├── README.md
└── bind
    ├── dns.netmeister.org
    ├── dnskey.dns.netmeister.org
    ├── ds.dns.netmeister.org
    ├── invalid.dns.netmeister.org
    ├── named.conf
    ├── ns.dns.netmeister.org
    ├── nsec3.dns.netmeister.org
    ├── nsec3param.dns.netmeister.org
    ├── size.dns.netmeister.org
    ├── soa.dns.netmeister.org
    ├── valid.dns.netmeister.org
    └── zonemd.dns.netmeister.org

/README.md:
--------------------------------------------------------------------------------
# (All) DNS Resource Records

In this directory you will find `bind(8)` DNS zone
files used by `panix.netmeister.org` to serve a
reasonable looking entry for every defined DNS
Resource Record (RR).

That is, for each RR `<RR>`, there exists an RR of
type `<RR>` under `<RR>.dns.netmeister.org.`

In addition, each RR has an accompanying TXT record
summarizing the purpose of the RR as well as which RFC
the record was defined in (earliest and latest), and a
TXT record providing the format of the RDATA in
question.

This allows you to look up any given RR type and retrieve an
example via the common host lookup tools:

```
host -t a a.dns.netmeister.org
dig aaaa aaaa.dns.netmeister.org +short
nslookup -query=cname cname.dns.netmeister.org
...
```

Since this zone is DNSSEC signed and uses NSEC instead
of NSEC3, you can easily walk the entire zone.

Note: not all of the values (RDATA) of these RRs
are necessarily meaningful or correct, or make sense.
They are, however, valid.

Your client may not support all RRs. If you do not
get a response (or not the response you expected), try
performing an ANY lookup against
`panix.netmeister.org`.

A longer discussion of each record can be found at:
[https://www.netmeister.org/blog/dns-rrs.html](https://www.netmeister.org/blog/dns-rrs.html)

--------------------------------------------------------------------------------
/bind/dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file contains example entries for all defined DNS Resource Records.
; That is, for each RR <RR>, there exists an RR of type <RR> under
; <RR>.dns.netmeister.org.
; In addition, each RR has an accompanying TXT record summarizing the
; purpose of the RR as well as which RFC the record was defined in
; (earliest and latest), and a TXT record providing the format of the RDATA
; in question.
;
; This allows you to look up any given RR type and retrieve an
; example via the common host lookup tools:
; host -t a a.dns.netmeister.org
; dig aaaa aaaa.dns.netmeister.org +short
; nslookup -query=cname cname.dns.netmeister.org
;
; Since this zone is DNSSEC signed and uses NSEC instead of NSEC3, you can
; easily walk the entire zone.
;
; Note: not all of the values (RDATA) of these RRs are necessarily
; meaningful or correct, or make sense. They are, however, valid.
;
; Your client may not support all RRs. If you do not get a response
; (or not the response you expected), try performing an ANY lookup.
;
; See also: https://www.netmeister.org/blog/dns-rrs.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@               IN SOA panix.netmeister.org. jschauma.netmeister.org. (
                        2024101800      ; Serial
                        3600            ; Refresh
                        300             ; Retry
                        3600000         ; Expire
                        3600 )          ; Minimum
                IN NS panix.netmeister.org.
                IN TXT "This zone has example entries for all defined DNS Resource Records. See also: https://www.netmeister.org/blog/dns-rrs.html"


*               IN TXT "Wildcard record matching any names _not_ in the zone."
*               IN A 198.51.100.1
*               IN AAAA 2001:db8::c2de:2d22:5ca1:2727

a               IN A 166.84.7.99
                IN TXT "Format: a single dotted decimal quad IPv4 address"
                IN TXT "A 32-bit IPv4 host address. RFC882 (1983); RFC1035 (1987)"

aaaa            IN AAAA 2602:f977:800:0:e276:63ff:fe72:3900
                IN TXT "Format: a single hexadecimal IPv6 address"
                IN TXT "A 128-bit IPv6 host address. RFC1884 (1995); RFC4291 (2006)"

afsdb           IN AFSDB 1 panix.netmeister.org.
                IN TXT "Format: <16-bit subtype> "
                IN TXT "Location of a database server of an Andrew File System (AFS) cell. RFC1183 (1990)"

any             IN TXT "Pseudo-RR QTYPE value 255 ('*'). Returns all records. RFC1035 (1987)"

apl             IN APL 1:192.168.32.0/21 !1:192.168.38.0/28 2:2001:db8::/32 !2:2001:0470:0030:0084::/64
                IN TXT "Format: {[!]afi:address/prefix}* -- whitespace separated strings; an optional '!', a numerical address family indicator, ':', an address prefix in CIDR notation"
                IN TXT "Address Prefix List. RFC3123 (2001)"

axfr            IN TXT "Pseudo-RR: Authoritative Zone Transfer. RFC1035 (1987)"

caa             IN CAA 0 issue ";"
                IN CAA 0 issuewild ";"
                IN CAA 0 iodef "mailto:abuse@netmeister.org"
                IN TXT "Format: -- flag is commonly 0; tag one of 'issue', 'issuewild', 'iodef' (others reserved or not yet defined); value is a ''"
                IN TXT "Indication of certificate authorities authorized to issue certificates for this domain. RFC6844 (2013)"

cdnskey         IN CDNSKEY 257 3 13 JErBf5lZ1osSWg7r51+4VfEiWIdONph0L70X0ToT7DkbikKQIp+qvuOOZri7j3qVComv7tgTIBhKxeDQercdKQ==
                IN TXT "Format: <16-bit flags> <8-bit protocol> <8-bit algorithm> "
                IN TXT "Child Copy of DNSKEY record, for transfer to parent. RFC7344 (2014)"

cds             IN CDS 56039 13 2 4104805B43928FC573F0704A2C1B5A10BAA2878DE26B8535DDE77517C154CE9F
                IN TXT "Format: <16-bit key tag> <8-bit algorithm> <8-bit digest type> "
                IN TXT "Child Copy of DS record, for transfer to parent. RFC7344 (2014)"

; The CERT record is a bit of a pain to construct.
; The key tag is calculated by reading the certificate
; pubkey and using the 'keytag' function from RFC4034,
; Appendix B.1.:
; #include <stdio.h>
;
; #define MAX_KEY_SIZE 4096
;
; unsigned int keytag(unsigned char key[], unsigned int keysize) {
;     unsigned long ac; /* assumed to be 32 bits or larger */
;     int i; /* loop index */
;
;     for (ac = 0, i = 0; i < keysize; ++i)
;         ac += (i & 1) ? key[i] : key[i] << 8;
;     ac += (ac >> 16) & 0xFFFF;
;     return ac & 0xFFFF;
; }
;
; int main() {
;     unsigned char key[MAX_KEY_SIZE];
;     unsigned int keysize = 0;
;     int ch;
;
;     while ((ch = getchar()) != EOF && keysize < MAX_KEY_SIZE) {
;         key[keysize++] = (unsigned char)ch;
;     }
;
;     unsigned int tag = keytag(key, keysize);
;     printf("Key tag: %u\n", tag);
; }
;
; The algorithm is based on the certificate type per
; https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
; The actual data includes the X.509 OID plus the DER
; of the cert.
; In this example, we have:
; keytag = openssl x509 -in cert.pem -noout -pubkey |
;          openssl ec -pubin -outform DER |
;          openssl dgst -sha256 -binary | ./keytag
; algorithm = ECDSAP256SHA256 => 13
; OID in DER (06)
; length 10 (0A)
; X509 server cert = 1.3.6.1.5.5.7.3.1
;
; ( printf "\x06\x0A\x2B\x01\x05\x05\x07\x03\x01" ;
;   openssl x509 -in cert.pem -outform DER ; ) | base64
cert            IN A 166.84.7.99
                IN AAAA 2602:f977:800:0:e276:63ff:fe72:3900
                IN CERT PKIX 24753 13 (
                        BgorAQUFBwMBMIID8jCCA3igAwIBAgISA+Xn2xmfe1mwordqibd8h6qoMAoGCCqGSM49BAMDMDIx
                        CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJFNTAeFw0yNDEw
                        MTYwMTIzMzZaFw0yNTAxMTQwMTIzMzVaMBkxFzAVBgNVBAMTDm5ldG1laXN0ZXIub3JnMFkwEwYH
                        KoZIzj0CAQYIKoZIzj0DAQcDQgAEUd81nZXCa/79Joc30jt8VpbRE2sfRt5zg/nLbnm78oObHeJT
                        Cnr7mkhNNmN1BfsMr/dsmBo47bpxXTPnWTAP7qOCAoUwggKBMA4GA1UdDwEB/wQEAwIHgDAdBgNV
                        HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU2w1POKUp
                        Lil1R7hGZz2XOuLxNQEwHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYIKwYBBQUH
                        AQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0
                        dHA6Ly9lNS5pLmxlbmNyLm9yZy8wgY0GA1UdEQSBhTCBgoIZaHR0cHMudGVzdC5uZXRtZWlzdGVy
                        Lm9yZ4ITbWFpbC5uZXRtZWlzdGVyLm9yZ4IWbXRhLXN0cy5uZXRtZWlzdGVyLm9yZ4IObmV0bWVp
                        c3Rlci5vcmeCFHBhbml4Lm5ldG1laXN0ZXIub3JnghJ3d3cubmV0bWVpc3Rlci5vcmcwEwYDVR0g
                        BAwwCjAIBgZngQwBAgEwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdwDPEVbu1S58r/OHW9lpLpvp
                        GnFnSrAX7KwB0lt3zsw7CAAAAZKTIeqQAAAEAwBIMEYCIQD01SNrY7TCLowbYRsXS1lGU53DAFsB
                        q5xvoYc6/ohc1QIhAPSVVdXSUs31RVDcoOPTA6ttzsQp5u8gryr1INRZv0PBAHUAE0rfGrWYQgl4
                        DG/vTHqRpBa3I0nOWFdq367ap8Kr4CIAAAGSkyHrDAAABAMARjBEAiAhKJRr39UrzsrOM+j2m8BF
                        rd8SHMM0/TXRyDGb2rFQGwIgSCOYc3EIpuqqec/zngQHLVJ49tl6Bjgzo8rqyAY/JRowCgYIKoZI
                        zj0EAwMDaAAwZQIxANAsPjni8bpq6Hu5iVi0QJmKMvMPnaGLCecSK77eL0olcUST6rkCnsGLkEEO
                        4SQlHgIwWswNIVe2eG/lVNoPvpsdWZyWKqj6o6isP0QsiN+bG3iFcr04Mrd+zjYWQ42xgR3j
                        )
                IN CERT IPGP 0 0 99CE1DC7770AC5A809A60DCD66CE4FE96F6BD3D7
                IN CERT PGP 0 0 (
                        mQENBE2L+QkBCADx6DXFdqDEAK1OYYtOeLp54Z0G87t6Nmz+nodbd9f4Uw0T6v32
                        O2O0yVwA07fCGfPc+3oeCgDact5cpicAm1C1nF3XrcV6YCAccswybl11ZnlJBOtu
                        1iePYHoBM+iZwdtCaPVlnPoFbuYbjDt5sv7g1MN5sXqktkyEg8JcJKWxrlaFI0lH
                        /YIpOBokXznv2YUWIg+8V6GTGpX2kYRJziXJizzQ1jFYn1UP3Pa+PYlffkbT/vEa
                        Lc3NzVoLUavXRgeRrUWbDc06tQmYolZGArrH7Lrf6Bft1YFNsTxXqo/eUFvW8gUR
                        AxbbD9F05sFtyDenuVl40xsbMfSFtqfQKi+TABEBAAG0I0phbiBTY2hhdW1hbm4g
                        PGpzY2hhdW1hQG5ldGJzZC5vcmc+iQE2BBMBAgAgAhsDBgsJCAcDAgQVAggDBBYC
                        AwECHgECF4AFAmA1JXgACgkQZs5P6W9r09cPFgf8DfO2IGx1iIbrTHRM5K+Kpify
                        gRxJTckO+G1M9XICbO2DZ5O/eex0cFPaueSln92xp9skl5p2R3oIUVnSEaS00mGV
                        7CMbKGIXlb4K4qeVb6uT8/2OCAn3xdPKehcW8lvguaS+65596XVLYjabz8Zhwhkx
                        SL5XRbIPCga4AxVAi0DiJLLrEFPlRWb5X3VYdxxnU8lXiQKgAKWVhONldf2NZW8i
                        OhGXVNXZMmjybFYihFdGO3szaZDFkeh96e2axE8BoXLxDuuTIe+F92oE6pWaH/as
                        Io4LiGGYFdH/+2wqieoG1uNIQ5xc5xSju8qpdrQ4Q7GgeemF0A4CspKx5cMs8LQz
                        SmFuIFNjaGF1bWFubiAoQGpzY2hhdW1hKSA8anNjaGF1bWFAbmV0bWVpc3Rlci5v
                        cmc+iQE2BBMBAgAgBQJSrcFAAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQ
                        Zs5P6W9r09efjgf/ajHLyvaVMeX2eT5V5tluecR2+ZKF0fPp1kV/kN2ilo1ikS4l
                        ClxzYf5mcBket+4TjfrDtVgRdipCszeYXerFBz3j554dORMTSxu3wItycL85nAbm
                        dk7wH0uvNu4LN/rSxzg938oMp2O7gH9oZTx+mVczYW8I4I9RFttIvDjmAEujKzmI
                        07kUJZsQCAtQ7jEEQRGHDggLv7hQI90tihunYbwfxmBnWNETD/mLkiouMwzfjVDH
                        eC6GQok8oMiMf0RuGc2jmGZFqOAUGupBMIoDTJO5Mcn963va1Y4ncJBV+XEh9p7V
                        fOSjc7bHfTSlFB/kaq4lSjQ8LLzYN1gfAdYU4rQnSmFuIFNjaGF1bWFubiA8anNj
                        aGF1bWFAbmV0bWVpc3Rlci5vcmc+iQE5BBMBAgAjAhsDBgsJCAcDAgQVAggDBBYC
                        AwECHgECF4AFAmA1JXwCGQEACgkQZs5P6W9r09fGBwf+P2cm/HxfnlYhFS5hsNdb
                        K0EyiXIewOYHkBj4ZkNlWvzNjwROZySEizF6Zfcxt8vZKCJckneAHrRNB6dXZSJ7
                        S9Me0gPOS7AVYtX+5oJPZv4ug3odygJx0bXx/YTQQxoYHj4QG9Kxx+QXfHTZ6QkQ
                        4Vc/gWMsTxmhFj3DSqyjPcLp5GSC6z6Pwpp5XlC1ctQwg2QvMxNcpjlvdbBF26Qg
                        QeKM45D41/W8cRyk2geZjZLI/8MiHsfQ88wCtuECjAGNfBDz/fNqjQ9a1M38Tad6
                        WIsN+SZiX5aG6JrPRT9lL38U4/ziaA5WLSvBBvfc/jOoPQOtEK9UXkFutJmkaKQm
                        QbkBDQRNi/kxAQgAtb4+nY+l5ojJpUWFOOMCGjvYO6PhY5NpuOfLIgjOHVcwj6Yz
                        0LSnDG+QSnQ1JxSDovXxZZtcnN7j9xqJFbtMi4MQEoSNL3XxFZy+QAqqKNkGhARq
                        W5uK4jlm5BPgza4qnaG5bqtdPMIOyvojIJQoWKhKcGMmWsvq3sD4JdMEsnK/YjQC
                        H6N4eCos2P7nW6Q8kjMIO3YqJT+6sHliOXrqi5/4EoT6GmkyTttX5IMkClv4faAi
                        7U9SkucZDjsdk2uwcetobUu/0LLnzFrexk/K2xNSDcX6MMD3x3/So1DsA6Mxo/Fb
                        wzE+AQ2Y2ve4Y9hGFX35TDoBi881kQ7oDiukLwARAQABiQEfBBgBAgAJBQJNi/kx
                        AhsMAAoJEGbOT+lva9PXpWAIAMn/iaZdax6a0GkEkPWvwpzb1zjNehjnO5lKI4Nr
                        LKNlygHoWL4SXsr925e/GOFInAn6iGdB3KibE8YEoWVuON5teMMsZxfln094F5sz
                        Tv1HA8Gsdvf0R+8IMifFO+7HavJj+Qhuu8+Xpm8tleYeZR61qbY4h4KoPQP4G4Kb
                        F+R11vma31gLkBGD5gnkgVPyhFuPeBptCP+T+2W9sc2EEVcxWbLB0qcqyBEy6eXi
                        PxyKurOCed9kBvyqo+FZTJpElOnJo/NqodY5Nsz1QchbMHN2FVmmFfrVpocnRQPm
                        1lxqzxwoqJrUTyWpk/J8/0PbKlSTjRKziFLqudSy/dqFWmk=
                        )
                IN TXT "Format: <16-bit type> <16-bit key tag> <8-bit algorithm> "
                IN TXT "A certificate or certificate revocation list, including x509, S/MIME, PGP or IPSec certificates. RFC2538 (1999); RFC4398 (2006)"


www             IN CNAME www.netmeister.org.
cname-loop      IN CNAME cname-loop
; Yes, this is a loop.

cname           IN CNAME cname-txt
cname-txt       IN TXT "Format: "
                IN TXT "Additional records (besides DNSSEC related records) are not allowed on CNAMEs."
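A strict check of the OID-plus-DER layout described in the CERT comment above, as an added example that is not part of the zone file or the author's tooling: it splits such a blob into its OID and certificate and rejects input whose DER lengths do not line up, which is the case for the nine-octet prefix the `printf` emits (it declares ten content octets where seven follow). The function names and the five-octet `FAKE_CERT` stand-in are constructed for illustration.

```python
import base64


class DerError(ValueError):
    """The bytes are not the DER structure this check expects."""


def read_tlv(buf, offset=0):
    """Return (tag, value, next_offset) for the DER TLV at offset."""
    if offset + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag, first = buf[offset], buf[offset + 1]
    offset += 2
    if first < 0x80:                       # short form: one length octet
        length = first
    else:                                  # long form: next n octets hold the length
        n = first & 0x7F
        if not 1 <= n <= 4 or offset + n > len(buf):
            raise DerError("unsupported or truncated length field")
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    if offset + length > len(buf):
        raise DerError("declared length runs past the end of the data")
    return tag, buf[offset:offset + length], offset + length


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    if not content or content[-1] & 0x80:
        raise DerError("empty or unterminated OID")
    arcs, acc = [], 0
    for octet in content:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:               # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)          # first sub-identifier packs two arcs
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def split_oid_prefixed_cert(blob):
    """Return (dotted_oid, cert_der) or raise DerError if the TLVs do not line up."""
    tag, oid_content, pos = read_tlv(blob)
    if tag != 0x06:
        raise DerError("data does not start with an OBJECT IDENTIFIER")
    oid = decode_oid(oid_content)
    tag, _, end = read_tlv(blob, pos)
    if tag != 0x30 or end != len(blob):
        raise DerError("OID %s is not followed by exactly one SEQUENCE" % oid)
    return oid, blob[pos:]


def check(blob):
    """Human-readable verdict for one blob."""
    try:
        oid, cert = split_oid_prefixed_cert(blob)
    except DerError as err:
        return "rejected: %s" % err
    return "ok: %s + %d-octet certificate" % (oid, len(cert))


# First 12 base64 characters of the CERT PKIX record in the zone file; they
# decode to the nine octets written by the printf in the zone file comment.
PAGE_PREFIX = base64.b64decode("BgorAQUFBwMB")
# DER encoding of 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth): eight content octets.
SERVER_AUTH = bytes.fromhex("06082b06010505070301")
# Constructed stand-in for a certificate: SEQUENCE { INTEGER 1 }.
FAKE_CERT = bytes.fromhex("3003020101")

if __name__ == "__main__":
    print("page prefix     ", check(PAGE_PREFIX + FAKE_CERT))
    print("8-octet encoding", check(SERVER_AUTH + FAKE_CERT))
    print("arcs present    ", decode_oid(PAGE_PREFIX[2:]))
```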
cname01         IN CNAME cname02
cname02         IN CNAME cname03
cname03         IN CNAME cname04
cname04         IN CNAME cname05
cname05         IN CNAME cname06
cname06         IN CNAME cname07
cname07         IN CNAME cname08
cname08         IN CNAME cname09
cname09         IN CNAME cname10
cname10         IN CNAME cname11
cname11         IN CNAME cname12
cname12         IN CNAME cname13
cname13         IN CNAME cname14
cname14         IN CNAME cname15
cname15         IN CNAME cname16
cname16         IN CNAME cname17
cname17         IN CNAME cname18
cname18         IN CNAME cname19
cname19         IN CNAME cname20
cname20         IN CNAME cname21
cname21         IN CNAME cname22
cname22         IN CNAME cname23
cname23         IN CNAME cname24
cname24         IN CNAME cname25
cname25         IN CNAME cname26
cname26         IN CNAME cname27
cname27         IN CNAME cname28
cname28         IN CNAME cname29
cname29         IN CNAME cname30
cname30         IN CNAME cname31
cname31         IN CNAME cname32
cname32         IN CNAME cname33
cname33         IN CNAME cname34
cname34         IN CNAME cname35
cname35         IN CNAME cname36
cname36         IN CNAME cname37
cname37         IN CNAME cname38
cname38         IN CNAME cname39
cname39         IN CNAME cname40
cname40         IN CNAME cname41
cname41         IN CNAME cname42
cname42         IN CNAME cname43
cname43         IN CNAME cname44
cname44         IN CNAME cname45
cname45         IN CNAME cname46
cname46         IN CNAME cname47
cname47         IN CNAME cname48
cname48         IN CNAME cname49
cname49         IN CNAME cname50
cname50         IN CNAME cname51
cname51         IN CNAME cname52
cname52         IN CNAME cname53
cname53         IN CNAME cname54
cname54         IN CNAME cname55
cname55         IN CNAME cname56
cname56         IN CNAME cname57
cname57         IN CNAME cname58
cname58         IN CNAME cname59
cname59         IN CNAME cname60
cname60         IN CNAME cname61
cname61         IN CNAME cname62
cname62         IN CNAME cname63
cname63         IN CNAME cname64
cname64         IN CNAME cname65
cname65         IN CNAME cname66
cname66         IN CNAME cname67
cname67         IN CNAME cname68
cname68         IN CNAME cname69
cname69         IN CNAME cname70
cname70         IN CNAME cname71
cname71         IN CNAME cname72
cname72         IN CNAME cname73
cname73         IN CNAME cname74
cname74         IN CNAME cname75
cname75         IN CNAME cname76
cname76         IN CNAME cname77
cname77         IN CNAME cname78
cname78         IN CNAME cname79
cname79         IN CNAME cname80
cname80         IN CNAME cname81
cname81         IN CNAME cname82
cname82         IN CNAME cname83
cname83         IN CNAME cname84
cname84         IN CNAME cname85
cname85         IN CNAME cname86
cname86         IN CNAME cname87
cname87         IN CNAME cname88
cname88         IN CNAME cname89
cname89         IN CNAME cname90
cname90         IN CNAME cname91
cname91         IN CNAME cname92
cname92         IN CNAME cname93
cname93         IN CNAME cname94
cname94         IN CNAME cname95
cname95         IN CNAME cname96
cname96         IN CNAME cname97
cname97         IN CNAME cname98
cname98         IN CNAME cname99
cname99         IN CNAME cname


csync           IN CSYNC 2021071001 3 NS
                IN TXT "Format: <32-bit SOA serial> <16-bit flags> <16-bit type bit map>"
                IN TXT "Child-to-Parent Synchronization, commonly used for glue records. RFC7477 (2015)"

dhcid           IN DHCID AAIBMmFjOTc1NzMyMTk0ZWE1ZTBhN2MzN2M4MzE2NTFiM2M=
                IN TXT "Format: SHA-256( )"
                IN TXT "DHCP identifier. RFC4701 (2006)"

dlv             IN DLV 56039 13 2 4104805B43928FC573F0704A2C1B5A10BAA2878DE26B8535DDE77517C154CE9F
                IN TXT "Format: <16-bit key tag> <8-bit algorithm> <8-bit digest type> "
                IN TXT "DNSSEC Lookaside Validation used for off-path validation. RFC4431 (2006); RFC5074 (2007)"

dname           IN DNAME dns.netmeister.org.
                IN TXT "Format: "
                IN TXT "Delegation name record, used to e.g., redirect an entire domain. RFC2672 (1999); RFC6672 (2012)"

dnskey          IN DNSKEY 257 3 13 JErBf5lZ1osSWg7r51+4VfEiWIdONph0L70X0ToT7DkbikKQIp+qvuOO Zri7j3qVComv7tgTIBhKxeDQercdKQ==
                IN DS 51266 13 2 809A66766A5D69A3DA6ACBE461483393B879B746481BA80BC4D1C69ECC52923D
; TXT records in dnskey zone

; This only makes sense if we have a "ds" zone
ds              IN DS 56393 13 2 BD36DD608262A026083721FA19E2F7B474F531BB3179CC00A0C38FF00CA11657

; TXT records in dnskey zone

eui48           IN EUI48 bc-a2-b9-82-32-a7
                IN TXT "Format: six two-digit hexadecimal numbers separated by hyphens"
                IN TXT "48-bit IEEE Extended Unique Identifier; MAC address. RFC7043 (2013)"

eui64           IN EUI64 be-a2-b9-ff-fe-82-32-a7
                IN TXT "Format: eight two-digit hexadecimal numbers separated by hyphens"
                IN TXT "64-bit IEEE Extended Unique Identifier; MAC address. RFC7043 (2013)"

hinfo           IN HINFO PDP-11 UNIX
                IN TXT "Format: two s of up to 40 chars each"
                IN TXT "Originally 'host information' like CPU and OS; now used by Cloudflare in response to 'ANY' requests. RFC883 (1983); RFC8482 (2019)"

hip             IN HIP ( 2 ; RSA
                        200100107B1A74DF365639CC39F1D578 ; HIT as IPv6 (RFC7343)
                        AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
                        rvs.example.com. ; rendezvous server
                        )
                IN TXT "Format: ... "
                IN TXT "Host Identity Protocol mappings of Host Identities and Host Identity Tags to IP addresses. RFC5205 (2008); RFC8005 (2016)"

; Commonly used with a _port._scheme name, e.g., _8443._foo => foo://:8443
; ServiceForm
https           IN HTTPS 1 . (
                        alpn="h2,http/1.1"
                        ipv6hint="2602:f977:800:0:e276:63ff:fe72:3900"
                        ipv4hint="166.84.7.99" )
; AliasForm
                IN HTTPS 0 www.netmeister.org.
                IN TXT "Format: <16-bit SvcFieldPriority> "
                IN TXT "SVCB variation specifically for HTTP/HTTPS. IETF Draft (2020)"

ipseckey        IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
                IN TXT "Format: <8-bit precedence> <8-bit gateway type> <8-bit algorithm> <40-bit gateway> "
                IN TXT "Public Key for use with IPSec; usually stored in the relevant in-addr.arpa / ip6.arpa zone. RFC4025 (2005)"

ixfr            IN TXT "Pseudo-RR: Incremental Zone Transfer. RFC1995 (1996)"

; dnssec-keygen -r /dev/urandom -p 255 -n ENTITY -T KEY -b 256 -a DH key.dns.netmeister.org.
key             IN KEY 512 255 2 ACDtkdVR2HWmc0HPEwkrM+SOrWZd8yPTAytLYZj2u33KgwABAgAg6jav9rTK68C8j+kfLv7+re8KAb1qJXqdSrmL+1l3Js4=
                IN TXT "Format: <16-bit flags> <8-bit protocol> <8-bit algorithm> "
                IN TXT "Public Key associated name; used with e.g., TSIG / SIG(0). Obsoleted for DNSSEC keys via DNSKEY, for IPSec via IPSECKEY RRs. RFC2535 (1999); RFC2930 (2000); RFC2931 (2000)"

kx              IN KX 1 panix.netmeister.org.
                IN TXT "Format: <16-bit preference> "
                IN TXT "Key Exchange Delegation. RFC2230 (1997)"

loc             IN LOC 40 44 9 N 73 59 26 W 10m
                IN TXT "Format: d-lat [m-lat [s-lat]] {"N"|"S"} d-long [m-long [s-long]] {"E"|"W"} alt["m"] [siz["m"] [hp["m"] [vp["m"]]]]"
                IN TXT "Geographical information associated with a domain name. RFC1876 (1996)"

mx              IN MX 50 panix.netmeister.org.
                IN TXT "Format: <16-bit preference> "
                IN TXT "Mail Exchange Delegation. RFC1035 (1987)"

naptr           IN NAPTR 10 10 "u" "smtp+E2U" "!.*([^\.]+[^\.]+)$!mailto:postmaster@$1!i" .
                IN NAPTR 20 10 "s" "http+N2L+N2C+N2R" "" www.netmeister.org.
                IN TXT "Format: <16-bit order> <16-bit preference> "
                IN TXT "Naming Authority Pointer; regular expression rewriting of domain names, commonly used with e.g., SIP. RFC2915 (2000); RFC3403 (2002)"

ns              IN NS panix.netmeister.org.
                IN DS 21656 13 2 EAB9CBDA29CF68BB9ABB0047E49B56383C093FABF7C75B6B6F0483E36D3FCA3A
                IN TXT "Format: "
                IN TXT "Naming Authority Pointer; delegates authority of the given domain to the given name server. RFC883 (1983); RFC1035 (1987)"

; The actual value will be provided by bind, so no need to define it.
nsec            IN TXT "Format: <16-bit type bit map>"
                IN TXT "Next secure record. Used to e.g., prove non-existence of a record. RFC4034 (2005)"

nsec3           IN DS 24381 13 2 6839540410B8D55D2994DC98DF7134C22FA831F008B626DC788617B7A3DC47AC

nsec3param      IN DS 54885 13 2 EBBF775A8F45E1ADDD5BB177619ECD9FEEA682412D4F5B377161CBFF2BA97476

; This makes no sense. For an actual example, see e.g.,
; f6d6048431f8b67313b5b8011e0be5b03f21b4458a7e67f3fb298900._openpgpkey.netmeister.org,
; which represents jschauma@netmeister.org.
openpgpkey      IN OPENPGPKEY (
                        mQENBE2L+QkBCADx6DXFdqDEAK1OYYtOeLp54Z0G87t6Nmz+nodbd9f4Uw0T
                        6v32O2O0yVwA07fCGfPc+3oeCgDact5cpicAm1C1nF3XrcV6YCAccswybl11
                        ZnlJBOtu1iePYHoBM+iZwdtCaPVlnPoFbuYbjDt5sv7g1MN5sXqktkyEg8Jc
                        JKWxrlaFI0lH/YIpOBokXznv2YUWIg+8V6GTGpX2kYRJziXJizzQ1jFYn1UP
                        3Pa+PYlffkbT/vEaLc3NzVoLUavXRgeRrUWbDc06tQmYolZGArrH7Lrf6Bft
                        1YFNsTxXqo/eUFvW8gURAxbbD9F05sFtyDenuVl40xsbMfSFtqfQKi+TABEB
                        AAG0I0phbiBTY2hhdW1hbm4gPGpzY2hhdW1hQG5ldGJzZC5vcmc+iQE2BBMB
                        AgAgAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AFAmA1JXgACgkQZs5P6W9r
                        09cPFgf8DfO2IGx1iIbrTHRM5K+KpifygRxJTckO+G1M9XICbO2DZ5O/eex0
                        cFPaueSln92xp9skl5p2R3oIUVnSEaS00mGV7CMbKGIXlb4K4qeVb6uT8/2O
                        CAn3xdPKehcW8lvguaS+65596XVLYjabz8ZhwhkxSL5XRbIPCga4AxVAi0Di
                        JLLrEFPlRWb5X3VYdxxnU8lXiQKgAKWVhONldf2NZW8iOhGXVNXZMmjybFYi
                        hFdGO3szaZDFkeh96e2axE8BoXLxDuuTIe+F92oE6pWaH/asIo4LiGGYFdH/
                        +2wqieoG1uNIQ5xc5xSju8qpdrQ4Q7GgeemF0A4CspKx5cMs8LQzSmFuIFNj
                        aGF1bWFubiAoQGpzY2hhdW1hKSA8anNjaGF1bWFAbmV0bWVpc3Rlci5vcmc+
                        iQE2BBMBAgAgBQJSrcFAAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AACgkQ
                        Zs5P6W9r09efjgf/ajHLyvaVMeX2eT5V5tluecR2+ZKF0fPp1kV/kN2ilo1i
                        kS4lClxzYf5mcBket+4TjfrDtVgRdipCszeYXerFBz3j554dORMTSxu3wIty
                        cL85nAbmdk7wH0uvNu4LN/rSxzg938oMp2O7gH9oZTx+mVczYW8I4I9RFttI
                        vDjmAEujKzmI07kUJZsQCAtQ7jEEQRGHDggLv7hQI90tihunYbwfxmBnWNET
                        D/mLkiouMwzfjVDHeC6GQok8oMiMf0RuGc2jmGZFqOAUGupBMIoDTJO5Mcn9
                        63va1Y4ncJBV+XEh9p7VfOSjc7bHfTSlFB/kaq4lSjQ8LLzYN1gfAdYU4rQn
                        SmFuIFNjaGF1bWFubiA8anNjaGF1bWFAbmV0bWVpc3Rlci5vcmc+iQE5BBMB
                        AgAjAhsDBgsJCAcDAgQVAggDBBYCAwECHgECF4AFAmA1JXwCGQEACgkQZs5P
                        6W9r09fGBwf+P2cm/HxfnlYhFS5hsNdbK0EyiXIewOYHkBj4ZkNlWvzNjwRO
                        ZySEizF6Zfcxt8vZKCJckneAHrRNB6dXZSJ7S9Me0gPOS7AVYtX+5oJPZv4u
                        g3odygJx0bXx/YTQQxoYHj4QG9Kxx+QXfHTZ6QkQ4Vc/gWMsTxmhFj3DSqyj
                        PcLp5GSC6z6Pwpp5XlC1ctQwg2QvMxNcpjlvdbBF26QgQeKM45D41/W8cRyk
                        2geZjZLI/8MiHsfQ88wCtuECjAGNfBDz/fNqjQ9a1M38Tad6WIsN+SZiX5aG
                        6JrPRT9lL38U4/ziaA5WLSvBBvfc/jOoPQOtEK9UXkFutJmkaKQmQbkBDQRN
                        i/kxAQgAtb4+nY+l5ojJpUWFOOMCGjvYO6PhY5NpuOfLIgjOHVcwj6Yz0LSn
                        DG+QSnQ1JxSDovXxZZtcnN7j9xqJFbtMi4MQEoSNL3XxFZy+QAqqKNkGhARq
                        W5uK4jlm5BPgza4qnaG5bqtdPMIOyvojIJQoWKhKcGMmWsvq3sD4JdMEsnK/
                        YjQCH6N4eCos2P7nW6Q8kjMIO3YqJT+6sHliOXrqi5/4EoT6GmkyTttX5IMk
                        Clv4faAi7U9SkucZDjsdk2uwcetobUu/0LLnzFrexk/K2xNSDcX6MMD3x3/S
                        o1DsA6Mxo/FbwzE+AQ2Y2ve4Y9hGFX35TDoBi881kQ7oDiukLwARAQABiQEf
                        BBgBAgAJBQJNi/kxAhsMAAoJEGbOT+lva9PXpWAIAMn/iaZdax6a0GkEkPWv
                        wpzb1zjNehjnO5lKI4NrLKNlygHoWL4SXsr925e/GOFInAn6iGdB3KibE8YE
                        oWVuON5teMMsZxfln094F5szTv1HA8Gsdvf0R+8IMifFO+7HavJj+Qhuu8+X
                        pm8tleYeZR61qbY4h4KoPQP4G4KbF+R11vma31gLkBGD5gnkgVPyhFuPeBpt
                        CP+T+2W9sc2EEVcxWbLB0qcqyBEy6eXiPxyKurOCed9kBvyqo+FZTJpElOnJ
                        o/NqodY5Nsz1QchbMHN2FVmmFfrVpocnRQPm1lxqzxwoqJrUTyWpk/J8/0Pb
                        KlSTjRKziFLqudSy/dqFWmk=
                        )
                IN TXT "Format: base64-encoded OpenPGP Transferable Public Key"
                IN TXT "OpenPGP Public Key record, used within DANE. RFC7929 (2016)"

opt             IN TXT "Format: <16-bit option code> <16-bit option length> "
                IN TXT "Pseudo-RR for EDNS options. RFC6891 (2013)"

ptr             IN PTR ptr.dns.netmeister.org.
                IN TXT "Format: "
                IN TXT "Domain Name Pointer; commonly found in the in-addr.arpa and ip6.arpa domains and used in reverse lookups. RFC1035 (1987)"

rp              IN RP jschauma.netmeister.org. contact.netmeister.org.
                IN TXT "Format: "
                IN TXT "Responsible Person. RFC1183 (1990)"

; Automatically generated via DNSSEC.
rrsig           IN TXT "Format: <16-bit type covered> <8-bit algorithm> <8-bit labels> <32-bit TTL> <32-bit signature expiration> <32-bit signature inception> <16-bit key tag> <40-bit signers name> "
                IN TXT "DNSSEC Signature of the Resource Record Set. RFC4034 (2005)"

; SIG(0) records are generated by the server, not read from the zone,
; so this is a bogus SIG record that you won't actually get returned
; to you. bind also only uses SIG(0) with nsupdate(1).
;sig IN SIG TXT 13 4 3600 20210725182822 20210711204631 56039 dns.netmeister.org. yrYfGgprzYhsBLDlxwu9NFLbpwPeJ0CkZWpLJGUAp5/qWnEEY2CmpD9fg0ozpxTh2eC349j+6+l7ylKKMmRrJA==
sig             IN TXT "Format: <16-bit type covered> <8-bit algorithm> <8-bit labels> <32-bit TTL> <32-bit signature expiration> <32-bit signature inception> <16-bit key tag> <40-bit signers name> "
                IN TXT "Signature record; in DNSSEC replaced by RRSIG. RFC2535 (1999); RFC2931 (2000); RFC4034 (2005)"

; Incorrect data. Normally would use e.g.
; f6d6048431f8b67313b5b8011e0be5b03f21b4458a7e67f3fb298900._smimecert.netmeister.org,
; which represents jschauma@netmeister.org.
smimea          IN SMIMEA 3 1 1 8CE14CBE1FAFAE9FB25845D335E00E416BC2FAE02E8746689C006DA59C1F9382
                IN TXT "Format: <8-bit cert usage> <8-bit selector> <8-bit matching type> "
                IN TXT "S/MIME certificate association. RFC8162 (2017)"

; The actual SOA record comes from the subzone.
soa             IN DS 15057 13 2 37B820412C83F1B495224F3064C272E287292C2453BB248BD182D4B0E81F72AC

srv             IN SRV 0 1 80 panix.netmeister.org.
                IN TXT "Format: <16-bit priority> <16-bit weight> <16-bit port> "
                IN TXT "Service location records. Commonly something like _port._protocol. RFC2052 (1996); RFC2782 (2000)"

sshfp           IN SSHFP 1 1 53A76D5284C91E140DEC9AD1A757DA123B95B081
                IN SSHFP 3 2 62475A22F1E4F09594206539AAFF90A6EDAABAB1BA6F4A67AB3906177455CF84
                IN TXT "Format: <8-bit algorithm> <8-bit fingerprint type> "
                IN TXT "SSH Public Key Fingerprints. RFC4255 (2006)"

; Commonly used with a _port._scheme name, e.g., _8443._foo => foo://:8443
; Not yet supported in bind, but see e.g.,
; https://ypcs.fi/howto/2020/09/30/announce-https-via-dns/
; ServiceForm
svcb            IN SVCB 1 panix.netmeister.org. ipv6hint="2602:f977:800:0:e276:63ff:fe72:3900" port="8888"
                IN TXT "Format: <16-bit SvcFieldPriority> "
                IN TXT "General Purpose Service Binding. IETF Draft (2020)"

ta              IN TA 56039 13 2 4104805B43928FC573F0704A2C1B5A10BAA2878DE26B8535DDE77517C154CE9F
                IN TXT "Format: <16-bit key tag> <8-bit algorithm> <8-bit digest type> "
                IN TXT "DNSSEC Trust Authorities; proposed for DNSSEC without a signed root. No RFC (2005)."

; Quoting RFC2930:
; TKEY is a meta-RR that is not stored or cached in the DNS and does not appear in zone files.
; sudo dnssec-keygen -r /dev/urandom -p 255 -n ENTITY -T KEY -b 256 -a DH tkey.dns.netmeister.org.
tkey            IN KEY 512 255 2 ACChNLJiFjqre0/veUP0AplAf2lyNgRwcdwZViTAo6m/swABAgAgMp9m 2JGio5XOHHXmKLDZ37/39/SbmPKhsMd/WUYToWE=
                IN TXT "Format: <32-bit inception> <32-bit expiration> <16-bit mode> <16-bit error> <16-bit key size> <16-bit other size> "
                IN TXT "Transaction Key for e.g., TSIG, encrypted with accompanying KEY record. RFC2930 (2000)"

; This is actually the TLSA record for _443._tcp.panix.netmeister.org.
tlsa            IN TLSA 3 1 1 8CE14CBE1FAFAE9FB25845D335E00E416BC2FAE02E8746689C006DA59C1F9382
                IN TXT "Format: <8-bit usage> <8-bit selector> <8-bit matching type> "
                IN TXT "DANE record for TLS. RFC6698 (2012)"

; TSIG RR is generated by bind when queried with a TSIG
; e.g.:
; dig @panix.netmeister.org -y hmac-sha256:tsig.dns.netmeister.org:shared-key-here= tsig tsig.dns.netmeister.org.
tsig            IN TXT "Format: <48-bit time signed> <16-bit fudge> <16-bit MAC size> <16-bit oid> <16-bit error> <16-bit other size> "
                IN TXT "Transaction Signature, used to authenticate e.g., dynamic client updates or server responses by way of a shared secret (e.g., TKEY). RFC2845 (2000); RFC8945 (2020)"

txt             IN TXT "Format: "
                IN TXT "Descriptive text. Completely overloaded for all sorts of things. RFC1035 (1987)"

; Normally this would be e.g., _service._protocol
uri             IN URI 10 1 "https://www.netmeister.org/blog/dns-rrs.html"
                IN TXT "Format: <16-bit priority> <16-bit weight> "
                IN TXT "URI selection. Improvement / complement to NAPTR / SRV. RFC7553 (2015)"

; zonemd is in its own zone.
; calculated via e.g., https://github.com/niclabs/dns-tools
; dns-tools digest -f zonemd-zone -o somewhere -z zonemd.dns.netmeister.org.
zonemd          IN DS 7645 13 2 EB032BCDA4F0333AEEE9484C2A07B5EA0F52BD85319E1AB9C0D933050D9AD506

; --- Obsolete, ancient, or largely unused RRs ---

a6              IN A6 0 2602:f977:800:0:e276:63ff:fe72:3900
                IN A6 64 ::e276:63ff:fe72:3900 a6-prefix
                IN TXT "Format: <8-bit prefix> <128-bit hex IPv6 address> "
                IN TXT "Early IPv6 record, obsoleted by AAAA. RFC2874 (2000)"

; used to supplement the second prefix example of the above a6 record
a6-prefix       IN A6 0 2001:470:30:84::

amtrelay        IN AMTRELAY 10 0 2 2602:f977:800:0:e276:63ff:fe72:3900
                IN TXT "Format: <8-bit precedence> <1-bit discover> <7-bit type> "
                IN TXT "Automatic Multicast Tunneling Relay. RFC8777 (2020)"

atma            IN ATMA 39.246f.000e7c9c031200010001.000012345678.00
                IN TXT "Format: "
                IN TXT "ATM End System Address. ATM Forum Publication (2000)"

; https://www.iana.org/assignments/dns-parameters/AVC/avc-completed-template
avc             IN AVC app-name:Unix time|business:default|server-port:TCP/4242,UDP/4242
                IN TXT "Format: "
                IN TXT "Application Visibility and Control. RR Submission (2016)"

; https://www.ietf.org/archive/id/draft-durand-doa-over-dns-03.txt
doa             IN DOA 0 1 2 "" aHR0cHM6Ly93d3cubmV0bWVpc3Rlci5vcmcvYmxvZy9kbnMtcnJzLmh0bWwK
                IN TXT "Format: <32-bit doa-enterprise> <32-bit doa-type> <16-bit doa-location> "
                IN TXT "Digital Object Architecture in the DNS. Internet Draft (2017)"

; http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt
eid             IN EID CA FE FA CE 12 34
                IN TXT "Format: "
                IN TXT "Endpoint Identifier in the Nimrod Routing Architecture. Internet Draft (1995)"

gpos            IN GPOS 40.731 -73.9919 10.0
                IN TXT "Format: "
                IN TXT "Geographical Location, similar to LOC. RFC1712 (1994)"

isdn            IN ISDN 150862028003217 004
                IN TXT "Format: "
                IN TXT "ISDN Telephone Number. RFC1183 (1990)"

l32             IN L32 10 203.0.113.44
                IN TXT "Format: <16-bit preference> <32-bit locator32>"
                IN TXT "Identifier-Locator Network Protocol; 32-bit Locator. RFC6742 (2012)"

l64             IN L64 10 2001:0DB8:1140:1000
                IN TXT "Format: <16-bit preference> <64-bit locator64>"
                IN TXT "Identifier-Locator Network Protocol; 64-bit Locator. RFC6742 (2012)"

lp              IN LP 10 l64.dns.netmeister.org.
                IN LP 20 l32.dns.netmeister.org.
                IN TXT "Format: <16-bit preference> "
                IN TXT "Identifier-Locator Network Protocol; Locator Pointer. RFC6742 (2012)"

maila           IN TXT "Format: "
                IN TXT "QTYPE request for MD and MF. RFC883 (1983); obsoleted by MX via RFC973 (1986)"

mailb           IN TXT "Format: "
                IN TXT "QTYPE request for MB, MG, or MR. RFC883 (1983); obsoleted by MX via RFC973 (1986)"

mb              IN MB panix.netmeister.org.
                IN TXT "Format: "
                IN TXT "Mailbox record. RFC883 (1983); not formally obsoleted"

;md IN MD panix.netmeister.org.
md              IN TXT "Format: "
                IN TXT "Mail Destination RFC883 (1983); obsoleted by MX via RFC973 (1986)"

;mf IN MF panix.netmeister.org.
mf              IN TXT "Format: "
                IN TXT "Mail Forwarder RFC883 (1983); obsoleted by MX via RFC973 (1986)"

mg              IN MG jschauma.netmeister.org.
                IN MG digestingducks.netmeister.org.
                IN MG jschauma.yahoo.com.
                IN MINFO jschauma.netmeister.org. postmaster.netmeister.org.
                IN TXT "Format: "
                IN TXT "Mail Group (mailing list) record. RFC883 (1983); not formally obsoleted"

minfo           IN MINFO jschauma.netmeister.org. postmaster.netmeister.org.
                IN TXT "Format: "
                IN TXT "Responsible and error handling mailbox. RFC883 (1983); not formally obsoleted"

mr              IN MR panix.netmeister.org.
                IN TXT "Format: "
                IN TXT "Mail Rename record. RFC883 (1983); not formally obsoleted"

nid             IN NID 10 0014:4fff:ff20:ee64
                IN TXT "Format: <16-bit preference> <64-bit nodeid>"
                IN TXT "Identifier-Locator Network Protocol; Node Identifier. RFC6742 (2012)"

; http://ana-3.lcs.mit.edu/~jnc/nimrod/dns.txt
nimloc          IN NIMLOC DE AD BE EF 12 34
                IN TXT "Format: "
                IN TXT "Nimrod Locator in the Nimrod Routing Architecture. Internet Draft (1995)"

; https://www.ietf.org/archive/id/draft-reid-dnsext-zs-01.txt
ninfo           IN NINFO "The zone owner is asleep, so don't bother trying voice-based communication."
                IN TXT "Format: "
                IN TXT "Zone Status information, initially requested as 'ZS'. Internet Draft (2008)"

; Quoting RFC883:
; "Null RRs are not allowed in master files."
;null IN NULL "avocado"
null IN TXT "Format: "
        IN TXT "Placeholder records in some experimental extensions. RFC883 (1983)"

nsap IN NSAP 0x47.0005.80.005a00.0000.0001.e133.ffffff000161.00
        IN TXT "Format: "
        IN TXT "Network Service Access Point. RFC1706 (1994)"

nsap-ptr IN NSAP-PTR nsap
        IN TXT "Format: "
        IN TXT "NSAP to name mapping. Usually found in the 'nsap.int' domain. RFC1706 (1994)"

nxt IN NXT openpgpkey OPENPGPKEY TXT
        IN TXT "Format: <16-bit type bit map>"
        IN TXT "Precursor to NSEC/NSEC3. RFC2065 (1997)"

px IN PX 10 px PRMD-netmeister.C-us.G-Jan.S-Schaumann
        IN TXT "Format: <16-bit preference> "
        IN TXT "Map domain names into X.400 O/R names. RFC2163 (1998)"

rt IN RT 10 panix.netmeister.org.
        IN TXT "Format: <16-bit preference> "
        IN TXT "Route Through RR. RFC1183 (1990)"

; bind uses an undocumented "meaning" field
; https://gitlab.isc.org/isc-projects/bind9/-/issues/1202
sink IN SINK 0 64 1 ZG5zLm5ldG1laXN0ZXIub3JnLg==
        IN TXT "Format: "
        IN TXT "Kitchen Sink record to allow stuffing just about anything into the DNS without requiring new RRs to be defined. Internet draft (1997)"

spf IN SPF "v=spf1 a mx -all"
        IN TXT "Format: "
        IN TXT "Sender Policy Framework alternative to TXT record. RFC4408 (2006)"

talink IN TALINK . _talink1
        IN TXT "Format: "
        IN TXT "DNSSEC Trust Anchor History. Internet Draft (2009)"

_talink1 IN TALINK talink _talink2
_talink2 IN TALINK _talink2 .

wks IN WKS 166.84.7.99 6 25 80 443
        IN WKS 166.84.7.99 17 53
        IN TXT "Format: <32-bit IP address> <16-bit protocol> <8-bit bit map>"
        IN TXT "Well Known Services. RFC883 (1983); not formally obsoleted, but recommended against in e.g., RFC1123 (1989)"

x25 IN X25 311061700956
        IN TXT "Format: "
        IN TXT "Experimental representation of X.25 addresses. RFC1183 (1990)"

--------------------------------------------------------------------------------
/bind/dnskey.dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file exists purely so that our parent lookup against
; "dnskey.dns.netmeister.org" works.
;
; See also: https://www.netmeister.org/blog/dns-rrs.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@ IN SOA panix.netmeister.org. jschauma.netmeister.org. (
        2021071101 ; Serial
        3600 ; Refresh
        300 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS panix.netmeister.org.
        IN TXT "Format: <16-bit flags> <8-bit protocol> <8-bit algorithm> "
        IN TXT "The public key matching the private key used to sign the given zone. RFC4034 (2005)"

--------------------------------------------------------------------------------
/bind/ds.dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file exists purely so that our parent lookup against
; "ds.dns.netmeister.org" works.
;
; See also: https://www.netmeister.org/blog/dns-rrs.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@ IN SOA panix.netmeister.org. jschauma.netmeister.org. (
        2021072300 ; Serial
        3600 ; Refresh
        300 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS panix.netmeister.org.
        IN TXT "Format: <16-bit key tag> <8-bit algorithm> <8-bit digest type> "
        IN TXT "Delegation signer; the DNSSEC public key of the given child zone stored in the parent zone. RFC4034 (2005)"
        IN DNSKEY 257 3 13 RyjD9PTu6vn/kaWqvmmSUjwo9XGKz/Fm6sRRQBO3uZfcGJpk9l7rqYg5 MEtCcHc2O8dTJVDZL+Y+PzqJxsomJw==

--------------------------------------------------------------------------------
/bind/invalid.dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file contains invalid DNS names to illustrate that
; "hostnames" are not well-defined and that a DNS server may
; well serve you answers for queries of type A/AAAA that are
; not "valid".
;
; See also: https://www.netmeister.org/blog/hostnames.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@ IN SOA panix.netmeister.org. jschauma.netmeister.org. (
        2021101602 ; Serial
        3600 ; Refresh
        300 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS panix.netmeister.org.
        IN TXT "This zone has example entries for 'invalid' hostnames. See also: https://www.netmeister.org/blog/hostnames.html"

; "hostnames" must not start with a '-'

- IN A 192.0.2.1
        IN AAAA 2001:db8:fa4e::1

; neither can you end in a hyphen:
a- IN A 192.0.2.2
        IN AAAA 2001:db8:fa4e::2

; "_" is not allowed, either, although used for query minimization
_ IN A 192.0.2.3
        IN AAAA 2001:db8:fa4e::3

; MX records should also be "hostnames", but would be funny if we could:
jschauma@this.is IN MX 50 panix.netmeister.org.
        IN A 192.0.2.4
        IN AAAA 2001:db8:fa4e::4


; multiple successive dashes are possible, but...
; RFC5891 does not permit multiple dashes "in the third and fourth character position":
0-------------------------------------------------------------9 IN A 192.0.2.5
        IN AAAA 2001:db8:fa4e::5

; Once we disable check-names in bind, anything goes:
; :shrug:
¯\_\(ツ\)_/¯ IN A 192.0.2.6

        IN AAAA 2001:db8:fa4e::6

; ...and then we can escape stuff:
\$HOSTNAME IN A 192.0.2.7
        IN AAAA 2001:db8:fa4e::7

\(\){\;}\;whoami IN A 192.0.2.8
        IN AAAA 2001:db8:fa4e::8

'.' IN A 192.0.2.9
        IN AAAA 2001:db8:fa4e::9

; literal poop-emoji UTF-8
💩 IN A 192.0.2.10
        IN AAAA 2001:db8:fa4e::10

; literal a-umlaut
ä IN A 192.0.2.11
        IN AAAA 2001:db8:fa4e::11

--------------------------------------------------------------------------------
/bind/named.conf:
--------------------------------------------------------------------------------
# This is the named.conf file used on
# panix.netmeister.org to serve the dns.netmeister.org
# zone.
#
# Please see
# https://www.netmeister.org/blog/dns-rrs.html for
# more information.

options {
        directory "/etc/namedb";
        dnssec-validation auto;
        managed-keys-directory "keys";
        bindkeys-file "bind.keys";
        allow-recursion { localhost; localnets; };

        allow-query { localhost; localnets; };
        allow-query-cache { any; };
        listen-on { any; };
        listen-on-v6 { any; };

        ixfr-from-differences yes;

        #querylog yes;
        #
        # This forces all queries to come from port 53; might be
        # needed for firewall traversals but should be avoided if
        # at all possible because of the risk of spoofing attacks.
        #
        #query-source address * port 53;

        #response-policy {
        #zone "rpz.local";
        #};
};

logging {
        category default {
                default_file;
        };

        category queries {
                querylog;
        };

        channel security_log {
                file "/var/log/named-security" versions 3;
                print-time yes;
                print-severity yes;
                print-category yes;
                severity info;
        };

        channel default_file {
                file "/var/log/named";
                severity info;
        };

        channel querylog {
                file "/var/log/querylog";
                severity debug 3;
                print-category yes;
                print-time yes;
        };

        category security {
                security_log;
        };
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "";
};

controls {
        inet ::1 allow { localhost; } keys { "rndc-key"; };
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };

};

#zone "rpz.local" {
#type master;
#file "db.rpz.local";
#allow-update { none; };
#allow-transfer { none; };
#allow-query { any; };
#};

zone "." {
        type hint;
        file "root.cache";
};

zone "localhost" {
        type master;
        file "localhost";
};

zone "dns.netmeister.org" {
        type master;
        file "dns.netmeister.org";
        allow-query { any; };
        dnssec-policy default;
};

zone "valid.dns.netmeister.org" {
        type master;
        file "valid.dns.netmeister.org";
        allow-query { any; };
        dnssec-policy default;

};

zone "invalid.dns.netmeister.org" {
        type master;
        file "invalid.dns.netmeister.org";
        allow-query { any; };
        dnssec-policy default;
        check-names ignore;
};

zone "ns.dns.netmeister.org" {
        type master;
        file "ns.dns.netmeister.org";
        allow-query { any; };
        dnssec-policy default;
};

zone "ds.dns.netmeister.org" {
        type master;
        file "ds.dns.netmeister.org";
        allow-query { any; };
        dnssec-policy default;
};

zone "dnskey.dns.netmeister.org" {
        type master;
        file "dnskey.dns.netmeister.org";
        allow-query { any; };
        dnssec-policy default;
};

zone "soa.dns.netmeister.org" {
        type master;
        file "soa.dns.netmeister.org";
        allow-query { any; };
        dnssec-policy default;
};


zone "nsec3.dns.netmeister.org" {
        type master;
        file "nsec3.dns.netmeister.org";
        allow-query { any; };
        dnssec-policy nsec3;
};

zone "nsec3param.dns.netmeister.org" {
        type master;
        file "nsec3param.dns.netmeister.org";
        allow-query { any; };
        dnssec-policy nsec3;
};

zone "zonemd.dns.netmeister.org" {
        type master;
        file "zonemd.dns.netmeister.org";
        allow-query { any; };
        dnssec-policy nsec3;
};

key "tkey.dns.netmeister.org." {
        algorithm hmac-md5;
        secret "";
};

key "tsig.dns.netmeister.org." {
        algorithm hmac-sha256;
        secret "";
};

dnssec-policy "nsec3" {
        nsec3param iterations 15 optout no salt-length 8;
};

zone "127.IN-ADDR.ARPA" {
        type master;
        file "127";
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
        type master;
        file "loopback.v6";
};

--------------------------------------------------------------------------------
/bind/ns.dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file exists purely so that our parent lookup against
; "ns.dns.netmeister.org" works.
;
; See also: https://www.netmeister.org/blog/dns-rrs.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@ IN SOA panix.netmeister.org. jschauma.netmeister.org. (
        2021072300 ; Serial
        3600 ; Refresh
        300 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS panix.netmeister.org.
        IN TXT "Format: "
        IN TXT "Naming Authority Pointer; delegates authority of the given domain to the given name server. RFC1035 (1987)"
        IN DNSKEY 257 3 13 JErBf5lZ1osSWg7r51+4VfEiWIdONph0L70X0ToT7DkbikKQIp+qvuOO Zri7j3qVComv7tgTIBhKxeDQercdKQ==


--------------------------------------------------------------------------------
/bind/nsec3.dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file exists purely so that we can use NSEC3 on this zone
; but NSEC on the parent zone.
;
; See also: https://www.netmeister.org/blog/dns-rrs.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@ IN SOA panix.netmeister.org. jschauma.netmeister.org. (
        2021072300 ; Serial
        3600 ; Refresh
        300 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS panix.netmeister.org.
        IN TXT "Format: <8-bit hash algorithm> <8-bit flags> <16-bits iterations> <8-bit salt length> <24-bit salt> <8-bit hash-length> <24-bit next hashed owner name> <16-bit type bit map>"
        IN TXT "Next secure record, v3, to prove authenticated denial of existence. RFC5155 (2008)"
        IN DNSKEY 257 3 13 i1eth2wpAeyweTpRp8/Tim26m9wjYiFZRhzTSn6neM4q7ZYqlDH61as4 +U7QvPAz6yV0bn9t1YCt+Ox4YFqJ/w==

next IN TXT "A text record so that we can show the use of NSEC3."

--------------------------------------------------------------------------------
/bind/nsec3param.dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file exists purely so that we can use NSEC3 on this zone
; but NSEC on the parent zone.
;
; See also: https://www.netmeister.org/blog/dns-rrs.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@ IN SOA panix.netmeister.org. jschauma.netmeister.org. (
        2021072300 ; Serial
        3600 ; Refresh
        300 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS panix.netmeister.org.
        IN TXT "Format: <8-bit hash algorithm> <8-bit flags> <16-bit iterations> <8-bit salt length> <24-bit salt>"
        IN TXT "Parameters used for NSEC3. RFC5155 (2008)"
        IN DNSKEY 257 3 13 Axfep/JzUMTy442H2mssCegqjUxx4YaB4+GbfBpGS1S0QXioQKi4LSCI Tnlss3P9ZzOtNJeFxAbRxjPrHBbMfQ==

--------------------------------------------------------------------------------
/bind/soa.dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file exists purely so that we can look up
; the SOA RR for soa.dns.netmeister.org.
;
; See also: https://www.netmeister.org/blog/dns-rrs.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@ IN SOA panix.netmeister.org. jschauma.netmeister.org. (
        2021072300 ; Serial
        3600 ; Refresh
        300 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS panix.netmeister.org.
        IN TXT "Format: <32-bit serial> <32-bit refresh interval> <32-bit retry interval> <32-bit expiration interval> <32-bit minimum TTL>"
        IN TXT "Start of Authority information about the given zone. RFC883 (1983); RFC1035 (1987)"
        IN DNSKEY 257 3 13 A1Hroyhgo6rBgOzwrb78Ze3TLlSilzL0TjiFjQlqCfXiKeTspN3kWw8L XerArBYxRL72Mq9F7wOl6VnbuOQkTA==


--------------------------------------------------------------------------------
/bind/valid.dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file contains valid DNS names to illustrate edge cases
; of what is defined as "valid" for a "hostname" label.
;
; See also: https://www.netmeister.org/blog/hostnames.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@ IN SOA panix.netmeister.org. jschauma.netmeister.org. (
        2021101607 ; Serial
        3600 ; Refresh
        300 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS panix.netmeister.org.
        IN TXT "This zone has example entries for 'valid' hostnames. See also: https://www.netmeister.org/blog/hostnames.html"


; since RFC1123, hostnames may start with a digit
1 IN A 203.0.113.1
        IN AAAA 2001:db8:1::1

; valid characters for a "hostname" are:
a-zA-Z0-9 IN A 203.0.113.2
        IN AAAA 2001:db8:1::2

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa IN A 203.0.113.63
        IN AAAA 2001:db8:a:a:a:a:a:63

; we can have 253 total length, so strlen(".valid.dns.netmeister.org.")
; 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0.0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.z.y.x.w.vu IN A 203.0.113.3
0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.9.8.7.6.5.4.3.2.1.0.0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.z.y.x.w.v.ut IN A 203.0.113.3
        IN AAAA 2001:db8:0:1:2:3:4:5

; 'b' and 'B' are the same, you will get back both records
b IN A 203.0.113.4
b IN AAAA 2001:db8:b::1
B IN A 203.0.113.5
B IN AAAA 2001:db8:b::2

; punycode for poop emoji -- allowed in DNS, but
xn--ls8h IN A 203.0.113.6
        IN AAAA 2001:db8:53::6
; a-umlaut
xn--4ca IN A 203.0.113.7
        IN AAAA 2001:db8:53::7

; you _can_ start a label with a hyphen if it's not a "hostname"
- IN TXT "nothing to see here"

; underscores are also ok as labels, but not as "hostnames"
_ IN TXT "no query minimization here"

; spaces work...
\ IN CNAME 1
www.netmeister.org.\ .is IN CNAME www.netmeister.org.
; as do underscores, of course:
________ IN CNAME www.netmeister.org.

; and all the other shenanigans from 'invalid':
; :shrug:
¯\_\(ツ\)_/¯ IN CNAME 1

; ...and then we can escape stuff:
\$HOSTNAME IN CNAME 1
\(\){\;}\;whoami IN CNAME 1


; multiple successive dashes are possible, but...
; RFC5891 does not permit multiple dashes "in the third and fourth character position".
; bind9 doesn't seem to care:
0-------------------------------------------------------------9 IN A 203.0.113.8
        IN AAAA 2001:db8:53::8

; multiple successive dashes are possible, but...
; RFC5891 does not permit multiple dashes "in the third and fourth character position":
0-a----------------------------------------------------------1.0-b----------------------------------------------------------2.0-c----------------------------------------------------------3.0-d-------------------------------4 IN A 203.0.113.9
        IN AAAA 2001:db8:1:2:3:4:5:6789

0xcafe IN A 203.0.113.10
        IN AAAA 2001:db8:cafe:cafe:cafe:cafe:cafe:c0fe

--------------------------------------------------------------------------------
/bind/zonemd.dns.netmeister.org:
--------------------------------------------------------------------------------
; This zone file exists purely so that we can look up
; the ZONEMD RR for zonemd.dns.netmeister.org.
;
; See also: https://www.netmeister.org/blog/dns-rrs.html
;
; This file is in the public domain.
;
; -Jan Schaumann / @jschauma
;
; https://github.com/jschauma/dns-rrs

$TTL 3600
@ IN SOA panix.netmeister.org. jschauma.netmeister.org. (
        2021072300 ; Serial
        3600 ; Refresh
        300 ; Retry
        3600000 ; Expire
        3600 ) ; Minimum
        IN NS panix.netmeister.org.
        IN ZONEMD 2021071219 1 1 4274f6bc562cf8ce512b21aa0a4ccc1eb9f4faaaecd01642d0a07bdea890c8845849d6015cc590f54b0ac7e87b9e41ed
        IN TXT "Format: <32-bit serial> <8-bit scheme> <8-bit hash algorithm> "
        IN DNSKEY 257 3 13 sg1EBb/44SfKd+ZrR0LsZdMGobB55hvL2OaRGpVdPJfLe8bZgPGYBAC/ TfJRn6AvLlpmXNl9U8cTd3We7I40RA==
        IN TXT "Message Digest for zone data. RFC8976 (2021)"

--------------------------------------------------------------------------------
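The `invalid` and `valid` zone files above show that a DNS server will hand out names containing shell metacharacters, underscores and raw UTF-8 once `check-names` is relaxed. As an added example (not part of the repository), the following Python code undoes zone-file escapes and reports which labels break the letter-digit-hyphen hostname rules the zone comments cite, so a consumer of DNS answers can check a name before using it in a shell command, log line or template. The function names and result codes are hypothetical, and the sample names are constructed from owner names in the two zone files.

```python
import re

LDH = re.compile(rb"[A-Za-z0-9-]+")        # letters, digits, hyphen (RFC 952/1123)
DECIMAL_ESCAPE = re.compile(r"[0-9]{3}")   # \DDD escape in zone-file syntax


def split_labels(name):
    """Split a presentation-format name into labels (as bytes), undoing
    zone-file escapes: \\X is a literal character, \\DDD a decimal octet."""
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            ddd = name[i + 1:i + 4]
            if DECIMAL_ESCAPE.fullmatch(ddd) and int(ddd) <= 255:
                cur.append(int(ddd))
                i += 4
            else:
                cur += name[i + 1].encode("utf-8")
                i += 2
        elif ch == ".":
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur += ch.encode("utf-8")
            i += 1
    if cur:
        labels.append(bytes(cur))
    return labels


def hostname_problems(name):
    """Return (label, code) pairs for each hostname rule the name breaks.
    An empty list means every label is a plain letter-digit-hyphen label."""
    labels = split_labels(name)
    problems = []
    if len(b".".join(labels)) > 253:
        problems.append((name.encode("utf-8"), "name-too-long"))
    for label in labels:
        if not label:
            problems.append((label, "empty-label"))
            continue
        if len(label) > 63:
            problems.append((label, "label-too-long"))
        if not LDH.fullmatch(label):
            problems.append((label, "non-ldh-character"))
        if label.startswith(b"-") or label.endswith(b"-"):
            problems.append((label, "edge-hyphen"))
        # "--" in positions 3 and 4 is reserved unless it is the IDNA "xn--" prefix.
        if label[2:4] == b"--" and not label.lower().startswith(b"xn--"):
            problems.append((label, "reserved-double-hyphen"))
    return problems


# Constructed sample names, modelled on owner names in the two zone files.
SAMPLES = [
    "1.valid.dns.netmeister.org.",
    "xn--ls8h.valid.dns.netmeister.org.",
    "-.invalid.dns.netmeister.org.",
    "_.invalid.dns.netmeister.org.",
    r"\$HOSTNAME.invalid.dns.netmeister.org.",
    r"\(\){\;}\;whoami.invalid.dns.netmeister.org.",
    "0" + "-" * 61 + "9.valid.dns.netmeister.org.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        codes = sorted({code for _, code in hostname_problems(sample)})
        print(f"{sample[:40]:<42}{', '.join(codes) or 'ok'}")
```

A name that passes these checks is still only syntactically a hostname; labels such as `_` and `-` remain legal DNS labels for non-address records, as the `valid` zone shows.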