NSEC3 Test
This is a page just like the normal DNSSEC test page, only here the test tree is signed with a variant of our experimental NSEC3 branch.
At this time, the special signer for nsec3 is not finished. Therefore, while these zones are signed with the special error-inducing signer (which is under test), they only go 3 levels deep. That way I can update them more easily. Problems should not appear (if they do, I have a bug, please notify me).
Test Tree
I also created a complete tree to test your chaser/tracer/verifier/whatever with. At the moment it goes down 5 levels from nsec3.jelte.nlnetlabs.nl.
The address of the server is the same as this webserver.
Every zone has 6 delegations:
- ok these are signed correctly.
- nods A zone, but without the DS RR for the child zone
- bogussig the RRSIGs of zones starting with this name contain bad signature data.
- sigexpired the RRSIGs of zones starting with this name have an expiration date in the past.
- signotincepted the RRSIGs of zones starting with this name have an inception date in the future.
-
unknownalgorithm
the RRSIGS of zones starting with this name are signed correctly (with a known algorithm), but have the algorithm field set to another value.
The result is that you can test your programs with a range of domains, for example:
- ok.ok.ok.nsec3.jelte.nlnetlabs.nl
- ok.ok.nods.ok.nsec3.jelte.nlnetlabs.nl
- ok.bogussig.ok.nsec3.jelte.nlnetlabs.nl
- ok.ok.ok.nsec3.jelte.nlnetlabs.nl
- ok.bogussig.ok.ok.nsec3.jelte.nlnetlabs.nl
- ok.unknownalgorithm.ok.sigexpired.ok.nsec3.jelte.nlnetlabs.nl
- signotincepted.bogussig.sigexpired.bogussig.nsec3.jelte.nlnetlabs.nl
- bogussig.nsec3.jelte.nlnetlabs.nl
- sigexpired.nsec3.jelte.nlnetlabs.nl
- signotincepted.nsec3.jelte.nlnetlabs.nl
- unknownalgorithm.nsec3.jelte.nlnetlabs.nl