1; config options 2server: 3 target-fetch-policy: "0 0 0 0 0" 4 5auth-zone: 6 name: "test-ns-signed.dev.internet.nl." 7 ## zonefile (or none). 8 ## zonefile: "example.com.zone" 9 ## master by IP address or hostname 10 ## can list multiple masters, each on one line. 11 ## master: 12 ## url for http fetch 13 ## url: 14 ## queries from downstream clients get authoritative answers. 15 ## for-downstream: yes 16 for-downstream: yes 17 ## queries are used to fetch authoritative answers from this zone, 18 ## instead of unbound itself sending queries there. 19 ## for-upstream: yes 20 for-upstream: yes 21 ## on failures with for-upstream, fallback to sending queries to 22 ## the authority servers 23 ## fallback-enabled: no 24 25 ## this line generates zonefile: \n"/tmp/xxx.example.com"\n 26 zonefile: 27TEMPFILE_NAME test-ns-signed.dev.internet.nl 28 ## this is the inline file /tmp/xxx.test-ns-signed.dev.internet.nl 29 ## the tempfiles are deleted when the testrun is over. 30TEMPFILE_CONTENTS test-ns-signed.dev.internet.nl 31test-ns-signed.dev.internet.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 4 14400 3600 604800 3600 32test-ns-signed.dev.internet.nl. 3600 IN RRSIG SOA 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. ybb0Hc7NC+QOFEEv4cX2+Umlk+miiOAHmeP2Uwvg6lqfxkk+3g7yWBEKMinXjLKz0odWZ6fki6M/3yBPQX8SV0OCRY5gYvAHAjbxAIHozIM+5iwOkRQhNF1DRgQ3BLjL93f6T5e5Z4y1812iOpu4GYswXW/UTOZACXz2UiaCPAg= 33test-ns-signed.dev.internet.nl. 3600 IN NS ns.test-ns-signed.dev.internet.nl. 34test-ns-signed.dev.internet.nl. 3600 IN RRSIG NS 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. KqiwTF3hKm1ZHGbgx6MVzZYHlS1p7+Xrikx4izMHFbWiD6ki6lrJBJsnH9j/hH1cwHxjXslOeJh0hdBdbn8la0meZPsebOyUbEjoLPzRLzKNLDBuA4BUJnRGQJy21CX7XooXAMAmR8YFipO8CojI9EogU2m2o9YkfbpacFWQoTk= 35test-ns-signed.dev.internet.nl. 3600 IN DNSKEY 256 3 8 AwEAAc6c8tpMXBSOFLu/9n4aUUDK43wN4B7A2UDqZi0IOkyptxWCFghleyZeeN5uq6p9MoUt8lS73mFmIYC0ux5zBO3uVaJQ9u+00qRAEVg/RgBwa58y2f/zNtFV/f7mBSPcPTiEjUh0bwHSiTvUn/8JkrvjyAcbQMO0YOsRof5q6tzl ;{id = 32784 (zsk), size = 1024b} 36test-ns-signed.dev.internet.nl. 3600 IN DNSKEY 257 3 8 AwEAAdC0hBJP1U8lbZ6JFXn0ouK6VipiraN7I8oog62SuEd/fqAupys7A/Ih6WK/UoJorjlnccEL8euNMaS4kNogvoBrFx8ciIWKcbot5mtwc4WDr3cnR+HIZNCUFVkIxsMqE7HCD0yn0zhkB60shED+ZHs8zpyU+cjnsOSizxOnIY+F ;{id = 54502 (ksk), size = 1024b} 37test-ns-signed.dev.internet.nl. 3600 IN RRSIG DNSKEY 8 4 3600 20190205132351 20190108132351 54502 test-ns-signed.dev.internet.nl. X3qN+plfjf45FA4pr/tcUqUCR9ajDqwtNe4TS19WOJogVL/Gf/N5/ToOCrs3s+a7VrJl58WvSJquDM8xAS8f4oJggKgHFhopce8tMTGRxkRvJo4y+tt3vCveh/zjHLAnbOaBGA4CJ/IPhRqzHzcX/SjSv0EACWd6XpQIWogRv6c= 38test-ns-signed.dev.internet.nl. 3600 IN NSEC3PARAM 1 0 1 - 39test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3PARAM 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. A/1xUGO46uIz+9vjPGfWVD99akwU9bd/UlnVG9LPfoTzG7TMWSoZ4ksg8k8ub8K1TrkDmQokNHSW0Gt6qwoRh17c+p1h/SFlDVL83wgTc4NqG43OQjgGU9RV035XU+VESlO3lavifhlu8rHWBJTlhiXcMGq6H+zvoz4sx9p5GNM= 4093stp7o7i5n9gb83uu7vv6h8qltk14ig.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - fee0c2kfhi6bnljce6vehaenqq3pbupu NS SOA RRSIG DNSKEY NSEC3PARAM 4193stp7o7i5n9gb83uu7vv6h8qltk14ig.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. YoTRDQ7sSvERcY1WwAH4oRRR7DmaAwA8/H70jdMeSU4wsnM/VM03kDcc2sgq5edmHiZoTWnq7nEb/1Y7Ro0YrqTUQdYFZvXi6UjZQrKI9nqAGnhdXZWlZJHmYpn2+2Emd+bYHkwvKaPnfnnKjUoGVBH8Hly0HBYKPUF1/viquB0= 42kl94uofq16t2vlq0bmampf6e4o9k5hbi.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 7ag3p2pfrvq09dpn63cvga8ub1rnrrg1 43kl94uofq16t2vlq0bmampf6e4o9k5hbi.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. NI5zJ/k1kPVZ1abms5OoME/wazb77Ltduyk6ZevAnt4tKydZYwSsjEd0Ixknw9xnakCABn5rAYEXctARN0KCwCkNHR7TYlTAJT14hlDYjbad2u2HT9L1kzAnfj3BeLZl/LRADeMbTtzrkTSF3Dnezurb94fMnUnKt2hPfQfj560= 44fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv 45fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. WIb3ISP1nlafbyWoWa4z7sG5IS+V86PyvEMHdD/64hgsFkrCu483XK7VNnBz28SL/631JXA1R19O+UxeWhTUyctp8QSt6cEZcMPY8b7yG97rNFNvhSw75rSXXt+JwgIYHPHQV5oqPtVmEpQM5SfJd+hs+Nn1bJcWB3UaESNNAMQ= 46*.a.b.test-ns-signed.dev.internet.nl. 3600 IN TXT "a" 47*.a.b.test-ns-signed.dev.internet.nl. 3600 IN RRSIG TXT 8 6 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. eNcJkQXdTO1z21od0sXbgqtABhhr/9tNC/Zx8zYbhXkfj7rufN71yk9xqgu6TG0MeJV26ISrqIGRVFJFmTRvO1LLxoKkEPhqe+08nqRztxXZajCV+dDeFoGIDcXJg6tAxB+MJznkKDtZPpIWvyt1WwdYfcMrGtE9AmR3K1/P/xE= 487ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 93stp7o7i5n9gb83uu7vv6h8qltk14ig TXT RRSIG 497ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. gtxoiTa3FRUqoRLvkWSxmWQ+DfijVd26gpKH3+GmGIcNB/sr/Cf8kERRwVVHvgzYIcvdJcys5b2LUXnZJwcdAlx7efZPWgNZzWxJrw6ES25LCWJOrp31isWn9FlAZGIbnpyEXxD2apBSmtyPnKbTgU6lHHS9jrsYHu4G8Zouv3k= 50ns.test-ns-signed.dev.internet.nl. 3600 IN A 185.49.141.11 51ns.test-ns-signed.dev.internet.nl. 3600 IN RRSIG A 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. F9sXEVAmlRn+/84WbuvegiCwstNxMDMQLl0Obv2CTPpee4U6psbmXrlzczjjjkE6aLjsIHYdcXCzEWTrmukT+V9jzaGPRJvxNvC0ASWyzggAoh0Z++Hl4cVa9587o6I9ODayehFI9Pgdem+RVdb4zlWuzi9FmKXgeTlgWN54tPg= 52ns.test-ns-signed.dev.internet.nl. 3600 IN AAAA 2a04:b900:0:100::11 53ns.test-ns-signed.dev.internet.nl. 3600 IN RRSIG AAAA 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. F1XRrx/QgfzJ1RS7d0m23QoIPx1G8WL1SrlTOm7pk5vWTL07w7HEw2TETblkjnitJGKfN9ebsIum/cDPUZc3UqLkguP2UCWpePnlllTJuwmG0Z+wyINIR4xF4PQlqttvzThBkD2JKWb/o0W8dQyXTj+jJ1vCZ0NjjA2N4+iJIQE= 54i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - kl94uofq16t2vlq0bmampf6e4o9k5hbi A AAAA RRSIG 55i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU= 56TEMPFILE_END 57 58stub-zone: 59 name: "." 60 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 61CONFIG_END 62 63SCENARIO_BEGIN Test authority zone with NSEC3 wildcard 64 65; K.ROOT-SERVERS.NET. 66RANGE_BEGIN 0 100 67 ADDRESS 193.0.14.129 68ENTRY_BEGIN 69MATCH opcode qtype qname 70ADJUST copy_id 71REPLY QR NOERROR 72SECTION QUESTION 73. IN NS 74SECTION ANSWER 75. IN NS K.ROOT-SERVERS.NET. 76SECTION ADDITIONAL 77K.ROOT-SERVERS.NET. IN A 193.0.14.129 78ENTRY_END 79 80ENTRY_BEGIN 81MATCH opcode subdomain 82ADJUST copy_id copy_query 83REPLY QR NOERROR 84SECTION QUESTION 85com. IN NS 86SECTION AUTHORITY 87com. IN NS a.gtld-servers.net. 88SECTION ADDITIONAL 89a.gtld-servers.net. IN A 192.5.6.30 90ENTRY_END 91RANGE_END 92 93; a.gtld-servers.net. 94RANGE_BEGIN 0 100 95 ADDRESS 192.5.6.30 96ENTRY_BEGIN 97MATCH opcode qtype qname 98ADJUST copy_id 99REPLY QR NOERROR 100SECTION QUESTION 101com. IN NS 102SECTION ANSWER 103com. IN NS a.gtld-servers.net. 104SECTION ADDITIONAL 105a.gtld-servers.net. IN A 192.5.6.30 106ENTRY_END 107 108ENTRY_BEGIN 109MATCH opcode subdomain 110ADJUST copy_id copy_query 111REPLY QR NOERROR 112SECTION QUESTION 113example.com. IN NS 114SECTION AUTHORITY 115example.com. IN NS ns.example.com. 116SECTION ADDITIONAL 117ns.example.com. IN A 1.2.3.44 118ENTRY_END 119RANGE_END 120 121; ns.example.net. 122RANGE_BEGIN 0 100 123 ADDRESS 1.2.3.44 124ENTRY_BEGIN 125MATCH opcode qtype qname 126ADJUST copy_id 127REPLY QR NOERROR 128SECTION QUESTION 129example.net. IN NS 130SECTION ANSWER 131example.net. IN NS ns.example.net. 132SECTION ADDITIONAL 133ns.example.net. IN A 1.2.3.44 134ENTRY_END 135 136ENTRY_BEGIN 137MATCH opcode qtype qname 138ADJUST copy_id 139REPLY QR NOERROR 140SECTION QUESTION 141ns.example.net. IN A 142SECTION ANSWER 143ns.example.net. IN A 1.2.3.44 144SECTION AUTHORITY 145example.net. IN NS ns.example.net. 146ENTRY_END 147 148ENTRY_BEGIN 149MATCH opcode qtype qname 150ADJUST copy_id 151REPLY QR NOERROR 152SECTION QUESTION 153ns.example.net. IN AAAA 154SECTION AUTHORITY 155example.net. IN NS ns.example.net. 156SECTION ADDITIONAL 157www.example.net. IN A 1.2.3.44 158ENTRY_END 159 160ENTRY_BEGIN 161MATCH opcode qtype qname 162ADJUST copy_id 163REPLY QR NOERROR 164SECTION QUESTION 165example.com. IN NS 166SECTION ANSWER 167example.com. IN NS ns.example.net. 168ENTRY_END 169 170ENTRY_BEGIN 171MATCH opcode qtype qname 172ADJUST copy_id 173REPLY QR NOERROR 174SECTION QUESTION 175www.example.com. IN A 176SECTION ANSWER 177www.example.com. IN A 10.20.30.40 178ENTRY_END 179RANGE_END 180 181STEP 1 QUERY 182ENTRY_BEGIN 183REPLY RD DO 184SECTION QUESTION 185something.a.b.test-ns-signed.dev.internet.nl. IN TXT 186ENTRY_END 187 188; recursion happens here. 189STEP 20 CHECK_ANSWER 190ENTRY_BEGIN 191MATCH all 192REPLY QR AA RD RA DO NOERROR 193SECTION QUESTION 194something.a.b.test-ns-signed.dev.internet.nl. IN TXT 195SECTION ANSWER 196something.a.b.test-ns-signed.dev.internet.nl. IN TXT "a" 197something.a.b.test-ns-signed.dev.internet.nl. 3600 IN RRSIG TXT 8 6 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. eNcJkQXdTO1z21od0sXbgqtABhhr/9tNC/Zx8zYbhXkfj7rufN71yk9xqgu6TG0MeJV26ISrqIGRVFJFmTRvO1LLxoKkEPhqe+08nqRztxXZajCV+dDeFoGIDcXJg6tAxB+MJznkKDtZPpIWvyt1WwdYfcMrGtE9AmR3K1/P/xE= 198SECTION AUTHORITY 199i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - KL94UOFQ16T2VLQ0BMAMPF6E4O9K5HBI A AAAA RRSIG 200i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU= 201ENTRY_END 202 203; Check that the reply for a wildcard nodata answer contains the NSEC3s. 204; qname denial NSEC3, closest encloser NSEC3, and type bitmap NSEC3. 205STEP 30 QUERY 206ENTRY_BEGIN 207REPLY RD DO 208SECTION QUESTION 209something.a.b.test-ns-signed.dev.internet.nl. IN AAAA 210ENTRY_END 211 212STEP 40 CHECK_ANSWER 213ENTRY_BEGIN 214MATCH all 215REPLY QR AA RD RA DO NOERROR 216SECTION QUESTION 217something.a.b.test-ns-signed.dev.internet.nl. IN AAAA 218SECTION ANSWER 219SECTION AUTHORITY 220test-ns-signed.dev.internet.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 4 14400 3600 604800 3600 221test-ns-signed.dev.internet.nl. 3600 IN RRSIG SOA 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. ybb0Hc7NC+QOFEEv4cX2+Umlk+miiOAHmeP2Uwvg6lqfxkk+3g7yWBEKMinXjLKz0odWZ6fki6M/3yBPQX8SV0OCRY5gYvAHAjbxAIHozIM+5iwOkRQhNF1DRgQ3BLjL93f6T5e5Z4y1812iOpu4GYswXW/UTOZACXz2UiaCPAg= ;{id = 32784} 2227ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 93stp7o7i5n9gb83uu7vv6h8qltk14ig TXT RRSIG 2237ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. gtxoiTa3FRUqoRLvkWSxmWQ+DfijVd26gpKH3+GmGIcNB/sr/Cf8kERRwVVHvgzYIcvdJcys5b2LUXnZJwcdAlx7efZPWgNZzWxJrw6ES25LCWJOrp31isWn9FlAZGIbnpyEXxD2apBSmtyPnKbTgU6lHHS9jrsYHu4G8Zouv3k= ;{id = 32784} 224fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv 225fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. WIb3ISP1nlafbyWoWa4z7sG5IS+V86PyvEMHdD/64hgsFkrCu483XK7VNnBz28SL/631JXA1R19O+UxeWhTUyctp8QSt6cEZcMPY8b7yG97rNFNvhSw75rSXXt+JwgIYHPHQV5oqPtVmEpQM5SfJd+hs+Nn1bJcWB3UaESNNAMQ= ;{id = 32784} 226i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - kl94uofq16t2vlq0bmampf6e4o9k5hbi A AAAA RRSIG 227i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU= ;{id = 32784} 228ENTRY_END 229 230SCENARIO_END 231