# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/check_nameservers.txt
# Rules Run:
# DNS_SERVERS_MATCH_DATA

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/dns.errors.txt
# Rules Run:
# DNS_NS_NO_CNAME DNS_SOA_REQUIRED DNS_SERVERS_MATCH_DATA

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/dnssec.rules.txt
# Rules Run:
# DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE
# DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_MISSING_NSEC_RECORD1
# DNSSEC_OPENSSL_KEY_ISSUES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE
# DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_NSEC_FOR_NS_GLUE_RECORD
# DNS_SOA_REQUIRED DNS_SERVERS_MATCH_DATA DNSSEC_MISSING_NSEC_RECORD2
# DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY
# DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP
# DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_TWO_ZSKS DNS_NS_NO_CNAME
# DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL
# DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_NOT_SIGNING_RRSIG
# DNSSEC_NSEC3_TTL

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
# Rules Run:
# DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE
# DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_MISSING_NSEC_RECORD1
# DNSSEC_NSEC_MEMORIZE DNSSEC_OPENSSL_KEY_ISSUES
# DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE DNSSEC_RRSIG_TTL_MATCH_ORGTTL
# DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED
# DNS_SERVERS_MATCH_DATA DNSSEC_NSEC3_MEMORIZE DNSSEC_MISSING_NSEC_RECORD2
# DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY
# DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP
# DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_NSEC3_CHECK DNSSEC_TWO_ZSKS
# DNS_NS_NO_CNAME DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL
# DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_RRSIG_NOT_SIGNING_RRSIG
# DNSSEC_NSEC3_TTL

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/parent_child.rules.txt
# Rules Run:
# DNSSEC_MISSING_RRSIG_RECORD1 DNSSEC_BOGUS_NS_MEMORIZE
# DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3 DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY
# DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_NSEC_MEMORIZE
# DNSSEC_OPENSSL_KEY_ISSUES DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE
# DNSSEC_DNSKEY_PARENT_HAS_VALID_DS DNSSEC_RRSIG_TTL_MATCH_ORGTTL
# DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED
# DNS_SERVERS_MATCH_DATA DNS_MULTIPLE_NS DNSSEC_NSEC3_MEMORIZE
# DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD
# DNSSEC_RRSIGS_VERIFY DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP
# DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNSSEC_NSEC3_CHECK DNSSEC_TWO_ZSKS
# DNS_NS_NO_CNAME DNSSEC_SUB_NOT_SECURE DNSSEC_RRSIG_FOR_NS_GLUE_RECORD
# DNSSEC_NSEC_TTL DNSSEC_MISSING_RRSIG_RECORD2
# DNSSEC_RRSIG_NOT_SIGNING_RRSIG DNSSEC_NSEC3_TTL

# loading rule file
# /usr/local/share/dnssec-tools/donuts/rules/recommendations.rules.txt
# Rules Run:
# DNSSEC_BOGUS_NS_MEMORIZE DNSSEC_DNSKEY_PROTOCOL_MUST_BE_3
# DNSSEC_MISSING_NSEC_RECORD1 DNSSEC_NSEC_RRSEC_MUST_NOT_BE_ALONE
# DNSSEC_NSEC_FOR_NS_GLUE_RECORD DNS_MULTIPLE_NS
# DNSSEC_RRSIG_TTL_MUST_MATCH_RECORD DNSSEC_RRSIGS_VERIFY
# DNSSEC_RRSIG_SIGNER_NAME_MATCHES DNSSEC_RRSIG_SIGEXP
# DNS_NO_DOMAIN_MX_RECORDS DNSSEC_NSEC3_CHECK DNSSEC_SUB_NOT_SECURE
# DNSSEC_MISSING_RRSIG_RECORD2 DNSSEC_MISSING_RRSIG_RECORD1
# DNSSEC_DS_CHILD_HAS_MATCHING_DNSKEY DNSSEC_OPENSSL_KEY_ISSUES
# DNSSEC_NSEC_MEMORIZE DNSSEC_DNSKEY_PARENT_HAS_VALID_DS
# DNSSEC_RRSIG_TTL_MATCH_ORGTTL DNSSEC_NSEC_CHECK DNS_SOA_REQUIRED
# DNS_SERVERS_MATCH_DATA DNSSEC_MISSING_NSEC_RECORD2 DNSSEC_NSEC3_MEMORIZE
# DNS_REASONABLE_TTLS DNSSEC_DNSKEY_MUST_HAVE_SAME_NAME DNS_NS_NO_CNAME
# DNSSEC_TWO_ZSKS DNSSEC_RRSIG_FOR_NS_GLUE_RECORD DNSSEC_NSEC_TTL
# DNSSEC_NSEC3_TTL DNSSEC_RRSIG_NOT_SIGNING_RRSIG


Donuts Analysis: insecure-ns.test.dnssec-tools.org
  Donuts Results: insecure-ns.test.dnssec-tools.org
    Source:	 db.insecure-ns.test.dnssec-tools.org.zs.signed.modified
    Record Results: 
      # Analyzing individual records in
      # db.insecure-ns.test.dnssec-tools.org.zs.signed.modified
    Name Results: 
      # Analyzing records for each name in
      # db.insecure-ns.test.dnssec-tools.org.zs.signed.modified
      Error: *.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name *.insecure-ns.test.dnssec-tools.org does not have
		     an NSEC record, which is required for secure domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: *.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name *.insecure-ns.test.dnssec-tools.org does not have
		     a RRSIG record, which is required for secure domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: pastdate-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name pastdate-a.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: pastdate-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name pastdate-a.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: good-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name good-a.insecure-ns.test.dnssec-tools.org does not
		     have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: good-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name good-a.insecure-ns.test.dnssec-tools.org does not
		     have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: good-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name good-aaaa.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: good-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name good-aaaa.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: reverseddates-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name
		     reverseddates-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have an NSEC record, which is required for
		     secure domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: reverseddates-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name
		     reverseddates-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have a RRSIG record, which is required for
		     secure domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: futuredate-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name futuredate-a.insecure-ns.test.dnssec-tools.org
		     does not have an NSEC record, which is required for
		     secure domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: futuredate-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name futuredate-a.insecure-ns.test.dnssec-tools.org
		     does not have a RRSIG record, which is required for
		     secure domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: baddata-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name baddata-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have an NSEC record, which is required for
		     secure domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: baddata-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name baddata-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have a RRSIG record, which is required for
		     secure domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: dns1.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name dns1.insecure-ns.test.dnssec-tools.org does not
		     have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: dns1.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name dns1.insecure-ns.test.dnssec-tools.org does not
		     have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: dns2.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name dns2.insecure-ns.test.dnssec-tools.org does not
		     have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: dns2.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name dns2.insecure-ns.test.dnssec-tools.org does not
		     have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: nosig-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name nosig-a.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: nosig-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name nosig-a.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: extra-txt.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name extra-txt.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: extra-txt.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name extra-txt.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: nsectest.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name nsectest.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: nsectest.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name nsectest.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: longlabel-01234567890123456789012345678901234567890123456789012.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name
		     longlabel-01234567890123456789012345678901234567890123
		     456789012.insecure-ns.test.dnssec-tools.org does not
		     have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: longlabel-01234567890123456789012345678901234567890123456789012.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name
		     longlabel-01234567890123456789012345678901234567890123
		     456789012.insecure-ns.test.dnssec-tools.org does not
		     have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: other-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name other-aaaa.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: other-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name other-aaaa.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: pastdate-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name pastdate-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have an NSEC record, which is required for
		     secure domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: pastdate-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name pastdate-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have a RRSIG record, which is required for
		     secure domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: badsign-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name badsign-a.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: badsign-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name badsign-a.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: reverseddates-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name reverseddates-a.insecure-ns.test.dnssec-tools.org
		     does not have an NSEC record, which is required for
		     secure domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: reverseddates-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name reverseddates-a.insecure-ns.test.dnssec-tools.org
		     does not have a RRSIG record, which is required for
		     secure domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: other-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name other-a.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: other-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name other-a.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: futuredate-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name futuredate-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have an NSEC record, which is required for
		     secure domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: futuredate-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name futuredate-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have a RRSIG record, which is required for
		     secure domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: badsign-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name badsign-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have an NSEC record, which is required for
		     secure domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: badsign-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name badsign-aaaa.insecure-ns.test.dnssec-tools.org
		     does not have a RRSIG record, which is required for
		     secure domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: nosig-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name nosig-aaaa.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: nosig-aaaa.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name nosig-aaaa.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

      Error: baddata-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name baddata-a.insecure-ns.test.dnssec-tools.org does
		     not have an NSEC record, which is required for secure
		     domains.
	Details:     checks to see if a given name is missing an NSEC
		     record, which is require for dnssec to prove
		     non-existence.

      Error: baddata-a.insecure-ns.test.dnssec-tools.org
	Rule Type:   Error
	Message:     name baddata-a.insecure-ns.test.dnssec-tools.org does
		     not have a RRSIG record, which is required for secure
		     domains.
	Details:     Checks to see if a name contains a RRSIG record.

  Donuts Summary: insecure-ns.test.dnssec-tools.org
    Rules Considered: 33
    Rules Tested: 21
    Records Analyzed: 26
    Names Analyzed: 23
    Errors Found: 44
