projects / exim.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
DANE/GnuTLS: ignore traditional CA anchor validation in DANE-EE mode
[exim.git] / test / dnszones-src / db.example.com
diff --git a/test/dnszones-src/db.example.com b/test/dnszones-src/db.example.com
index bc209ce5a6039679906e32b6672deff1c43ce82d..b00c87d130b4ac060f565a0a10a7321923bcb71a 100644 (file)
--- a/test/dnszones-src/db.example.com
+++ b/test/dnszones-src/db.example.com
@@ -22,4 +22,24 @@ example.com.     NS      exim.example.com.
 
 server1     A       HOSTIPV4
 
+; DANE testing
+
+; a broken dane config where the name does not match in the cert, TA-mode, dane-requested
+; NOTE: the server uses the example.net cert hence the mismatch
+;
+; openssl x509 -in aux-fixed/exim-ca/example.net/CA/CA.pem -fingerprint -sha256 -noout \
+;  | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
+;
+;
+DNSSEC danebroken7  A       127.0.0.1
+DNSSEC _1225._tcp.danebroken7 TLSA 2 0 1 13646cc92c038932f57f752559271b893045eda39f765fc8369b05b2b9c3ac88
+
+; the same, EE-mode
+;
+; openssl x509 -in aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem -noout -pubkey \
+; | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $2}'
+;
+DNSSEC danebroken8  A       127.0.0.1
+DNSSEC _1225._tcp.danebroken8 TLSA 3 1 1 3cc2a6efabd847663b92f827681fd8612fd4d001ea85057d79ea541fb2de02ac
+
 ; End
Unnamed repository; edit this file 'description' to name the repository.