diff --git a/doc/Changelog b/doc/Changelog index 4ef7bf16d..be1336228 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,8 @@ 15 October 2008: Wouter - better documentation for 0x20; remove fallback TODO, it is done. + - harden-referral-path feature includes A, AAAA queries for glue, + as well as very careful NS caching (only when doing NS query). + A, AAAA use the delegation from the NS-query. 14 October 2008: Wouter - fwd_three.tpkg test was flaky. If the three requests hit the diff --git a/doc/plan b/doc/plan index e7f12b928..dd2963a68 100644 --- a/doc/plan +++ b/doc/plan @@ -75,11 +75,11 @@ not stats on SIGUSR1. perhaps also see which slow auth servers cause >1sec value *** from draft resolver-mitigation + option harden-referral-path + direct queries for NS records -* careful caching, only NS query causes referral caching. -* direct queries for A, AAAA in-bailiwick from a referral. ++ careful caching, only NS query causes referral caching. ++ direct queries for A, AAAA in-bailiwick from a referral. * trouble counter, cache wipe threshold. -* off-path validation? ++ off-path validation * root NS, root glue validation after prime * ignore bogus nameservers, pretend they always return a servfail. diff --git a/iterator/iterator.c b/iterator/iterator.c index 40fcbd452..bba487748 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c 
@@ -630,6 +630,57 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, return 1; } +/** + * Generate A and AAAA checks for glue that is in-zone for the referral + * we just got to obtain authoritative information on the adresses. + * + * @param qstate: the qtstate that triggered the need to prime. + * @param iq: iterator query state. + * @param id: module id. + */ +static void +generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq, + int id) +{ + struct module_qstate* subq; + size_t i; + struct reply_info* rep = iq->response->rep; + struct ub_packed_rrset_key* s; + log_assert(iq->dp); + + /* walk through additional, and check if in-zone, + * only relevant A, AAAA are left after scrub anyway */ + for(i=rep->an_numrrsets+rep->ns_numrrsets; irrset_count; i++) { + s = rep->rrsets[i]; + /* check *ALL* addresses that are transmitted in additional*/ + /* is it an address ? */ + if( !(ntohs(s->rk.type)==LDNS_RR_TYPE_A || + ntohs(s->rk.type)==LDNS_RR_TYPE_AAAA)) { + continue; + } + /* is this query the same as the A/AAAA check for it */ + if(qstate->qinfo.qtype == ntohs(s->rk.type) && + qstate->qinfo.qclass == ntohs(s->rk.rrset_class) && + query_dname_compare(qstate->qinfo.qname, + s->rk.dname)==0 && + (qstate->query_flags&BIT_RD) && + !(qstate->query_flags&BIT_CD)) + continue; + + /* generate subrequest for it */ + log_nametypeclass(VERB_ALGO, "must fetch addr", s->rk.dname, + ntohs(s->rk.type), ntohs(s->rk.rrset_class)); + if(!generate_sub_request(s->rk.dname, s->rk.dname_len, + ntohs(s->rk.type), ntohs(s->rk.rrset_class), + qstate, id, iq, + INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) { + log_err("out of memory generating ns check"); + return; + } + /* ignore subq - not need for more init */ + } +} + /** * Generate a NS check request to obtain authoritative information * on an NS rrset. 
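Review bot: The loop in `generate_a_aaaa_check` issues one subquery for every A or AAAA rrset in the additional section, so the number of extra lookups per referral is set by the remote server's response and nothing visible in this hunk caps it. Whether the scrubber or `generate_sub_request` bounds this is not shown here, so consider a small per-referral limit, or document where the bound comes from. The failure branch reuses the NS message; `log_err("out of memory generating addr check");` would let an operator tell the two apart. The doc comment promises in-zone glue only while the body relies on the scrubber for that, so the comment should say so (`adresses` and `qtstate` are typos, and the `@param qstate` text still talks about priming).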
@@ -637,18 +688,26 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq, * @param qstate: the qtstate that triggered the need to prime. * @param iq: iterator query state. * @param id: module id. - * @param qclass: the class. */ static void -generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, - int id, uint16_t qclass) +generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id) { struct module_qstate* subq; log_assert(iq->dp); - /* avoid the redundant INIT state processing. */ + /* is this query the same as the nscheck? */ + if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS && + query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 && + (qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){ + /* spawn off A, AAAA queries for in-zone glue to check */ + generate_a_aaaa_check(qstate, iq, id); + return; + } + + log_nametypeclass(VERB_ALGO, "must fetch ns", + iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass); if(!generate_sub_request(iq->dp->name, iq->dp->namelen, - LDNS_RR_TYPE_NS, qclass, qstate, id, iq, + LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq, INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) { log_err("out of memory generating ns check"); return; @@ -657,9 +716,9 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, struct iter_qstate* subiq = (struct iter_qstate*)subq->minfo[id]; - /* Set the initial delegation point to mine. */ - /* this means it queries the referral we just got */ /* make copy to avoid use of stub dp by different qs/threads */ + /* refetch glue to start higher up the tree */ + subiq->refetch_glue = 1; subiq->dp = delegpt_copy(iq->dp, subq->region); if(!subiq->dp) { log_err("out of memory generating ns check, copydp"); @@ -669,9 +728,6 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, return; } } - - /* this module stops, our submodule starts, and does the query. */ - qstate->ext_state[id] = module_wait_subquery; } /** 
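Review bot: The new "is this query the same as the nscheck?" test in `generate_ns_check` compares type, name and the RD/CD flags but not the class, whereas the corresponding test in `generate_a_aaaa_check` also compares `qclass`. Since the subrequest below is issued with `iq->qchase.qclass`, adding `qstate->qinfo.qclass == iq->qchase.qclass &&` to the condition would keep the two checks consistent. On allocation failure the function only logs and returns, so the hardening lookup is silently skipped for that referral; a comment stating that this is the intended behaviour would help. The function body continues past this hunk.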
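Review bot: In the `-657,9` hunk the comment `/* make copy to avoid use of stub dp by different qs/threads */` is now separated from the `delegpt_copy` call it explains by the new refetch-glue comment and assignment. Moving the two added lines above it, `/* refetch glue to start higher up the tree */` followed by `subiq->refetch_glue = 1;`, keeps each comment next to its statement. A short comment on why the delegation point is still copied when `refetch_glue` is set would also help, since that interaction is not visible here. The enclosing function starts and ends outside the hunk.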
@@ -1365,13 +1421,27 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, * delegation point, and back to the QUERYTARGETS_STATE. */ verbose(VERB_DETAIL, "query response was REFERRAL"); - /* Store the referral under the current query */ - if(!iter_dns_store(qstate->env, &iq->response->qinfo, - iq->response->rep, 1)) - return error_response(qstate, id, LDNS_RCODE_SERVFAIL); - if(qstate->env->neg_cache) - val_neg_addreferral(qstate->env->neg_cache, - iq->response->rep, iq->dp->name); + /* if hardened, only store referral if we asked for it */ + if(!qstate->env->cfg->harden_referral_path || + ( qstate->qinfo.qtype == LDNS_RR_TYPE_NS + && (qstate->query_flags&BIT_RD) + && !(qstate->query_flags&BIT_CD) + /* we know that all other NS rrsets are scrubbed + * away, thus on referral only one is left. + * see if that equals the query name... */ + && reply_find_rrset_section_ns(iq->response->rep, + qstate->qinfo.qname, qstate->qinfo.qname_len, + LDNS_RR_TYPE_NS, qstate->qinfo.qclass) + )) { + /* Store the referral under the current query */ + if(!iter_dns_store(qstate->env, &iq->response->qinfo, + iq->response->rep, 1)) + return error_response(qstate, id, + LDNS_RCODE_SERVFAIL); + if(qstate->env->neg_cache) + val_neg_addreferral(qstate->env->neg_cache, + iq->response->rep, iq->dp->name); + } /* Reset the event state, setting the current delegation * point to the referral. */ 
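Review bot: The new guard in `processQueryResponse` skips `val_neg_addreferral` as well as `iter_dns_store` when hardening is on and the query is not the NS lookup, but the comment only mentions storing the referral. If that is intended, say so in the comment: `/* if hardened, only store referral (and its negative-cache data) if we asked for it */`. The `qtype == LDNS_RR_TYPE_NS && RD && !CD` test also appears in `generate_ns_check` in the `-637,18` hunk, and a small static helper would keep the definition of "our own NS check" in one place. The function starts and ends outside this hunk.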
@@ -1390,12 +1460,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, iq->dnssec_expected = iter_indicates_dnssec(qstate->env, iq->dp, iq->response, iq->qchase.qclass); - /* spawn off a NS query to auth servers for the NS we just + /* spawn off NS and addr to auth servers for the NS we just * got in the referral. This gets authoritative answer - * (answer section trust level) rrset. - * right after, we detach subs, we don't want the answer */ + * (answer section trust level) rrset. + * right after, we detach the subs, answer goes to cache. */ if(qstate->env->cfg->harden_referral_path) - generate_ns_check(qstate, iq, id, iq->qchase.qclass); + generate_ns_check(qstate, iq, id); /* stop current outstanding queries. * FIXME: should the outstanding queries be waited for and diff --git a/testdata/dlv_insecure.rpl b/testdata/dlv_insecure.rpl index d6b8d6a1b..3da25d559 100644 --- a/testdata/dlv_insecure.rpl +++ b/testdata/dlv_insecure.rpl @@ -3,7 +3,7 @@ server: dlv-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" val-override-date: "20070916134226" - harden-referral-path: yes + harden-referral-path: no stub-zone: name: "." 
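Review bot: Setting `harden-referral-path: no` in dlv_insecure.rpl, and likewise in iter_lame_noaa.rpl, iter_scrub_cname_an.rpl, iter_scrub_dname_insec.rpl and val_referd.rpl, means these scenarios no longer run with the feature this commit extends. A one-line reason next to the option would help the next reader, for example `# off: this scenario does not script the extra NS/A/AAAA lookups`, if that is indeed why. In the three iter_* files the STEP 62/63 and 82/83 blocks are commented out rather than removed, and one line ends up as `; ; ENTRY_BEGIN`. Deleting those blocks, or keeping a hardened copy of each test, would be cleaner.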
@@ -140,23 +140,25 @@ ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 ENTRY_END ; DLV query -; picked out of the negative cache due to NS queries in between. -; ENTRY_BEGIN -; MATCH opcode qtype qname -; ADJUST copy_id -; REPLY QR NXDOMAIN -; SECTION QUESTION -; example.net.example.com. IN DLV -; SECTION ANSWER -; SECTION AUTHORITY -; example.com. IN NS ns.example.com. -; example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} -; example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC -; example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854} -; SECTION ADDITIONAL -; ns.example.com. IN A 1.2.3.4 -; ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} -; ENTRY_END +; could be picked out of the negative cache due to NS queries in between. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NXDOMAIN +SECTION QUESTION +www.example.net.example.com. IN DLV +SECTION ANSWER +SECTION AUTHORITY +example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600 +example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854} +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC +example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. 
IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END ENTRY_BEGIN MATCH opcode qtype qname diff --git a/testdata/iter_lame_noaa.rpl b/testdata/iter_lame_noaa.rpl index a232dbcb8..f5906808c 100644 --- a/testdata/iter_lame_noaa.rpl +++ b/testdata/iter_lame_noaa.rpl @@ -1,6 +1,6 @@ ; config options server: - harden-referral-path: yes + harden-referral-path: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. @@ -70,25 +70,25 @@ www.example.com. IN A ENTRY_END ; answer the NS queries that have been generated -STEP 62 CHECK_OUT_QUERY -ENTRY_BEGIN -MATCH qname qtype opcode -SECTION QUESTION -com. IN NS -ENTRY_END - -STEP 63 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR AA NOERROR -SECTION QUESTION -com. IN NS -SECTION ANSWER -com. IN NS a.gtld-servers.net. -SECTION ADDITIONAL -a.gtld-servers.net. IN A 192.5.6.30 -ENTRY_END +; STEP 62 CHECK_OUT_QUERY +; ENTRY_BEGIN +; MATCH qname qtype opcode +; SECTION QUESTION +; com. IN NS +; ENTRY_END +; +; STEP 63 REPLY +; ; ENTRY_BEGIN +; MATCH opcode qtype qname +; ADJUST copy_id +; REPLY QR AA NOERROR +; SECTION QUESTION +; com. IN NS +; SECTION ANSWER +; com. IN NS a.gtld-servers.net. +; SECTION ADDITIONAL +; a.gtld-servers.net. IN A 192.5.6.30 +; ENTRY_END STEP 70 REPLY ENTRY_BEGIN 
@@ -114,28 +114,28 @@ SECTION QUESTION www.example.com. IN A ENTRY_END -STEP 82 CHECK_OUT_QUERY -ENTRY_BEGIN -MATCH qname qtype opcode -SECTION QUESTION -example.com. IN NS -ENTRY_END - -STEP 83 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR AA NOERROR -SECTION QUESTION -example.com. IN NS -SECTION ANSWER -example.com. IN NS ns1.example.com. -example.com. IN NS ns2.example.com. -SECTION ADDITIONAL -ns1.example.com. IN A 168.192.2.2 -ns2.example.com. IN A 168.192.3.3 -ENTRY_END - +; STEP 82 CHECK_OUT_QUERY +; ENTRY_BEGIN +; MATCH qname qtype opcode +; SECTION QUESTION +; example.com. IN NS +; ENTRY_END +; +; STEP 83 REPLY +; ENTRY_BEGIN +; MATCH opcode qtype qname +; ADJUST copy_id +; REPLY QR AA NOERROR +; SECTION QUESTION +; example.com. IN NS +; SECTION ANSWER +; example.com. IN NS ns1.example.com. +; example.com. IN NS ns2.example.com. +; SECTION ADDITIONAL +; ns1.example.com. IN A 168.192.2.2 +; ns2.example.com. IN A 168.192.3.3 +; ENTRY_END +; STEP 90 REPLY ENTRY_BEGIN MATCH opcode qtype qname diff --git a/testdata/iter_ns_spoof.rpl b/testdata/iter_ns_spoof.rpl index 330141f82..891af28ed 100644 --- a/testdata/iter_ns_spoof.rpl +++ b/testdata/iter_ns_spoof.rpl 
@@ -24,27 +24,50 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +com. IN NS SECTION AUTHORITY com. IN NS a.gtld-servers.net. SECTION ADDITIONAL a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END + +; for simplicity the root server is authoritative for root-servers.net +; and also for gtld-servers.net +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +K.ROOT-SERVERS.NET. IN A +SECTION ANSWER +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +a.gtld-servers.net. IN A +SECTION ANSWER +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + RANGE_END ; a.gtld-servers.net. RANGE_BEGIN 0 100 ADDRESS 192.5.6.30 ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.com. IN A +example.com. IN NS SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL @@ -56,7 +79,7 @@ MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION -com. IN NS +com. IN NS SECTION ANSWER com. IN NS a.gtld-servers.net. SECTION ADDITIONAL @@ -107,6 +130,18 @@ SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + ;; answer to the spoofed query ; spoofed reply answer. ; here we put it in the nameserver for ease. ENTRY_BEGIN diff --git a/testdata/iter_scrub_cname_an.rpl b/testdata/iter_scrub_cname_an.rpl index fae2bfde6..164789b4f 100644 --- a/testdata/iter_scrub_cname_an.rpl +++ b/testdata/iter_scrub_cname_an.rpl 
@@ -1,6 +1,6 @@ ; config options server: - harden-referral-path: yes + harden-referral-path: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. @@ -63,24 +63,24 @@ SECTION QUESTION www.example.com. IN A ENTRY_END -STEP 62 CHECK_OUT_QUERY -ENTRY_BEGIN -MATCH qname qtype opcode -SECTION QUESTION -com. IN NS -ENTRY_END -STEP 63 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR NOERROR -SECTION QUESTION -com. IN NS -SECTION ANSWER -com. IN NS a.gtld-servers.net. -SECTION ADDITIONAL -a.gtld-servers.net. IN A 192.5.6.30 -ENTRY_END +; STEP 62 CHECK_OUT_QUERY +; ENTRY_BEGIN +; MATCH qname qtype opcode +; SECTION QUESTION +; com. IN NS +; ENTRY_END +; STEP 63 REPLY +; ENTRY_BEGIN +; MATCH opcode qtype qname +; ADJUST copy_id +; REPLY QR NOERROR +; SECTION QUESTION +; com. IN NS +; SECTION ANSWER +; com. IN NS a.gtld-servers.net. +; SECTION ADDITIONAL +; a.gtld-servers.net. IN A 192.5.6.30 +; ENTRY_END STEP 70 REPLY ENTRY_BEGIN @@ -103,24 +103,24 @@ SECTION QUESTION www.example.com. IN A ENTRY_END -STEP 82 CHECK_OUT_QUERY -ENTRY_BEGIN -MATCH qname qtype opcode -SECTION QUESTION -example.com. IN NS -ENTRY_END -STEP 83 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR NOERROR -SECTION QUESTION -example.com. IN NS -SECTION ANSWER -example.com. IN NS ns1.example.com. -SECTION ADDITIONAL -ns1.example.com. IN A 168.192.2.2 -ENTRY_END +; STEP 82 CHECK_OUT_QUERY +; ENTRY_BEGIN +; MATCH qname qtype opcode +; SECTION QUESTION +; example.com. IN NS +; ENTRY_END +; STEP 83 REPLY +; ENTRY_BEGIN +; MATCH opcode qtype qname +; ADJUST copy_id +; REPLY QR NOERROR +; SECTION QUESTION +; example.com. IN NS +; SECTION ANSWER +; example.com. IN NS ns1.example.com. +; SECTION ADDITIONAL +; ns1.example.com. IN A 168.192.2.2 +; ENTRY_END STEP 90 REPLY ENTRY_BEGIN diff --git a/testdata/iter_scrub_dname_insec.rpl b/testdata/iter_scrub_dname_insec.rpl index d7b8bc1b8..43c62e8d9 100644 --- a/testdata/iter_scrub_dname_insec.rpl 
+++ b/testdata/iter_scrub_dname_insec.rpl @@ -1,6 +1,6 @@ ; config options server: - harden-referral-path: yes + harden-referral-path: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. @@ -62,24 +62,26 @@ MATCH qname qtype opcode SECTION QUESTION x.y.example.com. IN A ENTRY_END -STEP 62 CHECK_OUT_QUERY -ENTRY_BEGIN -MATCH qname qtype opcode -SECTION QUESTION -com. IN NS -ENTRY_END -STEP 63 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR NOERROR -SECTION QUESTION -com. IN NS -SECTION ANSWER -com. IN NS a.gtld-servers.net. -SECTION ADDITIONAL -a.gtld-servers.net. IN A 192.5.6.30 -ENTRY_END + +; STEP 62 CHECK_OUT_QUERY +; ENTRY_BEGIN +; MATCH qname qtype opcode +; SECTION QUESTION +; com. IN NS +; ENTRY_END +; STEP 63 REPLY +; ENTRY_BEGIN +; MATCH opcode qtype qname +; ADJUST copy_id +; REPLY QR NOERROR +; SECTION QUESTION +; com. IN NS +; SECTION ANSWER +; com. IN NS a.gtld-servers.net. +; SECTION ADDITIONAL +; a.gtld-servers.net. IN A 192.5.6.30 +; ENTRY_END + STEP 70 REPLY ENTRY_BEGIN MATCH opcode qtype qname @@ -99,24 +101,26 @@ MATCH qname qtype opcode SECTION QUESTION x.y.example.com. IN A ENTRY_END -STEP 82 CHECK_OUT_QUERY -ENTRY_BEGIN -MATCH qname qtype opcode -SECTION QUESTION -example.com. IN NS -ENTRY_END -STEP 83 REPLY -ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id -REPLY QR NOERROR -SECTION QUESTION -example.com. IN NS -SECTION ANSWER -example.com. IN NS ns1.example.com. -SECTION ADDITIONAL -ns1.example.com. IN A 168.192.2.2 -ENTRY_END + +; STEP 82 CHECK_OUT_QUERY +; ENTRY_BEGIN +; MATCH qname qtype opcode +; SECTION QUESTION +; example.com. IN NS +; ENTRY_END +; STEP 83 REPLY +; ENTRY_BEGIN +; MATCH opcode qtype qname +; ADJUST copy_id +; REPLY QR NOERROR +; SECTION QUESTION +; example.com. IN NS +; SECTION ANSWER +; example.com. IN NS ns1.example.com. +; SECTION ADDITIONAL +; ns1.example.com. IN A 168.192.2.2 +; ENTRY_END + STEP 90 REPLY ENTRY_BEGIN MATCH opcode qtype qname 
diff --git a/testdata/val_referd.rpl b/testdata/val_referd.rpl index 26cef9995..b1398163e 100644 --- a/testdata/val_referd.rpl +++ b/testdata/val_referd.rpl @@ -3,7 +3,7 @@ server: trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" val-override-date: "20070916134226" - harden-referral-path: yes + harden-referral-path: no access-control: 127.0.0.1 allow_snoop stub-zone: @@ -112,7 +112,7 @@ SECTION QUESTION www.example.com. IN A SECTION ANSWER www.example.com. IN A 10.20.30.40 -ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854} +www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AD8qRJvXxOtmSuy8Ogyo0roA294qOtNT2E1m05kSU0jbxN4qLYn0OmU= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}