Txt(Txt),
/// A TLS Certificate Association resource record
TLSA(TLSA),
+ /// A Canonical Name record
+ CName(CName),
/// A DNS (Public) Key resource record
DnsKey(DnsKey),
/// A Delegated Signer resource record
pub fn name(&self) -> &Name {
match self {
RR::Txt(rr) => &rr.name,
+ RR::CName(rr) => &rr.name,
RR::TLSA(rr) => &rr.name,
RR::DnsKey(rr) => &rr.name,
RR::DS(rr) => &rr.name,
fn ty(&self) -> u16 {
match self {
RR::Txt(_) => Txt::TYPE,
+ RR::CName(_) => CName::TYPE,
RR::TLSA(_) => TLSA::TYPE,
RR::DnsKey(_) => DnsKey::TYPE,
RR::DS(_) => DS::TYPE,
fn write_u16_len_prefixed_data(&self, out: &mut Vec<u8>) {
match self {
RR::Txt(rr) => StaticRecord::write_u16_len_prefixed_data(rr, out),
+ RR::CName(rr) => StaticRecord::write_u16_len_prefixed_data(rr, out),
RR::TLSA(rr) => StaticRecord::write_u16_len_prefixed_data(rr, out),
RR::DnsKey(rr) => StaticRecord::write_u16_len_prefixed_data(rr, out),
RR::DS(rr) => StaticRecord::write_u16_len_prefixed_data(rr, out),
}
}
impl From<Txt> for RR { fn from(txt: Txt) -> RR { RR::Txt(txt) } }
+impl From<CName> for RR { fn from(cname: CName) -> RR { RR::CName(cname) } }
impl From<TLSA> for RR { fn from(tlsa: TLSA) -> RR { RR::TLSA(tlsa) } }
impl From<DnsKey> for RR { fn from(dnskey: DnsKey) -> RR { RR::DnsKey(dnskey) } }
impl From<DS> for RR { fn from(ds: DS) -> RR { RR::DS(ds) } }
}
Ok(RR::Txt(Txt { name, data: parsed_data }))
}
+ CName::TYPE => {
+ Ok(RR::CName(CName { name, canonical_name: read_name(&mut data)? }))
+ }
TLSA::TYPE => {
if data_len <= 3 { return Err(()); }
Ok(RR::TLSA(TLSA {
}
}
+#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
+/// A Canonical Name resource record, referring all queries for this name to another name.
+pub struct CName {
+ /// The name this record is at.
+ pub name: Name,
+ /// The canonical name.
+ ///
+ /// A resolver should use this name when looking up any further records for [`Self::name`].
+ pub canonical_name: Name,
+}
+impl StaticRecord for CName {
+ const TYPE: u16 = 5;
+ fn name(&self) -> &Name { &self.name }
+ fn write_u16_len_prefixed_data(&self, out: &mut Vec<u8>) {
+ let len: u16 = name_len(&self.canonical_name);
+ out.extend_from_slice(&len.to_be_bytes());
+ write_name(out, &self.canonical_name);
+ }
+}
+
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
/// A public key resource record which can be used to validate [`RRSig`]s.
pub struct DnsKey {
records.sort();
for record in records.iter() {
- // TODO: Handle wildcards
- write_name(&mut signed_data, record.name());
+ let periods = record.name().0.chars().filter(|c| *c == '.').count();
+ let labels = sig.labels.into();
+ if periods != 1 && periods != labels {
+ if periods < labels { return Err(ValidationError::Invalid); }
+ let signed_name = record.name().0.splitn(periods - labels + 1, ".").last();
+ debug_assert!(signed_name.is_some());
+ if let Some(name) = signed_name {
+ signed_data.extend_from_slice(b"\x01*");
+ write_name(&mut signed_data, name);
+ } else { return Err(ValidationError::Invalid); }
+ } else {
+ write_name(&mut signed_data, record.name());
+ }
signed_data.extend_from_slice(&record.ty().to_be_bytes());
signed_data.extend_from_slice(&1u16.to_be_bytes()); // The INternet class
signed_data.extend_from_slice(&sig.orig_ttl.to_be_bytes());
/// Given a set of arbitrary records, this attempts to validate DNSSEC data from the [`root_hints`]
/// through to any supported non-DNSSEC record types.
///
-/// All records which could be validated are returned.
+/// All records which could be validated are returned, though if an error is found validating any
+/// contained record, only `Err` will be returned.
pub fn verify_rr_stream<'a>(inp: &'a [RR]) -> Result<Vec<&'a RR>, ValidationError> {
let mut zone = ".";
let mut res = Vec::new();
- let mut next_ds_set = None;
- 'next_zone: while zone == "." || next_ds_set.is_some() {
+ let mut pending_ds_sets = Vec::with_capacity(1);
+ 'next_zone: while zone == "." || !pending_ds_sets.is_empty() {
let mut found_unsupported_alg = false;
+ let next_ds_set;
+ if let Some((next_zone, ds_set)) = pending_ds_sets.pop() {
+ next_ds_set = Some(ds_set);
+ zone = next_zone;
+ } else {
+ debug_assert_eq!(zone, ".");
+ next_ds_set = None;
+ }
+
for rrsig in inp.iter()
.filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
.filter(|rrsig| rrsig.name.0 == zone && rrsig.ty == DnsKey::TYPE)
verify_dnskey_rrsig(rrsig, next_ds_set.clone().unwrap(), dnskeys.clone().collect())
};
if dnskeys_verified.is_ok() {
- let mut last_validated_type = None;
- next_ds_set = None;
for rrsig in inp.iter()
.filter_map(|rr| if let RR::RRSig(sig) = rr { Some(sig) } else { None })
.filter(move |rrsig| rrsig.key_name.0 == zone && rrsig.name.0 != zone)
{
if !rrsig.name.ends_with(zone) { return Err(ValidationError::Invalid); }
- if last_validated_type == Some(rrsig.ty) {
- // If we just validated all the RRs for this type, go ahead and skip it. We
- // may end up double-validating some RR Sets if there's multiple RRSigs for
- // the same sets interwoven with other RRSets, but that's okay.
- continue;
- }
let signed_records = inp.iter()
.filter(|rr| rr.name() == &rrsig.name && rr.ty() == rrsig.ty);
verify_rrsig(rrsig, dnskeys.clone(), signed_records.clone().collect())?;
// RRSigs shouldn't cover child `DnsKey`s or other `RRSig`s
RRSig::TYPE|DnsKey::TYPE => return Err(ValidationError::Invalid),
DS::TYPE => {
- next_ds_set = Some(signed_records.filter_map(|rr|
- if let RR::DS(ds) = rr { Some(ds) }
- else { debug_assert!(false, "We already filtered by type"); None }));
- zone = &rrsig.name;
+ if !pending_ds_sets.iter().any(|(pending_zone, _)| pending_zone == &rrsig.name.0) {
+ pending_ds_sets.push((
+ &rrsig.name,
+ signed_records.filter_map(|rr|
+ if let RR::DS(ds) = rr { Some(ds) }
+ else { debug_assert!(false, "We already filtered by type"); None })
+ ));
+ }
},
_ => {
- for record in signed_records { res.push(record); }
- last_validated_type = Some(rrsig.ty);
+ for record in signed_records {
+ if !res.contains(&record) { res.push(record); }
+ }
},
}
}
- if next_ds_set.is_none() { break 'next_zone; }
- else { continue 'next_zone; }
+ continue 'next_zone;
} else if dnskeys_verified == Err(ValidationError::UnsupportedAlgorithm) {
// There may be redundant signatures by different keys, where one we don't supprt
// and another we do. Ignore ones we don't support, but if there are no more,
use super::*;
use hex_conservative::FromHex;
+ use rand::seq::SliceRandom;
fn root_dnskey() -> (Vec<DnsKey>, Vec<RR>) {
let dnskeys = vec![DnsKey {
(txt_resp, txt_rrsig)
}
+ fn matcorallo_dnskey() -> (Vec<DnsKey>, Vec<RR>) {
+ let com_dnskeys = com_dnskey().0;
+ let mut matcorallo_ds = vec![DS {
+ name: "matcorallo.com.".try_into().unwrap(), key_tag: 24930, alg: 13, digest_type: 2,
+ digest: Vec::from_hex("693E990CBB1CE1095E387092D3C04BCE907C008891F32A88D41D3ECB129E5E23").unwrap(),
+ }];
+ let ds_rrsig = RRSig {
+ name: "matcorallo.com.".try_into().unwrap(), ty: DS::TYPE, alg: 13, labels: 2, orig_ttl: 86400,
+ expiration: 1707628636, inception: 1707019636, key_tag: 4534, key_name: "com.".try_into().unwrap(),
+ signature: base64::decode("l9b+DhtnJSIzR6y4Bwx+0L9kep77UNCBoTg74RTSL6oMrQd8w4OobHxzwDyXqnLfyxVP18V+AnQp4DdJ2nUW1g==").unwrap(),
+ };
+ verify_rrsig(&ds_rrsig, &com_dnskeys, matcorallo_ds.iter().collect()).unwrap();
+ let dnskeys = vec![DnsKey {
+ name: "matcorallo.com.".try_into().unwrap(), flags: 257, protocol: 3, alg: 13,
+ pubkey: base64::decode("pfO3ow3SrKhLS7AMEi3b5W9P28nCOB9vryxfSXhqMcXFP1x9V4xAt0/JLr0zNodsqRD/8d9Yhu4Wf3hnSlaavw==").unwrap(),
+ }, DnsKey {
+ name: "matcorallo.com.".try_into().unwrap(), flags: 256, protocol: 3, alg: 13,
+ pubkey: base64::decode("OO6LQTV1mnRsFgn6YQoyeo/SDqS3eajfVv8WGQVnuSYO/bTS9St1tJiox2fgU6wRWDU3chhjz1Pj0unKUAQKig==").unwrap(),
+ }];
+ let dnskey_rrsig = RRSig {
+ name: "matcorallo.com.".try_into().unwrap(), ty: DnsKey::TYPE, alg: 13, labels: 2, orig_ttl: 604800,
+ expiration: 1708309135, inception: 1707094135, key_tag: 24930, key_name: "matcorallo.com.".try_into().unwrap(),
+ signature: base64::decode("2MKg3bTn9zf4ThwCoKRFadqD6l1D6SuLksRieKxFC0QQnzUOCRgZSK2/IlT0DMEoM0+mGrJZo7UG79UILMGUyg==").unwrap(),
+ };
+ verify_dnskey_rrsig(&dnskey_rrsig, &matcorallo_ds, dnskeys.iter().collect()).unwrap();
+ let rrs = vec![matcorallo_ds.pop().unwrap().into(), ds_rrsig.into(),
+ dnskeys[0].clone().into(), dnskeys[1].clone().into(), dnskey_rrsig.into()];
+ (dnskeys, rrs)
+ }
+
+ fn matcorallo_txt_record() -> (Txt, RRSig) {
+ let txt_resp = Txt {
+ name: "txt_test.matcorallo.com.".try_into().unwrap(),
+ data: "dnssec_prover_test".to_owned().into_bytes(),
+ };
+ let txt_rrsig = RRSig {
+ name: "txt_test.matcorallo.com.".try_into().unwrap(),
+ ty: Txt::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708319203,
+ inception: 1707104203, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
+ signature: base64::decode("4vaE5Jex2VvIT39JpuMNT7Ds7O0OfzTik5f8WcRRxO0IJnGAO16syAsNUkNkNqsMYknnjHDF0lI4agszgzdpsw==").unwrap(),
+ };
+ (txt_resp, txt_rrsig)
+ }
+
+ fn matcorallo_cname_record() -> (CName, RRSig) {
+ let cname_resp = CName {
+ name: "cname_test.matcorallo.com.".try_into().unwrap(),
+ canonical_name: "txt_test.matcorallo.com.".try_into().unwrap(),
+ };
+ let cname_rrsig = RRSig {
+ name: "cname_test.matcorallo.com.".try_into().unwrap(),
+ ty: CName::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708319203,
+ inception: 1707104203, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
+ signature: base64::decode("5HIrmEotbVb95umE6SX3NrPboKsthdcY8b7DdaYQZzm0Nj5m2VgcfOmEPJYS8o1xE4GvGGF4sdfSy3Uw7TibBg==").unwrap(),
+ };
+ (cname_resp, cname_rrsig)
+ }
+
+ fn matcorallo_wildcard_record() -> (Txt, RRSig) {
+ let txt_resp = Txt {
+ name: "test.wildcard_test.matcorallo.com.".try_into().unwrap(),
+ data: "wildcard_test".to_owned().into_bytes(),
+ };
+ let txt_rrsig = RRSig {
+ name: "test.wildcard_test.matcorallo.com.".try_into().unwrap(),
+ ty: Txt::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708321778,
+ inception: 1707106778, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
+ signature: base64::decode("vdnXunPY4CnbW/BL8VOOR9o33+dqyKA/4h+u5VM7NjB30Shp8L8gL5UwE0k7TKRNgHC8j3TqEPEmNMIHz87Z4Q==").unwrap(),
+ };
+ (txt_resp, txt_rrsig)
+ }
+
+ fn matcorallo_cname_wildcard_record() -> (CName, RRSig, Txt, RRSig) {
+ let cname_resp = CName {
+ name: "test.cname_wildcard_test.matcorallo.com.".try_into().unwrap(),
+ canonical_name: "cname.wildcard_test.matcorallo.com.".try_into().unwrap(),
+ };
+ let txt_resp = Txt {
+ name: "cname.wildcard_test.matcorallo.com.".try_into().unwrap(),
+ data: "wildcard_test".to_owned().into_bytes(),
+ };
+ let cname_rrsig = RRSig {
+ name: "test.cname_wildcard_test.matcorallo.com.".try_into().unwrap(),
+ ty: CName::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708322050,
+ inception: 1707107050, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
+ signature: base64::decode("JfJuSemF5dtQYxEw6eKL4IRP8BaDt6FtbtdpZ6HjODTDflhKQRhBEbwT7kwceKPAq18q5sWHFV1bMTqE/F3WLw==").unwrap(),
+ };
+ let txt_rrsig = RRSig {
+ name: "cname.wildcard_test.matcorallo.com.".try_into().unwrap(),
+ ty: Txt::TYPE, alg: 13, labels: 3, orig_ttl: 30, expiration: 1708321778,
+ inception: 1707106778, key_tag: 34530, key_name: "matcorallo.com.".try_into().unwrap(),
+ signature: base64::decode("vdnXunPY4CnbW/BL8VOOR9o33+dqyKA/4h+u5VM7NjB30Shp8L8gL5UwE0k7TKRNgHC8j3TqEPEmNMIHz87Z4Q==").unwrap(),
+ };
+ (cname_resp, cname_rrsig, txt_resp, txt_rrsig)
+ }
+
#[test]
- fn check_txt_record() {
+ fn check_txt_record_a() {
let dnskeys = mattcorallo_dnskey().0;
let (txt, txt_rrsig) = mattcorallo_txt_record();
let txt_resp = [txt];
}
#[test]
- fn check_txt_proof() {
+ fn check_single_txt_proof() {
let mut rr_stream = Vec::new();
for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
for rr in com_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
let (txt, txt_rrsig) = mattcorallo_txt_record();
for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
- let rrs = parse_rr_stream(&rr_stream).unwrap();
+ let mut rrs = parse_rr_stream(&rr_stream).unwrap();
+ rrs.shuffle(&mut rand::rngs::OsRng);
let verified_rrs = verify_rr_stream(&rrs).unwrap();
assert_eq!(verified_rrs.len(), 1);
if let RR::Txt(txt) = &verified_rrs[0] {
} else { panic!(); }
}
+ #[test]
+ fn check_txt_record_b() {
+ let dnskeys = matcorallo_dnskey().0;
+ let (txt, txt_rrsig) = matcorallo_txt_record();
+ let txt_resp = [txt];
+ verify_rrsig(&txt_rrsig, &dnskeys, txt_resp.iter().collect()).unwrap();
+ }
+
+ #[test]
+ fn check_cname_record() {
+ let dnskeys = matcorallo_dnskey().0;
+ let (cname, cname_rrsig) = matcorallo_cname_record();
+ let cname_resp = [cname];
+ verify_rrsig(&cname_rrsig, &dnskeys, cname_resp.iter().collect()).unwrap();
+ }
+
+ #[test]
+ fn check_multi_zone_proof() {
+ let mut rr_stream = Vec::new();
+ for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in com_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in mattcorallo_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ let (txt, txt_rrsig) = mattcorallo_txt_record();
+ for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in matcorallo_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ let (txt, txt_rrsig) = matcorallo_txt_record();
+ for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+ let (cname, cname_rrsig) = matcorallo_cname_record();
+ for rr in [RR::CName(cname), RR::RRSig(cname_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+
+ let mut rrs = parse_rr_stream(&rr_stream).unwrap();
+ rrs.shuffle(&mut rand::rngs::OsRng);
+ let mut verified_rrs = verify_rr_stream(&rrs).unwrap();
+ verified_rrs.sort();
+ assert_eq!(verified_rrs.len(), 3);
+ if let RR::Txt(txt) = &verified_rrs[0] {
+ assert_eq!(txt.name.0, "matt.user._bitcoin-payment.mattcorallo.com.");
+ assert_eq!(txt.data, b"bitcoin:?b12=lno1qsgqmqvgm96frzdg8m0gc6nzeqffvzsqzrxqy32afmr3jn9ggkwg3egfwch2hy0l6jut6vfd8vpsc3h89l6u3dm4q2d6nuamav3w27xvdmv3lpgklhg7l5teypqz9l53hj7zvuaenh34xqsz2sa967yzqkylfu9xtcd5ymcmfp32h083e805y7jfd236w9afhavqqvl8uyma7x77yun4ehe9pnhu2gekjguexmxpqjcr2j822xr7q34p078gzslf9wpwz5y57alxu99s0z2ql0kfqvwhzycqq45ehh58xnfpuek80hw6spvwrvttjrrq9pphh0dpydh06qqspp5uq4gpyt6n9mwexde44qv7lstzzq60nr40ff38u27un6y53aypmx0p4qruk2tf9mjwqlhxak4znvna5y");
+ } else { panic!(); }
+ if let RR::Txt(txt) = &verified_rrs[1] {
+ assert_eq!(txt.name.0, "txt_test.matcorallo.com.");
+ assert_eq!(txt.data, b"dnssec_prover_test");
+ } else { panic!(); }
+ if let RR::CName(cname) = &verified_rrs[2] {
+ assert_eq!(cname.name.0, "cname_test.matcorallo.com.");
+ assert_eq!(cname.canonical_name.0, "txt_test.matcorallo.com.");
+ } else { panic!(); }
+ }
+
+ #[test]
+ fn check_wildcard_record() {
+ let dnskeys = matcorallo_dnskey().0;
+ let (txt, txt_rrsig) = matcorallo_wildcard_record();
+ let txt_resp = [txt];
+ verify_rrsig(&txt_rrsig, &dnskeys, txt_resp.iter().collect()).unwrap();
+ }
+
+ #[test]
+ fn check_wildcard_proof() {
+ let mut rr_stream = Vec::new();
+ for rr in root_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in com_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in matcorallo_dnskey().1 { write_rr(&rr, 1, &mut rr_stream); }
+ let (cname, cname_rrsig, txt, txt_rrsig) = matcorallo_cname_wildcard_record();
+ for rr in [RR::CName(cname), RR::RRSig(cname_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+ for rr in [RR::Txt(txt), RR::RRSig(txt_rrsig)] { write_rr(&rr, 1, &mut rr_stream); }
+
+ let mut rrs = parse_rr_stream(&rr_stream).unwrap();
+ rrs.shuffle(&mut rand::rngs::OsRng);
+ let mut verified_rrs = verify_rr_stream(&rrs).unwrap();
+ verified_rrs.sort();
+ assert_eq!(verified_rrs.len(), 2);
+ if let RR::Txt(txt) = &verified_rrs[0] {
+ assert_eq!(txt.name.0, "cname.wildcard_test.matcorallo.com.");
+ assert_eq!(txt.data, b"wildcard_test");
+ } else { panic!(); }
+ if let RR::CName(cname) = &verified_rrs[1] {
+ assert_eq!(cname.name.0, "test.cname_wildcard_test.matcorallo.com.");
+ assert_eq!(cname.canonical_name.0, "cname.wildcard_test.matcorallo.com.");
+ } else { panic!(); }
+ }
+
#[test]
fn rfc9102_parse_test() {
// Note that this is the `AuthenticationChain` field only, and ignores the
// `ExtSupportLifetime` field (stripping the top two 0 bytes from the front).
let rfc9102_test_vector = Vec::from_hex("045f343433045f74637003777777076578616d706c6503636f6d000034000100000e1000230301018bd1da95272f7fa4ffb24137fc0ed03aae67e5c4d8b3c50734e1050a7920b922045f343433045f74637003777777076578616d706c6503636f6d00002e000100000e10005f00340d0500000e105fc6d9005bfdda80074e076578616d706c6503636f6d00ce1d3adeb7dc7cee656d61cfb472c5977c8c9caeae9b765155c518fb107b6a1fe0355fbaaf753c192832fa621fa73a8b85ed79d374117387598fcc812e1ef3fb076578616d706c6503636f6d000030000100000e1000440101030d2670355e0c894d9cfea6c5af6eb7d458b57a50ba88272512d8241d8541fd54adf96ec956789a51ceb971094b3bb3f4ec49f64c686595be5b2e89e8799c7717cc076578616d706c6503636f6d00002e000100000e10005f00300d0200000e105fc6d9005bfdda80074e076578616d706c6503636f6d004628383075b8e34b743a209b27ae148d110d4e1a246138a91083249cb4a12a2d9bc4c2d7ab5eb3afb9f5d1037e4d5da8339c162a9298e9be180741a8ca74accc076578616d706c6503636f6d00002b00010002a3000024074e0d02e9b533a049798e900b5c29c90cd25a986e8a44f319ac3cd302bafc08f5b81e16076578616d706c6503636f6d00002e00010002a3000057002b0d020002a3005fc6d9005bfdda80861703636f6d00a203e704a6facbeb13fc9384fdd6de6b50de5659271f38ce81498684e6363172d47e2319fdb4a22a58a231edc2f1ff4fb2811a1807be72cb5241aa26fdaee03903636f6d00003000010002a30000440100030dec8204e43a25f2348c52a1d3bce3a265aa5d11b43dc2a471162ff341c49db9f50a2e1a41caf2e9cd20104ea0968f7511219f0bdc56b68012cc3995336751900b03636f6d00003000010002a30000440101030d45b91c3bef7a5d99a7a7c8d822e33896bc80a777a04234a605a4a8880ec7efa4e6d112c73cd3d4c65564fa74347c873723cc5f643370f166b43dedff836400ff03636f6d00003000010002a30000440101030db3373b6e22e8e49e0e1e591a9f5bd9ac5e1a0f86187fe34703f180a9d36c958f71c4af48ce0ebc5c792a724e11b43895937ee53404268129476eb1aed323939003636f6d00002e00010002a300005700300d010002a3005fc6d9005bfdda8049f303636f6d0018a948eb23d44f80abc99238fcb43c5a18debe57004f7343593f6deb6ed71e04654a433f7aa1972130d9bd921c73dcf63fcf665f2f05a0aaebafb059dc12c96503636f6d00002e00010002a300005700300d010002a3005fc6d9005bfdda80708903636f6d006170e6959bd9ed6e575837b6f580bd99dbd24a44682b0a359626a246b1812f5f9096b75e157e77848f068ae0085e1a609fc19298c33b736863fbccd4d81f5eb203636f6d00002b000100015180002449f30d0220f7a9db42d0e2042fbbb9f9ea015941202f9eabb94487e658c188e7bcb5211503636f6d00002b000100015180002470890d02ad66b3276f796223aa45eda773e92c6d98e70643bbde681db342a9e5cf2bb38003636f6d00002e0001000151800053002b0d01000151805fc6d9005bfdda807cae00122e276d45d9e9816f7922ad6ea2e73e82d26fce0a4b718625f314531ac92f8ae82418df9b898f989d32e80bc4deaba7c4a7c8f172adb57ced7fb5e77a784b0700003000010001518000440100030dccacfe0c25a4340fefba17a254f706aac1f8d14f38299025acc448ca8ce3f561f37fc3ec169fe847c8fcbe68e358ff7c71bb5ee1df0dbe518bc736d4ce8dfe1400003000010001518000440100030df303196789731ddc8a6787eff24cacfeddd032582f11a75bb1bcaa5ab321c1d7525c2658191aec01b3e98ab7915b16d571dd55b4eae51417110cc4cdd11d171100003000010001518000440101030dcaf5fe54d4d48f16621afb6bd3ad2155bacf57d1faad5bac42d17d948c421736d9389c4c4011666ea95cf17725bd0fa00ce5e714e4ec82cfdfacc9b1c863ad4600002e000100015180005300300d00000151805fc6d9005bfdda80b79d00de7a6740eeecba4bda1e5c2dd4899b2c965893f3786ce747f41e50d9de8c0a72df82560dfb48d714de3283ae99a49c0fcb50d3aaadb1a3fc62ee3a8a0988b6be").unwrap();
-
- let rrs = parse_rr_stream(&rfc9102_test_vector).unwrap();
+
+ let mut rrs = parse_rr_stream(&rfc9102_test_vector).unwrap();
+ rrs.shuffle(&mut rand::rngs::OsRng);
let verified_rrs = verify_rr_stream(&rrs).unwrap();
assert_eq!(verified_rrs.len(), 1);
if let RR::TLSA(tlsa) = &verified_rrs[0] {