verify unit test.

git-svn-id: file:///svn/unbound/trunk@522 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2007-08-15 13:18:32 +00:00 · 2007-08-15 13:18:32 +00:00 · 1d29f79974
commit 1d29f79974
parent 927af50c81
8 changed files with 333 additions and 11 deletions
--- a/Makefile.in
+++ b/Makefile.in
@ -57,7 +57,8 @@ COMMON_SRC=$(wildcard services/*.c services/cache/*.c util/*.c \
 	util/configparser.c util/configlexer.c testcode/checklocks.c
 COMMON_OBJ=$(addprefix $(BUILD),$(COMMON_SRC:.c=.o))
 COMPAT_OBJ=$(addprefix $(BUILD)compat/,$(LIBOBJS))
-UNITTEST_SRC=$(wildcard testcode/unit*.c) testcode/readhex.c $(COMMON_SRC)
+UNITTEST_SRC=$(wildcard testcode/unit*.c) testcode/readhex.c \
+	testcode/ldns-testpkts.c $(COMMON_SRC)
 UNITTEST_OBJ=$(addprefix $(BUILD),$(UNITTEST_SRC:.c=.o)) $(COMPAT_OBJ)
 DAEMON_SRC=$(wildcard daemon/*.c) $(COMMON_SRC)
 DAEMON_OBJ=$(addprefix $(BUILD),$(DAEMON_SRC:.c=.o)) $(COMPAT_OBJ)
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,5 +1,6 @@
 15 August 2007: Wouter
 	- crypto calls to verify signatures.
+	- unit test for rrsig verification.

 14 August 2007: Wouter
 	- default outgoing ports changed to avoid port 2049 by default.
--- a/testcode/unitmain.c
+++ b/testcode/unitmain.c
@ -213,6 +213,7 @@ main(int argc, char* argv[])
 	}
 	printf("Start of %s unit test.\n", PACKAGE_STRING);
 	checklock_start();
+	verify_test();
 	net_test();
 	dname_test();
 	anchors_test();
--- a/testcode/unitmain.h
+++ b/testcode/unitmain.h
@ -57,5 +57,7 @@ void msgparse_test();
 void dname_test();
 /** unit test trust anchor storage functions */
 void anchors_test();
+/** unit test for verification functions */
+void verify_test();

 #endif /* TESTCODE_UNITMAIN_H */
--- a/testcode/unitverify.c
+++ b/testcode/unitverify.c
@ -0,0 +1,232 @@
+/*
+ * testcode/unitverify.c - unit test for signature verification routines.
+ *
+ * Copyright (c) 2007, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+/**
+ * \file
+ * Calls verification unit tests. Exits with code 1 on a failure. 
+ */
+
+#include "config.h"
+#include "util/log.h"
+#include "testcode/unitmain.h"
+#include "validator/val_sigcrypt.h"
+#include "validator/validator.h"
+#include "testcode/ldns-testpkts.h"
+#include "util/data/msgreply.h"
+#include "util/data/msgparse.h"
+#include "util/region-allocator.h"
+#include "util/alloc.h"
+#include "util/net_help.h"
+#include "util/module.h"
+#include "util/config_file.h"
+
+/** verbose signature test */
+static int vsig = 0;
+
+/** entry to packet buffer with wireformat */
+static void
+entry_to_buf(struct entry* e, ldns_buffer* pkt)
+{
+	unit_assert(e->reply_list);
+	if(e->reply_list->reply_from_hex) {
+		ldns_buffer_copy(pkt, e->reply_list->reply_from_hex);
+	} else {
+		ldns_status status;
+		size_t answer_size;
+		uint8_t* ans = NULL;
+		status = ldns_pkt2wire(&ans, e->reply_list->reply, 
+			&answer_size);
+		if(status != LDNS_STATUS_OK) {
+			log_err("could not create reply: %s",
+				ldns_get_errorstr_by_id(status));
+			fatal_exit("error in test");
+		}
+		ldns_buffer_clear(pkt);
+		ldns_buffer_write(pkt, ans, answer_size);
+		ldns_buffer_flip(pkt);
+		free(ans);
+	}
+}
+
+/** entry to reply info conversion */
+static void
+entry_to_repinfo(struct entry* e, struct alloc_cache* alloc, struct region* 
+	region, ldns_buffer* pkt, struct query_info* qi, 
+	struct reply_info** rep)
+{
+	int ret;
+	struct edns_data edns;
+	entry_to_buf(e, pkt);
+	ret = reply_info_parse(pkt, alloc, qi, rep, region, &edns);
+	region_free_all(region);
+	if(ret != 0) {
+		printf("parse code %d: %s\n", ret,
+			ldns_lookup_by_id(ldns_rcodes, ret)->name);
+		unit_assert(ret != 0);
+	}
+}
+
+/** extract DNSKEY rrset from answer and convert it */
+static struct ub_packed_rrset_key* 
+extract_keys(struct entry* e, struct alloc_cache* alloc, struct region*
+        region, ldns_buffer* pkt)
+{
+	struct ub_packed_rrset_key* dnskey = NULL;
+	struct query_info qinfo;
+	struct reply_info* rep = NULL;
+	size_t i;
+
+	entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
+	for(i=0; i<rep->an_numrrsets; i++) {
+		if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_DNSKEY) {
+			dnskey = rep->rrsets[i];
+			rep->rrsets[i] = NULL;
+			break;
+		}
+	}
+	unit_assert(dnskey);
+
+	reply_info_parsedelete(rep, alloc);
+	query_info_clear(&qinfo);
+	return dnskey;
+}
+
+/** return true if answer should be bogus */
+static int
+should_be_bogus(struct ub_packed_rrset_key* rrset)
+{
+	struct packed_rrset_data* d = (struct packed_rrset_data*)rrset->
+		entry.data;
+	if(d->rrsig_count == 0)
+		return 1;
+	return 0;
+}
+
+/** verify and test one rrset against the key rrset */
+static void
+verifytest_rrset(struct module_env* env, struct val_env* ve, 
+	struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey)
+{
+	enum sec_status sec;
+	if(vsig) {
+		log_nametypeclass(VERB_DETAIL, "verify of rrset",
+			rrset->rk.dname, ntohs(rrset->rk.type),
+			ntohs(rrset->rk.rrset_class));
+	}
+	sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey);
+	if(vsig) {
+		printf("verify outcome is: %s\n", sec_status_to_string(sec));
+	}
+	if(should_be_bogus(rrset)) {
+		unit_assert(sec == sec_status_bogus);
+	} else {
+		unit_assert(sec == sec_status_secure);
+	}
+}
+
+/** verify and test an entry - every rr in the message */
+static void
+verifytest_entry(struct entry* e, struct alloc_cache* alloc, struct region*
+        region, ldns_buffer* pkt, struct ub_packed_rrset_key* dnskey,
+	struct module_env* env, struct val_env* ve)
+{
+	struct query_info qinfo;
+	struct reply_info* rep = NULL;
+	size_t i;
+
+	region_free_all(region);
+	if(vsig) {
+		printf("verifying pkt:\n");
+		ldns_pkt_print(stdout, e->reply_list->reply);
+		printf("\n");
+	}
+	entry_to_repinfo(e, alloc, region, pkt, &qinfo, &rep);
+
+	for(i=0; i<rep->rrset_count; i++) {
+		verifytest_rrset(env, ve, rep->rrsets[i], dnskey);
+	}
+
+	reply_info_parsedelete(rep, alloc);
+	query_info_clear(&qinfo);
+}
+
+/** verify from a file */
+static void
+verifytest_file(const char* fname, const char* at_date)
+{
+	/* 
+	 * The file contains a list of ldns-testpkts entries.
+	 * The first entry must be a query for DNSKEY.
+	 * The answer rrset is the keyset that will be used for verification
+	 */
+	struct ub_packed_rrset_key* dnskey;
+	struct region* region = region_create(malloc, free);
+	struct alloc_cache alloc;
+	ldns_buffer* buf = ldns_buffer_new(65535);
+	struct entry* e;
+	struct entry* list = read_datafile(fname);
+	struct module_env env;
+	struct val_env ve;
+
+	if(!list)
+		fatal_exit("could not read %s: %s", fname, strerror(errno));
+	alloc_init(&alloc, NULL, 1);
+	memset(&env, 0, sizeof(env));
+	memset(&ve, 0, sizeof(ve));
+	env.scratch = region;
+	env.scratch_buffer = buf;
+	ve.date_override = cfg_convert_timeval(at_date);
+	unit_assert(region && buf);
+	dnskey = extract_keys(list, &alloc, region, buf);
+	if(vsig) log_nametypeclass(VERB_DETAIL, "test dnskey",
+			dnskey->rk.dname, ntohs(dnskey->rk.type), 
+			ntohs(dnskey->rk.rrset_class));
+	/* ready to go! */
+	for(e = list->next; e; e = e->next) {
+		verifytest_entry(e, &alloc, region, buf, dnskey, &env, &ve);
+	}
+
+	delete_entry(list);
+	region_destroy(region);
+	alloc_clear(&alloc);
+	ldns_buffer_free(buf);
+}
+
+void 
+verify_test()
+{
+	printf("verify test\n");
+	verifytest_file("testdata/test_signatures.1", "20070818005004");
+}
--- a/testdata/test_signatures.1
+++ b/testdata/test_signatures.1
@ -0,0 +1,81 @@
+; Signature test file
+
+; first entry is a DNSKEY answer, with the DNSKEY rrset used for verification. 
+; later entries are verified with it.
+
+
+; DNSKEY used for testing, from august 2007.
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl. IN DNSKEY
+SECTION ANSWER
+nlnetlabs.nl.           3600    IN      DNSKEY  257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==
+nlnetlabs.nl.           3600    IN      DNSKEY  256 3 5 AQOpbYrUNahQAV5/wTCJ9/wbSM/eV+N+jYZAMmIKn6QF3Z57B6upgcjV HEOyFkA3YcIt5Fz+WqodCrABn4qShd6qJYR8iP3S6fjN6PVpljMjrhsp /6yVc30C6c7P2b/mgWZi5iYC56lkegDs0VGfAW5HmosKjQVoYMjOtNo3 F+MGQw==
+nlnetlabs.nl.           3600    IN      DNSKEY  257 3 5 AQO6TtiOq7uZa8wHrQNUGT3ZXudaGjnbduUnyLw9WwiDEd8Vy1Ao4FVK 7xqEAFo4F5gOkdGr6Y7Xz0F+Z5e1AaQlvhBhjujvIhPZ5EIuNGkGUbRT YLhVX5OJUHMYdrXpGPdyG+V1TBTmxJ/+OmUdkWiT2J6w5XUpSYRB+p0k YwGf7uxPO/cDNp67fILtx1+dduS30B7QygOK+f7PeAZDcdBo2qsy5rnB sPsLhbEpdpWFs2WPTVo0IGYAER3nG6WZptiq8OYAb1K22K8i+j8+hDwv NRDMjWeVMebBZXbNQGkwsGgJsIsaoGfVOT3WdeJxDu9GqODM//mwZxTv O7StbOht
+ENTRY_END
+
+; first entry; the www site
+ENTRY_BEGIN
+SECTION QUESTION
+www.nlnetlabs.nl.              IN      A
+SECTION ANSWER
+www.nlnetlabs.nl.       600     IN      A       213.154.224.1
+www.nlnetlabs.nl.       600     IN      RRSIG   A 5 3 600 20070912005003 20070815005003 18182 nlnetlabs.nl. hAF6ZARy1QIdBuPF5FbRqktIrSZO1z6WcTXvxJ8FhpPnk17ytkD+gus/ 7Ae7pA/Lpr2KyQveSHyjfyYlnFZ82lasF3hPGrmeE/+stl3dEnuBz3Vo f8+s9lwQ6eXf7UM4e0md5KFPMdre0F9hrom/+P4/AU2yteLmuXVP6drC tFM=
+SECTION AUTHORITY
+nlnetlabs.nl.           86400   IN      NS      open.nlnetlabs.nl.
+nlnetlabs.nl.           86400   IN      NS      omval.tednet.nl.
+nlnetlabs.nl.           86400   IN      NS      ns7.domain-registry.nl.
+nlnetlabs.nl.           86400   IN      RRSIG   NS 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. XHtgh1xXm5rLRLW5eGsjMzoQdCP/GsL6Yqg6/Th5WHgwwbWQicdr7VFH Jhx4hssPtQZxc2Z34kERHTQndJ1mhefmI4qatDzZpGEmAuBTvWXC1JvR MprptlhncaqeV4jaK4P6OSd23lFIeoLl31glmcwl7a77IihaE6O57YRj WGo=
+SECTION ADDITIONAL
+ns7.domain-registry.nl. 17717   IN      A       62.4.86.230
+open.nlnetlabs.nl.      600     IN      A       213.154.224.1
+open.nlnetlabs.nl.      600     IN      AAAA    2001:7b8:206:1::1
+open.nlnetlabs.nl.      600     IN      AAAA    2001:7b8:206:1::53
+omval.tednet.nl.        28800   IN      A       213.154.224.17
+omval.tednet.nl.        28800   IN      AAAA    2001:7b8:206:1:200:39ff:fe59:b187
+open.nlnetlabs.nl.      600     IN      RRSIG   A 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. mit7SKO8i2b7rQ9E0chqJ25Lv4SYOfR6pdBGdtDrer6PLpASo72yaAlI wA232BS8Y1z8Mfrpo03li9c6FWB3tpUd8oRZyntcWRwvEwm6Q3mvpKN3 Ppsolcg+2fLDqSDyFqSw2jIPjrr2vlZfomRANwCce1N9UdD6aBgGpFQ+ DPE=
+open.nlnetlabs.nl.      600     IN      RRSIG   AAAA 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. gGE8aCQHfLEDjJ5myimVH4ho+LzXBEa8K/BVAVJbwlfvh83XEFujjeEx rifIwxqWAG0gylCywcJdZdFhB0UHn+X9AVne9TaP9QMvvzoCLGu6h/UI Uy15K/wD4ezPjvaxG/7o6fs6m+QUUU8ZYK2HRYxf90XCkL/BlkBWcLLy Fjc=
+ENTRY_END
+
+
+; big zone apex
+ENTRY_BEGIN
+SECTION QUESTION
+nlnetlabs.nl.                  IN      ANY
+SECTION ANSWER
+nlnetlabs.nl.           18000   IN      NSEC    _sip._udp.nlnetlabs.nl. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY
+nlnetlabs.nl.           18000   IN      RRSIG   NSEC 5 2 18000 20070912005004 20070815005004 18182 nlnetlabs.nl. fiCZX4X46rActlXXx8UrNwilCU6F+GiN6iVNmsAROoOcFVsV6EMbfQpR Z47XI2WHf0lmEjFcAQJbbIUlPPoMwSFeRHU9caSBkLPY7Da3rwTRDpQy nf28WwA90ZG8CxMyr0p2yIy4rd3qo7WItFvhaeFrZtovQDOx9gg92pAf SfM=
+nlnetlabs.nl.           86400   IN      A       213.154.224.1
+nlnetlabs.nl.           86400   IN      RRSIG   A 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. ZpLGyN5EUfMVOIgoLvy7axjk6fgdejFaElKiScNOx452GXwyvKRonU2K DBS+1cyxQg6nsEiq0PhIk+iOW5UdlBqyqVrNOzwItuWiQLqTFFVHjN16 DqiZGLvy7EiaTecbuq4oAQDkCYe/fy1d7if6q6POurYDjN2auRfOlo9Q JLw=
+nlnetlabs.nl.           86400   IN      NS      ns7.domain-registry.nl.
+nlnetlabs.nl.           86400   IN      NS      open.nlnetlabs.nl.
+nlnetlabs.nl.           86400   IN      NS      omval.tednet.nl.
+nlnetlabs.nl.           86400   IN      RRSIG   NS 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. XHtgh1xXm5rLRLW5eGsjMzoQdCP/GsL6Yqg6/Th5WHgwwbWQicdr7VFH Jhx4hssPtQZxc2Z34kERHTQndJ1mhefmI4qatDzZpGEmAuBTvWXC1JvR MprptlhncaqeV4jaK4P6OSd23lFIeoLl31glmcwl7a77IihaE6O57YRj WGo=
+nlnetlabs.nl.           86400   IN      RRSIG   SOA 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. LkiJYh+EV9vtH2a5Qzai1foMe60J+J5aioEvYwMrwAgi8OFPW/eiOhhC kDWXeCRXmmFaaImyzZQ2R1dA9Kz0Caar54fOEHQ63waYeODN+LAsewLx KLQBInTxFlH/eByFAOZmlO9+jutCLGBi2Tv/LL5T2XAfDMmcpzxgXDry ExQ=
+nlnetlabs.nl.           86400   IN      MX      50 open.nlnetlabs.nl.
+nlnetlabs.nl.           86400   IN      MX      100 omval.tednet.nl.
+nlnetlabs.nl.           86400   IN      RRSIG   MX 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. CdrpaduVD2QNfY2ifjKTN+t6tUDJgfUZZRzmf3LcwwtBlwfC4tRT44WD 2537dqDVnf5h6+Ejp3qJef44lwPzYaUI+/IHsGkmg6v063fHygHQf1Qz v+oBL3d4vRm7IZz0U8JzHMKwYt/D88Dw5ojr9w6NyYr7eiKXbFRD5R7x YT0=
+nlnetlabs.nl.           86400   IN      TXT     "Stichting NLnet Labs zone"
+nlnetlabs.nl.           86400   IN      RRSIG   TXT 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. Ray47yu7XIgwdCRvC5Ik/0S10m8reHMuV4d0OGh/q7J5bLN8PsONLzuX ncFihPZW9ziLKCFfJu5zKCjYh/RDNwpztAAeGNmfV7e1+ZWvolFU9DIY oHYbINYKKTqhNaU/UMXDTjmnHujo+7llgfQH6muc5R5ftvBnMcPHHQBg ydw=
+nlnetlabs.nl.           86400   IN      AAAA    2001:7b8:206:1::1
+nlnetlabs.nl.           86400   IN      RRSIG   AAAA 5 2 86400 20070912005004 20070815005004 18182 nlnetlabs.nl. Pw+xxoPe7UkfOML40UkSOmWFyRS4mSPcx6P37E6xLaJ4V9uYl5MldzRh NCBGtOYH7tPZUEIEqVCQU/G2jvP6643fLs7OwGMTFFZ/jSqo7ATdUzbk AMd1ewVAtMdpDRKqOPorsMFOsU6C7YB+pkvHTizfSMLsz23RI9kJqvXQ AgQ=
+nlnetlabs.nl.           600     IN      NAPTR   20 0 "s" "SIP+D2U" "" _sip._udp.nlnetlabs.nl.
+nlnetlabs.nl.           600     IN      RRSIG   NAPTR 5 2 600 20070912005004 20070815005004 18182 nlnetlabs.nl. jhGLCeaBRFOiRMWtNgAW6tcU4x/2NQG3cnbedaCUE+vxMGFwLKQ7Y8HH sio7PAIbwl3WDzXcBnSoVXtpFQyHvyVA9PdWujq16HN2tRn3+FFRZmvz +eywRXlSQCdj4GmamjVb1MGA3deV19t/YGBetshcwQBxeT4/7p/yN0/T Zro=
+nlnetlabs.nl.           3600    IN      DNSKEY  257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ==
+nlnetlabs.nl.           3600    IN      DNSKEY  256 3 5 AQOpbYrUNahQAV5/wTCJ9/wbSM/eV+N+jYZAMmIKn6QF3Z57B6upgcjV HEOyFkA3YcIt5Fz+WqodCrABn4qShd6qJYR8iP3S6fjN6PVpljMjrhsp /6yVc30C6c7P2b/mgWZi5iYC56lkegDs0VGfAW5HmosKjQVoYMjOtNo3 F+MGQw==
+nlnetlabs.nl.           3600    IN      DNSKEY  257 3 5 AQO6TtiOq7uZa8wHrQNUGT3ZXudaGjnbduUnyLw9WwiDEd8Vy1Ao4FVK 7xqEAFo4F5gOkdGr6Y7Xz0F+Z5e1AaQlvhBhjujvIhPZ5EIuNGkGUbRT YLhVX5OJUHMYdrXpGPdyG+V1TBTmxJ/+OmUdkWiT2J6w5XUpSYRB+p0k YwGf7uxPO/cDNp67fILtx1+dduS30B7QygOK+f7PeAZDcdBo2qsy5rnB sPsLhbEpdpWFs2WPTVo0IGYAER3nG6WZptiq8OYAb1K22K8i+j8+hDwv NRDMjWeVMebBZXbNQGkwsGgJsIsaoGfVOT3WdeJxDu9GqODM//mwZxTv O7StbOht
+nlnetlabs.nl.           3600    IN      RRSIG   DNSKEY 5 2 3600 20070912005004 20070815005004 18182 nlnetlabs.nl. ZBI75wWBme2zbhXevr6AMojVcLg5rSYb8osh6dxKKu92Gy2qJoOzYvjy YIn2NADmh5lMgPH836byoYlLnQ/SwAIkDgn+h7i8fTWA8mWynjl/sbK/ ojIMEKpvvLvp+o7vw09hjQfq8XAupj4oPE8Cbx7nQ9sSDPw1gED6x+si n6U=
+nlnetlabs.nl.           3600    IN      RRSIG   DNSKEY 5 2 3600 20070912005004 20070815005004 36867 nlnetlabs.nl. JYLaHp/ORxrDE2wu/gsq8t5SDmwXudnTxXPg4+IHxvg0MiVBSPYeDtEr oZgHSE5sL+AgJ0PLpL8U/CKaMuv2xTbYJ1+tABZUpE1yxmjdF3p4VJuQ P+r2qkAbnr9b0w4Bt/gzlP5hmZcUA+E9g6uZdp2pjni0OD3mgB5EhilD GaVnVUi2P0d3MCPDkGsVgNl76JY4098bL1LXmn6oqV2MbAaim7z4nb67 /S0qLIxz8Dw605dFRMDd8tfjK/FD9PGxXc424GPRWeycd5fuuifu6aig hCcG3qtNHYCtMqHaMfw6C/LiyQFvQ7zrKzq6rqGbt5PWID76j/cd1OqV QKtuYA==
+nlnetlabs.nl.           3600    IN      RRSIG   DNSKEY 5 2 3600 20070912005004 20070815005004 43791 nlnetlabs.nl. cNIuHTM6VpXpvpCjTaDLOVrzGQoNVXwJ2vcLbeNcuELeNMubpJ2hiLTG VorQbKM04t1HiJApf0BzkR5ke+9Mtoktm0/MvS1gW0lU2rqV5+7BhwTB Q6Q3QSYcgF/LUJp4neKjAKYNM4pwz4Tkg5AaurulCKfk5UZDE4JxCeCu zpI=
+nlnetlabs.nl.           86400   IN      SOA     open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2007081500 28800 7200 604800 18000
+SECTION ADDITIONAL
+open.nlnetlabs.nl.      600     IN      A       213.154.224.1
+open.nlnetlabs.nl.      600     IN      AAAA    2001:7b8:206:1::1
+open.nlnetlabs.nl.      600     IN      AAAA    2001:7b8:206:1::53
+johnny.nlnetlabs.nl.    600     IN      A       213.154.224.44
+open.nlnetlabs.nl.      600     IN      RRSIG   A 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. mit7SKO8i2b7rQ9E0chqJ25Lv4SYOfR6pdBGdtDrer6PLpASo72yaAlI wA232BS8Y1z8Mfrpo03li9c6FWB3tpUd8oRZyntcWRwvEwm6Q3mvpKN3 Ppsolcg+2fLDqSDyFqSw2jIPjrr2vlZfomRANwCce1N9UdD6aBgGpFQ+ DPE=
+open.nlnetlabs.nl.      600     IN      RRSIG   AAAA 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. gGE8aCQHfLEDjJ5myimVH4ho+LzXBEa8K/BVAVJbwlfvh83XEFujjeEx rifIwxqWAG0gylCywcJdZdFhB0UHn+X9AVne9TaP9QMvvzoCLGu6h/UI Uy15K/wD4ezPjvaxG/7o6fs6m+QUUU8ZYK2HRYxf90XCkL/BlkBWcLLy Fjc=
+_sip._udp.nlnetlabs.nl. 600     IN      RRSIG   SRV 5 4 600 20070912005004 20070815005004 18182 nlnetlabs.nl. EY2l3CzYpfRBAKw76ztFvEiSWHVLjmcqpTHJ7vc5FgF1+ryV7Y0Z2Hdj LZYse2e6DZvll5aGmtpG9TWtOf3aBx53YIpDS6j3j438lrAgThJZ+heU 1Jfp7i0nHcfj3V86uo8q/2S4/y8fKNgmhgJeJLm5Il7/WARANVpnYeFS 9Ko=
+johnny.nlnetlabs.nl.    600     IN      RRSIG   A 5 3 600 20070912005004 20070815005004 18182 nlnetlabs.nl. DY30CLeeKAif9SSFRvC8hHpYrLa2FEtspL4ay0pHfujyLkebvOko6BBL pjfr7VWL+0MGAIOGtCOq37ouWKMmCEbONyPCwj2eC6P/Dlr+llqTwgW8 5430Yhww2K8GTFnMtBZhqIlITtfIRgK4d8CQOJtIqwJ2qrc9iavun1JK IWc=
+_sip._udp.nlnetlabs.nl. 600     IN      SRV     0 0 5060 johnny.nlnetlabs.nl.
+ENTRY_END
--- a/util/net_help.h
+++ b/util/net_help.h
@ -73,9 +73,9 @@
 #define INET6_SIZE 16

 /** DNSKEY zone sign key flag */
-#define DNSKEY_BIT_ZSK 0x10
+#define DNSKEY_BIT_ZSK 0x0100
 /** DNSKEY secure entry point, KSK flag */
-#define DNSKEY_BIT_SEP 0x01
+#define DNSKEY_BIT_SEP 0x0001

 /**
 * See if string is ip4 or ip6.
--- a/validator/val_sigcrypt.c
+++ b/validator/val_sigcrypt.c
@ -90,7 +90,7 @@ rrset_get_sig_keytag(struct ub_packed_rrset_key* k, size_t sig_idx)
 	if(d->rr_len[d->count + sig_idx] < 2+18)
 		return 0;
 	memmove(&t, d->rr_data[d->count + sig_idx]+2+16, 2);
-	return t;
+	return ntohs(t);
 }

 /**
@ -671,6 +671,9 @@ canonical_compare(struct ub_packed_rrset_key* rrset, size_t i, size_t j)

 	if(i==j)
 		return 0;
+	c = memcmp(d->rr_data[i], d->rr_data[j], 2);
+	if(c != 0)
+		return c;

 	switch(type) {
 		/* These RR types have only a name as RDATA. 
@ -967,7 +970,8 @@ rrset_canonical(struct region* region, ldns_buffer* buf,

 	ldns_buffer_clear(buf);
 	ldns_buffer_write(buf, sig, siglen);
-	query_dname_tolower(sig+18); /* canonicalize signer name */
+	/* canonicalize signer name */
+	query_dname_tolower(ldns_buffer_begin(buf)+18); 
 	RBTREE_FOR(walk, struct canon_rr*, &sortree) {
 		/* determine canonical owner name */
 		if(can_owner)
@ -1291,18 +1295,18 @@ dnskey_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 		return sec_status_bogus;
 	}
 	/* verify keytag and sig algo (possibly again) */
-	if((int)sig[2] != dnskey_get_algo(dnskey, dnskey_idx)) {
+	if((int)sig[2+2] != dnskey_get_algo(dnskey, dnskey_idx)) {
 		verbose(VERB_ALGO, "verify: wrong algorithm");
 		return sec_status_bogus;
 	}
-	ktag = dnskey_calc_keytag(dnskey, dnskey_idx);
-	if(memcmp(sig+16, &ktag, 2) != 0) {
+	ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx));
+	if(memcmp(sig+2+16, &ktag, 2) != 0) {
 		verbose(VERB_ALGO, "verify: wrong keytag");
 		return sec_status_bogus;
 	}

 	/* verify labels is in a valid range */
-	if((int)sig[3] > dname_signame_label_count(rrset->rk.dname)) {
+	if((int)sig[2+3] > dname_signame_label_count(rrset->rk.dname)) {
 		verbose(VERB_ALGO, "verify: labelcount out of range");
 		return sec_status_bogus;
 	}
@ -1310,7 +1314,7 @@ dnskey_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 	/* original ttl, always ok */

 	/* verify inception, expiration dates */
-	if(!check_dates(ve, sig+8, sig+12)) {
+	if(!check_dates(ve, sig+2+8, sig+2+12)) {
 		return sec_status_bogus;
 	}

@ -1329,6 +1333,6 @@ dnskey_verify_rrset_sig(struct module_env* env, struct val_env* ve,
 	}

 	/* verify */
-	return verify_canonrrset(env->scratch_buffer, (int)sig[2],
+	return verify_canonrrset(env->scratch_buffer, (int)sig[2+2],
 		sigblock, sigblock_len, key, keylen);
 }