1; config options 2server: 3 target-fetch-policy: "0 0 0 0 0" 4 trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c" 5 trust-anchor-signaling: no 6 val-override-date: 20201020135527 7 8auth-zone: 9 name: "example.com." 10 ## zonefile (or none). 11 ## zonefile: "example.com.zone" 12 ## master by IP address or hostname 13 ## can list multiple masters, each on one line. 14 ## master: 15 ## url for http fetch 16 ## url: 17 ## queries from downstream clients get authoritative answers. 18 ## for-downstream: yes 19 for-downstream: no 20 ## queries are used to fetch authoritative answers from this zone, 21 ## instead of unbound itself sending queries there. 22 ## for-upstream: yes 23 for-upstream: yes 24 ## on failures with for-upstream, fallback to sending queries to 25 ## the authority servers 26 ## fallback-enabled: no 27 zonemd-check: yes 28 29 ## this line generates zonefile: \n"/tmp/xxx.example.com"\n 30 zonefile: 31TEMPFILE_NAME example.com 32 ## this is the inline file /tmp/xxx.example.com 33 ## the tempfiles are deleted when the testrun is over. 34TEMPFILE_CONTENTS example.com 35example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600 36example.com. IN NS ns.example.com. 37; the missing ZONEMD record 38;example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22 39www.example.com. IN A 127.0.0.1 40ns.example.com. IN A 127.0.0.1 41bar.example.com. IN A 1.2.3.4 42ding.example.com. IN A 1.2.3.4 43foo.example.com. IN A 1.2.3.4 44TEMPFILE_END 45 46stub-zone: 47 name: "." 48 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 49CONFIG_END 50 51SCENARIO_BEGIN Test authority zone with absent ZONEMD that is securely insecure 52; the trust anchor finds an online delegation with an insecure DS referral. 53; the ZONEMD is not there. 54 55; K.ROOT-SERVERS.NET. 56RANGE_BEGIN 0 100 57 ADDRESS 193.0.14.129 58ENTRY_BEGIN 59MATCH opcode qtype qname 60ADJUST copy_id 61REPLY QR NOERROR 62SECTION QUESTION 63. IN NS 64SECTION ANSWER 65. IN NS K.ROOT-SERVERS.NET. 66SECTION ADDITIONAL 67K.ROOT-SERVERS.NET. IN A 193.0.14.129 68ENTRY_END 69 70ENTRY_BEGIN 71MATCH opcode subdomain 72ADJUST copy_id copy_query 73REPLY QR NOERROR 74SECTION QUESTION 75com. IN NS 76SECTION AUTHORITY 77com. IN NS a.gtld-servers.net. 78SECTION ADDITIONAL 79a.gtld-servers.net. IN A 192.5.6.30 80ENTRY_END 81RANGE_END 82 83; a.gtld-servers.net. 84RANGE_BEGIN 0 100 85 ADDRESS 192.5.6.30 86ENTRY_BEGIN 87MATCH opcode qtype qname 88ADJUST copy_id 89REPLY QR NOERROR 90SECTION QUESTION 91com. IN NS 92SECTION ANSWER 93com. IN NS a.gtld-servers.net. 94SECTION ADDITIONAL 95a.gtld-servers.net. IN A 192.5.6.30 96ENTRY_END 97 98ENTRY_BEGIN 99MATCH opcode qname qtype 100ADJUST copy_id 101REPLY QR AA NOERROR 102SECTION QUESTION 103example.com. IN DS 104SECTION AUTHORITY 105com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1603979208 1800 900 604800 86400 106com. 3600 IN RRSIG SOA 8 1 3600 20201116135527 20201019135527 1444 com. LTUZ8PlkMLX+dBZLGcJcahrzOgf1PgYbi/s5VKyR9iyYKeP6qdxO5VehUVHdXfmUiXrsszvhAHzo4AZnfRbDkK6uTfMKCSIB1aXOU4A74LpjhJBsXjyo3CN3IK/dMS/FpJfAb6JnuQV1E3ytDd34yNsoBazEjYeoN1kymGAttbM= 107example.com. IN NSEC foo.com. NS RRSIG 108example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8= 109ENTRY_END 110 111ENTRY_BEGIN 112MATCH opcode subdomain 113ADJUST copy_id copy_query 114REPLY QR NOERROR 115SECTION QUESTION 116example.com. IN NS 117SECTION AUTHORITY 118example.com. IN NS ns.example.com. 119example.com. IN NSEC foo.com. NS RRSIG 120example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8= 121SECTION ADDITIONAL 122ns.example.com. IN A 1.2.3.44 123ENTRY_END 124 125ENTRY_BEGIN 126MATCH opcode qtype qname 127ADJUST copy_id 128REPLY QR AA NOERROR 129SECTION QUESTION 130com. IN DNSKEY 131SECTION ANSWER 132com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b} 133com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo= 134SECTION ADDITIONAL 135ENTRY_END 136 137RANGE_END 138 139; ns.example.net. 140RANGE_BEGIN 0 100 141 ADDRESS 1.2.3.44 142ENTRY_BEGIN 143MATCH opcode qtype qname 144ADJUST copy_id 145REPLY QR NOERROR 146SECTION QUESTION 147example.net. IN NS 148SECTION ANSWER 149example.net. IN NS ns.example.net. 150SECTION ADDITIONAL 151ns.example.net. IN A 1.2.3.44 152ENTRY_END 153 154ENTRY_BEGIN 155MATCH opcode qtype qname 156ADJUST copy_id 157REPLY QR NOERROR 158SECTION QUESTION 159ns.example.net. IN A 160SECTION ANSWER 161ns.example.net. IN A 1.2.3.44 162SECTION AUTHORITY 163example.net. IN NS ns.example.net. 164ENTRY_END 165 166ENTRY_BEGIN 167MATCH opcode qtype qname 168ADJUST copy_id 169REPLY QR NOERROR 170SECTION QUESTION 171ns.example.net. IN AAAA 172SECTION AUTHORITY 173example.net. IN NS ns.example.net. 174SECTION ADDITIONAL 175www.example.net. IN A 1.2.3.44 176ENTRY_END 177 178ENTRY_BEGIN 179MATCH opcode qtype qname 180ADJUST copy_id 181REPLY QR NOERROR 182SECTION QUESTION 183example.com. IN NS 184SECTION ANSWER 185example.com. IN NS ns.example.net. 186ENTRY_END 187 188ENTRY_BEGIN 189MATCH opcode qtype qname 190ADJUST copy_id 191REPLY QR NOERROR 192SECTION QUESTION 193www.example.com. IN A 194SECTION ANSWER 195www.example.com. IN A 10.20.30.40 196ENTRY_END 197RANGE_END 198 199STEP 1 QUERY 200ENTRY_BEGIN 201REPLY RD 202SECTION QUESTION 203www.example.com. IN A 204ENTRY_END 205 206; recursion happens here. 207STEP 20 CHECK_ANSWER 208ENTRY_BEGIN 209MATCH all 210REPLY QR RD RA NOERROR 211SECTION QUESTION 212www.example.com. IN A 213SECTION ANSWER 214www.example.com. IN A 127.0.0.1 215ENTRY_END 216 217SCENARIO_END 218