draft-ietf-tls-dnssec-chain-extension-06.txt   draft-ietf-tls-dnssec-chain-extension-07.txt 
TLS M. Shore TLS M. Shore
Internet-Draft Fastly Internet-Draft Fastly
Intended status: Standards Track R. Barnes Intended status: Standards Track R. Barnes
Expires: July 27, 2018 Mozilla Expires: September 22, 2018 Mozilla
S. Huque S. Huque
Salesforce Salesforce
W. Toorop W. Toorop
NLnet Labs NLnet Labs
January 23, 2018 March 21, 2018
A DANE Record and DNSSEC Authentication Chain Extension for TLS A DANE Record and DNSSEC Authentication Chain Extension for TLS
draft-ietf-tls-dnssec-chain-extension-06 draft-ietf-tls-dnssec-chain-extension-07
Abstract Abstract
This draft describes a new TLS extension for transport of a DNS This draft describes a new TLS extension for transport of a DNS
record set serialized with the DNSSEC signatures needed to record set serialized with the DNSSEC signatures needed to
authenticate that record set. The intent of this proposal is to authenticate that record set. The intent of this proposal is to
allow TLS clients to perform DANE authentication of a TLS server allow TLS clients to perform DANE authentication of a TLS server
without needing to perform additional DNS record lookups. It will without needing to perform additional DNS record lookups. It is not
typically not be used for general DNSSEC validation of TLS endpoint intended to be used to validate the TLS server's address records.
names.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 27, 2018. This Internet-Draft will expire on September 22, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Requirements Notation . . . . . . . . . . . . . . . . . . . . 2 1. Requirements Notation . . . . . . . . . . . . . . . . . . . . 2
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
3. DNSSEC Authentication Chain Extension . . . . . . . . . . . . 4 3. DNSSEC Authentication Chain Extension . . . . . . . . . . . . 3
3.1. Protocol, TLS 1.2 . . . . . . . . . . . . . . . . . . . . 4 3.1. Protocol, TLS 1.2 . . . . . . . . . . . . . . . . . . . . 3
3.2. Protocol, TLS 1.3 . . . . . . . . . . . . . . . . . . . . 4 3.2. Protocol, TLS 1.3 . . . . . . . . . . . . . . . . . . . . 4
3.3. Raw Public Keys . . . . . . . . . . . . . . . . . . . . . 4 3.3. Raw Public Keys . . . . . . . . . . . . . . . . . . . . . 4
3.4. DNSSEC Authentication Chain Data . . . . . . . . . . . . 5 3.4. DNSSEC Authentication Chain Data . . . . . . . . . . . . 5
4. Construction of Serialized Authentication Chains . . . . . . 7 4. Construction of Serialized Authentication Chains . . . . . . 7
5. Caching and Regeneration of the Authentication Chain . . . . 8 5. Caching and Regeneration of the Authentication Chain . . . . 8
6. Verification . . . . . . . . . . . . . . . . . . . . . . . . 8 6. Verification . . . . . . . . . . . . . . . . . . . . . . . . 9
7. Trust Anchor Maintenance . . . . . . . . . . . . . . . . . . 9 7. Trust Anchor Maintenance . . . . . . . . . . . . . . . . . . 9
8. Mandating use of this extension . . . . . . . . . . . . . . . 9 8. Mandating use of this extension . . . . . . . . . . . . . . . 9
9. Security Considerations . . . . . . . . . . . . . . . . . . . 10 9. DANE and Traditional PKIX Interoperation . . . . . . . . . . 10
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 10. Security Considerations . . . . . . . . . . . . . . . . . . . 11
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
12.1. Normative References . . . . . . . . . . . . . . . . . . 10 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
12.2. Informative References . . . . . . . . . . . . . . . . . 11 13.1. Normative References . . . . . . . . . . . . . . . . . . 11
Appendix A. Updates from -01 and -02 . . . . . . . . . . . . . . 12 13.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix B. Updates from -01 . . . . . . . . . . . . . . . . . . 12 Appendix A. Test vectors . . . . . . . . . . . . . . . . . . . . 14
Appendix C. Updates from -00 . . . . . . . . . . . . . . . . . . 12 A.1. _443._tcp.www.example.com . . . . . . . . . . . . . . . . 15
Appendix D. Test vectors . . . . . . . . . . . . . . . . . . . . 13 A.2. _25._tcp.example.com wildcard . . . . . . . . . . . . . . 18
D.1. _443._tcp.www.example.com . . . . . . . . . . . . . . . . 14 A.3. _443._tcp.www.example.org CNAME . . . . . . . . . . . . . 20
D.2. _25._tcp.example.com wildcard . . . . . . . . . . . . . . 16 A.4. _443._tcp.www.example.net DNAME . . . . . . . . . . . . . 21
D.3. _443._tcp.www.example.org CNAME . . . . . . . . . . . . . 17
D.4. _443._tcp.www.example.net DNAME . . . . . . . . . . . . . 18
1. Requirements Notation 1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
document are to be interpreted as described in [RFC2119]. "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Introduction 2. Introduction
This draft describes a new TLS [RFC5246] extension for transport of a This draft describes a new TLS [RFC5246] [TLS13] extension for
DNS record set serialized with the DNSSEC signatures [RFC4034] needed transport of a DNS record set serialized with the DNSSEC signatures
to authenticate that record set. The intent of this proposal is to [RFC4034] needed to authenticate that record set. The intent of this
allow TLS clients to perform DANE Authentication [RFC6698] [RFC7671] proposal is to allow TLS clients to perform DANE Authentication
of a TLS server without performing additional DNS record lookups and
incurring the associated latency penalty. It also provides the [RFC6698] [RFC7671] of a TLS server without performing additional DNS
ability to avoid potential problems with TLS clients being unable to record lookups and incurring the associated latency penalty. It also
look up DANE records because of an interfering or broken middlebox on provides the ability to avoid potential problems with TLS clients
the path between the client and a DNS server. And lastly, it allows being unable to look up DANE records because of an interfering or
a TLS client to validate DANE records itself without necessarily broken middlebox on the path between the client and a DNS server
needing access to a validating DNS resolver to which it has a secure [HAMPERING]. And lastly, it allows a TLS client to validate the
connection. It will typically not be used for general DNSSEC server's DANE (TLSA) records itself without needing access to a
validation of endpoint names, but is more appropriate for validation validating DNS resolver to which it has a secure connection.
of DANE TLSA records.
This mechanism is useful for TLS applications that need to address This mechanism is useful for TLS applications that need to address
the problems described above, typically web browsers or VoIP and XMPP the problems described above, typically web browsers or SIP/VoIP
applications. It may not be relevant for many other applications. [RFC3261] and XMPP [RFC7590]. It may not be relevant for many other
For example, SMTP MTAs are usually located in data centers, may applications. For example, SMTP MTAs are usually located in data
tolerate extra DNS lookup latency, are on servers where it is easier centers, may tolerate extra DNS lookup latency, are on servers where
to provision a validating resolver, or are less likely to experience it is easier to provision a validating resolver, or are less likely
traffic interference from misconfigured middleboxes. Furthermore, to experience traffic interference from misconfigured middleboxes.
SMTP MTAs usually employ Opportunistic Security [RFC7672], in which Furthermore, SMTP MTAs usually employ Opportunistic Security
the presence of the DNS TLSA records is used to determine whether to [RFC7672], in which the presence of the DNS TLSA records is used to
enforce an authenticated TLS connection. Hence DANE authentication determine whether to enforce an authenticated TLS connection. Hence
of SMTP MTAs will typically not use this mechanism. DANE authentication of SMTP MTAs will typically not use this
mechanism.
The extension described here allows a TLS client to request in the The extension described here allows a TLS client to request that the
ClientHello message that the DNS authentication chain be returned in TLS server return the DNSSEC authentication chain corresponding to
the (extended) ServerHello message. If the server is configured for its DANE record. If the server is configured for DANE
DANE authentication, then it performs the appropriate DNS queries, authentication, then it performs the appropriate DNS queries, builds
builds the authentication chain, and returns it to the client. The the authentication chain, and returns it to the client. The server
server will usually use a previously cached authentication chain, but will usually use a previously cached authentication chain, but it
it will need to rebuild it periodically as described in Section 5. will need to rebuild it periodically as described in Section 5. The
The client then authenticates the chain using a pre-configured trust client then authenticates the chain using a pre-configured trust
anchor. anchor.
This specification is based on Adam Langley's original proposal for This specification is based on Adam Langley's original proposal for
serializing DNSSEC authentication chains and delivering them in an serializing DNSSEC authentication chains and delivering them in an
X.509 certificate extension [I-D.agl-dane-serializechain]. It X.509 certificate extension [I-D.agl-dane-serializechain]. It
modifies the approach by using wire format DNS records in the modifies the approach by using wire format DNS records in the
serialized data (assuming that the data will be prepared and consumed serialized data (assuming that the data will be prepared and consumed
by a DNS-specific library), and by using a TLS extension to deliver by a DNS-specific library), and by using a TLS extension to deliver
the data. the data.
skipping to change at page 4, line 12 skipping to change at page 4, line 4
by a DNS-specific library), and by using a TLS extension to deliver by a DNS-specific library), and by using a TLS extension to deliver
the data. the data.
As described in the DANE specification [RFC6698] [RFC7671], this As described in the DANE specification [RFC6698] [RFC7671], this
procedure applies to the DANE authentication of X.509 certificates or procedure applies to the DANE authentication of X.509 certificates or
raw public keys [RFC7250]. raw public keys [RFC7250].
3. DNSSEC Authentication Chain Extension 3. DNSSEC Authentication Chain Extension
3.1. Protocol, TLS 1.2 3.1. Protocol, TLS 1.2
A client MAY include an extension of type "dnssec_chain" in the A client MAY include an extension of type "dnssec_chain" in the
(extended) ClientHello. The "extension_data" field of this extension (extended) ClientHello. The "extension_data" field of this extension
MUST be empty. MUST be empty.
Servers receiving a "dnssec_chain" extension in the ClientHello, and Servers receiving a "dnssec_chain" extension in the ClientHello and
which are capable of being authenticated via DANE, MAY return a which are capable of being authenticated via DANE, return a
serialized authentication chain in the extended ServerHello message, serialized authentication chain in the extended ServerHello message
using the format described below. If a server is unable to return an using the format described below. If a server is unable to return an
authentication chain, or does not wish to return an authentication authentication chain, or does not wish to return an authentication
chain, it does not include a dnssec_chain extension. As with all TLS chain, it does not include a dnssec_chain extension. As with all TLS
extensions, if the server does not support this extension it will not extensions, if the server does not support this extension it will not
return any authentication chain. return any authentication chain.
A client must not be able to force a server to perform lookups on
arbitrary domain names using this mechanism. Therefore, a server
MUST NOT construct chains for domain names other than its own.
3.2. Protocol, TLS 1.3 3.2. Protocol, TLS 1.3
A client MAY include an extension of type "dnssec_chain" in the A client MAY include an extension of type "dnssec_chain" in the
ClientHello. The "extension_data" field of this extension MUST be ClientHello. The "extension_data" field of this extension MUST be
empty. empty.
Servers receiving a "dnssec_chain" extension in the ClientHello, and Servers receiving a "dnssec_chain" extension in the ClientHello, and
which are capable of being authenticated via DANE, SHOULD return a which are capable of being authenticated via DANE, return a
serialized authentication chain in the extension block of the serialized authentication chain in the extension block of the
Certificate message containing the end entity certificate being Certificate message containing the end entity certificate being
validated, using the format described below. validated, using the format described below.
The extension protocol behavior otherwise follows that specified for The extension protocol behavior otherwise follows that specified for
TLS version 1.2. TLS version 1.2.
3.3. Raw Public Keys 3.3. Raw Public Keys
[RFC7250] specifies the use of raw public keys for both server and [RFC7250] specifies the use of raw public keys for both server and
skipping to change at page 5, line 13 skipping to change at page 5, line 7
raw public key to a named entity in the DNS, and when using DANE for raw public key to a named entity in the DNS, and when using DANE for
authentication a raw key may be validated using a path chaining back authentication a raw key may be validated using a path chaining back
to a DNSSEC trust root. This has the added benefit of mitigating an to a DNSSEC trust root. This has the added benefit of mitigating an
unknown key share attack, as described in [I-D.barnes-dane-uks], unknown key share attack, as described in [I-D.barnes-dane-uks],
since it effectively augments the raw public key with the server's since it effectively augments the raw public key with the server's
name and provides a means to commit both the server and the client to name and provides a means to commit both the server and the client to
using that binding. using that binding.
The UKS attack is possible in situations in which the association The UKS attack is possible in situations in which the association
between a domain name and a public key is not tightly bound, as in between a domain name and a public key is not tightly bound, as in
the case in DANE in which a client either ignores the name in the case in DANE in which a client either ignores the name in the
certificate (as specified in [RFC7671] or there is no attestation of certificate (as specified in [RFC7671]) or there is no attestation of
trust outside of the DNS. The vulnerability arises in the following trust outside of the DNS. The vulnerability arises in the following
situations: situations:
o If the client does not verify the identity in the server's o If the client does not verify the identity in the server's
certificate (as recommended in Section 5.1 of [RFC7671]), then an certificate (as recommended in Section 5.1 of [RFC7671]), then an
attacker can induce the client to accept an unintended identity attacker can induce the client to accept an unintended identity
for the server, for the server,
o If the client allows the use of raw public keys in TLS, then it o If the client allows the use of raw public keys in TLS, then it
will not receive any indication of the server's identity in the will not receive any indication of the server's identity in the
TLS channel, and is thus unable to check that the server's TLS channel, and is thus unable to check that the server's
identity is as intended. identity is as intended.
The mechanism for conveying DNSSEC validation chains described in The mechanism for conveying DNSSEC validation chains described in
this document results in a commitment by both parties, via the TLS this document results in a commitment by both parties, via the TLS
handshake, to a domain name which has been validated as belonging to handshake, to a validated domain name and EE key.
the owner name.
The mechanism for encoding DNSSEC authentication chains in a TLS The mechanism for encoding DNSSEC authentication chains in a TLS
extension, as described in this document, is not limited to public extension, as described in this document, is not limited to public
keys encapsulated in X.509 containers but MAY be applied to raw keys encapsulated in X.509 containers but MAY be applied to raw
public keys and other representations, as well. public keys and other representations, as well.
3.4. DNSSEC Authentication Chain Data 3.4. DNSSEC Authentication Chain Data
The "extension_data" field of the "dnssec_chain" extension MUST The "extension_data" field of the "dnssec_chain" extension MUST
contain a DNSSEC Authentication Chain encoded in the following form: contain a DNSSEC Authentication Chain encoded in the following form:
opaque AuthenticationChain<0..2^16-1> opaque AuthenticationChain<1..2^16-1>
The AuthenticationChain structure is composed of a sequence of The AuthenticationChain structure is composed of a sequence of
uncompressed wire format DNS resource record sets (RRset) and uncompressed wire format DNS resource record sets (RRset) and
corresponding signatures (RRSIG) record sets. corresponding signatures (RRSIG) record sets.
This sequence of native DNS wire format records enables easier This sequence of native DNS wire format records enables easier
generation of the data structure on the server and easier generation of the data structure on the server and easier
verification of the data on client by means of existing DNS library verification of the data on client by means of existing DNS library
functions. However this document describes the data structure in functions.
sufficient detail that implementers if they desire can write their
own code to do this.
Each RRset in the chain is composed of a sequence of wire format DNS Each RRset in the chain is composed of a sequence of wire format DNS
resource records. The format of the resource record is described in resource records. The format of the resource record is described in
RFC 1035 [RFC1035], Section 3.2.1. RFC 1035 [RFC1035], Section 3.2.1.
RR(i) = owner | type | class | TTL | RDATA length | RDATA RR(i) = owner | type | class | TTL | RDATA length | RDATA
Each RRset in the sequence is followed by its associated RRsig record where RR(i) denotes the ith RR.
set. The RRsig record wire format is described in RFC 4034
[RFC4034], Section 3.1. The signature portion of the RDATA, as The resource records that make up a RRset all have the same owner,
described in the same section, is the following: type and class, but different RDATA as specified RFC 2181 [RFC2181],
Section 5. Each RRset in the sequence is followed by its associated
RRsig record set. This RRset has the same owner and class as the
preceding RRset, but has type RRSIG. The Type Covered field in the
RDATA of the RRsigs identifies the type of the preceding RRset as
described in RFC 4034 [RFC4034], Section 3. The RRsig record wire
format is described in RFC 4034 [RFC4034], Section 3.1. The
signature portion of the RDATA, as described in the same section, is
the following:
signature = sign(RRSIG_RDATA | RR(1) | RR(2)... ) signature = sign(RRSIG_RDATA | RR(1) | RR(2)... )
where RRSIG_RDATA is the wire format of the RRSIG RDATA fields with where RRSIG_RDATA is the wire format of the RRSIG RDATA fields with
the Signer's Name field in canonical form and the signature field the Signer's Name field in canonical form and the signature field
excluded. excluded.
The first RRset in the chain MUST contain the TLSA record set being The first RRset in the chain MUST contain the TLSA record set being
presented. However, if the owner name of the TLSA record set is an presented. However, if the owner name of the TLSA record set is an
alias (CNAME or DNAME), then it MUST be preceded by the chain of alias (CNAME or DNAME), then it MUST be preceded by the chain of
alias records needed to resolve it. DNAME chains should omit alias records needed to resolve it. DNAME chains SHOULD omit
unsigned CNAME records that may have been synthesized in the response unsigned CNAME records that may have been synthesized in the response
from a DNS resolver. from a DNS resolver. (If unsigned synthetic CNAMES are present, then
the TLS client will just ignore them, as they are not necessary to
validate the chain.)
The subsequent RRsets MUST contain the full set of DNS records needed The subsequent RRsets MUST contain the full set of DNS records needed
to authenticate the TLSA record set from the server's trust anchor. to authenticate the TLSA record set from the server's trust anchor.
Typically this means a set of DNSKEY and DS RRsets that cover all Typically this means a set of DNSKEY and DS RRsets that cover all
zones from the target zone containing the TLSA record set to the zones from the target zone containing the TLSA record set to the
trust anchor zone. The TLS client should be prepared to receive this trust anchor zone. The TLS client should be prepared to receive this
set of RRsets in any order. set of RRsets in any order.
Names that are aliased via CNAME and/or DNAME records may involve Names that are aliased via CNAME and/or DNAME records may involve
multiple branches of the DNS tree. In this case, the authentication multiple branches of the DNS tree. In this case, the authentication
chain structure needs to include DS and DNSKEY record sets that cover chain structure needs to include DS and DNSKEY record sets that cover
all the necessary branches. all the necessary branches.
If the TLSA record set was synthesized by a DNS wildcard, the chain If the TLSA record set was synthesized by a DNS wildcard, the chain
must include the signed NSEC or NSEC3 records that prove that there MUST include the signed NSEC or NSEC3 [RFC5155] records that prove
was no explicit match of the TLSA record name and no closer wildcard that there was no explicit match of the TLSA record name and no
match. closer wildcard match.
The final DNSKEY RRset in the authentication chain corresponds to the The final DNSKEY RRset in the authentication chain corresponds to the
trust anchor (typically the DNS root). This trust anchor is also trust anchor (typically the DNS root). This trust anchor is also
preconfigured in the TLS client, but including it in the response preconfigured in the TLS client, but including it in the response
from the server permits TLS clients to use the automated trust anchor from the server permits TLS clients to use the automated trust anchor
rollover mechanism defined in RFC 5011 [RFC5011] to update their rollover mechanism defined in RFC 5011 [RFC5011] to update their
configured trust anchor. configured trust anchor.
The following is an example of the records in the AuthenticationChain The following is an example of the records in the AuthenticationChain
structure for the HTTPS server at www.example.com, where there are structure for the HTTPS server at www.example.com, where there are
skipping to change at page 7, line 49 skipping to change at page 8, line 9
When the goal is to perform DANE authentication [RFC6698] [RFC7671] When the goal is to perform DANE authentication [RFC6698] [RFC7671]
of the server, the DNS record set to be serialized is a TLSA record of the server, the DNS record set to be serialized is a TLSA record
set corresponding to the server's domain name, protocol, and port set corresponding to the server's domain name, protocol, and port
number. number.
The domain name of the server MUST be that included in the TLS The domain name of the server MUST be that included in the TLS
server_name extension [RFC6066] when present. If the server_name server_name extension [RFC6066] when present. If the server_name
extension is not present, or if the server does not recognize the extension is not present, or if the server does not recognize the
provided name and wishes to proceed with the handshake rather than to provided name and wishes to proceed with the handshake rather than to
abort the connection, the server uses the domain name associated with abort the connection, the server picks one of its configured domain
the server IP address to which the connection has been established. names associated with the server IP address to which the connection
has been established.
The TLSA record to be queried is constructed by prepending the _port The TLSA record to be queried is constructed by prepending the _port
and _transport labels to the domain name as described in [RFC6698], and _transport labels to the domain name as described in [RFC6698],
where "port" is the port number associated with the TLS server. The where "port" is the port number associated with the TLS server. The
transport is "tcp" for TLS servers, and "udp" for DTLS servers. The transport is "tcp" for TLS servers, and "udp" for DTLS servers. The
port number label is the left-most label, followed by the transport, port number label is the left-most label, followed by the transport,
followed by the base domain name. followed by the base domain name.
The components of the authentication chain are typically built by The components of the authentication chain are typically built by
starting at the target record set and its corresponding RRSIG. Then starting at the target record set and its corresponding RRSIG. Then
traversing the DNS tree upwards towards the trust anchor zone traversing the DNS tree upwards towards the trust anchor zone
(normally the DNS root), for each zone cut, the DNSKEY and DS RRsets (normally the DNS root), for each zone cut, the DNSKEY and DS RRsets
and their signatures are added. However, see Section 3.4 for and their signatures are added. However, see Section 3.4 for
specific processing needed for aliases and wildcards. If DNS specific processing needed for aliases and wildcards. If DNS
responses messages contain any domain names utilizing name response messages contain any domain names utilizing name compression
compression [RFC1035], then they must be uncompressed. [RFC1035], then they MUST be uncompressed.
Newer DNS protocol enhancements, such as the EDNS Chain Query Newer DNS protocol enhancements, such as the EDNS Chain Query
extension [RFC7901] if supported, may offer easier ways to obtain all extension [RFC7901] if supported, may offer easier ways to obtain all
of the chain data in one transaction with an upstream DNSSEC aware of the chain data in one transaction with an upstream DNSSEC aware
recursive server. recursive server.
5. Caching and Regeneration of the Authentication Chain 5. Caching and Regeneration of the Authentication Chain
DNS records have Time To Live (TTL) parameters, and DNSSEC signatures DNS records have Time To Live (TTL) parameters, and DNSSEC signatures
have validity periods (specifically signature expiration times). have validity periods (specifically signature expiration times).
skipping to change at page 8, line 43 skipping to change at page 9, line 8
validity periods dictate. A server implementation could carefully validity periods dictate. A server implementation could carefully
track these parameters and requery component records in the chain track these parameters and requery component records in the chain
correspondingly. Alternatively, it could be configured to rebuild correspondingly. Alternatively, it could be configured to rebuild
the entire chain at some predefined periodic interval that does not the entire chain at some predefined periodic interval that does not
exceed the DNS TTLs or signature validity periods of the component exceed the DNS TTLs or signature validity periods of the component
records in the chain. records in the chain.
6. Verification 6. Verification
A TLS client making use of this specification, and which receives a A TLS client making use of this specification, and which receives a
DNSSEC authentication chain extension from a server, SHOULD use this DNSSEC authentication chain extension from a server, MUST use this
information to perform DANE authentication of the server. In order information to perform DANE authentication of the server. In order
to do this, it uses the mechanism specified by the DNSSEC protocol to do this, it uses the mechanism specified by the DNSSEC protocol
[RFC4035] [RFC5155]. This mechanism is sometimes implemented in a [RFC4035] [RFC5155]. This mechanism is sometimes implemented in a
DNSSEC validation engine or library. DNSSEC validation engine or library.
If the authentication chain is correctly verified, the client then If the authentication chain is correctly verified, the client then
performs DANE authentication of the server according to the DANE TLS performs DANE authentication of the server according to the DANE TLS
protocol [RFC6698] [RFC7671]. protocol [RFC6698] [RFC7671].
Clients MAY cache the server's validated TLS RRset or other validated Clients MAY cache the server's validated TLSA RRset or other
portions of the chain as an optimization to save signature validated portions of the chain as an optimization to save signature
verification work for future connections. The period of such caching verification work for future connections. The period of such caching
MUST NOT exceed the TTL associated with those records. MUST NOT exceed the TTL associated with those records. A client that
possesses a validated and unexpired TLSA RRset or the full chain in
its cache does not need to send the dnssec_chain extension for
subsequent connections to the same TLS server. It can use the cached
information to perform DANE authentication.
7. Trust Anchor Maintenance 7. Trust Anchor Maintenance
The trust anchor may change periodically, e.g. when the operator of The trust anchor may change periodically, e.g. when the operator of
the trust anchor zone performs a DNSSEC key rollover. TLS clients the trust anchor zone performs a DNSSEC key rollover. TLS clients
using this specification MUST implement a mechanism to keep their using this specification MUST implement a mechanism to keep their
trust anchors up to date. They could use the method defined in trust anchors up to date. They could use the method defined in
[RFC5011] to perform trust anchor updates inband in TLS, by tracking [RFC5011] to perform trust anchor updates inband in TLS, by tracking
the introduction of new keys seen in the trust anchor DNSKEY RRset. the introduction of new keys seen in the trust anchor DNSKEY RRset.
However, alternative mechanisms external to TLS may also be utilized. However, alternative mechanisms external to TLS may also be utilized.
skipping to change at page 10, line 5 skipping to change at page 10, line 22
establish a PKIX verified connection to the rogue server that establish a PKIX verified connection to the rogue server that
precluded DANE authentication. This could be solved by enhancing precluded DANE authentication. This could be solved by enhancing
this protocol to require that servers without TLSA records need to this protocol to require that servers without TLSA records need to
provide a DNSSEC authentication chain that proves this (i.e. the provide a DNSSEC authentication chain that proves this (i.e. the
chain includes NSEC or NSEC3 records that demonstrate either the chain includes NSEC or NSEC3 records that demonstrate either the
absence of the TLSA record, or the absence of a secure delegation to absence of the TLSA record, or the absence of a secure delegation to
the associated zone). Such an enhancement would be impossible to the associated zone). Such an enhancement would be impossible to
deploy incrementally though since it requires all TLS servers to deploy incrementally though since it requires all TLS servers to
support this protocol. support this protocol.
9. Security Considerations One possible way to address the threat of attackers that have
fraudulently obtained valid PKIX credentials, is to use current PKIX
defense mechanisms, such as checking Certificate Transparency logs to
detect certificate misissuance. This may be necessary anyway, as TLS
servers may support both DANE and PKIX authentication. Even TLS
servers that support only DANE may be interested in detecting PKIX
adversaries impersonating their service to DANE unaware TLS clients.
9. DANE and Traditional PKIX Interoperation
When DANE is being introduced incrementally into an existing PKIX
environment, there may be scenarios in which DANE authentication for
a server fails but PKIX succeeds, or vice versa. What happens here
depends on TLS client policy. If DANE authentication fails, the
client may decide to fallback to traditional PKIX authentication. In
order to do so efficiently within the same TLS handshake, the TLS
server needs to have provided the full X.509 certificate chain. When
TLS servers only support DANE-EE or DANE-TA modes, they have the
option to send a much smaller certificate chain: just the EE
certificate for the former, and a short certificate chain from the
DANE trust anchor to the EE certificate for the latter. If the TLS
server supports both DANE and traditional PKIX, and wants to allow
efficient PKIX fallback within the same handshake, they should always
provide the full X.509 certificate chain.
10. Security Considerations
The security considerations of the normatively referenced RFCs all The security considerations of the normatively referenced RFCs all
pertain to this extension. Since the server is delivering a chain of pertain to this extension. Since the server is delivering a chain of
DNS records and signatures to the client, it MUST rebuild the chain DNS records and signatures to the client, it MUST rebuild the chain
in accordance with TTL and signature expiration of the chain in accordance with TTL and signature expiration of the chain
components as described in Section 5. TLS clients need roughly components as described in Section 5. TLS clients need roughly
accurate time in order to properly authenticate these signatures. accurate time in order to properly authenticate these signatures.
This could be achieved by running a time synchronization protocol This could be achieved by running a time synchronization protocol
like NTP [RFC5905] or SNTP [RFC5905], which are already widely used like NTP [RFC5905] or SNTP [RFC5905], which are already widely used
today. TLS clients MUST support a mechanism to track and rollover today. TLS clients MUST support a mechanism to track and rollover
the trust anchor key, or be able to avail themselves of a service the trust anchor key, or be able to avail themselves of a service
that does this, as described in Section 7. Security considerations that does this, as described in Section 7. Security considerations
related to mandating the use of this extension are described in related to mandating the use of this extension are described in
Section 8. Section 8.
10. IANA Considerations 11. IANA Considerations
This extension requires the registration of a new value in the TLS This extension requires the registration of a new value in the TLS
ExtensionsType registry. The value requested from IANA is 53. If ExtensionsType registry. The value requested from IANA is 53, and
the draft is adopted by the WG, the authors expect to make an early the extension should be marked "Recommended" in accordance with "IANA
allocation request as specified in [RFC7120]. Registry Updates for TLS and DTLS" [TLSIANA].
11. Acknowledgments 12. Acknowledgments
Many thanks to Adam Langley for laying the groundwork for this Many thanks to Adam Langley for laying the groundwork for this
extension. The original idea is his but our acknowledgment in no way extension. The original idea is his but our acknowledgment in no way
implies his endorsement. This document also benefited from implies his endorsement. This document also benefited from
discussions with and review from the following people: Viktor discussions with and review from the following people: Viktor
Dukhovni, Daniel Kahn Gillmor, Jeff Hodges, Allison Mankin, Patrick Dukhovni, Daniel Kahn Gillmor, Jeff Hodges, Allison Mankin, Patrick
McManus, Rick van Rein, Ilari Liusvaara, Gowri Visweswaran, Duane McManus, Rick van Rein, Ilari Liusvaara, Eric Rescorla, Gowri
Wessels, Nico Williams, and Paul Wouters. Visweswaran, Duane Wessels, Nico Williams, and Paul Wouters.
12. References 13. References
12.1. Normative References 13.1. Normative References
[RFC1035] Mockapetris, P., "Domain names - implementation and [RFC1035] Mockapetris, P., "Domain names - implementation and
specification", STD 13, RFC 1035, November 1987. specification", STD 13, RFC 1035, November 1987.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
Specification", RFC 2181, DOI 10.17487/RFC2181, July 1997,
<http://www.rfc-editor.org/info/rfc2181>.
[RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Resource Records for the DNS Security Extensions", Rose, "Resource Records for the DNS Security Extensions",
RFC 4034, March 2005. RFC 4034, March 2005.
[RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S. [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "Protocol Modifications for the DNS Security Rose, "Protocol Modifications for the DNS Security
Extensions", RFC 4035, March 2005. Extensions", RFC 4035, March 2005.
[RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
Security (DNSSEC) Hashed Authenticated Denial of Security (DNSSEC) Hashed Authenticated Denial of
skipping to change at page 11, line 28 skipping to change at page 12, line 32
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS) of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, August 2012. Protocol: TLSA", RFC 6698, August 2012.
[RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based [RFC7671] Dukhovni, V. and W. Hardaker, "The DNS-Based
Authentication of Named Entities (DANE) Protocol: Updates Authentication of Named Entities (DANE) Protocol: Updates
and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671, and Operational Guidance", RFC 7671, DOI 10.17487/RFC7671,
October 2015, <http://www.rfc-editor.org/info/rfc7671>. October 2015, <http://www.rfc-editor.org/info/rfc7671>.
12.2. Informative References [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[TLS13] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", March 2018, <https://tools.ietf.org/html/
draft-ietf-tls-tls13>.
[TLSIANA] Salowey, J. and S. Turner, "IANA Registry Updates for TLS
and DTLS", , <https://tools.ietf.org/html/draft-ietf-tls-
iana-registry-updates>.
13.2. Informative References
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, <https://www.rfc-
editor.org/info/rfc3261>.
[RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC) [RFC5011] StJohns, M., "Automated Updates of DNS Security (DNSSEC)
Trust Anchors", STD 74, RFC 5011, September 2007. Trust Anchors", STD 74, RFC 5011, September 2007.
[RFC5905] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network [RFC5905] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
Time Protocol Version 4: Protocol and Algorithms Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, June 2010. Specification", RFC 5905, June 2010.
[RFC7120] Cotton, M., "Early IANA Allocation of Standards Track Code [RFC7120] Cotton, M., "Early IANA Allocation of Standards Track Code
Points", BCP 100, RFC 7120, January 2014. Points", BCP 100, RFC 7120, January 2014.
[RFC7250] Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and [RFC7250] Wouters, P., Tschofenig, H., Gilmore, J., Weiler, S., and
T. Kivinen, "Using Raw Public Keys in Transport Layer T. Kivinen, "Using Raw Public Keys in Transport Layer
Security (TLS) and Datagram Transport Layer Security Security (TLS) and Datagram Transport Layer Security
(DTLS)", RFC 7250, June 2014. (DTLS)", RFC 7250, June 2014.
[RFC7590] Saint-Andre, P. and T. Alkemade, "Use of Transport Layer
Security (TLS) in the Extensible Messaging and Presence
Protocol (XMPP)", RFC 7590, DOI 10.17487/RFC7590, June
2015, <https://www.rfc-editor.org/info/rfc7590>.
[RFC7672] Dukhovni, V. and W. Hardaker, "SMTP Security via [RFC7672] Dukhovni, V. and W. Hardaker, "SMTP Security via
Opportunistic DNS-Based Authentication of Named Entities Opportunistic DNS-Based Authentication of Named Entities
(DANE) Transport Layer Security (TLS)", RFC 7672, DOI (DANE) Transport Layer Security (TLS)", RFC 7672, DOI
10.17487/RFC7672, October 2015, 10.17487/RFC7672, October 2015,
<http://www.rfc-editor.org/info/rfc7672>. <http://www.rfc-editor.org/info/rfc7672>.
[RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901, DOI [RFC7901] Wouters, P., "CHAIN Query Requests in DNS", RFC 7901, DOI
10.17487/RFC7901, June 2016, 10.17487/RFC7901, June 2016,
<http://www.rfc-editor.org/info/rfc7901>. <http://www.rfc-editor.org/info/rfc7901>.
skipping to change at page 12, line 20 skipping to change at page 13, line 46
Langley, A., "Serializing DNS Records with DNSSEC Langley, A., "Serializing DNS Records with DNSSEC
Authentication", draft-agl-dane-serializechain-01 (work in Authentication", draft-agl-dane-serializechain-01 (work in
progress), July 2011. progress), July 2011.
[I-D.barnes-dane-uks] [I-D.barnes-dane-uks]
Barnes, R., Thomson, M., and E. Rescorla, "Unknown Key- Barnes, R., Thomson, M., and E. Rescorla, "Unknown Key-
Share Attacks on DNS-based Authentications of Named Share Attacks on DNS-based Authentications of Named
Entities (DANE)", draft-barnes-dane-uks-00 (work in Entities (DANE)", draft-barnes-dane-uks-00 (work in
progress), October 2016. progress), October 2016.
Appendix A. Updates from -01 and -02 [HAMPERING]
Gorjon, X. and W. Toorop, "Discovery method for a DNSSEC
o Editorial updates for style and consistency validating stub resolver", July 2015, <http://
www.nlnetlabs.nl/downloads/publications/os3-2015-rp2
o Updated discussion of UKS attack -xavier-torrent-gorjon.pdf>.
Appendix B. Updates from -01
o Added TLS 1.3 support
o Added section describing applicability to raw public keys
o Softened language about record order
Appendix C. Updates from -00
o Edits based on comments from Rick van Rein
o Warning about not overloading X.509 wildcards on DNSSEC wildcards
(from V. Dukhovny)
o Added MUST include negative proof on wildcards (from V. Dukhovny)
o Removed "TODO" on allowing the server to deliver only one
signature per RRset
o Added additional minor edits suggested by Viktor Dukhovny
Appendix D. Test vectors Appendix A. Test vectors
The provided test vectors will authenticate the certificate used with The provided test vectors will authenticate the certificate used with
https://example.com/, https://example.net/ and https://example.org/ https://example.com/, https://example.net/ and https://example.org/
at the time of writing: at the time of writing:
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIF8jCCBNqgAwIBAgIQDmTF+8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw MIIF8jCCBNqgAwIBAgIQDmTF+8I2reFLFyrrQceMsDANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNTExMDMwMDAwMDBaFw0xODExMjgxMjAwMDBa dXJhbmNlIFNlcnZlciBDQTAeFw0xNTExMDMwMDAwMDBaFw0xODExMjgxMjAwMDBa
skipping to change at page 13, line 47 skipping to change at page 14, line 47
aWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQC aWdpQ2VydFNIQTJIaWdoQXNzdXJhbmNlU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQC
MAAwDQYJKoZIhvcNAQELBQADggEBAISomhGn2L0LJn5SJHuyVZ3qMIlRCIdvqe0Q MAAwDQYJKoZIhvcNAQELBQADggEBAISomhGn2L0LJn5SJHuyVZ3qMIlRCIdvqe0Q
6ls+C8ctRwRO3UU3x8q8OH+2ahxlQmpzdC5al4XQzJLiLjiJ2Q1p+hub8MFiMmVP 6ls+C8ctRwRO3UU3x8q8OH+2ahxlQmpzdC5al4XQzJLiLjiJ2Q1p+hub8MFiMmVP
PZjb2tZm2ipWVuMRM+zgpRVM6nVJ9F3vFfUSHOb4/JsEIUvPY+d8/Krc+kPQwLvy PZjb2tZm2ipWVuMRM+zgpRVM6nVJ9F3vFfUSHOb4/JsEIUvPY+d8/Krc+kPQwLvy
ieqRbcuFjmqfyPmUv1U9QoI4TQikpw7TZU0zYZANP4C/gj4Ry48/znmUaRvy2kvI ieqRbcuFjmqfyPmUv1U9QoI4TQikpw7TZU0zYZANP4C/gj4Ry48/znmUaRvy2kvI
l7gRQ21qJTK5suoiYoYNo3J9T+pXPGU7Lydz/HwW+w0DpArtAaukI8aNX4ohFUKS l7gRQ21qJTK5suoiYoYNo3J9T+pXPGU7Lydz/HwW+w0DpArtAaukI8aNX4ohFUKS
wDSiIIWIWJiJGbEeIO0TIFwEVWTOnbNl/faPXpk5IRXicapqiII= wDSiIIWIWJiJGbEeIO0TIFwEVWTOnbNl/faPXpk5IRXicapqiII=
-----END CERTIFICATE----- -----END CERTIFICATE-----
For brevity and reproducability all DNS zones involved with the test For brevity and reproducability all DNS zones involved with the test
vectors are signed using a single key with algorithm 13: ECDSA Curve vectors are signed using keys with algorithm 13: ECDSA Curve P-256
P-256 with SHA-256. with SHA-256.
The test vectors are DNSSEC valid at June 1 2017, with the following To reflect operational practice, different zones in the examples are
root trust anchor: in different phases of rolling their signing keys:
All zones use a Key Signing Key (KSK) and Zone Signing Key (ZSK),
except for the example.com and example.net zones which use a
Combined Signing Key (CSK).
The root and org zones are rolling their ZSK's.
The com and org zones are rolling their KSK's.
The test vectors are DNSSEC valid in the same period as the
certificate is valid, which is in between November 3 2015 and
November 28 2018, with the following root trust anchor:
. IN DS ( 47005 13 2 2eb6e9f2480126691594d649a5a613de3052e37861634 . IN DS ( 47005 13 2 2eb6e9f2480126691594d649a5a613de3052e37861634
641bb568746f2ffc4d4 ) 641bb568746f2ffc4d4 )
D.1. _443._tcp.www.example.com A.1. _443._tcp.www.example.com
_443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1 _443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1
c66bef6a5c1a3e78b82016e13f314f3cc5fa25b1e52aab9adb9ec5989b165 c66bef6a5c1a3e78b82016e13f314f3cc5fa25b1e52aab9adb9ec5989b165
ada ) ada )
_443._tcp.www.example.com. 3600 IN RRSIG ( TLSA 13 5 3600 _443._tcp.www.example.com. 3600 IN RRSIG ( TLSA 13 5 3600
20170616000000 20170526000000 1870 example.com. 20181128000000 20151103000000 1870 example.com.
GRsT6bcn3fokM5JMvHF0liq63N/kUX+CrZQZIr4GlFnMr/uoS4P1zOBwc0sft uml1DUjp5RfrXn9WtuMxEQV+ygzrONcuzsnyfOGSszwaDdkSOJ0Kndcfbb2Il
Kd8NsZJAikRr4CpaXITYQMx1w== ) LUV04Z+V488+Sd1jr7/21tsKA== )
example.com. 3600 IN DNSKEY ( 257 3 13 example.com. 3600 IN DNSKEY ( 257 3 13
JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s
/TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870 /TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870
example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600 example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600
20170616000000 20170526000000 1870 example.com. 20181128000000 20151103000000 1870 example.com.
sB6o0XXz7AXDWibruD75rllaHI1kOu4ftoXsKOPPArjflNlTPxrJsspN8ww9r HujA9vQTbCxMeaYjDOCF0fYyHhajTl5xPztrp5u6P2vYV8naYQLG3zUF1gaer
8q6DBlCdlRQvzD90UKZDIAqbA== ) WBOagXXblaSSbYwB96LU3uSdg== )
example.com. 900 IN DS ( 1870 13 2 example.com. 900 IN DS ( 1870 13 2 e9b533a049798e900b5c29c90cd25a
e9b533a049798e900b5c29c90cd25a986e8a44f319ac3cd302bafc08f5b81 986e8a44f319ac3cd302bafc08f5b81e16 )
e16 ) example.com. 900 IN RRSIG ( DS 13 2 900 20181128000000
example.com. 900 IN RRSIG ( DS 13 2 900 20170605000000 20151103000000 34327 com.
20170529000000 18931 com. 1tua9ntAqZvOnK5UztzIjN38Bqs6mJ8KAT7L4+AxevDL+z0Jft7RC1/g6Qrfa
rBV/16HTJBwmexByZq7WzYbB3EYaJ6MctpUSxuSNEpwDgzKkwIXzKECh5F5x3 In1wqF4U7TvC8PYOD0U/HYtwQ== )
5XxvbOdLIJAcxhRS1c2VITfMA== ) com. 900 IN DNSKEY ( 256 3 13
7IIE5Dol8jSMUqHTvOOiZapdEbQ9wqRxFi/zQcSdufUKLhpByvLpzSAQTqCWj
3URIZ8L3Fa2gBLMOZUzZ1GQCw== ) ; Key ID = 34327
com. 900 IN DNSKEY ( 257 3 13 com. 900 IN DNSKEY ( 257 3 13
RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f
Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931 Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931
com. 900 IN RRSIG ( DNSKEY 13 1 900 20170605000000 com. 900 IN DNSKEY ( 257 3 13
20170529000000 18931 com. szc7biLo5J4OHlkan1vZrF4aD4YYf+NHA/GAqdNslY9xxK9Izg68XHkqck4Rt
wjCqnHNa5QcMrbuAnKIWBESMFtVjDldmd98udKPtg35V9ESD9SuNKtRJRdHYk DiVk37lNAQmgSlHbrGu0yOTkA== ) ; Key ID = 28809
c6Nx3HLmhidf6dmt/Hi0ePBsQ== ) com. 900 IN RRSIG ( DNSKEY 13 1 900 20181128000000
com. 86400 IN DS ( 18931 13 2 20151103000000 18931 com.
20f7a9db42d0e2042fbbb9f9ea015941202f9eabb94487e658c188e7bcb52 lZmTBrfcRgVbqHJIfCVr6c3HUDgy3MlNSCSnrVV2S5/NmB3ZiFcvIDn0iqXPm
115 ) 7YQfvfWi6utyxBu/fSD6S1ARw== )
com. 86400 IN RRSIG ( DS 13 1 86400 20170612000000 com. 900 IN RRSIG ( DNSKEY 13 1 900 20181128000000
20170530000000 47005 . 20151103000000 28809 com.
jPah4caFBSqhdt78YYhwFZn3ouKiWUKTH1t/nMB7tXzjorQJ50j1RMR23JVL+ 8qZOVM4X8wGt5XPWhG2HO4FAD6Kvs5eIhZUz+7DVCrZ/XMEVrMIHcm1Q+sq0s
jGGQccnLkQnUf7zednetSWalg== ) hm4cSivK2BxOO24PHJXoZN2Lw== )
com. 86400 IN DS ( 18931 13 2 20f7a9db42d0e2042fbbb9f9ea015941202
f9eabb94487e658c188e7bcb52115 )
com. 86400 IN DS ( 28809 13 2 ad66b3276f796223aa45eda773e92c6d98e
70643bbde681db342a9e5cf2bb380 )
com. 86400 IN RRSIG ( DS 13 1 86400 20181128000000
20151103000000 31918 .
5KQVa0NP+6k7VEGMmeky2/Y3wIGM70Fkm0vp5NmQ6KPk8L1XMJPltcJDWGGjc
EU3Uc4z2DUxzZyWgEDdrSOcdw== )
. 86400 IN DNSKEY ( 256 3 13
zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW
P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918
. 86400 IN DNSKEY ( 256 3 13
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20170612000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20181128000000
20170530000000 47005 . 20151103000000 47005 .
tFldEx7SQI43PIzn1ib/oZTko+Q+gRuOLcALoSA0WQRh1yXSV1752p1n3imhK ehAzuZD3yT0pShXkKavrMdz+DKvvFvbZ+sGRZ5iQTni+ulMzZxHQ5+kSha65B
8y3m+LZSLDSBHEocXIiRHWdFg== ) Y2AIUphjyWcGr6VwP3Ne74iZA== )
A hex dump of the wire format data of this content is: A hex dump of the wire format data of this content is:
0000: 04 5f 34 34 33 04 5f 74 63 70 03 77 77 77 07 65 0000: 04 5f 34 34 33 04 5f 74 63 70 03 77 77 77 07 65
0010: 78 61 6d 70 6c 65 03 63 6f 6d 00 00 34 00 01 00 0010: 78 61 6d 70 6c 65 03 63 6f 6d 00 00 34 00 01 00
0020: 00 0e 10 00 23 03 01 01 c6 6b ef 6a 5c 1a 3e 78 0020: 00 0e 10 00 23 03 01 01 c6 6b ef 6a 5c 1a 3e 78
0030: b8 20 16 e1 3f 31 4f 3c c5 fa 25 b1 e5 2a ab 9a 0030: b8 20 16 e1 3f 31 4f 3c c5 fa 25 b1 e5 2a ab 9a
0040: db 9e c5 98 9b 16 5a da 04 5f 34 34 33 04 5f 74 0040: db 9e c5 98 9b 16 5a da 04 5f 34 34 33 04 5f 74
0050: 63 70 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63 0050: 63 70 03 77 77 77 07 65 78 61 6d 70 6c 65 03 63
0060: 6f 6d 00 00 2e 00 01 00 00 0e 10 00 5f 00 34 0d 0060: 6f 6d 00 00 2e 00 01 00 00 0e 10 00 5f 00 34 0d
0070: 05 00 00 0e 10 59 43 1f 80 59 27 70 00 07 4e 07 0070: 05 00 00 0e 10 5b fd da 80 56 37 f9 00 07 4e 07
0080: 65 78 61 6d 70 6c 65 03 63 6f 6d 00 7b be 85 af 0080: 65 78 61 6d 70 6c 65 03 63 6f 6d 00 ba 69 75 0d
0090: 63 08 fd be 6e eb 68 df 85 c2 58 e6 41 37 2f 68 0090: 48 e9 e5 17 eb 5e 7f 56 b6 e3 31 11 05 7e ca 0c
00a0: 34 4f 4f ce 91 9c 4c b0 54 bb e5 31 cd 57 0c 57 00a0: eb 38 d7 2e ce c9 f2 7c e1 92 b3 3c 1a 0d d9 12
00b0: cf 10 ce 33 13 29 7a b4 81 d9 10 d0 cf f3 32 c8 00b0: 38 9d 0a 9d d7 1f 6d bd 88 94 b5 15 d3 86 7e 57
00c0: 24 e8 06 12 59 8c 58 c5 15 6e ae e1 07 65 78 61 00c0: 8f 3c f9 27 75 8e be ff db 5b 6c 28 07 65 78 61
00d0: 6d 70 6c 65 03 63 6f 6d 00 00 30 00 01 00 00 0e 00d0: 6d 70 6c 65 03 63 6f 6d 00 00 30 00 01 00 00 0e
00e0: 10 00 44 01 01 03 0d 26 70 35 5e 0c 89 4d 9c fe 00e0: 10 00 44 01 01 03 0d 26 70 35 5e 0c 89 4d 9c fe
00f0: a6 c5 af 6e b7 d4 58 b5 7a 50 ba 88 27 25 12 d8 00f0: a6 c5 af 6e b7 d4 58 b5 7a 50 ba 88 27 25 12 d8
0100: 24 1d 85 41 fd 54 ad f9 6e c9 56 78 9a 51 ce b9 0100: 24 1d 85 41 fd 54 ad f9 6e c9 56 78 9a 51 ce b9
0110: 71 09 4b 3b b3 f4 ec 49 f6 4c 68 65 95 be 5b 2e 0110: 71 09 4b 3b b3 f4 ec 49 f6 4c 68 65 95 be 5b 2e
0120: 89 e8 79 9c 77 17 cc 07 65 78 61 6d 70 6c 65 03 0120: 89 e8 79 9c 77 17 cc 07 65 78 61 6d 70 6c 65 03
0130: 63 6f 6d 00 00 2e 00 01 00 00 0e 10 00 5f 00 30 0130: 63 6f 6d 00 00 2e 00 01 00 00 0e 10 00 5f 00 30
0140: 0d 02 00 00 0e 10 59 43 1f 80 59 27 70 00 07 4e 0140: 0d 02 00 00 0e 10 5b fd da 80 56 37 f9 00 07 4e
0150: 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 db ce bb 0150: 07 65 78 61 6d 70 6c 65 03 63 6f 6d 00 1e e8 c0
0160: 5f 1c 4b f0 4e de 1e 36 f0 00 75 ae 79 f1 4e 7b 0160: f6 f4 13 6c 2c 4c 79 a6 23 0c e0 85 d1 f6 32 1e
0170: 42 3b ff dc c0 04 b8 3c 5f 3a e7 ac a7 0c 47 0a 0170: 16 a3 4e 5e 71 3f 3b 6b a7 9b ba 3f 6b d8 57 c9
0180: a5 3d 70 95 28 d5 c9 65 5c 6f 7c ad 25 1e d2 77 0180: da 61 02 c6 df 35 05 d6 06 9e ad 60 4e 6a 05 d7
0190: 00 2c 0a 9f f7 e9 19 a6 04 e9 cb 09 60 07 65 78 0190: 6e 56 92 49 b6 30 07 de 8b 53 7b 92 76 07 65 78
01a0: 61 6d 70 6c 65 03 63 6f 6d 00 00 2b 00 01 00 00 01a0: 61 6d 70 6c 65 03 63 6f 6d 00 00 2b 00 01 00 00
01b0: 03 84 00 24 07 4e 0d 02 e9 b5 33 a0 49 79 8e 90 01b0: 03 84 00 24 07 4e 0d 02 e9 b5 33 a0 49 79 8e 90
01c0: 0b 5c 29 c9 0c d2 5a 98 6e 8a 44 f3 19 ac 3c d3 01c0: 0b 5c 29 c9 0c d2 5a 98 6e 8a 44 f3 19 ac 3c d3
01d0: 02 ba fc 08 f5 b8 1e 16 07 65 78 61 6d 70 6c 65 01d0: 02 ba fc 08 f5 b8 1e 16 07 65 78 61 6d 70 6c 65
01e0: 03 63 6f 6d 00 00 2e 00 01 00 00 03 84 00 57 00 01e0: 03 63 6f 6d 00 00 2e 00 01 00 00 03 84 00 57 00
01f0: 2b 0d 02 00 00 03 84 59 34 9f 00 59 2b 64 80 49 01f0: 2b 0d 02 00 00 03 84 5b fd da 80 56 37 f9 00 86
0200: f3 03 63 6f 6d 00 18 f3 6d 66 92 89 48 73 26 3a 0200: 17 03 63 6f 6d 00 d6 db 9a f6 7b 40 a9 9b ce 9c
0210: cd 1e 35 38 a3 97 07 1b ed de d6 14 db 16 f0 f5 0210: ae 54 ce dc c8 8c dd fc 06 ab 3a 98 9f 0a 01 3e
0220: 62 27 20 c5 eb fa 66 ac a4 a7 8e 93 33 ca 62 42 0220: cb e3 e0 31 7a f0 cb fb 3d 09 7e de d1 0b 5f e0
0230: 91 7a 51 b5 15 3a 83 14 3a 80 a5 f2 b6 80 00 e5 0230: e9 0a df 68 89 f5 c2 a1 78 53 b4 ef 0b c3 d8 38
0240: 6b 92 ba 37 ec 2d 03 63 6f 6d 00 00 30 00 01 00 0240: 3d 14 fc 76 2d c1 03 63 6f 6d 00 00 30 00 01 00
0250: 00 03 84 00 44 01 01 03 0d 45 b9 1c 3b ef 7a 5d 0250: 00 03 84 00 44 01 00 03 0d ec 82 04 e4 3a 25 f2
0260: 99 a7 a7 c8 d8 22 e3 38 96 bc 80 a7 77 a0 42 34 0260: 34 8c 52 a1 d3 bc e3 a2 65 aa 5d 11 b4 3d c2 a4
0270: a6 05 a4 a8 88 0e c7 ef a4 e6 d1 12 c7 3c d3 d4 0270: 71 16 2f f3 41 c4 9d b9 f5 0a 2e 1a 41 ca f2 e9
0280: c6 55 64 fa 74 34 7c 87 37 23 cc 5f 64 33 70 f1 0280: cd 20 10 4e a0 96 8f 75 11 21 9f 0b dc 56 b6 80
0290: 66 b4 3d ed ff 83 64 00 ff 03 63 6f 6d 00 00 2e 0290: 12 cc 39 95 33 67 51 90 0b 03 63 6f 6d 00 00 30
02a0: 00 01 00 00 03 84 00 57 00 30 0d 01 00 00 03 84 02a0: 00 01 00 00 03 84 00 44 01 01 03 0d 45 b9 1c 3b
02b0: 59 34 9f 00 59 2b 64 80 49 f3 03 63 6f 6d 00 8d 02b0: ef 7a 5d 99 a7 a7 c8 d8 22 e3 38 96 bc 80 a7 77
02c0: 21 46 95 a5 17 ab 10 0a 49 dd 25 d3 6b 7d 88 ab 02c0: a0 42 34 a6 05 a4 a8 88 0e c7 ef a4 e6 d1 12 c7
02d0: 2b 18 c9 53 da f2 76 fd a5 82 b8 ea 14 cb 7c 25 02d0: 3c d3 d4 c6 55 64 fa 74 34 7c 87 37 23 cc 5f 64
02e0: 4a 36 4a f0 48 9b e6 a3 0d aa 5b 98 15 8e 64 12 02e0: 33 70 f1 66 b4 3d ed ff 83 64 00 ff 03 63 6f 6d
02f0: bb 1b 6e 45 3f 03 00 88 3d 48 b7 0f 78 53 2b 03 02f0: 00 00 30 00 01 00 00 03 84 00 44 01 01 03 0d b3
0300: 63 6f 6d 00 00 2b 00 01 00 01 51 80 00 24 49 f3 0300: 37 3b 6e 22 e8 e4 9e 0e 1e 59 1a 9f 5b d9 ac 5e
0310: 0d 02 20 f7 a9 db 42 d0 e2 04 2f bb b9 f9 ea 01 0310: 1a 0f 86 18 7f e3 47 03 f1 80 a9 d3 6c 95 8f 71
0320: 59 41 20 2f 9e ab b9 44 87 e6 58 c1 88 e7 bc b5 0320: c4 af 48 ce 0e bc 5c 79 2a 72 4e 11 b4 38 95 93
0330: 21 15 03 63 6f 6d 00 00 2e 00 01 00 01 51 80 00 0330: 7e e5 34 04 26 81 29 47 6e b1 ae d3 23 93 90 03
0340: 53 00 2b 0d 01 00 01 51 80 59 3d d9 80 59 2c b6 0340: 63 6f 6d 00 00 2e 00 01 00 00 03 84 00 57 00 30
0350: 00 b7 9d 00 33 56 6b d8 e2 80 50 7a e6 cf 68 27 0350: 0d 01 00 00 03 84 5b fd da 80 56 37 f9 00 49 f3
0360: bb 22 5c a7 aa 41 f1 36 94 1c ae 94 9c 3f da 98 0360: 03 63 6f 6d 00 95 99 93 06 b7 dc 46 05 5b a8 72
0370: c5 0f 56 b8 26 c7 57 44 05 a3 a5 11 ef d9 77 b3 0370: 48 7c 25 6b e9 cd c7 50 38 32 dc c9 4d 48 24 a7
0380: 49 a9 50 8d 99 76 98 78 8e 4b 30 a8 70 51 63 09 0380: ad 55 76 4b 9f cd 98 1d d9 88 57 2f 20 39 f4 8a
0390: a2 b6 14 05 00 00 30 00 01 00 01 51 80 00 44 01 0390: a5 cf 9b b6 10 7e f7 d6 8b ab ad cb 10 6e fd f4
03a0: 01 03 0d ca f5 fe 54 d4 d4 8f 16 62 1a fb 6b d3 03a0: 83 e9 2d 40 47 03 63 6f 6d 00 00 2e 00 01 00 00
03b0: ad 21 55 ba cf 57 d1 fa ad 5b ac 42 d1 7d 94 8c 03b0: 03 84 00 57 00 30 0d 01 00 00 03 84 5b fd da 80
03c0: 42 17 36 d9 38 9c 4c 40 11 66 6e a9 5c f1 77 25 03c0: 56 37 f9 00 70 89 03 63 6f 6d 00 f2 a6 4e 54 ce
03d0: bd 0f a0 0c e5 e7 14 e4 ec 82 cf df ac c9 b1 c8 03d0: 17 f3 01 ad e5 73 d6 84 6d 87 3b 81 40 0f a2 af
03e0: 63 ad 46 00 00 2e 00 01 00 01 51 80 00 53 00 30 03e0: b3 97 88 85 95 33 fb b0 d5 0a b6 7f 5c c1 15 ac
03f0: 0d 00 00 01 51 80 59 3d d9 80 59 2c b6 00 b7 9d 03f0: c2 07 72 6d 50 fa ca b4 b2 19 b8 71 28 af 2b 60
0400: 00 2b 43 e5 99 de 8d bd e6 e1 f0 05 2d 16 a1 7a 0400: 71 38 ed b8 3c 72 57 a1 93 76 2f 03 63 6f 6d 00
0410: 79 15 42 da 47 da 2f 63 0e 46 ab 7d e3 7e 9b 8a 0410: 00 2b 00 01 00 01 51 80 00 24 49 f3 0d 02 20 f7
0420: 7d 25 e2 3f 18 bf 85 4c 17 b7 d5 3c 06 c8 18 bb 0420: a9 db 42 d0 e2 04 2f bb b9 f9 ea 01 59 41 20 2f
0430: bd 98 44 11 72 e3 18 bc 9d 99 88 e5 00 91 58 c8 0430: 9e ab b9 44 87 e6 58 c1 88 e7 bc b5 21 15 03 63
0440: 47 0440: 6f 6d 00 00 2b 00 01 00 01 51 80 00 24 70 89 0d
0450: 02 ad 66 b3 27 6f 79 62 23 aa 45 ed a7 73 e9 2c
0460: 6d 98 e7 06 43 bb de 68 1d b3 42 a9 e5 cf 2b b3
0470: 80 03 63 6f 6d 00 00 2e 00 01 00 01 51 80 00 53
0480: 00 2b 0d 01 00 01 51 80 5b fd da 80 56 37 f9 00
0490: 7c ae 00 e4 a4 15 6b 43 4f fb a9 3b 54 41 8c 99
04a0: e9 32 db f6 37 c0 81 8c ef 41 64 9b 4b e9 e4 d9
04b0: 90 e8 a3 e4 f0 bd 57 30 93 e5 b5 c2 43 58 61 a3
04c0: 70 45 37 51 ce 33 d8 35 31 cd 9c 96 80 40 dd ad
04d0: 23 9c 77 00 00 30 00 01 00 01 51 80 00 44 01 00
04e0: 03 0d cc ac fe 0c 25 a4 34 0f ef ba 17 a2 54 f7
04f0: 06 aa c1 f8 d1 4f 38 29 90 25 ac c4 48 ca 8c e3
0500: f5 61 f3 7f c3 ec 16 9f e8 47 c8 fc be 68 e3 58
0510: ff 7c 71 bb 5e e1 df 0d be 51 8b c7 36 d4 ce 8d
0520: fe 14 00 00 30 00 01 00 01 51 80 00 44 01 00 03
0530: 0d f3 03 19 67 89 73 1d dc 8a 67 87 ef f2 4c ac
0540: fe dd d0 32 58 2f 11 a7 5b b1 bc aa 5a b3 21 c1
0550: d7 52 5c 26 58 19 1a ec 01 b3 e9 8a b7 91 5b 16
0560: d5 71 dd 55 b4 ea e5 14 17 11 0c c4 cd d1 1d 17
0570: 11 00 00 30 00 01 00 01 51 80 00 44 01 01 03 0d
0580: ca f5 fe 54 d4 d4 8f 16 62 1a fb 6b d3 ad 21 55
0590: ba cf 57 d1 fa ad 5b ac 42 d1 7d 94 8c 42 17 36
05a0: d9 38 9c 4c 40 11 66 6e a9 5c f1 77 25 bd 0f a0
05b0: 0c e5 e7 14 e4 ec 82 cf df ac c9 b1 c8 63 ad 46
05c0: 00 00 2e 00 01 00 01 51 80 00 53 00 30 0d 00 00
05d0: 01 51 80 5b fd da 80 56 37 f9 00 b7 9d 00 7a 10
05e0: 33 b9 90 f7 c9 3d 29 4a 15 e4 29 ab eb 31 dc fe
05f0: 0c ab ef 16 f6 d9 fa c1 91 67 98 90 4e 78 be ba
0600: 53 33 67 11 d0 e7 e9 12 85 ae b9 05 8d 80 21 4a
0610: 61 8f 25 9c 1a be 95 c0 fd cd 7b be 22 64
D.2. _25._tcp.example.com wildcard A.2. _25._tcp.example.com wildcard
_25._tcp.example.com. 3600 IN TLSA ( 3 1 1 _25._tcp.example.com. 3600 IN TLSA ( 3 1 1
c66bef6a5c1a3e78b82016e13f314f3cc5fa25b1e52aab9adb9ec5989b165 c66bef6a5c1a3e78b82016e13f314f3cc5fa25b1e52aab9adb9ec5989b165
ada ) ada )
_25._tcp.example.com. 3600 IN RRSIG ( TLSA 13 3 3600 _25._tcp.example.com. 3600 IN RRSIG ( TLSA 13 3 3600
20170616000000 20170526000000 1870 example.com. 20181128000000 20151103000000 1870 example.com.
dVxm88Spko03MB4pLo+zijMup2nr1Ii65yPqB/cAR/1Zg41iXer7I2sGh9KfT e7Q5L2x7Ca3SkSY6pRjqgtRxkEN1uYUcgyMlPp6GQ4zxAZxoO1Y1vGqxN4eNA
ExLJC6dUMDVFUfm+1rwb+ax8Q== ) +yBnlUSIJQ46KKVS5PC79Qipg== )
*._tcp.example.com. 3600 IN NSEC ( *._tcp.example.com. 3600 IN NSEC (
_443._tcp.www.example.com. RRSIG NSEC TLSA ) _443._tcp.www.example.com. RRSIG NSEC TLSA )
*._tcp.example.com. 3600 IN RRSIG ( NSEC 13 3 3600 *._tcp.example.com. 3600 IN RRSIG ( NSEC 13 3 3600
20170616000000 20170526000000 1870 example.com. 20181128000000 20151103000000 1870 example.com.
1lNaYYQ+FAG8YBVEx/026OGhVw5DjAyqBGrrLN9D12IZuLHtTQ4C9QPORP4na FlTtPqEPUPAQozlbt7bD9s2XIxdVPJ3nb+jK94Fxa2JsaZChH1n/DsYb5KS7J
GWNPgASvLyNR8MoN0oXV7tbnQ== ) G5GyubhMFTLeIqwTngx6JCktg== )
example.com. 3600 IN DNSKEY ( 257 3 13 example.com. 3600 IN DNSKEY ( 257 3 13
JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s
/TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870 /TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870
example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600 example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600
20170616000000 20170526000000 1870 example.com. 20181128000000 20151103000000 1870 example.com.
sB6o0XXz7AXDWibruD75rllaHI1kOu4ftoXsKOPPArjflNlTPxrJsspN8ww9r HujA9vQTbCxMeaYjDOCF0fYyHhajTl5xPztrp5u6P2vYV8naYQLG3zUF1gaer
8q6DBlCdlRQvzD90UKZDIAqbA== ) WBOagXXblaSSbYwB96LU3uSdg== )
example.com. 900 IN DS ( 1870 13 2 example.com. 900 IN DS ( 1870 13 2 e9b533a049798e900b5c29c90cd25a
e9b533a049798e900b5c29c90cd25a986e8a44f319ac3cd302bafc08f5b81 986e8a44f319ac3cd302bafc08f5b81e16 )
e16 ) example.com. 900 IN RRSIG ( DS 13 2 900 20181128000000
example.com. 900 IN RRSIG ( DS 13 2 900 20170605000000 20151103000000 34327 com.
20170529000000 18931 com. 1tua9ntAqZvOnK5UztzIjN38Bqs6mJ8KAT7L4+AxevDL+z0Jft7RC1/g6Qrfa
rBV/16HTJBwmexByZq7WzYbB3EYaJ6MctpUSxuSNEpwDgzKkwIXzKECh5F5x3 In1wqF4U7TvC8PYOD0U/HYtwQ== )
5XxvbOdLIJAcxhRS1c2VITfMA== ) com. 900 IN DNSKEY ( 256 3 13
7IIE5Dol8jSMUqHTvOOiZapdEbQ9wqRxFi/zQcSdufUKLhpByvLpzSAQTqCWj
3URIZ8L3Fa2gBLMOZUzZ1GQCw== ) ; Key ID = 34327
com. 900 IN DNSKEY ( 257 3 13 com. 900 IN DNSKEY ( 257 3 13
RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f
Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931 Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931
com. 900 IN RRSIG ( DNSKEY 13 1 900 20170605000000 com. 900 IN DNSKEY ( 257 3 13
20170529000000 18931 com. szc7biLo5J4OHlkan1vZrF4aD4YYf+NHA/GAqdNslY9xxK9Izg68XHkqck4Rt
wjCqnHNa5QcMrbuAnKIWBESMFtVjDldmd98udKPtg35V9ESD9SuNKtRJRdHYk DiVk37lNAQmgSlHbrGu0yOTkA== ) ; Key ID = 28809
c6Nx3HLmhidf6dmt/Hi0ePBsQ== ) com. 900 IN RRSIG ( DNSKEY 13 1 900 20181128000000
com. 86400 IN DS ( 18931 13 2 20151103000000 18931 com.
20f7a9db42d0e2042fbbb9f9ea015941202f9eabb94487e658c188e7bcb52 lZmTBrfcRgVbqHJIfCVr6c3HUDgy3MlNSCSnrVV2S5/NmB3ZiFcvIDn0iqXPm
115 ) 7YQfvfWi6utyxBu/fSD6S1ARw== )
com. 86400 IN RRSIG ( DS 13 1 86400 20170612000000 com. 900 IN RRSIG ( DNSKEY 13 1 900 20181128000000
20170530000000 47005 . 20151103000000 28809 com.
jPah4caFBSqhdt78YYhwFZn3ouKiWUKTH1t/nMB7tXzjorQJ50j1RMR23JVL+ 8qZOVM4X8wGt5XPWhG2HO4FAD6Kvs5eIhZUz+7DVCrZ/XMEVrMIHcm1Q+sq0s
jGGQccnLkQnUf7zednetSWalg== ) hm4cSivK2BxOO24PHJXoZN2Lw== )
com. 86400 IN DS ( 18931 13 2 20f7a9db42d0e2042fbbb9f9ea015941202
f9eabb94487e658c188e7bcb52115 )
com. 86400 IN DS ( 28809 13 2 ad66b3276f796223aa45eda773e92c6d98e
70643bbde681db342a9e5cf2bb380 )
com. 86400 IN RRSIG ( DS 13 1 86400 20181128000000
20151103000000 31918 .
5KQVa0NP+6k7VEGMmeky2/Y3wIGM70Fkm0vp5NmQ6KPk8L1XMJPltcJDWGGjc
EU3Uc4z2DUxzZyWgEDdrSOcdw== )
. 86400 IN DNSKEY ( 256 3 13
zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW
P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918
. 86400 IN DNSKEY ( 256 3 13
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20170612000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20181128000000
20170530000000 47005 . 20151103000000 47005 .
tFldEx7SQI43PIzn1ib/oZTko+Q+gRuOLcALoSA0WQRh1yXSV1752p1n3imhK ehAzuZD3yT0pShXkKavrMdz+DKvvFvbZ+sGRZ5iQTni+ulMzZxHQ5+kSha65B
8y3m+LZSLDSBHEocXIiRHWdFg== ) Y2AIUphjyWcGr6VwP3Ne74iZA== )
D.3. _443._tcp.www.example.org CNAME A.3. _443._tcp.www.example.org CNAME
_443._tcp.www.example.org. 3600 IN CNAME ( _443._tcp.www.example.org. 3600 IN CNAME (
dane311.example.org. ) dane311.example.org. )
_443._tcp.www.example.org. 3600 IN RRSIG ( CNAME 13 5 3600 _443._tcp.www.example.org. 3600 IN RRSIG ( CNAME 13 5 3600
20170616000000 20170526000000 44384 example.org. 20181128000000 20151103000000 56566 example.org.
DN+UMxh5TWL1u6Mc6ScWMU5R9C+qqIOSH4hqQmiPWhvSg0lFd71g43UqtdmBT wLQYbRNMqrXCD65GZJqwwsD0TDF2VQTklBYdYCMo+JTjqvZw1UFYmcJXmwJsL
VRUbhk/f9WC8Fy5D0gE5lUcyA== ) KezLIzSdKW6jK0LMJ3YUw3Bmw== )
dane311.example.org. 3600 IN TLSA ( 3 1 1 dane311.example.org. 3600 IN TLSA ( 3 1 1
c66bef6a5c1a3e78b82016e13f314f3cc5fa25b1e52aab9adb9ec5989b165 c66bef6a5c1a3e78b82016e13f314f3cc5fa25b1e52aab9adb9ec5989b165
ada ) ada )
dane311.example.org. 3600 IN RRSIG ( TLSA 13 3 3600 dane311.example.org. 3600 IN RRSIG ( TLSA 13 3 3600
20170616000000 20170526000000 44384 example.org. 20181128000000 20151103000000 56566 example.org.
HJx59dAMQgvJSYBYtixzfodup5KRUzJ1SlRUrFJkGZz6PkpfuFdtpZwPN1vw9 AllKVcpLz/9vG/xJQFwWEK0cHbjO6lI65ELWSoWxPvYJ5o8QnSbRkzfCM4lTs
SyvXq7WqRD46aaCMwR4ApUJ+w== ) g94s5VvzMLYIbSZ1TWo2hcCdg== )
example.org. 3600 IN DNSKEY ( 256 3 13
NrbL6utGqIW1wrhhjeexdA6bMdD1lC1hj0Fnpevaa1AMyY2uy83TmoGnR996N
UR5TlG4Zh+YPbbmUIixe4nS3w== ) ; Key ID = 56566
example.org. 3600 IN DNSKEY ( 257 3 13 example.org. 3600 IN DNSKEY ( 257 3 13
uspaqp17jsMTX6AWVgmbog/3Sttz+9ANFUWLn6qKUHr0BOqRuChQWj8jyYUUr uspaqp17jsMTX6AWVgmbog/3Sttz+9ANFUWLn6qKUHr0BOqRuChQWj8jyYUUr
Wy9txxesNQ9MkO4LUrFght1LQ== ) ; Key ID = 44384 Wy9txxesNQ9MkO4LUrFght1LQ== ) ; Key ID = 44384
example.org. 3600 IN RRSIG ( DNSKEY 13 2 3600 example.org. 3600 IN RRSIG ( DNSKEY 13 2 3600
20170616000000 20170526000000 44384 example.org. 20181128000000 20151103000000 44384 example.org.
MPTpfbVvPBXmh2Z4fgjy2GMgcJ8RYpXeOBOBidJDglLh4XQAiFOT6YpGRR5ig ZsQ5wl2ZvofwDq7uYlvoqEeq9byHbl59Ap4EPXdB4PpnWy2dJkIElgXCfILrU
tQGINd6gKVYdRSsEtXe1K8zxg== ) EUCD1aKb2SoRZe18EJ8LMVJuw== )
example.org. 900 IN DS ( 44384 13 2 example.org. 900 IN DS ( 44384 13 2 ec307e2efc8f0117ed96ab48a513c
ec307e2efc8f0117ed96ab48a513c8003e1d9121f1ff11a08b4cdd348d090 8003e1d9121f1ff11a08b4cdd348d090aa6 )
aa6 ) example.org. 900 IN RRSIG ( DS 13 2 900 20181128000000
example.org. 900 IN RRSIG ( DS 13 2 900 20170615000000 20151103000000 9523 org.
20170525000000 12651 org. 15KUWAaNkJehAUdqm46TdeGg6mVm6bVKeaWLr34FTJlfMWWij+kmA6SM/bZbq
MA3pxiap702Hvc81diwZDcRzLrkKssVzzTqCiJJoZFeNq40GuCOVGgEc+w6aq kZBjtMWT55XersA+llFQNQI/Q== )
SVgkgFJrhJISei/kvIZTx8ftw== ) org. 900 IN DNSKEY ( 256 3 13
fuLp60znhSSEr9HowILpTpyLKQdM6ixcgkTE0gqVdsLx+DSNHSc69o6fLWC0e
HfWx7kzlBBoJB0vLrvsJtXJ6g== ) ; Key ID = 47417
org. 900 IN DNSKEY ( 256 3 13
zTHbb7JM627Bjr8CGOySUarsic91xZU3vvLJ5RjVix9YH6+iwpBXb6qfHyQHy
mlMiAAoaoXh7BUkEBVgDVN8sQ== ) ; Key ID = 9523
org. 900 IN DNSKEY ( 257 3 13
Uf24EyNt51DMcLV+dHPInhSpmjPnqAQNUTouU+SGLu+lFRRlBetgw1bJUZNI6
Dlger0VJTm0QuX/JVXcyGVGoQ== ) ; Key ID = 49352
org. 900 IN DNSKEY ( 257 3 13 org. 900 IN DNSKEY ( 257 3 13
0SZfoe8Yx+eoaGgyAGEeJax/ZBV1AuG+/smcOgRm+F6doNlgc3lddcM1MbTvJ 0SZfoe8Yx+eoaGgyAGEeJax/ZBV1AuG+/smcOgRm+F6doNlgc3lddcM1MbTvJ
HTjK6Fvy8W6yZ+cAptn8sQheg== ) ; Key ID = 12651 HTjK6Fvy8W6yZ+cAptn8sQheg== ) ; Key ID = 12651
org. 900 IN RRSIG ( DNSKEY 13 1 900 20170615000000 org. 900 IN RRSIG ( DNSKEY 13 1 900 20181128000000
20170525000000 12651 org. 20151103000000 12651 org.
o4L9nBQo8KXF0a7D5268U+Bq8SuW/aePtyuSfvQvP79nN/mzh9P11CsT/opmW G9I7dIh5Zn2hBu8jhgnLDTXZUpnPRkOMHjl1RcyHNbvJGLIiaPRVtcJXW0Vr+
kg0u6pqaG9KE1T37jloes8J8w== ) arygWmsHrDgWz0vw2IXZr3qKw== )
org. 86400 IN DS ( 12651 13 2 org. 900 IN RRSIG ( DNSKEY 13 1 900 20181128000000
3979a51f98bbf219fcaf4a4176e766dfa8f9db5c24a75743eb1e704b97a9f 20151103000000 49352 org.
abc ) iQmYWqUdU07Syw1Fqwx+8+hSk0w06tCGmkwdppyxUSFESumEhkOXgOv6NuIEn
org. 86400 IN RRSIG ( DS 13 1 86400 20170612000000 eKjwMIaLj5HFB+9WnOkzgGE5Q== )
20170530000000 47005 . org. 86400 IN DS ( 12651 13 2 3979a51f98bbf219fcaf4a4176e766dfa8f
Mi1c7QrpHnl1MSLJTrq/WM0V0DQKwFPGaMFmHHwm8Yb/b934CUHMXU0dR+cLT 9db5c24a75743eb1e704b97a9fabc )
hakZNz37edtwPxKKOzZQ6pYUw== ) org. 86400 IN DS ( 49352 13 2 03d11a1aa114abbb8f708c3c0ff0db765fe
f4a2f18920db5f58710dd767c293b )
org. 86400 IN RRSIG ( DS 13 1 86400 20181128000000
20151103000000 31918 .
JGPMvEbfLoWNUELn/5cjjdRZx2CmdikbHuH6N/1BrxACWrGy05NuPvBPTEVOr
mPFfm5SIMLLTWgxf0K0FsNHoQ== )
. 86400 IN DNSKEY ( 256 3 13
zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW
P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918
. 86400 IN DNSKEY ( 256 3 13
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20170612000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20181128000000
20170530000000 47005 . 20151103000000 47005 .
tFldEx7SQI43PIzn1ib/oZTko+Q+gRuOLcALoSA0WQRh1yXSV1752p1n3imhK ehAzuZD3yT0pShXkKavrMdz+DKvvFvbZ+sGRZ5iQTni+ulMzZxHQ5+kSha65B
8y3m+LZSLDSBHEocXIiRHWdFg== ) Y2AIUphjyWcGr6VwP3Ne74iZA== )
D.4. _443._tcp.www.example.net DNAME A.4. _443._tcp.www.example.net DNAME
example.net. 3600 IN DNAME example.com. example.net. 3600 IN DNAME example.com.
example.net. 3600 IN RRSIG ( DNAME 13 2 3600 20170616000000 example.net. 3600 IN RRSIG ( DNAME 13 2 3600 20181128000000
20170526000000 48085 example.net. 20151103000000 48085 example.net.
sTl9oxvpd7KxOZ9e5suevha7Fr+zPc3a0pWEUfjFE5v9Umu5js/vcp1i6hdqy +MJa5ZEmYh/kHYOhabF3ibfJ5xhJDJAA76Sugc/LFyTDJbmYW/nlYf3XLdcDh
tQ2WXEQDsHeEjw9stupvMJkkg== ) 7lv6NfCkPuv6eCkSFGnVVvriA== )
_443._tcp.www.example.net. 3600 IN CNAME ( _443._tcp.www.example.net. 3600 IN CNAME (
_443._tcp.www.example.com. ) _443._tcp.www.example.com. )
_443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1 _443._tcp.www.example.com. 3600 IN TLSA ( 3 1 1
c66bef6a5c1a3e78b82016e13f314f3cc5fa25b1e52aab9adb9ec5989b165 c66bef6a5c1a3e78b82016e13f314f3cc5fa25b1e52aab9adb9ec5989b165
ada ) ada )
_443._tcp.www.example.com. 3600 IN RRSIG ( TLSA 13 5 3600 _443._tcp.www.example.com. 3600 IN RRSIG ( TLSA 13 5 3600
20170616000000 20170526000000 1870 example.com. 20181128000000 20151103000000 1870 example.com.
GRsT6bcn3fokM5JMvHF0liq63N/kUX+CrZQZIr4GlFnMr/uoS4P1zOBwc0sft
Kd8NsZJAikRr4CpaXITYQMx1w== ) uml1DUjp5RfrXn9WtuMxEQV+ygzrONcuzsnyfOGSszwaDdkSOJ0Kndcfbb2Il
LUV04Z+V488+Sd1jr7/21tsKA== )
example.net. 3600 IN DNSKEY ( 257 3 13 example.net. 3600 IN DNSKEY ( 257 3 13
X9GHpJcS7bqKVEsLiVAbddHUHTZqqBbVa3mzIQmdp+5cTJk7qDazwH68Kts8d X9GHpJcS7bqKVEsLiVAbddHUHTZqqBbVa3mzIQmdp+5cTJk7qDazwH68Kts8d
9MvN55HddWgsmeRhgzePz6hMg== ) ; Key ID = 48085 9MvN55HddWgsmeRhgzePz6hMg== ) ; Key ID = 48085
example.net. 3600 IN RRSIG ( DNSKEY 13 2 3600 example.net. 3600 IN RRSIG ( DNSKEY 13 2 3600
20170616000000 20170526000000 48085 example.net. 20181128000000 20151103000000 48085 example.net.
8jSs5O3AypurKs8JFoAYj30qlmQ9QS29IBoqbyv2ggxtdDZoKWZE0kOuQcRxx Qu7q2IheqxAKGnchYSvQeJuXdnBj/+wJoEmv67wemOUI6qvWWIo535w+hguUV
q1pP707qRjp98THQSTVh+C0iQ== ) mZm/W5rp3qWBGChLxxfqIK13g== )
example.net. 900 IN DS ( 48085 13 2 example.net. 900 IN DS ( 48085 13 2 7c1998ce683df60e2fa41460c453f
7c1998ce683df60e2fa41460c453f88f463dac8cd5d074277b4a7c0450292 88f463dac8cd5d074277b4a7c04502921be )
1be ) example.net. 900 IN RRSIG ( DS 13 2 900 20181128000000
example.net. 900 IN RRSIG ( DS 13 2 900 20170615000000 20151103000000 10713 net.
20170525000000 485 net. xxSlIJlpOSmrUgwR++os2SHTpRf53SO95G6FQyH5lEslnTnbZoq0p/AVrlB8q
xqN9gHO5HXB+GH2x3DvjpMl6f+CdsVvON2K7G0FDVIL5iFMNLPqCAITlFofWF Qw3qmSXjRwGW3VFbkV60/tWCg== )
Ty6VXFKPoy9TZresE/JCL/PFA== ) net. 900 IN DNSKEY ( 256 3 13
061EoQs4sBcDsPiz17vt4nFSGLmXAGguqLStOesmKNCimi4/lw/vtyfqALuLF
JiFjtCK3HMPi8HQ1jbGEwbGCA== ) ; Key ID = 10713
net. 900 IN DNSKEY ( 257 3 13 net. 900 IN DNSKEY ( 257 3 13
LkNCPE+v3S4MVnsOqZFhn8n2NSwtLYOZLZjjgVsAKgu4XZncaDgq1R/7ZXRO5 LkNCPE+v3S4MVnsOqZFhn8n2NSwtLYOZLZjjgVsAKgu4XZncaDgq1R/7ZXRO5
oVx2zthxuu2i+mGbRrycAaCvA== ) ; Key ID = 485 oVx2zthxuu2i+mGbRrycAaCvA== ) ; Key ID = 485
net. 900 IN RRSIG ( DNSKEY 13 1 900 20170615000000 net. 900 IN RRSIG ( DNSKEY 13 1 900 20181128000000
20170525000000 485 net. 20151103000000 485 net.
jEI8WucG9EzJ1Euv0Pq3aNFhoYbvQeLUs19r9YImkWi8QlmH76ZJuLTCGHTDh CC494bZrtBHXImEZpe6E3h6NL0R5fRR/MEuC1f2sfC6/dlCjRwFjCy9eOKnFL
/Il5cZWukKc3ScptxVA57uRyQ== ) ar4Rxbpf7dvEwqGHNTawEo6jw== )
net. 86400 IN DS ( 485 13 2 net. 86400 IN DS ( 485 13 2 ab25a2941aa7f1eb8688bb783b25587515a0c
ab25a2941aa7f1eb8688bb783b25587515a0cd8c247769b23adb13ca234d1 d8c247769b23adb13ca234d1c05 )
c05 ) net. 86400 IN RRSIG ( DS 13 1 86400 20181128000000
net. 86400 IN RRSIG ( DS 13 1 86400 20170612000000 20151103000000 31918 .
20170530000000 47005 . q+G4l97pYbFgAUhzzOW5+YoFiJc5omUbe20H28AwMHOrx19BdGp/2XhKDQ5F3
ZR/UTP2OrYwJQhsCAWsKoIs9OSiUDdBFXzFqYSrV41G1oQsKVSi/NU1tT1UZW tUTNerRmklzYm+7J/XtLpGXAw== )
CENddWt90XLXZAlSYnv6s8Ceg== ) . 86400 IN DNSKEY ( 256 3 13
zKz+DCWkNA/vuheiVPcGqsH40U84KZAlrMRIyozj9WHzf8PsFp/oR8j8vmjjW
P98cbte4d8NvlGLxzbUzo3+FA== ) ; Key ID = 31918
. 86400 IN DNSKEY ( 256 3 13
8wMZZ4lzHdyKZ4fv8kys/t3QMlgvEadbsbyqWrMhwddSXCZYGRrsAbPpireRW
xbVcd1VtOrlFBcRDMTN0R0XEQ== ) ; Key ID = 2635
. 86400 IN DNSKEY ( 257 3 13 . 86400 IN DNSKEY ( 257 3 13
yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv yvX+VNTUjxZiGvtr060hVbrPV9H6rVusQtF9lIxCFzbZOJxMQBFmbqlc8Xclv
Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005 Q+gDOXnFOTsgs/frMmxyGOtRg== ) ; Key ID = 47005
. 86400 IN RRSIG ( DNSKEY 13 0 86400 20170612000000 . 86400 IN RRSIG ( DNSKEY 13 0 86400 20181128000000
20170530000000 47005 . 20151103000000 47005 .
tFldEx7SQI43PIzn1ib/oZTko+Q+gRuOLcALoSA0WQRh1yXSV1752p1n3imhK ehAzuZD3yT0pShXkKavrMdz+DKvvFvbZ+sGRZ5iQTni+ulMzZxHQ5+kSha65B
8y3m+LZSLDSBHEocXIiRHWdFg== ) Y2AIUphjyWcGr6VwP3Ne74iZA== )
example.com. 3600 IN DNSKEY ( 257 3 13 example.com. 3600 IN DNSKEY ( 257 3 13
JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s JnA1XgyJTZz+psWvbrfUWLV6ULqIJyUS2CQdhUH9VK35bslWeJpRzrlxCUs7s
/TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870 /TsSfZMaGWVvlsuieh5nHcXzA== ) ; Key ID = 1870
example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600 example.com. 3600 IN RRSIG ( DNSKEY 13 2 3600
20170616000000 20170526000000 1870 example.com. 20181128000000 20151103000000 1870 example.com.
sB6o0XXz7AXDWibruD75rllaHI1kOu4ftoXsKOPPArjflNlTPxrJsspN8ww9r HujA9vQTbCxMeaYjDOCF0fYyHhajTl5xPztrp5u6P2vYV8naYQLG3zUF1gaer
8q6DBlCdlRQvzD90UKZDIAqbA== ) WBOagXXblaSSbYwB96LU3uSdg== )
example.com. 900 IN DS ( 1870 13 2 example.com. 900 IN DS ( 1870 13 2 e9b533a049798e900b5c29c90cd25a
e9b533a049798e900b5c29c90cd25a986e8a44f319ac3cd302bafc08f5b81 986e8a44f319ac3cd302bafc08f5b81e16 )
e16 ) example.com. 900 IN RRSIG ( DS 13 2 900 20181128000000
example.com. 900 IN RRSIG ( DS 13 2 900 20170605000000 20151103000000 34327 com.
20170529000000 18931 com. 1tua9ntAqZvOnK5UztzIjN38Bqs6mJ8KAT7L4+AxevDL+z0Jft7RC1/g6Qrfa
In1wqF4U7TvC8PYOD0U/HYtwQ== )
rBV/16HTJBwmexByZq7WzYbB3EYaJ6MctpUSxuSNEpwDgzKkwIXzKECh5F5x3 com. 900 IN DNSKEY ( 256 3 13
5XxvbOdLIJAcxhRS1c2VITfMA== ) 7IIE5Dol8jSMUqHTvOOiZapdEbQ9wqRxFi/zQcSdufUKLhpByvLpzSAQTqCWj
3URIZ8L3Fa2gBLMOZUzZ1GQCw== ) ; Key ID = 34327
com. 900 IN DNSKEY ( 257 3 13 com. 900 IN DNSKEY ( 257 3 13
RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f RbkcO+96XZmnp8jYIuM4lryAp3egQjSmBaSoiA7H76Tm0RLHPNPUxlVk+nQ0f
Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931 Ic3I8xfZDNw8Wa0Pe3/g2QA/w== ) ; Key ID = 18931
com. 900 IN RRSIG ( DNSKEY 13 1 900 20170605000000 com. 900 IN DNSKEY ( 257 3 13
20170529000000 18931 com. szc7biLo5J4OHlkan1vZrF4aD4YYf+NHA/GAqdNslY9xxK9Izg68XHkqck4Rt
wjCqnHNa5QcMrbuAnKIWBESMFtVjDldmd98udKPtg35V9ESD9SuNKtRJRdHYk DiVk37lNAQmgSlHbrGu0yOTkA== ) ; Key ID = 28809
c6Nx3HLmhidf6dmt/Hi0ePBsQ== ) com. 900 IN RRSIG ( DNSKEY 13 1 900 20181128000000
com. 86400 IN DS ( 18931 13 2 20151103000000 18931 com.
20f7a9db42d0e2042fbbb9f9ea015941202f9eabb94487e658c188e7bcb52 lZmTBrfcRgVbqHJIfCVr6c3HUDgy3MlNSCSnrVV2S5/NmB3ZiFcvIDn0iqXPm
115 ) 7YQfvfWi6utyxBu/fSD6S1ARw== )
com. 86400 IN RRSIG ( DS 13 1 86400 20170612000000 com. 900 IN RRSIG ( DNSKEY 13 1 900 20181128000000
20170530000000 47005 . 20151103000000 28809 com.
jPah4caFBSqhdt78YYhwFZn3ouKiWUKTH1t/nMB7tXzjorQJ50j1RMR23JVL+ 8qZOVM4X8wGt5XPWhG2HO4FAD6Kvs5eIhZUz+7DVCrZ/XMEVrMIHcm1Q+sq0s
jGGQccnLkQnUf7zednetSWalg== ) hm4cSivK2BxOO24PHJXoZN2Lw== )
com. 86400 IN DS ( 18931 13 2 20f7a9db42d0e2042fbbb9f9ea015941202
f9eabb94487e658c188e7bcb52115 )
com. 86400 IN DS ( 28809 13 2 ad66b3276f796223aa45eda773e92c6d98e
70643bbde681db342a9e5cf2bb380 )
com. 86400 IN RRSIG ( DS 13 1 86400 20181128000000
20151103000000 31918 .
5KQVa0NP+6k7VEGMmeky2/Y3wIGM70Fkm0vp5NmQ6KPk8L1XMJPltcJDWGGjc
EU3Uc4z2DUxzZyWgEDdrSOcdw== )
Authors' Addresses Authors' Addresses
Melinda Shore Melinda Shore
Fastly Fastly
EMail: mshore@fastly.com EMail: mshore@fastly.com
Richard Barnes Richard Barnes
Mozilla Mozilla
 End of changes. 71 change blocks. 
334 lines changed or deleted 483 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/