Parse DNSSEC AD and CD bits

Parse authentic data (AD) and checking disabled (CD) bits according to
RFC 2535. Leaves the Z field as-is, in case users are already handling
this elsewhere and depend on the value being the integer for all 3 bits.

https://www.rfc-editor.org/rfc/rfc2535#section-6.1

Fixes #2672

scripts/base/init-bare.zeek

@@ -3837,7 +3837,9 @@ type dns_msg: record {
 	TC: bool;	##< Truncated packet flag.
 	RD: bool;	##< Recursion desired flag.
 	RA: bool;	##< Recursion available flag.
-	Z: count;	##< TODO.
+	Z: count;	##< 3 bit field (includes AD and CD)
+	AD: bool;	##< authentic data
+	CD: bool;	##< checking disabled
 
 	num_queries: count;	##< Number of query records.
 	num_answers: count;	##< Number of answer records.

scripts/base/protocols/dns/main.zeek

@@ -60,9 +60,17 @@ export {
 		## The Recursion Available bit in a response message indicates
 		## that the name server supports recursive queries.
 		RA:            bool               &log &default=F;
-		## A reserved field that is usually zero in
-		## queries and responses.
+		## A reserved field that is zero in queries and responses unless
+		## using DNSSEC. This field represents the 3-bit Z field using
+		## the specification from RFC 1035.
 		Z:             count              &log &default=0;
+		## The DNSSEC Authentic Data bit in a response message indicates
+		## that the name server has authenticated all the data in the 
+		## answer and authority sections.
+		AD: 	       bool              &log &default=F;
+		## The DNSSEC Checking Disabled bit in a query indicates that
+		## pending, non-authenticated data is acceptable to the sender
+		CD: 	       bool              &log &default=F;
 		## The set of resource descriptions in the query answer.
 		answers:       vector of string   &log &optional;
 		## The caching intervals of the associated RRs described by the
@@ -359,6 +367,8 @@ hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 		# Currently only standard queries are tracked.
 		return;
 
+	c$dns$AD = msg$AD;
+
 	if ( ! msg$QR )
 		# This is weird: the inquirer must also be providing answers in
 		# the request, which is not what we want to track.
@@ -428,6 +438,8 @@ event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qcla
 	c$dns$qtype       = qtype;
 	c$dns$qtype_name  = query_types[qtype];
 	c$dns$Z           = msg$Z;
+	c$dns$AD          = msg$AD;
+	c$dns$CD          = msg$CD;
 
 	# Decode netbios name queries
 	# Note: I'm ignoring the name type for now.  Not sure if this should be

src/analyzer/protocol/dns/DNS.cc

@@ -1791,6 +1791,8 @@ DNS_MsgInfo::DNS_MsgInfo(DNS_RawMsgHdr* hdr, int arg_is_query)
 	RD = (flags & 0x0100) != 0;
 	RA = (flags & 0x0080) != 0;
 	Z = (flags & 0x0070) >> 4;
+	AD = (flags & 0x0020) >> 5;
+	CD = (flags & 0x0010) >> 4;
 	rcode = (flags & 0x000f);
 
 	qdcount = ntohs(hdr->qdcount);
@@ -1823,10 +1825,12 @@ RecordValPtr DNS_MsgInfo::BuildHdrVal()
 	r->Assign(6, static_cast<bool>(RD));
 	r->Assign(7, static_cast<bool>(RA));
 	r->Assign(8, Z);
-	r->Assign(9, qdcount);
-	r->Assign(10, ancount);
-	r->Assign(11, nscount);
-	r->Assign(12, arcount);
+	r->Assign(9, static_cast<bool>(AD));
+	r->Assign(10, static_cast<bool>(CD));
+	r->Assign(11, qdcount);
+	r->Assign(12, ancount);
+	r->Assign(13, nscount);
+	r->Assign(14, arcount);
 
 	return r;
 	}

src/analyzer/protocol/dns/DNS.h

@@ -321,7 +321,9 @@ public:
 	int TC; ///< truncated - size > 512 bytes for udp
 	int RD; ///< recursion desired
 	int RA; ///< recursion available
-	int Z; ///< zero - this 3 bit field *must* be zero
+	int Z; ///< 3 bit field (includes AD and CD)
+	int AD; ///< authentic data
+	int CD; ///< checking disabled
 	int qdcount; ///< number of questions
 	int ancount; ///< number of answers
 	int nscount; ///< number of authority RRs

testing/btest/Baseline/core.ipv6-frag/dns.log

@@ -5,9 +5,9 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	0.079300	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	5.084025	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	-	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	-	-	F	F	T	F	0	-	-	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51850	2607:f740:b::f93	53	udp	3903	0.079300	txtpadding_323.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	F	F	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 136 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	5.084025	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	0	NOERROR	T	F	T	F	0	F	F	TXT 33 This TXT record should be ignored TXT 21 As it is just padding TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 189 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TXT 192 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX	1.000000	F
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	2001:470:1f11:81f:d138:5f55:6d4:1fe2	51851	2607:f740:b::f93	53	udp	40849	-	txtpadding_3230.n1.netalyzr.icsi.berkeley.edu	1	C_INTERNET	16	TXT	-	-	F	F	T	F	0	F	F	-	-	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.tunnels.gre-pptp/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.16.44.3	40768	8.8.8.8	53	udp	42540	-	xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678	1	C_INTERNET	28	AAAA	3	NXDOMAIN	F	F	T	F	0	-	-	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.16.44.3	40768	8.8.8.8	53	udp	42540	-	xqt-detect-mode2-97712e88-167a-45b9-93ee-913140e76678	1	C_INTERNET	28	AAAA	3	NXDOMAIN	F	F	T	F	0	F	F	-	-	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.tunnels.gre/dns.log

@@ -5,8 +5,8 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	66.59.111.190	37675	172.28.2.3	53	udp	48554	-	www.gleeble.org	1	C_INTERNET	255	*	-	-	F	F	T	F	0	-	-	F
-XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	66.59.111.190	37675	172.28.2.3	53	udp	48554	-	www.gleeble.org	1	C_INTERNET	255	*	-	-	F	F	T	F	0	-	-	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	66.59.111.190	37675	172.28.2.3	53	udp	48554	-	www.gleeble.org	1	C_INTERNET	255	*	-	-	F	F	T	F	0	F	F	-	-	F
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	66.59.111.190	37675	172.28.2.3	53	udp	48554	-	www.gleeble.org	1	C_INTERNET	255	*	-	-	F	F	T	F	0	F	F	-	-	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/core.tunnels.gtp.false_gtp/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.131.24.6	2152	195.178.38.3	53	udp	27595	-	abcd.efg.hijklm.nm	1	C_INTERNET	1	A	-	-	F	F	T	F	0	-	-	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.131.24.6	2152	195.178.38.3	53	udp	27595	-	abcd.efg.hijklm.nm	1	C_INTERNET	1	A	-	-	F	F	T	F	0	F	F	-	-	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.binds/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	set[string]	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.87.3.74	51871	10.87.1.10	53	udp	27571	0.002004	example.net	1	C_INTERNET	65534	query-65534	0	NOERROR	T	F	T	T	2	BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal	0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000	F	-	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool	set[string]	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.87.3.74	51871	10.87.1.10	53	udp	27571	0.002004	example.net	1	C_INTERNET	65534	query-65534	0	NOERROR	T	F	T	T	2	F	F	BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal,BIND9 signing signal	0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000,0.000000	F	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.dns-key/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.10	53209	192.168.129.36	53	udp	41477	0.075138	paypal.com	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	1	DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com	455.000000,455.000000,455.000000,455.000000	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.6.10	53209	192.168.129.36	53	udp	41477	0.075138	paypal.com	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	1	F	T	DNSKEY 5,DNSKEY 5,RRSIG 48 paypal.com,RRSIG 48 paypal.com	455.000000,455.000000,455.000000,455.000000	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.dnskey/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.153.129	50729	192.168.153.2	53	udp	22666	0.018166	upenn.edu	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	2	DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu	5.000000,5.000000,5.000000,3444.000000,3444.000000	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.153.129	50729	192.168.153.2	53	udp	22666	0.018166	upenn.edu	1	C_INTERNET	48	DNSKEY	0	NOERROR	F	F	T	T	2	F	F	DNSKEY 5,DNSKEY 5,DNSKEY 5,RRSIG 48 upenn.edu,RRSIG 48 upenn.edu	5.000000,5.000000,5.000000,3444.000000,3444.000000	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.ds/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.153.129	50729	192.168.153.2	53	udp	39080	0.017821	upenn.edu	1	C_INTERNET	43	DS	0	NOERROR	F	F	T	T	2	DS 5 1,DS 5 2,RRSIG 43 edu	5.000000,5.000000,5.000000	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.153.129	50729	192.168.153.2	53	udp	39080	0.017821	upenn.edu	1	C_INTERNET	43	DS	0	NOERROR	F	F	T	T	2	F	F	DS 5 1,DS 5 2,RRSIG 43 edu	5.000000,5.000000,5.000000	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.duplicate-reponses/dns.log

@@ -5,8 +5,8 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	55.247.223.174	27285	222.195.43.124	53	udp	21140	0.000214	www.cmu.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	55.247.223.174	27285	222.195.43.124	53	udp	21140	-	www.cmu.edu	-	-	-	-	0	NOERROR	T	F	F	F	0	www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	55.247.223.174	27285	222.195.43.124	53	udp	21140	0.000214	www.cmu.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	F	T	www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	55.247.223.174	27285	222.195.43.124	53	udp	21140	-	www.cmu.edu	-	-	-	-	0	NOERROR	T	F	F	F	0	F	F	www-cmu.andrew.cmu.edu,RRSIG 5 cmu.edu,www-cmu-2.andrew.cmu.edu,128.2.10.163	86400.000000,86400.000000,5.000000,21600.000000	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.flip/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.20.1.31	53	207.158.192.40	53	udp	25701	-	us.v27.distributed.net	-	-	-	-	0	NOERROR	T	F	F	T	0	206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226	900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.20.1.31	53	207.158.192.40	53	udp	25701	-	us.v27.distributed.net	-	-	-	-	0	NOERROR	T	F	F	T	0	F	F	206.109.64.186,216.1.205.81,205.149.163.211,134.53.131.135,134.53.131.192,128.104.18.148,204.152.186.139,63.77.33.226	900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000,900.000000	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.hinfo/.stdout

@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, num_queries=1, num_answers=1, num_auth=0, num_addl=1], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows
+HINFO, [id=51592, opcode=0, rcode=0, QR=T, AA=T, TC=F, RD=T, RA=T, Z=0, AD=F, CD=F, num_queries=1, num_answers=1, num_auth=0, num_addl=1], [answer_type=1, query=zeek.example.net, qtype=13, qclass=1, TTL=1.0 hr], INTEL-386, Windows

testing/btest/Baseline/scripts.base.protocols.dns.loc/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	79.141.82.250	57483	192.188.22.52	53	udp	33295	0.000195	sunn-pt1.es.net	1	C_INTERNET	255	*	0	NOERROR	T	F	F	F	0	LOC:  18 21 19,RRSIG 29 es.net	600.000000,600.000000	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	79.141.82.250	57483	192.188.22.52	53	udp	33295	0.000195	sunn-pt1.es.net	1	C_INTERNET	255	*	0	NOERROR	T	F	F	F	0	F	F	LOC:  18 21 19,RRSIG 29 es.net	600.000000,600.000000	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.multiple-txt-strings/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.150.187.50	51946	68.142.255.16	53	udp	28079	-	flkr._domainkey.flickr.com	-	-	-	-	0	NOERROR	T	F	F	F	0	fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB	900.000000,900.000000,7200.000000	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.150.187.50	51946	68.142.255.16	53	udp	28079	-	flkr._domainkey.flickr.com	-	-	-	-	0	NOERROR	T	F	F	F	0	F	F	fa14._domainkey.flickr.com,fa14._domainkey.yahoo.com,TXT 127 k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPdPfyJM2R2GqMyZM1flTzFeDIU+e7KmiKRw5yz3Xht+cgEIiHmm5lIGBuWCc5rtiy0CcxePpqccPKjn TXT 98 HSrDI23PU+HOuqJ6ergE1IOsL6LOEgG6YT53vMb8Z6UiBSsYPlrDEC+8CUIkTLMLXJauRK5bNRKV1ATGzGFpf3TjZtWwIDAQAB	900.000000,900.000000,7200.000000	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.nsec/dns.log

@@ -5,8 +5,8 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	set[string]	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	35.184.172.191	57073	128.175.13.16	53	udp	130	-	dla.library.upenn.edu	1	C_INTERNET	28	AAAA	0	NOERROR	F	F	F	F	1	-	-	F	RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	35.184.172.191	50693	128.175.13.16	53	udp	51063	0.001515	www.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	www.upenn.edgekey.net,RRSIG 5 upenn.edu	300.000000,300.000000	F	-	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool	set[string]	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	35.184.172.191	57073	128.175.13.16	53	udp	130	-	dla.library.upenn.edu	1	C_INTERNET	28	AAAA	0	NOERROR	F	F	F	F	1	F	T	-	-	F	RRSIG 47 upenn.edu,RRSIG 6 upenn.edu,NSEC dla.library.upenn.edu dlxssvr.library.upenn.edu,assailants.net.isc.upenn.edu	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	35.184.172.191	50693	128.175.13.16	53	udp	51063	0.001515	www.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	F	T	www.upenn.edgekey.net,RRSIG 5 upenn.edu	300.000000,300.000000	F	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.nsec3/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	set[string]	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.102	49324	192.168.1.1	53	udp	9835	-	foobar.sshfp.net	1	C_INTERNET	1	A	3	NXDOMAIN	F	F	T	F	2	-	-	F	ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool	set[string]	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.1.102	49324	192.168.1.1	53	udp	9835	-	foobar.sshfp.net	1	C_INTERNET	1	A	3	NXDOMAIN	F	F	T	F	2	F	F	-	-	F	ns0.weberdns.de,RRSIG 6 sshfp.net,NSEC3,RRSIG 50 sshfp.net	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.nsec3param/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	set[string]	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.87.3.18	53540	10.87.1.54	53	udp	15626	0.522010	sshfp.net	1	C_INTERNET	51	NSEC3PARAM	0	NOERROR	F	F	T	T	2	NSEC3PARAM	0.000000	F	-	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool	set[string]	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.87.3.18	53540	10.87.1.54	53	udp	15626	0.522010	sshfp.net	1	C_INTERNET	51	NSEC3PARAM	0	NOERROR	F	F	T	T	2	F	F	NSEC3PARAM	0.000000	F	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.rrsig/dns.log

@@ -5,10 +5,10 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	35.184.172.191	10267	128.175.13.16	53	udp	17129	0.003405	virgo.sas.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	128.91.234.142,RRSIG 1 upenn.edu	30.000000,30.000000	F
-XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	35.184.172.191	50056	128.175.13.16	53	udp	26222	0.003363	virgo.sas.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	128.91.234.142,RRSIG 1 upenn.edu	30.000000,30.000000	F
-XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	35.184.172.191	39975	128.175.13.16	53	udp	27118	0.003748	workfamily.sas.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu	900.000000,900.000000,30.000000,30.000000	F
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	35.184.172.191	5386	128.175.13.16	53	udp	62809	-	virgo.sas.upenn.edu	1	C_INTERNET	1	A	-	-	F	F	F	F	1	-	-	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	35.184.172.191	10267	128.175.13.16	53	udp	17129	0.003405	virgo.sas.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	F	T	128.91.234.142,RRSIG 1 upenn.edu	30.000000,30.000000	F
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	35.184.172.191	50056	128.175.13.16	53	udp	26222	0.003363	virgo.sas.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	F	T	128.91.234.142,RRSIG 1 upenn.edu	30.000000,30.000000	F
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	35.184.172.191	39975	128.175.13.16	53	udp	27118	0.003748	workfamily.sas.upenn.edu	1	C_INTERNET	1	A	0	NOERROR	T	F	F	F	1	F	T	quasar.sas.upenn.edu,RRSIG 5 upenn.edu,128.91.234.145,RRSIG 1 upenn.edu	900.000000,900.000000,30.000000,30.000000	F
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	35.184.172.191	5386	128.175.13.16	53	udp	62809	-	virgo.sas.upenn.edu	1	C_INTERNET	1	A	-	-	F	F	F	F	1	F	T	-	-	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.spf/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.91.0.62	57806	10.91.1.59	53	udp	64161	-	mail.vladg.net	-	-	-	-	0	NOERROR	F	F	F	T	0	SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all	300.000000,300.000000	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.91.0.62	57806	10.91.1.59	53	udp	64161	-	mail.vladg.net	-	-	-	-	0	NOERROR	F	F	F	T	0	F	F	SPF 19 v=spf1 mx -all test,SPF 14 v=spf1 mx -all	300.000000,300.000000	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.sshfp/dns.log

@@ -5,8 +5,8 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	128.3.121.180	54109	192.188.22.52	53	udp	40916	0.000200	mon.lbl.gov	1	C_INTERNET	44	SSHFP	0	NOERROR	T	F	F	F	1	SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov	43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000	F
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	128.3.121.180	54109	192.188.22.52	53	udp	22044	-	n0019.savio1.lbl.gov	1	C_INTERNET	1	A	3	NXDOMAIN	F	F	F	F	0	-	-	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	128.3.121.180	54109	192.188.22.52	53	udp	40916	0.000200	mon.lbl.gov	1	C_INTERNET	44	SSHFP	0	NOERROR	T	F	F	F	1	F	T	SSHFP: a6b95f9eba1104a7272a362e8bfbcbebd5726dcf,SSHFP: 520711b47c300b819cfb696a845007c420de4df30ae3953004b6cfb2bd2c6a46,SSHFP: 5b72c59cceaea2c210f14156e20e6aff829b3e3b,SSHFP: c052721a978470b36fe5b9222f234400f369172b,SSHFP: 0b24d970aa05b708804d35eea3a8c1a6c355e545,SSHFP: 2870056915073c1e189fc7bf04bbce4512be09a0104f64ae3cfa072b8e06dd2b,SSHFP: 562cb91a82129b62ee4fd92ca202a72b844b7e84ac29dec75654453550201e82,SSHFP: c692deb7667ceee670d3e6863b5de7b140fe0ba0183a52f6ccbb4247f7b0ab29,RRSIG 44 lbl.gov	43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000,43200.000000	F
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	128.3.121.180	54109	192.188.22.52	53	udp	22044	-	n0019.savio1.lbl.gov	1	C_INTERNET	1	A	3	NXDOMAIN	F	F	F	F	0	F	F	-	-	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.wks/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	set[string]	set[string]
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.87.3.18	60059	10.87.1.10	53	udp	63119	0.001993	zeek.example.net	1	C_INTERNET	11	WKS	0	NOERROR	T	F	T	T	2	-	-	F	-	-
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool	set[string]	set[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.87.3.18	60059	10.87.1.10	53	udp	63119	0.001993	zeek.example.net	1	C_INTERNET	11	WKS	0	NOERROR	T	F	T	T	2	F	F	-	-	F	-	-
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.base.protocols.dns.zero-responses/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.64	49204	146.186.163.66	53	udp	17323	-	psu.edu	1	C_INTERNET	28	AAAA	0	NOERROR	F	F	T	F	0	-	-	F
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.0.0.64	49204	146.186.163.66	53	udp	17323	-	psu.edu	1	C_INTERNET	28	AAAA	0	NOERROR	F	F	T	F	0	F	F	-	-	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/Baseline/scripts.policy.protocols.dns.original_case/dns.log

@@ -5,7 +5,7 @@
 #unset_field	-
 #path	dns
 #open XXXX-XX-XX-XX-XX-XX
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	original_query
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.3.138	63374	192.168.3.1	53	udp	20877	-	us.v27.distributed.net	1	C_INTERNET	1	A	-	-	F	F	T	F	2	-	-	F	Us.V27.DiStRiBuTeD.NET
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	AD	CD	answers	TTLs	rejected	original_query
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	bool	bool	vector[string]	vector[interval]	bool	string
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.3.138	63374	192.168.3.1	53	udp	20877	-	us.v27.distributed.net	1	C_INTERNET	1	A	-	-	F	F	T	F	2	T	F	-	-	F	Us.V27.DiStRiBuTeD.NET
 #close XXXX-XX-XX-XX-XX-XX