1 ; This is a testing zone file for use when testing DNS handling in Exim. This
2 ; is a fake zone of no real use. The zone name is
3 ; test.ex. This file is passed through the substitution mechanism before being
4 ; used by the fakens auxiliary program. This inserts the actual IP addresses
5 ; of the local host into the zone.
7 ; NOTE (1): apart from ::1, IPv6 addresses must always have 8 components. Do
8 ; not abbreviate them by using the :: feature. Leading zeros in components may,
11 ; NOTE (2): the fakens program is very simple and assumes that the buffer into
12 ; which is puts the response is always going to be big enough. In other words,
13 ; the expectation is for just a few RRs for each query.
15 ; NOTE (3): the top-level networks for testing addresses are parameterized by
16 ; the use of V4NET and V6NET. These networks should be such that no real
17 ; host ever uses them.
19 ; Several prefixes may be used, see the source in src/fakens.c for a complete list
22 test.ex. NS exim.test.ex.
23 test.ex. SOA exim.test.ex. hostmaster.exim.test.ex 1430683638 1200 120 604800 3000
25 test.ex. TXT "A TXT record for test.ex."
26 s/lash TXT "A TXT record for s/lash.test.ex."
27 long TXT "This is a max-length chunk 789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234" "A short chunk" "A final chunk"
32 ptr PTR data.for.ptr.test.ex.
34 ; Standard localhost handling
39 ; This name exists only if qualified; it is never automatically qualified
41 dontqualify A V4NET.255.255.254
43 ; A host with upper case letters in its canonical name
47 ; A host with punycoded UTF-8 characters used for its lookup ( mx.π.test.ex )
49 mx.xn--1xa A V4NET.255.255.255
51 ; A non-standard name for localhost
54 localhost4 A 127.0.0.1
56 ; A localhost with short TTL
58 TTL=2 shorthost A 127.0.0.1
61 ; Something that gives both the IP and the loopback
66 ; Something that gives an unreachable IP and the loopback
71 ; Another host with both A and AAAA records
74 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c031
79 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c033
81 ; A working IPv4 address and a non-working IPv6 address, with different
82 ; names so they can have different MX values
84 46c AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c033
87 ; A host with just a non-local IPv6 address
89 v6 AAAA V6NET:ffff:836f:0a00:000a:0800:200a:c032
91 ; Alias A and CNAME records for the local host, under the name "eximtesthost"
92 ; Make the A covered by DNSSEC and add a TLSA for it.
94 eximtesthost A HOSTIPV4
95 alias-eximtesthost CNAME eximtesthost.test.ex.
99 badcname CNAME rhubarb.test.ex.
101 ; Test a name containing an underscore
105 ; The reverse registration for this name is an empty string
107 empty A V4NET.255.255.255
111 eximtesthost.ipv6 AAAA HOSTIPV6
112 test2.ipv6 AAAA V6NET:2101:12:1:a00:20ff:fe86:a062
113 test3.ipv6 AAAA V6NET:1234:5:6:7:8:abc:0d
115 ; A case of forward and backward pointers disagreeing
117 badA A V4NET.99.99.99
118 badB A V4NET.99.99.98
120 ; A host with multiple names in different (sub) domains
121 ; These are intended to be within test.ex - absence of final dots is deliberate
123 x.gov.uk A V4NET.99.99.97
124 x.co.uk A V4NET.99.99.97
126 ; A host, the reverse lookup of whose IP address gives this name plus another
127 ; that does not forward resolve to the same address
129 oneback A V4NET.99.99.90
130 host1.masq A V4NET.90.90.90
132 ; Fake hosts are registered in the V4NET.0.0.0 subnet. In the past, the
133 ; 10.0.0.0/8 network was used; hence the names of the hosts.
138 ten-3-alias A V4NET.0.0.3
139 ten-3xtra A V4NET.0.0.3
143 ten-5-6 A V4NET.0.0.5
146 ten-99 A V4NET.0.0.99
148 black-1 A V4NET.11.12.13
149 black-2 A V4NET.11.12.14
151 myhost A V4NET.10.10.10
152 myhost2 A V4NET.10.10.10
154 other1 A V4NET.12.4.5
155 other2 A V4NET.12.3.1
158 other99 A V4NET.99.0.1
160 testsub.sub A V4NET.99.0.3
162 ; This one's real name really is recurse.test.ex.test.ex. It is done like
163 ; this for testing host widening, without getting tangled up in qualify issues.
165 recurse.test.ex A V4NET.99.0.2
167 ; a CNAME pointing to a name with both ipv4 and ipv6 A-records
168 ; and one with only ipv4
170 cname46 CNAME localhost
171 cname4 CNAME thishost
173 ; -------- Testing RBL records -------
175 ; V4NET.11.12.13 is deliberately not reverse-registered
177 TTL=3 13.12.11.V4NET.rbl A 127.0.0.2
178 TXT "This is a test blacklisting message"
179 TTL=2 14.12.11.V4NET.rbl A 127.0.0.2
180 TXT "This is a test blacklisting message"
181 15.12.11.V4NET.rbl A 127.0.0.2
182 TXT "This is a very long blacklisting message, continuing for ages and ages and certainly being longer than 128 characters which was a previous limit on the length that Exim was prepared to handle."
184 14.12.11.V4NET.rbl2 A 127.0.0.2
185 TXT "This is a test blacklisting2 message"
186 16.12.11.V4NET.rbl2 A 127.0.0.2
187 TXT "This is a test blacklisting2 message"
189 14.12.11.V4NET.rbl3 A 127.0.0.2
190 TXT "This is a test blacklisting3 message"
191 15.12.11.V4NET.rbl3 A 127.0.0.3
192 TXT "This is a very long blacklisting message, continuing for ages and ages and certainly being longer than 128 characters which was a previous limit on the length that Exim was prepared to handle."
194 20.12.11.V4NET.rbl4 A 127.0.0.6
195 21.12.11.V4NET.rbl4 A 127.0.0.7
196 22.12.11.V4NET.rbl4 A 127.0.0.128
197 TXT "This is a test blacklisting4 message"
199 22.12.11.V4NET.rbl5 A 127.0.0.1
200 TXT "This is a test blacklisting5 message"
202 1.13.13.V4NET.rbl CNAME non-exist.test.ex.
203 2.13.13.V4NET.rbl A 127.0.0.1
206 ; Foolish return values outside 127.0/8
208 100.13.13.V4NET.rbl A 0.0.0.0
209 101.13.13.V4NET.rbl A 126.255.255.255
210 102.13.13.V4NET.rbl A 128.0.0.0
211 103.13.13.V4NET.rbl A 255.255.255.255
212 104.13.13.V4NET.rbl A 255.255.255.255
214 105.13.13.V4NET.rbl A 255.255.255.255
217 ; -------- Testing MX records --------
219 mxcased MX 5 ten-99.TEST.EX.
221 ; Points to a host with both A and AAAA
223 mx46 MX 46 46.test.ex.
225 ; Points to two hosts with both kinds of address, equal precedence
227 mx4646 MX 46 46.test.ex.
230 ; Ditto, with a third IPv6 host
232 mx46466 MX 46 46.test.ex.
236 ; This time, change precedence
238 mx46466b MX 46 46.test.ex.
242 ; Points to a host with a working IPv4 and a non-working IPv6 record
244 mx46cd MX 10 46c.test.ex.
247 ; Two equal precedence pointing to a v4 and a v6 host
249 mx246 MX 10 v6.test.ex.
252 ; Lowest-numbered points to local host
254 mxt1 MX 5 eximtesthost.test.ex.
256 ; Points only to non-existent hosts
258 mxt2 MX 5 not-exist.test.ex.
260 ; Points to some non-existent hosts;
261 ; Lowest numbered existing points to local host
263 mxt3 MX 5 not-exist.test.ex.
264 MX 6 eximtesthost.test.ex.
266 ; Points to some non-existent hosts;
267 ; Lowest numbered existing points to non-local host
269 mxt3r MX 5 not-exist.test.ex.
274 mxt4 MX 5 alias-eximtesthost.test.ex.
276 ; Various combinations of precedence and local host
278 mxt5 MX 5 eximtesthost.test.ex.
281 mxt6 MX 5 ten-1.test.ex.
282 MX 6 eximtesthost.test.ex.
285 mxt7 MX 5 ten-2.test.ex.
287 MX 7 eximtesthost.test.ex.
290 mxt8 MX 5 ten-2.test.ex.
292 MX 7 eximtesthost.test.ex.
296 ; Same host appearing twice; make some variants in different orders to
297 ; simulate a real nameserver and its round robinning
299 mxt9 MX 5 ten-1.test.ex.
304 mxt9a MX 6 ten-2.test.ex.
309 mxt9b MX 7 ten-3.test.ex.
314 ; MX pointing to IP address
316 mxt10 MX 5 V4NET.0.0.1.
318 ; Several MXs pointing to local host
320 mxt11 MX 5 localhost.test.ex.
321 MX 6 localhost.test.ex.
323 mxt11a MX 5 localhost.test.ex.
326 mxt12 MX 5 local1.test.ex.
334 mxt13 MX 4 other1.test.ex.
337 ; Different hosts with same IP addresses in the list
339 mxt14 MX 4 ten-5-6.test.ex.
343 ; Non-local hosts with different precedence
345 mxt15 MX 10 ten-1.test.ex.
348 ; Large number of IP addresses at one MX value, and then some
349 ; at another, to check that hosts_max_try tries the MX different
352 mxt99 MX 1 ten-1.test.ex.
358 MX 3 black-1.test.ex.
359 MX 3 black-2.test.ex.
361 ; Special case test for @mx_any (to doublecheck a reported Exim 3 bug isn't
362 ; in Exim 4). The MX points to two names, each with multiple addresses. The
363 ; very last address is the local host. When Exim is testing, it will sort
364 ; these addresses into ascending order.
366 mxt98 MX 1 98-1.test.ex.
375 ; IP addresses with the same MX value
377 mxt97 MX 1 ten-1.test.ex.
382 ; MX pointing to a single-component name that exists if qualified, but not
383 ; if not. We use the special name dontqualify to stop the fake resolver
386 mxt1c MX 1 dontqualify.
388 ; MX with punycoded UTF-8 characters used for its lookup ( π.test.ex )
390 xn--1xa MX 0 mx.π.test.ex.
392 ; MX with actual UTF-8 characters in its name, for allow_utf8_domains mode test
394 π MX 0 mx.xn--1xa.test.ex.
396 ; -------- Testing SRV records --------
398 _smtp._tcp.srv01 SRV 0 0 25 ten-1.test.ex.
400 _smtp._tcp.srv02 SRV 1 3 99 ten-1.test.ex.
401 SRV 1 1 99 ten-2.test.ex.
402 SRV 3 0 66 ten-3.test.ex.
404 _smtp._tcp.nosmtp SRV 0 0 0 .
406 _smtp2._tcp.srv03 SRV 0 0 88 ten-4.test.ex.
408 _smtp._tcp.srv27 SRV 0 0 PORT_S localhost
411 ; -------- With some for CSA testing plus their A records -------
413 _client._smtp.csa1 SRV 1 2 0 csa1.test.ex.
414 _client._smtp.csa2 SRV 1 1 0 csa2.test.ex.
419 ; ------- Testing DNSSEC ----------
421 mx-unsec-a-unsec MX 5 a-unsec
422 mx-unsec-a-sec MX 5 a-sec
423 DNSSEC mx-sec-a-unsec MX 5 a-unsec
424 DNSSEC mx-sec-a-sec MX 5 a-sec
425 DNSSEC mx-sec-a-aa MX 5 a-aa
426 AA mx-aa-a-sec MX 5 a-sec
428 a-unsec A V4NET.0.0.100
429 DNSSEC a-sec A V4NET.0.0.100
430 DNSSEC l-sec A 127.0.0.1
432 AA a-aa A V4NET.0.0.100
434 ; ------- Testing DANE ------------
435 ; Since these refer to certs in the exim-ca tree, they must be regenerated any time that tree is.
438 ; full suite dns chain, sha512
441 ; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \
442 ; | openssl pkey -pubin -outform DER \
443 ; | openssl dgst -sha512 \
446 DNSSEC mxnodane MX 1 nodane
447 DNSSEC mxdane512ee MX 1 dane512ee
448 DNSSEC mxdane512ee1 MX 1 dane512ee
449 mxnondane512ee MX 1 dane512ee
450 DNSSEC dane512ee A HOSTIPV4
451 DNSSEC nodane A HOSTIPV4
453 DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 e8173aaefffadc6c96700f7f396a17b8e590ebd15b081f1455abb152afecceb16a5534707ecd64611c8b6d8b9111f82e3fa954b98c6b230cda0e9be386747b71
455 # mx of mxdane owns a secure A and TLSA record
457 DNSSEC mxdane MX 1 dane512ee
459 # mx of mxdanesecchain is a CNAME, with a secure target, that owns a secure A and TLSA record
460 DNSSEC mxdanesecchain MX 1 danesecchain
461 DNSSEC danesecchain CNAME dane512ee
463 # mx of mxdaneinsecchain is CNAME, with an insecure target that own a secure A and TLSA record
464 # DANE should report a failure if the message is for ...@mxdaneinsecurechain
465 DNSSEC mxdaneinsecchain MX 1 daneinsecchain
466 daneinsecchain CNAME dane512ee
471 ; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \
472 ; | openssl pkey -pubin -outform DER \
473 ; | openssl dgst -sha256 \
476 DNSSEC dane256ee A HOSTIPV4
477 DNSSEC _1225._tcp.dane256ee TLSA 3 1 1 e9f6e8fe73b130c720eb1fb5c94eaff522ec6f9759ed4c6815351d827b1226a7
479 ; full MX, sha256, TA-mode
482 ; openssl x509 -in aux-fixed/exim-ca/example.com/CA/CA.pem -fingerprint -sha256 -noout \
483 ; | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
485 DNSSEC mxdane256ta MX 1 dane256ta
486 DNSSEC dane256ta A HOSTIPV4
487 DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 0d643c1ebcdf2cb83634e0c2f5102c1e268983401c9f4d8711d60b44d7fb7a3e
490 ; full MX, sha256, TA-mode, cert-key-only
491 ; Indicates a trust-anchor for a chain involving an Authority Key ID extension
492 ; linkage, as this excites a bug in OpenSSL 1.0.2 which the DANE code has to
493 ; work around, while synthesizing a selfsigned parent for it.
494 ; As it happens it is also an intermediate cert in the CA-rooted chain, as this
495 ; was initially thought to be a factor.
498 ; openssl x509 -in aux-fixed/exim-ca/example.com/CA/Signer.pem -noout -pubkey \
499 ; | openssl pkey -pubin -outform DER \
500 ; | openssl dgst -sha256 \
503 DNSSEC mxdane256tak MX 1 dane256tak
504 DNSSEC dane256tak A HOSTIPV4
505 DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1
509 ; A multiple-return MX where all TLSA lookups defer
510 DNSSEC mxdanelazy MX 1 danelazy
511 DNSSEC MX 2 danelazy2
513 DNSSEC danelazy A HOSTIPV4
514 DNSSEC danelazy2 A 127.0.0.1
516 DNSSEC _1225._tcp.danelazy CNAME test.again.dns.
517 DNSSEC _1225._tcp.danelazy2 CNAME test.again.dns.
519 ; hosts with no TLSA (just missing here, hence the TLSA NXDMAIN is _insecure_; a broken dane config)
520 ; 1 for dane-required, 2 for merely requested
521 DNSSEC dane.no.1 A HOSTIPV4
522 DNSSEC dane.no.2 A 127.0.0.1
524 ; a broken dane config (or under attack) where the TLSA lookup fails (as opposed to there not being one)
525 DNSSEC danebroken1 A 127.0.0.1
526 _1225._tcp.danebroken1 CNAME test.fail.dns.
528 ; a broken dane config (or under attack) where the TLSA record is wrong
529 ; (127.0.0.1 for merely dane-requested, but having gotten the TLSA it is supposedly definitive)
530 DNSSEC danebroken2 A 127.0.0.1
531 DNSSEC _1225._tcp.danebroken2 TLSA 2 0 1 cb0fa60000000000000000000000000000000000000000000000000000000000
533 ; a broken dane config (or under attack) where the TLSA record is correct but not DNSSEC-assured
534 ; (record copied from dane256ee above)
536 ; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \
537 ; | openssl pkey -pubin -outform DER \
538 ; | openssl dgst -sha256 \
540 ; 3 for dane-requested, 4 for dane-required
541 DNSSEC danebroken3 A 127.0.0.1
542 _1225._tcp.danebroken3 TLSA 2 0 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1
544 ; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \
545 ; | openssl pkey -pubin -outform DER \
546 ; | openssl dgst -sha256 \
548 DNSSEC danebroken4 A HOSTIPV4
549 _1225._tcp.danebroken4 TLSA 2 0 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1
551 ; a broken dane config (or under attack) where the address record is correct but not DNSSEC-assured
552 ; (TLSA record copied from dane256ee above)
553 ; 5 for dane-requested, 6 for dane-required
555 ; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \
556 ; | openssl pkey -pubin -outform DER \
557 ; | openssl dgst -sha256 \
559 danebroken5 A 127.0.0.1
560 DNSSEC _1225._tcp.danebroken5 TLSA 2 0 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1
562 ; openssl x509 -in aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem -noout -pubkey \
563 ; | openssl pkey -pubin -outform DER \
564 ; | openssl dgst -sha256 \
566 danebroken6 A HOSTIPV4
567 DNSSEC _1225._tcp.danebroken6 TLSA 2 0 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1
569 ; a good dns config saying there is no dane support, by securely returning NOXDOMAIN for TLSA lookups
570 ; 3 for dane-required, 4 for merely requested
571 ; the TLSA data here is dummy; ignored
572 DNSSEC dane.no.3 A HOSTIPV4
573 DNSSEC dane.no.4 A 127.0.0.1
575 DNSSEC NXDOMAIN _1225._tcp.dane.no.3 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
576 DNSSEC NXDOMAIN _1225._tcp.dane.no.4 TLSA 2 0 1 eec923139018c540a344c5191660ecba1ac3708525a98bfc338e17f31d3fa741
578 ; a mixed-usage set of TLSA records, EE one failing. TA one coped from dane256ta.
581 ; openssl x509 -in aux-fixed/exim-ca/example.com/CA/CA.pem -fingerprint -sha256 -noout \
582 ; | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
584 DNSSEC danemixed A 127.0.0.1
585 DNSSEC _1225._tcp.danemixed TLSA 2 0 1 0d643c1ebcdf2cb83634e0c2f5102c1e268983401c9f4d8711d60b44d7fb7a3e
586 DNSSEC TLSA 3 1 1 8276000000000000000000000000000000000000000000000000000000000000
588 ; have the TLSA lookup, only, return SERVFAIL
590 DNSSEC daneservfail A 127.0.0.1
591 DNSSEC _1225._tcp.daneservfail CNAME test.again.dns.
593 ; ------- Testing delays ------------
595 DELAY=500 delay500 A HOSTIPV4
596 DELAY=1500 delay1500 A HOSTIPV4
598 ; ------- DKIM ---------
600 ; public key, base64 - matches private key in aux-fixed/dkim/dkim.private
601 ; openssl genrsa -out aux-fixed/dkim/dkim.private 1024
602 ; openssl rsa -in aux-fixed/dkim/dkim.private -out /dev/stdout -pubout -outform PEM
604 ; Deliberate bad version, having extra backslashes
605 ; sha256-hash-only version.... appears to be too long, gets truncated
606 ; Bad records, missing a value for the key
608 ; Another, 512-bit (with a Notes field)
609 ; 512 requiring sha1 hash
610 ; 512 requiring sha256 hash
612 sel._domainkey TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
613 sel_bad._domainkey TXT "v=DKIM1\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
614 sel_sha256._domainkey TXT "v=DKIM1; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
615 sel_nullkey._domainkey TXT "v=DKIM1; p="
616 sel_snullkey._domainkey TXT "v=DKIM1; p= "
618 ses._domainkey TXT "v=DKIM1; n=halfkilo; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ=="
619 ses_sha1._domainkey TXT "v=DKIM1; h=sha1; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ=="
620 ses_sha256._domainkey TXT "v=DKIM1; h=sha256; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAL6eAQxd9didJ0/+05iDwJOqT6ly826Vi8aGPecsBiYK5/tAT97fxXk+dPWMZp9kQxtknEzYjYjAydzf+HQ2yJMCAwEAAQ=="
622 sel2._domainkey TXT "v=spf1 mx a include:spf.nl2go.com -all"
623 sel2._domainkey TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDXRFf+VhT+lCgFhhSkinZKcFNeRzjYdW8vT29Rbb3NadvTFwAd+cVLPFwZL8H5tUD/7JbUPqNTCPxmpgIL+V5T4tEZMorHatvvUM2qfcpQ45IfsZ+YdhbIiAslHCpy4xNxIR3zylgqRUF4+Dtsaqy3a5LhwMiKCLrnzhXk1F1hxwIDAQAB"
625 ; EC signing, using Ed25519
626 ; - needs GnuTLS 3.6.0 (fedora rawhide has that)
627 ; certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private
628 ; certtool --load_privkey=dkim_ed25519.private --pubkey_info --outder | tail -c +13 | base64
630 sed._domainkey TXT "v=DKIM1; k=ed25519; p=sPs07Vu29FpHT/80UXUcYHFOHifD4o2ZlP2+XUh9g6E="
632 ; version of the above wrapped in SubjectPublicKeyInfo, in case the WG plumps in that direction
633 ; certtool --load_privkey=aux-fixed/dkim/dkim_ed25519.private --pubkey_info
634 ; (and grab the b64 content from between the pem headers)
636 sedw._domainkey TXT "v=DKIM1; k=ed25519; p=MCowBQYDK2VwAyEAsPs07Vu29FpHT/80UXUcYHFOHifD4o2ZlP2+XUh9g6E="
639 ; ------- DMARC ---------
641 _dmarc TXT v=DMARC1; p=none