# loading rule file # /usr/local/share/dnssec-tools/donuts/rules/check_nameservers.txt # Rules Run: # DNS_SERVERS_MATCH_DATA # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/dns.errors.txt # Rules Run: # DNS_NS_NO_CNAME DNS_SOA_REQUIRED DNS_SERVERS_MATCH_DATA # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/dnssec.rules.txt # Rules Run: # DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE # DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_MISSING_NSEC_RECORD1 # DNSSEC_OPENSSL_KEY_ISSUES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE # DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_NSEC_FOR_NS_GLUE_RECORD # DNS_SOA_REQUIRED DNS_SERVERS_MATCH_DATA DNSSEC_MISSING_NSEC_RECORD2 # DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY # DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP # DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_TWO_ZSKS DNS_NS_NO_CNAME # DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL # DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_NOT_SIGNING_RRSIG # DNSSEC_NSEC3_TTL # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/nsec_check.rules.txt # Rules Run: # DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE # DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_MISSING_NSEC_RECORD1 # DNSSEC_NSEC_MEMORIZE DNSSEC_OPENSSL_KEY_ISSUES # DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_RRSIG_TTL_MATCH_ORGTTL # DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED # DNS_SERVERS_MATCH_DATA DNSSEC_NSEC3_MEMORIZE DNSSEC_MISSING_NSEC_RECORD2 # DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY # DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP # DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_NSEC3_CHECK DNSSEC_TWO_ZSKS # DNS_NS_NO_CNAME DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL # DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_NOT_SIGNING_RRSIG # DNSSEC_NSEC3_TTL # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/parent_child.rules.txt # Rules Run: # DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE # DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY # DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_NSEC_MEMORIZE # DNSSEC_OPENSSL_KEY_ISSUES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE # DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_RRSIG_TTL_MATCH_ORGTTL # DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED # DNS_SERVERS_MATCH_DATA DNS_MULTIPLE_NS DNSSEC_NSEC3_MEMORIZE # DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD # DNSSEC_RRSIGS_VERIFY DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP # DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_NSEC3_CHECK DNSSEC_TWO_ZSKS # DNS_NS_NO_CNAME DNSSEC_SUB_NOT_SECURE DNSSEC_RRSIG_FOR_NS_GLUE_RECORD # DNSSEC_NSEC_TTL DNSSEC_MISSING_RRSIG_RECORD2 # DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_NSEC3_TTL # loading rule file # /usr/local/share/dnssec-tools/donuts/rules/recommendations.rules.txt # Rules Run: # DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 # DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE # DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNS_MULTIPLE_NS # DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY # DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP # DNS_NO_DOMAIN_MX_RECORDS DNSSEC_NSEC3_CHECK DNSSEC_SUB_NOT_SECURE # DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_MISSING_RRSIG_RECORD1 # DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY DNSSEC_OPENSSL_KEY_ISSUES # DNSSEC_NSEC_MEMORIZE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS # DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED # DNS_SERVERS_MATCH_DATA DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_NSEC3_MEMORIZE # DNS_REASONABLE_TTLS DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNS_NS_NO_CNAME # DNSSEC_TWO_ZSKS DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL # DNSSEC_NSEC3_TTL DNSSEC_RRSIG_NOT_SIGNING_RRSIG Donuts Analysis: insecure-ns.test.dnssec-tools.org Donuts Results: insecure-ns.test.dnssec-tools.org Source: db.insecure-ns.test.dnssec-tools.org.zs.signed.modified Record Results: # Analyzing individual records in # db.insecure-ns.test.dnssec-tools.org.zs.signed.modified Name Results: # Analyzing records for each name in # db.insecure-ns.test.dnssec-tools.org.zs.signed.modified Error: *.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name *.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: *.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name *.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: pastdate-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name pastdate-a.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: pastdate-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name pastdate-a.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: good-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name good-a.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: good-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name good-a.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: good-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name good-aaaa.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: good-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name good-aaaa.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: reverseddates-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name reverseddates-aaaa.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: reverseddates-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name reverseddates-aaaa.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: futuredate-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name futuredate-a.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: futuredate-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name futuredate-a.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: baddata-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name baddata-aaaa.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: baddata-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name baddata-aaaa.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: dns1.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns1.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name dns1.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: dns2.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: dns2.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name dns2.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: nosig-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name nosig-a.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: nosig-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name nosig-a.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: extra-txt.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name extra-txt.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: extra-txt.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name extra-txt.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: nsectest.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name nsectest.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: nsectest.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name nsectest.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: longlabel-01234567890123456789012345678901234567890123456789012.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name longlabel-01234567890123456789012345678901234567890123 456789012.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: longlabel-01234567890123456789012345678901234567890123456789012.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name longlabel-01234567890123456789012345678901234567890123 456789012.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: other-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name other-aaaa.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: other-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name other-aaaa.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: pastdate-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name pastdate-aaaa.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: pastdate-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name pastdate-aaaa.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: badsign-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name badsign-a.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: badsign-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name badsign-a.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: reverseddates-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name reverseddates-a.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: reverseddates-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name reverseddates-a.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: other-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name other-a.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: other-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name other-a.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: futuredate-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name futuredate-aaaa.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: futuredate-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name futuredate-aaaa.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: badsign-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name badsign-aaaa.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: badsign-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name badsign-aaaa.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: nosig-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name nosig-aaaa.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: nosig-aaaa.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name nosig-aaaa.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Error: baddata-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name baddata-a.insecure-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains. Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence. Error: baddata-a.insecure-ns.test.dnssec-tools.org Rule Type: Error Message: name baddata-a.insecure-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains. Details: Checks to see if a name contains a RRSIG record. Donuts Summary: insecure-ns.test.dnssec-tools.org Rules Considered: 33 Rules Tested: 21 Records Analyzed: 26 Names Analyzed: 23 Errors Found: 44