On 2013-03-21 at 12:59 -0700, Todd Lyons wrote:
> SPF is also required for DMARC to be tested comprehensively, and the
> libspf functions require active DNS with seemingly no way around that.
> This means I cannot fully test DMARC because SPF will always be
> missing if I use the test.ex test harness domain.
Frankly, test.ex strikes me as problematic, because you're not testing
the real code-paths used in normal running code.
Thus testdns.exim.org exists: it'll be even more critical with DNSSEC
checks, to be sure we're really testing what we think we're testing.
I'm happy to add whatever folks want to it.
Anyone on tahini can AXFR the content; in addition, I've attached the
zonefile to this message.
Most recent change was to add the dlv record, but that's failing
because the exim.org DNS servers don't accept queries over TCP; SOA
serial in zone as served happens to match this right now, but isn't
guaranteed (bind inline signing).
-Phil
; $HeadURL: https://svn.spodhuis.org/ksvn/services/trunk/DNS/zones.public/db.testdns.exim.org $
; $Id: db.testdns.exim.org 2621 2013-03-15 06:30:18Z pdp@??? $
;
$TTL 3600
$ORIGIN testdns.exim.org.
@ IN SOA nlns.globnix.net. dnsadmin.globnix.net. (
2013031422 ; Serial
3h ; Refresh
1h ; Retry
10d ; Expire
1200 ; Min/Neg TTL
) ; end of authority information
@ NS nlns.globnix.net.
@ NS us0ns.globnix.net.
@ MX 0 .
@ SPF "v=spf1 -all"
@ TXT "v=spf1 -all"
@ TXT "dummy food"
dlv 0 IN TXT "DLV:1:gbmswyvxymrr"
$ORIGIN misc.testdns.exim.org.
; these resolve to reserved-for-documentation IPs
; some come from test.globnix.net.
; Examples of loading a TXT record via \#
_loaded_0 IN TXT \# 1 00
_loaded_1 IN TXT \# 6 05 48 65 6c 6c 6f
normal A 192.0.2.1
single\032space A 192.0.2.2
middle\.dot A 192.0.2.3
trailing-dot\. A 192.0.2.4
long-hostname-carefully-selected-to-expose-fixed-length-buffers A 192.0.2.5
nul\000gap A 192.0.2.6
foo/slash A 192.0.2.7
foo:colon A 192.0.2.8
foo\000null A 192.0.2.9
txt-3-in-1 TXT "first" "second" "third"
txt-4-in-2 TXT "[rec-a part1]" "{rec-a part2}"
txt-4-in-2 TXT "(rec-b part3)" "<rec-b part4>"
$ORIGIN local.testdns.exim.org.
mx4 A 127.0.0.1
mx6 AAAA ::1
mx A 127.0.0.1
mx AAAA ::1
mail4 A 127.0.0.1
mail6 AAAA ::1
mail A 127.0.0.1
mail AAAA ::1
services4 A 127.0.0.1
services6 AAAA ::1
services A 127.0.0.1
services AAAA ::1
@ MX 10 mx
@ MX 40 mx4
@ MX 60 mx6
_submission._tcp SRV 10 10 587 mail
_ldap._tcp SRV 10 10 389 services
@ SPF "v=spf1 mx a:mail.local.testdns.exim.org -all"
$ORIGIN valid254.testdns.exim.org.
; for IPv6, can't use link-local as that needs scope for resolution, plus
; I've seen some weirdness with fe80:4242::6%lo0 being reported as fe80::6%lo0
; and both being pingable. Er.
; So use FC00::/7 "Unique Local IPv6 Unicast Addresses" per RFC 4193.
; Not recommended for global DNS, but this is for local systems testing, just
; as we use RFC1918 space for ip4. Random assignment, L=1, => fd::/8
; The subnetid needs to be random, and the recommended approach uses a MAC
; address as part of the input; sha1(64-bit-binary-NTP-time | MAC) and lowest
; 40 bits. Rather than code, I searched and found http://bitace.com/ipv6calc/
; which actually just generates random numbers with JS Math.random(). Sod it,
; that's good enough.
; Unicast Subnet: fdaa:58d3:2c8b::/48
; Multicast Subnet: ff3e:30:fdaa:58d3:2c8b::/96 global
; ff38:30:fdaa:58d3:2c8b::/96 organisation-local
; ff35:30:fdaa:58d3:2c8b::/96 site-local
;
mx4 A 192.168.254.4
mx6 AAAA fdaa:58d3:2c8b::254:6
mx A 192.168.254.4
mx AAAA fdaa:58d3:2c8b::254:6
mail4 A 192.168.254.104
mail6 AAAA fdaa:58d3:2c8b::254:106
mail A 192.168.254.104
mail AAAA fdaa:58d3:2c8b::254:106
services4 A 192.168.254.204
services6 AAAA fdaa:58d3:2c8b::254:206
services A 192.168.254.204
services AAAA fdaa:58d3:2c8b::254:206
@ MX 10 mx
@ MX 40 mx4
@ MX 60 mx6
_submission._tcp SRV 10 10 587 mail
_ldap._tcp SRV 10 10 389 services
; deliberately exclude services as source address
@ SPF "v=spf1 mx a:mail.valid254.testdns.exim.org -all"
;
; Keep a copy of this valid254 data in the IDN test too, changing only SPF
$ORIGIN xn--qck5b9a5eml3bze.testdns.exim.org.
;
; xn--qck5b9a5eml3bze == グランピートロル (grumpy troll)
; should be a copy of valid254.
;
mx4 A 192.168.254.4
mx6 AAAA fdaa:58d3:2c8b::254:6
mx A 192.168.254.4
mx AAAA fdaa:58d3:2c8b::254:6
mail4 A 192.168.254.104
mail6 AAAA fdaa:58d3:2c8b::254:106
mail A 192.168.254.104
mail AAAA fdaa:58d3:2c8b::254:106
services4 A 192.168.254.204
services6 AAAA fdaa:58d3:2c8b::254:206
services A 192.168.254.204
services AAAA fdaa:58d3:2c8b::254:206
@ MX 10 mx
@ MX 40 mx4
@ MX 60 mx6
_submission._tcp SRV 10 10 587 mail
_ldap._tcp SRV 10 10 389 services
; deliberately exclude services as source address
@ SPF "v=spf1 mx a:mail.xn--qck5b9a5eml3bze.testdns.exim.org -all"
;
idn-puny MX 10 mx
idn-puny SPF "v=spf1 a:mail.xn--qck5b9a5eml3bze.testdns.exim.org -all"
idn-utf8 MX 10 mx
; codecs.lookup('utf-8').encode('グランピートロル')[0] ->
; \xe3\x82\xb0\xe3\x83\xa9\xe3\x83\xb3\xe3\x83\x94\xe3\x83\xbc\xe3\x83\x88\xe3\x83\xad\xe3\x83\xab
; H.encode( U8.encode(d)[0] ) -> b'e382b0e383a9e383b3e38394e383bce38388e383ade383ab'
; H=codecs.lookup('hex_codec')
; H.encode(b'.')[0] = '2e' -- sanity check
; b'v=spf1 a:mail.' -> 763d7370663120613a6d61696c2e
; b'.testdns.exim.org -all' -> 2e74657374646e732e6578696d2e6f7267202d616c6c
; We are encoding an SPF record, the RRdata for which is formatted as a TXT record's is.
; A sequence of strings, each of which is a length octet followed by the data octets.
; The string has length 60, 0x3C, so the length of the data is 61 octets,
; the first of which is the string length and then the "..." data follows
idn-utf8 SPF \# 61 ( 3C
76 3d 73 70 66 31 20 61 3a 6d 61 69 6c 2e
e3 82 b0 e3 83 a9 e3 83 b3 e3 83 94 e3 83 bc e3 83 88 e3 83 ad e3 83 ab
2e 74 65 73 74 64 6e 73 2e 65 78 69 6d 2e 6f 72 67 20 2d 61 6c 6c
)
$ORIGIN testdns.exim.org.
_final_record TXT "zone loaded"
; vim: set filetype=bindzone :
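The `\#` generic-RDATA form walked through in the zone comments (the `_loaded_*` TXT records and the hand-assembled idn-utf8 SPF record), as an added example that is not part of the original message or the zone file: a Python encoder/decoder for the length-prefixed character-strings that make up TXT/SPF RDATA. It assumes only the standard library; beyond the records on the page it also splits strings over 255 octets into chunks and rejects RDATA whose declared length or string lengths do not add up.

```python
import binascii

def encode_txt_rdata(strings):
    """'\\# <len> <hex...>' (RFC 3597 generic syntax) for TXT/SPF RDATA.
    Each str/bytes entry becomes a length-prefixed <character-string>;
    entries over 255 octets are split into 255-octet chunks."""
    wire = bytearray()
    for s in strings:
        data = s.encode("utf-8") if isinstance(s, str) else bytes(s)
        for i in range(0, len(data), 255) or [0]:  # [0]: "" -> one empty string
            chunk = data[i:i + 255]
            wire.append(len(chunk))
            wire += chunk
    hexpairs = binascii.hexlify(bytes(wire)).decode("ascii")
    return "\\# %d %s" % (len(wire), " ".join(hexpairs[i:i + 2] for i in range(0, len(hexpairs), 2)))

def decode_txt_rdata(presentation):
    """Parse '\\# <len> <hex...>' (parentheses and newlines allowed) into a
    list of byte strings, rejecting inconsistent or truncated RDATA."""
    fields = presentation.replace("(", " ").replace(")", " ").split()
    if len(fields) < 2 or fields[0] != "\\#":
        raise ValueError("not generic RDATA syntax")
    raw = binascii.unhexlify("".join(fields[2:]))
    if len(raw) != int(fields[1]):
        raise ValueError("declared %s octets, got %d" % (fields[1], len(raw)))
    strings, pos = [], 0
    while pos < len(raw):
        n = raw[pos]
        if pos + 1 + n > len(raw):
            raise ValueError("character-string runs past end of RDATA")
        strings.append(raw[pos + 1:pos + 1 + n])
        pos += 1 + n
    return strings

def is_malformed(presentation):
    """True when decode_txt_rdata() rejects the record (binascii.Error is a ValueError)."""
    try:
        decode_txt_rdata(presentation)
    except ValueError:
        return True
    return False

# The idn-utf8 SPF record exactly as written in the zone file above.
ZONE_IDN_UTF8_SPF = """\\# 61 ( 3C
76 3d 73 70 66 31 20 61 3a 6d 61 69 6c 2e
e3 82 b0 e3 83 a9 e3 83 b3 e3 83 94 e3 83 bc e3 83 88 e3 83 ad e3 83 ab
2e 74 65 73 74 64 6e 73 2e 65 78 69 6d 2e 6f 72 67 20 2d 61 6c 6c
)"""
GRUMPY_TROLL = bytes.fromhex("e382b0e383a9e383b3e38394e383bce38388e383ade383ab").decode("utf-8")  # hex from the zone comments
IDN_UTF8_SPF_TEXT = "v=spf1 a:mail." + GRUMPY_TROLL + ".testdns.exim.org -all"
```

`decode_txt_rdata(ZONE_IDN_UTF8_SPF)` yields the single 60-octet string from the zone, and `encode_txt_rdata(["Hello"])` reproduces the `_loaded_1` record byte for byte.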