# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/check_nameservers.txt
# Rules Run:
# DNS_SERVERS_MATCH_DATA

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/dns.errors.txt
# Rules Run:
# DNS_NS_NO_CNAME DNS_SOA_REQUIRED DNS_SERVERS_MATCH_DATA

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/dnssec.rules.txt
# Rules Run:
# DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE
# DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_MISSING_NSEC_RECORD1
# DNSSEC_OPENSSL_KEY_ISSUES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE
# DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_NSEC_FOR_NS_GLUE_RECORD
# DNS_SOA_REQUIRED DNS_SERVERS_MATCH_DATA DNSSEC_MISSING_NSEC_RECORD2
# DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY
# DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP
# DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_TWO_ZSKS DNS_NS_NO_CNAME
# DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL
# DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_NOT_SIGNING_RRSIG
# DNSSEC_NSEC3_TTL

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
# Rules Run:
# DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE
# DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_MISSING_NSEC_RECORD1
# DNSSEC_NSEC_MEMORIZE DNSSEC_OPENSSL_KEY_ISSUES
# DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_RRSIG_TTL_MATCH_ORGTTL
# DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED
# DNS_SERVERS_MATCH_DATA DNSSEC_NSEC3_MEMORIZE DNSSEC_MISSING_NSEC_RECORD2
# DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY
# DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP
# DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_NSEC3_CHECK DNSSEC_TWO_ZSKS
# DNS_NS_NO_CNAME DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL
# DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_NOT_SIGNING_RRSIG
# DNSSEC_NSEC3_TTL

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/parent_child.rules.txt
# Rules Run:
# DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE
# DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY
# DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_NSEC_MEMORIZE
# DNSSEC_OPENSSL_KEY_ISSUES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE
# DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_RRSIG_TTL_MATCH_ORGTTL
# DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED
# DNS_SERVERS_MATCH_DATA DNS_MULTIPLE_NS DNSSEC_NSEC3_MEMORIZE
# DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD
# DNSSEC_RRSIGS_VERIFY DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP
# DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_NSEC3_CHECK DNSSEC_TWO_ZSKS
# DNS_NS_NO_CNAME DNSSEC_SUB_NOT_SECURE DNSSEC_RRSIG_FOR_NS_GLUE_RECORD
# DNSSEC_NSEC_TTL DNSSEC_MISSING_RRSIG_RECORD2
# DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_NSEC3_TTL

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/recommendations.rules.txt
# Rules Run:
# DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3
# DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE
# DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNS_MULTIPLE_NS
# DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY
# DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP
# DNS_NO_DOMAIN_MX_RECORDS DNSSEC_NSEC3_CHECK DNSSEC_SUB_NOT_SECURE
# DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_MISSING_RRSIG_RECORD1
# DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY DNSSEC_OPENSSL_KEY_ISSUES
# DNSSEC_NSEC_MEMORIZE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS
# DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED
# DNS_SERVERS_MATCH_DATA DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_NSEC3_MEMORIZE
# DNS_REASONABLE_TTLS DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNS_NS_NO_CNAME
# DNSSEC_TWO_ZSKS DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL
# DNSSEC_NSEC3_TTL DNSSEC_RRSIG_NOT_SIGNING_RRSIG

Donuts Analysis: newkeys-ns.test.dnssec-tools.org

Donuts Results: newkeys-ns.test.dnssec-tools.org
Source: db.newkeys-ns.test.dnssec-tools.org.zs.signed.modified

Record Results:
# Analyzing individual records in
# db.newkeys-ns.test.dnssec-tools.org.zs.signed.modified

Error: pastdate-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Location: db.newkeys-ns.test.dnssec-tools.org.zs.signed.modified:392
Message: RRSIG record for pastdate-a.newkeys-ns.test.dnssec-tools.org has expired
Details: Checks signature expiration time and warns or signals an error if the time is near or past.

Error: pastdate-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Location: db.newkeys-ns.test.dnssec-tools.org.zs.signed.modified:407
Message: RRSIG record for pastdate-aaaa.newkeys-ns.test.dnssec-tools.org has expired
Details: Checks signature expiration time and warns or signals an error if the time is near or past.

Error: reverseddates-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Location: db.newkeys-ns.test.dnssec-tools.org.zs.signed.modified:414
Message: RRSIG is nearing its expiration time
Details: Checks signature expiration time and warns or signals an error if the time is near or past.

Error: reverseddates-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Location: db.newkeys-ns.test.dnssec-tools.org.zs.signed.modified:430
Message: RRSIG is nearing its expiration time
Details: Checks signature expiration time and warns or signals an error if the time is near or past.

Name Results:
# Analyzing records for each name in
# db.newkeys-ns.test.dnssec-tools.org.zs.signed.modified

Error: pastdate-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: pastdate-aaaa.newkeys-ns.test.dnssec-tools.org type: AAAA failed to verify: Signature has expired since: 20140909065615
Details: RRSIGs must cryptographically verify the records they are signing.

Error: badsign-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: badsign-a.newkeys-ns.test.dnssec-tools.org type: A failed to verify: RSA Verification failed
Details: RRSIGs must cryptographically verify the records they are signing.

Error: addedlater-nosig-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: name addedlater-nosig-aaaa.newkeys-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains.
Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence.

Error: addedlater-nosig-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: name addedlater-nosig-aaaa.newkeys-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains.
Details: Checks to see if a name contains a RRSIG record.

Error: badsign-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: badsign-aaaa.newkeys-ns.test.dnssec-tools.org type: AAAA failed to verify: RSA Verification failed
Details: RRSIGs must cryptographically verify the records they are signing.

Error: addedlater-withsig-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: name addedlater-withsig-aaaa.newkeys-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains.
Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence.

Error: baddata-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: baddata-aaaa.newkeys-ns.test.dnssec-tools.org type: AAAA failed to verify: RSA Verification failed
Details: RRSIGs must cryptographically verify the records they are signing.

Error: futuredate-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: futuredate-aaaa.newkeys-ns.test.dnssec-tools.org type: AAAA failed to verify: Signature may only be used in the future; after 20141108060115
Details: RRSIGs must cryptographically verify the records they are signing.

Error: reverseddates-aaaa.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: reverseddates-aaaa.newkeys-ns.test.dnssec-tools.org type: AAAA failed to verify: RSA Verification failed
Details: RRSIGs must cryptographically verify the records they are signing.

Error: nsectest.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: nsectest.newkeys-ns.test.dnssec-tools.org type: NSEC failed to verify: RSA Verification failed
Details: RRSIGs must cryptographically verify the records they are signing.

Error: baddata-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: baddata-a.newkeys-ns.test.dnssec-tools.org type: A failed to verify: RSA Verification failed
Details: RRSIGs must cryptographically verify the records they are signing.

Error: futuredate-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: futuredate-a.newkeys-ns.test.dnssec-tools.org type: A failed to verify: Signature may only be used in the future; after 20141108060115
Details: RRSIGs must cryptographically verify the records they are signing.

Error: addedlater-withsig-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: name addedlater-withsig-a.newkeys-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains.
Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence.

Error: addedlater-nosig-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: name addedlater-nosig-a.newkeys-ns.test.dnssec-tools.org does not have an NSEC record, which is required for secure domains.
Details: checks to see if a given name is missing an NSEC record, which is require for dnssec to prove non-existence.

Error: addedlater-nosig-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: name addedlater-nosig-a.newkeys-ns.test.dnssec-tools.org does not have a RRSIG record, which is required for secure domains.
Details: Checks to see if a name contains a RRSIG record.

Error: reverseddates-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: reverseddates-a.newkeys-ns.test.dnssec-tools.org type: A failed to verify: RSA Verification failed
Details: RRSIGs must cryptographically verify the records they are signing.

Error: pastdate-a.newkeys-ns.test.dnssec-tools.org
Rule Type: Error
Message: RRSIG on name: pastdate-a.newkeys-ns.test.dnssec-tools.org type: A failed to verify: Signature has expired since: 20140909065615
Details: RRSIGs must cryptographically verify the records they are signing.

Donuts Summary: newkeys-ns.test.dnssec-tools.org
Rules Considered: 33
Rules Tested: 21
Records Analyzed: 108
Names Analyzed: 27
Errors Found: 21