qtype.getCode() && (rr.qtype.getCode() == QType::NS || rr.auth)) // skip empty non-terminals
         n3rc.d_set.insert(rr.qtype.getCode());
     }
 
@@ -467,7 +467,7 @@ void emitNSEC3(DNSBackend& B, const NSEC3PARAMRecordContent& ns3prc, const SOADa
     }
   }
 
-  if (n3rc.d_set.size())
+  if (n3rc.d_set.size() && !(n3rc.d_set.size() == 1 && n3rc.d_set.count(QType::NS)))
     n3rc.d_set.insert(QType::RRSIG);
   
   n3rc.d_nexthash=end;
@@ -567,7 +567,7 @@ bool getNSEC3Hashes(bool narrow, DNSBackend* db, int id, const std::string& hash
 
 void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
 {
-  // L<<"mode="<<mode<<" target="<<target<<" wildcard="<<wildcard<<" auth="<<auth<<endl;
+  DLOG(L<<"mode="<<mode<<" target="<<target<<" wildcard="<<wildcard<<" auth="<<auth<<endl);
   
   SOAData sd;
   sd.db = (DNSBackend*)-1;
@@ -600,7 +600,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     unhashed=(mode == 0 || mode == 5) ? target : closest;
 
     hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
-    // L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
+    DLOG(L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
   
     getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, false, unhashed, before, after);
     DLOG(L<<"Done calling for matching, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
@@ -616,7 +616,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     while( chopOff( next ) && !pdns_iequals(next, closest));
 
     hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
-    // L<<"2 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
+    DLOG(L<<"2 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
 
     getNSEC3Hashes(narrow, sd.db,sd.domain_id,  hashed, true, unhashed, before, after);
     DLOG(L<<"Done calling for covering, hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
@@ -628,7 +628,7 @@ void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, c
     unhashed=dotConcat("*", closest);
 
     hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
-    // L<<"3 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
+    DLOG(L<<"3 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl);
     
     getNSEC3Hashes(narrow, sd.db, sd.domain_id,  hashed, (mode != 2), unhashed, before, after);
     DLOG(L<<"Done calling for '*', hashed: '"<<toBase32Hex(hashed)<<"' before='"<<toBase32Hex(before)<<"', after='"<<toBase32Hex(after)<<"'"<<endl);
@@ -1006,7 +1006,6 @@ bool PacketHandler::addDSforNS(DNSPacket* p, DNSPacket* r, SOAData& sd, const st
   while(B.get(rr)) {
     gotOne=true;
     rr.d_place = DNSResourceRecord::AUTHORITY;
-    rr.auth=true; // please sign it!
     r->addRecord(rr);
   }
   return gotOne;
@@ -1265,8 +1264,6 @@ DNSPacket *PacketHandler::questionOrRecurse(DNSPacket *p, bool *shouldRecurse)
       if (p->qtype.getCode() == QType::ANY && rr.qtype.getCode() == QType::RRSIG) // RRSIGS are added later any way.
         continue; //TODO: this actually means addRRSig should check if the RRSig is already there.
 
-      if(rr.qtype.getCode() == QType::DS)
-        rr.auth = 1;
       // cerr<<"Auth: "<<rr.auth<<", "<<(rr.qtype == p->qtype)<<", "<<rr.qtype.getName()<<endl;
       if((p->qtype.getCode() == QType::ANY || rr.qtype == p->qtype) && rr.auth) 
         weDone=1;

diff --git a/pdns/pdnssec.cc b/pdns/pdnssec.cc
index b115dc559a0ca7fa36eb54a8f70ca9385f1523fc..796eb5c9cf2c9533fdb77eb126e501f4254875ac 100644 (file)
--- a/pdns/pdnssec.cc
+++ b/pdns/pdnssec.cc
@@ -199,56 +199,47 @@ void rectifyZone(DNSSECKeeper& dk, const std::string& zone)
       }
       else
         sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
-      if(realrr)
-      {
-        if (dsnames.count(qname))
-          sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
-        if (!auth || nsset.count(qname)) {
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
-        }
-      }
     }
     else // NSEC
     {
-      if(realrr)
-      {
-        sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
-        if (dsnames.count(qname))
-          sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
-        if (!auth || nsset.count(qname)) {
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
-          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
-        }
-      }
-      else
-      {
+      sd.db->updateDNSSECOrderAndAuth(sd.domain_id, zone, qname, auth);
+      if (!realrr)
         sd.db->nullifyDNSSECOrderNameAndUpdateAuth(sd.domain_id, qname, auth);
-      }
     }
 
-    if(auth && realrr && doent)
+    if(realrr)
     {
-      shorter=qname;
-      while(!pdns_iequals(shorter, zone) && chopOff(shorter))
+      if (dsnames.count(qname))
+        sd.db->setDNSSECAuthOnDsRecord(sd.domain_id, qname);
+      if (!auth || nsset.count(qname)) {
+        if(haveNSEC3 && ns3pr.d_flags)
+          sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "NS");
+        sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "A");
+        sd.db->nullifyDNSSECOrderNameAndAuth(sd.domain_id, qname, "AAAA");
+      }
+
+      if(auth && doent)
       {
-        if(!qnames.count(shorter) && !nonterm.count(shorter))
+        shorter=qname;
+        while(!pdns_iequals(shorter, zone) && chopOff(shorter))
         {
-          if(!(maxent))
+          if(!qnames.count(shorter) && !nonterm.count(shorter))
           {
-            cerr<<"Zone '"<<zone<<"' has too many empty non terminals."<<endl;
-            insnonterm.clear();
-            delnonterm.clear();
-            doent=false;
-            break;
+            if(!(maxent))
+            {
+              cerr<<"Zone '"<<zone<<"' has too many empty non terminals."<<endl;
+              insnonterm.clear();
+              delnonterm.clear();
+              doent=false;
+              break;
+            }
+            nonterm.insert(shorter);
+            if (!delnonterm.count(shorter))
+              insnonterm.insert(shorter);
+            else
+              delnonterm.erase(shorter);
+            --maxent;
           }
-          nonterm.insert(shorter);
-          if (!delnonterm.count(shorter))
-            insnonterm.insert(shorter);
-          else
-            delnonterm.erase(shorter);
-          --maxent;
         }
       }
     }
@@ -1061,16 +1052,14 @@ try
       cerr<<"Syntax: pdnssec set-nsec3 ZONE 'params' [narrow]"<<endl;
       return 0;
     }
-    string nsec3params =  cmds.size() > 2 ? cmds[2] : "1 1 1 ab";
+    string nsec3params =  cmds.size() > 2 ? cmds[2] : "1 0 1 ab";
     bool narrow = cmds.size() > 3 && cmds[3]=="narrow";
     NSEC3PARAMRecordContent ns3pr(nsec3params);
-    if(!ns3pr.d_flags) {
-      cerr<<"PowerDNS only implements opt-out zones, please set the second parameter to '1' (example, '1 1 1 ab')"<<endl;
-      return 0;
-    }
-    
     dk.setNSEC3PARAM(cmds[1], ns3pr, narrow);
-    cerr<<"NSEC3 set, please rectify-zone if your backend needs it"<<endl;
+    if (!ns3pr.d_flags)
+      cerr<<"NSEC3 set, please rectify-zone if your backend needs it"<<endl;
+    else
+      cerr<<"NSEC3 (opt-out) set, please rectify-zone if your backend needs it"<<endl;
   }
   else if(cmds[0]=="set-presigned") {
     if(cmds.size() < 2) {

diff --git a/pdns/sdig.cc b/pdns/sdig.cc
index 7462adf73adbcc898f82132167fb47bf2b4be73b..f610d0036a8705df2fbebbb29c10836a571911a0 100644 (file)
--- a/pdns/sdig.cc
+++ b/pdns/sdig.cc
@@ -13,11 +13,12 @@ try
   bool dnssec=false;
   bool recurse=false;
   bool tcp=false;
+  bool showflags=false;
 
   reportAllTypes();
 
   if(argc < 5) {
-    cerr<<"Syntax: sdig IP-address port question question-type [dnssec|recurse]\n";
+    cerr<<"Syntax: sdig IP-address port question question-type [dnssec|dnssec-tcp|recurse] [showflags]\n";
     exit(EXIT_FAILURE);
   }
 
@@ -38,6 +39,11 @@ try
     recurse=true;
   }
 
+  if((argc > 5 && strcmp(argv[5], "showflags")==0) || (argc > 6 && strcmp(argv[6], "showflags")==0))
+  {
+    showflags=true;
+  }
+
   vector<uint8_t> packet;
   
   DNSPacketWriter pw(packet, argv[3], DNSRecordContent::TypeToNumber(argv[4]));
@@ -132,6 +138,16 @@ try
       stringtok(parts, zoneRep);
       cout<<"\t"<<i->first.d_ttl<<"\t"<< parts[0]<<" "<<parts[1]<<" "<<parts[2]<<" "<<parts[3]<<" [expiry] [inception] [keytag] "<<parts[7]<<" ...\n";
     }
+    else if(!showflags && i->first.d_type == QType::NSEC3)
+    {
+      string zoneRep = i->first.d_content->getZoneRepresentation();
+      vector<string> parts;
+      stringtok(parts, zoneRep);
+      cout<<"\t"<<i->first.d_ttl<<"\t"<< parts[0]<<" [flags] "<<parts[2]<<" "<<parts[3]<<" "<<parts[4];
+      for(vector<string>::iterator iter = parts.begin()+5; iter != parts.end(); ++iter)
+        cout<<" "<<*iter;
+      cout<<"\n";
+    }
     else if(i->first.d_type == QType::DNSKEY)
     {
       string zoneRep = i->first.d_content->getZoneRepresentation();

diff --git a/pdns/slavecommunicator.cc b/pdns/slavecommunicator.cc
index fd92f4934f2cb46db37ab5f2d3be25fd55f21451..e20d033e279cd4ec70c430104e5ba9996b8aa902 100644 (file)
--- a/pdns/slavecommunicator.cc
+++ b/pdns/slavecommunicator.cc
@@ -260,7 +260,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
         }while(chopOff(shorter));
       }
 
-      if(dnssecZone && haveNSEC3)
+      if(haveNSEC3)
       {
         if(!narrow) { 
           hashed=toLower(toBase32Hex(hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, qname)));
@@ -268,47 +268,42 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
         }
         else
           di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth);
-        if(realrr)
-        {
-          if (dsnames.count(qname))
-            di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
-          if (!auth || nsset.count(qname)) {
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
-          }
-        }
       }
       else // NSEC
       {
-        if(realrr)
-        {
-          di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
-          if (dsnames.count(qname))
-            di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
-          if (!auth || nsset.count(qname)) {
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
-            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
-          }
-        }
+        di.backend->updateDNSSECOrderAndAuth(domain_id, domain, qname, auth);
+        if (!realrr)
+          di.backend->nullifyDNSSECOrderNameAndUpdateAuth(domain_id, qname, auth);
       }
 
-      if(auth && realrr && doent)
+      if(realrr)
       {
-        shorter=qname;
-        while(!pdns_iequals(shorter, domain) && chopOff(shorter))
+        if (dsnames.count(qname))
+          di.backend->setDNSSECAuthOnDsRecord(domain_id, qname);
+        if (!auth || nsset.count(qname)) {
+          if(haveNSEC3 && gotOptOutFlag)
+            di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "NS");
+          di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "A");
+          di.backend->nullifyDNSSECOrderNameAndAuth(domain_id, qname, "AAAA");
+        }
+
+        if(auth && doent)
         {
-          if(!qnames.count(shorter) && !nonterm.count(shorter))
+          shorter=qname;
+          while(!pdns_iequals(shorter, domain) && chopOff(shorter))
           {
-            if(!(maxent))
+            if(!qnames.count(shorter) && !nonterm.count(shorter))
             {
-              L<<Logger::Error<<"AXFR zone "<<domain<<" has too many empty non terminals."<<endl;
-              nonterm.empty();
-              doent=false;
-              break;
+              if(!(maxent))
+              {
+                L<<Logger::Error<<"AXFR zone "<<domain<<" has too many empty non terminals."<<endl;
+                nonterm.empty();
+                doent=false;
+                break;
+              }
+              nonterm.insert(shorter);
+              --maxent;
             }
-            nonterm.insert(shorter);
-            --maxent;
           }
         }
       }

diff --git a/pdns/tcpreceiver.cc b/pdns/tcpreceiver.cc
index b8691d592883e001097806cd6be966f38f76ab78..2df867ff8bdab6ac21266fd297826774fed1f220 100644 (file)
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -616,11 +616,14 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
     }
   }
 
+  uint8_t flags;
+
   if(NSEC3Zone) { // now stuff in the NSEC3PARAM
+    flags = ns3pr.d_flags;
     rr.qtype = QType(QType::NSEC3PARAM);
     ns3pr.d_flags = 0;
     rr.content = ns3pr.getZoneRepresentation();
-    ns3pr.d_flags = 1;
+    ns3pr.d_flags = flags;
     string keyname = hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname);
     NSECXEntry& ne = nsecxrepo[keyname];
     
@@ -657,7 +660,7 @@ int TCPNameserver::doAXFR(const string &target, shared_ptr<DNSPacket> q, int out
         keyname = NSEC3Zone ? hashQNameWithSalt(ns3pr.d_iterations, ns3pr.d_salt, rr.qname) : labelReverse(rr.qname);
         NSECXEntry& ne = nsecxrepo[keyname];
         ne.d_ttl = sd.default_ttl;
-        ne.d_auth = (ne.d_auth || rr.auth);
+        ne.d_auth = (ne.d_auth || rr.auth || (NSEC3Zone && !ns3pr.d_flags));
         if (rr.qtype.getCode()) {
           ne.d_set.insert(rr.qtype.getCode());
         }

diff --git a/regression-tests/00dnssec-grabkeys/command b/regression-tests/00dnssec-grabkeys/command
index 414b72d3f795f0c5237c9663c6bd30933612b58e..3dba73aa48f98581853413c0ff42bab7c71e345d 100755 (executable)
--- a/regression-tests/00dnssec-grabkeys/command
+++ b/regression-tests/00dnssec-grabkeys/command
@@ -4,7 +4,10 @@ rm -f trustedkeys
 rm -f unbound-host.conf
 for zone in $(grep zone named.conf  | cut -f2 -d\")
 do
+    if [ "${zone: 0:16}" != "secure-delegated" ]
+    then
        drill -p $port -o rd -D dnskey $zone @$nameserver | grep -v '^;' | grep -v AwEAAarTiHhPgvD28WCN8UBXcEcf8f >> trustedkeys
+    fi
        echo "stub-zone:" >> unbound-host.conf
        echo "  name: $zone" >> unbound-host.conf
        echo "  stub-addr: $nameserver@$port" >> unbound-host.conf

diff --git a/regression-tests/any-nxdomain/expected_result.narrow b/regression-tests/any-nxdomain/expected_result.narrow
index b491f36ff5d6a1a7bec9a463a31ca03d1309a2ff..5d8a786cf01d11095d5da14990b39344f040d64c 100644 (file)
--- a/regression-tests/any-nxdomain/expected_result.narrow
+++ b/regression-tests/any-nxdomain/expected_result.narrow
@@ -1,10 +1,10 @@
-1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
 1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.   IN      NSEC3   86400   1 1 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC
+1      onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC
 1      onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/any-nxdomain/expected_result.nsec3 b/regression-tests/any-nxdomain/expected_result.nsec3
index f14bfaef14db30303c358b5d6e62fc8c4bdd5dd7..ffa08f320f5f4a819c1d8c44dfb1a22f4af5ddf4 100644 (file)
--- a/regression-tests/any-nxdomain/expected_result.nsec3
+++ b/regression-tests/any-nxdomain/expected_result.nsec3
@@ -1,10 +1,10 @@
-1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
 1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.   IN      NSEC3   86400   1 1 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG
+1      onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG
 1      onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/any-wildcard-dnssec/expected_result.narrow b/regression-tests/any-wildcard-dnssec/expected_result.narrow
index 198d560cce72ee6abce2e8d93a000f00f36da7a2..dc937bb7ca2c9bd9ccfa4cb53efd040324dd13d8 100644 (file)
--- a/regression-tests/any-wildcard-dnssec/expected_result.narrow
+++ b/regression-tests/any-wildcard-dnssec/expected_result.narrow
@@ -1,6 +1,6 @@
 0      www.something.wtest.com.        IN      A       3600    4.3.2.1
 0      www.something.wtest.com.        IN      RRSIG   3600    A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1      7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com.     IN      NSEC3   86400   1 1 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A
+1      7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd 7Q60LLVA2BT9UCUBVN553Q9S2PF8HO3A
 1      7q60llva2bt9ucubvn553q9s2pf8ho38.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/any-wildcard-dnssec/expected_result.nsec3 b/regression-tests/any-wildcard-dnssec/expected_result.nsec3
index 779c6ab8bad87ec07c64e4637899e5305c0d39d5..5d117598ef00050bb33ec9470fce1e49cfb6b76e 100644 (file)
--- a/regression-tests/any-wildcard-dnssec/expected_result.nsec3
+++ b/regression-tests/any-wildcard-dnssec/expected_result.nsec3
@@ -1,6 +1,6 @@
 0      www.something.wtest.com.        IN      A       3600    4.3.2.1
 0      www.something.wtest.com.        IN      RRSIG   3600    A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1      7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com.     IN      NSEC3   86400   1 1 1 abcd 95QOQ246KN3VM7HL8KVG8O45JIHMNLNG A RRSIG
+1      7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd 95QOQ246KN3VM7HL8KVG8O45JIHMNLNG A RRSIG
 1      7k2dfhl64f0ndftst8u5rr5euminddvb.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/bind-dnssec-setup b/regression-tests/bind-dnssec-setup
index 5246823c186948e32acd17b171f10708ce86e3c8..8dac036a1f040add413695e2917d2228871024c1 100755 (executable)
--- a/regression-tests/bind-dnssec-setup
+++ b/regression-tests/bind-dnssec-setup
@@ -3,5 +3,14 @@ rm -f dnssec.sqlite3
 ../pdns/pdnssec --config-dir=. create-bind-db dnssec.sqlite3
 for zone in $(grep zone named.conf  | cut -f2 -d\")
 do
-       ../pdns/pdnssec --config-dir=. secure-zone $zone 2>&1
+    if [ "${zone: 0:16}" = "secure-delegated" ]
+    then
+        ../pdns/pdnssec --config-dir=. import-zone-key $zone $zone.key ksk 2>&1
+        ../pdns/pdnssec --config-dir=. add-zone-key $zone 1024 zsk 2>&1
+        keyid=`../pdns/pdnssec --config-dir=. show-zone delegated.dnssec-parent.com | grep ZSK | cut -d' ' -f3`
+        ../pdns/pdnssec --config-dir=. activate-zone-key $zone $keyid 2>&1
+        ../pdns/pdnssec --config-dir=. add-zone-key $zone 1024 zsk 2>&1
+    else
+        ../pdns/pdnssec --config-dir=. secure-zone $zone 2>&1
+    fi
 done

diff --git a/regression-tests/cleandig b/regression-tests/cleandig
index 68bc42721505cdc7014a8dd9e34c6dc643e56429..be9def6d39bd662aed9291f7b272fc8cc4a734bc 100755 (executable)
--- a/regression-tests/cleandig
+++ b/regression-tests/cleandig
@@ -1,7 +1,7 @@
 #!/bin/sh
 if [ ! -e ${testsdir}/${testname}/use.drill ]
 then
-../pdns/sdig $nameserver $port "$1" $2 $3 | LC_ALL=C sort
+../pdns/sdig $nameserver $port "$1" $2 $3 $4 | LC_ALL=C sort
 fi
 ../pdns/nsec3dig $nameserver $port "$1" $2 > ${testsdir}/${testname}/nsec3dig.out 2>&1
 drill -a -p $port -o rd -D -S -k trustedkeys "$1" $2 @$nameserver > ${testsdir}/${testname}/drillchase.out 2>&1 

diff --git a/regression-tests/cname-to-nxdomain/expected_result.narrow b/regression-tests/cname-to-nxdomain/expected_result.narrow
index f94d05dc93fd8ccb4f0ff2147606c6d95d8556a0..b6e20e70f2f97272992489a7c3fdc3376ba23e22 100644 (file)
--- a/regression-tests/cname-to-nxdomain/expected_result.narrow
+++ b/regression-tests/cname-to-nxdomain/expected_result.narrow
@@ -1,12 +1,12 @@
 0      nxd.example.com.        IN      CNAME   120     nxdomain.example.com.
 0      nxd.example.com.        IN      RRSIG   120     CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
-1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
 1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.   IN      NSEC3   86400   1 1 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC
+1      onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC
 1      onnhv82alu3om3l4fkfes49n0j2c71ba.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/cname-to-nxdomain/expected_result.nsec3 b/regression-tests/cname-to-nxdomain/expected_result.nsec3
index cb50420a35c4b04c7e30135002f43c15051b7c39..d66366861185b9428a8c9058817f39ef4090e34e 100644 (file)
--- a/regression-tests/cname-to-nxdomain/expected_result.nsec3
+++ b/regression-tests/cname-to-nxdomain/expected_result.nsec3
@@ -1,12 +1,12 @@
 0      nxd.example.com.        IN      CNAME   120     nxdomain.example.com.
 0      nxd.example.com.        IN      RRSIG   120     CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
-1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
 1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.   IN      NSEC3   86400   1 1 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG
+1      onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG
 1      onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/cname-wildcard-chain/expected_result.narrow b/regression-tests/cname-wildcard-chain/expected_result.narrow
index 0d97f8585d464346347230d2a29965d2eb3b6236..2b1a993a171c550ae0a6fe40dfcc9d9d83b64f00 100644 (file)
--- a/regression-tests/cname-wildcard-chain/expected_result.narrow
+++ b/regression-tests/cname-wildcard-chain/expected_result.narrow
@@ -10,15 +10,15 @@
 0      x.y.z.w4.example.com.   IN      RRSIG   120     CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
 0      x.y.z.w5.example.com.   IN      A       120     1.2.3.5
 0      x.y.z.w5.example.com.   IN      RRSIG   120     A 8 3 120 [expiry] [inception] [keytag] example.com. ...
-1      6jmrie0v0hnp2flflt36lur7c08n9h45.example.com.   IN      NSEC3   86400   1 1 1 abcd 6JMRIE0V0HNP2FLFLT36LUR7C08N9H47
+1      6jmrie0v0hnp2flflt36lur7c08n9h45.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 6JMRIE0V0HNP2FLFLT36LUR7C08N9H47
 1      6jmrie0v0hnp2flflt36lur7c08n9h45.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      atcf56s7ucntm82nht67p3g2nqteplou.example.com.   IN      NSEC3   86400   1 1 1 abcd ATCF56S7UCNTM82NHT67P3G2NQTEPLP0
+1      atcf56s7ucntm82nht67p3g2nqteplou.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd ATCF56S7UCNTM82NHT67P3G2NQTEPLP0
 1      atcf56s7ucntm82nht67p3g2nqteplou.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      b6drqdikagd74fa5eme4sdiek1s06343.example.com.   IN      NSEC3   86400   1 1 1 abcd B6DRQDIKAGD74FA5EME4SDIEK1S06345
+1      b6drqdikagd74fa5eme4sdiek1s06343.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd B6DRQDIKAGD74FA5EME4SDIEK1S06345
 1      b6drqdikagd74fa5eme4sdiek1s06343.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com.   IN      NSEC3   86400   1 1 1 abcd LR0G3VNJ9R0NVTLSJNF8EQA68SQJ06QI
+1      lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd LR0G3VNJ9R0NVTLSJNF8EQA68SQJ06QI
 1      lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vsfa79vv78gd61567bkcai646ta0p276.example.com.   IN      NSEC3   86400   1 1 1 abcd VSFA79VV78GD61567BKCAI646TA0P278
+1      vsfa79vv78gd61567bkcai646ta0p276.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VSFA79VV78GD61567BKCAI646TA0P278
 1      vsfa79vv78gd61567bkcai646ta0p276.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/cname-wildcard-chain/expected_result.nsec3 b/regression-tests/cname-wildcard-chain/expected_result.nsec3
index ebe96a8f457021fcce9af0ceaff1d9a5372d727e..6d89b279f86cc554924fa7e931c23d9e72b3a6a6 100644 (file)
--- a/regression-tests/cname-wildcard-chain/expected_result.nsec3
+++ b/regression-tests/cname-wildcard-chain/expected_result.nsec3
@@ -10,15 +10,15 @@
 0      x.y.z.w4.example.com.   IN      RRSIG   120     CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
 0      x.y.z.w5.example.com.   IN      A       120     1.2.3.5
 0      x.y.z.w5.example.com.   IN      RRSIG   120     A 8 3 120 [expiry] [inception] [keytag] example.com. ...
-1      6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com.   IN      NSEC3   86400   1 1 1 abcd 6JNMPRJN08RFG8QRUMBN91V2UURTV527 A RRSIG
+1      6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 6JNMPRJN08RFG8QRUMBN91V2UURTV527 A RRSIG
 1      6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com.   IN      NSEC3   86400   1 1 1 abcd ATEJUO2QMEO1FORSEB6KH9B0DMVFRK08 A RRSIG
+1      atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd ATEJUO2QMEO1FORSEB6KH9B0DMVFRK08 A RRSIG
 1      atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com.   IN      NSEC3   86400   1 1 1 abcd B6J68ESSIMG1HC5MGJ3B3OQUKL9PKEQB A RRSIG
+1      b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd B6J68ESSIMG1HC5MGJ3B3OQUKL9PKEQB A RRSIG
 1      b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      lqu3s8oae1ipc1iobnslma8igo1335a4.example.com.   IN      NSEC3   86400   1 1 1 abcd LR1LEP75CII4P0CLER3MLLQBO1TGKHDO A RRSIG
+1      lqu3s8oae1ipc1iobnslma8igo1335a4.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd LR1LEP75CII4P0CLER3MLLQBO1TGKHDO A RRSIG
 1      lqu3s8oae1ipc1iobnslma8igo1335a4.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com.   IN      NSEC3   86400   1 1 1 abcd VSGNH606MUV7BFQFN3TRH1D5FKP1IPIV A RRSIG
+1      vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VSGNH606MUV7BFQFN3TRH1D5FKP1IPIV A RRSIG
 1      vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/ds-at-unsecure-delegation/command b/regression-tests/ds-at-unsecure-delegation/command
index 8eee2898cbebab1faea458ae525c6024ae104c04..5eebd9e02d48a692da824d4b0881936ca7e567ab 100755 (executable)
--- a/regression-tests/ds-at-unsecure-delegation/command
+++ b/regression-tests/ds-at-unsecure-delegation/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig usa.example.com DS dnssec
+cleandig usa.example.com DS dnssec showflags

diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3 b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3
index 6805539d8d24a8a583810f61e78f23cc278714ca..ee1c7ae721e17f9bead988978c63e8ae62f92191 100644 (file)
--- a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3
+++ b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3
@@ -1,8 +1,8 @@
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      t66sektb7egvs7s57m1qged4h6809g8s.example.com.   IN      NSEC3   86400   1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG
-1      t66sektb7egvs7s57m1qged4h6809g8s.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com.   IN      NSEC3   86400   1 0 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO NS
+1      t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3-optout b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3-optout
new file mode 100644 (file)
index 0000000..6805539
--- /dev/null
+++ b/regression-tests/ds-at-unsecure-delegation/expected_result.nsec3-optout
@@ -0,0 +1,9 @@
+1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1      t66sektb7egvs7s57m1qged4h6809g8s.example.com.   IN      NSEC3   86400   1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG
+1      t66sektb7egvs7s57m1qged4h6809g8s.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2      .       IN      OPT     32768   
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='usa.example.com.', qtype=DS

diff --git a/regression-tests/ds-at-unsecure-zone-cut/command b/regression-tests/ds-at-unsecure-zone-cut/command
index 41c2cbd44bd40b9e7d1a39ccc3bdeefb4b07b1e8..2033c5af81f07c4fd4a2fc7ebc9a152b6e5a1002 100755 (executable)
--- a/regression-tests/ds-at-unsecure-zone-cut/command
+++ b/regression-tests/ds-at-unsecure-zone-cut/command
@@ -1,3 +1,3 @@
 #!/bin/sh
-cleandig delegated.dnssec-parent.com DS dnssec
+cleandig delegated.dnssec-parent.com DS dnssec showflags
 

diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3 b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3
index c8ccc4cba75b7a7a9046963f833cccfe7e61c3b8..1f701a8d3c617713e491bd7a5722064a24473228 100644 (file)
--- a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3
+++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3
@@ -1,8 +1,8 @@
-1      7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com.     IN      NSEC3   86400   1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8U NS DS RRSIG
-1      7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1      be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com.     IN      NSEC3   86400   1 0 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8U NS
+1      be6iqh4fjrtdhacqk7g3iq96qcvf2qoj.dnssec-parent.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1      dnssec-parent.com.      IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
 1      dnssec-parent.com.      IN      SOA     3600    ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1      dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.     IN      NSEC3   86400   1 1 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM
+1      dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.     IN      NSEC3   86400   1 0 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM
 1      dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout
new file mode 100644 (file)
index 0000000..c8ccc4c
--- /dev/null
+++ b/regression-tests/ds-at-unsecure-zone-cut/expected_result.nsec3-optout
@@ -0,0 +1,9 @@
+1      7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com.     IN      NSEC3   86400   1 1 1 abcd DVKUO8KJA65GCSQ600E6DI9U719LSJ8U NS DS RRSIG
+1      7on3vems0f8k9999ikei0ig4lfijekdr.dnssec-parent.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1      dnssec-parent.com.      IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] dnssec-parent.com. ...
+1      dnssec-parent.com.      IN      SOA     3600    ns1.dnssec-parent.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+1      dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.     IN      NSEC3   86400   1 1 1 abcd 1SCAQA30LQ0DO5EIRNE4KPJFBEBFGR54 A NS SOA RRSIG DNSKEY NSEC3PARAM
+1      dvkuo8kja65gcsq600e6di9u719lsj8u.dnssec-parent.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] dnssec-parent.com. ...
+2      .       IN      OPT     32768   
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='delegated.dnssec-parent.com.', qtype=DS

diff --git a/regression-tests/ds-inside-delegation/command b/regression-tests/ds-inside-delegation/command
index a410d8e60c7e55d7c852e825477e51bc0c188088..f6773179905a329ce84917617ebfaeba536d26ab 100755 (executable)
--- a/regression-tests/ds-inside-delegation/command
+++ b/regression-tests/ds-inside-delegation/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig sub.usa.example.com DS dnssec
+cleandig sub.usa.example.com DS dnssec showflags

diff --git a/regression-tests/ds-inside-delegation/expected_result.nsec3 b/regression-tests/ds-inside-delegation/expected_result.nsec3
index 2e04c2a0b3c2b80b10ef7d5345d6ec43e0d09164..c676fcb59bb8faf96b5ac8a5f6ab6da3c498d341 100644 (file)
--- a/regression-tests/ds-inside-delegation/expected_result.nsec3
+++ b/regression-tests/ds-inside-delegation/expected_result.nsec3
@@ -1,8 +1,8 @@
-1      t66sektb7egvs7s57m1qged4h6809g8s.example.com.   IN      NSEC3   86400   1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG
-1      t66sektb7egvs7s57m1qged4h6809g8s.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1      t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com.   IN      NSEC3   86400   1 0 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO NS
+1      t67rqvqprigd7rtb5fah6c3o7g9th3j0.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      usa.example.com.        IN      NS      120     usa-ns1.usa.example.com.
 1      usa.example.com.        IN      NS      120     usa-ns2.usa.example.com.
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 0 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 2      usa-ns1.usa.example.com.        IN      A       120     192.168.4.1

diff --git a/regression-tests/ds-inside-delegation/expected_result.nsec3-optout b/regression-tests/ds-inside-delegation/expected_result.nsec3-optout
new file mode 100644 (file)
index 0000000..2e04c2a
--- /dev/null
+++ b/regression-tests/ds-inside-delegation/expected_result.nsec3-optout
@@ -0,0 +1,11 @@
+1      t66sektb7egvs7s57m1qged4h6809g8s.example.com.   IN      NSEC3   86400   1 1 1 abcd T6A44A7N1B90T5RIS4IBQKT51MMDL0LO A RRSIG
+1      t66sektb7egvs7s57m1qged4h6809g8s.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1      usa.example.com.        IN      NS      120     usa-ns1.usa.example.com.
+1      usa.example.com.        IN      NS      120     usa-ns2.usa.example.com.
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2      .       IN      OPT     32768   
+2      usa-ns1.usa.example.com.        IN      A       120     192.168.4.1
+2      usa-ns2.usa.example.com.        IN      A       120     192.168.4.2
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='sub.usa.example.com.', qtype=DS

diff --git a/regression-tests/ent-any/command b/regression-tests/ent-any/command
index 4c54b850e9340701a72a081fd65116e1a90936fa..bed6d9217601cc969830fd16c476c6dc8ddecffd 100755 (executable)
--- a/regression-tests/ent-any/command
+++ b/regression-tests/ent-any/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig c.test.com ANY dnssec
+cleandig c.test.com ANY dnssec showflags

diff --git a/regression-tests/ent-any/expected_result.nsec3 b/regression-tests/ent-any/expected_result.nsec3
index 1cc03b5611479fe7a1abb3173e5794aa7a87096c..15621e1f2497752e51d7c9b1d99130b63f2eefcf 100644 (file)
--- a/regression-tests/ent-any/expected_result.nsec3
+++ b/regression-tests/ent-any/expected_result.nsec3
@@ -1,4 +1,4 @@
-1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 0 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KB
 1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      SOA     3600    ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400

diff --git a/regression-tests/ent-any/expected_result.nsec3-optout b/regression-tests/ent-any/expected_result.nsec3-optout
new file mode 100644 (file)
index 0000000..1cc03b5
--- /dev/null
+++ b/regression-tests/ent-any/expected_result.nsec3-optout
@@ -0,0 +1,7 @@
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1      test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
+1      test.com.       IN      SOA     3600    ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2      .       IN      OPT     32768   
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='c.test.com.', qtype=ANY

diff --git a/regression-tests/ent-axfr/expected_result.nsec3 b/regression-tests/ent-axfr/expected_result.nsec3
index bdcaa78ab2a78677db5ecd8bcf841b1197a79d41..9ff0b4208a068fe48f6b29e4027ae43175c1d509 100644 (file)
--- a/regression-tests/ent-axfr/expected_result.nsec3
+++ b/regression-tests/ent-axfr/expected_result.nsec3
@@ -1,23 +1,25 @@
-2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.     86400   IN      NSEC3   1 1 1 abcd  2gks2n3jpqf62qohavfq1pholm3hr7ra NS SOA MX RRSIG DNSKEY NSEC3PARAM 
-2gks2n3jpqf62qohavfq1pholm3hr7ra.test.com.     86400   IN      NSEC3   1 1 1 abcd  79ra8k3g5kai1hg9jlhbr6p0tp933m7v TXT RRSIG 
-79ra8k3g5kai1hg9jlhbr6p0tp933m7v.test.com.     86400   IN      NSEC3   1 1 1 abcd  79u3das6ucctns1br3tvd8qkanni351l A RRSIG 
-79u3das6ucctns1br3tvd8qkanni351l.test.com.     86400   IN      NSEC3   1 1 1 abcd  7mmura8h40be5n4koan7rnmkursamh99
-7mmura8h40be5n4koan7rnmkursamh99.test.com.     86400   IN      NSEC3   1 1 1 abcd  88f1bqrb2iscvfel2sqqcksvflnekap6
-88f1bqrb2iscvfel2sqqcksvflnekap6.test.com.     86400   IN      NSEC3   1 1 1 abcd  a5labagjjevr86gh0hf3jg7nufhga5ar CNAME RRSIG 
-a5labagjjevr86gh0hf3jg7nufhga5ar.test.com.     86400   IN      NSEC3   1 1 1 abcd  aovp95mr44hqefrqus6nomsd944bm3vb A RRSIG 
-aovp95mr44hqefrqus6nomsd944bm3vb.test.com.     86400   IN      NSEC3   1 1 1 abcd  b022o9dksaj737fh77e7kqqtj3om56ki A RRSIG 
-b022o9dksaj737fh77e7kqqtj3om56ki.test.com.     86400   IN      NSEC3   1 1 1 abcd  dafc69cv5n2tfcf6ovbvtv94drgmqjo5
-dafc69cv5n2tfcf6ovbvtv94drgmqjo5.test.com.     86400   IN      NSEC3   1 1 1 abcd  eban51bjgugorb20unp5peec7s5d2eka TXT RRSIG 
-eban51bjgugorb20unp5peec7s5d2eka.test.com.     86400   IN      NSEC3   1 1 1 abcd  h5855rvon2aasm8qv1nk49i1b2mkbejp SRV RRSIG 
-h5855rvon2aasm8qv1nk49i1b2mkbejp.test.com.     86400   IN      NSEC3   1 1 1 abcd  iai9hin25meh689r5v5gtifk8om5di0e A RRSIG 
-iai9hin25meh689r5v5gtifk8om5di0e.test.com.     86400   IN      NSEC3   1 1 1 abcd  igf4m7otecach14p0a6ingi7dbuas5b2 A RRSIG 
-igf4m7otecach14p0a6ingi7dbuas5b2.test.com.     86400   IN      NSEC3   1 1 1 abcd  o1l0fb73hi3qp4a3fnqjsleanlc883i3 A RP RRSIG 
-o1l0fb73hi3qp4a3fnqjsleanlc883i3.test.com.     86400   IN      NSEC3   1 1 1 abcd  plud9qqecuril62gcfp8br44i7eoq7c9 TXT RRSIG 
-plud9qqecuril62gcfp8br44i7eoq7c9.test.com.     86400   IN      NSEC3   1 1 1 abcd  qd81ag9inqts1ocs7api0pji94k27btr SRV RRSIG 
-qd81ag9inqts1ocs7api0pji94k27btr.test.com.     86400   IN      NSEC3   1 1 1 abcd  s6g5shc1jvovl5fl9e943adlonqln7g4 CNAME RRSIG 
-s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.     86400   IN      NSEC3   1 1 1 abcd  sa5vvpqn1coejgj3hbkfekdnii8kksqa
-sa5vvpqn1coejgj3hbkfekdnii8kksqa.test.com.     86400   IN      NSEC3   1 1 1 abcd  sra2sm4pl136bultass7qqnlblipe8am NAPTR RRSIG 
-sra2sm4pl136bultass7qqnlblipe8am.test.com.     86400   IN      NSEC3   1 1 1 abcd  u02utt5q2bhjcq986f05mbap0pgamt5o CNAME RRSIG 
+2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.     86400   IN      NSEC3   1 0 1 abcd  2gks2n3jpqf62qohavfq1pholm3hr7ra NS SOA MX RRSIG DNSKEY NSEC3PARAM 
+2gks2n3jpqf62qohavfq1pholm3hr7ra.test.com.     86400   IN      NSEC3   1 0 1 abcd  79ra8k3g5kai1hg9jlhbr6p0tp933m7v TXT RRSIG 
+79ra8k3g5kai1hg9jlhbr6p0tp933m7v.test.com.     86400   IN      NSEC3   1 0 1 abcd  79u3das6ucctns1br3tvd8qkanni351l A RRSIG 
+79u3das6ucctns1br3tvd8qkanni351l.test.com.     86400   IN      NSEC3   1 0 1 abcd  7mmura8h40be5n4koan7rnmkursamh99
+7mmura8h40be5n4koan7rnmkursamh99.test.com.     86400   IN      NSEC3   1 0 1 abcd  88f1bqrb2iscvfel2sqqcksvflnekap6
+88f1bqrb2iscvfel2sqqcksvflnekap6.test.com.     86400   IN      NSEC3   1 0 1 abcd  a5labagjjevr86gh0hf3jg7nufhga5ar CNAME RRSIG 
+a5labagjjevr86gh0hf3jg7nufhga5ar.test.com.     86400   IN      NSEC3   1 0 1 abcd  aovp95mr44hqefrqus6nomsd944bm3vb A RRSIG 
+aovp95mr44hqefrqus6nomsd944bm3vb.test.com.     86400   IN      NSEC3   1 0 1 abcd  b022o9dksaj737fh77e7kqqtj3om56ki A RRSIG 
+b022o9dksaj737fh77e7kqqtj3om56ki.test.com.     86400   IN      NSEC3   1 0 1 abcd  dafc69cv5n2tfcf6ovbvtv94drgmqjo5
+dafc69cv5n2tfcf6ovbvtv94drgmqjo5.test.com.     86400   IN      NSEC3   1 0 1 abcd  de592k86u3hevdj57jpbt7j5kv7doo78 TXT RRSIG 
+de592k86u3hevdj57jpbt7j5kv7doo78.test.com.     86400   IN      NSEC3   1 0 1 abcd  eban51bjgugorb20unp5peec7s5d2eka NS 
+eban51bjgugorb20unp5peec7s5d2eka.test.com.     86400   IN      NSEC3   1 0 1 abcd  h5855rvon2aasm8qv1nk49i1b2mkbejp SRV RRSIG 
+h5855rvon2aasm8qv1nk49i1b2mkbejp.test.com.     86400   IN      NSEC3   1 0 1 abcd  iai9hin25meh689r5v5gtifk8om5di0e A RRSIG 
+iai9hin25meh689r5v5gtifk8om5di0e.test.com.     86400   IN      NSEC3   1 0 1 abcd  igf4m7otecach14p0a6ingi7dbuas5b2 A RRSIG 
+igf4m7otecach14p0a6ingi7dbuas5b2.test.com.     86400   IN      NSEC3   1 0 1 abcd  o1l0fb73hi3qp4a3fnqjsleanlc883i3 A RP RRSIG 
+o1l0fb73hi3qp4a3fnqjsleanlc883i3.test.com.     86400   IN      NSEC3   1 0 1 abcd  plud9qqecuril62gcfp8br44i7eoq7c9 TXT RRSIG 
+plud9qqecuril62gcfp8br44i7eoq7c9.test.com.     86400   IN      NSEC3   1 0 1 abcd  qd81ag9inqts1ocs7api0pji94k27btr SRV RRSIG 
+qd81ag9inqts1ocs7api0pji94k27btr.test.com.     86400   IN      NSEC3   1 0 1 abcd  s6g5shc1jvovl5fl9e943adlonqln7g4 CNAME RRSIG 
+s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.     86400   IN      NSEC3   1 0 1 abcd  s96h2qicbt8d9i5aa43kp8sjjresq4kb
+s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com.     86400   IN      NSEC3   1 0 1 abcd  sa5vvpqn1coejgj3hbkfekdnii8kksqa NS 
+sa5vvpqn1coejgj3hbkfekdnii8kksqa.test.com.     86400   IN      NSEC3   1 0 1 abcd  sra2sm4pl136bultass7qqnlblipe8am NAPTR RRSIG 
+sra2sm4pl136bultass7qqnlblipe8am.test.com.     86400   IN      NSEC3   1 0 1 abcd  u02utt5q2bhjcq986f05mbap0pgamt5o CNAME RRSIG 
 test.com.      86400   IN      NSEC3PARAM      1 0 1 abcd 
-u02utt5q2bhjcq986f05mbap0pgamt5o.test.com.     86400   IN      NSEC3   1 1 1 abcd  vlvujatanof6feajoesti9kq4s0crst3 A RRSIG 
-vlvujatanof6feajoesti9kq4s0crst3.test.com.     86400   IN      NSEC3   1 1 1 abcd  2eu2gulbu53h9uvhfalshpbo2a83t6l2
+u02utt5q2bhjcq986f05mbap0pgamt5o.test.com.     86400   IN      NSEC3   1 0 1 abcd  vlvujatanof6feajoesti9kq4s0crst3 A RRSIG 
+vlvujatanof6feajoesti9kq4s0crst3.test.com.     86400   IN      NSEC3   1 0 1 abcd  2eu2gulbu53h9uvhfalshpbo2a83t6l2

diff --git a/regression-tests/ent-axfr/expected_result.nsec3-optout b/regression-tests/ent-axfr/expected_result.nsec3-optout
new file mode 100644 (file)
index 0000000..bdcaa78
--- /dev/null
+++ b/regression-tests/ent-axfr/expected_result.nsec3-optout
@@ -0,0 +1,23 @@
+2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.     86400   IN      NSEC3   1 1 1 abcd  2gks2n3jpqf62qohavfq1pholm3hr7ra NS SOA MX RRSIG DNSKEY NSEC3PARAM 
+2gks2n3jpqf62qohavfq1pholm3hr7ra.test.com.     86400   IN      NSEC3   1 1 1 abcd  79ra8k3g5kai1hg9jlhbr6p0tp933m7v TXT RRSIG 
+79ra8k3g5kai1hg9jlhbr6p0tp933m7v.test.com.     86400   IN      NSEC3   1 1 1 abcd  79u3das6ucctns1br3tvd8qkanni351l A RRSIG 
+79u3das6ucctns1br3tvd8qkanni351l.test.com.     86400   IN      NSEC3   1 1 1 abcd  7mmura8h40be5n4koan7rnmkursamh99
+7mmura8h40be5n4koan7rnmkursamh99.test.com.     86400   IN      NSEC3   1 1 1 abcd  88f1bqrb2iscvfel2sqqcksvflnekap6
+88f1bqrb2iscvfel2sqqcksvflnekap6.test.com.     86400   IN      NSEC3   1 1 1 abcd  a5labagjjevr86gh0hf3jg7nufhga5ar CNAME RRSIG 
+a5labagjjevr86gh0hf3jg7nufhga5ar.test.com.     86400   IN      NSEC3   1 1 1 abcd  aovp95mr44hqefrqus6nomsd944bm3vb A RRSIG 
+aovp95mr44hqefrqus6nomsd944bm3vb.test.com.     86400   IN      NSEC3   1 1 1 abcd  b022o9dksaj737fh77e7kqqtj3om56ki A RRSIG 
+b022o9dksaj737fh77e7kqqtj3om56ki.test.com.     86400   IN      NSEC3   1 1 1 abcd  dafc69cv5n2tfcf6ovbvtv94drgmqjo5
+dafc69cv5n2tfcf6ovbvtv94drgmqjo5.test.com.     86400   IN      NSEC3   1 1 1 abcd  eban51bjgugorb20unp5peec7s5d2eka TXT RRSIG 
+eban51bjgugorb20unp5peec7s5d2eka.test.com.     86400   IN      NSEC3   1 1 1 abcd  h5855rvon2aasm8qv1nk49i1b2mkbejp SRV RRSIG 
+h5855rvon2aasm8qv1nk49i1b2mkbejp.test.com.     86400   IN      NSEC3   1 1 1 abcd  iai9hin25meh689r5v5gtifk8om5di0e A RRSIG 
+iai9hin25meh689r5v5gtifk8om5di0e.test.com.     86400   IN      NSEC3   1 1 1 abcd  igf4m7otecach14p0a6ingi7dbuas5b2 A RRSIG 
+igf4m7otecach14p0a6ingi7dbuas5b2.test.com.     86400   IN      NSEC3   1 1 1 abcd  o1l0fb73hi3qp4a3fnqjsleanlc883i3 A RP RRSIG 
+o1l0fb73hi3qp4a3fnqjsleanlc883i3.test.com.     86400   IN      NSEC3   1 1 1 abcd  plud9qqecuril62gcfp8br44i7eoq7c9 TXT RRSIG 
+plud9qqecuril62gcfp8br44i7eoq7c9.test.com.     86400   IN      NSEC3   1 1 1 abcd  qd81ag9inqts1ocs7api0pji94k27btr SRV RRSIG 
+qd81ag9inqts1ocs7api0pji94k27btr.test.com.     86400   IN      NSEC3   1 1 1 abcd  s6g5shc1jvovl5fl9e943adlonqln7g4 CNAME RRSIG 
+s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.     86400   IN      NSEC3   1 1 1 abcd  sa5vvpqn1coejgj3hbkfekdnii8kksqa
+sa5vvpqn1coejgj3hbkfekdnii8kksqa.test.com.     86400   IN      NSEC3   1 1 1 abcd  sra2sm4pl136bultass7qqnlblipe8am NAPTR RRSIG 
+sra2sm4pl136bultass7qqnlblipe8am.test.com.     86400   IN      NSEC3   1 1 1 abcd  u02utt5q2bhjcq986f05mbap0pgamt5o CNAME RRSIG 
+test.com.      86400   IN      NSEC3PARAM      1 0 1 abcd 
+u02utt5q2bhjcq986f05mbap0pgamt5o.test.com.     86400   IN      NSEC3   1 1 1 abcd  vlvujatanof6feajoesti9kq4s0crst3 A RRSIG 
+vlvujatanof6feajoesti9kq4s0crst3.test.com.     86400   IN      NSEC3   1 1 1 abcd  2eu2gulbu53h9uvhfalshpbo2a83t6l2

diff --git a/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow b/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow
index 1408e9b46696d759cae5cb90074855a81b828cd9..4e59952c11090c887ebeffccedd28cfe8cbcf16a 100644 (file)
--- a/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow
+++ b/regression-tests/ent-rr-enclosed-in-ent/expected_result.narrow
@@ -1,4 +1,4 @@
-1      a5labagjjevr86gh0hf3jg7nufhga5ar.test.com.      IN      NSEC3   86400   1 1 1 abcd A5LABAGJJEVR86GH0HF3JG7NUFHGA5AS A RRSIG
+1      a5labagjjevr86gh0hf3jg7nufhga5ar.test.com.      IN      NSEC3   86400   1 [flags] 1 abcd A5LABAGJJEVR86GH0HF3JG7NUFHGA5AS A RRSIG
 1      a5labagjjevr86gh0hf3jg7nufhga5ar.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      SOA     3600    ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400

diff --git a/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3 b/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3
index 9c10fb90cc438e41e281b5bcb7e5f8cf2677a5ef..3a6cf6f40b268f895655a9ee4aa082a4437ed8fb 100644 (file)
--- a/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3
+++ b/regression-tests/ent-rr-enclosed-in-ent/expected_result.nsec3
@@ -1,4 +1,4 @@
-1      a5labagjjevr86gh0hf3jg7nufhga5ar.test.com.      IN      NSEC3   86400   1 1 1 abcd AOVP95MR44HQEFRQUS6NOMSD944BM3VB A RRSIG
+1      a5labagjjevr86gh0hf3jg7nufhga5ar.test.com.      IN      NSEC3   86400   1 [flags] 1 abcd AOVP95MR44HQEFRQUS6NOMSD944BM3VB A RRSIG
 1      a5labagjjevr86gh0hf3jg7nufhga5ar.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      SOA     3600    ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400

diff --git a/regression-tests/ent-soa/command b/regression-tests/ent-soa/command
index 554149de3bb58f63a3c3cf07a474de2add8e3f01..efed782f42dfeac20e3d116a6f8e27987080186a 100755 (executable)
--- a/regression-tests/ent-soa/command
+++ b/regression-tests/ent-soa/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig c.test.com SOA dnssec
+cleandig c.test.com SOA dnssec showflags

diff --git a/regression-tests/ent-soa/expected_result.nsec3 b/regression-tests/ent-soa/expected_result.nsec3
index a9eac7b7518671d9cb91ba4598934ac02da526b9..2483433def82dfcba1aa25d4d4458bcac049c322 100644 (file)
--- a/regression-tests/ent-soa/expected_result.nsec3
+++ b/regression-tests/ent-soa/expected_result.nsec3
@@ -1,4 +1,4 @@
-1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 0 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KB
 1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      SOA     3600    ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400

diff --git a/regression-tests/ent-soa/expected_result.nsec3-optout b/regression-tests/ent-soa/expected_result.nsec3-optout
new file mode 100644 (file)
index 0000000..a9eac7b
--- /dev/null
+++ b/regression-tests/ent-soa/expected_result.nsec3-optout
@@ -0,0 +1,7 @@
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1      test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
+1      test.com.       IN      SOA     3600    ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2      .       IN      OPT     32768   
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='c.test.com.', qtype=SOA

diff --git a/regression-tests/ent-wildcard-below-ent/expected_result.narrow b/regression-tests/ent-wildcard-below-ent/expected_result.narrow
index 431d99fe42753320b8fc7cdb24e2b606b211a9d3..d5143be0387d58512e7e0f97e24cfd85d06a253e 100644 (file)
--- a/regression-tests/ent-wildcard-below-ent/expected_result.narrow
+++ b/regression-tests/ent-wildcard-below-ent/expected_result.narrow
@@ -1,6 +1,6 @@
 0      something.a.b.c.test.com.       IN      A       3600    8.7.6.5
 0      something.a.b.c.test.com.       IN      RRSIG   3600    A 8 5 3600 [expiry] [inception] [keytag] test.com. ...
-1      qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com.      IN      NSEC3   86400   1 1 1 abcd QJEIRDHB04IR4VBS5PBBHBUE69DLQ9NT
+1      qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com.      IN      NSEC3   86400   1 [flags] 1 abcd QJEIRDHB04IR4VBS5PBBHBUE69DLQ9NT
 1      qjeirdhb04ir4vbs5pbbhbue69dlq9nr.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/ent-wildcard-below-ent/expected_result.nsec3 b/regression-tests/ent-wildcard-below-ent/expected_result.nsec3
index 45bd63917417945463c7a0dbaec12c91977b86f1..84c6ef54e5b2ae4b4548c7a81c9e218fb8bd1225 100644 (file)
--- a/regression-tests/ent-wildcard-below-ent/expected_result.nsec3
+++ b/regression-tests/ent-wildcard-below-ent/expected_result.nsec3
@@ -1,6 +1,6 @@
 0      something.a.b.c.test.com.       IN      A       3600    8.7.6.5
 0      something.a.b.c.test.com.       IN      RRSIG   3600    A 8 5 3600 [expiry] [inception] [keytag] test.com. ...
-1      qd81ag9inqts1ocs7api0pji94k27btr.test.com.      IN      NSEC3   86400   1 1 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G4 CNAME RRSIG
+1      qd81ag9inqts1ocs7api0pji94k27btr.test.com.      IN      NSEC3   86400   1 [flags] 1 abcd S6G5SHC1JVOVL5FL9E943ADLONQLN7G4 CNAME RRSIG
 1      qd81ag9inqts1ocs7api0pji94k27btr.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/ent/command b/regression-tests/ent/command
index 2c9876bdf549e85ba00fa8d4684ec7a2e26ab2a6..09730d280fd02e531b4321c1970e62e55d5ea86b 100755 (executable)
--- a/regression-tests/ent/command
+++ b/regression-tests/ent/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig c.test.com A dnssec
+cleandig c.test.com A dnssec showflags

diff --git a/regression-tests/ent/expected_result.nsec3 b/regression-tests/ent/expected_result.nsec3
index a4e0734cec51a5e423627b03b016813f56e0f4ce..379fe8571fe67c06eb48635173ff9a7ab3b0e9a7 100644 (file)
--- a/regression-tests/ent/expected_result.nsec3
+++ b/regression-tests/ent/expected_result.nsec3
@@ -1,4 +1,4 @@
-1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 0 1 abcd S96H2QICBT8D9I5AA43KP8SJJRESQ4KB
 1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
 1      test.com.       IN      SOA     3600    ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400

diff --git a/regression-tests/ent/expected_result.nsec3-optout b/regression-tests/ent/expected_result.nsec3-optout
new file mode 100644 (file)
index 0000000..a4e0734
--- /dev/null
+++ b/regression-tests/ent/expected_result.nsec3-optout
@@ -0,0 +1,7 @@
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1      test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
+1      test.com.       IN      SOA     3600    ns1.test.com. ahu.example.com. 2005092501 28800 7200 604800 86400
+2      .       IN      OPT     32768   
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='c.test.com.', qtype=A

diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
index c2928f31ac290a695dbe82a73d5529b56d0f392d..7283555c9fec4fbdceceddb3dfa525f1c13021b1 100644 (file)
--- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
+++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.narrow
@@ -1,6 +1,6 @@
 0      www.a.b.c.d.e.something.wtest.com.      IN      A       3600    4.3.2.1
 0      www.a.b.c.d.e.something.wtest.com.      IN      RRSIG   3600    A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1      pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com.     IN      NSEC3   86400   1 1 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0
+1      pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd PQGJJRJ5SI55UC1208GT1HP1K217FHR0
 1      pqgjjrj5si55uc1208gt1hp1k217fhqu.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3 b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
index 8407a981ba467523b6911c17d654bbbbf2aae7da..3a4e9a1dceb89d9d362c4635807a971ad01d61aa 100644 (file)
--- a/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
+++ b/regression-tests/five-levels-wildcard-one-below-apex/expected_result.nsec3
@@ -1,6 +1,6 @@
 0      www.a.b.c.d.e.something.wtest.com.      IN      A       3600    4.3.2.1
 0      www.a.b.c.d.e.something.wtest.com.      IN      RRSIG   3600    A 8 3 3600 [expiry] [inception] [keytag] wtest.com. ...
-1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      NSEC3   86400   1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
+1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
 1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/five-levels-wildcard/expected_result.narrow b/regression-tests/five-levels-wildcard/expected_result.narrow
index 2c086cb3e212012b630cc8df6e68fec11960a3f0..2736694ec1f78aeec8fbe25e249eed62d930bb80 100644 (file)
--- a/regression-tests/five-levels-wildcard/expected_result.narrow
+++ b/regression-tests/five-levels-wildcard/expected_result.narrow
@@ -1,6 +1,6 @@
 0      www.a.b.c.d.e.wtest.com.        IN      A       3600    6.7.8.9
 0      www.a.b.c.d.e.wtest.com.        IN      RRSIG   3600    A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
-1      pet5iqbgccga60p2n38nmuanrk50papg.wtest.com.     IN      NSEC3   86400   1 1 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI
+1      pet5iqbgccga60p2n38nmuanrk50papg.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd PET5IQBGCCGA60P2N38NMUANRK50PAPI
 1      pet5iqbgccga60p2n38nmuanrk50papg.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/five-levels-wildcard/expected_result.nsec3 b/regression-tests/five-levels-wildcard/expected_result.nsec3
index 56bc239fab937f633a536fd037769db5b8c0ce19..28c063dcbe0bfcfbcd22fc256d2429a6bde0f4e1 100644 (file)
--- a/regression-tests/five-levels-wildcard/expected_result.nsec3
+++ b/regression-tests/five-levels-wildcard/expected_result.nsec3
@@ -1,6 +1,6 @@
 0      www.a.b.c.d.e.wtest.com.        IN      A       3600    6.7.8.9
 0      www.a.b.c.d.e.wtest.com.        IN      RRSIG   3600    A 8 7 3600 [expiry] [inception] [keytag] wtest.com. ...
-1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      NSEC3   86400   1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
+1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
 1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/minimal-noerror/expected_result.narrow b/regression-tests/minimal-noerror/expected_result.narrow
index c7c4ef9ecfe4b5f71fa46dd88a29de611ed5218b..f8e8714b34ae714f2b6a29923fbb48dd194b4ce8 100644 (file)
--- a/regression-tests/minimal-noerror/expected_result.narrow
+++ b/regression-tests/minimal-noerror/expected_result.narrow
@@ -1 +1 @@
-1      09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.   IN      NSEC3   86400   1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM
+1      09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.   IN      NSEC3   86400   1 [flags] 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM

diff --git a/regression-tests/minimal-noerror/expected_result.nsec3 b/regression-tests/minimal-noerror/expected_result.nsec3
index d885980b1cc4a1bd405d7ce9db39f14b03db82fe..c930bce76af2dc6f8eeb0ecdcd026ffef58b878f 100644 (file)
--- a/regression-tests/minimal-noerror/expected_result.nsec3
+++ b/regression-tests/minimal-noerror/expected_result.nsec3
@@ -1 +1 @@
-1      09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.   IN      NSEC3   86400   1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM
+1      09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.   IN      NSEC3   86400   1 [flags] 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM

diff --git a/regression-tests/minimal-nxdomain/expected_result.narrow b/regression-tests/minimal-nxdomain/expected_result.narrow
index ed29f92c1531c9acd3978a68c4a35ec13ea43246..c3dd67d07a8007821c13ffa5271e9da93f80bcee 100644 (file)
--- a/regression-tests/minimal-nxdomain/expected_result.narrow
+++ b/regression-tests/minimal-nxdomain/expected_result.narrow
@@ -1,3 +1,3 @@
-1      09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.   IN      NSEC3   86400   1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM
-1      8hki26qt36v6qs8cll4e4nvjit38uhap.minimal.com.   IN      NSEC3   86400   1 1 1 abcd 8HKI26QT36V6QS8CLL4E4NVJIT38UHAR
-1      9oadfe8c55evko75kb06spdl23p4fmrh.minimal.com.   IN      NSEC3   86400   1 1 1 abcd 9OADFE8C55EVKO75KB06SPDL23P4FMRJ
+1      09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.   IN      NSEC3   86400   1 [flags] 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9313 NS SOA RRSIG DNSKEY NSEC3PARAM
+1      8hki26qt36v6qs8cll4e4nvjit38uhap.minimal.com.   IN      NSEC3   86400   1 [flags] 1 abcd 8HKI26QT36V6QS8CLL4E4NVJIT38UHAR
+1      9oadfe8c55evko75kb06spdl23p4fmrh.minimal.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9OADFE8C55EVKO75KB06SPDL23P4FMRJ

diff --git a/regression-tests/minimal-nxdomain/expected_result.nsec3 b/regression-tests/minimal-nxdomain/expected_result.nsec3
index d885980b1cc4a1bd405d7ce9db39f14b03db82fe..c930bce76af2dc6f8eeb0ecdcd026ffef58b878f 100644 (file)
--- a/regression-tests/minimal-nxdomain/expected_result.nsec3
+++ b/regression-tests/minimal-nxdomain/expected_result.nsec3
@@ -1 +1 @@
-1      09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.   IN      NSEC3   86400   1 1 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM
+1      09lo11rs63u9b3d538a86ijvqcqt9312.minimal.com.   IN      NSEC3   86400   1 [flags] 1 abcd 09LO11RS63U9B3D538A86IJVQCQT9312 NS SOA RRSIG DNSKEY NSEC3PARAM

diff --git a/regression-tests/named.conf b/regression-tests/named.conf
index b98d6c2e739d9cc8efe9575a9d744f2d0ca0a904..4da1377575f71844b3fa3227f5f4dd4d7922fd30 100644 (file)
--- a/regression-tests/named.conf
+++ b/regression-tests/named.conf
@@ -33,6 +33,11 @@ zone "delegated.dnssec-parent.com"{
        file "./delegated.dnssec-parent.com";
 };
 
+zone "secure-delegated.dnssec-parent.com"{
+       type master;
+       file "./secure-delegated.dnssec-parent.com";
+};
+
 zone "minimal.com"{
        type master;
        file "./minimal.com";

diff --git a/regression-tests/nsec-bitmap/expected_result.narrow b/regression-tests/nsec-bitmap/expected_result.narrow
index d0460525a8837495ec3aafeedca340618caa8924..bf3f4cbf280e48aa3fb791f94d5cbcd466a802cb 100644 (file)
--- a/regression-tests/nsec-bitmap/expected_result.narrow
+++ b/regression-tests/nsec-bitmap/expected_result.narrow
@@ -1,4 +1,4 @@
-1      3v4it454kfh142bi7afagnuvigrpfptt.example.com.   IN      NSEC3   86400   1 1 1 abcd 3V4IT454KFH142BI7AFAGNUVIGRPFPTU A RRSIG TYPE65534
+1      3v4it454kfh142bi7afagnuvigrpfptt.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 3V4IT454KFH142BI7AFAGNUVIGRPFPTU A RRSIG TYPE65534
 1      3v4it454kfh142bi7afagnuvigrpfptt.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400

diff --git a/regression-tests/nsec-bitmap/expected_result.nsec3 b/regression-tests/nsec-bitmap/expected_result.nsec3
index 5bc4f6c20ede68742a55567d565b0d6b2a89c376..ae6d738ffb6955755ab7d5920f178f809b46aa1a 100644 (file)
--- a/regression-tests/nsec-bitmap/expected_result.nsec3
+++ b/regression-tests/nsec-bitmap/expected_result.nsec3
@@ -1,4 +1,4 @@
-1      3v4it454kfh142bi7afagnuvigrpfptt.example.com.   IN      NSEC3   86400   1 1 1 abcd 3V4S43RV1GT28N0F2PPJ8I8482ESMUOB A RRSIG TYPE65534
+1      3v4it454kfh142bi7afagnuvigrpfptt.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 3V4S43RV1GT28N0F2PPJ8I8482ESMUOB A RRSIG TYPE65534
 1      3v4it454kfh142bi7afagnuvigrpfptt.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400

diff --git a/regression-tests/nsec-glue-at-delegation/command b/regression-tests/nsec-glue-at-delegation/command
index b705a0b59528d306d63c6740c5bb131b159b7b45..72bbdb561944391832ab30594f35aac23bec25dc 100755 (executable)
--- a/regression-tests/nsec-glue-at-delegation/command
+++ b/regression-tests/nsec-glue-at-delegation/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig blah.test.com MX dnssec
+cleandig blah.test.com MX dnssec showflags

diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3 b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3
index c98c701371c549ba90fe186eaac80e2a361cf3bb..b018eb0f68d4a91dc494a9ed2ecf139d10ef5ce7 100644 (file)
--- a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3
+++ b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3
@@ -1,8 +1,8 @@
-1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.      IN      NSEC3   86400   1 1 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.      IN      NSEC3   86400   1 0 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 1      blah.test.com.  IN      NS      3600    blah.test.com.
-1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
-1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1      s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com.      IN      NSEC3   86400   1 0 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA NS
+1      s96h2qicbt8d9i5aa43kp8sjjresq4kb.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2      .       IN      OPT     32768   
 2      blah.test.com.  IN      A       3600    192.168.6.1
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0

diff --git a/regression-tests/nsec-glue-at-delegation/expected_result.nsec3-optout b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3-optout
new file mode 100644 (file)
index 0000000..c98c701
--- /dev/null
+++ b/regression-tests/nsec-glue-at-delegation/expected_result.nsec3-optout
@@ -0,0 +1,9 @@
+1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.      IN      NSEC3   86400   1 1 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+1      blah.test.com.  IN      NS      3600    blah.test.com.
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      NSEC3   86400   1 1 1 abcd SA5VVPQN1COEJGJ3HBKFEKDNII8KKSQA
+1      s6g5shc1jvovl5fl9e943adlonqln7g4.test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
+2      .       IN      OPT     32768   
+2      blah.test.com.  IN      A       3600    192.168.6.1
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='blah.test.com.', qtype=MX

diff --git a/regression-tests/nsec-glue/expected_result.narrow b/regression-tests/nsec-glue/expected_result.narrow
index a2bf76ad40b94353c4d9186b52cb4a68a25c07de..e462405a4830f52f12bbb9f2266ad89e7d451974 100644 (file)
--- a/regression-tests/nsec-glue/expected_result.narrow
+++ b/regression-tests/nsec-glue/expected_result.narrow
@@ -1,10 +1,10 @@
-1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
 1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com.   IN      NSEC3   86400   1 1 1 abcd KT3LL2FGP7P2S71MK7FRK5IGI8PC8GL3
+1      kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd KT3LL2FGP7P2S71MK7FRK5IGI8PC8GL3
 1      kt3ll2fgp7p2s71mk7frk5igi8pc8gl1.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/nsec-glue/expected_result.nsec3 b/regression-tests/nsec-glue/expected_result.nsec3
index 3fd9649f9e8d0ca45ceeca59d75ffefb8efdf100..5931ae0ebfcc523140185848bb1847bf577f27d4 100644 (file)
--- a/regression-tests/nsec-glue/expected_result.nsec3
+++ b/regression-tests/nsec-glue/expected_result.nsec3
@@ -1,10 +1,10 @@
-1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
 1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      kt0pu1qu9of4ek09a6amheu1l4c4dq6b.example.com.   IN      NSEC3   86400   1 1 1 abcd KT832M4L92B5MCUCJI8QJF16MM2DU3MK A RRSIG
+1      kt0pu1qu9of4ek09a6amheu1l4c4dq6b.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd KT832M4L92B5MCUCJI8QJF16MM2DU3MK A RRSIG
 1      kt0pu1qu9of4ek09a6amheu1l4c4dq6b.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/nsec-middle/expected_result.narrow b/regression-tests/nsec-middle/expected_result.narrow
index bd6a24a871d03e0f9c267495a251a0a0a20a5e75..1d1c05079afad4256702e332c72cd3bca586bbad 100644 (file)
--- a/regression-tests/nsec-middle/expected_result.narrow
+++ b/regression-tests/nsec-middle/expected_result.narrow
@@ -1,10 +1,10 @@
-1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
 1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      sthvu2kihc96kc1tu8v3curr8og5dghn.example.com.   IN      NSEC3   86400   1 1 1 abcd STHVU2KIHC96KC1TU8V3CURR8OG5DGHP
+1      sthvu2kihc96kc1tu8v3curr8og5dghn.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd STHVU2KIHC96KC1TU8V3CURR8OG5DGHP
 1      sthvu2kihc96kc1tu8v3curr8og5dghn.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/nsec-middle/expected_result.nsec3 b/regression-tests/nsec-middle/expected_result.nsec3
index 6cac84aaad5680f680b33fad5c50b7cccdfa5001..2d5e94760adc7272708cede31facfdba38a0d237 100644 (file)
--- a/regression-tests/nsec-middle/expected_result.nsec3
+++ b/regression-tests/nsec-middle/expected_result.nsec3
@@ -1,10 +1,10 @@
-1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
 1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      sthkgrndv06hbdrfe7a329lup4mctmqr.example.com.   IN      NSEC3   86400   1 1 1 abcd STKPKJBN0URUBBIM832MF33V5OGJR396 A RRSIG
+1      sthkgrndv06hbdrfe7a329lup4mctmqr.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd STKPKJBN0URUBBIM832MF33V5OGJR396 A RRSIG
 1      sthkgrndv06hbdrfe7a329lup4mctmqr.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/nsec-wildcard/expected_result.narrow b/regression-tests/nsec-wildcard/expected_result.narrow
index a9b175ee404e2df0fe9c82f0aaad59d615920546..2809aba98dcf08631e1b4150ede05d75c2f356fa 100644 (file)
--- a/regression-tests/nsec-wildcard/expected_result.narrow
+++ b/regression-tests/nsec-wildcard/expected_result.narrow
@@ -1,8 +1,8 @@
-1      368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com.     IN      NSEC3   86400   1 1 1 abcd 368R0S1Q794JMKDRCPF6F85V316HD9AM
+1      368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd 368R0S1Q794JMKDRCPF6F85V316HD9AM
 1      368r0s1q794jmkdrcpf6f85v316hd9ak.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
-1      54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.     IN      NSEC3   86400   1 1 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
+1      54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd 54NJS65S8U96TKFFRFT6L7J1T1556VIL TXT RRSIG
 1      54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
-1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      NSEC3   86400   1 1 1 abcd PD15QDSJJBFOSU5FG2OQRNLB8R8OIFL7 A RRSIG
+1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd PD15QDSJJBFOSU5FG2OQRNLB8R8OIFL7 A RRSIG
 1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1      wtest.com.      IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ...
 1      wtest.com.      IN      SOA     3600    ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400

diff --git a/regression-tests/nsec-wildcard/expected_result.nsec3 b/regression-tests/nsec-wildcard/expected_result.nsec3
index 3456f60769c88955f22db9fec236bd947874996c..0eab68eae600ae708f6afa0a1440e5f3f4a13770 100644 (file)
--- a/regression-tests/nsec-wildcard/expected_result.nsec3
+++ b/regression-tests/nsec-wildcard/expected_result.nsec3
@@ -1,8 +1,8 @@
-1      2uspqp0ldid6481h33c7lakfkk2g2rdq.wtest.com.     IN      NSEC3   86400   1 1 1 abcd 44PRS96U2Q7MTAV4DNQMOSMSSI0K7630 A RRSIG
+1      2uspqp0ldid6481h33c7lakfkk2g2rdq.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd 44PRS96U2Q7MTAV4DNQMOSMSSI0K7630 A RRSIG
 1      2uspqp0ldid6481h33c7lakfkk2g2rdq.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
-1      54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.     IN      NSEC3   86400   1 1 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
+1      54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd 67I2ESLUBOJ7DPG4263L3T8DV19G6D0G TXT RRSIG
 1      54njs65s8u96tkffrft6l7j1t1556vik.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
-1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      NSEC3   86400   1 1 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
+1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      NSEC3   86400   1 [flags] 1 abcd SHEGK154N8362AG22AR9VDDRF3127M6I A RRSIG
 1      pd15qdsjjbfosu5fg2oqrnlb8r8oifl6.wtest.com.     IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] wtest.com. ...
 1      wtest.com.      IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] wtest.com. ...
 1      wtest.com.      IN      SOA     3600    ns1.wtest.com. ahu.example.com. 2005092501 28800 7200 604800 86400

diff --git a/regression-tests/nsec-wraparound/expected_result.nsec3 b/regression-tests/nsec-wraparound/expected_result.nsec3
index a20b5458d212e90c2a801bfbcfa392b64c93c5e8..f54d2fb1236183d3cdcd31c3887b91d1a8813117 100644 (file)
--- a/regression-tests/nsec-wraparound/expected_result.nsec3
+++ b/regression-tests/nsec-wraparound/expected_result.nsec3
@@ -1,10 +1,10 @@
-1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
 1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      gnk5kv3h2h1h8ge405j6093608ukp3i5.example.com.   IN      NSEC3   86400   1 1 1 abcd GNO4LESKG6U7HKEJ9UL71SF1HD7F1P96 A RRSIG
+1      gnk5kv3h2h1h8ge405j6093608ukp3i5.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd GNO4LESKG6U7HKEJ9UL71SF1HD7F1P96 A RRSIG
 1      gnk5kv3h2h1h8ge405j6093608ukp3i5.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow b/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow
index 24164544dbf1b47ae00842af1d329523668bb07d..499548c1bca413ae2d55092da81a92af4ebd5ffb 100644 (file)
--- a/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow
+++ b/regression-tests/nsec-wrong-type-at-apex/expected_result.narrow
@@ -1,6 +1,6 @@
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3 b/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3
index c85202e45d29ae30f02a82b62ffd40c212155282..06d27ca002c2a8eecd3ac98dfff7ca8d05ac2dd0 100644 (file)
--- a/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3
+++ b/regression-tests/nsec-wrong-type-at-apex/expected_result.nsec3
@@ -1,6 +1,6 @@
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/nsec-wrong-type/expected_result.narrow b/regression-tests/nsec-wrong-type/expected_result.narrow
index 3c8df4eb83933f29348d5d93d5c7a83dde077093..a736114f35a201bb8143fa26e6a7c3579afb596a 100644 (file)
--- a/regression-tests/nsec-wrong-type/expected_result.narrow
+++ b/regression-tests/nsec-wrong-type/expected_result.narrow
@@ -1,4 +1,4 @@
-1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
+1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
 1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400

diff --git a/regression-tests/nsec-wrong-type/expected_result.nsec3 b/regression-tests/nsec-wrong-type/expected_result.nsec3
index 8d051e85fb0f5bc2193576b5a84bd2ab9ee24b05..6100512ae9bf23d09abc565c6b54e4f26ad1eb2a 100644 (file)
--- a/regression-tests/nsec-wrong-type/expected_result.nsec3
+++ b/regression-tests/nsec-wrong-type/expected_result.nsec3
@@ -1,4 +1,4 @@
-1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
+1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
 1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400

diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow
index eedcaaffb2ce0d3911717582af39cddcd4e0ccfe..155155a2a3a811c20507fcd15240c59efb78fe04 100644 (file)
--- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow
+++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.narrow
@@ -1,10 +1,10 @@
-1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
+1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
 1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com.   IN      NSEC3   86400   1 1 1 abcd SDGBAFMJEK5V4T8C89Q9U0N03QMCSLOT
+1      sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd SDGBAFMJEK5V4T8C89Q9U0N03QMCSLOT
 1      sdgbafmjek5v4t8c89q9u0n03qmcslor.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.   IN      NSEC3   86400   1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR
+1      tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR
 1      tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3 b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3
index 9d7140b23e8697a27cecf8fb497aacb8d8e93530..81a1ae2fbba6474bd58f2bb9fde08346a57e5c4e 100644 (file)
--- a/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3
+++ b/regression-tests/nxdomain-below-nonempty-terminal/expected_result.nsec3
@@ -1,10 +1,10 @@
-1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
+1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
 1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      sdeu4ba3b451gf8ijikm2tphu3bugl4g.example.com.   IN      NSEC3   86400   1 1 1 abcd SDH8FVJ6LQLSVCQCO8QP82I6JTR574H2 A RRSIG
+1      sdeu4ba3b451gf8ijikm2tphu3bugl4g.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd SDH8FVJ6LQLSVCQCO8QP82I6JTR574H2 A RRSIG
 1      sdeu4ba3b451gf8ijikm2tphu3bugl4g.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.   IN      NSEC3   86400   1 1 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG
+1      tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG
 1      tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/second-level-nxdomain/expected_result.narrow b/regression-tests/second-level-nxdomain/expected_result.narrow
index 1145e1d9035516502cde969bc48461f8298ec3d5..f15b5e6eee5478311d91380ccb3381ba80c9a084 100644 (file)
--- a/regression-tests/second-level-nxdomain/expected_result.narrow
+++ b/regression-tests/second-level-nxdomain/expected_result.narrow
@@ -1,10 +1,10 @@
-1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 1 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
+1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 5UVGFM2VJCJE09SVS7LFB22I1UUQJF99 A RRSIG
 1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com.   IN      NSEC3   86400   1 1 1 abcd K6TA8MHI455HK3JSKN0B2ST81J6FA1L2
+1      k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd K6TA8MHI455HK3JSKN0B2ST81J6FA1L2
 1      k6ta8mhi455hk3jskn0b2st81j6fa1l0.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.   IN      NSEC3   86400   1 1 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR
+1      tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd TSDP8HAJLFGR90CV4IB634G1M25NC5UR
 1      tsdp8hajlfgr90cv4ib634g1m25nc5up.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/second-level-nxdomain/expected_result.nsec3 b/regression-tests/second-level-nxdomain/expected_result.nsec3
index d8b6253b3d9a0ae867ad117029c1634aa6d23e95..091a488a8669bce7ee4f351ad192ed106e2c8259 100644 (file)
--- a/regression-tests/second-level-nxdomain/expected_result.nsec3
+++ b/regression-tests/second-level-nxdomain/expected_result.nsec3
@@ -1,10 +1,10 @@
-1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 1 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
+1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 5V0S7HPRC5IAFH3C3RO0HHNH543D3UIU A RRSIG
 1      5uvgfm2vjcje09svs7lfb22i1uuqjf98.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      k6r6482mfo4upme9n407c2grb6opp1ip.example.com.   IN      NSEC3   86400   1 1 1 abcd K6TDMVV7BP54FEFUIVR0BVABIBUN0AV9 A RRSIG
+1      k6r6482mfo4upme9n407c2grb6opp1ip.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd K6TDMVV7BP54FEFUIVR0BVABIBUN0AV9 A RRSIG
 1      k6r6482mfo4upme9n407c2grb6opp1ip.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.   IN      NSEC3   86400   1 1 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG
+1      tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd TSIKPRKTT53V9ILUK08SMR9KADQ44TR1 A RRSIG
 1      tsbl3ev9tces1kjgto3qtn36ltlu0te1.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/secure-delegated.dnssec-parent.com b/regression-tests/secure-delegated.dnssec-parent.com
new file mode 100644 (file)
index 0000000..004c5b9
--- /dev/null
+++ b/regression-tests/secure-delegated.dnssec-parent.com
@@ -0,0 +1,16 @@
+$TTL 3600
+$ORIGIN secure-delegated.dnssec-parent.com.
+@              IN      SOA     ns1.secure-delegated.dnssec-parent.com. ahu.example.com. (  2005092501
+                       8H ; refresh
+                       2H ; retry
+                       1W ; expire
+                       1D ; default_ttl
+                       )
+
+@                      IN      NS      ns1
+@                      IN      NS      ns2
+@                      IN      A       9.9.9.9
+ns1                    IN      A       1.2.3.4
+ns2                    IN      A       5.6.7.8
+www                    IN      CNAME   @
+

diff --git a/regression-tests/secure-delegated.dnssec-parent.com.key b/regression-tests/secure-delegated.dnssec-parent.com.key
new file mode 100644 (file)
index 0000000..0a98e66
--- /dev/null
+++ b/regression-tests/secure-delegated.dnssec-parent.com.key
@@ -0,0 +1,11 @@
+Private-key-format: v1.2
+Algorithm: 8 (RSASHA256)
+Modulus: l31HtJZYaoDXagbsuz6HdvT8gDIyP8+qf9m4pYz852nFP9yfbHAsOGR2ao/+lSoDO/IU/J3iROquYt9uiEHADv7TukFVrip/+PGUeK90w1QPvYf51RioGWaEILqXd4b7wVmLa2R3CfyRShr2TIsy2sRoWc53+hRBuY28gOn7xVa/VxKdEnxRcp1cuXSyam8LuHUrYBSILmgYhhBMJhbBhEzXAJtv6rV9sUJ2Rsjs5Bb+Hs+PfR4uki7PRsmPi90pddkcrxyVJ1MwAWbqtCw0MjTDtB0KBoOZOfdvpMXZQmLh4OeHu4NtKlR3WYjldY3DgLpatSZ5sUt+KvLq+p2Ihw==
+PublicExponent: AQAB
+PrivateExponent: DZWxeXNGCH73Uk2+qufnk/ZSMljOAsTnoEFw+n+TKllk094/+aRxgrkXmWTCSrQSyCxkT2cFJHL7Imiw680hoPafHAPB4DV1dmiLjOsHCIEgTDnGYKKuaGC2Fo1FCfXz25nhE8dVmXKpwMB8N87/x3h3dx45yhZI8o/QSKsy5bZGqLISiYqiAlOs0Gqxdqt6t+r7akxeVcs8xitMtKgvf5bmgulJZQlqT5aL32yzTZud7Miy71vmlPGwWlWwzZxW7o2sVIWRptimGPflpmV/SRdD16SlLBUkvzUctchkT95kqXDqdgBchl2ff/UKyg5GuUeuwrAA0lwlOoPthvMfcQ==
+Prime1: 8qckzuOEAmauNtQBDShkOPjE8mH7f84K47TcDNb6Ye6X+xNyeqJQ/ceFuSWUOQJogIjAmfCRQxh7TiP/31EsW4fbr8K2bKq/mUR3xBKU7O2o2aR2hDUv/WiVKHusPgpNwYJouK5NJKw4lM9/1cis/DwINi007wJZ8wkYTyjVIuk=
+Prime2: n9JwmtfuLc/3X+nqkY2e6LqmA+GTXTk4+8epTCk3+8GClj07PWdI3iHkUH5EkfqOwYWQ0pyWaxylYNBIs8m7+cFbx94ShB42l2h45zISZEviVuuxSj1tiLk25WrTu4dq30xZcFtHVeu9+efLsl3FWG2q9B7B3YSa4LK5+wvRye8=
+Exponent1: tF19RLNlCovcbzDC307owFhZvHkMgoFbIsrqzjh1wJmjKqPX8kP4w8qtIWRHeuDJYNFFqKdismbeMMUdipdBy39+0nR/OOLqrDhydbICNOKrIavX1IncdBZq2L6k1zC9f1s6EByvhtTk8egS84vI2WyeBfcwY4Bx7+8QvLZzRxE=
+Exponent2: kr24UCPEd2HEQtdWXTAH4K1HMrcSA/0/OcXXxqrt0QSarvEnjDhh6jp6FAHrWZERM9Q75XSKk2wo2BxFNHYcVrPXXkqi+5V2EEyG/de2lUorVh1vmbeO84MDSV9tanhqgv3p/MSCWfxqYKMYHvwD7y46UYxP+eEAByFyq3Ltuxc=
+Coefficient: C/xjNwvVWlrWX/NCxT80eW09sWsqvxUlwsMlGK4irzRVSBz2u+/0qkNHoWAjaHlllHAjJAmkKoHgRdl7blxn2C5EOuCtTQJvKO0xcyZgtaCyJpKOwHE3kKv+TIErBPHYxPk0exkyEf4s9REhKlYdV8p92AZWLVwGOMRfAPNuryY=
+

diff --git a/regression-tests/secure-delegation-ds-ns/command b/regression-tests/secure-delegation-ds-ns/command
new file mode 100755 (executable)
index 0000000..aab6774
--- /dev/null
+++ b/regression-tests/secure-delegation-ds-ns/command
@@ -0,0 +1,2 @@
+#!/bin/sh
+cleandig www.dsdelegation.example.com A dnssec

diff --git a/regression-tests/secure-delegation-ds-ns/description b/regression-tests/secure-delegation-ds-ns/description
new file mode 100644 (file)
index 0000000..3ce51e8
--- /dev/null
+++ b/regression-tests/secure-delegation-ds-ns/description
@@ -0,0 +1,4 @@
+This test checks the DS/NS response for a secure referral.
+It was written specifically to verify that we do not sign NS records
+at secure delegations.
+

diff --git a/regression-tests/secure-delegation-ds-ns/expected_result b/regression-tests/secure-delegation-ds-ns/expected_result
new file mode 100644 (file)
index 0000000..4461cab
--- /dev/null
+++ b/regression-tests/secure-delegation-ds-ns/expected_result
@@ -0,0 +1,4 @@
+1      dsdelegation.example.com.       IN      NS      120     ns.example.com.
+2      .       IN      OPT     32768   
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='www.dsdelegation.example.com.', qtype=A

diff --git a/regression-tests/secure-delegation-ds-ns/expected_result.dnssec b/regression-tests/secure-delegation-ds-ns/expected_result.dnssec
new file mode 100644 (file)
index 0000000..a6a5e61
--- /dev/null
+++ b/regression-tests/secure-delegation-ds-ns/expected_result.dnssec
@@ -0,0 +1,6 @@
+1      dsdelegation.example.com.       IN      DS      120     28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
+1      dsdelegation.example.com.       IN      NS      120     ns.example.com.
+1      dsdelegation.example.com.       IN      RRSIG   120     DS 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2      .       IN      OPT     32768   
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='www.dsdelegation.example.com.', qtype=A

diff --git a/regression-tests/secure-delegation/command b/regression-tests/secure-delegation/command
index aab67748129510a0161e6106f00df2a2bc4bd9f8..d244966c8bc56a28d28800f882f8f5d3b52d6457 100755 (executable)
--- a/regression-tests/secure-delegation/command
+++ b/regression-tests/secure-delegation/command
@@ -1,2 +1,2 @@
 #!/bin/sh
-cleandig www.dsdelegation.example.com A dnssec
+cleandig secure-delegated.dnssec-parent.com A dnssec

diff --git a/regression-tests/secure-delegation/description b/regression-tests/secure-delegation/description
index 3ce51e86e86aa669f9f78a3d9c176544ce052169..3174f5dd07bce2026939ce4e51ec033d21a64f87 100644 (file)
--- a/regression-tests/secure-delegation/description
+++ b/regression-tests/secure-delegation/description
@@ -1,4 +1,2 @@
-This test checks the DS/NS response for a secure referral.
-It was written specifically to verify that we do not sign NS records
-at secure delegations.
+This test checks a secure delegations.
 

diff --git a/regression-tests/secure-delegation/expected_result b/regression-tests/secure-delegation/expected_result
index 4461cabf62ad0af49573ea791ba93712bed361b8..e488ce73d58ed5c13b130ccd34e57eec0261f78f 100644 (file)
--- a/regression-tests/secure-delegation/expected_result
+++ b/regression-tests/secure-delegation/expected_result
@@ -1,4 +1,4 @@
-1      dsdelegation.example.com.       IN      NS      120     ns.example.com.
+0      secure-delegated.dnssec-parent.com.     IN      A       3600    9.9.9.9
 2      .       IN      OPT     32768   
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
-Reply to question for qname='www.dsdelegation.example.com.', qtype=A
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=A

diff --git a/regression-tests/secure-delegation/expected_result.dnssec b/regression-tests/secure-delegation/expected_result.dnssec
index a6a5e61ca263af31f9c0ef92d3cb5cfa011d9eea..c371d59321901b0a0b5e2013db14c12151d0660d 100644 (file)
--- a/regression-tests/secure-delegation/expected_result.dnssec
+++ b/regression-tests/secure-delegation/expected_result.dnssec
@@ -1,6 +1,5 @@
-1      dsdelegation.example.com.       IN      DS      120     28129 8 1 caf1eaaecdabe7616670788f9022454bf5fd9fda
-1      dsdelegation.example.com.       IN      NS      120     ns.example.com.
-1      dsdelegation.example.com.       IN      RRSIG   120     DS 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0      secure-delegated.dnssec-parent.com.     IN      A       3600    9.9.9.9
+0      secure-delegated.dnssec-parent.com.     IN      RRSIG   3600    A 8 3 3600 [expiry] [inception] [keytag] secure-delegated.dnssec-parent.com. ...
 2      .       IN      OPT     32768   
-Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 0, opcode: 0
-Reply to question for qname='www.dsdelegation.example.com.', qtype=A
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='secure-delegated.dnssec-parent.com.', qtype=A

diff --git a/regression-tests/space-name/expected_result.narrow b/regression-tests/space-name/expected_result.narrow
index 6d1bdb6935d80c60b65023faaa3e4c469d9bfbae..949e28cb070a1f94af16356f63543983b51cb663 100644 (file)
--- a/regression-tests/space-name/expected_result.narrow
+++ b/regression-tests/space-name/expected_result.narrow
@@ -1,10 +1,10 @@
-1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
 1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      gl4qf9db2fkivonidgs9954bhkhpvviq.example.com.   IN      NSEC3   86400   1 1 1 abcd GL4QF9DB2FKIVONIDGS9954BHKHPVVIS
+1      gl4qf9db2fkivonidgs9954bhkhpvviq.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd GL4QF9DB2FKIVONIDGS9954BHKHPVVIS
 1      gl4qf9db2fkivonidgs9954bhkhpvviq.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/space-name/expected_result.nsec3 b/regression-tests/space-name/expected_result.nsec3
index 180b5ed4b2db31c65bc13cec4bce30c8c97de2b6..a5fe489886a86237320fd4a1ca345e6681884fe1 100644 (file)
--- a/regression-tests/space-name/expected_result.nsec3
+++ b/regression-tests/space-name/expected_result.nsec3
@@ -1,10 +1,10 @@
-1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
 1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      gl3vilecelbsri6t44urj9lp6m5853mq.example.com.   IN      NSEC3   86400   1 1 1 abcd GL5I9VH027O95O1M3UTE1A8KR1TJ253D A RRSIG
+1      gl3vilecelbsri6t44urj9lp6m5853mq.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd GL5I9VH027O95O1M3UTE1A8KR1TJ253D A RRSIG
 1      gl3vilecelbsri6t44urj9lp6m5853mq.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/start-test-stop b/regression-tests/start-test-stop
index 7e4cef396d0a66744827d766069a3e237c1843fc..92c60f0ba478dd5195bb0b4d44eeef1d52d14df8 100755 (executable)
--- a/regression-tests/start-test-stop
+++ b/regression-tests/start-test-stop
@@ -21,6 +21,27 @@ bindwait ()
        done
 }
 
+securezone ()
+{
+       local zone=$1
+       local configname=$2
+       if [ -n "$configname" ]
+       then
+               configname="--config-name=$configname"
+       fi
+       if [ "${zone: 0:16}" = "secure-delegated" ]
+       then
+               ../pdns/pdnssec --config-dir=. $configname import-zone-key $zone $zone.key ksk 2>&1
+               ../pdns/pdnssec --config-dir=. $configname add-zone-key $zone 1024 zsk 2>&1
+               keyid=`../pdns/pdnssec --config-dir=. $configname show-zone $zone | grep ZSK | cut -d' ' -f3`
+               ../pdns/pdnssec --config-dir=. $configname activate-zone-key $zone $keyid 2>&1
+               ../pdns/pdnssec --config-dir=. $configname add-zone-key $zone 1024 zsk 2>&1
+               ../pdns/pdnssec --config-dir=. $configname rectify-zone $zone 2>&1
+       else
+               ../pdns/pdnssec --config-dir=. $configname secure-zone $zone 2>&1
+       fi
+}
+
 port=$1
 [ -z "$port" ] && port=5300
 context=$2
@@ -37,8 +58,8 @@ then
 Usage: ./start-test-stop <port> [<context>] [wait]
 
 context is one of:
-bind bind-dnssec bind-dnssec-nsec3 bind-dnssec-nsec3-narrow
-gmysql-nodnssec gmysql gmysql-nsec3 gmysql-nsec3-narrow
+bind bind-dnssec bind-dnssec-nsec3 bind-dnssec-nsec3-optout bind-dnssec-nsec3-narrow
+gmysql-nodnssec gmysql gmysql-nsec3 gmysql-nsec3-optout gmysql-nsec3-narrow
 gpgsql-nodnssec gpgsql gpgsql-nsec3
 gsqlite3-nodnssec gsqlite3 gsqlite3-nsec3
 opendbx-sqlite3
@@ -71,6 +92,14 @@ then
        context=${context%-presigned}
 fi
 
+optout=0
+
+if [ "${context: -13}" = "-nsec3-optout" ]
+then
+       optout=1
+fi
+
+
 case $context in
                bind)
                        $RUNWRAPPER ../pdns/pdns_server --daemon=no --local-port=$port --socket-dir=./  \
@@ -81,13 +110,15 @@ case $context in
                        bindwait
                        ;;
 
-               bind-dnssec | bind-dnssec-nsec3 | bind-dnssec-nsec3-narrow)
-                       ./bind-dnssec-setup
+               bind-dnssec | bind-dnssec-nsec3 | bind-dnssec-nsec3-optout | bind-dnssec-nsec3-narrow)
+                       rm -f dnssec.sqlite3
+                       ../pdns/pdnssec --config-dir=. create-bind-db dnssec.sqlite3
                        for zone in $(grep zone named.conf  | cut -f2 -d\")
                        do
-                               if [ $context = bind-dnssec-nsec3 ]
+                               securezone $zone
+                               if [ $context = bind-dnssec-nsec3 ] || [ $context = bind-dnssec-nsec3-optout ]
                                then
-                                       ../pdns/pdnssec --config-dir=. set-nsec3 $zone '1 1 1 abcd' 2>&1
+                                       ../pdns/pdnssec --config-dir=. set-nsec3 $zone "1 $optout 1 abcd" 2>&1
                                elif [ $context = bind-dnssec-nsec3-narrow ]
                                then
                                        ../pdns/pdnssec --config-dir=. set-nsec3 $zone '1 1 1 abcd' narrow 2>&1
@@ -98,6 +129,10 @@ case $context in
                        then
                                extracontexts="bind dnssec nsec3"
                                skipreasons="nsec3"
+                       elif [ $context = bind-dnssec-nsec3-optout ]
+                       then
+                               extracontexts="bind dnssec nsec3 nsec3-optout"
+                               skipreasons="optout"
                        elif [ $context = bind-dnssec-nsec3-narrow ]
                        then
                                extracontexts="bind dnssec narrow"
@@ -186,7 +221,7 @@ __EOF__
                        skipreasons="nodnssec noent"
                        ;;
 
-               gmysql | gmysql-nsec3 | gmysql-nsec3-narrow)
+               gmysql | gmysql-nsec3 | gmysql-nsec3-optout |gmysql-nsec3-narrow)
                        [ -z "$GMYSQLDB" ] && GMYSQLDB=pdnstest
                        [ -z "$GMYSQLUSER" ] && GMYSQLUSER=root
                        [ -z "$GMYSQLHOST" ] && GMYSQLHOST=localhost
@@ -213,10 +248,10 @@ gmysql-dnssec
 __EOF__
                        for zone in $(grep zone named.conf  | cut -f2 -d\")
                        do
-                               ../pdns/pdnssec --config-dir=. --config-name=gmysql     secure-zone $zone 2>&1
-                               if [ $context = gmysql-nsec3 ]
+                               securezone $zone gmysql
+                               if [ $context = gmysql-nsec3 ] || [ $context = gmysql-nsec3-optout ]
                                then
-                                       ../pdns/pdnssec --config-dir=. --config-name=gmysql set-nsec3 $zone '1 1 1 abcd' 2>&1
+                                       ../pdns/pdnssec --config-dir=. --config-name=gmysql set-nsec3 $zone "1 $optout 1 abcd" 2>&1
                                        ../pdns/pdnssec --config-dir=. --config-name=gmysql rectify-zone $zone 2>&1
                                elif [ $context = gmysql-nsec3-narrow ]
                                then
@@ -239,6 +274,10 @@ __EOF__
                        then
                                extracontexts="dnssec nsec3"
                                skipreasons="nsec3"
+                       elif [ $context = gmysql-nsec3-optout ]
+                       then
+                               extracontexts="dnssec nsec3 nsec3-optout"
+                               skipreasons="optout"
                        elif [ $context = gmysql-nsec3-narrow ]
                        then
                                extracontexts="dnssec narrow"
@@ -248,7 +287,7 @@ __EOF__
                        fi
 
                        ;;      
-               gpgsql | gpgsql-nsec3)
+               gpgsql | gpgsql-nsec3 | gpgsql-nsec3-optout)
                        [ -z "$GPGSQLDB" ] && GPGSQLDB=pdnstest
                        [ -z "$GPGSQLUSER" ] && GPGSQLUSER=$(whoami)
 
@@ -267,10 +306,10 @@ gpgsql-dnssec
 __EOF__
                        for zone in $(grep zone named.conf  | cut -f2 -d\")
                        do
-                               ../pdns/pdnssec --config-dir=. --config-name=gpgsql secure-zone $zone 2>&1
-                               if [ $context = gpgsql-nsec3 ]
+                               securezone $zone gpgsql
+                               if [ $context = gpgsql-nsec3 ] || [ $context = gpgsql-nsec3-optout ]
                                then
-                                       ../pdns/pdnssec --config-dir=. --config-name=gpgsql set-nsec3 $zone '1 1 1 abcd' 2>&1
+                                       ../pdns/pdnssec --config-dir=. --config-name=gpgsql set-nsec3 $zone "1 $optout 1 abcd" 2>&1
                                        ../pdns/pdnssec --config-dir=. --config-name=gpgsql rectify-zone $zone 2>&1
                                fi
                        done
@@ -284,6 +323,9 @@ __EOF__
                        if [ $context = gpgsql-nsec3 ]
                        then
                                extracontexts="dnssec nsec3"
+                       elif [ $context = gpgsql-nsec3-optout ]
+                       then
+                               extracontexts="dnssec nsec3 nsec3-optout"
                        elif [ $context = gpgsql-nsec3-narrow ]
                        then
                                extracontexts="dnssec narrow"
@@ -363,7 +405,7 @@ __EOF__
                        skipreasons="nodnssec noent"
 
                        ;;                                                                      
-               gsqlite3 | gsqlite3-nsec3)
+               gsqlite3 | gsqlite3-nsec3 | gsqlite3-nsec3-optout)
                        rm -f pdns.sqlite3
                        sqlite3 pdns.sqlite3 < ../pdns/no-dnssec.schema.sqlite3.sql
                        sqlite3 pdns.sqlite3 < ../pdns/dnssec.schema.sqlite3.sql
@@ -377,10 +419,10 @@ gsqlite3-dnssec
 __EOF__
                        for zone in $(grep zone named.conf  | cut -f2 -d\")
                        do
-                               ../pdns/pdnssec --config-dir=. --config-name=gsqlite3   secure-zone $zone 2>&1
-                               if [ $context = gsqlite3-nsec3 ]
+                               securezone $zone gsqlite3
+                               if [ $context = gsqlite3-nsec3 ] || [ $context = gsqlite3-nsec3-optout ]
                                then
-                                       ../pdns/pdnssec --config-dir=. --config-name=gsqlite3 set-nsec3 $zone '1 1 1 abcd' 2>&1
+                                       ../pdns/pdnssec --config-dir=. --config-name=gsqlite3 set-nsec3 $zone "1 $optout 1 abcd" 2>&1
                                        ../pdns/pdnssec --config-dir=. --config-name=gsqlite3 rectify-zone $zone 2>&1
                                fi
                        done
@@ -393,6 +435,9 @@ __EOF__
                        if [ $context = gsqlite3-nsec3 ]
                        then
                                extracontexts="dnssec nsec3"
+                       elif [ $context = gsqlite3-nsec3-optout ]
+                       then
+                               extracontexts="dnssec nsec3 nsec3-optout"
                        else
                                extracontexts="dnssec"
                        fi

diff --git a/regression-tests/two-level-nxdomain/expected_result.narrow b/regression-tests/two-level-nxdomain/expected_result.narrow
index 1f16385a957875f0acb0d18498e16b5d312d8083..269776acf60d1778406ecb2c1ac6a6cad66cb4e6 100644 (file)
--- a/regression-tests/two-level-nxdomain/expected_result.narrow
+++ b/regression-tests/two-level-nxdomain/expected_result.narrow
@@ -1,10 +1,10 @@
-1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
 1      9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com.   IN      NSEC3   86400   1 1 1 abcd ECTNLIQSTQSJNNRPUHJJ5H0J3C3ODKK5
+1      ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd ECTNLIQSTQSJNNRPUHJJ5H0J3C3ODKK5
 1      ectnliqstqsjnnrpuhjj5h0j3c3odkk3.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/two-level-nxdomain/expected_result.nsec3 b/regression-tests/two-level-nxdomain/expected_result.nsec3
index f1d66fdb96357c211604a9b71a226eba3938deba..2c7e464af6ee5acaa813873cf6263a8f429e7558 100644 (file)
--- a/regression-tests/two-level-nxdomain/expected_result.nsec3
+++ b/regression-tests/two-level-nxdomain/expected_result.nsec3
@@ -1,10 +1,10 @@
-1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
 1      9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
-1      ecskkg9s6f7lap5qjrnns1bf8pjunshj.example.com.   IN      NSEC3   86400   1 1 1 abcd ECTPI4N8UNDE9GNVKHG28NJR512JBD4O A RRSIG
+1      ecskkg9s6f7lap5qjrnns1bf8pjunshj.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd ECTPI4N8UNDE9GNVKHG28NJR512JBD4O A RRSIG
 1      ecskkg9s6f7lap5qjrnns1bf8pjunshj.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      RRSIG   86400   SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
 1      example.com.    IN      SOA     86400   ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      NSEC3   86400   1 [flags] 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com.   IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/underscore-sorting/expected_result.narrow b/regression-tests/underscore-sorting/expected_result.narrow
index 8e1056a8ff34e180a6caf542c13b730cef3e47bf..27071b728665379e327e6b214ef537f1e7635d1f 100644 (file)
--- a/regression-tests/underscore-sorting/expected_result.narrow
+++ b/regression-tests/underscore-sorting/expected_result.narrow
@@ -1,3 +1,3 @@
-1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.      IN      NSEC3   86400   1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1      npce7etkesd3umcst08psfape1cnno5o.test.com.      IN      NSEC3   86400   1 1 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q
-1      nqf0papl2qmp38upr87f930kmebc0o0n.test.com.      IN      NSEC3   86400   1 1 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P
+1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.      IN      NSEC3   86400   1 [flags] 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      npce7etkesd3umcst08psfape1cnno5o.test.com.      IN      NSEC3   86400   1 [flags] 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q
+1      nqf0papl2qmp38upr87f930kmebc0o0n.test.com.      IN      NSEC3   86400   1 [flags] 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P

diff --git a/regression-tests/underscore-sorting/expected_result.nsec3 b/regression-tests/underscore-sorting/expected_result.nsec3
index 3f413032cde8442546e2973c5a27c05f9de71d1f..27092d57f7a655513b9b08da0705a0f553108d00 100644 (file)
--- a/regression-tests/underscore-sorting/expected_result.nsec3
+++ b/regression-tests/underscore-sorting/expected_result.nsec3
@@ -1,2 +1,2 @@
-1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.      IN      NSEC3   86400   1 1 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
-1      igf4m7otecach14p0a6ingi7dbuas5b2.test.com.      IN      NSEC3   86400   1 1 1 abcd O1L0FB73HI3QP4A3FNQJSLEANLC883I3 A RP RRSIG
+1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.test.com.      IN      NSEC3   86400   1 [flags] 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      igf4m7otecach14p0a6ingi7dbuas5b2.test.com.      IN      NSEC3   86400   1 [flags] 1 abcd O1L0FB73HI3QP4A3FNQJSLEANLC883I3 A RP RRSIG

diff --git a/regression-tests/uppercase-nsec/expected_result.narrow b/regression-tests/uppercase-nsec/expected_result.narrow
index 0733f6a5ed96367f6401383d872b1a9903b2eef8..34813f9a0561fd1c559c733ffebffb0a5199fb65 100644 (file)
--- a/regression-tests/uppercase-nsec/expected_result.narrow
+++ b/regression-tests/uppercase-nsec/expected_result.narrow
@@ -1,10 +1,10 @@
-1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com.      IN      NSEC3   86400   1 1 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com.      IN      NSEC3   86400   1 [flags] 1 abcd 2EU2GULBU53H9UVHFALSHPBO2A83T6L3 NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 1      Test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
 1      Test.com.       IN      SOA     3600    ns1.Test.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1      npce7etkesd3umcst08psfape1cnno5o.Test.com.      IN      NSEC3   86400   1 1 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q
+1      npce7etkesd3umcst08psfape1cnno5o.Test.com.      IN      NSEC3   86400   1 [flags] 1 abcd NPCE7ETKESD3UMCST08PSFAPE1CNNO5Q
 1      npce7etkesd3umcst08psfape1cnno5o.Test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
-1      nqf0papl2qmp38upr87f930kmebc0o0n.Test.com.      IN      NSEC3   86400   1 1 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P
+1      nqf0papl2qmp38upr87f930kmebc0o0n.Test.com.      IN      NSEC3   86400   1 [flags] 1 abcd NQF0PAPL2QMP38UPR87F930KMEBC0O0P
 1      nqf0papl2qmp38upr87f930kmebc0o0n.Test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/uppercase-nsec/expected_result.nsec3 b/regression-tests/uppercase-nsec/expected_result.nsec3
index 70c5e021e922a13446afe8ebb61a1c3ebff2d5e7..cfacf4041286fa5e4b19cdcd9fa78be03889385d 100644 (file)
--- a/regression-tests/uppercase-nsec/expected_result.nsec3
+++ b/regression-tests/uppercase-nsec/expected_result.nsec3
@@ -1,8 +1,8 @@
-1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com.      IN      NSEC3   86400   1 1 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com.      IN      NSEC3   86400   1 [flags] 1 abcd 2GKS2N3JPQF62QOHAVFQ1PHOLM3HR7RA NS SOA MX RRSIG DNSKEY NSEC3PARAM
 1      2eu2gulbu53h9uvhfalshpbo2a83t6l2.Test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 1      Test.com.       IN      RRSIG   3600    SOA 8 2 3600 [expiry] [inception] [keytag] test.com. ...
 1      Test.com.       IN      SOA     3600    ns1.Test.com. ahu.example.com. 2005092501 28800 7200 604800 86400
-1      igf4m7otecach14p0a6ingi7dbuas5b2.Test.com.      IN      NSEC3   86400   1 1 1 abcd O1L0FB73HI3QP4A3FNQJSLEANLC883I3 A RP RRSIG
+1      igf4m7otecach14p0a6ingi7dbuas5b2.Test.com.      IN      NSEC3   86400   1 [flags] 1 abcd O1L0FB73HI3QP4A3FNQJSLEANLC883I3 A RP RRSIG
 1      igf4m7otecach14p0a6ingi7dbuas5b2.Test.com.      IN      RRSIG   86400   NSEC3 8 3 86400 [expiry] [inception] [keytag] test.com. ...
 2      .       IN      OPT     32768   
 Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0

diff --git a/regression-tests/verify-dnssec-zone/expected_result b/regression-tests/verify-dnssec-zone/expected_result
index 03808592192c8fc742dbc271645a0649258abe52..d8121304f3605c98738ff4ec10b4c0862759b329 100644 (file)
--- a/regression-tests/verify-dnssec-zone/expected_result
+++ b/regression-tests/verify-dnssec-zone/expected_result
@@ -61,6 +61,21 @@ zone delegated.dnssec-parent.com/IN: loaded serial 2005092501 (DNSSEC signed)
 OK
 RETVAL: 0
 
+--- ldns-verify-zone -V2 secure-delegated.dnssec-parent.com
+RETVAL: 0
+
+--- validns secure-delegated.dnssec-parent.com
+RETVAL: 0
+
+--- jdnssec-verifyzone secure-delegated.dnssec-parent.com
+zone verified.
+RETVAL: 0
+
+--- named-checkzone secure-delegated.dnssec-parent.com
+zone secure-delegated.dnssec-parent.com/IN: loaded serial 2005092501 (DNSSEC signed)
+OK
+RETVAL: 0
+
 --- ldns-verify-zone -V2 minimal.com
 RETVAL: 0