[exim.git] / test / dnszones-src / db.test.ex

; This is a testing zone file for use when testing DNS handling in Exim. This
; is a fake zone of no real use. The zone name is
; test.ex. This file is passed through the substitution mechanism before being
; used by the fakens auxiliary program. This inserts the actual IP addresses
; of the local host into the zone.

; NOTE (1): apart from ::1, IPv6 addresses must always have 8 components. Do
; not abbreviate them by using the :: feature. Leading zeros in components may,
; however, be omitted.

; NOTE (2): the fakens program is very simple and assumes that the buffer into
; which is puts the response is always going to be big enough. In other words,
; the expectation is for just a few RRs for each query.

; NOTE (3): the top-level networks for testing addresses are parameterized by
; the use of V4NET and V6NET. These networks should be such that no real
; host ever uses them.
;
; Several prefixes may be used, see the source in src/fakens.c for a complete list
; and description.

test.ex.     NS      exim.test.ex.
test.ex.     SOA     exim.test.ex. hostmaster.exim.test.ex 1430683638 1200 120 604800 3600

test.ex.     TXT     "A TXT record for test.ex."
s/lash       TXT     "A TXT record for s/lash.test.ex."

cname        CNAME   test.ex.

ptr          PTR     data.for.ptr.test.ex.

; Standard localhost handling

localhost    A       127.0.0.1
localhost    AAAA    ::1

; This name exists only if qualified; it is never automatically qualified

dontqualify  A       V4NET.255.255.254

; A host with upper case letters in its canonical name

UpperCase    A       127.0.0.1

; A host with punycoded UTF-8 characters used for its lookup ( mx.π.test.ex )

mx.xn--1xa         A       V4NET.255.255.255

; A non-standard name for localhost

thishost     A       127.0.0.1
localhost4   A       127.0.0.1

; A localhost with short TTL

TTL=2 shorthost A    127.0.0.1


; Something that gives both the IP and the loopback

thisloop     A       HOSTIPV4
             A       127.0.0.1

; Something that gives an unreachable IP and the loopback

badloop      A       V4NET.0.0.1
             A       127.0.0.1

; Another host with both A and AAAA records

46           A       V4NET.0.0.4
             AAAA    V6NET:ffff:836f:0a00:000a:0800:200a:c031

; And another

46b          A       V4NET.0.0.5
             AAAA    V6NET:ffff:836f:0a00:000a:0800:200a:c033

; A working IPv4 address and a non-working IPv6 address, with different
; names so they can have different MX values

46c          AAAA    V6NET:ffff:836f:0a00:000a:0800:200a:c033
46d          A       HOSTIPV4

; A host with just a non-local IPv6 address

v6           AAAA    V6NET:ffff:836f:0a00:000a:0800:200a:c032

; Alias A and CNAME records for the local host, under the name "eximtesthost"
; Make the A covered by DNSSEC and add a TLSA for it.

eximtesthost     A       HOSTIPV4
alias-eximtesthost CNAME eximtesthost.test.ex.

; A bad CNAME

badcname     CNAME   rhubarb.test.ex.

; Test a name containing an underscore

a_b          A       99.99.99.99

; The reverse registration for this name is an empty string

empty        A       V4NET.255.255.255

; Some IPv6 stuff

eximtesthost.ipv6 AAAA   HOSTIPV6
test2.ipv6   AAAA    V6NET:2101:12:1:a00:20ff:fe86:a062
test3.ipv6   AAAA    V6NET:1234:5:6:7:8:abc:0d

; A case of forward and backward pointers disagreeing

badA         A       V4NET.99.99.99
badB         A       V4NET.99.99.98

; A host with multiple names in different (sub) domains
; These are intended to be within test.ex - absence of final dots is deliberate

x.gov.uk     A       V4NET.99.99.97
x.co.uk      A       V4NET.99.99.97

; A host, the reverse lookup of whose IP address gives this name plus another
; that does not forward resolve to the same address

oneback      A       V4NET.99.99.90
host1.masq   A       V4NET.90.90.90

; Fake hosts are registered in the V4NET.0.0.0 subnet. In the past, the
; 10.0.0.0/8 network was used; hence the names of the hosts.

ten-1        A       V4NET.0.0.1
ten-2        A       V4NET.0.0.2
ten-3        A       V4NET.0.0.3
ten-3-alias  A       V4NET.0.0.3
ten-3xtra    A       V4NET.0.0.3
ten-4        A       V4NET.0.0.4
ten-5        A       V4NET.0.0.5
ten-6        A       V4NET.0.0.6
ten-5-6      A       V4NET.0.0.5
             A       V4NET.0.0.6

ten-99       A       V4NET.0.0.99

black-1      A       V4NET.11.12.13
black-2      A       V4NET.11.12.14

myhost       A       V4NET.10.10.10
myhost2      A       V4NET.10.10.10

other1       A       V4NET.12.4.5
other2       A       V4NET.12.3.1
             A       V4NET.12.3.2

other99      A       V4NET.99.0.1

testsub.sub  A       V4NET.99.0.3

; This one's real name really is recurse.test.ex.test.ex. It is done like
; this for testing host widening, without getting tangled up in qualify issues.

recurse.test.ex   A  V4NET.99.0.2

; a CNAME pointing to a name with both ipv4 and ipv6 A-records
; and one with only ipv4

cname46      CNAME   localhost
cname4       CNAME   thishost

; -------- Testing RBL records -------

; V4NET.11.12.13 is deliberately not reverse-registered

13.12.11.V4NET.rbl    A   127.0.0.2
                      TXT "This is a test blacklisting message"
TTL=2 14.12.11.V4NET.rbl A 127.0.0.2
                      TXT "This is a test blacklisting message"
15.12.11.V4NET.rbl    A   127.0.0.2
                      TXT "This is a very long blacklisting message, continuing for ages and ages and certainly being longer than 128 characters which was a previous limit on the length that Exim was prepared to handle."

14.12.11.V4NET.rbl2   A   127.0.0.2
                      TXT "This is a test blacklisting2 message"
16.12.11.V4NET.rbl2   A   127.0.0.2
                      TXT "This is a test blacklisting2 message"

14.12.11.V4NET.rbl3   A   127.0.0.2
                      TXT "This is a test blacklisting3 message"
15.12.11.V4NET.rbl3   A   127.0.0.3
                      TXT "This is a very long blacklisting message, continuing for ages and ages and certainly being longer than 128 characters which was a previous limit on the length that Exim was prepared to handle."

20.12.11.V4NET.rbl4   A   127.0.0.6
21.12.11.V4NET.rbl4   A   127.0.0.7
22.12.11.V4NET.rbl4   A   127.0.0.128
                      TXT "This is a test blacklisting4 message"

22.12.11.V4NET.rbl5   A   127.0.0.1
                      TXT "This is a test blacklisting5 message"

1.13.13.V4NET.rbl     CNAME non-exist.test.ex.
2.13.13.V4NET.rbl     A   127.0.0.1
                      A   127.0.0.2

; -------- Testing MX records --------

mxcased      MX  5  ten-99.TEST.EX.

; Points to a host with both A and AAAA

mx46         MX  46 46.test.ex.

; Points to two hosts with both kinds of address, equal precedence

mx4646       MX  46 46.test.ex.
             MX  46 46b.test.ex.

; Ditto, with a third IPv6 host

mx46466      MX  46 46.test.ex.
             MX  46 46b.test.ex.
             MX  46 v6.test.ex.

; This time, change precedence

mx46466b     MX  46 46.test.ex.
             MX  47 46b.test.ex.
             MX  48 v6.test.ex.

; Points to a host with a working IPv4 and a non-working IPv6 record

mx46cd       MX  10 46c.test.ex.
             MX  11 46d.test.ex.

; Two equal precedence pointing to a v4 and a v6 host

mx246        MX  10 v6.test.ex.
             MX  10 ten-1.test.ex.

; Lowest-numbered points to local host

mxt1         MX  5  eximtesthost.test.ex.

; Points only to non-existent hosts

mxt2         MX  5  not-exist.test.ex.

; Points to some non-existent hosts;
; Lowest numbered existing points to local host

mxt3         MX  5  not-exist.test.ex.
             MX  6  eximtesthost.test.ex.

; Points to some non-existent hosts;
; Lowest numbered existing points to non-local host

mxt3r        MX  5  not-exist.test.ex.
             MX  6  exim.org.

; Points to an alias

mxt4         MX  5  alias-eximtesthost.test.ex.

; Various combinations of precedence and local host

mxt5         MX  5  eximtesthost.test.ex.
             MX  5  ten-1.test.ex.

mxt6         MX  5  ten-1.test.ex.
             MX  6  eximtesthost.test.ex.
             MX  6  ten-2.test.ex.

mxt7         MX  5  ten-2.test.ex.
             MX  6  ten-3.test.ex.
             MX  7  eximtesthost.test.ex.
             MX  8  ten-1.test.ex.

mxt8         MX  5  ten-2.test.ex.
             MX  6  ten-3.test.ex.
             MX  7  eximtesthost.test.ex.
             MX  7  ten-4.test.ex.
             MX  8  ten-1.test.ex.

; Same host appearing twice; make some variants in different orders to
; simulate a real nameserver and its round robinning

mxt9         MX  5  ten-1.test.ex.
             MX  6  ten-2.test.ex.
             MX  7  ten-3.test.ex.
             MX  8  ten-1.test.ex.

mxt9a        MX  6  ten-2.test.ex.
             MX  7  ten-3.test.ex.
             MX  8  ten-1.test.ex.
             MX  5  ten-1.test.ex.

mxt9b        MX  7  ten-3.test.ex.
             MX  8  ten-1.test.ex.
             MX  5  ten-1.test.ex.
             MX  6  ten-2.test.ex.

; MX pointing to IP address

mxt10        MX  5  V4NET.0.0.1.

; Several MXs pointing to local host

mxt11        MX  5  localhost.test.ex.
             MX  6  localhost.test.ex.

mxt11a       MX  5  localhost.test.ex.
             MX  6  ten-1.test.ex.

mxt12        MX  5  local1.test.ex.
             MX  6  local2.test.ex.

local1       A   127.0.0.2
local2       A   127.0.0.2

; Some more

mxt13        MX  4  other1.test.ex.
             MX  5  other2.test.ex.

; Different hosts with same IP addresses in the list

mxt14        MX  4  ten-5-6.test.ex.
             MX  5  ten-5.test.ex.
             MX  6  ten-6.test.ex.

; Non-local hosts with different precedence

mxt15        MX 10  ten-1.test.ex.
             MX 20  ten-2.test.ex.

; Large number of IP addresses at one MX value, and then some
; at another, to check that hosts_max_try tries the MX different
; values if it can.

mxt99        MX  1  ten-1.test.ex.
             MX  1  ten-2.test.ex.
             MX  1  ten-3.test.ex.
             MX  1  ten-4.test.ex.
             MX  1  ten-5.test.ex.
             MX  1  ten-6.test.ex.
             MX  3  black-1.test.ex.
             MX  3  black-2.test.ex.

; Special case test for @mx_any (to doublecheck a reported Exim 3 bug isn't
; in Exim 4). The MX points to two names, each with multiple addresses. The
; very last address is the local host. When Exim is testing, it will sort
; these addresses into ascending order.

mxt98        MX  1  98-1.test.ex.
             MX  2  98-2.test.ex.

98-1         A   V4NET.1.2.3
             A   V4NET.4.5.6

98-2         A   V4NET.7.8.9
             A   HOSTIPV4

; IP addresses with the same MX value

mxt97        MX  1  ten-1.test.ex.
             MX  1  ten-2.test.ex.
             MX  1  ten-3.test.ex.
             MX  1  ten-4.test.ex.

; MX pointing to a single-component name that exists if qualified, but not
; if not. We use the special name dontqualify to stop the fake resolver
; qualifying it.

mxt1c        MX  1  dontqualify.

; MX with punycoded UTF-8 characters used for its lookup ( π.test.ex )

xn--1xa      MX  0  mx.π.test.ex.

; MX with actual UTF-8 characters in its name, for allow_utf8_domains mode test

π            MX  0  mx.xn--1xa.test.ex.

; -------- Testing SRV records --------

_smtp._tcp.srv01    SRV  0 0 25 ten-1.test.ex.

_smtp._tcp.srv02    SRV  1 3 99 ten-1.test.ex.
                    SRV  1 1 99 ten-2.test.ex.
                    SRV  3 0 66 ten-3.test.ex.

_smtp._tcp.nosmtp   SRV  0 0 0  .

_smtp2._tcp.srv03   SRV  0 0 88 ten-4.test.ex.

_smtp._tcp.srv27    SRV  0 0 PORT_S localhost


; -------- With some for CSA testing plus their A records -------

_client._smtp.csa1  SRV  1 2 0  csa1.test.ex.
_client._smtp.csa2  SRV  1 1 0  csa2.test.ex.

csa1         A   V4NET.9.8.7
csa2         A   V4NET.9.8.8

; ------- Testing DNSSEC ----------

mx-unsec-a-unsec        MX 5 a-unsec
mx-unsec-a-sec          MX 5 a-sec
DNSSEC mx-sec-a-unsec   MX 5 a-unsec
DNSSEC mx-sec-a-sec     MX 5 a-sec
DNSSEC mx-sec-a-aa      MX 5 a-aa
AA mx-aa-a-sec          MX 5 a-sec

a-unsec        A V4NET.0.0.100
DNSSEC a-sec   A V4NET.0.0.100
DNSSEC l-sec   A 127.0.0.1

AA a-aa        A V4NET.0.0.100

; ------- Testing DANE ------------

; full suite dns chain, sha512
;
; openssl x509 -in aux-fixed/cert1 -noout -pubkey \
; | openssl pkey -pubin -outform DER \
; | openssl dgst -sha512 \
; | awk '{print $2}'
;
DNSSEC mxdane512ee          MX  1  dane512ee
DNSSEC dane512ee            A      HOSTIPV4
DNSSEC _1225._tcp.dane512ee TLSA  3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d

; A-only, sha256
;
; openssl x509 -in aux-fixed/cert1 -noout -pubkey \
; | openssl pkey -pubin -outform DER \
; | openssl dgst -sha256 \
; | awk '{print $2}'
;
DNSSEC dane256ee            A      HOSTIPV4
DNSSEC _1225._tcp.dane256ee TLSA  3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3

; full MX, sha256, TA-mode
;
; openssl x509 -in aux-fixed/exim-ca/example.com/CA/CA.pem -fingerprint -sha256 -noout \
;  | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
;
; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is.
;
DNSSEC mxdane256ta          MX  1  dane256ta
DNSSEC dane256ta            A      HOSTIPV4
DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 6ec4a7b5f5310953ea3d6deb3f210ba60923be16bf1450b7a45e7567e98287bc


; full MX, sha256, TA-mode, cert-key-only
; Indicates a trust-anchor for a chain involving an Authority Key ID extension
; linkage, as this excites a bug in OpenSSL 1.0.2 which the DANE code has to
; work around, while synthesizing a selfsigned parent for it.
; As it happens it is also an intermediate cert in the CA-rooted chain, as this
; was initially thought ot be a factor.
;
; openssl x509 -in aux-fixed/exim-ca/example.com/CA/Signer.pem -noout -pubkey \
; | openssl pkey -pubin -outform DER \
; | openssl dgst -sha256 \
; | awk '{print $2}'
;
; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is.
;
DNSSEC mxdane256tak          MX  1  dane256tak
DNSSEC dane256tak            A      HOSTIPV4
DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 7e241508cffb12c85b1b06a00268f6f7f926ba742db671f3994cbebc81368816


; A multiple-return MX where all TLSA lookups defer
DNSSEC mxdanelazy           MX  1   danelazy
DNSSEC                      MX  2   danelazy2

DNSSEC danelazy             A       HOSTIPV4
DNSSEC danelazy2            A       127.0.0.1

DNSSEC _1225._tcp.danelazy  CNAME   test.again.dns.
DNSSEC _1225._tcp.danelazy2 CNAME   test.again.dns.

; hosts with no TLSA (just missing here, hence the TLSA NXDMAIN is _insecure_; a broken dane config)
; 1 for dane-required, 2 for merely requested
DNSSEC dane.no.1            A       HOSTIPV4
DNSSEC dane.no.2            A       127.0.0.1

; a broken dane config (or under attack) where the TLSA lookup fails (as opposed to there not being one)
DNSSEC danebroken1          A       127.0.0.1
_1225._tcp.danebroken1      CNAME   test.fail.dns.

; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups
; 3 for dane-required, 4 for merely requested
; the TLSA data here is dummy; ignored
DNSSEC dane.no.3            A       HOSTIPV4
DNSSEC dane.no.4            A       127.0.0.1

DNSSEC NXDOMAIN _1225._tcp.dane.no.3 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
DNSSEC NXDOMAIN _1225._tcp.dane.no.4 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741

; ------- Testing delays ------------

DELAY=500 delay500   A HOSTIPV4
DELAY=1500 delay1500 A HOSTIPV4

; ------- DKIM ---------

; public key, base64 - matches private key in aux-fixed/dkim/dkim.private
;  openssl genrsa -out aux-fixed/dkim/dkim.private 1024
;  openssl rsa -in aux-fixed/dkim/dkim.private -out /dev/stdout -pubout -outform PEM
;
; Deliberate bad version, having extra backslashes
; sha256-hash-only version.... appears to be too long, gets truncated
;
; Another, 512-bit (with a Notes field)
; 512 requiring sha1 hash
; 512 requiring sha256 hash
;
sel._domainkey TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
sel_bad._domainkey TXT "v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
sel_sha256._domainkey TXT "v=DKIM1; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"

ses._domainkey TXT "v=DKIM1; n=halfkilo; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ=="
ses_sha1._domainkey TXT "v=DKIM1; h=sha1; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ=="
ses_sha256._domainkey TXT "v=DKIM1; h=sha256; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ=="

sel2._domainkey TXT "v=spf1 mx a include:spf.nl2go.com -all"
sel2._domainkey TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"

; End
Commit	Line	Data
c55a77db	1	; This is a testing zone file for use when testing DNS handling in Exim. This
d2a2c69b	2	; is a fake zone of no real use. The zone name is
c55a77db PH	3	; test.ex. This file is passed through the substitution mechanism before being
	4	; used by the fakens auxiliary program. This inserts the actual IP addresses
	5	; of the local host into the zone.
	6
	7	; NOTE (1): apart from ::1, IPv6 addresses must always have 8 components. Do
	8	; not abbreviate them by using the :: feature. Leading zeros in components may,
	9	; however, be omitted.
	10
	11	; NOTE (2): the fakens program is very simple and assumes that the buffer into
	12	; which is puts the response is always going to be big enough. In other words,
	13	; the expectation is for just a few RRs for each query.
	14
	15	; NOTE (3): the top-level networks for testing addresses are parameterized by
	16	; the use of V4NET and V6NET. These networks should be such that no real
	17	; host ever uses them.
f6584c83 HSHR	18	;
	19	; Several prefixes may be used, see the source in src/fakens.c for a complete list
	20	; and description.
c55a77db PH	21
c55a77db PH	22	test.ex. NS exim.test.ex.
d2a2c69b	23	test.ex. SOA exim.test.ex. hostmaster.exim.test.ex 1430683638 1200 120 604800 3600
c55a77db PH	24
c55a77db PH	25	test.ex. TXT "A TXT record for test.ex."
230205fc	26	s/lash TXT "A TXT record for s/lash.test.ex."
c55a77db PH	27
	28	cname CNAME test.ex.
	29
	30	ptr PTR data.for.ptr.test.ex.
	31
	32	; Standard localhost handling
	33
	34	localhost A 127.0.0.1
	35	localhost AAAA ::1
	36
	37	; This name exists only if qualified; it is never automatically qualified
	38
	39	dontqualify A V4NET.255.255.254
	40
	41	; A host with upper case letters in its canonical name
	42
	43	UpperCase A 127.0.0.1
	44
766e7a65	45	; A host with punycoded UTF-8 characters used for its lookup ( mx.π.test.ex )
c55a77db	46
766e7a65	47	mx.xn--1xa A V4NET.255.255.255
c55a77db PH	48
	49	; A non-standard name for localhost
	50
	51	thishost A 127.0.0.1
ac9a0d91 JH	52	localhost4 A 127.0.0.1
ac9a0d91 JH	53
14b3c5bc JH	54	; A localhost with short TTL
	55
	56	TTL=2 shorthost A 127.0.0.1
	57
c55a77db	58
1cce3af8 PH	59	; Something that gives both the IP and the loopback
	60
	61	thisloop A HOSTIPV4
	62	A 127.0.0.1
	63
	64	; Something that gives an unreachable IP and the loopback
	65
	66	badloop A V4NET.0.0.1
	67	A 127.0.0.1
	68
c55a77db PH	69	; Another host with both A and AAAA records
	70
	71	46 A V4NET.0.0.4
	72	AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c031
	73
	74	; And another
	75
	76	46b A V4NET.0.0.5
	77	AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c033
	78
	79	; A working IPv4 address and a non-working IPv6 address, with different
	80	; names so they can have different MX values
	81
	82	46c AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c033
	83	46d A HOSTIPV4
	84
	85	; A host with just a non-local IPv6 address
	86
	87	v6 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c032
	88
	89	; Alias A and CNAME records for the local host, under the name "eximtesthost"
b4161d10	90	; Make the A covered by DNSSEC and add a TLSA for it.
c55a77db	91
101de477	92	eximtesthost A HOSTIPV4
c55a77db PH	93	alias-eximtesthost CNAME eximtesthost.test.ex.
	94
	95	; A bad CNAME
	96
	97	badcname CNAME rhubarb.test.ex.
	98
	99	; Test a name containing an underscore
	100
	101	a_b A 99.99.99.99
	102
	103	; The reverse registration for this name is an empty string
	104
	105	empty A V4NET.255.255.255
	106
	107	; Some IPv6 stuff
	108
	109	eximtesthost.ipv6 AAAA HOSTIPV6
	110	test2.ipv6 AAAA V6NET:2101:12:1:a00:20ff:fe86:a062
	111	test3.ipv6 AAAA V6NET:1234:5:6:7:8:abc:0d
	112
	113	; A case of forward and backward pointers disagreeing
	114
	115	badA A V4NET.99.99.99
	116	badB A V4NET.99.99.98
	117
	118	; A host with multiple names in different (sub) domains
	119	; These are intended to be within test.ex - absence of final dots is deliberate
	120
	121	x.gov.uk A V4NET.99.99.97
	122	x.co.uk A V4NET.99.99.97
	123
	124	; A host, the reverse lookup of whose IP address gives this name plus another
	125	; that does not forward resolve to the same address
	126
	127	oneback A V4NET.99.99.90
	128	host1.masq A V4NET.90.90.90
	129
	130	; Fake hosts are registered in the V4NET.0.0.0 subnet. In the past, the
	131	; 10.0.0.0/8 network was used; hence the names of the hosts.
	132
	133	ten-1 A V4NET.0.0.1
	134	ten-2 A V4NET.0.0.2
	135	ten-3 A V4NET.0.0.3
	136	ten-3-alias A V4NET.0.0.3
	137	ten-3xtra A V4NET.0.0.3
	138	ten-4 A V4NET.0.0.4
	139	ten-5 A V4NET.0.0.5
	140	ten-6 A V4NET.0.0.6
	141	ten-5-6 A V4NET.0.0.5
	142	A V4NET.0.0.6
	143
	144	ten-99 A V4NET.0.0.99
	145
	146	black-1 A V4NET.11.12.13
	147	black-2 A V4NET.11.12.14
	148
	149	myhost A V4NET.10.10.10
	150	myhost2 A V4NET.10.10.10
	151
	152	other1 A V4NET.12.4.5
	153	other2 A V4NET.12.3.1
	154	A V4NET.12.3.2
	155
	156	other99 A V4NET.99.0.1
157
158	testsub.sub A V4NET.99.0.3
159
160	; This one's real name really is recurse.test.ex.test.ex. It is done like
161	; this for testing host widening, without getting tangled up in qualify issues.
162
163	recurse.test.ex A V4NET.99.0.2
164
8241d8dd JH	165	; a CNAME pointing to a name with both ipv4 and ipv6 A-records
	166	; and one with only ipv4
	167
	168	cname46 CNAME localhost
	169	cname4 CNAME thishost
	170
c55a77db PH	171	; -------- Testing RBL records -------
	172
	173	; V4NET.11.12.13 is deliberately not reverse-registered
	174
	175	13.12.11.V4NET.rbl A 127.0.0.2
	176	TXT "This is a test blacklisting message"
14b3c5bc	177	TTL=2 14.12.11.V4NET.rbl A 127.0.0.2
c55a77db PH	178	TXT "This is a test blacklisting message"
	179	15.12.11.V4NET.rbl A 127.0.0.2
	180	TXT "This is a very long blacklisting message, continuing for ages and ages and certainly being longer than 128 characters which was a previous limit on the length that Exim was prepared to handle."
	181
	182	14.12.11.V4NET.rbl2 A 127.0.0.2
	183	TXT "This is a test blacklisting2 message"
	184	16.12.11.V4NET.rbl2 A 127.0.0.2
	185	TXT "This is a test blacklisting2 message"
	186
	187	14.12.11.V4NET.rbl3 A 127.0.0.2
	188	TXT "This is a test blacklisting3 message"
	189	15.12.11.V4NET.rbl3 A 127.0.0.3
	190	TXT "This is a very long blacklisting message, continuing for ages and ages and certainly being longer than 128 characters which was a previous limit on the length that Exim was prepared to handle."
	191
	192	20.12.11.V4NET.rbl4 A 127.0.0.6
	193	21.12.11.V4NET.rbl4 A 127.0.0.7
d6f6e0dc PH	194	22.12.11.V4NET.rbl4 A 127.0.0.128
	195	TXT "This is a test blacklisting4 message"
	196
	197	22.12.11.V4NET.rbl5 A 127.0.0.1
	198	TXT "This is a test blacklisting5 message"
c55a77db PH	199
	200	1.13.13.V4NET.rbl CNAME non-exist.test.ex.
	201	2.13.13.V4NET.rbl A 127.0.0.1
	202	A 127.0.0.2
	203
	204	; -------- Testing MX records --------
	205
	206	mxcased MX 5 ten-99.TEST.EX.
	207
	208	; Points to a host with both A and AAAA
	209
	210	mx46 MX 46 46.test.ex.
	211
	212	; Points to two hosts with both kinds of address, equal precedence
	213
	214	mx4646 MX 46 46.test.ex.
	215	MX 46 46b.test.ex.
	216
	217	; Ditto, with a third IPv6 host
	218
	219	mx46466 MX 46 46.test.ex.
	220	MX 46 46b.test.ex.
	221	MX 46 v6.test.ex.
	222
98cd9003 PH	223	; This time, change precedence
	224
	225	mx46466b MX 46 46.test.ex.
	226	MX 47 46b.test.ex.
	227	MX 48 v6.test.ex.
	228
c55a77db PH	229	; Points to a host with a working IPv4 and a non-working IPv6 record
	230
	231	mx46cd MX 10 46c.test.ex.
	232	MX 11 46d.test.ex.
	233
	234	; Two equal precedence pointing to a v4 and a v6 host
	235
	236	mx246 MX 10 v6.test.ex.
	237	MX 10 ten-1.test.ex.
	238
	239	; Lowest-numbered points to local host
	240
	241	mxt1 MX 5 eximtesthost.test.ex.
	242
	243	; Points only to non-existent hosts
	244
	245	mxt2 MX 5 not-exist.test.ex.
	246
	247	; Points to some non-existent hosts;
	248	; Lowest numbered existing points to local host
	249
	250	mxt3 MX 5 not-exist.test.ex.
	251	MX 6 eximtesthost.test.ex.
	252
	253	; Points to some non-existent hosts;
	254	; Lowest numbered existing points to non-local host
	255
	256	mxt3r MX 5 not-exist.test.ex.
	257	MX 6 exim.org.
	258
	259	; Points to an alias
	260
	261	mxt4 MX 5 alias-eximtesthost.test.ex.
	262
	263	; Various combinations of precedence and local host
	264
	265	mxt5 MX 5 eximtesthost.test.ex.
	266	MX 5 ten-1.test.ex.
	267
	268	mxt6 MX 5 ten-1.test.ex.
	269	MX 6 eximtesthost.test.ex.
	270	MX 6 ten-2.test.ex.
	271
	272	mxt7 MX 5 ten-2.test.ex.
	273	MX 6 ten-3.test.ex.
	274	MX 7 eximtesthost.test.ex.
	275	MX 8 ten-1.test.ex.
	276
	277	mxt8 MX 5 ten-2.test.ex.
	278	MX 6 ten-3.test.ex.
	279	MX 7 eximtesthost.test.ex.
	280	MX 7 ten-4.test.ex.
	281	MX 8 ten-1.test.ex.
	282
	283	; Same host appearing twice; make some variants in different orders to
	284	; simulate a real nameserver and its round robinning
	285
	286	mxt9 MX 5 ten-1.test.ex.
	287	MX 6 ten-2.test.ex.
	288	MX 7 ten-3.test.ex.
	289	MX 8 ten-1.test.ex.
	290
	291	mxt9a MX 6 ten-2.test.ex.
	292	MX 7 ten-3.test.ex.
293	MX 8 ten-1.test.ex.
294	MX 5 ten-1.test.ex.
295
296	mxt9b MX 7 ten-3.test.ex.
297	MX 8 ten-1.test.ex.
298	MX 5 ten-1.test.ex.
299	MX 6 ten-2.test.ex.
300
301	; MX pointing to IP address
302
303	mxt10 MX 5 V4NET.0.0.1.
304
305	; Several MXs pointing to local host
306
307	mxt11 MX 5 localhost.test.ex.
308	MX 6 localhost.test.ex.
309
310	mxt11a MX 5 localhost.test.ex.
311	MX 6 ten-1.test.ex.
312
313	mxt12 MX 5 local1.test.ex.
314	MX 6 local2.test.ex.
315
316	local1 A 127.0.0.2
317	local2 A 127.0.0.2
318
319	; Some more
320
321	mxt13 MX 4 other1.test.ex.
322	MX 5 other2.test.ex.
323
324	; Different hosts with same IP addresses in the list
325
326	mxt14 MX 4 ten-5-6.test.ex.
327	MX 5 ten-5.test.ex.
328	MX 6 ten-6.test.ex.
329
cd9868ec PH	330	; Non-local hosts with different precedence
	331
	332	mxt15 MX 10 ten-1.test.ex.
	333	MX 20 ten-2.test.ex.
	334
c55a77db PH	335	; Large number of IP addresses at one MX value, and then some
	336	; at another, to check that hosts_max_try tries the MX different
	337	; values if it can.
	338
	339	mxt99 MX 1 ten-1.test.ex.
	340	MX 1 ten-2.test.ex.
	341	MX 1 ten-3.test.ex.
	342	MX 1 ten-4.test.ex.
	343	MX 1 ten-5.test.ex.
	344	MX 1 ten-6.test.ex.
	345	MX 3 black-1.test.ex.
	346	MX 3 black-2.test.ex.
	347
	348	; Special case test for @mx_any (to doublecheck a reported Exim 3 bug isn't
	349	; in Exim 4). The MX points to two names, each with multiple addresses. The
	350	; very last address is the local host. When Exim is testing, it will sort
	351	; these addresses into ascending order.
	352
	353	mxt98 MX 1 98-1.test.ex.
	354	MX 2 98-2.test.ex.
	355
	356	98-1 A V4NET.1.2.3
	357	A V4NET.4.5.6
	358
	359	98-2 A V4NET.7.8.9
	360	A HOSTIPV4
	361
	362	; IP addresses with the same MX value
	363
	364	mxt97 MX 1 ten-1.test.ex.
	365	MX 1 ten-2.test.ex.
	366	MX 1 ten-3.test.ex.
	367	MX 1 ten-4.test.ex.
	368
	369	; MX pointing to a single-component name that exists if qualified, but not
	370	; if not. We use the special name dontqualify to stop the fake resolver
	371	; qualifying it.
	372
	373	mxt1c MX 1 dontqualify.
	374
766e7a65	375	; MX with punycoded UTF-8 characters used for its lookup ( π.test.ex )
c55a77db	376
766e7a65 JH	377	xn--1xa MX 0 mx.π.test.ex.
	378
	379	; MX with actual UTF-8 characters in its name, for allow_utf8_domains mode test
	380
	381	π MX 0 mx.xn--1xa.test.ex.
c55a77db PH	382
	383	; -------- Testing SRV records --------
	384
	385	_smtp._tcp.srv01 SRV 0 0 25 ten-1.test.ex.
	386
	387	_smtp._tcp.srv02 SRV 1 3 99 ten-1.test.ex.
	388	SRV 1 1 99 ten-2.test.ex.
	389	SRV 3 0 66 ten-3.test.ex.
	390
	391	_smtp._tcp.nosmtp SRV 0 0 0 .
	392
	393	_smtp2._tcp.srv03 SRV 0 0 88 ten-4.test.ex.
	394
	395	_smtp._tcp.srv27 SRV 0 0 PORT_S localhost
	396
	397
	398	; -------- With some for CSA testing plus their A records -------
	399
	400	_client._smtp.csa1 SRV 1 2 0 csa1.test.ex.
	401	_client._smtp.csa2 SRV 1 1 0 csa2.test.ex.
	402
	403	csa1 A V4NET.9.8.7
	404	csa2 A V4NET.9.8.8
	405
abe1353e HSHR	406	; ------- Testing DNSSEC ----------
	407
	408	mx-unsec-a-unsec MX 5 a-unsec
	409	mx-unsec-a-sec MX 5 a-sec
	410	DNSSEC mx-sec-a-unsec MX 5 a-unsec
	411	DNSSEC mx-sec-a-sec MX 5 a-sec
da830d08	412	DNSSEC mx-sec-a-aa MX 5 a-aa
6aa849d3	413	AA mx-aa-a-sec MX 5 a-sec
abe1353e	414
6aa849d3 JH	415	a-unsec A V4NET.0.0.100
	416	DNSSEC a-sec A V4NET.0.0.100
	417	DNSSEC l-sec A 127.0.0.1
1705dd20	418
6aa849d3	419	AA a-aa A V4NET.0.0.100
da830d08	420
101de477 JH	421	; ------- Testing DANE ------------
	422
	423	; full suite dns chain, sha512
6975138c JH	424	;
	425	; openssl x509 -in aux-fixed/cert1 -noout -pubkey \
	426	; \| openssl pkey -pubin -outform DER \
	427	; \| openssl dgst -sha512 \
	428	; \| awk '{print $2}'
	429	;
6aa849d3 JH	430	DNSSEC mxdane512ee MX 1 dane512ee
6aa849d3 JH	431	DNSSEC dane512ee A HOSTIPV4
101de477 JH	432	DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 3d5eb81b1dfc3f93c1fa8819e3fb3fdb41bb590441d5f3811db17772f4bc6de29bdd7c4f4b723750dda871b99379192b3f979f03db1252c4f08b03ef7176528d
	433
	434	; A-only, sha256
6975138c JH	435	;
	436	; openssl x509 -in aux-fixed/cert1 -noout -pubkey \
	437	; \| openssl pkey -pubin -outform DER \
	438	; \| openssl dgst -sha256 \
	439	; \| awk '{print $2}'
	440	;
6aa849d3	441	DNSSEC dane256ee A HOSTIPV4
101de477 JH	442	DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 2bb55f418bb03411a5007cecbfcd3ec1c94404312c0d53a44bb2166b32654db3
101de477 JH	443
82525c6f	444	; full MX, sha256, TA-mode
6975138c JH	445	;
	446	; openssl x509 -in aux-fixed/exim-ca/example.com/CA/CA.pem -fingerprint -sha256 -noout \
	447	; \| awk -F= '{print $2}' \| tr -d : \| tr '[A-F]' '[a-f]'
	448	;
854586e1 JH	449	; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is.
854586e1 JH	450	;
6aa849d3 JH	451	DNSSEC mxdane256ta MX 1 dane256ta
6aa849d3 JH	452	DNSSEC dane256ta A HOSTIPV4
854586e1 JH	453	DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 6ec4a7b5f5310953ea3d6deb3f210ba60923be16bf1450b7a45e7567e98287bc
	454
	455
	456	; full MX, sha256, TA-mode, cert-key-only
	457	; Indicates a trust-anchor for a chain involving an Authority Key ID extension
	458	; linkage, as this excites a bug in OpenSSL 1.0.2 which the DANE code has to
	459	; work around, while synthesizing a selfsigned parent for it.
	460	; As it happens it is also an intermediate cert in the CA-rooted chain, as this
	461	; was initially thought ot be a factor.
	462	;
	463	; openssl x509 -in aux-fixed/exim-ca/example.com/CA/Signer.pem -noout -pubkey \
	464	; \| openssl pkey -pubin -outform DER \
	465	; \| openssl dgst -sha256 \
	466	; \| awk '{print $2}'
	467	;
	468	; Since this refers to a cert in the exim-ca tree, it must be regenerated any time that tree is.
	469	;
	470	DNSSEC mxdane256tak MX 1 dane256tak
	471	DNSSEC dane256tak A HOSTIPV4
	472	DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 7e241508cffb12c85b1b06a00268f6f7f926ba742db671f3994cbebc81368816
82525c6f	473
4cea764f	474
6aa849d3 JH	475	; A multiple-return MX where all TLSA lookups defer
	476	DNSSEC mxdanelazy MX 1 danelazy
	477	DNSSEC MX 2 danelazy2
	478
	479	DNSSEC danelazy A HOSTIPV4
	480	DNSSEC danelazy2 A 127.0.0.1
4cea764f	481
6aa849d3 JH	482	DNSSEC _1225._tcp.danelazy CNAME test.again.dns.
6aa849d3 JH	483	DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns.
4cea764f	484
ce889807 JH	485	; hosts with no TLSA (just missing here, hence the TLSA NXDMAIN is _insecure_; a broken dane config)
ce889807 JH	486	; 1 for dane-required, 2 for merely requested
6aa849d3 JH	487	DNSSEC dane.no.1 A HOSTIPV4
6aa849d3 JH	488	DNSSEC dane.no.2 A 127.0.0.1
4cea764f	489
b7e4352c JH	490	; a broken dane config (or under attack) where the TLSA lookup fails (as opposed to there not being one)
	491	DNSSEC danebroken1 A 127.0.0.1
	492	_1225._tcp.danebroken1 CNAME test.fail.dns.
	493
ce889807 JH	494	; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups
	495	; 3 for dane-required, 4 for merely requested
	496	; the TLSA data here is dummy; ignored
	497	DNSSEC dane.no.3 A HOSTIPV4
	498	DNSSEC dane.no.4 A 127.0.0.1
	499
	500	DNSSEC NXDOMAIN _1225._tcp.dane.no.3 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
	501	DNSSEC NXDOMAIN _1225._tcp.dane.no.4 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
	502
846430d9 JH	503	; ------- Testing delays ------------
846430d9 JH	504
0539a19d	505	DELAY=500 delay500 A HOSTIPV4
846430d9 JH	506	DELAY=1500 delay1500 A HOSTIPV4
846430d9 JH	507
6a11a9e6 JH	508	; ------- DKIM ---------
6a11a9e6 JH	509
69a70afa	510	; public key, base64 - matches private key in aux-fixed/dkim/dkim.private
6a11a9e6 JH	511	; openssl genrsa -out aux-fixed/dkim/dkim.private 1024
	512	; openssl rsa -in aux-fixed/dkim/dkim.private -out /dev/stdout -pubout -outform PEM
	513	;
e21a4d00	514	; Deliberate bad version, having extra backslashes
135e9496	515	; sha256-hash-only version.... appears to be too long, gets truncated
e21a4d00	516	;
abe1010c	517	; Another, 512-bit (with a Notes field)
135e9496 JH	518	; 512 requiring sha1 hash
135e9496 JH	519	; 512 requiring sha256 hash
abe1010c	520	;
6a11a9e6	521	sel._domainkey TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
e21a4d00	522	sel_bad._domainkey TXT "v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
135e9496	523	sel_sha256._domainkey TXT "v=DKIM1; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
6a11a9e6	524
abe1010c	525	ses._domainkey TXT "v=DKIM1; n=halfkilo; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ=="
135e9496 JH	526	ses_sha1._domainkey TXT "v=DKIM1; h=sha1; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ=="
135e9496 JH	527	ses_sha256._domainkey TXT "v=DKIM1; h=sha256; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ=="
abe1010c	528
a91fd779 JH	529	sel2._domainkey TXT "v=spf1 mx a include:spf.nl2go.com -all"
a91fd779 JH	530	sel2._domainkey TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
846430d9	531
c55a77db	532	; End