This is a page just like the normal DNSSEC test page, only here the test tree is signed with NSEC3.
Note that this does not contain NSEC3-specific errors, the only difference is that NSEC3 is used for denial of existence.
Test Tree
I created a complete tree to test your chaser/tracer/verifier/whatever with. At the moment it goes down 4 levels from nsec3.tjeb.nl.
The address of the server is the same as this webserver.
Every zone has 6 delegations:
- ok
these are signed correctly.
- nods
A zone, but without the DS RR for the child zone
- bogussig
the RRSIGs of zones starting with this name contain bad signature data.
- sigexpired
the RRSIGs of zones starting with this name have an expiration date in the past.
- signotincepted
the RRSIGs of zones starting with this name have an inception date in the future.
- unknownalgorithm
the RRSIGS of zones starting with this name are signed correctly (with a known algorithm), but have the algorithm field set to another value.
The result is that you can test your programs with a range of domains, for example:
- ok.ok.ok.nsec3.tjeb.nl
- ok.ok.nods.ok.nsec3.tjeb.nl
- ok.bogussig.ok.nsec3.tjeb.nl
- ok.ok.ok.nsec3.tjeb.nl
- ok.bogussig.ok.ok.nsec3.tjeb.nl
- ok.unknownalgorithm.ok.sigexpired.ok.nsec3.tjeb.nl
- signotincepted.bogussig.sigexpired.bogussig.nsec3.tjeb.nl
- bogussig.nsec3.tjeb.nl
- sigexpired.nsec3.tjeb.nl
- signotincepted.nsec3.tjeb.nl
- unknownalgorithm.nsec3.tjeb.nl