DNSSEC Walker

Simon Josefsson

What is this?

This is a proof-of-concept of a utility to download DNS zone contents even when AXFR is disabled on the server, assuming DNSSEC is used. Optionally it can also verify all digital signature RRs within a zone against the zone key. If you do not know what DNSSEC is, please refer to:

The tool support both the old DNSSEC according to RFC 2535 (i.e., KEY/SIG) and the latest DNSSEC version according to RFC 4033 (i.e., DNSKEY/RRSIG).

The DNSSEC Walker is licensed under the GNU General Public License.

I am a consultant in the network security area, and I am available on a commercial basis. If you find this tool useful, and would like to extend it or want me to do similar work, please contact me. If you find this tool useful, a donation would be greatly appreciated. No amount is too small!


Download

This program requires the Net::DNS and Net::DNS::SEC packages.

The software packages are signed using my PGP key.

walker-3.8.tar.gz [PGP signature]
2005-09-20 Version 3.8. Able to verify more then one signature per owner name, and also print which key tag was used for verification. Added parameter -x to enable EDNS.0 DNSSEC when retrieving SIG/RRSIG types, because some servers doesn't return it otherwise.
walker-3.7.tar.gz [PGP signature]
2005-09-19 Version 3.7. Support for an optional "startname" parameter, to specify which owner name to start walking on (useful when interrupted half way through a big zone).
walker-3.6.tar.gz [PGP signature]
2005-09-14 Version 3.6. Verification of data in zone's with multiple keys (e.g., "se") now work.
walker-3.5.tar.gz [PGP signature]
2004-06-03 Version 3.5. Slight bug fix. Improved output.
walker-3.4.tar.gz [PGP signature]
2004-06-02 Version 3.4. Support RRSIG/DNSKEY (as well as old-style SIG/KEY). The -n parameter now enable non-recursiveness for everything. Improved output.
walker-3.3.tar.gz
2004-02-27 Version 3.3. Minor feature enhancement: Support NSEC as well as NXT, see draf-ietf-dnssec-nsec-rdata.
walker-3.2.tar.gz
2003-02-18 Version 3.2. Minor feature enhancement: New -n parameter to optimize big zone traversals. Bugfix: Prints SIG RRs even when -y isn't used. Other: Now tries to verify CERT/SRV/CNAME even though Net::DNS(::SEC) may print warnings.
walker-3.1.tar.gz
2002-11-13 Version 3.1, bugfix: disable defnames to make TLD recursion work.
walker-3.0.tar.gz
2002-11-13 Version 3.0, added SIG verification.
walker-2.0.tar.gz
2001-11-28 Version 2.0, rewritten using Net::DNS.
walker-1.0.tar.gz
2001-01-03 Version 1.0, initial release.

Earlier distribution archives doesn't mention what license it is distributed under, but to make it clear: all versions are released under the GPL. Recent releases include copying conditions.


Development

Source code is available via CVS (just press enter at the password prompt):

	$ cvs -d :pserver:[email protected]:/home/cvs/public-cvs login
	Logging in to :pserver:[email protected]:2401/home/cvs/public-cvs
	CVS password:
	$ cvs -d :pserver:[email protected]:/home/cvs/public-cvs co walker
      

The CVS repository can also be access by using the HTML interface.


Known problems

Please report any other problems to me.


Documentation

WALKER(1)             User Contributed Perl Documentation            WALKER(1)

NAME
       walker - Retrieve a DNS zone using NXT/NSEC traversal

SYNOPSIS
       walker [-y] [-n] [-d] [-x] [ @nameserver ] zone [ startname ]

DESCRIPTION
       walker retrieves a DNS zone from the default or supplied name server
       and prints each record to the standard output.  AXFR is not used,
       instead the DNSSEC NXT/NSEC record chain is traversed.  The zone must
       use DNSSEC.  The output should conform to the standard DNS master file
       format (but see BUGS).  Optionally, walker can also verify DNSSEC sig‐
       natures on the RRsets within the zone.

OPTIONS
       -y  Additionally perform verification on each RRset within the zone and
           print result of verification (in a zone file comment).

       -n  When querying for records, ask the nameserver non-recursively,
           instead of going through the full resolver logic.  This parameter
           is useful when you know that the default name server (or the sup‐
           plied specific nameserver) can respond correctly, which it typi‐
           cally only would if it is responsible for the zone.

           The original motivation for the -n parameter was to improve speed
           when asking parents for NS records on delegated zones, which would
           make the server recursively ask the child servers.

       -d  Enable debugging in the resolver (this will print all DNS packets,
           just like dig).

       -x  Enable the EDNS.0 DNSSEC flag for SIG/RRSIG queries.  Not effective
           if -y is used.  This is needed for some servers to return SIG/RRSIG
           at all.

 @nameserver
           Query nameserver instead of the default nameserver.

       zone
           Name of the zone to retrieve master file for.  For example, "com".

       startname
           Optional name to start the zone walk at.  The default is to start
           walking from the start.  This option is useful if the tool failed
           or was intterupted in the middle of a large zone.

AUTHOR
       Simon Josefsson 

BUGS
       CNAME, CERT and/or SRV RRs is known to cause perl warnings during veri‐
       fications with some versions of Net::DNS and Net::DNS::SEC.  The cause
       is belived to be in Perl, Net::DNS or Net::DNS::SEC.  The reader is
       encouraged to track down and fix these bugs.

SEE ALSO
       perl(1), axfr, perldig, Net::DNS, Net::DNS::SEC, resolv.conf

perl v5.8.7                       2005-09-14                         WALKER(1)

Example usage

Here is how you would recover the zone file for "dnssec.se", which uses DNSSEC. The -y parameter is used as well, so walker prints out verification results in comments as well.

jas@latte:~$ walker -y @ns1.dnssec.se dnssec.se
;; Walker by Simon Josefsson
;; $Id: index.html,v 1.46 2005/11/21 21:31:45 jas Exp $
;; Net::DNS 0.53
;; Net::DNS::SEC 0.12_02

	;; Using key RR type: DNSKEY
	;; Key(s) used to verify signatures:
	;; dnssec.se.	300	IN	DNSKEY	256  3  5 ( 
	;; 			AQPMj1b/Qn/0YAsqlsU6Ei69Sq0zjmSCKnOj
	;; 			6fx3iMYaXUwBbq+L+iO16FOIkEBm86lL6UWT
	;; 			2aHNQuR4Xn2nI+TmFphcI+WctHXaG7AmozxM
	;; 			4EZr8vE7JkQnbBzGGxeTyCS4j3mGdtkWlNpp
	;; 			QSV6iYzaTBGrh/eFACnIws1N+9L4kQ== 
	;; 			) ; Key ID = 32672

	;; dnssec.se.	300	IN	DNSKEY	257  3  1 ( 
	;; 			AQO9cBGWVBhvrONPJ8cLtigL1yYR2RYL/hLs
	;; 			/GpTksVZ5rSDrr4WLLGCqkPuauczDTGUDOv8
	;; 			F4If71PU4oNPlpq/ 
	;; 			) ; Key ID = 38554

	;; dnssec.se.	300	IN	DNSKEY	257  3  5 ( 
	;; 			AQPAt5E2t/Pf3Yz8/4fRp6r1eN4vIUIpvcrE
	;; 			23B9ldrsWYcyD4s6EXoErqTqdf4XVwMhGfLu
	;; 			ZjPpmfaTzGE9vC4v0OR9rS9QfY/l6FpXksFS
	;; 			97n7ypGF7JFG2xViQwXpxflVV32+W0Qy+Fn+
	;; 			y84VzUrASm5t0IKn2lAeFCkMNFtZUQ== 
	;; 			) ; Key ID = 47940

	;; dnssec.se.	300	IN	DNSKEY	257  3  5 ( 
	;; 			AQPQDE29ghF/wcdlfbKLGLvsRUHMdMVcL6XN
	;; 			2X263BehAzcJIj+fe46eI3rWJcHP9I5l0YoF
	;; 			LnXjPqmNsUEnwlIr4W8B9gFQeNnmiVEoq2o2
	;; 			fp/WjPvl19grODvmMH9xTO9s7NVn9NTUEacV
	;; 			octWwApZLTHWGmdXGApybJF8McJOgQ== 
	;; 			) ; Key ID = 38577

	;; dnssec.se.	300	IN	DNSKEY	256  3  5 ( 
	;; 			AQPcYh4LTPd7VBzZYz+Z0GoIdqcklqUP6aSm
	;; 			IxXVQfuzp/x8PQWRIU3as/V56JusLvcpFHdC
	;; 			7uY/kv0XKFGyLTs10hCMvY32nVV8Z2IUnhb8
	;; 			OKMo0xxpIXoS+Aeajl7WUBQZ9baEH+0A1EtQ
	;; 			BgEjIV1NcOIDpEUD9l0yHrzIv+1utw== 
	;; 			) ; Key ID = 18476

	;; dnssec.se.	300	IN	DNSKEY	257  3  3 ( 
	;; 			AKUJoB5D0ucsobRDSc1H2Ga4I+QPo6CcOhba
	;; 			xW0VqM4GOIL2+M9YAI+NmiZNpF5/fECOqbXi
	;; 			cq11I3INOUJvm2Hwo//sGs0I/eX7sWgLzPhN
	;; 			Nk4qI1NpbX2AFUeRn1XvgeGFHP/B61IU+jvi
	;; 			bNbPue8yt4va+j+QPtD4espCNwRbx43onodW
	;; 			gsewvCWhUWPChmgkWq1pmNAmRcOuNZqCc7tj
	;; 			uhw923vzOR4dBHtKxOwDDAoH0FAMugXP+K6/
	;; 			Ee1dcOkt6jR1f3eod0aHKaVMy1RnSGPi 
	;; 			) ; Key ID = 57551

	;; Using next RR type: NSEC
	;; Using signature RR type: RRSIG
	;; First SOA:
dnssec.se.	300	IN	SOA	ns1.dnssec.se. jakob.nic.se. (
					2005091200	; Serial
					3600	; Refresh
					600	; Retry
					3600	; Expire
					300 )	; Minimum TTL

	;; Getting NXT/NSEC for dnssec.se.
	;; Thu Sep 22 10:03:46 2005
	;; dnssec.se.	300	IN	NSEC	bind.dnssec.se  DNSKEY NS NSEC RRSIG SOA
	;; Looking at type DNSKEY for domain dnssec.se.
dnssec.se.	300	IN	DNSKEY	256  3  5 ( 
			AQPcYh4LTPd7VBzZYz+Z0GoIdqcklqUP6aSm
			IxXVQfuzp/x8PQWRIU3as/V56JusLvcpFHdC
			7uY/kv0XKFGyLTs10hCMvY32nVV8Z2IUnhb8
			OKMo0xxpIXoS+Aeajl7WUBQZ9baEH+0A1EtQ
			BgEjIV1NcOIDpEUD9l0yHrzIv+1utw== 
			) ; Key ID = 18476
dnssec.se.	300	IN	DNSKEY	257  3  1 ( 
			AQO9cBGWVBhvrONPJ8cLtigL1yYR2RYL/hLs
			/GpTksVZ5rSDrr4WLLGCqkPuauczDTGUDOv8
			F4If71PU4oNPlpq/ 
			) ; Key ID = 38554
dnssec.se.	300	IN	DNSKEY	257  3  3 ( 
			AKUJoB5D0ucsobRDSc1H2Ga4I+QPo6CcOhba
			xW0VqM4GOIL2+M9YAI+NmiZNpF5/fECOqbXi
			cq11I3INOUJvm2Hwo//sGs0I/eX7sWgLzPhN
			Nk4qI1NpbX2AFUeRn1XvgeGFHP/B61IU+jvi
			bNbPue8yt4va+j+QPtD4espCNwRbx43onodW
			gsewvCWhUWPChmgkWq1pmNAmRcOuNZqCc7tj
			uhw923vzOR4dBHtKxOwDDAoH0FAMugXP+K6/
			Ee1dcOkt6jR1f3eod0aHKaVMy1RnSGPi 
			) ; Key ID = 57551
dnssec.se.	300	IN	DNSKEY	257  3  5 ( 
			AQPAt5E2t/Pf3Yz8/4fRp6r1eN4vIUIpvcrE
			23B9ldrsWYcyD4s6EXoErqTqdf4XVwMhGfLu
			ZjPpmfaTzGE9vC4v0OR9rS9QfY/l6FpXksFS
			97n7ypGF7JFG2xViQwXpxflVV32+W0Qy+Fn+
			y84VzUrASm5t0IKn2lAeFCkMNFtZUQ== 
			) ; Key ID = 47940
dnssec.se.	300	IN	DNSKEY	257  3  5 ( 
			AQPQDE29ghF/wcdlfbKLGLvsRUHMdMVcL6XN
			2X263BehAzcJIj+fe46eI3rWJcHP9I5l0YoF
			LnXjPqmNsUEnwlIr4W8B9gFQeNnmiVEoq2o2
			fp/WjPvl19grODvmMH9xTO9s7NVn9NTUEacV
			octWwApZLTHWGmdXGApybJF8McJOgQ== 
			) ; Key ID = 38577
dnssec.se.	300	IN	DNSKEY	256  3  5 ( 
			AQPMj1b/Qn/0YAsqlsU6Ei69Sq0zjmSCKnOj
			6fx3iMYaXUwBbq+L+iO16FOIkEBm86lL6UWT
			2aHNQuR4Xn2nI+TmFphcI+WctHXaG7AmozxM
			4EZr8vE7JkQnbBzGGxeTyCS4j3mGdtkWlNpp
			QSV6iYzaTBGrh/eFACnIws1N+9L4kQ== 
			) ; Key ID = 32672
dnssec.se.	300	IN	RRSIG	DNSKEY  5  2  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			sQ0TmA4c+IVpnKOcfyZb0UCnoaOjBgK7cJTfjt/apjazM
			DLRJ+gKvmD5VbgqCefAn4poAZC1GAoZUJvW9WF2ucSUhG
			A3JzxzuO9amszC518eJWB1OpxyWLPz2kQbZBMomb9Gy0z
			3hrtBsqbLD7G9vSAeHDhGYszR8vQ3GTVNEWs= )
dnssec.se.	300	IN	RRSIG	DNSKEY  5  2  300  20051111130901 (
			20050912130901 38577  dnssec.se.
			A9DGMW/BgxjX1kgRY89t7bZSLuyenQZ/XkV1FqNOONqXg
			8SL3IYzqBw2fSKxe/vT03JhV+awA9Now33rPvjS11UW24
			Q9M0qzJ7A5mD3XItzzuPerKKqGv5EMrBTWMw1DRoaXU58
			ao1zeQQNTAfSI8Il0rNUBG2Md/ce+QsjHufE= )
dnssec.se.	300	IN	RRSIG	DNSKEY  5  2  300  20051111130901 (
			20050912130901 47940  dnssec.se.
			ZleFtA+3+pVroQ4h35n8ezEsWgjjgB6elVAK0zQmVwDmv
			XNZfh/SLB6EWGROIsYEOAN4ZIN436Z1GdsMv3+KvWsSrx
			J3pGd4cLMRYdgYQTRVyg9kqdDTefWrJPenjd3Lw6k+UZV
			qZs6qwuhVmrgNWd2diSdIuNeSaWl4yBAYMyE= )
	;; verify ok (key 32672)
	;; verify ok (key 47940)
	;; verify ok (key 38577)
	;; Looking at type NS for domain dnssec.se.
dnssec.se.	300	IN	NS	ns1.dnssec.se.
dnssec.se.	300	IN	NS	ns2.dnssec.se.
dnssec.se.	300	IN	RRSIG	NS  5  2  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			kc/ywUShTYoFEsZBGwtLLd0He0D6V41egCWiKuoiZF3+K
			U8QkMJH6ZptqCnf4B/V4r82EUJK20m074GeI5YPxrIqOI
			IB++ueJB48Fje4Oa6N7u3FdvgJQInjvEYGkmxSqPA48DI
			TSvuBPPcN5SLuD8c4HMJgtQyNPCUEcsuxEG8= )
	;; verify ok (key 32672)
	;; Looking at type NSEC for domain dnssec.se.
dnssec.se.	300	IN	NSEC	bind.dnssec.se  DNSKEY NS NSEC RRSIG SOA
dnssec.se.	300	IN	RRSIG	NSEC  5  2  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			K349ZYno74X2LNemskeeN+0K5UUvprEbxtoOnP8sSMbFH
			d9teEcT/r+uRC79nt06S13ftbJxhaIVm7Ewoa9mmAwZU1
			T0+TVeaAA+yBV/uvvDho5XVHYkPsOHZ6buFQZR7vvh7rY
			FR/G3AuAjKOMn/9Q8Z7qnyLV773VuilnUGHs= )
	;; verify ok (key 32672)

	;; Getting NXT/NSEC for bind.dnssec.se.
	;; Thu Sep 22 10:03:46 2005
	;; bind.dnssec.se.	300	IN	NSEC	cns.dnssec.se  A NSEC RRSIG
	;; Looking at type A for domain bind.dnssec.se.
bind.dnssec.se.	300	IN	A	212.247.204.243
bind.dnssec.se.	300	IN	RRSIG	A  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			OOT3LNPz79btkmMb90xNNE3tXmvmXc3BuRzVBXlexmj69
			OUMJbWSuHSrQVki6AnrggoEKcySQs6sjpqX3wbWrrtp0t
			WRC7UtklOP9U+MoTrjp6cGMMcCGtyfrrypAjC1dbpzIwA
			Vvk79zyF+BKjNJm0ij5JNVnHlsNmCRN6ntWM= )
	;; verify ok (key 32672)
	;; Looking at type NSEC for domain bind.dnssec.se.
bind.dnssec.se.	300	IN	NSEC	cns.dnssec.se  A NSEC RRSIG
bind.dnssec.se.	300	IN	RRSIG	NSEC  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			T9n4suTCcbMz/3CdgkAFtg2o5kUR+9UvJYDp8CFogOk4g
			CxdeYQoQjX7n8bon4IgPzFpdF3l61TGkWAaxVi9BbJX9v
			9MQsHCmxivf8hPkSBMy/JKqMpUKkjts9sKz3XBq3myr87
			7HNVZEPWWhZsCOh6ggw5pKT90gjG/sn2H1Pw= )
	;; verify ok (key 32672)

	;; Getting NXT/NSEC for cns.dnssec.se.
	;; Thu Sep 22 10:03:46 2005
	;; cns.dnssec.se.	300	IN	NSEC	ns1.dnssec.se  A NSEC RRSIG
	;; Looking at type A for domain cns.dnssec.se.
cns.dnssec.se.	300	IN	A	212.247.204.244
cns.dnssec.se.	300	IN	RRSIG	A  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			ss/iqq8Wq4H8pa6BZ6k+WT2pk6WCuWsnoUxZJkYX7/D4/
			Ebi886NbjtbQ0TipC8luTMbIqUymEo0/aRRwkYJ7Baj/g
			zIJ+9JaltIfLZTeLMeka6WxDTp1mqiZSNcMNzO6xCTrNT
			mb34qcp9Syrt7pNOMKILkdNqMt6UjXwqe2eY= )
	;; verify ok (key 32672)
	;; Looking at type NSEC for domain cns.dnssec.se.
cns.dnssec.se.	300	IN	NSEC	ns1.dnssec.se  A NSEC RRSIG
cns.dnssec.se.	300	IN	RRSIG	NSEC  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			QoL7uVU7NaD9VmIWMAKBP6szvewXKZaxWaDmCE+BnLPE1
			CLRLDTjw6qzu4MsL46Kg1UDy8oLrkYEPL2awzqYZZ4SIJ
			c6wzsVAirJ7WGUW3Xj4JKlpNI9UC+TDBZdnOCUJFZ2XWV
			qSnKOt6313iUe5h9Q9RdfFXF/E0aPmhsTbz4= )
	;; verify ok (key 32672)

	;; Getting NXT/NSEC for ns1.dnssec.se.
	;; Thu Sep 22 10:03:46 2005
	;; ns1.dnssec.se.	300	IN	NSEC	ns2.dnssec.se  A NSEC RRSIG
	;; Looking at type A for domain ns1.dnssec.se.
ns1.dnssec.se.	300	IN	A	212.247.204.242
ns1.dnssec.se.	300	IN	RRSIG	A  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			JCDwdXO98jnMwwtLE+77iHJL4o865mS7yv5LxFyuRS7Tx
			5IriBoYV0SW5ZdCja/j1FthrMGrcs9RkBG0FFtzZI8hfL
			sNJ2Cfcruk+Vg9nSDWDTfQEu2qUOOyHZQMsyvZfMY7Nyu
			75JYNKzLh/dg9vz+bXgWAxtOFOAbTN05tV5A= )
	;; verify ok (key 32672)
	;; Looking at type NSEC for domain ns1.dnssec.se.
ns1.dnssec.se.	300	IN	NSEC	ns2.dnssec.se  A NSEC RRSIG
ns1.dnssec.se.	300	IN	RRSIG	NSEC  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			fxJB60R1c7byFSLqIyhZDUqGlC74/w4rDvzaSxN3YOVKt
			M/lIu+wsnB/nqkhYb3Wz4EkdaRh/Y81VO9Vf+Gv0f9mEH
			V284nF8mBk32uwWgiVAeKrBXFKOleBb/Zgva5e5kpRAZt
			yTs/lFfX5AYt5RahFNMh58vi7yKoYGrEeY/w= )
	;; verify ok (key 32672)

	;; Getting NXT/NSEC for ns2.dnssec.se.
	;; Thu Sep 22 10:03:46 2005
	;; ns2.dnssec.se.	300	IN	NSEC	version.dnssec.se  A NSEC RRSIG
	;; Looking at type A for domain ns2.dnssec.se.
ns2.dnssec.se.	300	IN	A	195.47.254.20
ns2.dnssec.se.	300	IN	RRSIG	A  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			fduUKZMvKvxECqImtbif8sSpEWUYZ4bvi8usdoqth0siY
			I2/Ff6jL9W3E1/RTIAwk17yHbDcW8SzIIlYoBfNSCeGv1
			uttEpx9ts1SILZuGy+0vIXAiIOC9H0B+PXb19VORQzrOy
			aM95cxbUWCtsOmMbh1/30R14RHDbrPO2wnfM= )
	;; verify ok (key 32672)
	;; Looking at type NSEC for domain ns2.dnssec.se.
ns2.dnssec.se.	300	IN	NSEC	version.dnssec.se  A NSEC RRSIG
ns2.dnssec.se.	300	IN	RRSIG	NSEC  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			aRiFCaCVIQ/PGRpjpxdxTk1HqOSY29MIA0UxLCVcvL/TV
			7wEhiqaxZWUith7/xOrPK08tIwXBIV3JvF/VkRdeg80QG
			ANiRS6Jfai8265uTh4ebqjkM6leBrxhUg+CCQGtICFM9h
			Ap0ea+HAxQdLBO4NNVavncmc5KUd2yomiheI= )
	;; verify ok (key 32672)

	;; Getting NXT/NSEC for version.dnssec.se.
	;; Thu Sep 22 10:03:46 2005
	;; version.dnssec.se.	300	IN	NSEC	dnssec.se  NSEC RRSIG TXT
	;; Looking at type NSEC for domain version.dnssec.se.
version.dnssec.se.	300	IN	NSEC	dnssec.se  NSEC RRSIG TXT
version.dnssec.se.	300	IN	RRSIG	NSEC  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			Aa9bnii2fkUOkA7NSLv/RBG0bqr5SAdz1qtFPY/gh/ntJ
			kxIqWiQjF8zDw68uXfLNLLTaDccdJVNLHc7PJonucJw61
			IihhHXYZqv2MibQR6S0oyxtiuDj1pg4KiBwfxIDd/pwuN
			/8g4XN57GZ4Uq9izlMXtWP5H7XdDinJv91rE= )
	;; verify ok (key 32672)
	;; Looking at type TXT for domain version.dnssec.se.
version.dnssec.se.	300	IN	TXT	"$Revision: 1.46 $"
version.dnssec.se.	300	IN	RRSIG	TXT  5  3  300  20051111130901 (
			20050912130901 32672  dnssec.se.
			u3Lje403MHDwGWj4BTgTvBUmrXQqzKX2QuDdz/E2Fb3d8
			3yMLFzCG9F6cXhvYlQjYQIoGyoO1sG2g7rZd+V7Q12v4r
			QtMcdTu1UG58TQfRZqYd14pdQR9WucCiE907t0j3Wv3dV
			/WUvctr+Kq56hpeSjZZabC5ULfeYSwcwO+lE= )
	;; verify ok (key 32672)

	;; Last SOA:
dnssec.se.	300	IN	SOA	ns1.dnssec.se. jakob.nic.se. (
					2005091200	; Serial
					3600	; Refresh
					600	; Retry
					3600	; Expire
					300 )	; Minimum TTL
jas@latte:~$

$Id: index.html,v 1.46 2005/11/21 21:31:45 jas Exp $