xref: /netbsd-src/external/bsd/unbound/dist/testdata/auth_zonemd_insecure_absent_reject.rpl (revision 7a540f2bd4f5b968566c2607d6462c7f2fb452cf)
1; config options
2server:
	## "0 0 0 0 0": no opportunistic fetching of nameserver target addresses;
	## presumably keeps the query stream limited to what the scripted RANGE
	## entries below answer.
3	target-fetch-policy: "0 0 0 0 0"
	## DNSSEC trust anchor for com.: DS with key tag 1444, algorithm 8
	## (RSASHA256), digest type 2 (SHA-256).  Key tag 1444 is the com. DNSKEY
	## served by the scripted 192.5.6.30 range below.
4	trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c"
	## no trust anchor signaling queries, which this scenario does not script.
5	trust-anchor-signaling: no
	## pins the validator's clock.  This date lies inside the RRSIG validity
	## window used by every signature in this file
	## (inception 20201019135527, expiration 20201116135527).
6	val-override-date: 20201020135527
7
8auth-zone:
9	name: "example.com."
	## verify the zone's ZONEMD digest record (RFC 8976) when the zone is loaded.
10	zonemd-check: yes
	## option under test: a zone that has no ZONEMD record at all is rejected
	## instead of being accepted unverified.  The zone data below has its
	## ZONEMD record commented out.
11	zonemd-reject-absence: yes
12	## zonefile (or none).
13	## zonefile: "example.com.zone"
14	## master by IP address or hostname
15	## can list multiple masters, each on one line.
16	## master:
17	## url for http fetch
18	## url:
19	## queries from downstream clients get authoritative answers.
20	## for-downstream: yes
21	for-downstream: no
22	## queries are used to fetch authoritative answers from this zone,
23	## instead of unbound itself sending queries there.
24	## for-upstream: yes
25	for-upstream: yes
26	## on failures with for-upstream, fallback to sending queries to
27	## the authority servers
28	## fallback-enabled: no
	## fallback-enabled is not set in this clause.  NOTE(review): its default
	## is believed to be no -- confirm.  The SERVFAIL expected at STEP 20 is
	## consistent with no fallback to the authority servers.
29
30	## this line generates zonefile: \n"/tmp/xxx.example.com"\n
31	zonefile:
32TEMPFILE_NAME example.com
33	## this is the inline file /tmp/xxx.example.com
34	## the tempfiles are deleted when the testrun is over.
35TEMPFILE_CONTENTS example.com
36example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
37example.com. IN NS ns.example.com.
38; the missing ZONEMD record: left commented out so the zone is loaded without a digest.
39;example.com. IN ZONEMD 200154054 1 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
40www.example.com. IN A 127.0.0.1
41ns.example.com. IN A 127.0.0.1
42bar.example.com. IN A 1.2.3.4
43ding.example.com. IN A 1.2.3.4
44foo.example.com. IN A 1.2.3.4
45TEMPFILE_END
46
	## root queries go to 193.0.14.129, the address of the first scripted
	## RANGE in the scenario below.
47stub-zone:
48	name: "."
49	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
50CONFIG_END
51
52SCENARIO_BEGIN Test authority zone with reject-absence ZONEMD that is securely insecure
53; The com. trust anchor validates a signed referral whose NSEC shows that
54; example.com. has no DS record, so the zone is securely insecure.  The ZONEMD
55; is not there; zonemd-reject-absence in the config forbids that, so the zone fails.
56
57; K.ROOT-SERVERS.NET.
; scripted replies from the root server address, for steps 0 through 100.
58RANGE_BEGIN 0 100
59	ADDRESS 193.0.14.129
; root NS query: answers with K.ROOT-SERVERS.NET. and its address.
60ENTRY_BEGIN
61MATCH opcode qtype qname
62ADJUST copy_id
63REPLY QR NOERROR
64SECTION QUESTION
65. IN NS
66SECTION ANSWER
67. IN NS	K.ROOT-SERVERS.NET.
68SECTION ADDITIONAL
69K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
70ENTRY_END
71
; any query for a name at or below com.: referral to a.gtld-servers.net.
; (192.5.6.30), with the question copied from the query.  The referral holds
; only NS and glue, no DNSSEC records.
72ENTRY_BEGIN
73MATCH opcode subdomain
74ADJUST copy_id copy_query
75REPLY QR NOERROR
76SECTION QUESTION
77com. IN NS
78SECTION AUTHORITY
79com.	IN NS	a.gtld-servers.net.
80SECTION ADDITIONAL
81a.gtld-servers.net.	IN 	A	192.5.6.30
82ENTRY_END
83RANGE_END
84
85; a.gtld-servers.net.
; scripted replies from the com. server address, for steps 0 through 100.
; All signatures in this range are made with key tag 1444 and are valid from
; 20201019135527 to 20201116135527.
86RANGE_BEGIN 0 100
87	ADDRESS 192.5.6.30
; com. NS query: answers with a.gtld-servers.net. and its address.
88ENTRY_BEGIN
89MATCH opcode qtype qname
90ADJUST copy_id
91REPLY QR NOERROR
92SECTION QUESTION
93com. IN NS
94SECTION ANSWER
95com.	IN NS	a.gtld-servers.net.
96SECTION ADDITIONAL
97a.gtld-servers.net.	IN 	A	192.5.6.30
98ENTRY_END
99
; example.com. DS query: authoritative reply with an empty answer section.
; The signed NSEC for example.com. lists NS and RRSIG but no DS, which is the
; proof that the delegation is insecure ("securely insecure" in the title).
100ENTRY_BEGIN
101MATCH opcode qname qtype
102ADJUST copy_id
103REPLY QR AA NOERROR
104SECTION QUESTION
105example.com. IN DS
106SECTION AUTHORITY
107com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1603979208 1800 900 604800 86400
108com.	3600	IN	RRSIG	SOA 8 1 3600 20201116135527 20201019135527 1444 com. LTUZ8PlkMLX+dBZLGcJcahrzOgf1PgYbi/s5VKyR9iyYKeP6qdxO5VehUVHdXfmUiXrsszvhAHzo4AZnfRbDkK6uTfMKCSIB1aXOU4A74LpjhJBsXjyo3CN3IK/dMS/FpJfAb6JnuQV1E3ytDd34yNsoBazEjYeoN1kymGAttbM=
109example.com. IN NSEC foo.com. NS RRSIG
110example.com.	3600	IN	RRSIG	NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
111ENTRY_END
112
; any other query at or below example.com.: referral to ns.example.com.
; (glue 1.2.3.44), carrying the same signed NSEC that shows there is no DS.
113ENTRY_BEGIN
114MATCH opcode subdomain
115ADJUST copy_id copy_query
116REPLY QR NOERROR
117SECTION QUESTION
118example.com. IN NS
119SECTION AUTHORITY
120example.com.	IN NS	ns.example.com.
121example.com. IN NSEC foo.com. NS RRSIG
122example.com.	3600	IN	RRSIG	NSEC 8 2 3600 20201116135527 20201019135527 1444 com. KK6ci3DUnGJ9gaBBqS+71TiFBGcl51YLZAYGADDWuSgFOLLbh1nV//la08zE1i8ITQjjsqyRw7/MA8LWpPR3TnUjJLk6mBd/kB3dJ8BHWRqcyreFo6Pu383oCcXTpwkFcL4ulhp54LUxbA3arWVjWbx8815vvNKsEtWUyrz4LN8=
123SECTION ADDITIONAL
124ns.example.com. IN A 1.2.3.44
125ENTRY_END
126
; com. DNSKEY query: the key with tag 1444 named by the configured com. DS
; trust anchor, with an RRSIG made by that same key.
127ENTRY_BEGIN
128MATCH opcode qtype qname
129ADJUST copy_id
130REPLY QR AA NOERROR
131SECTION QUESTION
132com. IN DNSKEY
133SECTION ANSWER
134com.	3600	IN	DNSKEY	257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
135com.	3600	IN	RRSIG	DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo=
136SECTION ADDITIONAL
137ENTRY_END
138
139RANGE_END
140
141; ns.example.net.
; 1.2.3.44 is also the glue address given for ns.example.com. in the com.
; referral above, so this range also stands in for the example.com. authority
; server.  Scripted for steps 0 through 100.
142RANGE_BEGIN 0 100
143	ADDRESS 1.2.3.44
; example.net. NS query.
144ENTRY_BEGIN
145MATCH opcode qtype qname
146ADJUST copy_id
147REPLY QR NOERROR
148SECTION QUESTION
149example.net. IN NS
150SECTION ANSWER
151example.net.	IN NS	ns.example.net.
152SECTION ADDITIONAL
153ns.example.net.		IN 	A	1.2.3.44
154ENTRY_END
155
; ns.example.net. A query.
156ENTRY_BEGIN
157MATCH opcode qtype qname
158ADJUST copy_id
159REPLY QR NOERROR
160SECTION QUESTION
161ns.example.net. IN A
162SECTION ANSWER
163ns.example.net. IN A	1.2.3.44
164SECTION AUTHORITY
165example.net.	IN NS	ns.example.net.
166ENTRY_END
167
; ns.example.net. AAAA query: reply with an empty answer section.
168ENTRY_BEGIN
169MATCH opcode qtype qname
170ADJUST copy_id
171REPLY QR NOERROR
172SECTION QUESTION
173ns.example.net. IN AAAA
174SECTION AUTHORITY
175example.net.	IN NS	ns.example.net.
176SECTION ADDITIONAL
177www.example.net. IN A	1.2.3.44
178ENTRY_END
179
; example.com. NS query, answered without any DNSSEC records.
180ENTRY_BEGIN
181MATCH opcode qtype qname
182ADJUST copy_id
183REPLY QR NOERROR
184SECTION QUESTION
185example.com. IN NS
186SECTION ANSWER
187example.com.	IN NS	ns.example.net.
188ENTRY_END
189
; upstream answer for www.example.com. (10.20.30.40).  It differs from the
; auth-zone file's address for the same name (127.0.0.1), so a reply taken
; from either source can be told apart; the check at STEP 20 expects neither.
190ENTRY_BEGIN
191MATCH opcode qtype qname
192ADJUST copy_id
193REPLY QR NOERROR
194SECTION QUESTION
195www.example.com. IN A
196SECTION ANSWER
197www.example.com. IN A	10.20.30.40
198ENTRY_END
199RANGE_END
200
; client query: www.example.com. A with the RD flag set.
201STEP 1 QUERY
202ENTRY_BEGIN
203REPLY RD
204SECTION QUESTION
205www.example.com. IN A
206ENTRY_END
207
208; recursion happens here.
; expected result: SERVFAIL with an empty answer section, matched on all
; fields.  The zone rejected for its absent ZONEMD fails closed: neither the
; zonefile address (127.0.0.1) nor the upstream address (10.20.30.40) is
; returned to the client.
209STEP 20 CHECK_ANSWER
210ENTRY_BEGIN
211MATCH all
212REPLY QR RD RA SERVFAIL
213SECTION QUESTION
214www.example.com. IN A
215SECTION ANSWER
216ENTRY_END
217
218SCENARIO_END
219