:multitext.example.com:16:\015text\040part\040one\015text\040part\040two\017text\040part\040three:120
+ns1.example.com:192.168.1.1:120
+ns2.example.com:192.168.1.2:120
+Cnxd.example.com:nxdomain.example.com.:120
+outpost.example.com:192.168.2.1:120
Csemi-external.example.com:bla.something.wtest.com.:120
Cserver1.example.com:server1.france.example.com.:120
+smtp-servers.example.com:192.168.0.3:120
+smtp-servers.example.com:192.168.0.4:120
Csmtp1.example.com:outpost.example.com.:120
+Cstart.example.com:x.y.z.w1.example.com.:120
Cstart1.example.com:start2.example.com.:120
Cstart2.example.com:start3.example.com.:120
Cstart3.example.com:start4.example.com.:120
+toomuchinfo-b.example.com:192.168.99.88:120
+toomuchinfo-b.example.com:192.168.99.89:120
+toomuchinfo-b.example.com:192.168.99.90:120
+Cunauth.example.com:no-idea.example.org.:120
&usa.example.com::usa-ns1.usa.example.com.:120
&usa.example.com::usa-ns2.usa.example.com.:120
+usa-ns1.usa.example.com:192.168.4.1:120
+usa-ns2.usa.example.com:192.168.4.2:120
+C\052.w1.example.com:x.y.z.w2.example.com.:120
+C\052.w2.example.com:x.y.z.w3.example.com.:120
+C\052.w3.example.com:x.y.z.w4.example.com.:120
+C\052.w4.example.com:x.y.z.w5.example.com.:120
++\052.w5.example.com:1.2.3.5:120
Cwww.example.com:outpost.example.com.:120
#2005092501 auto axfr-get
Ztest.com:ns1.test.com.:ahu.example.com.:2005092501:28800:7200:604800:86400:3600
drc->toPacket(pw);
if(pw.size() + 20U > (d_tcp ? 65535 : getMaxReplyLen())) { // 20 = room for EDNS0
pw.rollback();
- if(pos->d_place == DNSResourceRecord::ANSWER) {
+ if(pos->d_place == DNSResourceRecord::ANSWER || pos->d_place == DNSResourceRecord::AUTHORITY) {
pw.getHeader()->tc=1;
}
goto noCommit;
pw.addOpt(2800, 0, EDNSOpts::DNSSECOK);
pw.commit();
- Socket sock(InterNetwork, Datagram);
+ Socket sock(InterNetwork, Stream);
ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
- sock.sendTo(string((char*)&*packet.begin(), (char*)&*packet.end()), dest);
+ sock.connect(dest);
+ uint16_t len;
+ len = htons(packet.size());
+ if(sock.write((char *) &len, 2) != 2)
+ throw AhuException("tcp write failed");
+
+ sock.writen(string((char*)&*packet.begin(), (char*)&*packet.end()));
- string reply;
- sock.recvFrom(reply, dest);
+ if(sock.read((char *) &len, 2) != 2)
+ throw AhuException("tcp read failed");
+
+ len=ntohs(len);
+ char *creply = new char[len];
+ int n=0;
+ int numread;
+ while(n<len) {
+ numread=sock.read(creply+n, len-n);
+ if(numread<0)
+ throw AhuException("tcp read failed");
+ n+=numread;
+ }
+
+ string reply(creply, len);
+ delete[] creply;
MOADNSParser mdp(reply);
cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
else
{
// cerr<<"namesseen.insert('"<<i->first.d_label<<"')"<<endl;
- names.insert(i->first.d_label);
- namesseen.insert(i->first.d_label);
+ names.insert(stripDot(i->first.d_label));
+ namesseen.insert(stripDot(i->first.d_label));
+ }
+
+ if(i->first.d_type == QType::CNAME)
+ {
+ namesseen.insert(stripDot(i->first.d_content->getZoneRepresentation()));
}
cout<<i->first.d_place-1<<"\t"<<i->first.d_label<<"\tIN\t"<<DNSRecordContent::NumberToType(i->first.d_type);
cout<<"== nsec3 prove/deny report follows =="<<endl;
set<string> proven;
set<string> denied;
+ namesseen.insert(stripDot(qname));
BOOST_FOREACH(string n, namesseen)
{
string shorter(n);
mode 4 = Name Error Responses
mode 5 = ANY or direct NSEC request
*/
-void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& target3, const string& auth, int mode)
+void PacketHandler::addNSECX(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, int mode)
{
NSEC3PARAMRecordContent ns3rc;
// cerr<<"Doing NSEC3PARAM lookup for '"<<auth<<"', "<<p->qdomain<<"|"<<p->qtype.getName()<<": ";
bool narrow;
if(d_dk.getNSEC3PARAM(auth, &ns3rc, &narrow)) {
// cerr<<"Present, narrow="<<narrow<<endl;
- addNSEC3(p, r, target3, auth, ns3rc, narrow, mode);
+ addNSEC3(p, r, target, wildcard, auth, ns3rc, narrow, mode);
}
else {
// cerr<<"Not present"<<endl;
- addNSEC(p, r, target, auth, mode);
+ addNSEC(p, r, target, wildcard, auth, mode);
}
}
return ret;
}
-void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
+void PacketHandler::addNSEC3(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, const NSEC3PARAMRecordContent& ns3rc, bool narrow, int mode)
{
- // L<<"mode="<<mode<<" target="<<target<<" auth="<<auth<<endl;
+ // L<<"mode="<<mode<<" target="<<target<<" wildcard="<<wildcard<<" auth="<<auth<<endl;
SOAData sd;
sd.db = (DNSBackend*)-1;
return;
}
// cerr<<"salt in ph: '"<<makeHexDump(ns3rc.d_salt)<<"', narrow="<<narrow<<endl;
+
string unhashed, hashed, before, after;
- string closest(target);
+ string closest=(mode == 3 || mode == 4) ? wildcard : target;
if (mode == 2 || mode == 3 || mode == 4) {
chopOff(closest);
// add matching NSEC3 RR
if (mode != 3) {
- if (mode == 0 || mode == 5) {
- unhashed=target;
- }
- else {
- unhashed=closest;
- }
+ unhashed=(mode == 0 || mode == 5) ? target : closest;
hashed=hashQNameWithSalt(ns3rc.d_iterations, ns3rc.d_salt, unhashed);
// L<<"1 hash: "<<toBase32Hex(hashed)<<" "<<unhashed<<endl;
// add covering NSEC3 RR
if (mode != 0 && mode != 5) {
- string next(p->qdomain);
+ string next(target);
do {
unhashed=next;
}
}
}
-void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, const string& auth, int mode)
+void PacketHandler::addNSEC(DNSPacket *p, DNSPacket *r, const string& target, const string& wildcard, const string& auth, int mode)
{
if(!p->d_dnssecOk)
return;
if (mode == 2) {
// wildcard NO-DATA
- sd.db->getBeforeAndAfterNames(sd.domain_id, auth, p->qdomain, before, after);
- emitNSEC(before, after, target, sd, r, mode);
sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
+ emitNSEC(before, after, target, sd, r, mode);
+ sd.db->getBeforeAndAfterNames(sd.domain_id, auth, wildcard, before, after);
}
- else {
+ else
sd.db->getBeforeAndAfterNames(sd.domain_id, auth, target, before, after);
- }
emitNSEC(before, after, target, sd, r, mode);
-
+
if (mode == 4) {
// this one does wildcard denial, if applicable
sd.db->getBeforeAndAfterNames(sd.domain_id, auth, auth, before, after);
}
}
-void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& nextcloser, SOAData& sd)
+void PacketHandler::makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd)
{
DNSResourceRecord rr;
rr.qname=sd.qname;
r->addRecord(rr);
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname))
- addNSECX(p, r, target, nextcloser, sd.qname, 4);
+ addNSECX(p, r, target, wildcard, sd.qname, 4);
r->setRcode(RCode::NXDomain);
S.ringAccount("nxdomain-queries",p->qdomain+"/"+p->qtype.getName());
}
-void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd, int mode)
+void PacketHandler::makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd, int mode)
{
DNSResourceRecord rr;
rr.qname=sd.qname;
r->addRecord(rr);
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname))
- addNSECX(p, r, target, target, sd.qname, mode);
+ addNSECX(p, r, target, wildcard, sd.qname, mode);
S.ringAccount("noerror-queries",p->qdomain+"/"+p->qtype.getName());
}
r->setA(false);
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname) && !addDSforNS(p, r, sd, rrset.begin()->qname))
- addNSECX(p, r, rrset.begin()->qname, rrset.begin()->qname, sd.qname, 1);
+ addNSECX(p, r, rrset.begin()->qname, "", sd.qname, 1);
return true;
}
if(!d_dk.isSecuredZone(sd.qname))
return;
- addNSECX(p, r, target, target, sd.qname, 5);
+ addNSECX(p, r, target, "", sd.qname, 5);
if(pdns_iequals(sd.qname, p->qdomain)) {
addDNSKEY(p, r, sd);
addNSEC3PARAM(p, r, sd);
bool PacketHandler::tryWildcard(DNSPacket *p, DNSPacket*r, SOAData& sd, string &target, string &wildcard, bool& retargeted, bool& nodata)
{
retargeted = nodata = false;
+ string bestmatch;
vector<DNSResourceRecord> rrset;
if(!getBestWildcard(p, sd, target, wildcard, &rrset))
DLOG(L<<"The best wildcard match: "<<rrset.begin()->qname<<endl);
BOOST_FOREACH(DNSResourceRecord rr, rrset) {
rr.wildcardname = rr.qname;
- rr.qname=target;
+ rr.qname=bestmatch=target;
if(rr.qtype.getCode() == QType::CNAME) {
retargeted=true;
}
}
if(p->d_dnssecOk && d_dk.isSecuredZone(sd.qname) && !nodata) {
- addNSECX(p, r, p->qdomain, wildcard, sd.qname, 3);
+ addNSECX(p, r, bestmatch, wildcard, sd.qname, 3);
}
return true;
}
// this TRUMPS a cname!
if(p->qtype.getCode() == QType::NSEC && p->d_dnssecOk && d_dk.isSecuredZone(sd.qname) && !d_dk.getNSEC3PARAM(sd.qname, 0)) {
- addNSEC(p, r, target, sd.qname, 5); // only NSEC please
+ addNSEC(p, r, target, "", sd.qname, 5); // only NSEC please
goto sendit;
}
DLOG(L<<"After first ANY query for '"<<target<<"', id="<<sd.domain_id<<": weDone="<<weDone<<", weHaveUnauth="<<weHaveUnauth<<", weRedirected="<<weRedirected<<endl);
if(p->qtype.getCode() == QType::DS && weHaveUnauth && !weDone && !weRedirected && d_dk.isSecuredZone(sd.qname)) {
DLOG(L<<"Q for DS of a name for which we do have NS, but for which we don't have on a zone with DNSSEC need to provide an AUTH answer that proves we don't"<<endl);
- makeNOError(p, r, target, sd, 1);
+ makeNOError(p, r, target, "", sd, 1);
goto sendit;
}
retargetcount++;
goto retargeted;
}
- if(nodata) {
- target=wildcard;
- makeNOError(p, r, target, sd, 2);
- }
+ if(nodata)
+ makeNOError(p, r, target, wildcard, sd, 2);
+
goto sendit;
}
else
{
- makeNXDomain(p, r, target, wildcard, sd);
+ if (!(((p->qtype.getCode() == QType::CNAME) || (p->qtype.getCode() == QType::ANY)) && retargetcount > 0))
+ makeNXDomain(p, r, target, wildcard, sd);
}
goto sendit;
completeANYRecords(p, r, sd, target);
}
else
- makeNOError(p, r, rr.qname, sd, 0);
+ makeNOError(p, r, rr.qname, "", sd, 0);
goto sendit;
}
}
else {
DLOG(L<<"Have some data, but not the right data"<<endl);
- makeNOError(p, r, target, sd, 0);
+ makeNOError(p, r, target, "", sd, 0);
}
sendit:;
bool getTLDAuth(DNSPacket *p, SOAData *sd, const string &target, int *zoneId);
int doAdditionalProcessingAndDropAA(DNSPacket *p, DNSPacket *r, const SOAData& sd);
bool doDNSSECProcessing(DNSPacket* p, DNSPacket *r);
- void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const string& target3, const std::string& auth, int mode);
- void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, int mode);
- void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode);
+ void addNSECX(DNSPacket *p, DNSPacket* r, const string &target, const string &wildcard, const std::string &auth, int mode);
+ void addNSEC(DNSPacket *p, DNSPacket* r, const string &target, const string &wildcard, const std::string& auth, int mode);
+ void addNSEC3(DNSPacket *p, DNSPacket* r, const string &target, const string &wildcard, const std::string& auth, const NSEC3PARAMRecordContent& nsec3param, bool narrow, int mode);
void emitNSEC(const std::string& before, const std::string& after, const std::string& toNSEC, const SOAData& sd, DNSPacket *r, int mode);
void emitNSEC3(const NSEC3PARAMRecordContent &ns3rc, const SOAData& sd, const std::string& unhashed, const std::string& begin, const std::string& end, const std::string& toNSEC3, DNSPacket *r, int mode);
void synthesiseRRSIGs(DNSPacket* p, DNSPacket* r);
- void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& nextcloser, SOAData& sd);
- void makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, SOAData& sd, int mode);
+ void makeNXDomain(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd);
+ void makeNOError(DNSPacket* p, DNSPacket* r, const std::string& target, const std::string& wildcard, SOAData& sd, int mode);
vector<DNSResourceRecord> getBestReferralNS(DNSPacket *p, SOAData& sd, const string &target);
bool tryReferral(DNSPacket *p, DNSPacket*r, SOAData& sd, const string &target);
#include "dnswriter.hh"
#include "dnsrecords.hh"
#include "statbag.hh"
+#include <boost/array.hpp>
StatBag S;
int main(int argc, char** argv)
{
bool dnssec=false;
bool recurse=false;
+ bool tcp=false;
reportAllTypes();
{
dnssec=true;
}
+
+ if(argc > 5 && strcmp(argv[5], "dnssec-tcp")==0)
+ {
+ dnssec=true;
+ tcp=true;
+ }
if(argc > 5 && strcmp(argv[5], "recurse")==0)
{
// pw.addOpt(5200, 0, 0);
// pw.commit();
- Socket sock(InterNetwork, Datagram);
- ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
- sock.sendTo(string((char*)&*packet.begin(), (char*)&*packet.end()), dest);
-
string reply;
- sock.recvFrom(reply, dest);
+ if(tcp) {
+ Socket sock(InterNetwork, Stream);
+ ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
+ sock.connect(dest);
+ uint16_t len;
+ len = htons(packet.size());
+ if(sock.write((char *) &len, 2) != 2)
+ throw AhuException("tcp write failed");
+
+ sock.writen(string((char*)&*packet.begin(), (char*)&*packet.end()));
+
+ if(sock.read((char *) &len, 2) != 2)
+ throw AhuException("tcp read failed");
+
+ len=ntohs(len);
+ char *creply = new char[len];
+ int n=0;
+ int numread;
+ while(n<len) {
+ numread=sock.read(creply+n, len-n);
+ if(numread<0)
+ throw AhuException("tcp read failed");
+ n+=numread;
+ }
+
+ reply=string(creply, len);
+ delete[] creply;
+ }
+ else //udp
+ {
+ Socket sock(InterNetwork, Datagram);
+ ComboAddress dest(argv[1] + (*argv[1]=='@'), atoi(argv[2]));
+ sock.sendTo(string((char*)&*packet.begin(), (char*)&*packet.end()), dest);
+
+ sock.recvFrom(reply, dest);
+ }
MOADNSParser mdp(reply);
cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
-b6d1c64a890e3f3ce40970724a12eb0b ../regression-tests/example.com
+237fd1b570f3a2361ded22427754e57e ../regression-tests/example.com
66e79fb95029616572d1a100489d6b92 ../regression-tests/test.com
7d726bc367bf5e6ee5f1689994c6b6d4 ../regression-tests/wtest.com
a0670eef8fba3e16908057af8de2c2f2 ../regression-tests/dnssec-parent.com
42dd3a56c7d268e75836371878819ec4 ../regression-tests/delegated.dnssec-parent.com
24514dc104b22206daeb973ff9303545 ../regression-tests/minimal.com
-8c74a6295048b826a3cfcb15d0c72644 ../modules/tinydnsbackend/data.cdb
+77e4eaed54f3fee0fa8006c7a190750d ../modules/tinydnsbackend/data.cdb
--- /dev/null
+#!/bin/sh
+
+cleandig nxdomain.example.com ANY dnssec
+
--- /dev/null
+Make sure a ANY query generates the correct statuscode and NSEC(3) denial.
--- /dev/null
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2 . IN OPT 32768
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxdomain.example.com.', qtype=ANY
--- /dev/null
+1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 nxd.example.com. IN NSEC 86400 outpost.example.com. CNAME RRSIG NSEC
+1 nxd.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxdomain.example.com.', qtype=ANY
--- /dev/null
+1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN NSEC3 86400 1 1 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC
+1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxdomain.example.com.', qtype=ANY
--- /dev/null
+1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN NSEC3 86400 1 1 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG
+1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxdomain.example.com.', qtype=ANY
--- /dev/null
+#!/bin/sh
+cleandig nxd.example.com ANY dnssec
+
--- /dev/null
+ANY query for a CNAME to a local NXDOMAIN.
--- /dev/null
+0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=ANY
--- /dev/null
+0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
+0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=ANY
--- /dev/null
+0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
+0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=ANY
--- /dev/null
+0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
+0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=ANY
--- /dev/null
+#!/bin/sh
+cleandig nxd.example.com A dnssec
+
--- /dev/null
+CNAME to a local NXDOMAIN.
--- /dev/null
+0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+2 . IN OPT 32768
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=A
--- /dev/null
+0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
+0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN NSEC 86400 escapedtext.example.com. NS SOA MX RRSIG NSEC DNSKEY
+1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 nxd.example.com. IN NSEC 86400 outpost.example.com. CNAME RRSIG NSEC
+1 nxd.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=A
--- /dev/null
+0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
+0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN NSEC3 86400 1 1 1 abcd 9FAG9508OQU3M22QAC0U5EQGG45V8CF2
+1 9fag9508oqu3m22qac0u5eqgg45v8cf0.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN NSEC3 86400 1 1 1 abcd ONNHV82ALU3OM3L4FKFES49N0J2C71BC
+1 onnhv82alu3om3l4fkfes49n0j2c71ba.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTNQ6OCN2VKUIV3NJU14OQTAEN2MT5SL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=A
--- /dev/null
+0 nxd.example.com. IN CNAME 120 nxdomain.example.com.
+0 nxd.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN NSEC3 86400 1 1 1 abcd 9FDAOFPLLN0FQFU9DP274GOU59QFHSLD A RRSIG
+1 9f8hti7cc7oqnqjv84klnp89glqrss3r.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
+1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
+1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN NSEC3 86400 1 1 1 abcd ONNU1VP51T2LDROTDVQ10HVLRQQV2UAA A RRSIG
+1 onn5kjcskcfqisao7tmqpjkp5kkh111o.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN NSEC3 86400 1 1 1 abcd VTP9NUQBEH436S7J0K8TI2A32MMKCUUL NS SOA MX RRSIG DNSKEY NSEC3PARAM
+1 vtnq6ocn2vkuiv3nju14oqtaen2mt5sk.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='nxd.example.com.', qtype=A
--- /dev/null
+#!/bin/sh
+cleandig unauth.example.com ANY dnssec
+
--- /dev/null
+CNAME to a name we are not authoritative for. (ANY query)
--- /dev/null
+0 unauth.example.com. IN CNAME 120 no-idea.example.org.
+1 . IN NS 518400 a.root-servers.net.
+1 . IN NS 518400 b.root-servers.net.
+1 . IN NS 518400 c.root-servers.net.
+1 . IN NS 518400 d.root-servers.net.
+1 . IN NS 518400 e.root-servers.net.
+1 . IN NS 518400 f.root-servers.net.
+1 . IN NS 518400 g.root-servers.net.
+1 . IN NS 518400 h.root-servers.net.
+1 . IN NS 518400 i.root-servers.net.
+1 . IN NS 518400 j.root-servers.net.
+1 . IN NS 518400 k.root-servers.net.
+1 . IN NS 518400 l.root-servers.net.
+1 . IN NS 518400 m.root-servers.net.
+2 . IN OPT 32768
+2 a.root-servers.net. IN A 3600000 198.41.0.4
+2 b.root-servers.net. IN A 3600000 192.228.79.201
+2 c.root-servers.net. IN A 3600000 192.33.4.12
+2 d.root-servers.net. IN A 3600000 128.8.10.90
+2 e.root-servers.net. IN A 3600000 192.203.230.10
+2 f.root-servers.net. IN A 3600000 192.5.5.241
+2 g.root-servers.net. IN A 3600000 192.112.36.4
+2 h.root-servers.net. IN A 3600000 128.63.2.53
+2 i.root-servers.net. IN A 3600000 192.36.148.17
+2 j.root-servers.net. IN A 3600000 192.58.128.30
+2 k.root-servers.net. IN A 3600000 193.0.14.129
+2 l.root-servers.net. IN A 3600000 198.32.64.12
+2 m.root-servers.net. IN A 3600000 202.12.27.33
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='unauth.example.com.', qtype=ANY
--- /dev/null
+0 unauth.example.com. IN CNAME 120 no-idea.example.org.
+0 unauth.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1 . IN NS 518400 a.root-servers.net.
+1 . IN NS 518400 b.root-servers.net.
+1 . IN NS 518400 c.root-servers.net.
+1 . IN NS 518400 d.root-servers.net.
+1 . IN NS 518400 e.root-servers.net.
+1 . IN NS 518400 f.root-servers.net.
+1 . IN NS 518400 g.root-servers.net.
+1 . IN NS 518400 h.root-servers.net.
+1 . IN NS 518400 i.root-servers.net.
+1 . IN NS 518400 j.root-servers.net.
+1 . IN NS 518400 k.root-servers.net.
+1 . IN NS 518400 l.root-servers.net.
+1 . IN NS 518400 m.root-servers.net.
+2 . IN OPT 32768
+2 a.root-servers.net. IN A 3600000 198.41.0.4
+2 b.root-servers.net. IN A 3600000 192.228.79.201
+2 c.root-servers.net. IN A 3600000 192.33.4.12
+2 d.root-servers.net. IN A 3600000 128.8.10.90
+2 e.root-servers.net. IN A 3600000 192.203.230.10
+2 f.root-servers.net. IN A 3600000 192.5.5.241
+2 g.root-servers.net. IN A 3600000 192.112.36.4
+2 h.root-servers.net. IN A 3600000 128.63.2.53
+2 i.root-servers.net. IN A 3600000 192.36.148.17
+2 j.root-servers.net. IN A 3600000 192.58.128.30
+2 k.root-servers.net. IN A 3600000 193.0.14.129
+2 l.root-servers.net. IN A 3600000 198.32.64.12
+2 m.root-servers.net. IN A 3600000 202.12.27.33
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='unauth.example.com.', qtype=ANY
--- /dev/null
+#!/bin/sh
+cleandig unauth.example.com A dnssec
+
--- /dev/null
+CNAME to a name we are not authoritative for.
--- /dev/null
+0 unauth.example.com. IN CNAME 120 no-idea.example.org.
+1 . IN NS 518400 a.root-servers.net.
+1 . IN NS 518400 b.root-servers.net.
+1 . IN NS 518400 c.root-servers.net.
+1 . IN NS 518400 d.root-servers.net.
+1 . IN NS 518400 e.root-servers.net.
+1 . IN NS 518400 f.root-servers.net.
+1 . IN NS 518400 g.root-servers.net.
+1 . IN NS 518400 h.root-servers.net.
+1 . IN NS 518400 i.root-servers.net.
+1 . IN NS 518400 j.root-servers.net.
+1 . IN NS 518400 k.root-servers.net.
+1 . IN NS 518400 l.root-servers.net.
+1 . IN NS 518400 m.root-servers.net.
+2 . IN OPT 32768
+2 a.root-servers.net. IN A 3600000 198.41.0.4
+2 b.root-servers.net. IN A 3600000 192.228.79.201
+2 c.root-servers.net. IN A 3600000 192.33.4.12
+2 d.root-servers.net. IN A 3600000 128.8.10.90
+2 e.root-servers.net. IN A 3600000 192.203.230.10
+2 f.root-servers.net. IN A 3600000 192.5.5.241
+2 g.root-servers.net. IN A 3600000 192.112.36.4
+2 h.root-servers.net. IN A 3600000 128.63.2.53
+2 i.root-servers.net. IN A 3600000 192.36.148.17
+2 j.root-servers.net. IN A 3600000 192.58.128.30
+2 k.root-servers.net. IN A 3600000 193.0.14.129
+2 l.root-servers.net. IN A 3600000 198.32.64.12
+2 m.root-servers.net. IN A 3600000 202.12.27.33
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='unauth.example.com.', qtype=A
--- /dev/null
+0 unauth.example.com. IN CNAME 120 no-idea.example.org.
+0 unauth.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1 . IN NS 518400 a.root-servers.net.
+1 . IN NS 518400 b.root-servers.net.
+1 . IN NS 518400 c.root-servers.net.
+1 . IN NS 518400 d.root-servers.net.
+1 . IN NS 518400 e.root-servers.net.
+1 . IN NS 518400 f.root-servers.net.
+1 . IN NS 518400 g.root-servers.net.
+1 . IN NS 518400 h.root-servers.net.
+1 . IN NS 518400 i.root-servers.net.
+1 . IN NS 518400 j.root-servers.net.
+1 . IN NS 518400 k.root-servers.net.
+1 . IN NS 518400 l.root-servers.net.
+1 . IN NS 518400 m.root-servers.net.
+2 . IN OPT 32768
+2 a.root-servers.net. IN A 3600000 198.41.0.4
+2 b.root-servers.net. IN A 3600000 192.228.79.201
+2 c.root-servers.net. IN A 3600000 192.33.4.12
+2 d.root-servers.net. IN A 3600000 128.8.10.90
+2 e.root-servers.net. IN A 3600000 192.203.230.10
+2 f.root-servers.net. IN A 3600000 192.5.5.241
+2 g.root-servers.net. IN A 3600000 192.112.36.4
+2 h.root-servers.net. IN A 3600000 128.63.2.53
+2 i.root-servers.net. IN A 3600000 192.36.148.17
+2 j.root-servers.net. IN A 3600000 192.58.128.30
+2 k.root-servers.net. IN A 3600000 193.0.14.129
+2 l.root-servers.net. IN A 3600000 198.32.64.12
+2 m.root-servers.net. IN A 3600000 202.12.27.33
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='unauth.example.com.', qtype=A
--- /dev/null
+#!/bin/sh
+cleandig start.example.com A dnssec-tcp
+
--- /dev/null
+A five-long CNAME chain involving wildcards at every step
--- /dev/null
+0 start.example.com. IN CNAME 120 x.y.z.w1.example.com.
+0 x.y.z.w1.example.com. IN CNAME 120 x.y.z.w2.example.com.
+0 x.y.z.w2.example.com. IN CNAME 120 x.y.z.w3.example.com.
+0 x.y.z.w3.example.com. IN CNAME 120 x.y.z.w4.example.com.
+0 x.y.z.w4.example.com. IN CNAME 120 x.y.z.w5.example.com.
+0 x.y.z.w5.example.com. IN A 120 1.2.3.5
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='start.example.com.', qtype=A
--- /dev/null
+0 start.example.com. IN CNAME 120 x.y.z.w1.example.com.
+0 start.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w1.example.com. IN CNAME 120 x.y.z.w2.example.com.
+0 x.y.z.w1.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w2.example.com. IN CNAME 120 x.y.z.w3.example.com.
+0 x.y.z.w2.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w3.example.com. IN CNAME 120 x.y.z.w4.example.com.
+0 x.y.z.w3.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w4.example.com. IN CNAME 120 x.y.z.w5.example.com.
+0 x.y.z.w4.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w5.example.com. IN A 120 1.2.3.5
+0 x.y.z.w5.example.com. IN RRSIG 120 A 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1 *.w1.example.com. IN NSEC 86400 *.w2.example.com. CNAME RRSIG NSEC
+1 *.w1.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 *.w2.example.com. IN NSEC 86400 *.w3.example.com. CNAME RRSIG NSEC
+1 *.w2.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 *.w3.example.com. IN NSEC 86400 *.w4.example.com. CNAME RRSIG NSEC
+1 *.w3.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 *.w4.example.com. IN NSEC 86400 *.w5.example.com. CNAME RRSIG NSEC
+1 *.w4.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 *.w5.example.com. IN NSEC 86400 www.example.com. A RRSIG NSEC
+1 *.w5.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='start.example.com.', qtype=A
--- /dev/null
+0 start.example.com. IN CNAME 120 x.y.z.w1.example.com.
+0 start.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w1.example.com. IN CNAME 120 x.y.z.w2.example.com.
+0 x.y.z.w1.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w2.example.com. IN CNAME 120 x.y.z.w3.example.com.
+0 x.y.z.w2.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w3.example.com. IN CNAME 120 x.y.z.w4.example.com.
+0 x.y.z.w3.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w4.example.com. IN CNAME 120 x.y.z.w5.example.com.
+0 x.y.z.w4.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w5.example.com. IN A 120 1.2.3.5
+0 x.y.z.w5.example.com. IN RRSIG 120 A 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1 6jmrie0v0hnp2flflt36lur7c08n9h45.example.com. IN NSEC3 86400 1 1 1 abcd 6JMRIE0V0HNP2FLFLT36LUR7C08N9H47
+1 6jmrie0v0hnp2flflt36lur7c08n9h45.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 atcf56s7ucntm82nht67p3g2nqteplou.example.com. IN NSEC3 86400 1 1 1 abcd ATCF56S7UCNTM82NHT67P3G2NQTEPLP0
+1 atcf56s7ucntm82nht67p3g2nqteplou.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 b6drqdikagd74fa5eme4sdiek1s06343.example.com. IN NSEC3 86400 1 1 1 abcd B6DRQDIKAGD74FA5EME4SDIEK1S06345
+1 b6drqdikagd74fa5eme4sdiek1s06343.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com. IN NSEC3 86400 1 1 1 abcd LR0G3VNJ9R0NVTLSJNF8EQA68SQJ06QI
+1 lr0g3vnj9r0nvtlsjnf8eqa68sqj06qg.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 vsfa79vv78gd61567bkcai646ta0p276.example.com. IN NSEC3 86400 1 1 1 abcd VSFA79VV78GD61567BKCAI646TA0P278
+1 vsfa79vv78gd61567bkcai646ta0p276.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='start.example.com.', qtype=A
--- /dev/null
+0 start.example.com. IN CNAME 120 x.y.z.w1.example.com.
+0 start.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w1.example.com. IN CNAME 120 x.y.z.w2.example.com.
+0 x.y.z.w1.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w2.example.com. IN CNAME 120 x.y.z.w3.example.com.
+0 x.y.z.w2.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w3.example.com. IN CNAME 120 x.y.z.w4.example.com.
+0 x.y.z.w3.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w4.example.com. IN CNAME 120 x.y.z.w5.example.com.
+0 x.y.z.w4.example.com. IN RRSIG 120 CNAME 8 3 120 [expiry] [inception] [keytag] example.com. ...
+0 x.y.z.w5.example.com. IN A 120 1.2.3.5
+0 x.y.z.w5.example.com. IN RRSIG 120 A 8 3 120 [expiry] [inception] [keytag] example.com. ...
+1 6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com. IN NSEC3 86400 1 1 1 abcd 6JNMPRJN08RFG8QRUMBN91V2UURTV527 A RRSIG
+1 6jljjg5vg8ab1latv5khfq52jjpdlp9t.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com. IN NSEC3 86400 1 1 1 abcd ATEJUO2QMEO1FORSEB6KH9B0DMVFRK08 A RRSIG
+1 atbcoh7l1gr1cbifhkt3ikmv2o60g8sc.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com. IN NSEC3 86400 1 1 1 abcd B6J68ESSIMG1HC5MGJ3B3OQUKL9PKEQB A RRSIG
+1 b6cdleeregn514pnp2jgmtd67ig3q4qs.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 lqu3s8oae1ipc1iobnslma8igo1335a4.example.com. IN NSEC3 86400 1 1 1 abcd LR1LEP75CII4P0CLER3MLLQBO1TGKHDO A RRSIG
+1 lqu3s8oae1ipc1iobnslma8igo1335a4.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com. IN NSEC3 86400 1 1 1 abcd VSGNH606MUV7BFQFN3TRH1D5FKP1IPIV A RRSIG
+1 vscvfu442fdlbq07jpd7bdocd3ig7fo8.example.com. IN RRSIG 86400 NSEC3 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+2 . IN OPT 32768
+Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
+Reply to question for qname='start.example.com.', qtype=A
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1 usa.example.com. IN NSEC 86400 www.example.com. NS RRSIG NSEC
+1 usa.example.com. IN NSEC 86400 *.w1.example.com. NS RRSIG NSEC
1 usa.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 0, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
1 usa.example.com. IN NS 120 usa-ns1.usa.example.com.
1 usa.example.com. IN NS 120 usa-ns2.usa.example.com.
-1 usa.example.com. IN NSEC 86400 www.example.com. NS RRSIG NSEC
+1 usa.example.com. IN NSEC 86400 *.w1.example.com. NS RRSIG NSEC
2 . IN OPT 32768
2 usa-ns1.usa.example.com. IN A 120 192.168.4.1
2 usa-ns2.usa.example.com. IN A 120 192.168.4.2
IN LOC 51 56 2.789 N 5 54 0.000 W 4.00m 3.00m 10000.00m 10.00m
IN LOC 51 56 3.012 S 5 54 0.000 W 4.00m 4.00m 10000.00m 10.00m
;
+unauth IN CNAME no-idea.example.org.
+;
+nxd IN CNAME nxdomain.example.com.
+;
hwinfo IN HINFO "abc" "def"
;
smtp-servers IN A 192.168.0.2
smtp-servers IN A 192.168.0.4
;
outpost IN A 192.168.2.1
+
+start IN CNAME x.y.z.w1
+*.w1 IN CNAME x.y.z.w2
+*.w2 IN CNAME x.y.z.w3
+*.w3 IN CNAME x.y.z.w4
+*.w4 IN CNAME x.y.z.w5
+*.w5 IN A 1.2.3.5
+
;
start1 IN CNAME start2
start2 IN CNAME start3
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1 usa.example.com. IN NSEC 86400 www.example.com. NS RRSIG NSEC
+1 usa.example.com. IN NSEC 86400 *.w1.example.com. NS RRSIG NSEC
1 usa.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1 ns2.example.com. IN NSEC 86400 outpost.example.com. A RRSIG NSEC
-1 ns2.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
+1 nxd.example.com. IN NSEC 86400 outpost.example.com. CNAME RRSIG NSEC
+1 nxd.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0
Reply to question for qname='outerpost.example.com.', qtype=A
1 example.com. IN RRSIG 86400 NSEC 8 2 86400 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN RRSIG 86400 SOA 8 2 100000 [expiry] [inception] [keytag] example.com. ...
1 example.com. IN SOA 86400 ns1.example.com. ahu.example.com. 2000081501 28800 7200 604800 86400
-1 ns2.example.com. IN NSEC 86400 outpost.example.com. A RRSIG NSEC
+1 ns2.example.com. IN NSEC 86400 nxd.example.com. A RRSIG NSEC
1 ns2.example.com. IN RRSIG 86400 NSEC 8 3 86400 [expiry] [inception] [keytag] example.com. ...
2 . IN OPT 32768
Rcode: 3, RD: 0, QR: 1, TC: 0, AA: 1, opcode: 0