DNSSEC _1225._tcp.dane256tak TLSA 2 1 1 73e279c0f5f5a9ee9851bbbc39023603d7b266acfd0764419c3b07cc380b79f9
+; full MX, both TA & EE modes, cert is selfsigned
+; for testing an issue in the gnutls impl
+;
+; tas:
+; openssl x509 -in aux-fixed/cert1 -fingerprint -sha256 -noout \
+; | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
+;
+DNSSEC mxdane256tas MX 1 dane256tas
+DNSSEC dane256tas A HOSTIPV4
+DNSSEC _1225._tcp.dane256tas TLSA 2 0 1 34d3624101b954d667c1a5ac18078b196cd17fbd61e23df73249c1afab747124
+DNSSEC mxdane256task MX 1 dane256task
+DNSSEC dane256task A HOSTIPV4
+DNSSEC _1225._tcp.dane256task TLSA 2 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+DNSSEC mxdane256ees MX 1 dane256ees
+DNSSEC dane256ees A HOSTIPV4
+DNSSEC _1225._tcp.dane256ees TLSA 3 1 1 c1241d8cc61401079437240467a47e21db921d3398883cd9bb038cc461d7beab
+
+
+
; A multiple-return MX where all TLSA lookups defer
DNSSEC mxdanelazy MX 1 danelazy
DNSSEC MX 2 danelazy2
; EC signing, using Ed25519
; - needs GnuTLS 3.6.0 (fedora rawhide has that)
; certtool --generate-privkey --key-type=ed25519 --outfile=dkim_ed25519.private
-; ../src/util/ed25519_privkey_pem_to_pubkey_raw_b64 dkim_ed25519.private
+; certtool --load_privkey=dkim_ed25519.private --pubkey_info --outder | tail -c +13 | base64
sed._domainkey TXT "v=DKIM1; k=ed25519; p=sPs07Vu29FpHT/80UXUcYHFOHifD4o2ZlP2+XUh9g6E="
+; version of the above wrapped in SubjectPublicKeyInfo, in case the WG plumps in that direction
+; certtool --load_privkey=aux-fixed/dkim/dkim_ed25519.private --pubkey_info
+; (and grab the b64 content from between the pem headers)
+
+sedw._domainkey TXT "v=DKIM1; k=ed25519; p=MCowBQYDK2VwAyEAsPs07Vu29FpHT/80UXUcYHFOHifD4o2ZlP2+XUh9g6E="
+
; End