Network Working Group                                        V. Dukhovni
Internet-Draft                                                 Two Sigma
Intended status: Experimental                                   S. Huque
Expires: June 19, 2020                                        Salesforce
                                                               W. Toorop
                                                              NLnet Labs
                                                              P. Wouters
                                                                 Red Hat
                                                                M. Shore
                                                                  Fastly
                                                       December 17, 2019

           The DANE Authentication Chain Extension for TLS
                  draft-dukhovni-tls-dnssec-chain-01

Abstract

   This draft describes a new TLS extension for in-band transport of the
   complete set of DNSSEC validated records needed to perform DANE
   authentication of a TLS server without the need to perform separate
   out-of-band DNS lookups.  When the requisite DNS records do not
   exist, the extension conveys a validated denial of existence proof.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 19, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Requirements Notation
   2.  Introduction
   3.  DNSSEC Authentication Chain Extension
     3.1.  Protocol, TLS 1.2
     3.2.  Protocol, TLS 1.3
     3.3.  DNSSEC Authentication Chain Data
       3.3.1.  Authenticated Denial of Existence
   4.  Construction of Serialized Authentication Chains
   5.  Caching and Regeneration of the Authentication Chain
   6.  Verification
   7.  Extension pinning
   8.  Trust Anchor Maintenance
   9.  Virtual Hosting
   10. Operational Considerations
   11. Security Considerations
   12. IANA Considerations
   13. Acknowledgments
   14. References
     14.1.  Normative References
     14.2.  Informative References
   Appendix A.  Test vectors
     A.1.  _443._tcp.www.example.com
     A.2.  _25._tcp.example.com NSEC wildcard
     A.3.  _25._tcp.example.org NSEC3 wildcard
     A.4.  _443._tcp.www.example.org CNAME
     A.5.  _443._tcp.www.example.net DNAME
     A.6.  _25._tcp.smtp.example.com NSEC Denial of Existence
     A.7.  _25._tcp.smtp.example.org NSEC3 Denial of Existence
     A.8.  _443._tcp.www.insecure.example NSEC3 opt-out insecure
           delegation
   Authors' Addresses

1.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Introduction

   This document describes a new TLS [RFC5246] [RFC8446] extension for
   in-band transport of the complete set of DNSSEC [RFC4033] validated
   Resource Records (RRs) that enable a TLS client to perform DANE
   Authentication [RFC6698] [RFC7671] of a TLS server without the need
   to perform out-of-band DNS lookups.  Retrieval of the required DNS
   records may be unavailable to the client ([HAMPERING]), or may incur
   undesirable additional latency.

   The extension described here allows a TLS client to request that the
   TLS server return the DNSSEC authentication chain corresponding to
   its DNSSEC-validated DANE TLSA Resource Record set (RRset), or
   authenticated denial of existence of such an RRset (as described in
   Section 3.3.1).  If the server supports this extension it performs
   the appropriate DNS queries, builds the authentication chain, and
   returns it to the client.  The server will typically use a previously
   cached authentication chain, but it will need to rebuild it
   periodically as described in Section 5.  The client then
   authenticates the chain using a pre-configured DNSSEC trust anchor.

   In the absence of TLSA records, this extension conveys the required
   authenticated denial of existence.  Such proofs are needed to
   securely signal that specified TLSA records are not available, so that
   TLS clients can safely fall back to WebPKI based authentication if
   allowed by local policy.
   These proofs are also needed to avoid downgrade from opportunistic
   authenticated TLS (when DANE TLSA records are present) to
   unauthenticated opportunistic TLS (in the absence of DANE).  Denial of
   existence records are also used by the TLS client to clear no longer
   relevant extension pins, as described in Section 7.

   This extension supports DANE authentication of either X.509
   certificates or raw public keys as described in the DANE
   specification [RFC6698] [RFC7671] and [RFC7250].

   This extension also mitigates an unknown key share (UKS) attack
   [I-D.barnes-dane-uks] when using raw public keys, since the server
   commits to its DNS name (normally found in its certificate) via the
   content of the returned TLSA RRset.

3.  DNSSEC Authentication Chain Extension

3.1.  Protocol, TLS 1.2

   A client MAY include an extension of type "dnssec_chain" in the
   (extended) ClientHello.  The "extension_data" field of this extension
   consists of the server's 16-bit TCP port number in network (big-
   endian) byte order.  Clients sending this extension MUST also send
   the Server Name Indication (SNI, [RFC6066]) extension.  Together,
   these make it possible for the server to determine which
   authenticated TLSA RRset chain needs to be used for the
   "dnssec_chain" extension.

   When a server that implements (and is configured to enable the use
   of) this extension receives a "dnssec_chain" extension in the
   ClientHello, it MUST first check whether the requested TLSA RRset
   (based on the port number in this extension and the hostname in the
   SNI extension) is associated with the server.  If the extension, the
   SNI hostname or the port number is unsupported, the server's extended
   ServerHello message MUST NOT include the dnssec_chain extension.

   Otherwise, the server's extended ServerHello message MUST contain a
   serialized authentication chain using the format described below.
   If the server does not have access to the requested DNS chain (for
   example due to a misconfiguration or an expired chain), the server
   MUST omit the extension rather than send an incomplete chain.  Clients
   that are expecting this extension MUST interpret its absence as a
   downgrade attack and MUST abort the TLS session.  Therefore, servers
   MUST send denial of existence proofs, unless, for the particular
   application protocol or service, clients are expected to continue
   even in the absence of such a proof.  As with all TLS extensions, if
   the server does not support this extension it will not return any
   authentication chain.

3.2.  Protocol, TLS 1.3

   In TLS 1.3, the server adds its dnssec_chain extension to the
   extension block of the Certificate message containing the end entity
   certificate being validated, rather than to the extended ServerHello
   message.

   The extension protocol behavior otherwise follows that specified for
   TLS version 1.2.

3.3.  DNSSEC Authentication Chain Data

   The "extension_data" field of the client's "dnssec_chain" extension
   MUST contain the server's 16-bit TCP port number in network (big-
   endian) byte order:

      struct {
          uint16 PortNumber;
      } DnssecChainExtension;

   The "extension_data" field of the server's "dnssec_chain" extension
   MUST contain a DNSSEC Authentication Chain encoded in the following
   form:

      struct {
          uint16 ExtSupportLifetime;
          opaque AuthenticationChain<1..2^16-1>
      } DnssecChainExtension;

   The ExtSupportLifetime value is the number of hours for which the TLS
   server has committed itself to serving this extension.  A value of
   zero prohibits the client from unilaterally requiring ongoing use of
   the extension based on prior observation of its use (extension
   pinning).  This is further described in Section 7.
   The AuthenticationChain is composed of a sequence of uncompressed
   wire format DNS RRs (including all requisite RRSIG [RFC4034] RRs) in
   no particular order.  The format of the Resource Record is described
   in [RFC1035], Section 3.2.1.

      RR = owner | type | class | TTL | RDATA length | RDATA

   The order of returned RRs is unspecified and a TLS client MUST NOT
   assume any ordering of RRs.

   Use of native DNS wire format records enables easier generation of
   the data structure on the server and easier verification of the data
   on the client by means of existing DNS library functions.

   The returned RRsets MUST contain either the requested TLSA RRset, or
   else the associated denial of existence proof.  In either case, the
   chain of RRs MUST be accompanied with the full set of DNS records
   needed to authenticate the TLSA record set or its denial of existence
   up the DNS hierarchy to either the Root Zone or another trust anchor
   mutually configured by the TLS server and client.

   When some subtree in the chain is subject to redirection via DNAME
   records, the associated inferred CNAME records need not be included;
   they can be inferred by the DNS validation code in the client.  Any
   applicable ordinary CNAME records that are not synthesized from DNAME
   records MUST be included along with their RRSIGs.

   Clients MUST be prepared to encounter (validated) alias loops, and
   MAY then conclude that the requested TLSA RRset therefore does not
   exist.  Servers MUST NOT assume that clients will handle CNAME alias
   loops gracefully.  In case of a server-side DNS problem, servers may
   be unable to construct the authentication chain and would then have
   no choice but to omit the extension.
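   The following is an added example (not code from this draft or its
   authors) of how the two "extension_data" encodings above and the
   uncompressed wire-format RR sequence are produced and consumed.  The
   sample chain it builds is constructed for illustration: a "3 1 1"
   TLSA RR whose SHA-256 field is all zeros and an RRSIG whose RDATA is
   a placeholder rather than a real signature.  Because Section 4
   requires uncompressed names, the parser treats a compression pointer
   as a malformed chain.

```python
import struct

# RR type mnemonics used when labelling a parsed chain (subset).
TYPE_NAMES = {1: "A", 5: "CNAME", 6: "SOA", 43: "DS", 46: "RRSIG", 47: "NSEC",
              48: "DNSKEY", 50: "NSEC3", 52: "TLSA"}


def encode_client_ext(port):
    """Client extension_data: struct { uint16 PortNumber; } in network byte order."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return struct.pack("!H", port)


def decode_client_ext(data):
    if len(data) != 2:
        raise ValueError("client dnssec_chain extension_data must be exactly 2 bytes")
    return struct.unpack("!H", data)[0]


def encode_server_ext(lifetime_hours, chain):
    """Server extension_data: uint16 ExtSupportLifetime, then opaque AuthenticationChain<1..2^16-1>."""
    if not 0 <= lifetime_hours <= 0xFFFF:
        raise ValueError("lifetime out of range")
    if not 1 <= len(chain) <= 0xFFFF:
        raise ValueError("AuthenticationChain must be 1..65535 bytes")
    return struct.pack("!HH", lifetime_hours, len(chain)) + chain


def decode_server_ext(data):
    if len(data) < 4:
        raise ValueError("truncated server extension_data")
    lifetime, length = struct.unpack("!HH", data[:4])
    if length == 0 or len(data) != 4 + length:
        raise ValueError("AuthenticationChain length mismatch")
    return lifetime, data[4:]


def encode_name(name):
    """Uncompressed wire-format name; the root "." encodes as a single zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n & 0xC0:
            # Names in the chain MUST be uncompressed (Section 4); a pointer means a malformed chain.
            raise ValueError("compression pointer in AuthenticationChain")
        if n == 0:
            return ".".join(labels) + ".", off
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def encode_rr(owner, rtype, ttl, rdata, rclass=1):
    """owner | type | class | TTL | RDLENGTH | RDATA, as in RFC 1035 Section 3.2.1."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def parse_chain(chain):
    """Split an AuthenticationChain into (owner, type, class, ttl, rdata) tuples; no order is assumed."""
    rrs, off = [], 0
    while off < len(chain):
        owner, off = decode_name(chain, off)
        if off + 10 > len(chain):
            raise ValueError("truncated RR header")
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", chain[off:off + 10])
        off += 10
        if off + rdlen > len(chain):
            raise ValueError("truncated RDATA")
        rrs.append((owner, TYPE_NAMES.get(rtype, str(rtype)), rclass, ttl, chain[off:off + rdlen]))
        off += rdlen
    return rrs


def sample_chain():
    """Constructed sample, not real DNS data: a "3 1 1" TLSA RR with a zero SHA-256 field and a dummy RRSIG."""
    owner = "_443._tcp.www.example.com."
    return (encode_rr(owner, 52, 3600, bytes([3, 1, 1]) + bytes(32)) +
            encode_rr(owner, 46, 3600, bytes(40)))
```

   A real server would fill the chain from validated resolver answers
   (Section 4) and a real client would hand the parsed RRs to a DNSSEC
   validator (Section 6); this block only covers the framing.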
   In the case of a denial of existence response, the authentication
   chain MUST include all DNSSEC signed records from the trust-anchor
   zone to a proof of non-existence of either the (possibly redirected
   via aliases) TLSA records or else of an insecure delegation above or
   at the (possibly redirected) owner name of the requested TLSA RRset.

   Names that are aliased via CNAME and/or DNAME records may involve
   multiple branches of the DNS tree.  In this case, the authentication
   chain structure needs to include DS and DNSKEY record sets that cover
   all the necessary branches.

   The topmost DNSKEY RRset in the authentication chain corresponds to
   the trust anchor (typically the DNS root).  This trust anchor is also
   preconfigured in the TLS client, but including it in the response
   from the server permits TLS clients to use the automated trust anchor
   rollover mechanism defined in RFC 5011 [RFC5011] to update their
   configured trust anchor.

   The following is an example of the records in the AuthenticationChain
   structure for the HTTPS server at www.example.com, where there are
   zone cuts at "com." and "example.com." (record data are omitted here
   for brevity):

      _443._tcp.www.example.com. TLSA
      RRSIG(_443._tcp.www.example.com. TLSA)
      example.com. DNSKEY
      RRSIG(example.com. DNSKEY)
      example.com. DS
      RRSIG(example.com. DS)
      com. DNSKEY
      RRSIG(com. DNSKEY)
      com. DS
      RRSIG(com. DS)
      . DNSKEY
      RRSIG(. DNSKEY)

   The following is an example of denial of existence for a TLSA RRset
   at "_443._tcp.www.example.com".  The NSEC record in this example
   asserts the non-existence of both the requested RRset and any
   potentially relevant wildcard records.

      example.com. IN SOA
      RRSIG(example.com. SOA)
      www.example.com. IN NSEC example.com. A NSEC RRSIG
      RRSIG(www.example.com. NSEC)
      example.com. DNSKEY
      RRSIG(example.com. DNSKEY)
      example.com. DS
      RRSIG(example.com. DS)
      com. DNSKEY
      RRSIG(com. DNSKEY)
      com. DS
      RRSIG(com. DS)
      . DNSKEY
      RRSIG(. DNSKEY)

   The following is an example of (hypothetical) insecure delegation of
   "example.com" from the ".com" zone.  This example shows NSEC3 records
   with opt-out.

      com. IN SOA
      RRSIG(com. SOA)
      ; covers example.com
      onib9mgub9h0rml3cdf5bgrj59dkjhvj.com. NSEC3 (1 1 0 -
                 onib9mgub9h0rml3cdf5bgrj59dkjhvl NS DS RRSIG)
      RRSIG(onib9mgub9h0rml3cdf5bgrj59dkjhvj.com. NSEC3)
      ; covers *.com
      3rl2r262eg0n1ap5olhae7mah2ah09hi.com. NSEC3 (1 1 0 -
                 3rl2r262eg0n1ap5olhae7mah2ah09hk NS DS RRSIG)
      RRSIG(3rl2r262eg0n1ap5olhae7mah2ah09hi.com. NSEC3)
      ; closest-encloser "com"
      ck0pojmg874ljref7efn8430qvit8bsm.com. NSEC3 (1 1 0 -
                 ck0pojmg874ljref7efn8430qvit8bsm.com
                 NS SOA RRSIG DNSKEY NSEC3PARAM)
      RRSIG(ck0pojmg874ljref7efn8430qvit8bsm.com. NSEC3)
      com. DNSKEY
      RRSIG(com. DNSKEY)
      com. DS
      RRSIG(com. DS)
      . DNSKEY
      RRSIG(. DNSKEY)

3.3.1.  Authenticated Denial of Existence

   TLS servers supporting this extension that do not have a signed TLSA
   record MUST instead return a DNSSEC chain that provides authenticated
   denial of existence.  A TLS client receiving proof of authenticated
   denial of existence MUST use an alternative method to verify the TLS
   server identity or close the connection.  Such an alternative could
   be the classic WebPKI model of pre-installed root CAs.

   Authenticated denial chains include NSEC or NSEC3 records that
   demonstrate one of the following facts:

   o  The TLSA record (after any DNSSEC validated alias redirection)
      does not exist.

   o  There is no signed delegation to a DNS zone which is either an
      ancestor of, or the same as, the TLSA record name (after any
      DNSSEC validated alias redirection).
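   As an added example (not part of this draft), the following checks
   the NSEC case of Section 3.3.1 for the denial-of-existence listing in
   Section 3.3: it implements the RFC 4034 Section 6.1 canonical name
   ordering and verifies that the NSEC RRs cover both the TLSA owner
   name and the wildcard at its closest encloser.  Signature validation
   of the NSEC RRs and the DNSKEY/DS chain is assumed to have been done
   already; the NSEC inputs are constructed from the listing above, and
   the extra NSECs in the usage test are constructed to show when a
   single NSEC is not enough.

```python
def canonical_key(name):
    """RFC 4034 Section 6.1 ordering key: labels from the root, lower-cased, compared as octet strings.
    A shorter list that is a prefix of a longer one sorts first, so ancestors precede descendants."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    labels.reverse()
    return labels


def nsec_covers(owner, next_name, name):
    """True if name falls strictly between owner and next in canonical order (wrap-around at the apex)."""
    o, n, x = canonical_key(owner), canonical_key(next_name), canonical_key(name)
    if o < n:
        return o < x < n
    return x > o or x < n  # last NSEC of the zone: "next" points back to the apex


def proper_ancestors(name):
    """All proper ancestors of name, nearest first, ending with the root "."."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." if i < len(labels) else "." for i in range(1, len(labels) + 1)]


def nsec_denies_rrset(nsecs, qname, qtype="TLSA"):
    """nsecs: (owner, next, set_of_types) triples from validated NSEC RRs.
    Returns (denied, reason) for the RRset <qname, qtype>."""
    # Case 1: the owner name exists; deny only if the type bitmap lacks qtype.
    for owner, _, types in nsecs:
        if canonical_key(owner) == canonical_key(qname):
            return qtype not in types, "owner exists; %s %s in type bitmap" % (
                qtype, "absent" if qtype not in types else "present")
    # Case 2: the name itself must be covered.
    if not any(nsec_covers(o, n, qname) for o, n, _ in nsecs):
        return False, "no NSEC covers the name"
    # Every NSEC owner/next name exists, and so does every ancestor of those names.
    existing = set()
    for o, n, _ in nsecs:
        for nm in (o, n):
            key = canonical_key(nm)
            for k in range(len(key) + 1):
                existing.add(tuple(key[:k]))
    closest = next(a for a in proper_ancestors(qname) if tuple(canonical_key(a)) in existing)
    wildcard = "*." + closest if closest != "." else "*."
    # The wildcard at the closest encloser must also be shown absent (or present without qtype).
    for o, n, types in nsecs:
        if canonical_key(o) == canonical_key(wildcard):
            return qtype not in types, "wildcard %s exists; checked its type bitmap" % wildcard
        if nsec_covers(o, n, wildcard):
            return True, "name and wildcard %s both covered" % wildcard
    return False, "wildcard %s not proven absent" % wildcard


# The NSEC from the Section 3.3 denial-of-existence listing (type bitmap as shown there).
EXAMPLE_NSECS = [("www.example.com.", "example.com.", {"A", "NSEC", "RRSIG"})]
```

   Here www.example.com is the last name in the zone (its NSEC points
   back to the apex), so the same NSEC covers everything sorting after
   it: the TLSA owner, the intermediate name _tcp.www.example.com, and
   the wildcard *.www.example.com.  That is why the draft can say one
   NSEC settles both the RRset and the wildcard question.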
4.  Construction of Serialized Authentication Chains

   This section describes a possible procedure for the server to use to
   build the serialized DNSSEC chain.

   When the goal is to perform DANE authentication [RFC6698] [RFC7671]
   of the server, the DNS record set to be serialized is a TLSA record
   set corresponding to the server's domain name, protocol, and port
   number.

   The domain name of the server MUST be that included in the TLS
   server_name (SNI) extension [RFC6066].  If the server does not
   recognize the SNI name as one of its own names, but wishes to proceed
   with the handshake rather than to abort the connection, the server
   MUST NOT send a dnssec_chain extension to the client.

   The name in the client's SNI extension MUST NOT be CNAME-expanded by
   the server.  The TLSA base domain (Section 3 of [RFC6698]) SHALL be
   the hostname from the client's SNI extension and the guidance in
   Section 7 of [RFC7671] does not apply.  See Section 9 for further
   discussion.

   The TLSA record to be queried is constructed by prepending the _port
   and _transport labels to the domain name as described in [RFC6698],
   where "port" is the port number taken from the client's dnssec_chain
   extension.  The transport is "tcp" for TLS servers, and "udp" for
   DTLS servers.  The port number label is the left-most label, followed
   by the transport, followed by the server domain name (from SNI).

   The components of the authentication chain are typically built by
   starting at the target record set and its corresponding RRSIG, then
   traversing the DNS tree upwards towards the trust anchor zone
   (normally the DNS root).  For each zone cut, the DNSKEY and DS RRsets
   and their signatures are added.  However, see Section 3.3 for
   specific processing needed for aliases.  If DNS response messages
   contain any domain names utilizing name compression [RFC1035], then
   they MUST be uncompressed prior to inclusion in the chain.
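   The procedure above, as an added example that is not code from this
   draft: it derives the TLSA owner name from the SNI name and port
   without CNAME expansion, then climbs from that name to the trust
   anchor, adding DNSKEY/DS RRsets and their RRSIGs at every secure zone
   cut (detected by the presence of a validated DS RRset).  It also
   computes the earliest time at which the chain must be rebuilt, as
   Section 5 requires, from the smallest TTL and the earliest RRSIG
   expiration.  The resolver is simulated by a constructed answer table
   for the www.example.com example of Section 3.3; TTLs, expiration
   times and the "RRSIG <type>" labels are constructed, and the alias
   handling of Section 3.3 and denial-of-existence chains are
   deliberately left out.

```python
# Constructed reference time (2019-12-17T00:00:00Z) for TTL and expiry arithmetic.
NOW = 1_576_540_800

# Constructed answers of a validating resolver for the Section 3.3 example.
# "RRSIG <T>" stands for the RRSIG covering type T; "expires" is that RRSIG's
# signature expiration.  None of this is real DNS data.
ANSWERS = {
    ("_443._tcp.www.example.com.", "TLSA"): {"ttl": 3600},
    ("_443._tcp.www.example.com.", "RRSIG TLSA"): {"ttl": 3600, "expires": NOW + 5 * 86400},
    ("example.com.", "DNSKEY"): {"ttl": 7200},
    ("example.com.", "RRSIG DNSKEY"): {"ttl": 7200, "expires": NOW + 7 * 86400},
    ("example.com.", "DS"): {"ttl": 86400},
    ("example.com.", "RRSIG DS"): {"ttl": 86400, "expires": NOW + 10 * 86400},
    ("com.", "DNSKEY"): {"ttl": 86400},
    ("com.", "RRSIG DNSKEY"): {"ttl": 86400, "expires": NOW + 9 * 86400},
    ("com.", "DS"): {"ttl": 86400},
    ("com.", "RRSIG DS"): {"ttl": 86400, "expires": NOW + 10 * 86400},
    (".", "DNSKEY"): {"ttl": 172800},
    (".", "RRSIG DNSKEY"): {"ttl": 172800, "expires": NOW + 14 * 86400},
}


def lookup(owner, rtype):
    """Stand-in for a query to a DNSSEC-validating resolver."""
    return ANSWERS.get((owner, rtype))


def tlsa_owner(sni, port, transport="tcp"):
    """_port._transport prepended to the SNI name; the SNI name is never CNAME-expanded here."""
    return "_%d._%s.%s." % (port, transport, sni.rstrip("."))


def ancestors(name):
    """Yield the ancestors of name from the nearest up to the root "."."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        yield ".".join(labels[i:]) + "." if i < len(labels) else "."


def build_chain(sni, port, trust_anchor="."):
    """Return ([(owner, type), ...] in construction order, rebuild_at) for the server's TLSA RRset."""
    owner = tlsa_owner(sni, port)
    chain = []

    def add(name, rtype):
        rec = lookup(name, rtype)
        if rec is None:
            # A real server would serve a denial-of-existence chain for a missing TLSA
            # RRset and omit the extension entirely on a lookup failure (Section 3.1).
            raise LookupError("no validated %s at %s" % (rtype, name))
        chain.append((name, rtype, rec))

    add(owner, "TLSA")
    add(owner, "RRSIG TLSA")
    for zone in ancestors(owner):
        if zone == trust_anchor:
            add(zone, "DNSKEY")          # topmost DNSKEY RRset: the trust anchor itself
            add(zone, "RRSIG DNSKEY")
            break
        if lookup(zone, "DS") is None:
            continue                     # not a secure zone cut; keep climbing
        for rtype in ("DNSKEY", "RRSIG DNSKEY", "DS", "RRSIG DS"):
            add(zone, rtype)

    # Section 5: the cached chain is good only until the first TTL or signature runs out.
    ttl_deadline = min(NOW + rec["ttl"] for _, _, rec in chain)
    sig_deadline = min(rec["expires"] for _, rtype, rec in chain if rtype.startswith("RRSIG"))
    return [(name, rtype) for name, rtype, _ in chain], min(ttl_deadline, sig_deadline)
```

   With the root as trust anchor the result lists exactly the twelve
   records of the first Section 3.3 example; with "example.com." as a
   mutually configured trust anchor the chain stops at that zone's
   DNSKEY RRset and needs no DS records at all.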
   Implementations of EDNS Chain Query Requests as specified in
   [RFC7901] may offer an easier way to obtain all of the chain data in
   one transaction with an upstream DNSSEC aware recursive server.

5.  Caching and Regeneration of the Authentication Chain

   DNS records have Time To Live (TTL) parameters, and DNSSEC signatures
   have validity periods (specifically signature expiration times).
   After the TLS server constructs the serialized authentication chain,
   it SHOULD cache and reuse it in multiple TLS connection handshakes.
   However, it MUST refresh and rebuild the chain as TTLs and signature
   validity periods dictate.  A server implementation could carefully
   track these parameters and re-query component records in the chain
   correspondingly.  Alternatively, it could be configured to rebuild
   the entire chain at some predefined periodic interval that does not
   exceed the DNS TTLs or signature validity periods of the component
   records in the chain.

6.  Verification

   A TLS client performing DANE based verification might not need to use
   this extension.  For example, the TLS client could perform native DNS
   lookups and perform DANE verification without this extension.  Or it
   could fetch authentication chains via another protocol.  If the TLS
   client already possesses a valid TLSA record, it MAY omit using this
   extension.  However, if it includes this extension, it MUST use the
   TLS server reply to update the extension pinning status of the TLS
   server's extension lifetime.  See Section 7.

   A TLS client making use of this specification, and which receives a
   valid DNSSEC authentication chain extension from a server, MUST use
   this information to perform DANE authentication of the server.  In
   order to perform the validation, it uses the mechanism specified by
   the DNSSEC protocol [RFC4035] [RFC5155].  This mechanism is sometimes
   implemented in a DNSSEC validation engine or library.
   If the authentication chain validates, the client then performs DANE
   authentication of the server according to the DANE TLS protocol
   [RFC6698] [RFC7671].

   Clients MAY cache the server's validated TLSA RRset to amortize the
   cost of receiving and validating the chain over multiple connections.
   The period of such caching MUST NOT exceed the TTL associated with
   those records.  A client that possesses a validated and unexpired
   TLSA RRset or the full chain in its cache does not need to send the
   dnssec_chain extension for subsequent connections to the same TLS
   server.  It can use the cached information to perform DANE
   authentication.

   Note that when a client and server perform TLS session resumption the
   server sends no "dnssec_chain".  This is particularly clear with TLS
   1.3, where the Certificate message to which the chain might be
   attached is also not sent on resumption.

7.  Extension pinning

   TLS applications can be designed to unconditionally mandate this
   extension.  Such TLS clients requesting this extension would abort a
   connection to a TLS server that does not respond with a validatable
   extension reply.

   However, in a mixed-use deployment of WebPKI and DANE, there is the
   possibility that the security of a TLS client is downgraded from DANE
   to WebPKI.  This can happen when a TLS client connection is
   intercepted and redirected to a rogue TLS server presenting a TLS
   certificate that is considered valid from a WebPKI point of view, but
   one that does not match the legitimate server's TLSA records.  By
   omitting this extension, such a rogue TLS server could downgrade the
   TLS client to validate the mis-issued certificate using only the
   WebPKI and not via DANE, provided the TLS client is also not able to
   fetch the TLSA records directly from DNS.

   The ExtSupportLifetime element of the extension provides a
   countermeasure against such downgrade attacks.
   Its value represents the number of hours that the TLS server (or
   cluster of servers serving the same Server Name) commits to serving
   this extension in the future.  This is referred to as the "pinning
   time" or "extension pin" of the extension.  A non-zero extension pin
   value received MUST ONLY be used if the extension also contains a
   valid TLSA authentication chain that matches the server's certificate
   chain (the server passes DANE authentication based on the enclosed
   TLSA RRset).

   Any existing extension pin for the server instance (name and port)
   MUST be cleared on receipt of a valid denial of existence for the
   associated TLSA RRset.  The same also applies if the client obtained
   the denial of existence proof via another method, such as through
   direct DNS queries.  Based on the TLS client's local policy, it MAY
   then terminate the connection or MAY continue using WebPKI based
   server authentication.

   Extension pins MUST also be cleared upon the completion of a DANE
   authenticated handshake with a server that returns a dnssec_chain
   extension with a zero ExtSupportLifetime.

   Upon completion of a full validated handshake with a server that
   returns a dnssec_chain extension with a non-zero ExtSupportLifetime,
   the client MUST update any existing pin lifetime for the service
   (name and port) to a value that is no longer than that indicated by
   the server.  The client MAY, subject to local policy, create a
   previously non-existent pin, again for a lifetime that is not longer
   than that indicated by the server.  The extension support lifetime is
   not constrained by any DNS TTLs or RRSIG expirations in the returned
   chain.

   Clients MAY implement support for a subset of DANE certificate
   usages.  For example, clients may support only DANE-EE(3) and
   DANE-TA(2) ([RFC7218]), only PKIX-EE(1) and PKIX-TA(0), or all four.
   Clients that implement DANE-EE(3) and DANE-TA(2) MUST implement the
   relevant updates in [RFC7671].

   For a non-zero saved value of the ExtSupportLifetime element of the
   extension, TLS clients MUST mandate ("pin") the use of this extension
   by the corresponding TLS servers for the time period specified by the
   pinning value.  If during this time the TLS client does not have a
   valid TLSA record and connects to a TLS server using this extension
   for the associated name and port, and it does not obtain a valid
   authentication chain in this extension, it MUST either abort the
   connection or delay communication with the server via the TLS session
   until it is able to obtain valid TLSA records (or a non-existence
   proof) out of band, such as via direct DNS lookups.  If attempts to
   obtain the TLSA RRset out of band fail, the client MUST abort the TLS
   session.

   Note that requiring the extension is NOT the same as requiring the
   use of DANE TLSA records or even DNSSEC.  A DNS zone operator may at
   any time delete the TLSA records, or even remove the DS records to
   disable the secure delegation of the server's DNS zone.  The TLS
   server will, when it updates its cached TLSA authentication chain,
   replace the chain with the corresponding denial of existence chain.
   The server's only obligation is continued support for this extension.

8.  Trust Anchor Maintenance

   The trust anchor may change periodically, e.g. when the operator of
   the trust anchor zone performs a DNSSEC key rollover.  TLS clients
   using this specification MUST implement a mechanism to keep their
   trust anchors up to date.  They could use the method defined in
   [RFC5011] to perform trust anchor updates in-band in TLS, by tracking
   the introduction of new keys seen in the trust anchor DNSKEY RRset.
   However, alternative mechanisms external to TLS may also be utilized.
   Some operating systems may have a system-wide service to maintain and
   keep the root trust anchor up to date.  In such cases, the TLS client
   application could simply reference that as its trust anchor,
   periodically checking whether it has changed.  Some applications may
   prefer to implement trust anchor updates as part of their automated
   software updates.

9.  Virtual Hosting

   Delivery of application services is often provided by a third party
   on behalf of the domain owner (hosting customer).  Since the domain
   owner may want to be able to move the service between providers,
   non-zero support lifetimes for this extension should only be enabled
   by mutual agreement between the provider and domain owner.

   When CNAME records are employed to redirect network connections to
   the provider's network, the server, as mentioned in Section 4, uses
   the client's SNI hostname as the TLSA base domain without CNAME
   expansion.  When the certificate chain for the service is managed by
   the provider, it is impractical to coordinate certificate changes by
   the provider with updates in the hosting customer's DNS.  Therefore,
   the TLSA RRset for the hosted domain is best configured as a CNAME
   from the customer's domain to a TLSA RRset that is managed by the
   provider as part of delivering the hosted service.  For example:

      ; Customer DNS
      www.example.com. IN CNAME node1.provider.example.
      _443._tcp.www.example.com. IN CNAME _dane443.node1.provider.example.
      ; Provider DNS
      node1.provider.example. IN A 192.0.2.1
      _dane443.node1.provider.example. IN TLSA 1 1 1 ...

   Clients that obtain TLSA records directly from DNS, bypassing this
   extension, may however perform CNAME-expansion as in Section 7 of
   [RFC7671], and if TLSA records are associated with the fully-expanded
   name, may use that name as the TLSA base domain and SNI name for the
   TLS handshake.
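   The two client behaviours just described, run against the DNS layout
   shown above, as an added example that is not code from this draft.
   RECOMMENDED is the layout in the example (all records assumed DNSSEC
   validated, TLSA RDATA replaced by a placeholder string).  DISCOURAGED
   is a constructed alternative in which the provider instead publishes
   the TLSA RRset under the CNAME-expanded host name; it is included to
   show why the two paths then disagree.  Alias loops are treated as
   non-existence, as Section 3.3 permits.

```python
# Constructed zone snapshots: (owner, type) -> list of RDATA strings.
RECOMMENDED = {
    ("www.example.com.", "CNAME"): ["node1.provider.example."],
    ("_443._tcp.www.example.com.", "CNAME"): ["_dane443.node1.provider.example."],
    ("node1.provider.example.", "A"): ["192.0.2.1"],
    ("_dane443.node1.provider.example.", "TLSA"): ["1 1 1 <placeholder>"],
}
DISCOURAGED = {
    ("www.example.com.", "CNAME"): ["node1.provider.example."],
    ("node1.provider.example.", "A"): ["192.0.2.1"],
    ("_443._tcp.node1.provider.example.", "TLSA"): ["1 1 1 <placeholder>"],
}


def fq(name):
    return name if name.endswith(".") else name + "."


def resolve(zone, name, rtype, max_hops=8):
    """Follow CNAMEs to the final owner. Returns (final_name, rdata list or None).
    A loop, or more than max_hops aliases, is treated as non-existence (Section 3.3)."""
    name, seen = fq(name), set()
    while True:
        if name in seen or len(seen) >= max_hops:
            return name, None
        seen.add(name)
        if (name, rtype) in zone:
            return name, zone[(name, rtype)]
        cname = zone.get((name, "CNAME"))
        if not cname:
            return name, None
        name = cname[0]


def via_extension(zone, sni, port):
    """Server side (Section 4): the TLSA base domain is the SNI name itself, never CNAME-expanded.
    Returns (SNI name used, TLSA RRset or None)."""
    sni = fq(sni)
    _, tlsa = resolve(zone, "_%d._tcp.%s" % (port, sni), "TLSA")
    return sni, tlsa


def via_direct_dns(zone, hostname, port):
    """Client side with RFC 7671 Section 7 expansion: prefer TLSA records at the fully
    expanded name, which then also becomes the SNI name; otherwise use the original name."""
    hostname = fq(hostname)
    expanded, _ = resolve(zone, hostname, "A")
    if expanded != hostname:
        _, tlsa = resolve(zone, "_%d._tcp.%s" % (port, expanded), "TLSA")
        if tlsa:
            return expanded, tlsa
    _, tlsa = resolve(zone, "_%d._tcp.%s" % (port, hostname), "TLSA")
    return hostname, tlsa
```

   Under RECOMMENDED both paths end at the same TLSA RRset and send the
   same SNI name.  Under DISCOURAGED a client that expands the CNAME
   chain sends node1.provider.example as SNI, while a client using this
   extension sends www.example.com and would receive a denial of
   existence for _443._tcp.www.example.com from the server.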
   To avoid confusion, it is RECOMMENDED that server operators not
   publish TLSA RRs (_port._tcp. + base domain) based on the expanded
   CNAMEs used to locate their network addresses.  Instead, the server
   operator SHOULD publish TLSA RRs at an alternative DNS node (as in
   the example above), to which the hosting customer will publish a
   CNAME alias.  This results in all clients (whether they obtain TLSA
   records from DNS directly, or employ this extension) seeing the same
   TLSA records and sending the same SNI name.

10.  Operational Considerations

   When DANE is being introduced incrementally into an existing PKIX
   environment, there may be scenarios in which DANE authentication for
   a server fails but PKIX succeeds, or vice versa.  What happens here
   depends on TLS client policy.  If DANE authentication fails, the
   client may decide to fall back to traditional PKIX authentication.
   In order to do so efficiently within the same TLS handshake, the TLS
   server needs to have provided the full X.509 certificate chain.  When
   TLS servers only support DANE-EE or DANE-TA modes, they have the
   option to send a much smaller certificate chain: just the EE
   certificate for the former, and a short certificate chain from the
   DANE trust anchor to the EE certificate for the latter.  If the TLS
   server supports both DANE and traditional PKIX, and wants to allow
   efficient PKIX fallback within the same handshake, it should always
   provide the full X.509 certificate chain.

   When a TLS server operator wishes to no longer deploy this extension,
   it must properly decommission its use.  If a non-zero pin lifetime is
   presently advertised, it must first be changed to 0.  The extension
   can be disabled once all previously advertised pin lifetimes have
   expired.
   Removal of TLSA records or even DNSSEC signing of the zone can be
   done at any time, but the server MUST still be able to return the
   associated denial of existence proofs to any clients that have
   unexpired pins.

   TLS clients MAY reduce the received extension pin value to a maximum
   set by local policy.  This can mitigate a theoretical yet unlikely
   attack where a compromised TLS server is modified to advertise a pin
   value set to the maximum of 7 years.  Care should be taken not to set
   a local maximum that is too short, as that would reduce the downgrade
   attack protection that the extension pin offers.

   If the hosting provider intends to use end-entity TLSA records
   (certificate usage PKIX-EE(1) or DANE-EE(3)) then the simplest
   approach is to use the same key-pair for all the certificates at a
   given hosting node, and publish "1 1 1" or "3 1 1" RRs matching the
   common public key.  Since key rollover cannot be simultaneous across
   multiple certificate updates, there will be times when multiple "1 1
   1" (or "3 1 1") records will be required to match all the extant
   certificates.  Multiple TLSA records are in any case needed a few
   TTLs before certificate updates, as explained in Section 8 of
   [RFC7671].

   If the hosting provider intends to use trust-anchor TLSA records
   (certificate usage PKIX-TA(0) or DANE-TA(2)) then the same TLSA
   record can match all end-entity certificates issued by the
   certification authority in question, and continues to work across
   end-entity certificate updates, so long as the issuer certificate or
   public key remains unchanged.  This can be easier to implement, at
   the cost of greater reliance on the security of the selected
   certification authority.

   The provider can of course publish separate TLSA records for each
   customer, which increases the number of such RRsets that need to be
   managed, but makes each one independent of the rest.
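   The client-side bookkeeping that Sections 7 and 10 require of an
   extension pin, as an added example that is not code from this draft:
   pins are keyed by server name and port; a validated chain with a
   non-zero ExtSupportLifetime updates (or, subject to policy, creates)
   the pin; a zero lifetime or a validated denial of existence clears
   it; the advertised lifetime is capped by a local maximum; and a
   pinned server that sends no usable chain is either authenticated
   from out-of-band TLSA data or aborted.  The cap value and the
   "denial" marker for out-of-band input are assumptions of this
   example, not values from the draft.

```python
# Assumed local-policy cap on advertised pin lifetimes in hours (Section 10
# recommends a cap but sets no value; the 7-year figure is the attack scenario).
LOCAL_MAX_HOURS = 24 * 365


class PinStore:
    """Extension pins keyed by (server name, port); values are expiry times in Unix seconds."""

    def __init__(self, local_max_hours=LOCAL_MAX_HOURS):
        self.local_max_hours = local_max_hours
        self.pins = {}

    def is_pinned(self, name, port, now):
        expiry = self.pins.get((name, port))
        if expiry is None:
            return False
        if expiry <= now:
            del self.pins[(name, port)]  # an expired pin is simply forgotten
            return False
        return True

    def on_dane_authenticated(self, name, port, lifetime_hours, now, create=True):
        """Call only after a full handshake in which the enclosed chain validated and
        the server passed DANE authentication against the enclosed TLSA RRset (Section 7)."""
        key = (name, port)
        if lifetime_hours == 0:
            self.pins.pop(key, None)  # zero ExtSupportLifetime clears any pin
            return
        hours = min(lifetime_hours, self.local_max_hours)  # local cap (Section 10)
        if key in self.pins or create:  # existing pins MUST be updated; new ones MAY be created
            self.pins[key] = now + hours * 3600

    def on_denial_of_existence(self, name, port):
        """A validated denial of existence, in-band or obtained via direct DNS, clears the pin."""
        self.pins.pop((name, port), None)

    def decide_without_chain(self, name, port, now, out_of_band=None):
        """The server sent no usable dnssec_chain extension.
        out_of_band is None, the string "denial" (a validated denial proof obtained elsewhere),
        or a validated TLSA RRset obtained elsewhere (e.g. by direct DNS lookup).
        Returns "proceed", "authenticate_out_of_band" or "abort"."""
        if not self.is_pinned(name, port, now):
            return "proceed"  # no pin: local policy (for example WebPKI) decides
        if out_of_band is None:
            return "abort"  # pinned, and nothing to authenticate against
        if out_of_band == "denial":
            self.on_denial_of_existence(name, port)
            return "proceed"  # pin cleared; local policy decides again
        return "authenticate_out_of_band"
```

   Decommissioning (Section 10) is the server-side mirror of this
   logic: advertise lifetime 0 until every previously advertised pin has
   run out, keep serving denial-of-existence chains meanwhile, and only
   then stop sending the extension.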
11.  Security Considerations

   The security considerations of the normatively referenced RFCs all
   pertain to this extension.  Since the server is delivering a chain of
   DNS records and signatures to the client, it MUST rebuild the chain
   in accordance with TTL and signature expiration of the chain
   components as described in Section 5.  TLS clients need roughly
   accurate time in order to properly authenticate these signatures.
   This could be achieved by running a time synchronization protocol
   like NTP [RFC5905] or SNTP [RFC5905], which are already widely used
   today.  TLS clients MUST support a mechanism to track and roll over
   the trust anchor key, or be able to avail themselves of a service
   that does this, as described in Section 8.  Security considerations
   related to mandating the use of this extension are described in
   Section 7.

12.  IANA Considerations

   This document defines one new entry in the TLS ExtensionType Values
   registry:

   Value  Extension Name  TLS 1.3  Recommended  Reference
   -----  --------------  -------  -----------  ---------------
   TBD    dnssec_chain    CH       No           [this document]

                                 Figure 1

13.  Acknowledgments

   Many thanks to Adam Langley for laying the groundwork for this
   extension in [I-D.agl-dane-serializechain].  The original idea is his
   but our acknowledgment in no way implies his endorsement.  This
   document also benefited from discussions with and review from the
   following people: Daniel Kahn Gillmor, Jeff Hodges, Allison Mankin,
   Patrick McManus, Rick van Rein, Ilari Liusvaara, Eric Rescorla, Gowri
   Visweswaran, Duane Wessels, Nico Williams, and Richard Barnes.

14.  References

14.1.  Normative References

   [RFC1035]  Mockapetris, P., "Domain names - implementation and
              specification", STD 13, RFC 1035, DOI 10.17487/RFC1035,
              November 1987.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, DOI 10.17487/RFC4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, DOI 10.17487/RFC4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, DOI 10.17487/RFC4035, March 2005.

   [RFC5155]  Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
              Security (DNSSEC) Hashed Authenticated Denial of
              Existence", RFC 5155, DOI 10.17487/RFC5155, March 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008.

   [RFC6066]  Eastlake 3rd, D., "Transport Layer Security (TLS)
              Extensions: Extension Definitions", RFC 6066,
              DOI 10.17487/RFC6066, January 2011.

   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
              of Named Entities (DANE) Transport Layer Security (TLS)
              Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August
              2012.

   [RFC7218]  Gudmundsson, O., "Adding Acronyms to Simplify
              Conversations about DNS-Based Authentication of Named
              Entities (DANE)", RFC 7218, DOI 10.17487/RFC7218, April
              2014.

   [RFC7671]  Dukhovni, V. and W. Hardaker, "The DNS-Based
              Authentication of Named Entities (DANE) Protocol: Updates
              and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671,
              October 2015.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

14.2.  Informative References

   [HAMPERING]
              Gorjon, X. and W. Toorop, "Discovery method for a DNSSEC
              validating stub resolver", July 2015.

   [I-D.agl-dane-serializechain]
              Langley, A., "Serializing DNS Records with DNSSEC
              Authentication", draft-agl-dane-serializechain-01 (work in
              progress), July 2011.

   [I-D.barnes-dane-uks]
              Barnes, R., Thomson, M., and E. Rescorla, "Unknown Key-
              Share Attacks on DNS-based Authentications of Named
              Entities (DANE)", draft-barnes-dane-uks-00 (work in
              progress), October 2016.

   [RFC5011]  StJohns, M., "Automated Updates of DNS Security (DNSSEC)
              Trust Anchors", STD 74, RFC 5011, DOI 10.17487/RFC5011,
              September 2007.

   [RFC5905]  Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
              "Network Time Protocol Version 4: Protocol and Algorithms
              Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010.

   [RFC7250]  Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
              Weiler, S., and T. Kivinen, "Using Raw Public Keys in
              Transport Layer Security (TLS) and Datagram Transport
              Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
              June 2014.

   [RFC7901]  Wouters, P., "CHAIN Query Requests in DNS", RFC 7901,
              DOI 10.17487/RFC7901, June 2016.

Appendix A.  Test vectors

   The test vectors in this appendix are representations of the content
   of the "opaque AuthenticationChain" field in DNS presentation format
   and, except for the "extension_data" in Figure 2, do not contain the
   "uint16 ExtSupportLifetime" field.

   For brevity and reproducibility, all DNS zones involved with the test
   vectors are signed using keys with algorithm 13: ECDSA Curve P-256
   with SHA-256.
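   Two passages come together in the following added example: the
   wire layout of "extension_data" that Figure 2 below dumps in hex, and
   the Security Considerations requirement that the server rebuild the
   chain in step with TTLs and signature expiration while the client
   checks signature validity against roughly accurate time.  The code is
   not from the draft or any implementation of it.  Its only input is a
   copy of the first 19 lines of Figure 2 (offsets 0000 through 0120),
   so the fourth RR is deliberately cut off and the parser has to report
   that instead of misreading it.  The type-to-name table, the helper
   names and the dictionary keys returned by chain_freshness are this
   example's own choices.

```python
"""Parse the start of Figure 2's "extension_data" and derive chain freshness.
Added example, not code from the draft.  Input: the first 19 hex-dump lines
of Figure 2 (offsets 0000-0120, copied from the draft); the fourth RR is
therefore cut off and the parser must report that rather than misread it."""
import base64
import struct
from datetime import datetime, timezone

FIGURE_2_PREFIX = """\
0000: 00 00 04 5f 34 34 33 04 5f 74 63 70 03 77 77 77
0010: 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 34 00
0020: 01 00 00 0e 10 00 23 03 01 01 8b d1 da 95 27 2f
0030: 7f a4 ff b2 41 37 fc 0e d0 3a ae 67 e5 c4 d8 b3
0040: c5 07 34 e1 05 0a 79 20 b9 22 04 5f 34 34 33 04
0050: 5f 74 63 70 03 77 77 77 07 65 78 61 6d 70 6c 65
0060: 03 63 6f 6d 00 00 2e 00 01 00 00 0e 10 00 5f 00
0070: 34 0d 05 00 00 0e 10 5f c6 d9 00 5b fd da 80 07
0080: 4e 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ce 1d
0090: 3a de b7 dc 7c ee 65 6d 61 cf b4 72 c5 97 7c 8c
00a0: 9c ae ae 9b 76 51 55 c5 18 fb 10 7b 6a 1f e0 35
00b0: 5f ba af 75 3c 19 28 32 fa 62 1f a7 3a 8b 85 ed
00c0: 79 d3 74 11 73 87 59 8f cc 81 2e 1e f3 fb 07 65
00d0: 78 61 6d 70 6c 65 03 63 6f 6d 00 00 30 00 01 00
00e0: 00 0e 10 00 44 01 01 03 0d 26 70 35 5e 0c 89 4d
00f0: 9c fe a6 c5 af 6e b7 d4 58 b5 7a 50 ba 88 27 25
0100: 12 d8 24 1d 85 41 fd 54 ad f9 6e c9 56 78 9a 51
0110: ce b9 71 09 4b 3b b3 f4 ec 49 f6 4c 68 65 95 be
0120: 5b 2e 89 e8 79 9c 77 17 cc 07 65 78 61 6d 70 6c"""
TYPE_NAMES = {46: "RRSIG", 48: "DNSKEY", 52: "TLSA"}
RRSIG_HDR = "!HBBIIIH"  # type covered, alg, labels, orig TTL, expiration, inception, key tag


def hexdump_to_bytes(dump):
    return bytes.fromhex("".join(line.split(":", 1)[1] for line in dump.splitlines()))


def read_name(buf, pos):
    """Uncompressed wire-format name -> (presentation form, next offset)."""
    labels = []
    while True:
        n, pos = buf[pos], pos + 1
        if n == 0:
            return ".".join(labels) + ".", pos
        if n & 0xC0:  # the chain never uses compression pointers
            raise ValueError("compression pointer inside the chain")
        label = buf[pos:pos + n]
        if len(label) != n:
            raise IndexError("truncated label")
        labels.append(label.decode("ascii"))
        pos += n


def parse_extension_data(data):
    """-> (ExtSupportLifetime, [(name, type, ttl, rdata)...], leftover bytes).
    Any leftover other than 0 means a truncated or malformed extension."""
    (lifetime,) = struct.unpack("!H", data[:2])
    rrs, pos = [], 2
    while pos < len(data):
        start = pos
        try:
            name, p = read_name(data, pos)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[p:p + 10])
            rdata = data[p + 10:p + 10 + rdlen]
            if len(rdata) != rdlen:
                raise IndexError("truncated RDATA")
        except (IndexError, struct.error):
            return lifetime, rrs, len(data) - start
        if rclass != 1:
            raise ValueError(f"unexpected class {rclass} at offset {start}")
        rrs.append((name, rtype, ttl, rdata))
        pos = p + 10 + rdlen
    return lifetime, rrs, 0


def key_tag(dnskey_rdata):
    """RFC 4034 Appendix B key tag (printed as "Key ID" in the vectors)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(dnskey_rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def present(name, rtype, ttl, rdata):
    """Presentation-format line for the RR types that occur in the vectors."""
    if rtype == 52:
        return f"{name} {ttl} IN TLSA {rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"
    if rtype == 48:
        flags, proto, alg = struct.unpack("!HBB", rdata[:4])
        key = base64.b64encode(rdata[4:]).decode()
        return f"{name} {ttl} IN DNSKEY {flags} {proto} {alg} {key} ; Key ID = {key_tag(rdata)}"
    if rtype == 46:
        covered, alg, labels, ottl, exp, inc, tag = struct.unpack(RRSIG_HDR, rdata[:18])
        signer, _ = read_name(rdata, 18)
        ts = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%Y%m%d%H%M%S")
        return (f"{name} {ttl} IN RRSIG {TYPE_NAMES.get(covered, covered)} {alg} {labels} "
                f"{ottl} {ts(exp)} {ts(inc)} {tag} {signer}")
    raise ValueError(f"no presentation format for type {rtype}")


def chain_freshness(rrs, obtained_at):
    """Client side: the time the chain was obtained must lie inside every
    RRSIG's inception..expiration window (hence roughly accurate time).
    Server side: rebuild the chain by the earlier of the smallest TTL
    elapsing and the earliest signature expiration."""
    sigs = [struct.unpack(RRSIG_HDR, rdata[:18]) for _, t, _, rdata in rrs if t == 46]
    if not sigs:
        raise ValueError("chain carries no RRSIG")
    earliest_expiration = min(s[4] for s in sigs)
    latest_inception = max(s[5] for s in sigs)
    min_ttl = min(ttl for _, _, ttl, _ in rrs)
    return {"valid_when_obtained": latest_inception <= obtained_at <= earliest_expiration,
            "earliest_expiration": earliest_expiration,
            "rebuild_by": min(obtained_at + min_ttl, earliest_expiration)}
```

   Running parse_extension_data over the prefix yields the TLSA, its
   RRSIG and the example.com DNSKEY of A.1 with 7 unparsed trailing
   bytes; the key tag computed from the wire-format DNSKEY is the
   "Key ID = 1870" shown in A.1, and the RRSIG expiration decodes to the
   December 2, 2020 end of the validity window.  Note that the RRSIG
   signature bytes in Figure 2 differ from the base64 in A.1 (ECDSA
   signatures are randomized), while the keys are the same.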
   To reflect operational practice, different zones in the examples are
   in different phases of rolling their signing keys:

   o  All zones use a Key Signing Key (KSK) and Zone Signing Key (ZSK),
      except for the example.com and example.net zones, which use a
      Combined Signing Key (CSK).

   o  The root and org zones are rolling their ZSKs.

   o  The com and org zones are rolling their KSKs.

   The test vectors are DNSSEC valid in the same period as the
   certificate is valid, which is between November 28, 2018 and
   December 2, 2020, with the following root trust anchor:

   . IN DS ( 47005 13 2 2eb6e9f2480126691594d649a5a613de3052e37861634
       641bb568746f2ffc4d4 )

   The test vectors will authenticate the certificate used with
   https://example.com/, https://example.net/ and https://example.org/
   at the time of writing:

   -----BEGIN CERTIFICATE-----
   MIIHQDCCBiigAwIBAgIQD9B43Ujxor1NDyupa2A4/jANBgkqhkiG9w0BAQsFADBN
   MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
   aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTgxMTI4MDAwMDAwWhcN
   MjAxMjAyMTIwMDAwWjCBpTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
   aWExFDASBgNVBAcTC0xvcyBBbmdlbGVzMTwwOgYDVQQKEzNJbnRlcm5ldCBDb3Jw
   b3JhdGlvbiBmb3IgQXNzaWduZWQgTmFtZXMgYW5kIE51bWJlcnMxEzARBgNVBAsT
   ClRlY2hub2xvZ3kxGDAWBgNVBAMTD3d3dy5leGFtcGxlLm9yZzCCASIwDQYJKoZI
   hvcNAQEBBQADggEPADCCAQoCggEBANDwEnSgliByCGUZElpdStA6jGaPoCkrp9vV
   rAzPpXGSFUIVsAeSdjF11yeOTVBqddF7U14nqu3rpGA68o5FGGtFM1yFEaogEv5g
   rJ1MRY/d0w4+dw8JwoVlNMci+3QTuUKf9yH28JxEdG3J37Mfj2C3cREGkGNBnY80
   eyRJRqzy8I0LSPTTkhr3okXuzOXXg38ugr1x3SgZWDNuEaE6oGpyYJIBWZ9jF3pJ
   QnucP9vTBejMh374qvyd0QVQq3WxHrogy4nUbWw3gihMxT98wRD1oKVma1NTydvt
   hcNtBfhkp8kO64/hxLHrLWgOFT/l4tz8IWQt7mkrBHjbd2XLVPkCAwEAAaOCA8Ew
   ggO9MB8GA1UdIwQYMBaAFA+AYRyCMWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBRm
   mGIC4AmRp9njNvt2xrC/oW2nvjCBgQYDVR0RBHoweIIPd3d3LmV4YW1wbGUub3Jn
   ggtleGFtcGxlLmNvbYILZXhhbXBsZS5lZHWCC2V4YW1wbGUubmV0ggtleGFtcGxl
   Lm9yZ4IPd3d3LmV4YW1wbGUuY29tgg93d3cuZXhhbXBsZS5lZHWCD3d3dy5leGFt
   cGxlLm5ldDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
   AQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNv
   bS9zc2NhLXNoYTItZzYuY3JsMC+gLaArhilodHRwOi8vY3JsNC5kaWdpY2VydC5j
   b20vc3NjYS1zaGEyLWc2LmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgG
   CCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAEC
   AjB8BggrBgEFBQcBAQRwMG4wJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2lj
   ZXJ0LmNvbTBGBggrBgEFBQcwAoY6aHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29t
   L0RpZ2lDZXJ0U0hBMlNlY3VyZVNlcnZlckNBLmNydDAMBgNVHRMBAf8EAjAAMIIB
   fwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdwCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb
   37jjd80OyA3cEAAAAWdcMZVGAAAEAwBIMEYCIQCEZIG3IR36Gkj1dq5L6EaGVycX
   sHvpO7dKV0JsooTEbAIhALuTtf4wxGTkFkx8blhTV+7sf6pFT78ORo7+cP39jkJC
   AHYAh3W/51l8+IxDmV+9827/Vo1HVjb/SrVgwbTq/16ggw8AAAFnXDGWFQAABAMA
   RzBFAiBvqnfSHKeUwGMtLrOG3UGLQIoaL3+uZsGTX3MfSJNQEQIhANL5nUiGBR6g
   l0QlCzzqzvorGXyB/yd7nttYttzo8EpOAHYAb1N2rDHwMRnYmQCkURX/dxUcEdkC
   wQApBo2yCJo32RMAAAFnXDGWnAAABAMARzBFAiEA5Hn7Q4SOyqHkT+kDsHq7ku7z
   RDuM7P4UDX2ft2Mpny0CIE13WtxJAUr0aASFYZ/XjSAMMfrB0/RxClvWVss9LHKM
   MA0GCSqGSIb3DQEBCwUAA4IBAQBzcIXvQEGnakPVeJx7VUjmvGuZhrr7DQOLeP4R
   8CmgDM1pFAvGBHiyzvCH1QGdxFl6cf7wbp7BoLCRLR/qPVXFMwUMzcE1GLBqaGZM
   v1Yh2lvZSLmMNSGRXdx113pGLCInpm/TOhfrvr0TxRImc8BdozWJavsn1N2qdHQu
   N+UBO6bQMLCD0KHEdSGFsuX6ZwAworxTg02/1qiDu7zW7RyzHvFYA4IAjpzvkPIa
   X6KjBtpdvp/aXabmL95YgBjT8WJ7pqOfrqhpcmOBZa6Cg6O1l4qbIFH/Gj9hQB5I
   0Gs4+eH6F9h3SojmPTYkT+8KuZ9w84Mn+M8qBXUQoYoKgIjN
   -----END CERTIFICATE-----

A.1.  _443._tcp.www.example.com

   _443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1
       8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b
       922 )
   _443._tcp.www.example.com. 3600 IN RRSIG ( TLSA 13 5 3600
       20201202000000 20181128000000 1870 example.com.
       rqY69NnTf4CN3GBGQjKEJCLAMsRkUrXe0JW8IqDb5rQHHzxNqqPeEoi+2vI6S
       z2BhaswpGLVVuoijuVdzxYjmw== )
   example.com. 3600 IN DNSKEY ( 257 3 13
       JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s
       /TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870
   example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600
       20201202000000 20181128000000 1870 example.com.
       nYisnu/26Sw1qmGuREa9o/fLgYuA4oNPt4+6PMBZoN0MS8Gjtli9NVRYeSIzt
       QHPGSpvRxTUC4tZi62z1UgGDw== )
   example.com. 172800 IN DS ( 1870 13 2 e9b533a049798e900b5c29c90cd
       25a986e8a44f319ac3cd302bafc08f5b81e16 )
   example.com. 172800 IN RRSIG ( DS 13 2 172800
       20201202000000 20181128000000 34327 com.
       sEAKvX4H6pJfN8nKcclB1NRcRSPOztx8omr4fCSHu6lp+uESP/Le4iF2sKukO
       J1hhWSB6jgubEVl17rGNOA/YQ== )
   com. 172800 IN DNSKEY ( 256 3 13
       7IIE5Dol8jSMUqHTvOOiZapdEbQ9wqRxFi/zQcSdufUKLhpByvLpzSAQTqCWj
       3URIZ8L3Fa2gBLMOZUzZ1GQCw== ) ; Key ID = 34327
   com. 172800 IN DNSKEY ( 257 3 13
       RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f
       Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931
   com. 172800 IN DNSKEY ( 257 3 13
       szc7biLo5J4OHlkan1vZrF4aD4YYf+NHA/GAqdNslY9xxK9Izg68XHkqck4Rt
       DiVk37lNAQmgSlHbrGu0yOTkA== ) ; Key ID = 28809
   com. 172800 IN RRSIG ( DNSKEY 13 1 172800 20201202000000
       20181128000000 18931 com.
       LJ4p5ORS2ViILwTotSlWixElqRXHY5tOdIuHlPWTdBGPMq3y40QNr1V+ZOyA5
       7LFdPKpcvb8BvhM+GqKWGBEsg== )
   com. 172800 IN RRSIG ( DNSKEY 13 1 172800 20201202000000
       20181128000000 28809 com.
       sO+4X2N21yS6x8+dBVBzbRo9+55MM8n7+RUvdBuxRFVh6JaBlqDOC5LLkl7Ev
       mDXqz6KEhhQjT+aQWDt6WFHlA== )
   com. 86400 IN DS ( 18931 13 2 20f7a9db42d0e2042fbbb9f9ea015941202
       f9eabb94487e658c188e7bcb52115 )
   com. 86400 IN DS ( 28809 13 2 ad66b3276f796223aa45eda773e92c6d98e
       70643bbde681db342a9e5cf2bb380 )
   com. 86400 IN RRSIG ( DS 13 1 86400 20201202000000
       20181128000000 31918 .
       nDiDlBjXEE/6AudhC++Hui1ckPcuAnGbjEASNoxA3ZHjlXRzL050UzePko5Pb
       vBKTf6pk8JRCqnfzlo2QY+WXA== )
   . 86400 IN DNSKEY ( 256 3 13
       zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW
       P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918
   . 86400 IN DNSKEY ( 256 3 13
       8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
       xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
   . 86400 IN DNSKEY ( 257 3 13
       yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
       Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
   . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
       20181128000000 47005 .
       0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
       nBT1dtNjIczvLG9pQTnOKUsHQ== )

   A hex dump of the "extension_data" of the server's "dnssec_chain"
   extension representing this with an ExtSupportLifetime value of 0 is:

   0000: 00 00 04 5f 34 34 33 04 5f 74 63 70 03 77 77 77
   0010: 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 34 00
   0020: 01 00 00 0e 10 00 23 03 01 01 8b d1 da 95 27 2f
   0030: 7f a4 ff b2 41 37 fc 0e d0 3a ae 67 e5 c4 d8 b3
   0040: c5 07 34 e1 05 0a 79 20 b9 22 04 5f 34 34 33 04
   0050: 5f 74 63 70 03 77 77 77 07 65 78 61 6d 70 6c 65
   0060: 03 63 6f 6d 00 00 2e 00 01 00 00 0e 10 00 5f 00
   0070: 34 0d 05 00 00 0e 10 5f c6 d9 00 5b fd da 80 07
   0080: 4e 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ce 1d
   0090: 3a de b7 dc 7c ee 65 6d 61 cf b4 72 c5 97 7c 8c
   00a0: 9c ae ae 9b 76 51 55 c5 18 fb 10 7b 6a 1f e0 35
   00b0: 5f ba af 75 3c 19 28 32 fa 62 1f a7 3a 8b 85 ed
   00c0: 79 d3 74 11 73 87 59 8f cc 81 2e 1e f3 fb 07 65
   00d0: 78 61 6d 70 6c 65 03 63 6f 6d 00 00 30 00 01 00
   00e0: 00 0e 10 00 44 01 01 03 0d 26 70 35 5e 0c 89 4d
   00f0: 9c fe a6 c5 af 6e b7 d4 58 b5 7a 50 ba 88 27 25
   0100: 12 d8 24 1d 85 41 fd 54 ad f9 6e c9 56 78 9a 51
   0110: ce b9 71 09 4b 3b b3 f4 ec 49 f6 4c 68 65 95 be
   0120: 5b 2e 89 e8 79 9c 77 17 cc 07 65 78 61 6d 70 6c
   0130: 65 03 63 6f 6d 00 00 2e 00 01 00 00 0e 10 00 5f
   0140: 00 30 0d 02 00 00 0e 10 5f c6 d9 00 5b fd da 80
   0150: 07 4e 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 46
   0160: 28 38 30 75 b8 e3 4b 74 3a 20 9b 27 ae 14 8d 11
   0170: 0d 4e 1a 24 61 38 a9 10 83 24 9c b4 a1 2a 2d 9b
   0180: c4 c2 d7 ab 5e b3 af b9 f5 d1 03 7e 4d 5d a8 33
   0190: 9c 16 2a 92 98 e9 be 18 07 41 a8 ca 74 ac cc 07
   01a0: 65 78 61 6d 70 6c 65 03 63 6f 6d 00 00 2b 00 01
   01b0: 00 02 a3 00 00 24 07 4e 0d 02 e9 b5 33 a0 49 79
   01c0: 8e 90 0b 5c 29 c9 0c d2 5a 98 6e 8a 44 f3 19 ac
   01d0: 3c d3 02 ba fc 08 f5 b8 1e 16 07 65 78 61 6d 70
   01e0: 6c 65 03 63 6f 6d 00 00 2e 00 01 00 02 a3 00 00
   01f0: 57 00 2b 0d 02 00 02 a3 00 5f c6 d9 00 5b fd da
   0200: 80 86 17 03 63 6f 6d 00 a2 03 e7 04 a6 fa cb eb
   0210: 13 fc 93 84 fd d6 de 6b 50 de 56 59 27 1f 38 ce
   0220: 81 49 86 84 e6 36 31 72 d4 7e 23 19 fd b4 a2 2a
   0230: 58 a2 31 ed c2 f1 ff 4f b2 81 1a 18 07 be 72 cb
   0240: 52 41 aa 26 fd ae e0 39 03 63 6f 6d 00 00 30 00
   0250: 01 00 02 a3 00 00 44 01 00 03 0d ec 82 04 e4 3a
   0260: 25 f2 34 8c 52 a1 d3 bc e3 a2 65 aa 5d 11 b4 3d
   0270: c2 a4 71 16 2f f3 41 c4 9d b9 f5 0a 2e 1a 41 ca
   0280: f2 e9 cd 20 10 4e a0 96 8f 75 11 21 9f 0b dc 56
   0290: b6 80 12 cc 39 95 33 67 51 90 0b 03 63 6f 6d 00
   02a0: 00 30 00 01 00 02 a3 00 00 44 01 01 03 0d 45 b9
   02b0: 1c 3b ef 7a 5d 99 a7 a7 c8 d8 22 e3 38 96 bc 80
   02c0: a7 77 a0 42 34 a6 05 a4 a8 88 0e c7 ef a4 e6 d1
   02d0: 12 c7 3c d3 d4 c6 55 64 fa 74 34 7c 87 37 23 cc
   02e0: 5f 64 33 70 f1 66 b4 3d ed ff 83 64 00 ff 03 63
   02f0: 6f 6d 00 00 30 00 01 00 02 a3 00 00 44 01 01 03
   0300: 0d b3 37 3b 6e 22 e8 e4 9e 0e 1e 59 1a 9f 5b d9
   0310: ac 5e 1a 0f 86 18 7f e3 47 03 f1 80 a9 d3 6c 95
   0320: 8f 71 c4 af 48 ce 0e bc 5c 79 2a 72 4e 11 b4 38
   0330: 95 93 7e e5 34 04 26 81 29 47 6e b1 ae d3 23 93
   0340: 90 03 63 6f 6d 00 00 2e 00 01 00 02 a3 00 00 57
   0350: 00 30 0d 01 00 02 a3 00 5f c6 d9 00 5b fd da 80
   0360: 49 f3 03 63 6f 6d 00 18 a9 48 eb 23 d4 4f 80 ab
   0370: c9 92 38 fc b4 3c 5a 18 de be 57 00 4f 73 43 59
   0380: 3f 6d eb 6e d7 1e 04 65 4a 43 3f 7a a1 97 21 30
   0390: d9 bd 92 1c 73 dc f6 3f cf 66 5f 2f 05 a0 aa eb
   03a0: af b0 59 dc 12 c9 65 03 63 6f 6d 00 00 2e 00 01
   03b0: 00 02 a3 00 00 57 00 30 0d 01 00 02 a3 00 5f c6
   03c0: d9 00 5b fd da 80 70 89 03 63 6f 6d 00 61 70 e6
   03d0: 95 9b d9 ed 6e 57 58 37 b6 f5 80 bd 99 db d2 4a
   03e0: 44 68 2b 0a 35 96 26 a2 46 b1 81 2f 5f 90 96 b7
   03f0: 5e 15 7e 77 84 8f 06 8a e0 08 5e 1a 60 9f c1 92
   0400: 98 c3 3b 73 68 63 fb cc d4 d8 1f 5e b2 03 63 6f
   0410: 6d 00 00 2b 00 01 00 01 51 80 00 24 49 f3 0d 02
   0420: 20 f7 a9 db 42 d0 e2 04 2f bb b9 f9 ea 01 59 41
   0430: 20 2f 9e ab b9 44 87 e6 58 c1 88 e7 bc b5 21 15
   0440: 03 63 6f 6d 00 00 2b 00 01 00 01 51 80 00 24 70
   0450: 89 0d 02 ad 66 b3 27 6f 79 62 23 aa 45 ed a7 73
   0460: e9 2c 6d 98 e7 06 43 bb de 68 1d b3 42 a9 e5 cf
   0470: 2b b3 80 03 63 6f 6d 00 00 2e 00 01 00 01 51 80
   0480: 00 53 00 2b 0d 01 00 01 51 80 5f c6 d9 00 5b fd
   0490: da 80 7c ae 00 12 2e 27 6d 45 d9 e9 81 6f 79 22
   04a0: ad 6e a2 e7 3e 82 d2 6f ce 0a 4b 71 86 25 f3 14
   04b0: 53 1a c9 2f 8a e8 24 18 df 9b 89 8f 98 9d 32 e8
   04c0: 0b c4 de ab a7 c4 a7 c8 f1 72 ad b5 7c ed 7f b5
   04d0: e7 7a 78 4b 07 00 00 30 00 01 00 01 51 80 00 44
   04e0: 01 00 03 0d cc ac fe 0c 25 a4 34 0f ef ba 17 a2
   04f0: 54 f7 06 aa c1 f8 d1 4f 38 29 90 25 ac c4 48 ca
   0500: 8c e3 f5 61 f3 7f c3 ec 16 9f e8 47 c8 fc be 68
   0510: e3 58 ff 7c 71 bb 5e e1 df 0d be 51 8b c7 36 d4
   0520: ce 8d fe 14 00 00 30 00 01 00 01 51 80 00 44 01
   0530: 00 03 0d f3 03 19 67 89 73 1d dc 8a 67 87 ef f2
   0540: 4c ac fe dd d0 32 58 2f 11 a7 5b b1 bc aa 5a b3
   0550: 21 c1 d7 52 5c 26 58 19 1a ec 01 b3 e9 8a b7 91
   0560: 5b 16 d5 71 dd 55 b4 ea e5 14 17 11 0c c4 cd d1
   0570: 1d 17 11 00 00 30 00 01 00 01 51 80 00 44 01 01
   0580: 03 0d ca f5 fe 54 d4 d4 8f 16 62 1a fb 6b d3 ad
   0590: 21 55 ba cf 57 d1 fa ad 5b ac 42 d1 7d 94 8c 42
   05a0: 17 36 d9 38 9c 4c 40 11 66 6e a9 5c f1 77 25 bd
   05b0: 0f a0 0c e5 e7 14 e4 ec 82 cf df ac c9 b1 c8 63
   05c0: ad 46 00 00 2e 00 01 00 01 51 80 00 53 00 30 0d
   05d0: 00 00 01 51 80 5f c6 d9 00 5b fd da 80 b7 9d 00
   05e0: de 7a 67 40 ee ec ba 4b da 1e 5c 2d d4 89 9b 2c
   05f0: 96 58 93 f3 78 6c e7 47 f4 1e 50 d9 de 8c 0a 72
   0600: df 82 56 0d fb 48 d7 14 de 32 83 ae 99 a4 9c 0f
   0610: cb 50 d3 aa ad b1 a3 fc 62 ee 3a 8a 09 88 b6 be

                                 Figure 2

A.2.  _25._tcp.example.com NSEC wildcard

   _25._tcp.example.com. 3600 IN TLSA ( 3 1 1
       8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b
       922 )
   _25._tcp.example.com. 3600 IN RRSIG ( TLSA 13 3 3600
       20201202000000 20181128000000 1870 example.com.
       BZawXvte5SyF8hnXviKDWqll5E2v+RMXqaSE+NOcAMlZOrSMUkfyPqvkv53K2
       rfL4DFP8rO3VMgI0v+ogrox0w== )
   *._tcp.example.com. 3600 IN NSEC ( smtp.example.com. RRSIG
       NSEC TLSA )
   *._tcp.example.com. 3600 IN RRSIG ( NSEC 13 3 3600
       20201202000000 20181128000000 1870 example.com.
       K6u8KrR8ca5bjtbce3w8yjMXr9vw12225lAwyIHpxptY43OMLCUCenwpYW5qd
       mpFvAacqj4+tSkKiN279SI9pA== )
   example.com. 3600 IN DNSKEY ( 257 3 13
       JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s
       /TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870
   example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600
       20201202000000 20181128000000 1870 example.com.
       nYisnu/26Sw1qmGuREa9o/fLgYuA4oNPt4+6PMBZoN0MS8Gjtli9NVRYeSIzt
       QHPGSpvRxTUC4tZi62z1UgGDw== )
   example.com. 172800 IN DS ( 1870 13 2 e9b533a049798e900b5c29c90cd
       25a986e8a44f319ac3cd302bafc08f5b81e16 )
   example.com. 172800 IN RRSIG ( DS 13 2 172800
       20201202000000 20181128000000 34327 com.
       sEAKvX4H6pJfN8nKcclB1NRcRSPOztx8omr4fCSHu6lp+uESP/Le4iF2sKukO
       J1hhWSB6jgubEVl17rGNOA/YQ== )
   com.
172800 IN DNSKEY ( 256 3 13 1035 7IIE5Dol8jSMUqHTvOOiZapdEbQ9wqRxFi/zQcSdufUKLhpByvLpzSAQTqCWj 1036 3URIZ8L3Fa2gBLMOZUzZ1GQCw== ) ; Key ID = 34327 1037 com. 172800 IN DNSKEY ( 257 3 13 1038 RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f 1039 Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931 1040 com. 172800 IN DNSKEY ( 257 3 13 1041 szc7biLo5J4OHlkan1vZrF4aD4YYf+NHA/GAqdNslY9xxK9Izg68XHkqck4Rt 1042 DiVk37lNAQmgSlHbrGu0yOTkA== ) ; Key ID = 28809 1043 com. 172800 IN RRSIG ( DNSKEY 13 1 172800 20201202000000 1044 20181128000000 18931 com. 1045 LJ4p5ORS2ViILwTotSlWixElqRXHY5tOdIuHlPWTdBGPMq3y40QNr1V+ZOyA5 1046 7LFdPKpcvb8BvhM+GqKWGBEsg== ) 1047 com. 172800 IN RRSIG ( DNSKEY 13 1 172800 20201202000000 1048 20181128000000 28809 com. 1049 sO+4X2N21yS6x8+dBVBzbRo9+55MM8n7+RUvdBuxRFVh6JaBlqDOC5LLkl7Ev 1050 mDXqz6KEhhQjT+aQWDt6WFHlA== ) 1051 com. 86400 IN DS ( 18931 13 2 20f7a9db42d0e2042fbbb9f9ea015941202 1052 f9eabb94487e658c188e7bcb52115 ) 1053 com. 86400 IN DS ( 28809 13 2 ad66b3276f796223aa45eda773e92c6d98e 1054 70643bbde681db342a9e5cf2bb380 ) 1055 com. 86400 IN RRSIG ( DS 13 1 86400 20201202000000 1056 20181128000000 31918 . 1057 nDiDlBjXEE/6AudhC++Hui1ckPcuAnGbjEASNoxA3ZHjlXRzL050UzePko5Pb 1058 vBKTf6pk8JRCqnfzlo2QY+WXA== ) 1059 . 86400 IN DNSKEY ( 256 3 13 1060 zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW 1061 P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918 1062 . 86400 IN DNSKEY ( 256 3 13 1063 8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW 1064 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 1065 . 86400 IN DNSKEY ( 257 3 13 1066 yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv 1067 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 1068 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 1069 20181128000000 47005 . 1070 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 1071 nBT1dtNjIczvLG9pQTnOKUsHQ== ) 1073 A.3. _25._tcp.example.org NSEC3 wildcard 1075 _25._tcp.example.org. 
3600 IN TLSA ( 3 1 1 1076 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b 1077 922 ) 1078 _25._tcp.example.org. 3600 IN RRSIG ( TLSA 13 3 3600 1079 20201202000000 20181128000000 56566 example.org. 1080 lNp6th/CJel5WsYlLsLadcQ/YdSTJAIOttzYKnNkNzeZ0jxtDyEP818Q1R4lL 1081 cYzJ7vCvqb9gFCiCJjK2gAamw== ) 1082 dlm7rss9pejqnh0ev6h7k1ikqqcl5mae.example.org. 3600 IN NSEC3 ( 1083 1 0 1 - t6lf7uuoi0qofq0nvdjroavo46pp20im RRSIG TLSA ) 1084 dlm7rss9pejqnh0ev6h7k1ikqqcl5mae.example.org. 3600 IN RRSIG ( 1085 NSEC3 13 3 3600 20201202000000 20181128000000 56566 1086 example.org. 1088 guUyy9LIZlYb0FZttAdYJGrFNKpKu91Tm+dPOz98rnpwIlwwvLifXIvIl90nE 1089 X38cWzEQOpreJu3t4WAfPsxdg== ) 1090 example.org. 3600 IN DNSKEY ( 256 3 13 1091 NrbL6utGqIW1wrhhjeexdA6bMdD1lC1hj0Fnpevaa1AMyY2uy83TmoGnR996N 1092 UR5TlG4Zh+YPbbmUIixe4nS3w== ) ; Key ID = 56566 1093 example.org. 3600 IN DNSKEY ( 257 3 13 1094 uspaqp17jsMTX6AWVgmbog/3Sttz+9ANFUWLn6qKUHr0BOqRuChQWj8jyYUUr 1095 Wy9txxesNQ9MkO4LUrFght1LQ== ) ; Key ID = 44384 1096 example.org. 3600 IN RRSIG ( DNSKEY 13 2 3600 1097 20201202000000 20181128000000 44384 example.org. 1098 ttse9pYp9PSu0pJ+TOpIVFLWJ6NKOMWZX4Q/SlU6ZfaiKQc0Bg7Tut9+wPunk 1099 6OPPvyHjVXMAsvk0tqV0B+/ag== ) 1100 example.org. 86400 IN DS ( 44384 13 2 ec307e2efc8f0117ed96ab48a51 1101 3c8003e1d9121f1ff11a08b4cdd348d090aa6 ) 1102 example.org. 86400 IN RRSIG ( DS 13 2 86400 20201202000000 1103 20181128000000 9523 org. 1104 m86Xz0CEa2sWG40a0bS2kqLKPmIlyiVyDeoWXAq3djeGiPaikLuKORNzWXu62 1105 clpAfvZHx59Ackst4X+zXYpUA== ) 1106 org. 86400 IN DNSKEY ( 256 3 13 1107 fuLp60znhSSEr9HowILpTpyLKQdM6ixcgkTE0gqVdsLx+DSNHSc69o6fLWC0e 1108 HfWx7kzlBBoJB0vLrvsJtXJ6g== ) ; Key ID = 47417 1109 org. 86400 IN DNSKEY ( 256 3 13 1110 zTHbb7JM627Bjr8CGOySUarsic91xZU3vvLJ5RjVix9YH6+iwpBXb6qfHyQHy 1111 mlMiAAoaoXh7BUkEBVgDVN8sQ== ) ; Key ID = 9523 1112 org. 
86400 IN DNSKEY ( 257 3 13 1113 Uf24EyNt51DMcLV+dHPInhSpmjPnqAQNUTouU+SGLu+lFRRlBetgw1bJUZNI6 1114 Dlger0VJTm0QuX/JVXcyGVGoQ== ) ; Key ID = 49352 1115 org. 86400 IN DNSKEY ( 257 3 13 1116 0SZfoe8Yx+eoaGgyAGEeJax/ZBV1AuG+/smcOgRm+F6doNlgc3lddcM1MbTvJ 1117 HTjK6Fvy8W6yZ+cAptn8sQheg== ) ; Key ID = 12651 1118 org. 86400 IN RRSIG ( DNSKEY 13 1 86400 20201202000000 1119 20181128000000 12651 org. 1120 Gq9wf+z3pasXXUwE210jYc0LhJnMAhcwXydnvkHtCVY6/0jUafHO4RksN84Zt 1121 us0pUgWngbT/OWXskdMYXZU4A== ) 1122 org. 86400 IN RRSIG ( DNSKEY 13 1 86400 20201202000000 1123 20181128000000 49352 org. 1124 VGEkEMWBJ2IbOpm2Z56Qxu2NGPcVUDWCbYRyk+Qk1+HzGtyd2qPEKkpgMs/0p 1125 vZEMj1YXD+dIqb2nUK9PGBAXw== ) 1126 org. 86400 IN DS ( 12651 13 2 3979a51f98bbf219fcaf4a4176e766dfa8f 1127 9db5c24a75743eb1e704b97a9fabc ) 1128 org. 86400 IN DS ( 49352 13 2 03d11a1aa114abbb8f708c3c0ff0db765fe 1129 f4a2f18920db5f58710dd767c293b ) 1130 org. 86400 IN RRSIG ( DS 13 1 86400 20201202000000 1131 20181128000000 31918 . 1132 adiFuP2UIulQw5Edsb/7WSPqr5nkRSTVXbZ2tkBeZRQcMjdCD3pyonWO5JPRV 1133 EemgaE357S4pX5D0tVZzeZJ6A== ) 1134 . 86400 IN DNSKEY ( 256 3 13 1135 zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW 1136 P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918 1137 . 86400 IN DNSKEY ( 256 3 13 1138 8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW 1139 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 1140 . 86400 IN DNSKEY ( 257 3 13 1141 yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv 1142 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 1143 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 1144 20181128000000 47005 . 1145 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 1146 nBT1dtNjIczvLG9pQTnOKUsHQ== ) 1148 A.4. _443._tcp.www.example.org CNAME 1150 _443._tcp.www.example.org. 3600 IN CNAME ( 1151 dane311.example.org. ) 1152 _443._tcp.www.example.org. 3600 IN RRSIG ( CNAME 13 5 3600 1153 20201202000000 20181128000000 56566 example.org. 
1154 R0dUe6Rt4G+2ablrQH9Zw8j9NhBLMgNYTI5+H7nO8SNz5Nm8w0NZrXv3Qp7gx 1155 Qb/a90O696120NsYaZX2+ebBA== ) 1156 dane311.example.org. 3600 IN TLSA ( 3 1 1 1157 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b 1158 922 ) 1159 dane311.example.org. 3600 IN RRSIG ( TLSA 13 3 3600 1160 20201202000000 20181128000000 56566 example.org. 1161 f6TbTZTpu3h6MYpLkKQwWILAkYQ3EUY+Nsoa6any6yt+aeuunMUjw+IJB2QLm 1162 0x0PrD7m39JA3NUSkUp9riNNQ== ) 1163 example.org. 3600 IN DNSKEY ( 256 3 13 1164 NrbL6utGqIW1wrhhjeexdA6bMdD1lC1hj0Fnpevaa1AMyY2uy83TmoGnR996N 1165 UR5TlG4Zh+YPbbmUIixe4nS3w== ) ; Key ID = 56566 1166 example.org. 3600 IN DNSKEY ( 257 3 13 1167 uspaqp17jsMTX6AWVgmbog/3Sttz+9ANFUWLn6qKUHr0BOqRuChQWj8jyYUUr 1168 Wy9txxesNQ9MkO4LUrFght1LQ== ) ; Key ID = 44384 1169 example.org. 3600 IN RRSIG ( DNSKEY 13 2 3600 1170 20201202000000 20181128000000 44384 example.org. 1171 ttse9pYp9PSu0pJ+TOpIVFLWJ6NKOMWZX4Q/SlU6ZfaiKQc0Bg7Tut9+wPunk 1172 6OPPvyHjVXMAsvk0tqV0B+/ag== ) 1173 example.org. 86400 IN DS ( 44384 13 2 ec307e2efc8f0117ed96ab48a51 1174 3c8003e1d9121f1ff11a08b4cdd348d090aa6 ) 1175 example.org. 86400 IN RRSIG ( DS 13 2 86400 20201202000000 1176 20181128000000 9523 org. 1177 m86Xz0CEa2sWG40a0bS2kqLKPmIlyiVyDeoWXAq3djeGiPaikLuKORNzWXu62 1178 clpAfvZHx59Ackst4X+zXYpUA== ) 1179 org. 86400 IN DNSKEY ( 256 3 13 1180 fuLp60znhSSEr9HowILpTpyLKQdM6ixcgkTE0gqVdsLx+DSNHSc69o6fLWC0e 1181 HfWx7kzlBBoJB0vLrvsJtXJ6g== ) ; Key ID = 47417 1182 org. 86400 IN DNSKEY ( 256 3 13 1183 zTHbb7JM627Bjr8CGOySUarsic91xZU3vvLJ5RjVix9YH6+iwpBXb6qfHyQHy 1184 mlMiAAoaoXh7BUkEBVgDVN8sQ== ) ; Key ID = 9523 1185 org. 86400 IN DNSKEY ( 257 3 13 1186 Uf24EyNt51DMcLV+dHPInhSpmjPnqAQNUTouU+SGLu+lFRRlBetgw1bJUZNI6 1187 Dlger0VJTm0QuX/JVXcyGVGoQ== ) ; Key ID = 49352 1188 org. 86400 IN DNSKEY ( 257 3 13 1189 0SZfoe8Yx+eoaGgyAGEeJax/ZBV1AuG+/smcOgRm+F6doNlgc3lddcM1MbTvJ 1190 HTjK6Fvy8W6yZ+cAptn8sQheg== ) ; Key ID = 12651 1191 org. 86400 IN RRSIG ( DNSKEY 13 1 86400 20201202000000 1192 20181128000000 12651 org. 
1193 Gq9wf+z3pasXXUwE210jYc0LhJnMAhcwXydnvkHtCVY6/0jUafHO4RksN84Zt 1194 us0pUgWngbT/OWXskdMYXZU4A== ) 1195 org. 86400 IN RRSIG ( DNSKEY 13 1 86400 20201202000000 1196 20181128000000 49352 org. 1197 VGEkEMWBJ2IbOpm2Z56Qxu2NGPcVUDWCbYRyk+Qk1+HzGtyd2qPEKkpgMs/0p 1198 vZEMj1YXD+dIqb2nUK9PGBAXw== ) 1199 org. 86400 IN DS ( 12651 13 2 3979a51f98bbf219fcaf4a4176e766dfa8f 1200 9db5c24a75743eb1e704b97a9fabc ) 1201 org. 86400 IN DS ( 49352 13 2 03d11a1aa114abbb8f708c3c0ff0db765fe 1202 f4a2f18920db5f58710dd767c293b ) 1203 org. 86400 IN RRSIG ( DS 13 1 86400 20201202000000 1204 20181128000000 31918 . 1205 adiFuP2UIulQw5Edsb/7WSPqr5nkRSTVXbZ2tkBeZRQcMjdCD3pyonWO5JPRV 1206 EemgaE357S4pX5D0tVZzeZJ6A== ) 1207 . 86400 IN DNSKEY ( 256 3 13 1208 zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW 1209 P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918 1210 . 86400 IN DNSKEY ( 256 3 13 1211 8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW 1212 xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635 1213 . 86400 IN DNSKEY ( 257 3 13 1214 yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv 1215 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 1216 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000 1217 20181128000000 47005 . 1218 0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m 1219 nBT1dtNjIczvLG9pQTnOKUsHQ== ) 1221 A.5. _443._tcp.www.example.net DNAME 1223 example.net. 3600 IN DNAME example.com. 1224 example.net. 3600 IN RRSIG ( DNAME 13 2 3600 20201202000000 1225 20181128000000 48085 example.net. 1226 o3uV5k5Ewp5fdrOZt0n4QuH+/Hpku2Lo3CzGRt9/MS2zZt2Qb/AXz435UFQBx 1227 OI/pDnjJcLSd/gBLtqR52WLMA== ) 1228 ; _443._tcp.www.example.net. 3600 IN CNAME ( 1229 ; _443._tcp.www.example.com. ) 1230 _443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1 1231 8bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b 1232 922 ) 1233 _443._tcp.www.example.com. 3600 IN RRSIG ( TLSA 13 5 3600 1234 20201202000000 20181128000000 1870 example.com. 
       rqY69NnTf4CN3GBGQjKEJCLAMsRkUrXe0JW8IqDb5rQHHzxNqqPeEoi+2vI6S
       z2BhaswpGLVVuoijuVdzxYjmw== )
   example.net. 3600 IN DNSKEY ( 257 3 13
       X9GHpJcS7bqKVEsLiVAbddHUHTZqqBbVa3mzIQmdp+5cTJk7qDazwH68Kts8d
       9MvN55HddWgsmeRhgzePz6hMg== ) ; Key ID = 48085
   example.net. 3600 IN RRSIG ( DNSKEY 13 2 3600
       20201202000000 20181128000000 48085 example.net.
       CkwqgEt1p97oMa3w5LctIjKIuG5XVSapKrfwuHhb5p04fWXRMNsXasG/kd2F/
       wlmMWiq38gOQaYCLNm+cjQzpQ== )
   example.net. 172800 IN DS ( 48085 13 2 7c1998ce683df60e2fa41460c4
       53f88f463dac8cd5d074277b4a7c04502921be )
   example.net. 172800 IN RRSIG ( DS 13 2 172800
       20201202000000 20181128000000 10713 net.
       w0JxDeiBJZNlpCdxKtRENlqfTpSxcs6Vftscsyfo/hyeTPYcIt4yItDkYsYK+
       KQ6FYAVE4nisA3vDQoZVL4wow== )
   net. 172800 IN DNSKEY ( 256 3 13
       061EoQs4sBcDsPiz17vt4nFSGLmXAGguqLStOesmKNCimi4/lw/vtyfqALuLF
       JiFjtCK3HMPi8HQ1jbGEwbGCA== ) ; Key ID = 10713
   net. 172800 IN DNSKEY ( 257 3 13
       LkNCPE+v3S4MVnsOqZFhn8n2NSwtLYOZLZjjgVsAKgu4XZncaDgq1R/7ZXRO5
       oVx2zthxuu2i+mGbRrycAaCvA== ) ; Key ID = 485
   net. 172800 IN RRSIG ( DNSKEY 13 1 172800 20201202000000
       20181128000000 485 net.
       031jXg06zSuDwI5zqYuYFJg1O5p+zy85csMXagvRxB9W2lL/wJRi6Gn9BcaCV
       RnDId5WR+yCADhsbKfSrrd9vQ== )
   net. 86400 IN DS ( 485 13 2 ab25a2941aa7f1eb8688bb783b25587515a0c
       d8c247769b23adb13ca234d1c05 )
   net. 86400 IN RRSIG ( DS 13 1 86400 20201202000000
       20181128000000 31918 .
       vOXoTjxggGTYKIwssQ3kpML0ag6D0Hcm+Syy7++4zT7gaFHfRH9a6uZekIWdb
       oss8y7q4onW4rxKdtw2S28hwQ== )
   . 86400 IN DNSKEY ( 256 3 13
       zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW
       P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918
   . 86400 IN DNSKEY ( 256 3 13
       8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
       xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
   . 86400 IN DNSKEY ( 257 3 13
       yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
       Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
   . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
       20181128000000 47005 .
       0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
       nBT1dtNjIczvLG9pQTnOKUsHQ== )
   example.com. 3600 IN DNSKEY ( 257 3 13
       JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s
       /TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870
   example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600
       20201202000000 20181128000000 1870 example.com.
       nYisnu/26Sw1qmGuREa9o/fLgYuA4oNPt4+6PMBZoN0MS8Gjtli9NVRYeSIzt
       QHPGSpvRxTUC4tZi62z1UgGDw== )
   example.com. 172800 IN DS ( 1870 13 2 e9b533a049798e900b5c29c90cd
       25a986e8a44f319ac3cd302bafc08f5b81e16 )
   example.com. 172800 IN RRSIG ( DS 13 2 172800
       20201202000000 20181128000000 34327 com.
       sEAKvX4H6pJfN8nKcclB1NRcRSPOztx8omr4fCSHu6lp+uESP/Le4iF2sKukO
       J1hhWSB6jgubEVl17rGNOA/YQ== )
   com. 172800 IN DNSKEY ( 256 3 13
       7IIE5Dol8jSMUqHTvOOiZapdEbQ9wqRxFi/zQcSdufUKLhpByvLpzSAQTqCWj
       3URIZ8L3Fa2gBLMOZUzZ1GQCw== ) ; Key ID = 34327
   com. 172800 IN DNSKEY ( 257 3 13
       RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f
       Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931
   com. 172800 IN DNSKEY ( 257 3 13
       szc7biLo5J4OHlkan1vZrF4aD4YYf+NHA/GAqdNslY9xxK9Izg68XHkqck4Rt
       DiVk37lNAQmgSlHbrGu0yOTkA== ) ; Key ID = 28809
   com. 172800 IN RRSIG ( DNSKEY 13 1 172800 20201202000000
       20181128000000 18931 com.
       LJ4p5ORS2ViILwTotSlWixElqRXHY5tOdIuHlPWTdBGPMq3y40QNr1V+ZOyA5
       7LFdPKpcvb8BvhM+GqKWGBEsg== )
   com. 172800 IN RRSIG ( DNSKEY 13 1 172800 20201202000000
       20181128000000 28809 com.
       sO+4X2N21yS6x8+dBVBzbRo9+55MM8n7+RUvdBuxRFVh6JaBlqDOC5LLkl7Ev
       mDXqz6KEhhQjT+aQWDt6WFHlA== )
   com. 86400 IN DS ( 18931 13 2 20f7a9db42d0e2042fbbb9f9ea015941202
       f9eabb94487e658c188e7bcb52115 )
   com. 86400 IN DS ( 28809 13 2 ad66b3276f796223aa45eda773e92c6d98e
       70643bbde681db342a9e5cf2bb380 )
   com. 86400 IN RRSIG ( DS 13 1 86400 20201202000000
       20181128000000 31918 .
       nDiDlBjXEE/6AudhC++Hui1ckPcuAnGbjEASNoxA3ZHjlXRzL050UzePko5Pb
       vBKTf6pk8JRCqnfzlo2QY+WXA== )

A.6.  _25._tcp.smtp.example.com NSEC Denial of Existence

   example.com. 3600 IN SOA ( sns.dns.icann.org. noc.dns.icann.org.
       2017042720 7200 3600 1209600 3600 )
   example.com. 3600 IN RRSIG ( SOA 13 2 3600 20201202000000
       20181128000000 1870 example.com.
       sr214XHDDSIcInHStplCFZQ0CI5pl5aIIrrFRkwyISWYbjp9KncxJlWc4nsvf
       6npBwVo+MP4/dg9JLO35kVkUw== )
   smtp.example.com. 3600 IN NSEC ( www.example.com. A AAAA
       RRSIG NSEC )
   smtp.example.com. 3600 IN RRSIG ( NSEC 13 3 3600
       20201202000000 20181128000000 1870 example.com.
       rH/K4wghCOm4jpEHwQKiyZzvFIa7qpFySuKIGGetW4SE4O2Mh5jPxcEzf78Hf
       crlsQZmnAUlfmBNCygxAd7JNw== )
   example.com. 3600 IN DNSKEY ( 257 3 13
       JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s
       /TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870
   example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600
       20201202000000 20181128000000 1870 example.com.
       nYisnu/26Sw1qmGuREa9o/fLgYuA4oNPt4+6PMBZoN0MS8Gjtli9NVRYeSIzt
       QHPGSpvRxTUC4tZi62z1UgGDw== )
   example.com. 172800 IN DS ( 1870 13 2 e9b533a049798e900b5c29c90cd
       25a986e8a44f319ac3cd302bafc08f5b81e16 )
   example.com. 172800 IN RRSIG ( DS 13 2 172800
       20201202000000 20181128000000 34327 com.
       sEAKvX4H6pJfN8nKcclB1NRcRSPOztx8omr4fCSHu6lp+uESP/Le4iF2sKukO
       J1hhWSB6jgubEVl17rGNOA/YQ== )
   com. 172800 IN DNSKEY ( 256 3 13
       7IIE5Dol8jSMUqHTvOOiZapdEbQ9wqRxFi/zQcSdufUKLhpByvLpzSAQTqCWj
       3URIZ8L3Fa2gBLMOZUzZ1GQCw== ) ; Key ID = 34327
   com. 172800 IN DNSKEY ( 257 3 13
       RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f
       Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931
   com. 172800 IN DNSKEY ( 257 3 13
       szc7biLo5J4OHlkan1vZrF4aD4YYf+NHA/GAqdNslY9xxK9Izg68XHkqck4Rt
       DiVk37lNAQmgSlHbrGu0yOTkA== ) ; Key ID = 28809
   com. 172800 IN RRSIG ( DNSKEY 13 1 172800 20201202000000
       20181128000000 18931 com.
       LJ4p5ORS2ViILwTotSlWixElqRXHY5tOdIuHlPWTdBGPMq3y40QNr1V+ZOyA5
       7LFdPKpcvb8BvhM+GqKWGBEsg== )
   com. 172800 IN RRSIG ( DNSKEY 13 1 172800 20201202000000
       20181128000000 28809 com.
       sO+4X2N21yS6x8+dBVBzbRo9+55MM8n7+RUvdBuxRFVh6JaBlqDOC5LLkl7Ev
       mDXqz6KEhhQjT+aQWDt6WFHlA== )
   com. 86400 IN DS ( 18931 13 2 20f7a9db42d0e2042fbbb9f9ea015941202
       f9eabb94487e658c188e7bcb52115 )
   com. 86400 IN DS ( 28809 13 2 ad66b3276f796223aa45eda773e92c6d98e
       70643bbde681db342a9e5cf2bb380 )
   com. 86400 IN RRSIG ( DS 13 1 86400 20201202000000
       20181128000000 31918 .
       nDiDlBjXEE/6AudhC++Hui1ckPcuAnGbjEASNoxA3ZHjlXRzL050UzePko5Pb
       vBKTf6pk8JRCqnfzlo2QY+WXA== )
   . 86400 IN DNSKEY ( 256 3 13
       zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW
       P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918
   . 86400 IN DNSKEY ( 256 3 13
       8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
       xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
   . 86400 IN DNSKEY ( 257 3 13
       yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
       Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
   . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
       20181128000000 47005 .
       0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
       nBT1dtNjIczvLG9pQTnOKUsHQ== )

A.7.  _25._tcp.smtp.example.org NSEC3 Denial of Existence

   example.org. 3600 IN SOA ( sns.dns.icann.org. noc.dns.icann.org.
       2017042720 7200 3600 1209600 3600 )
   example.org. 3600 IN RRSIG ( SOA 13 2 3600 20201202000000
       20181128000000 56566 example.org.
       cpKzINSSU0Jk6Y/QrsYLgfXNUY4b/pXDWsXrzIHOT8udmQcJkIU+LtnO9+Qa3
       2vJqiV6m65FvbBigJ612c3Wyw== )
   vkv62jbv85822q8rtmfnbhfnmnat9ve3.example.org. 3600 IN NSEC3 (
       1 0 1 - 93u63bg57ppj6649al2n31l92iedkjd6 A AAAA RRSIG )
   vkv62jbv85822q8rtmfnbhfnmnat9ve3.example.org. 3600 IN RRSIG (
       NSEC3 13 3 3600 20201202000000 20181128000000 56566
       example.org.
       wn3cePVdc5VPPniYzGp+1CBPOY2m83/A3cjnAb7FTZuwL45B25fwVUyjKQksh
       gQeV5KgP1cdvPt1BEowKqK4Sw== )
   dlm7rss9pejqnh0ev6h7k1ikqqcl5mae.example.org. 3600 IN NSEC3 (
       1 0 1 - t6lf7uuoi0qofq0nvdjroavo46pp20im RRSIG TLSA )
   dlm7rss9pejqnh0ev6h7k1ikqqcl5mae.example.org. 3600 IN RRSIG (
       NSEC3 13 3 3600 20201202000000 20181128000000 56566
       example.org.
       guUyy9LIZlYb0FZttAdYJGrFNKpKu91Tm+dPOz98rnpwIlwwvLifXIvIl90nE
       X38cWzEQOpreJu3t4WAfPsxdg== )
   a73bi8coh6dvf1arqdeuogf95r0828mk.example.org. 3600 IN NSEC3 (
       1 0 1 - c1p0lp7l1l8gdn0jl13pp1o41h35untj CNAME RRSIG )
   a73bi8coh6dvf1arqdeuogf95r0828mk.example.org. 3600 IN RRSIG (
       NSEC3 13 3 3600 20201202000000 20181128000000 56566
       example.org.
       ePBUuWdj8Bc+/41gHBm2Bx/IK/j/Q4W7A5uTgSj/0Sd57mP/NTWRZq3p8yBNe
       FPC2mBJ2oWQFi6/V9dmyiBh2A== )
   example.org. 3600 IN DNSKEY ( 256 3 13
       NrbL6utGqIW1wrhhjeexdA6bMdD1lC1hj0Fnpevaa1AMyY2uy83TmoGnR996N
       UR5TlG4Zh+YPbbmUIixe4nS3w== ) ; Key ID = 56566
   example.org. 3600 IN DNSKEY ( 257 3 13
       uspaqp17jsMTX6AWVgmbog/3Sttz+9ANFUWLn6qKUHr0BOqRuChQWj8jyYUUr
       Wy9txxesNQ9MkO4LUrFght1LQ== ) ; Key ID = 44384
   example.org. 3600 IN RRSIG ( DNSKEY 13 2 3600
       20201202000000 20181128000000 44384 example.org.
       ttse9pYp9PSu0pJ+TOpIVFLWJ6NKOMWZX4Q/SlU6ZfaiKQc0Bg7Tut9+wPunk
       6OPPvyHjVXMAsvk0tqV0B+/ag== )
   example.org. 86400 IN DS ( 44384 13 2 ec307e2efc8f0117ed96ab48a51
       3c8003e1d9121f1ff11a08b4cdd348d090aa6 )
   example.org. 86400 IN RRSIG ( DS 13 2 86400 20201202000000
       20181128000000 9523 org.
       m86Xz0CEa2sWG40a0bS2kqLKPmIlyiVyDeoWXAq3djeGiPaikLuKORNzWXu62
       clpAfvZHx59Ackst4X+zXYpUA== )
   org. 86400 IN DNSKEY ( 256 3 13
       fuLp60znhSSEr9HowILpTpyLKQdM6ixcgkTE0gqVdsLx+DSNHSc69o6fLWC0e
       HfWx7kzlBBoJB0vLrvsJtXJ6g== ) ; Key ID = 47417
   org. 86400 IN DNSKEY ( 256 3 13
       zTHbb7JM627Bjr8CGOySUarsic91xZU3vvLJ5RjVix9YH6+iwpBXb6qfHyQHy
       mlMiAAoaoXh7BUkEBVgDVN8sQ== ) ; Key ID = 9523
   org. 86400 IN DNSKEY ( 257 3 13
       Uf24EyNt51DMcLV+dHPInhSpmjPnqAQNUTouU+SGLu+lFRRlBetgw1bJUZNI6
       Dlger0VJTm0QuX/JVXcyGVGoQ== ) ; Key ID = 49352
   org. 86400 IN DNSKEY ( 257 3 13
       0SZfoe8Yx+eoaGgyAGEeJax/ZBV1AuG+/smcOgRm+F6doNlgc3lddcM1MbTvJ
       HTjK6Fvy8W6yZ+cAptn8sQheg== ) ; Key ID = 12651
   org. 86400 IN RRSIG ( DNSKEY 13 1 86400 20201202000000
       20181128000000 12651 org.
       Gq9wf+z3pasXXUwE210jYc0LhJnMAhcwXydnvkHtCVY6/0jUafHO4RksN84Zt
       us0pUgWngbT/OWXskdMYXZU4A== )
   org. 86400 IN RRSIG ( DNSKEY 13 1 86400 20201202000000
       20181128000000 49352 org.
       VGEkEMWBJ2IbOpm2Z56Qxu2NGPcVUDWCbYRyk+Qk1+HzGtyd2qPEKkpgMs/0p
       vZEMj1YXD+dIqb2nUK9PGBAXw== )
   org. 86400 IN DS ( 12651 13 2 3979a51f98bbf219fcaf4a4176e766dfa8f
       9db5c24a75743eb1e704b97a9fabc )
   org. 86400 IN DS ( 49352 13 2 03d11a1aa114abbb8f708c3c0ff0db765fe
       f4a2f18920db5f58710dd767c293b )
   org. 86400 IN RRSIG ( DS 13 1 86400 20201202000000
       20181128000000 31918 .
       adiFuP2UIulQw5Edsb/7WSPqr5nkRSTVXbZ2tkBeZRQcMjdCD3pyonWO5JPRV
       EemgaE357S4pX5D0tVZzeZJ6A== )
   . 86400 IN DNSKEY ( 256 3 13
       zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW
       P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918
   . 86400 IN DNSKEY ( 256 3 13
       8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
       xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
   . 86400 IN DNSKEY ( 257 3 13
       yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
       Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
   . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
       20181128000000 47005 .
       0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
       nBT1dtNjIczvLG9pQTnOKUsHQ== )

A.8.  _443._tcp.www.insecure.example NSEC3 opt-out insecure delegation

   example. 432000 IN SOA ( ns.ns-servers.example.
       hostmaster.ns-servers.example.
       2018042500 1800 900 604800 43200 )
   example. 432000 IN RRSIG ( SOA 13 1 432000 20201202000000
       20181128000000 15903 example.
       Hx4gEL0q9Za/jAB0LZ8dduuwef9qPrSyEK3RoSevb1S9UkrLQj1cL08HkiDwz
       mcduSc5oMky0toC/gjOoZClEA== )
   c1kgc91hrn9nqi2qjh1ms78ki8p7s75o.example. 43200 IN NSEC3 (
       1 1 1 - shn05itmoa45mmnv74lc4p0nnfmimtjt NS SOA RRSIG DNSKEY
       NSEC3PARAM )
   c1kgc91hrn9nqi2qjh1ms78ki8p7s75o.example. 43200 IN RRSIG (
       NSEC3 13 2 43200 20201202000000 20181128000000 15903
       example.
       pW16gQOLhLpKYgXpGt4XB4o92W/QoPYyG5CjQ+t+g7LBVcCiPQv8ars1j9UOg
       RpXUsJhZBDax2dfDhK7zOk7ow== )
   shn05itmoa45mmnv74lc4p0nnfmimtjt.example. 43200 IN NSEC3 (
       1 1 1 - a3ib1dvf1bdtfmd91usrdem5fiiepi6p NS DS RRSIG )
   shn05itmoa45mmnv74lc4p0nnfmimtjt.example. 43200 IN RRSIG (
       NSEC3 13 2 43200 20201202000000 20181128000000 15903
       example.
       5Aq//A8bsWNwcXbT91pMX2Oqf8VpJQRjqH4D2yZElW00wKmt85mhgu2qYPrvH
       QwGEB4STMz2Nefq01/GY6NHKg== )
   example. 432000 IN DNSKEY ( 257 3 13
       yrkqXSbVwXOoUxCjr/E9yg8XUzbZNlwPllVsoUPd73TLOnBQQ+03Qw4/k+Nme
       /66WIw+ZTlHYcTNalxiGYm0uQ== ) ; Key ID = 15903
   example. 432000 IN RRSIG ( DNSKEY 13 1 432000
       20201202000000 20181128000000 15903 example.
       wwEo3ri6JBuCqx5b33w8axFWOhIen1l+/mm0Isyc9FciuLhBiP+IqSgt+Igc8
       9nR8zRpJpo1D6XR/qJxZgnfaA== )
   example. 86400 IN DS ( 15903 13 2 7e0ebaf1cc0d309d4a73ca7d711719d
       d940f4da87b3d72865167650fc73ea577 )
   example. 86400 IN RRSIG ( DS 13 1 86400 20201202000000
       20181128000000 31918 .
       B5vx4zZaS+bOYfz0PzpaPfk9VxxBvYbGjIvGhpUZV3diXzfCguXxN4JIT1Sz8
       eJX6BYT5QPIrbG/N35U1sIskw== )
   . 86400 IN DNSKEY ( 256 3 13
       zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW
       P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918
   . 86400 IN DNSKEY ( 256 3 13
       8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
       xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
   . 86400 IN DNSKEY ( 257 3 13
       yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
       Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
   . 86400 IN RRSIG ( DNSKEY 13 0 86400 20201202000000
       20181128000000 47005 .
       0EPW1ca+N/ZhZPKla77STG734cTeIOjUwq7eW0HsnOfudWmnCEVeco2wLLq9m
       nBT1dtNjIczvLG9pQTnOKUsHQ== )

Authors' Addresses

   Viktor Dukhovni
   Two Sigma

   EMail: ietf-dane@dukhovni.org

   Shumon Huque
   Salesforce

   EMail: shuque@gmail.com

   Willem Toorop
   NLnet Labs

   EMail: willem@nlnetlabs.nl

   Paul Wouters
   Red Hat

   EMail: pwouters@redhat.com

   Melinda Shore
   Fastly

   EMail: mshore@fastly.com
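Appendix A.7 lists the NSEC3 records that prove _25._tcp.smtp.example.org has no TLSA RRset, but the appendix does not show how a client turns three hashed owner names into that proof. The following script is an added example, not code from this draft or its authors. It implements the NSEC3 hash of RFC 5155 (SHA-1 over the canonical wire-format name plus salt, iterated, then base32hex) and the closest-encloser walk of RFC 5155 Sections 8.4 to 8.6, and applies it to the A.7 chain; the hashed names, the "1 0 1 -" parameters and the type bitmaps are copied from the appendix, while the example.test zone used in the built-in self-check is constructed. The opt-out flag used in A.8 is deliberately out of scope here.

```python
"""NSEC3 denial-of-existence check for the chain in Appendix A.7.

Added example (not from the draft or its authors). Implements the NSEC3
hash of RFC 5155 section 5 and the closest-encloser logic of sections
8.4-8.6, without opt-out handling (so Appendix A.8 is out of scope).
"""
import base64
import hashlib

# RFC 4648 base32 alphabet -> the "extended hex" alphabet NSEC3 owner names use.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def base32hex(data: bytes) -> str:
    """Base32hex (RFC 4648 section 7), upper case, '=' padded."""
    return base64.b32encode(data).decode("ascii").translate(_B32_TO_B32HEX)


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lower case, length-prefixed labels."""
    name = name.lower().rstrip(".")
    labels = name.split(".") if name else []
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def nsec3_hash(name: str, salt_hex: str = "-", iterations: int = 0) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt)."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest).lower()  # 20 bytes -> exactly 32 chars, no padding


def nsec3_covers(owner: str, nxt: str, target: str) -> bool:
    """True if target sorts strictly between owner and nxt; the last record
    in the chain (owner > nxt) wraps around to the smallest hash."""
    owner, nxt, target = owner.lower(), nxt.lower(), target.lower()
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt


def nsec3_denial_proof(qname: str, zone: str, records, **params) -> dict:
    """records: list of (hashed owner, next hashed owner, set of type names).
    Walks up from qname to find the closest encloser, then checks that the
    next-closer name and the wildcard at the closest encloser are covered
    (name error), or that qname matches without TLSA/CNAME (NODATA)."""
    by_owner = {o: (n, t) for o, n, t in records}
    labels = qname.lower().rstrip(".").split(".")
    apex = len(labels) - len(zone.lower().rstrip(".").split("."))
    res = {"closest_encloser": None, "next_closer": None,
           "next_closer_covered": False, "wildcard_covered": False, "valid": False}
    for i in range(apex + 1):
        candidate = ".".join(labels[i:])
        h = nsec3_hash(candidate, **params)
        if h in by_owner:
            res["closest_encloser"] = candidate
            if i == 0:  # qname itself exists: NODATA proof, TLSA must be absent
                types = by_owner[h][1]
                res["valid"] = "TLSA" not in types and "CNAME" not in types
                return res
            res["next_closer"] = ".".join(labels[i - 1:])
            break
    if res["closest_encloser"] is None:
        return res  # not even the apex matches: the chain is incomplete
    nc = nsec3_hash(res["next_closer"], **params)
    wc = nsec3_hash("*." + res["closest_encloser"], **params)
    res["next_closer_covered"] = any(nsec3_covers(o, n, nc) for o, n, _ in records)
    res["wildcard_covered"] = any(nsec3_covers(o, n, wc) for o, n, _ in records)
    res["valid"] = res["next_closer_covered"] and res["wildcard_covered"]
    return res


def build_chain(names_to_types: dict, **params):
    """Build a consistent (owner, next, types) chain for a constructed zone."""
    hashed = sorted((nsec3_hash(n, **params), t) for n, t in names_to_types.items())
    return [(h, hashed[(i + 1) % len(hashed)][0], t) for i, (h, t) in enumerate(hashed)]


# NSEC3 records copied from Appendix A.7; params "1 0 1 -" = SHA-1, no opt-out,
# one extra iteration, empty salt.
A7_PARAMS = {"salt_hex": "-", "iterations": 1}
A7_NSEC3 = [
    ("vkv62jbv85822q8rtmfnbhfnmnat9ve3", "93u63bg57ppj6649al2n31l92iedkjd6", {"A", "AAAA", "RRSIG"}),
    ("dlm7rss9pejqnh0ev6h7k1ikqqcl5mae", "t6lf7uuoi0qofq0nvdjroavo46pp20im", {"RRSIG", "TLSA"}),
    ("a73bi8coh6dvf1arqdeuogf95r0828mk", "c1p0lp7l1l8gdn0jl13pp1o41h35untj", {"CNAME", "RRSIG"}),
]

if __name__ == "__main__":
    # Report only: which step each A.7 record serves is derived, not assumed.
    for k, v in nsec3_denial_proof("_25._tcp.smtp.example.org", "example.org",
                                   A7_NSEC3, **A7_PARAMS).items():
        print(f"{k:20} {v}")
```

Running the script prints, for the A.7 query name, which ancestor hashes to one of the three owner names (the closest encloser), which name is the next closer, and whether the next-closer and wildcard hashes fall inside one of the owner/next intervals. The wrap-around case in `nsec3_covers` matters for the first A.7 record, whose owner hash sorts after its next hash: a client that compares the two strings naively would reject a valid proof.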