Merge branch 'fatemabw/bro' of https://github.com/fatemabw/bro into dev/2.7

* 'fatemabw/bro' of https://github.com/fatemabw/bro:
  DNSSEC support in Bro

I made several changes:

  - renamed event/record types
  - reformatted the info added to dns.log
  - removed the "addl" scripts that added extended dnssec info to dns.log
  - simplifications/improvements to the internal parsing logic

NEWS

@@ -4,6 +4,30 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as BroControl and Broccoli, come with
 their own ``CHANGES``.)
 
+Bro 2.7
+=======
+
+New Functionality
+-----------------
+
+- Added support for DNSSEC resource records RRSIG, DNSKEY, DS, NSEC, and NSEC3.
+  The associated events are:
+
+  - dns_RRSIG
+  - dns_DNSKEY
+  - dns_DS
+  - dns_NSEC
+  - dns_NSEC3
+
+Changed Functionality
+---------------------
+
+Removed Functionality
+---------------------
+
+Deprecated Functionality
+------------------------
+
 Bro 2.6
 =======
 

scripts/base/init-bare.bro

@@ -3544,6 +3544,67 @@ type dns_tsig_additional: record {
 	is_query: count;	##< TODO.
 };
 
+## A DNSSEC RRSIG record.
+##
+## .. bro:see:: dns_RRSIG
+type dns_rrsig_rr: record {
+	query: string;			##< Query.
+	answer_type: count;		##< Ans type.
+	type_covered: count;	##< qtype covered by RRSIG RR.
+	algorithm: count;		##< Algorithm.
+	labels: count;			##< Labels in the owner's name.
+	orig_ttl: interval;		##< Original TTL.
+	sig_exp: time;			##< Time when signed RR expires.
+	sig_incep: time;		##< Time when signed.
+	key_tag: count;			##< Key tag value.
+	signer_name: string;	##< Signature.
+	signature: string;		##< Hash of the RRDATA.
+	is_query: count;		##< The RR is a query/Response.
+};
+
+## A DNSSEC DNSKEY record.
+##
+## .. bro:see:: dns_DNSKEY
+type dns_dnskey_rr: record {
+	query: string;		##< Query.
+	answer_type: count;	##< Ans type.
+	flags: count;		##< flags filed.
+	protocol: count;	##< Protocol, should be always 3 for DNSSEC.
+	algorithm: count;	##< Algorithm for Public Key.
+	public_key: string;	##< Public Key
+	is_query: count;	##< The RR is a query/Response.
+};
+
+## A DNSSEC NSEC3 record.
+##
+## .. bro:see:: dns_NSEC3
+type dns_nsec3_rr: record {
+	query: string;			##< Query.
+	answer_type: count;		##< Ans type.
+	nsec_flags: count;		##< flags field.
+	nsec_hash_algo: count;	##< Hash algorithm.
+	nsec_iter: count;		##< Iterations.
+	nsec_salt_len: count; 	##< Salt length.
+	nsec_salt: string;		##< Salt value
+	nsec_hlen: count;		##< Hash length.
+	nsec_hash: string;		##< Hash value.
+	bitmaps: string_vec;	##< Type Bit Maps.
+	is_query: count;		##< The RR is a query/Response.
+};
+
+## A DNSSEC DS record.
+##
+## .. bro:see:: dns_DS
+type dns_ds_rr: record {
+	query: string;		##< Query.
+	answer_type: count;	##< Ans type.
+	key_tag: count;		##< flags filed.
+	algorithm: count;	##< Algorithm for Public Key.
+	digest_type: count;	##< Digest Type.
+	digest_val: string;	##< Digest Value.
+	is_query: count;	##< The RR is a query/Response.
+};
+
 # DNS answer types.
 #
 # .. bro:see:: dns_answerr

scripts/base/protocols/dns/consts.bro

@@ -76,4 +76,37 @@ export {
 		[254] = "C_NONE",
 		[255] = "C_ANY",
 	} &default = function(n: count): string { return fmt("qclass-%d", n); };
+
+	## Possible values of the algorithms used in DNSKEY, DS and RRSIG records
+	const algorithms = {
+		[0] = "reserved0",
+		[1] = "RSA_MD5",
+		[2] = "Diffie_Hellman",
+		[3] = "DSA_SHA1",
+		[4] = "Elliptic_Curve",
+		[5] = "RSA_SHA1",
+		[6] = "DSA_NSEC3_SHA1",
+		[7] = "RSA_SHA1_NSEC3_SHA1",
+		[8] = "RSA_SHA256",
+		[10] = "RSA_SHA512",
+		[12] = "GOST_R_34_10_2001",
+		[13] = "ECDSA_curveP256withSHA256",
+		[14] = "ECDSA_curveP384withSHA384",
+		[15] = "Ed25519",
+		[16] = "Ed448",
+		[252] = "Indirect",
+		[253] = "PrivateDNS",
+		[254] = "PrivateOID",
+		[255] = "reserved255",
+	} &default = function(n: count): string { return fmt("algorithm-%d", n); };
+
+	## Possible digest types used in DNSSEC.
+	const digests = {
+		[0] = "reserved0",
+		[1] = "SHA1",
+		[2] = "SHA256",
+		[3] = "GOST_R_34_11_94",
+		[4] = "SHA384",
+	} &default = function(n: count): string { return fmt("digest-%d", n); };
+
 }

scripts/base/protocols/dns/main.bro

@@ -466,6 +466,38 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string
 #
 #	}
 
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+	{
+	local s: string;
+	s = fmt("RRSIG %s %s", rrsig$type_covered,
+	        rrsig$signer_name == "" ? "<Root>" : rrsig$signer_name);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+	{
+	local s: string;
+	s = fmt("DNSKEY %s", dnskey$algorithm);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+	{
+	hook DNS::do_reply(c, msg, ans, fmt("NSEC %s %s", ans$query, next_name));
+	}
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+	{
+	hook DNS::do_reply(c, msg, ans, "NSEC3");
+	}
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+	{
+	local s: string;
+	s = fmt("DS %s %s", ds$algorithm, ds$digest_type);
+	hook DNS::do_reply(c, msg, ans, s);
+	}
+
 event dns_rejected(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count) &priority=5
 	{
 	if ( c?$dns )

src/NetVar.cc

@@ -115,6 +115,10 @@ RecordType* dns_answer;
 RecordType* dns_soa;
 RecordType* dns_edns_additional;
 RecordType* dns_tsig_additional;
+RecordType* dns_rrsig_rr;
+RecordType* dns_dnskey_rr;
+RecordType* dns_nsec3_rr;
+RecordType* dns_ds_rr;
 TableVal* dns_skip_auth;
 TableVal* dns_skip_addl;
 int dns_skip_all_auth;
@@ -430,7 +434,10 @@ void init_net_var()
 		internal_type("dns_edns_additional")->AsRecordType();
 	dns_tsig_additional =
 		internal_type("dns_tsig_additional")->AsRecordType();
-
+	dns_rrsig_rr = internal_type("dns_rrsig_rr")->AsRecordType();
+	dns_dnskey_rr = internal_type("dns_dnskey_rr")->AsRecordType();
+	dns_nsec3_rr = internal_type("dns_nsec3_rr")->AsRecordType();
+	dns_ds_rr = internal_type("dns_ds_rr")->AsRecordType();
 	dns_skip_auth = internal_val("dns_skip_auth")->AsTableVal();
 	dns_skip_addl = internal_val("dns_skip_addl")->AsTableVal();
 	dns_skip_all_auth = opt_internal_int("dns_skip_all_auth");

src/NetVar.h

@@ -118,6 +118,10 @@ extern RecordType* dns_answer;
 extern RecordType* dns_soa;
 extern RecordType* dns_edns_additional;
 extern RecordType* dns_tsig_additional;
+extern RecordType* dns_rrsig_rr;
+extern RecordType* dns_dnskey_rr;
+extern RecordType* dns_nsec3_rr;
+extern RecordType* dns_ds_rr;
 extern TableVal* dns_skip_auth;
 extern TableVal* dns_skip_addl;
 extern int dns_skip_all_auth;

src/analyzer/protocol/dns/DNS.cc

@@ -312,6 +312,26 @@ int DNS_Interpreter::ParseAnswer(DNS_MsgInfo* msg,
 			status = ParseRR_TSIG(msg, data, len, rdlength, msg_start);
 			break;
 
+		case TYPE_RRSIG:
+			status = ParseRR_RRSIG(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_DNSKEY:
+			status = ParseRR_DNSKEY(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_NSEC:
+			status = ParseRR_NSEC(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_NSEC3:
+			status = ParseRR_NSEC3(msg, data, len, rdlength, msg_start);
+			break;
+
+		case TYPE_DS:
+			status = ParseRR_DS(msg, data, len, rdlength, msg_start);
+			break;
+
 		default:
 
 			if ( dns_unknown_reply && ! msg->skip_event )
@@ -724,6 +744,17 @@ void DNS_Interpreter::ExtractOctets(const u_char*& data, int& len,
 	len -= dlen;
 	}
 
+BroString* DNS_Interpreter::ExtractStream(const u_char*& data, int& len, int l)
+	{
+	l = max(l, 0);
+	int dlen = min(len, l); // Len in bytes of the algorithm use
+	auto rval = new BroString(data, dlen, 0);
+
+	data += dlen;
+	len -= dlen;
+	return rval;
+	}
+
 int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start)
@@ -769,6 +800,389 @@ int DNS_Interpreter::ParseRR_TSIG(DNS_MsgInfo* msg,
 	return 1;
 	}
 
+int DNS_Interpreter::ParseRR_RRSIG(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	if ( ! dns_RRSIG || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return 1;
+		}
+
+	if ( len < 18 )
+		return 0;
+
+	unsigned int type_covered = ExtractShort(data, len);
+	// split the two bytes for algo and labels extraction
+	uint32 algo_lab = ExtractShort(data, len);
+	unsigned int algo = (algo_lab >> 8) & 0xff;
+	unsigned int lab = algo_lab & 0xff;
+
+	uint32 orig_ttl = ExtractLong(data, len);
+	uint32 sign_exp = ExtractLong(data, len);
+	uint32 sign_incp = ExtractLong(data, len);
+	unsigned int key_tag = ExtractShort(data, len);
+
+	//implement signer's name with the msg_start offset
+	const u_char* data_start = data;
+	u_char name[513];
+	int name_len = sizeof(name) - 1;
+
+	u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
+	if ( ! name_end )
+		return 0;
+
+	int sig_len = rdlength - ((data - data_start) + 18);
+	DNSSEC_Algo dsa = DNSSEC_Algo(algo);
+	BroString* sign = ExtractStream(data, len, sig_len);
+
+	switch ( dsa ) {
+		case RSA_MD5:
+			analyzer->Weird("DNSSEC_RRSIG_NotRecommended_ZoneSignAlgo", fmt("%d", algo));
+			break;
+		case Diffie_Hellman:
+			break;
+		case DSA_SHA1:
+			break;
+		case Elliptic_Curve:
+			break;
+		case RSA_SHA1:
+			break;
+		case DSA_NSEC3_SHA1:
+			break;
+		case RSA_SHA1_NSEC3_SHA1:
+			break;
+		case RSA_SHA256:
+			break;
+		case RSA_SHA512:
+			break;
+		case GOST_R_34_10_2001:
+			break;
+		case ECDSA_curveP256withSHA256:
+			break;
+		case ECDSA_curveP384withSHA384:
+			break;
+		case Indirect:
+			analyzer->Weird("DNSSEC_RRSIG_Indirect_ZoneSignAlgo", fmt("%d", algo));
+			break;
+		case PrivateDNS:
+			analyzer->Weird("DNSSEC_RRSIG_PrivateDNS_ZoneSignAlgo", fmt("%d", algo));
+			break;
+		case PrivateOID:
+			analyzer->Weird("DNSSEC_RRSIG_PrivateOID_ZoneSignAlgo", fmt("%d", algo));
+			break;
+		default:
+			analyzer->Weird("DNSSEC_RRSIG_unknown_ZoneSignAlgo", fmt("%d", algo));
+			break;
+	}
+
+	RRSIG_DATA rrsig;
+	rrsig.type_covered = type_covered;
+	rrsig.algorithm = algo;
+	rrsig.labels = lab;
+	rrsig.orig_ttl = orig_ttl;
+	rrsig.sig_exp = sign_exp;
+	rrsig.sig_incep = sign_incp;
+	rrsig.key_tag = key_tag;
+	rrsig.signer_name = new BroString(name, name_end - name, 1);
+	rrsig.signature = sign;
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(msg->BuildAnswerVal());
+	vl->append(msg->BuildRRSIG_Val(&rrsig));
+
+	analyzer->ConnectionEvent(dns_RRSIG, vl);
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_DNSKEY(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	if ( ! dns_DNSKEY || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return 1;
+		}
+
+	if ( len < 4 )
+		return 0;
+
+	auto dflags = ExtractShort(data, len);
+	// split the two bytes for protocol and algorithm extraction
+	auto proto_algo = ExtractShort(data, len);
+	unsigned int dprotocol = (proto_algo >> 8) & 0xff;
+	unsigned int dalgorithm = proto_algo & 0xff;
+	DNSSEC_Algo dsa = DNSSEC_Algo(dalgorithm);
+	//Evaluating the size of remaining bytes for Public Key
+	BroString* key = ExtractStream(data, len, rdlength - 4);
+
+	if ( dflags != 256 and dflags != 257 and dflags != 0 )
+		analyzer->Weird("DNSSEC_DNSKEY_Invalid_Flag", fmt("%d", dflags));
+
+	if ( dprotocol != 3 )
+		analyzer->Weird("DNSSEC_DNSKEY_Invalid_Protocol", fmt("%d", dprotocol));
+
+	switch ( dsa ) {
+		case RSA_MD5:
+			analyzer->Weird("DNSSEC_DNSKEY_NotRecommended_ZoneSignAlgo", fmt("%d", dalgorithm));
+			break;
+		case Diffie_Hellman:
+			break;
+		case DSA_SHA1:
+			break;
+		case Elliptic_Curve:
+			break;
+		case RSA_SHA1:
+			break;
+		case DSA_NSEC3_SHA1:
+			break;
+		case RSA_SHA1_NSEC3_SHA1:
+			break;
+		case RSA_SHA256:
+			break;
+		case RSA_SHA512:
+			break;
+		case GOST_R_34_10_2001:
+			break;
+		case ECDSA_curveP256withSHA256:
+			break;
+		case ECDSA_curveP384withSHA384:
+			break;
+		case Indirect:
+			analyzer->Weird("DNSSEC_DNSKEY_Indirect_ZoneSignAlgo", fmt("%d", dalgorithm));
+			break;
+		case PrivateDNS:
+			analyzer->Weird("DNSSEC_DNSKEY_PrivateDNS_ZoneSignAlgo", fmt("%d", dalgorithm));
+			break;
+		case PrivateOID:
+			analyzer->Weird("DNSSEC_DNSKEY_PrivateOID_ZoneSignAlgo", fmt("%d", dalgorithm));
+			break;
+		default:
+			analyzer->Weird("DNSSEC_DNSKEY_unknown_ZoneSignAlgo", fmt("%d", dalgorithm));
+			break;
+	}
+
+	DNSKEY_DATA dnskey;
+	dnskey.dflags = dflags;
+	dnskey.dalgorithm = dalgorithm;
+	dnskey.dprotocol = dprotocol;
+	dnskey.public_key = key;
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(msg->BuildAnswerVal());
+	vl->append(msg->BuildDNSKEY_Val(&dnskey));
+
+	analyzer->ConnectionEvent(dns_DNSKEY, vl);
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_NSEC(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	if ( ! dns_NSEC || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return 1;
+		}
+
+	const u_char* data_start = data;
+	u_char name[513];
+	int name_len = sizeof(name) - 1;
+
+	u_char* name_end = ExtractName(data, len, name, name_len, msg_start);
+	if ( ! name_end )
+		return 0;
+
+	int typebitmaps_len = rdlength - (data - data_start);
+
+	VectorVal* char_strings = new VectorVal(string_vec);
+
+	while ( typebitmaps_len > 0 && len > 0 )
+		{
+		uint32 block_bmlen = ExtractShort(data, len);
+		unsigned int win_blck = (block_bmlen >> 8) & 0xff;
+		unsigned int bmlen = block_bmlen & 0xff;
+
+		if ( bmlen == 0 )
+			{
+			analyzer->Weird("DNSSEC_NSEC_bitmapLen0", fmt("%d", win_blck));
+			break;
+			}
+
+		BroString* bitmap = ExtractStream(data, len, bmlen);
+		char_strings->Assign(char_strings->Size(), new StringVal(bitmap));
+		typebitmaps_len = typebitmaps_len - (2 + bmlen);
+		}
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(msg->BuildAnswerVal());
+	vl->append(new StringVal(new BroString(name, name_end - name, 1)));
+	vl->append(char_strings);
+
+	analyzer->ConnectionEvent(dns_NSEC, vl);
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_NSEC3(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	if ( ! dns_NSEC3 || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return 1;
+		}
+
+	if ( len < 6 )
+		return 0;
+
+	const u_char* data_start = data;
+	uint32 halgo_flags = ExtractShort(data, len);
+	unsigned int hash_algo = (halgo_flags >> 8) & 0xff;
+	unsigned int nsec_flags = halgo_flags & 0xff;
+	unsigned int iter = ExtractShort(data, len);
+
+	uint8 salt_len = 0;
+
+	if ( len > 0 )
+		{
+		salt_len = data[0];
+		++data;
+		--len;
+		}
+
+	auto salt_val = ExtractStream(data, len, static_cast<int>(salt_len));
+
+	uint8 hash_len = 0;
+
+	if ( len > 0 )
+		{
+		hash_len = data[0];
+		++data;
+		--len;
+		}
+
+	auto hash_val = ExtractStream(data, len, static_cast<int>(hash_len));
+
+	int typebitmaps_len = rdlength - (data - data_start);
+
+	VectorVal* char_strings = new VectorVal(string_vec);
+
+	while ( typebitmaps_len > 0 && len > 0 )
+		{
+		uint32 block_bmlen = ExtractShort(data, len);
+		unsigned int win_blck = ( block_bmlen >> 8) & 0xff;
+		unsigned int bmlen = block_bmlen & 0xff;
+
+		if ( bmlen == 0 )
+			{
+			analyzer->Weird("DNSSEC_NSEC3_bitmapLen0", fmt("%d", win_blck));
+			break;
+			}
+
+		BroString* bitmap = ExtractStream(data, len, bmlen);
+		char_strings->Assign(char_strings->Size(), new StringVal(bitmap));
+		typebitmaps_len = typebitmaps_len - (2 + bmlen);
+		}
+
+	NSEC3_DATA nsec3;
+	nsec3.nsec_flags = nsec_flags;
+	nsec3.nsec_hash_algo = hash_algo;
+	nsec3.nsec_iter = iter;
+	nsec3.nsec_salt_len = salt_len;
+	nsec3.nsec_salt = salt_val;
+	nsec3.nsec_hlen = hash_len;
+	nsec3.nsec_hash = hash_val;
+	nsec3.bitmaps = char_strings;
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(msg->BuildAnswerVal());
+	vl->append(msg->BuildNSEC3_Val(&nsec3));
+
+	analyzer->ConnectionEvent(dns_NSEC3, vl);
+
+	return 1;
+	}
+
+int DNS_Interpreter::ParseRR_DS(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start)
+	{
+	if ( ! dns_DS || msg->skip_event )
+		{
+		data += rdlength;
+		len -= rdlength;
+		return 1;
+		}
+
+	if ( len < 4 )
+		return 0;
+
+	unsigned int ds_key_tag = ExtractShort(data, len);
+	// split the two bytes for algorithm and digest type extraction
+	uint32 ds_algo_dtype = ExtractShort(data, len);
+	unsigned int ds_algo = (ds_algo_dtype >> 8) & 0xff;
+	unsigned int ds_dtype = ds_algo_dtype & 0xff;
+	DNSSEC_Digest ds_digest_type = DNSSEC_Digest(ds_dtype);
+	BroString* ds_digest = ExtractStream(data, len, rdlength - 4);
+
+	switch ( ds_digest_type ) {
+		case SHA1:
+			break;
+		case SHA256:
+			break;
+		case GOST_R_34_11_94:
+			break;
+		case SHA384:
+			break;
+		case reserved0:
+			analyzer->Weird("DNSSEC_DS_ResrevedDigestType", fmt("%d", ds_dtype));
+			break;
+		default:
+			analyzer->Weird("DNSSEC_DS_unknown_DigestType", fmt("%d", ds_dtype));
+			break;
+	}
+
+	DS_DATA ds;
+	ds.key_tag = ds_key_tag;
+	ds.algorithm = ds_algo;
+	ds.digest_type = ds_dtype;
+	ds.digest_val = ds_digest;
+
+	val_list* vl = new val_list;
+
+	vl->append(analyzer->BuildConnVal());
+	vl->append(msg->BuildHdrVal());
+	vl->append(msg->BuildAnswerVal());
+	vl->append(msg->BuildDS_Val(&ds));
+
+	analyzer->ConnectionEvent(dns_DS, vl);
+
+	return 1;
+	}
+
 int DNS_Interpreter::ParseRR_A(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength)
 	{
@@ -1063,7 +1477,7 @@ Val* DNS_MsgInfo::BuildEDNS_Val()
 
 	// Need to break the TTL field into three components:
 	// initial: [------------- ttl (32) ---------------------]
-	// after:   [DO][ ext rcode (7)][ver # (8)][ Z field (16)]
+	// after:   [ ext rcode (8)][ver # (8)][   Z field (16)  ]
 
 	unsigned int ercode = (ttl >> 24) & 0xff;
 	unsigned int version = (ttl >> 16) & 0xff;
@@ -1104,6 +1518,79 @@ Val* DNS_MsgInfo::BuildTSIG_Val()
 	return r;
 	}
 
+Val* DNS_MsgInfo::BuildRRSIG_Val(RRSIG_DATA* rrsig)
+	{
+	RecordVal* r = new RecordVal(dns_rrsig_rr);
+
+	Ref(query_name);
+	r->Assign(0, query_name);
+	r->Assign(1, new Val(int(answer_type), TYPE_COUNT));
+	r->Assign(2, new Val(rrsig->type_covered, TYPE_COUNT));
+	r->Assign(3, new Val(rrsig->algorithm, TYPE_COUNT));
+	r->Assign(4, new Val(rrsig->labels, TYPE_COUNT));
+	r->Assign(5, new IntervalVal(double(rrsig->orig_ttl), Seconds));
+	r->Assign(6, new Val(double(rrsig->sig_exp), TYPE_TIME));
+	r->Assign(7, new Val(double(rrsig->sig_incep), TYPE_TIME));
+	r->Assign(8, new Val(rrsig->key_tag, TYPE_COUNT));
+	r->Assign(9, new StringVal(rrsig->signer_name));
+	r->Assign(10, new StringVal(rrsig->signature));
+	r->Assign(11, new Val(is_query, TYPE_COUNT));
+
+	return r;
+	}
+
+Val* DNS_MsgInfo::BuildDNSKEY_Val(DNSKEY_DATA* dnskey)
+	{
+	RecordVal* r = new RecordVal(dns_dnskey_rr);
+
+	Ref(query_name);
+	r->Assign(0, query_name);
+	r->Assign(1, new Val(int(answer_type), TYPE_COUNT));
+	r->Assign(2, new Val(dnskey->dflags, TYPE_COUNT));
+	r->Assign(3, new Val(dnskey->dprotocol, TYPE_COUNT));
+	r->Assign(4, new Val(dnskey->dalgorithm, TYPE_COUNT));
+	r->Assign(5, new StringVal(dnskey->public_key));
+	r->Assign(6, new Val(is_query, TYPE_COUNT));
+
+	return r;
+	}
+
+Val* DNS_MsgInfo::BuildNSEC3_Val(NSEC3_DATA* nsec3)
+	{
+	RecordVal* r = new RecordVal(dns_nsec3_rr);
+
+	Ref(query_name);
+	r->Assign(0, query_name);
+	r->Assign(1, new Val(int(answer_type), TYPE_COUNT));
+	r->Assign(2, new Val(nsec3->nsec_flags, TYPE_COUNT));
+	r->Assign(3, new Val(nsec3->nsec_hash_algo, TYPE_COUNT));
+	r->Assign(4, new Val(nsec3->nsec_iter, TYPE_COUNT));
+	r->Assign(5, new Val(nsec3->nsec_salt_len, TYPE_COUNT));
+	r->Assign(6, new StringVal(nsec3->nsec_salt));
+	r->Assign(7, new Val(nsec3->nsec_hlen, TYPE_COUNT));
+	r->Assign(8, new StringVal(nsec3->nsec_hash));
+	r->Assign(9, nsec3->bitmaps);
+	r->Assign(10, new Val(is_query, TYPE_COUNT));
+
+	return r;
+	}
+
+Val* DNS_MsgInfo::BuildDS_Val(DS_DATA* ds)
+	{
+	RecordVal* r = new RecordVal(dns_ds_rr);
+
+	Ref(query_name);
+	r->Assign(0, query_name);
+	r->Assign(1, new Val(int(answer_type), TYPE_COUNT));
+	r->Assign(2, new Val(ds->key_tag, TYPE_COUNT));
+	r->Assign(3, new Val(ds->algorithm, TYPE_COUNT));
+	r->Assign(4, new Val(ds->digest_type, TYPE_COUNT));
+	r->Assign(5, new StringVal(ds->digest_val));
+	r->Assign(6, new Val(is_query, TYPE_COUNT));
+
+	return r;
+	}
+
 Contents_DNS::Contents_DNS(Connection* conn, bool orig,
 				DNS_Interpreter* arg_interp)
 : tcp::TCP_SupportAnalyzer("CONTENTS_DNS", conn, orig)

src/analyzer/protocol/dns/DNS.h

@@ -57,7 +57,12 @@ typedef enum {
 	TYPE_TKEY = 249,	///< Transaction Key (RFC 2930)
 	TYPE_TSIG = 250,	///< Transaction Signature (RFC 2845)
 	TYPE_CAA = 257,		///< Certification Authority Authorization (RFC 6844)
-
+	// DNSSEC RR's
+	TYPE_RRSIG = 46,	///< RR Signature record type (RFC4043)
+	TYPE_NSEC = 47,		///< Next Secure record (RFC4043)
+	TYPE_DNSKEY = 48,	///< DNS Key record (RFC 4034)
+	TYPE_DS = 43,		///< Delegation signer (RFC 4034)
+	TYPE_NSEC3 = 50,
 	// The following are only valid in queries.
 	TYPE_AXFR = 252,
 	TYPE_ALL = 255,
@@ -75,6 +80,33 @@ typedef enum {
 	DNS_ADDITIONAL,
 } DNS_AnswerType;
 
+typedef enum {
+	reserved0 = 0,
+	RSA_MD5 = 1,          ///<	[RFC2537]  NOT RECOMMENDED
+	Diffie_Hellman = 2,	///< [RFC2539]
+	DSA_SHA1 = 3,	///< [RFC2536]  OPTIONAL
+	Elliptic_Curve = 4,
+	RSA_SHA1 = 5,	///< [RFC3110]  MANDATORY
+	DSA_NSEC3_SHA1 = 6,
+	RSA_SHA1_NSEC3_SHA1 = 7,
+	RSA_SHA256 = 8,
+	RSA_SHA512 = 10,
+	GOST_R_34_10_2001 = 12,
+	ECDSA_curveP256withSHA256 = 13,
+	ECDSA_curveP384withSHA384 =14,
+	Indirect = 252,	///<
+	PrivateDNS = 253,	///<  OPTIONAL
+	PrivateOID = 254,	///<  OPTIONAL
+	reserved255 = 255,
+} DNSSEC_Algo;
+
+typedef enum {
+	reserved = 0,
+	SHA1 = 1,          ///< [RFC3110]  MANDATORY
+	SHA256 = 2,
+	GOST_R_34_11_94 = 3,
+	SHA384 = 4,
+} DNSSEC_Digest;
 
 struct DNS_RawMsgHdr {
 	unsigned short id;
@@ -105,6 +137,43 @@ struct TSIG_DATA {
 	unsigned short rr_error;
 };
 
+struct RRSIG_DATA {
+	unsigned short type_covered;	// 16 : ExtractShort(data, len)
+	unsigned short algorithm;		// 8
+	unsigned short labels;			// 8
+	uint32 orig_ttl;				// 32
+	unsigned long sig_exp;			// 32
+	unsigned long sig_incep;		// 32
+	unsigned short key_tag;			//16
+	BroString* signer_name;
+	BroString* signature;
+};
+
+struct DNSKEY_DATA {
+	unsigned short dflags;			// 16 : ExtractShort(data, len)
+	unsigned short dalgorithm;		// 8
+	unsigned short dprotocol;		// 8
+	BroString* public_key;			// Variable lenght Public Key
+};
+
+struct NSEC3_DATA {
+	unsigned short nsec_flags;
+	unsigned short nsec_hash_algo;
+	unsigned short nsec_iter;
+	unsigned short nsec_salt_len;
+	BroString* nsec_salt;
+	unsigned short nsec_hlen;
+	BroString* nsec_hash;
+	VectorVal* bitmaps;
+};
+
+struct DS_DATA {
+	unsigned short key_tag;			// 16 : ExtractShort(data, len)
+	unsigned short algorithm;		// 8
+	unsigned short digest_type;		// 8
+	BroString* digest_val;			// Variable lenght Digest of DNSKEY RR
+};
+
 class DNS_MsgInfo {
 public:
 	DNS_MsgInfo(DNS_RawMsgHdr* hdr, int is_query);
@@ -114,6 +183,10 @@ public:
 	Val* BuildAnswerVal();
 	Val* BuildEDNS_Val();
 	Val* BuildTSIG_Val();
+	Val* BuildRRSIG_Val(struct RRSIG_DATA*);
+	Val* BuildDNSKEY_Val(struct DNSKEY_DATA*);
+	Val* BuildNSEC3_Val(struct NSEC3_DATA*);
+	Val* BuildDS_Val(struct DS_DATA*);
 
 	int id;
 	int opcode;	///< query type, see DNS_Opcode
@@ -143,8 +216,7 @@ public:
 				///< for forward lookups
 
 	// More values for spesific DNS types.
-	// struct EDNS_ADDITIONAL* edns;
+	//struct EDNS_ADDITIONAL* edns;
-
 	struct TSIG_DATA* tsig;
 };
 
@@ -183,6 +255,8 @@ protected:
 	uint32 ExtractLong(const u_char*& data, int& len);
 	void ExtractOctets(const u_char*& data, int& len, BroString** p);
 
+	BroString* ExtractStream(const u_char*& data, int& len, int sig_len);
+
 	int ParseRR_Name(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start);
@@ -218,7 +292,21 @@ protected:
 	int ParseRR_TSIG(DNS_MsgInfo* msg,
 				const u_char*& data, int& len, int rdlength,
 				const u_char* msg_start);
-
+	int ParseRR_RRSIG(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_DNSKEY(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_NSEC(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_NSEC3(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
+	int ParseRR_DS(DNS_MsgInfo* msg,
+				const u_char*& data, int& len, int rdlength,
+				const u_char* msg_start);
 	void SendReplyOrRejectEvent(DNS_MsgInfo* msg, EventHandlerPtr event,
 					const u_char*& data, int& len,
 					BroString* question_name);
@@ -270,7 +358,6 @@ public:
 	void Done() override;
 	void ConnectionClosed(tcp::TCP_Endpoint* endpoint,
 					tcp::TCP_Endpoint* peer, int gen_event) override;
-
 	void ExpireTimer(double t);
 
 	static analyzer::Analyzer* Instantiate(Connection* conn)

src/analyzer/protocol/dns/events.bif

@@ -493,6 +493,73 @@ event dns_EDNS_addl%(c: connection, msg: dns_msg, ans: dns_edns_additional%);
 ##    dns_skip_addl dns_skip_all_addl dns_skip_all_auth dns_skip_auth
 event dns_TSIG_addl%(c: connection, msg: dns_msg, ans: dns_tsig_additional%);
 
+## Generated for DNS replies of type *RRSIG*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## rrsig: The parsed RRSIG record.
+event dns_RRSIG%(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr%);
+
+## Generated for DNS replies of type *DNSKEY*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## dnskey: The parsed DNSKEY record.
+event dns_DNSKEY%(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr%);
+
+## Generated for DNS replies of type *NSEC*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## next_name: The parsed next secure domain name.
+##
+## bitmaps: vector of strings in hex for the bit maps present.
+event dns_NSEC%(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec%);
+
+## Generated for DNS replies of type *NSEC3*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## nsec3: The parsed RDATA of Nsec3 record.
+event dns_NSEC3%(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr%);
+
+## Generated for DNS replies of type *DS*. For replies with multiple answers,
+## an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## ds: The parsed RDATA of DS record.
+event dns_DS%(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr%);
+
 ## Generated at the end of processing a DNS packet. This event is the last
 ## ``dns_*`` event that will be raised for a DNS query/reply and signals that
 ## all resource records have been passed on.

testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log

@@ -3,8 +3,8 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2016-07-13-16-16-11
+#open	2018-09-21-21-01-10
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1359565680.761790	CHhAvVGS1DHFjwGM9	192.168.6.10	53209	192.168.129.36	53	udp	41477	0.075138	paypal.com	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	1	<unknown type=48>,<unknown type=48>,<unknown type=46>,<unknown type=46>	455.000000,455.000000,455.000000,455.000000	F
+1359565680.761790	CHhAvVGS1DHFjwGM9	192.168.6.10	53209	192.168.129.36	53	udp	41477	0.075138	paypal.com	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	1	DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com	455.000000,455.000000,455.000000,455.000000	F
-#close	2016-07-13-16-16-11
+#close	2018-09-21-21-01-10

testing/btest/Baseline/scripts.base.protocols.dns.dnskey/dns.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2018-09-21-21-02-08
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1537557808.534727	CHhAvVGS1DHFjwGM9	192.168.153.129	50729	192.168.153.2	53	udp	22666	0.018166	upenn.edu	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	2	DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu	5.000000,5.000000,5.000000,3444.000000,3444.000000	F
+#close	2018-09-21-21-02-08

testing/btest/Baseline/scripts.base.protocols.dns.dnskey/output

@@ -0,0 +1,5 @@
+DNSKEY, [query=upenn.edu, answer_type=1, flags=256, protocol=3, algorithm=5, public_key=\x03\x01\x00\x01\xa83\xd4\x99\xe7\x9bz\x7f\xe8\xf4\x15\xeb\x80F\xc9\x1e\xfdo5\xff\x8dAd\xa8\x84\x81\xa2PB\xfc\xc6{!\x1f\xd9\xfc/\x08S_\x97\x89O;\x09\x1a*\x99\x94\x19"\x90\xf8R\xcb\xad\x10\x00\xd4\xef\x91\x02\x16\xab\x1f\xb2\xee\xe8\xde\x06\x95\xb2\x8c\x8f\x03\xe3\x8a,\x06\x99X\x11\xae\x0d\x9f\xcf\xe8\x15\xb9\xd0\xc3\x02%\xbfI\x8bC\x1e \xc3\xdb]\x9e\xda\xc4\xbf\xdf\x97\xfe\xf6.\x8cr\x00zhW\xdd\x08\xd9\x996?\x19''\xa0\x8f, is_query=0], 03010001a833d499e79b7a7fe8f415eb8046c91efd6f35ff8d4164a88481a25042fcc67b211fd9fc2f08535f97894f3b091a2a9994192290f852cbad1000d4ef910216ab1fb2eee8de0695b28c8f03e38a2c06995811ae0d9fcfe815b9d0c30225bf498b431e20c3db5d9edac4bfdf97fef62e8c72007a6857dd08d999363f192727a08f
+DNSKEY, [query=upenn.edu, answer_type=1, flags=256, protocol=3, algorithm=5, public_key=\x03\x01\x00\x01\xf7a\x0b\x04\x88\x99/\xef\xaaS\xd5\xeet\x0c< \xa3w\xb3\xfc\xcd\xad\xfc<Q\xfa\xd3\xac\xe1\xcf\xbc\xdc\xeeX\xabU\xec\x14\xa6\x16"\x8e\x90\xd3y\xe5\xf6\x9cG\xea\xdeW\x85*a\xeaC\x0e\x0es\xb2q\xa7\xbf\xc1u\xfa\xf6\xb9\x97\xde\x0b\x0b4\xcf\x06\xa5\xdaFC%\x7f\xce\xfb\x00M\xaa\xd2%\xb5\xce\xadw\x0c\xd7\xb4e6\xd5Q/\x0e\xc1]\x97|bB\x94G\x91{}=\xc9U"\xa9\xc6\xbf\x7fa+\xd9\xa2\x9b\x1e\xdb, is_query=0], 03010001f7610b0488992fefaa53d5ee740c3c20a377b3fccdadfc3c51fad3ace1cfbcdcee58ab55ec14a616228e90d379e5f69c47eade57852a61ea430e0e73b271a7bfc175faf6b997de0b0b34cf06a5da4643257fcefb004daad225b5cead770cd7b46536d5512f0ec15d977c62429447917b7d3dc95522a9c6bf7f612bd9a29b1edb
+DNSKEY, [query=upenn.edu, answer_type=1, flags=257, protocol=3, algorithm=5, public_key=\x03\x01\x00\x01\xfd6\xc1\x96L\xb5\x00\x00\x00\x05\x9f'\xfchA\xf7\xe7\xd7\xb3E%]\x18\xe6\xce\x05\xde\xd3\x1d\x92KB\xfd\xa6\xc3k\x1f\x92\x07C\x09Y\x10\x1c\xcex\xa0*\x88\xabuR\xfbe\xb5R\xd86\x11\xa1K\xc9\xbf\x8e\x15-\x1bK\x95\xb8 \xc49\xe1\xa4\xfe\x1f\x08\x9f<b\xed\xf7\xff\x91\x85g\x09\xa0\xc5\xca88\x0e\xb2\xc6\x1c\x04\x9e"/y\x0eA\xec\xb2tV\x1f\x0a\xc9\xfa\x94\xea\x86\xee\xef\x01Q\xee\x94\x95\xd5Erl\xb6_\x17y\xf5)\xbf\xba)\x15\xadj\xf7\xb9$\xb6\xe1}\x87\xd7c\x18T\xa5U\xa5m\xe2\x98\x9a\x8a\xe8;\xd4\x87\xb1\x06\xa8G{\xeb\xec\xbdz\xf0\xc1\x1e\xe1TD\xf9"\x9c\xb8\xd4d\xcc\xb0F\xe5t\x03\x9c\x89\x98j{\xfa=\xfe-a\xa3S\x19\x83\xe0\x91t\x95$\xa7\x86Q\xd9\xdc$\xecY\xf0\xda\xc0\xa8\xe9\xdc\x188\x100\xbd\xf1\x00\xb1\x96\x1dik\xa6g\x8d\xe8D\x1d\x7f\xbf\xaa\xbf[\xe6\xee\xe1\xf17R\xf42\x14\xbb\x07\x85, is_query=0], 03010001fd36c1964cb5000000059f27fc6841f7e7d7b345255d18e6ce05ded31d924b42fda6c36b1f9207430959101cce78a02a88ab7552fb65b552d83611a14bc9bf8e152d1b4b95b820c439e1a4fe1f089f3c62edf7ff91856709a0c5ca38380eb2c61c049e222f790e41ecb274561f0ac9fa94ea86eeef0151ee9495d545726cb65f1779f529bfba2915ad6af7b924b6e17d87d7631854a555a56de2989a8ae83bd487b106a8477bebecbd7af0c11ee15444f9229cb8d464ccb046e574039c89986a7bfa3dfe2d61a3531983e091749524a78651d9dc24ec59f0dac0a8e9dc18381030bdf100b1961d696ba6678de8441d7fbfaabf5be6eee1f13752f43214bb0785
+RRSIG, [query=upenn.edu, answer_type=1, type_covered=48, algorithm=5, labels=2, orig_ttl=2.0 hrs, sig_exp=1538431668.0, sig_incep=1535838004.0, key_tag=18463, signer_name=upenn.edu, signature=t\xca\xfd\xe33v\x01\xd7Hi\x9c5j\xa7\xda2.\xa7\x9fO\x7f\xad\xd8\xb4\x02:w\xa3\x93Wgy\xba\xc4S\xbe\x19O$A\xe0\x1fD\xec\x9dL\xf1\xdfz\x82\xb4\xdd\xf2\x82K\xa2+\xcc\x89\xe6\xc6m\xfb\x1a\xeb\xc4)6\x8e8\xc6\x18\x8ba\xc6\x8a\xe9X\xbdzIT\x15[h\x81hH\x89\x95\xc9\x0b\x81\x05\x93\xbe\xc0\xb3\x8d\xbe\xc0\xa4\xa0a\xea\xc2\x09\xa7\xd5\x09/\x17u\xa8R?\x9e\xd3\x9e\x172H:\x83\xb6\xc6\xb5c\x13\xb4\xfc\x1b\xa1\xfd\x94\xd0\xd7:\xa59\xe9oz;u\x15R]\xd9\x09Xq-\x06e\x93\x03#\xe5\x94\xc9\xe7B\xa4pC\x19\xda\xa9\x91\xa8\xed\xd6\xad\x0e\xee\x84\xe9/\x90\xf2\xbd\x16\x12\x0b\x03j\xcf\xb6u\x88\xb7[\x1aO\x7f\xf2CK\xccS\x88\x1d\xd0\x13\x0b\xfe\xa9XJiQ\x06\xe3"!\xc2E\xd5s\x9d?\xbf\xcdn\xf1\x87\x02$O\x9b\x0a\x9c\x06\x81\xc4V\xf3-\x07t>(k\x12)i\xdd\xc1\xf6S.a\x8b\xd3\x15, is_query=0], 74cafde3337601d748699c356aa7da322ea79f4f7fadd8b4023a77a393576779bac453be194f2441e01f44ec9d4cf1df7a82b4ddf2824ba22bcc89e6c66dfb1aebc429368e38c6188b61c68ae958bd7a4954155b688168488995c90b810593bec0b38dbec0a4a061eac209a7d5092f1775a8523f9ed39e1732483a83b6c6b56313b4fc1ba1fd94d0d73aa539e96f7a3b7515525dd90958712d0665930323e594c9e742a4704319daa991a8edd6ad0eee84e92f90f2bd16120b036acfb67588b75b1a4f7ff2434bcc53881dd0130bfea9584a695106e32221c245d5739d3fbfcd6ef18702244f9b0a9c0681c456f32d07743e286b122969ddc1f6532e618bd315
+RRSIG, [query=upenn.edu, answer_type=1, type_covered=48, algorithm=5, labels=2, orig_ttl=2.0 hrs, sig_exp=1538431668.0, sig_incep=1535838004.0, key_tag=50475, signer_name=upenn.edu, signature=S\x88\xbd\x1aP\xb4]\xc3y\xeb\xb1\xc0\xb8\x12~\x8f\xfc\x94\xf8\xa90`\xc5\x93\x8c[\xcb\xf5\xdc(J\x9e\xaf\x9854!\xd9\xca\xb1\xd5>\xab\xe2\xa2\xc7q\xb3\xf1\xcf\xf50\x7fc\x83Z\x9af\xcb\xcb\xae\x8f\xcc\xe5\xa6@}\x8cG\xdf\xe2?\xe405\xff\xdf\xf9|\xd61\xb3\xb2M+\xc9y"\x93\xd0\xc6\xee\xa0o\xbb\x87\xdaa\x92Q\xef\xfds\x9e\xf7\xcbw\x7fL\xc6\x06\xe4\x95\xd3j\xc6e\x1a-\xb6C}e\xdb3\x88m\xd0, is_query=0], 5388bd1a50b45dc379ebb1c0b8127e8ffc94f8a93060c5938c5bcbf5dc284a9eaf98353421d9cab1d53eabe2a2c771b3f1cff5307f63835a9a66cbcbae8fcce5a6407d8c47dfe23fe43035ffdff97cd631b3b24d2bc9792293d0c6eea06fbb87da619251effd739ef7cb777f4cc606e495d36ac6651a2db6437d65db33886dd0

testing/btest/Baseline/scripts.base.protocols.dns.ds/dns.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2018-09-21-21-02-51
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1537557828.343603	CHhAvVGS1DHFjwGM9	192.168.153.129	50729	192.168.153.2	53	udp	39080	0.017821	upenn.edu	1	C_INTERNET	43	DS	0	NOERROR	F	F	T	T	2	DS 5 1,DS 5 2,RRSIG 43 edu	5.000000,5.000000,5.000000	F
+#close	2018-09-21-21-02-51

testing/btest/Baseline/scripts.base.protocols.dns.ds/output

@@ -0,0 +1,3 @@
+DS, [query=upenn.edu, answer_type=1, key_tag=18463, algorithm=5, digest_type=1, digest_val=\x0cE\xb3\xd0\x90\xb2!\xe0\xe3;\xbe\xb5\xa6\x19\xd8\x94\x16\xba\xf1\x97, is_query=0], 0c45b3d090b221e0e33bbeb5a619d89416baf197
+DS, [query=upenn.edu, answer_type=1, key_tag=18463, algorithm=5, digest_type=2, digest_val=`\x03\x99#&\xda\x06x\\x9e0\xb2Yu\x0f\xab\x09`\xbfW\x05K\xdd\xff\xde\xee\x11\x88\x97}\xab\xb8, is_query=0], 6003992326da06785c9e30b259750fab0960bf57054bddffdeee1188977dabb8
+RRSIG, [query=upenn.edu, answer_type=1, type_covered=43, algorithm=8, labels=2, orig_ttl=1.0 day, sig_exp=1538112220.0, sig_incep=1537503220.0, key_tag=50219, signer_name=edu, signature=\x9a\xd4`ppv\x154\x98\xe9\x9d\xf9#|\xa2\xb2v\xf6\x1dj\x1a\x07d\x8c\xd2\xea\xd8\xeeG`\x14=\xc33\xd4)\xb3C\xb9T\xe8r\xba.4\xcb\x96\xa7\xe3\x95\xf4#\xfd<"\xa8\x1c\x1b1R\x18\xd1\xac.x\xa0\xb1\xef\xf4\x163y\x85\xb4K\x0e\x84\xd2\x16\x05\x9et\xa7\xc5|\x0d9f\xd4\x8ea\xdd\x8d&\x863\x14\xd6i\xe6\xf6|%\xbf\xd8\x91\xb3\x87\xd1\x918r\x0a\xb8\x0e\x87\xdf?\xee\xf3Pyn\xdd=%\xd3p, is_query=0], 9ad460707076153498e99df9237ca2b276f61d6a1a07648cd2ead8ee4760143dc333d429b343b954e872ba2e34cb96a7e395f423fd3c22a81c1b315218d1ac2e78a0b1eff416337985b44b0e84d216059e74a7c57c0d3966d48e61dd8d26863314d669e6f67c25bfd891b387d19138720ab80e87df3feef350796edd3d25d370

testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log

@@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	dns
-#open	2016-07-13-16-16-12
+#open	2018-09-21-21-07-55
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
 #types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-1363716396.798072	CHhAvVGS1DHFjwGM9	55.247.223.174	27285	222.195.43.124	53	udp	21140	0.000214	www.cmu.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
+1363716396.798072	CHhAvVGS1DHFjwGM9	55.247.223.174	27285	222.195.43.124	53	udp	21140	0.000214	www.cmu.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
-1363716396.798374	CHhAvVGS1DHFjwGM9	55.247.223.174	27285	222.195.43.124	53	udp	21140	-	www.cmu.edu	-	-	-	-	0	NOERROR	T	F	F	F	0	www-cmu.andrew.cmu.edu,<unknown type=46>,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
+1363716396.798374	CHhAvVGS1DHFjwGM9	55.247.223.174	27285	222.195.43.124	53	udp	21140	-	www.cmu.edu	-	-	-	-	0	NOERROR	T	F	F	F	0	www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
-#close	2016-07-13-16-16-12
+#close	2018-09-21-21-07-55

testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/weird.log

@@ -1,10 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	weird
-#open	2017-12-13-19-40-49
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
-#types	time	string	addr	port	addr	port	string	string	bool	string
-1363716396.798286	CHhAvVGS1DHFjwGM9	55.247.223.174	27285	222.195.43.124	53	DNS_RR_unknown_type	46	F	bro
-#close	2017-12-13-19-40-49

testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log

@@ -0,0 +1,11 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2018-09-21-21-04-27
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	set[string]	set[string]
+1533310046.924340	CHhAvVGS1DHFjwGM9	35.184.172.191	57073	128.175.13.16	53	udp	130	-	dla.library.upenn.edu	1	C_INTERNET	28	AAAA	0	NOERROR	F	F	F	F	1	-	-	F	NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu,RRSIG 6 upenn.edu,RRSIG 47 upenn.edu	-
+1533310049.812056	ClEkJM2Vm5giqnMf4h	35.184.172.191	50693	128.175.13.16	53	udp	51063	0.001515	www.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www.upenn.edgekey.net,RRSIG 5 upenn.edu	300.000000,300.000000	F	-	-
+#close	2018-09-21-21-04-27

testing/btest/Baseline/scripts.base.protocols.dns.nsec/output

@@ -0,0 +1,5 @@
+RRSIG, [query=upenn.edu, answer_type=2, type_covered=6, algorithm=5, labels=2, orig_ttl=1.0 hr, sig_exp=1535901996.0, sig_incep=1533306396.0, key_tag=50475, signer_name=upenn.edu, signature=\xdd=,iY\xd9\x0b\xdbmi\xc9L<\xdd\x03-\xaa\xda5Z\x1b\x0aK\x94.\x97p\xd8\x96\x7f\xa8*Cc\x9c\xa4\x86\xee\xd4\xc4\x0c\x88\x03v\xdf\x14\xef\x0c"|l\xfc)\xc7E\xd1I\xa3\x0dM/^\x98\xe9\xd8P\xbbDZ\xb1|z\xd5H8\xde\xf0\xeb\x14\x19\x99gm\xbdg\xbf\xe0\xe9CU\xf5_\xf0\x01\xe5\x1a\x8f7\x0e\x7foJ\xc1`\x09\xd9%\xc0x9\xe7\x81\xfco\xad\xa5\xd8\xfa\xf5I\xb6\x9f\xca\x9b#\xd9d\xd0, is_query=0], dd3d2c6959d90bdb6d69c94c3cdd032daada355a1b0a4b942e9770d8967fa82a43639ca486eed4c40c880376df14ef0c227c6cfc29c745d149a30d4d2f5e98e9d850bb445ab17c7ad54838def0eb141999676dbd67bfe0e94355f55ff001e51a8f370e7f6f4ac16009d925c07839e781fc6fada5d8faf549b69fca9b23d964d0
+NSEC, dlxssvr.library.upenn.edu, [@\x00\x00\x00\x00\x03]
+400000000003
+RRSIG, [query=dla.library.upenn.edu, answer_type=2, type_covered=47, algorithm=5, labels=4, orig_ttl=1.0 hr, sig_exp=1534400915.0, sig_incep=1531807585.0, key_tag=50475, signer_name=upenn.edu, signature=\x9fhH\x95K7\xd5u\xa5\xbc\xf5\x17\xccM\xe3=T\xd05u\xfa\xea\xfa\xfe\x0eH-W\xbb\xa3l\xa9\xe2\x8f\xef\x05\xf0\xdc\xb1\xf2\xe8u\x8c<v\x80WsaJ\xfc\xc1\x90qr\x1e\x0b\xd0k`B\x8c\x0c\x88\xb2\xf2{D\xf9\xb2M\xd2\xd6\x85W\xb9^\xd9\xea\xc7W\x0c\xc5\x99Td\x83D\xa1\x00,8\xfaYoh\xff\xb2\x08K\x19\xe6\xcdo\x98\x1c\xaa\xe5\x89\x09G\x9c\xf1\x9f\x0bx\xdc\xf6l\xfc\x1d8\x07b\x0a\x1b\xde1, is_query=0], 9f6848954b37d575a5bcf517cc4de33d54d03575faeafafe0e482d57bba36ca9e28fef05f0dcb1f2e8758c3c76805773614afcc19071721e0bd06b60428c0c88b2f27b44f9b24dd2d68557b95ed9eac7570cc59954648344a1002c38fa596f68ffb2084b19e6cd6f981caae58909479cf19f0b78dcf66cfc1d3807620a1bde31
+RRSIG, [query=www.upenn.edu, answer_type=1, type_covered=5, algorithm=5, labels=3, orig_ttl=5.0 mins, sig_exp=1534786816.0, sig_incep=1532193166.0, key_tag=50475, signer_name=upenn.edu, signature=\xa4\xac\x18\x14\xcac\x9d\x81\xbck[5\x1c\xf53F\x10\xf0w\xec/\xb3Z{\xe5\x11\xff\xfc\xfdu\xa1\xa7o\xdd\x19\x82G2]\xcb[\xcd\xc7\?\xa7,\xc8\xfa;\xdb#=\xc4\x08\xe0WJJ\x19\x87Pp<\xc9\xa8E\xdcM\xb2.\xc1P\xa4\xb7\xe1G\xde<\xb0\xa6>d\xf72\x02\xfd;u\xde\x19\xe8\xda\xe9\x0aAVz!\xa7\xa5\xc2\x8d\xad\xa9\xe1\x87\x136\xd7\xfal\x827\xd1\xb1\xcd\x11c\x15F(\xd0=\x967\xc3\x1b, is_query=0], a4ac1814ca639d81bc6b5b351cf5334610f077ec2fb35a7be511fffcfd75a1a76fdd198247325dcb5bcdc75c3fa72cc8fa3bdb233dc408e0574a4a198750703cc9a845dc4db22ec150a4b7e147de3cb0a63e64f73202fd3b75de19e8dae90a41567a21a7a5c28dada9e1871336d7fa6c8237d1b1cd1163154628d03d9637c31b

testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log

@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2018-09-21-21-04-55
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	set[string]	set[string]
+1537560385.602565	CHhAvVGS1DHFjwGM9	192.168.1.102	49324	192.168.1.1	53	udp	9835	-	foobar.sshfp.net	1	C_INTERNET	1	A	3	NXDOMAIN	F	F	T	F	2	-	-	F	ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net	-
+#close	2018-09-21-21-04-55

testing/btest/Baseline/scripts.base.protocols.dns.nsec3/output

@@ -0,0 +1,5 @@
+NSEC3, [query=vlq247qi8p1tt3a8cgmd7glfndtigsdu.sshfp.net, answer_type=2, nsec_flags=0, nsec_hash_algo=1, nsec_iter=20, nsec_salt_len=16, nsec_salt=\x80c}\x8a\xf0U\xb5\xee\xca*b\x1e\xda\xaa<^, nsec_hlen=20, nsec_hash==\x8a>\xb6\x1a\x9d\xfa\x95\x1aB\xd7w\x9c\x1f\x15\x06\x85\xa0\x19G, bitmaps=[b\x01\x80\x08\x00\x02\x90], is_query=0], 80637d8af055b5eeca2a621edaaa3c5e, 3d8a3eb61a9dfa951a42d7779c1f150685a01947
+RRSIG, [query=vlq247qi8p1tt3a8cgmd7glfndtigsdu.sshfp.net, answer_type=2, type_covered=50, algorithm=10, labels=3, orig_ttl=3.0 mins, sig_exp=1538967745.0, sig_incep=1536374962.0, key_tag=31055, signer_name=sshfp.net, signature=es\xe2\x01:\x10B$|\x93\xdf\xc8\x8c\xc0\x0bk\x8e\x8f\xad\xf44y3\x81x\x11\xeb H\xef\xb5\x941^\xc4\xba\x91\x12\xb7\xcdHua"\xa6\x13o\xe1\x86\xc6z\x80\x9c\xc2\x00\x93\xe2\xaa@\x15YH\xea^0\xfd\xf0:\xbej-\xe2\xb9K\x87wN\xdc\xc3_\x0c\x0ew\x96c\xd2\x09\x0e;i\xbef\xb9\xc22\xdf#\xdfy\xa7\x9f\xc4S\x8d-\x84\xfa0\xd0\xbc\xf3|c3\x04\x9e*\xbd\x82\x9fC\x89`\x15V\x08o\xea\xd6\xd0I\xc5b\x94WpOJ\x82\x12Z\xd6A\xad\x1cV\xb5\x15sCv\xe2Tq>\xffU\x88Ji\xa7I\xd4\xc6$\xb8\xdd\xc1\x8a4_a\xd9\xb6\xdbk\xde\x80\xc7\xad\xea\x16\xe4\xf5\x09\xdd<\x8fR\xcb\x00\x04|\xbc\xc3\xae\xac\xd1+\xc0\xf7\xe3\xad\x09d\xd0!\xc4AL\xfd\xb0=p\x86\x84\x89\x18\xd8\xab\x9d\xbb\xf1\xe4\xd9\x8ak\xfc\xb8\x98a )\xffX\x0cj>D\xe9oi\xbfh\x13`\xfco%0\xc5O\xe2\xa2i\x1b, is_query=0], 6573e2013a1042247c93dfc88cc00b6b8e8fadf4347933817811eb2048efb594315ec4ba9112b7cd48756122a6136fe186c67a809cc20093e2aa40155948ea5e30fdf03abe6a2de2b94b87774edcc35f0c0e779663d2090e3b69be66b9c232df23df79a79fc4538d2d84fa30d0bcf37c6333049e2abd829f4389601556086fead6d049c5629457704f4a82125ad641ad1c56b515734376e254713eff55884a69a749d4c624b8ddc18a345f61d9b6db6bde80c7adea16e4f509dd3c8f52cb00047cbcc3aeacd12bc0f7e3ad0964d021c4414cfdb03d7086848918d8ab9dbbf1e4d98a6bfcb898612029ff580c6a3e44e96f69bf681360fc6f2530c54fe2a2691b
+NSEC3, [query=l0oop5o98lf6fb7e620sabaqf0nctco6.sshfp.net, answer_type=2, nsec_flags=0, nsec_hash_algo=1, nsec_iter=20, nsec_salt_len=16, nsec_salt=\x80c}\x8a\xf0U\xb5\xee\xca*b\x1e\xda\xaa<^, nsec_hlen=20, nsec_hash=\xe6\x0f\x07\xa33z\x0c\xd9kaT^\x12D\x96\xfa\xe35K\xc6, bitmaps=[@\x00\x00\x08\x00\x02], is_query=0], 80637d8af055b5eeca2a621edaaa3c5e, e60f07a3337a0cd96b61545e124496fae3354bc6
+RRSIG, [query=l0oop5o98lf6fb7e620sabaqf0nctco6.sshfp.net, answer_type=2, type_covered=50, algorithm=10, labels=3, orig_ttl=3.0 mins, sig_exp=1539303070.0, sig_incep=1536708214.0, key_tag=31055, signer_name=sshfp.net, signature=V\xa0\x1f\xa69\xd4H\xffWQ1"n\x89\xc5\x14_\x15ow[\xfbv9h\xd4\xcfd|\xfc\x9f\x83Y\x0ax\x81D@\xb5\x9e\x8fQEp\x99\xb6\x91ovG\\x86\xf2W5\xe9\\x99-\xa6\x91\xe7\xd8\x96\x1e\xa9f\x0e\xc82\xde\xb1"\x1bu\x80cL\x95\x06\xae\x9a\x996\xe3\x98\xd6\x10\x1awJ\x0fX\x00z@\xd9\x0b\x93\xda\xcf\xe2i\x8f1\xf5\x99\xf1\xb3S|\x8b\x13\xf3\xed/\xab\xb8\x0b\x04\xc9\xe5Y/\xe7\xcb\x84\x03\xfaB\xf4C\xa5q\xfe\xd6\xed\xc7/\xbd&\xf2;\xad\xcb\xad\xb8q\xd0[O\xdaM\xcf\x89m\x8f\x983\x163\xdb\xf3?\xd6s\xb6D\xe2\x80v\x83M\x136\xd1\xb3>:p0B\xd8\x1d\x07\x87\\x99\x12V\x96\xeb\xb6%\xef^\xebS\xf0\xbb\x1fF\\xc3\x16\xe1\x16T\xa84<c6a\xf6\xf8\x89\xc4\xce\xb4\x81P]D0\xa5:\x08\x81\xaa> \x14\xac\xe7G\x0b:E\x98\x01U\xf8`\x15\xcc(\x83\x19\xce\xba\xb8\x18\xcd\xd5L, is_query=0], 56a01fa639d448ff575131226e89c5145f156f775bfb763968d4cf647cfc9f83590a78814440b59e8f51457099b6916f76475c86f25735e95c992da691e7d8961ea9660ec832deb1221b7580634c9506ae9a9936e398d6101a774a0f58007a40d90b93dacfe2698f31f599f1b3537c8b13f3ed2fabb80b04c9e5592fe7cb8403fa42f443a571fed6edc72fbd26f23badcbadb871d05b4fda4dcf896d8f98331633dbf33fd673b644e28076834d1336d1b33e3a703042d81d07875c99125696ebb625ef5eeb53f0bb1f465cc316e11654a8343c633661f6f889c4ceb481505d4430a53a0881aa3e2014ace7470b3a45980155f86015cc288319cebab818cdd54c
+RRSIG, [query=sshfp.net, answer_type=2, type_covered=6, algorithm=10, labels=2, orig_ttl=1.0 day, sig_exp=1540066160.0, sig_incep=1537470560.0, key_tag=31055, signer_name=sshfp.net, signature=|\x9aJ\xc1\x8c\xc6\x0e\x051l1Jz<\x19\x07Xv\x06\xea\xe5\xf7n\x0b\x09\xc0K\xcf\xa1\x10\xb2\xfb\xa3\x84\xe3\xc9\xeer\xa1Z\x0a\x1a\xb6B\xb6-\x98\x8f\x97\xd4E*\x99a\x0cI\xba\xd3(\xdf\xbe\xaa\xd1\xd4\x1b\xcb\x8a\x96\xe8\xc6\x07\xf2W\xa3\xba\x15^\xf7;\xa9\x99\xeb`@\xe5F`\xcd\xc6\xb5aw\xd8\xc5bkl\xc1 \xa7\x93T\xaa\xbf\x15\x0e\xd8\xf8\x9cY\xdfe\xda\x811\x09\x9a\x10\x10S},E\x94]>\xc2\xecD9\x19\x9al\x9c[\x82\xf1'Ri\x8e\xb4\x0d*\xa4\x07D&%\xa5\xf1\xb18\xd6l\xd6\xee\xbe`\x06\x96\x8cU\xe6\x04y\x84\xf9[\x08\xb9\xb6\xe6P\xba?\x88F\x81I>\xb1\xef\xbf\x993\x0d[O}#s\x83\xa5\x14\xe7_\x98\xdd\xf5}\xf9A\xf1\x1e\xc0\x12\xed\x0b\xf3\x99\x91\x1ay\xaa;\xa4\xef&6\x86y`\xb4\xee\xf2u/\x9c\xda\xfc>\x8d\xdb\xaf\m\x8e]\xb2\xf8\xce\xd9\xa1\x8d\xe6<\xb8\xe5\xb9\x8cEd\x97\xdb\xbd, is_query=0], 7c9a4ac18cc60e05316c314a7a3c1907587606eae5f76e0b09c04bcfa110b2fba384e3c9ee72a15a0a1ab642b62d988f97d4452a99610c49bad328dfbeaad1d41bcb8a96e8c607f257a3ba155ef73ba999eb6040e54660cdc6b56177d8c5626b6cc120a79354aabf150ed8f89c59df65da8131099a1010537d2c45945d3ec2ec4439199a6c9c5b82f12752698eb40d2aa407442625a5f1b138d66cd6eebe6006968c55e6047984f95b08b9b6e650ba3f884681493eb1efbf99330d5b4f7d237383a514e75f98ddf57df941f11ec012ed0bf399911a79aa3ba4ef2636867960b4eef2752f9cdafc3e8ddbaf5c6d8e5db2f8ced9a18de63cb8e5b98c456497dbbd

testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log

@@ -0,0 +1,13 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2018-09-21-20-48-53
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
+1533309955.393636	ClEkJM2Vm5giqnMf4h	35.184.172.191	10267	128.175.13.16	53	udp	17129	0.003405	virgo.sas.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	128.91.234.142,RRSIG 1 upenn.edu	30.000000,30.000000	F
+1533309959.571738	C4J4Th3PJpwUYZZ6gc	35.184.172.191	50056	128.175.13.16	53	udp	26222	0.003363	virgo.sas.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	128.91.234.142,RRSIG 1 upenn.edu	30.000000,30.000000	F
+1533309959.968589	CtPZjS20MLrsMUOJi2	35.184.172.191	39975	128.175.13.16	53	udp	27118	0.003748	workfamily.sas.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu	900.000000,900.000000,30.000000,30.000000	F
+1533309950.391966	CHhAvVGS1DHFjwGM9	35.184.172.191	5386	128.175.13.16	53	udp	62809	-	virgo.sas.upenn.edu	1	C_INTERNET	1	A	-	-	F	F	F	F	1	-	-	F
+#close	2018-09-21-20-48-53

testing/btest/Baseline/scripts.base.protocols.dns.rrsig/output

@@ -0,0 +1,4 @@
+RRSIG, [query=virgo.sas.upenn.edu, answer_type=1, type_covered=1, algorithm=5, labels=4, orig_ttl=30.0 secs, sig_exp=1535441489.0, sig_incep=1532846032.0, key_tag=50475, signer_name=upenn.edu, signature=k:\xbd\\?)\xa4\x03\x1fw\xd4\x18#\x1d\\x9fV\xe6\xc5\x06w\xa7\x97\xb9\xc9\x7f\xa9\xe3<\xc8h\xf8\x81\xd5D\x09\Z\x19\x0a\xb7\x87`\x9d\xcbp\x9c\xcf\xcc\xf1#J\xc6\xd1P{\x11\xf5J\xcb\x02\x14n"y\x0e\xcb\x8f\x1cR\x14;B\x94]\xda\x9d~\x93\xe9\x96*U\xc7\xa7\xde\x02\xfeD\xbb\xab\xfa\xc2In\xed?\x8e\xe3D\xfb\xf1\xd3I\x9dj\xab\xcan\xa7\x16\xd4M]\xe0\xc5\xcbm\xf6\xd0\x8cAV\xaau\xa2\xd4, is_query=0], 6b3abd5c5c3f29a4031f77d418231d5c9f56e6c50677a797b9c97fa9e33cc868f881d544095c5a190ab787609dcb709ccfccf1234ac6d1507b11f54acb02146e22790ecb8f1c52143b42945dda9d7e93e9962a55c7a7de02fe44bbabfac2496eed3f8ee344fbf1d3499d6aabca6ea716d44d5de0c5cb6df6d08c4156aa75a2d4
+RRSIG, [query=virgo.sas.upenn.edu, answer_type=1, type_covered=1, algorithm=5, labels=4, orig_ttl=30.0 secs, sig_exp=1535441489.0, sig_incep=1532846032.0, key_tag=50475, signer_name=upenn.edu, signature=k:\xbd\\?)\xa4\x03\x1fw\xd4\x18#\x1d\\x9fV\xe6\xc5\x06w\xa7\x97\xb9\xc9\x7f\xa9\xe3<\xc8h\xf8\x81\xd5D\x09\Z\x19\x0a\xb7\x87`\x9d\xcbp\x9c\xcf\xcc\xf1#J\xc6\xd1P{\x11\xf5J\xcb\x02\x14n"y\x0e\xcb\x8f\x1cR\x14;B\x94]\xda\x9d~\x93\xe9\x96*U\xc7\xa7\xde\x02\xfeD\xbb\xab\xfa\xc2In\xed?\x8e\xe3D\xfb\xf1\xd3I\x9dj\xab\xcan\xa7\x16\xd4M]\xe0\xc5\xcbm\xf6\xd0\x8cAV\xaau\xa2\xd4, is_query=0], 6b3abd5c5c3f29a4031f77d418231d5c9f56e6c50677a797b9c97fa9e33cc868f881d544095c5a190ab787609dcb709ccfccf1234ac6d1507b11f54acb02146e22790ecb8f1c52143b42945dda9d7e93e9962a55c7a7de02fe44bbabfac2496eed3f8ee344fbf1d3499d6aabca6ea716d44d5de0c5cb6df6d08c4156aa75a2d4
+RRSIG, [query=workfamily.sas.upenn.edu, answer_type=1, type_covered=5, algorithm=5, labels=4, orig_ttl=15.0 mins, sig_exp=1534263016.0, sig_incep=1531669322.0, key_tag=50475, signer_name=upenn.edu, signature='I\xe2_d\xe4\xe6S\x85\xe5\x8a\xe2w\xcd\xd4\xe0\xc4j7<\xf8\x02\xf2\xc1\x07\x9d\x05\xe8\x84\x01\xe8|t\x98\x07\xdb5\xba\xf3T\xcc%\x91\x0d&\xe3\x8f\xfd@ZS\xf7\xf4\xa9\xe6\xe6\x13\x17\x99^\xd8\xa7g\xe2\xa5+\xcb\x9cyZ\xeb$4\xfd}\xa5\xe4N\xa8\xb9\xb63\x8a\xebe\x0f\xd8\x80\xd4\xa8\x13#S\xe57d\xd8\xd8\x08\xa2%\x0c\x99K\xa7!\x08\xac\x1byi!\xe0\xeb\x9cX\xfc\xd8E\xdeH\xf4\xad\xc8/#\x19a, is_query=0], 2749e25f64e4e65385e58ae277cdd4e0c46a373cf802f2c1079d05e88401e87c749807db35baf354cc25910d26e38ffd405a53f7f4a9e6e61317995ed8a767e2a52bcb9c795aeb2434fd7da5e44ea8b9b6338aeb650fd880d4a8132353e53764d8d808a2250c994ba72108ac1b796921e0eb9c58fcd845de48f4adc82f231961
+RRSIG, [query=quasar.sas.upenn.edu, answer_type=1, type_covered=1, algorithm=5, labels=4, orig_ttl=30.0 secs, sig_exp=1535438502.0, sig_incep=1532845422.0, key_tag=50475, signer_name=upenn.edu, signature=a8"\x80\xc3\x92\xa3\x83lu{H>\xd4\xc3H\x8d.\xb4\x96/E\x09\x99\x9d\x0c\x17\xdd\x10\xb8ZT&\xb1H\x10\x1ak,\x98\x0d\xaf\x8dx}\xac\xf9\x9asyf\xce\xf8L\x04\x06\xc5y\xc4A,\xf6|\xaa\xc3tG\xb6\xcc^\xae\x9e\xb2\xb6ok`V\x15b\xd6\xab\xa4\xe3\x04\xe6\x019\xaf\x9f\xb0\xf6yM {P\xb0C\xa0\x85CVR\xfd\x97@,\xe0\xad\xdc7\xa4\xfc\x12\xc4\xee2)\x12\xefIkk\xdaA11, is_query=0], 61382280c392a3836c757b483ed4c3488d2eb4962f4509999d0c17dd10b85a5426b148101a6b2c980daf8d787dacf99a737966cef84c0406c579c4412cf67caac37447b6cc5eae9eb2b66f6b60561562d6aba4e304e60139af9fb0f6794d207b50b043a085435652fd97402ce0addc37a4fc12c4ee322912ef496b6bda413131

testing/btest/core/leaks/dns-nsec3.bro

@@ -0,0 +1,40 @@
+# Needs perftools support.
+#
+# @TEST-GROUP: leaks
+#
+# @TEST-REQUIRES: bro  --help 2>&1 | grep -q mem-leaks
+#
+# @TEST-EXEC: HEAP_CHECK_DUMP_DIRECTORY=. HEAPCHECK=local btest-bg-run bro bro -b -C -m -r $TRACES/dnssec/nsec3.pcap %INPUT
+# @TEST-EXEC: btest-bg-wait 60
+
+@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+	{
+	print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+	}
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+	{
+	print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+	}
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+	{
+	print "NSEC", next_name, bitmaps;
+
+	for ( i in bitmaps )
+		print bytestring_to_hexstr(bitmaps[i]);
+	}
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+	{
+	print "NSEC3", nsec3,
+	      bytestring_to_hexstr(nsec3$nsec_salt),
+	      bytestring_to_hexstr(nsec3$nsec_hash);
+	}
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+	{
+	print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+	}

testing/btest/scripts/base/protocols/dns/dns-key.bro

@@ -1,4 +1,4 @@
 # Making sure DNSKEY gets logged as such.
 #
-# @TEST-EXEC: bro -r $TRACES/dns-dnskey.trace
+# @TEST-EXEC: bro -r $TRACES/dnssec/dnskey2.pcap
 # @TEST-EXEC: btest-diff dns.log

testing/btest/scripts/base/protocols/dns/dnskey.bro

@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/dnskey.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+#@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+	{
+	print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+	}
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+	{
+	print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+	}
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+	{
+	print "NSEC", next_name, bitmaps;
+
+	for ( i in bitmaps )
+		print bytestring_to_hexstr(bitmaps[i]);
+	}
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+	{
+	print "NSEC3", nsec3,
+	      bytestring_to_hexstr(nsec3$nsec_salt),
+	      bytestring_to_hexstr(nsec3$nsec_hash);
+	}
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+	{
+	print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+	}

testing/btest/scripts/base/protocols/dns/ds.bro

@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/ds.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+#@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+	{
+	print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+	}
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+	{
+	print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+	}
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+	{
+	print "NSEC", next_name, bitmaps;
+
+	for ( i in bitmaps )
+		print bytestring_to_hexstr(bitmaps[i]);
+	}
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+	{
+	print "NSEC3", nsec3,
+	      bytestring_to_hexstr(nsec3$nsec_salt),
+	      bytestring_to_hexstr(nsec3$nsec_hash);
+	}
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+	{
+	print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+	}

testing/btest/scripts/base/protocols/dns/duplicate-reponses.bro

@@ -2,4 +2,3 @@
 #
 # @TEST-EXEC: bro -r $TRACES/dns-two-responses.trace
 # @TEST-EXEC: btest-diff dns.log
-# @TEST-EXEC: btest-diff weird.log

testing/btest/scripts/base/protocols/dns/nsec.bro

@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/nsec.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+	{
+	print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+	}
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+	{
+	print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+	}
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+	{
+	print "NSEC", next_name, bitmaps;
+
+	for ( i in bitmaps )
+		print bytestring_to_hexstr(bitmaps[i]);
+	}
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+	{
+	print "NSEC3", nsec3,
+	      bytestring_to_hexstr(nsec3$nsec_salt),
+	      bytestring_to_hexstr(nsec3$nsec_hash);
+	}
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+	{
+	print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+	}

testing/btest/scripts/base/protocols/dns/nsec3.bro

@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/nsec3.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+	{
+	print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+	}
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+	{
+	print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+	}
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+	{
+	print "NSEC", next_name, bitmaps;
+
+	for ( i in bitmaps )
+		print bytestring_to_hexstr(bitmaps[i]);
+	}
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+	{
+	print "NSEC3", nsec3,
+	      bytestring_to_hexstr(nsec3$nsec_salt),
+	      bytestring_to_hexstr(nsec3$nsec_hash);
+	}
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+	{
+	print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+	}

testing/btest/scripts/base/protocols/dns/rrsig.bro

@@ -0,0 +1,35 @@
+# @TEST-EXEC: bro -C -r $TRACES/dnssec/rrsig.pcap %INPUT > output
+# @TEST-EXEC: btest-diff dns.log
+# @TEST-EXEC: btest-diff output
+
+#@load policy/protocols/dns/auth-addl
+
+event dns_RRSIG(c: connection, msg: dns_msg, ans: dns_answer, rrsig: dns_rrsig_rr)
+	{
+	print "RRSIG", rrsig, bytestring_to_hexstr(rrsig$signature);
+	}
+
+event dns_DNSKEY(c: connection, msg: dns_msg, ans: dns_answer, dnskey: dns_dnskey_rr)
+	{
+	print "DNSKEY", dnskey, bytestring_to_hexstr(dnskey$public_key);
+	}
+
+event dns_NSEC(c: connection, msg: dns_msg, ans: dns_answer, next_name: string, bitmaps: string_vec)
+	{
+	print "NSEC", next_name, bitmaps;
+
+	for ( i in bitmaps )
+		print bytestring_to_hexstr(bitmaps[i]);
+	}
+
+event dns_NSEC3(c: connection, msg: dns_msg, ans: dns_answer, nsec3: dns_nsec3_rr)
+	{
+	print "NSEC3", nsec3,
+	      bytestring_to_hexstr(nsec3$nsec_salt),
+	      bytestring_to_hexstr(nsec3$nsec_hash);
+	}
+
+event dns_DS(c: connection, msg: dns_msg, ans: dns_answer, ds: dns_ds_rr)
+	{
+	print "DS", ds, bytestring_to_hexstr(ds$digest_val);
+	}

testing/external/commit-hash.bro-testing

@@ -1 +1 @@
-afac6ebba8eda2a8fcad0248ecb6e6dbd8be220f
+b6dd014d2227695bff21eab627ba15528bf5151f