1; config options 2server: 3 target-fetch-policy: "0 0 0 0 0" 4 log-time-ascii: yes 5 fake-sha1: yes 6 trust-anchor-signaling: no 7stub-zone: 8 name: "." 9 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 10; initial content (say from dig example.com DNSKEY > example.com.key) 11AUTOTRUST_FILE example.com 12example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} 13example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} 14AUTOTRUST_END 15CONFIG_END 16 17SCENARIO_BEGIN Test autotrust with ADDPEND seen once 18; this should fail. 19 20; K-ROOT 21RANGE_BEGIN 0 100 22 ADDRESS 193.0.14.129 23ENTRY_BEGIN 24MATCH opcode qname qtype 25ADJUST copy_id copy_query 26REPLY QR AA 27SECTION QUESTION 28. IN NS 29SECTION ANSWER 30. IN NS k.root-servers.net. 31SECTION ADDITIONAL 32k.root-servers.net IN A 193.0.14.129 33ENTRY_END 34 35ENTRY_BEGIN 36MATCH opcode subdomain 37ADJUST copy_id copy_query 38REPLY QR 39SECTION QUESTION 40com. IN NS 41SECTION AUTHORITY 42com. IN NS a.gtld-servers.net. 43SECTION ADDITIONAL 44a.gtld-servers.net. IN A 192.5.6.30 45ENTRY_END 46RANGE_END 47 48; a.gtld-servers.net. 49RANGE_BEGIN 0 100 50 ADDRESS 192.5.6.30 51ENTRY_BEGIN 52MATCH opcode subdomain 53ADJUST copy_id copy_query 54REPLY QR 55SECTION QUESTION 56example.com. IN NS 57SECTION AUTHORITY 58example.com. IN NS ns.example.com. 59SECTION ADDITIONAL 60ns.example.com. IN A 1.2.3.4 61ENTRY_END 62RANGE_END 63 64; ns.example.com. KSK 55582 65RANGE_BEGIN 0 10 66 ADDRESS 1.2.3.4 67ENTRY_BEGIN 68MATCH opcode qname qtype 69ADJUST copy_id 70REPLY QR AA 71SECTION QUESTION 72www.example.com. IN A 73SECTION ANSWER 74www.example.com. 3600 IN A 10.20.30.40 75www.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899} 76SECTION AUTHORITY 77example.com. 3600 IN NS ns.example.com. 78example.com. 3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899} 79SECTION ADDITIONAL 80ns.example.com. 3600 IN A 1.2.3.4 81ns.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899} 82ENTRY_END 83 84ENTRY_BEGIN 85MATCH opcode qname qtype 86ADJUST copy_id 87REPLY QR AA 88SECTION QUESTION 89example.com. IN DNSKEY 90SECTION ANSWER 91; KSK 1 92example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} 93; ZSK 1 94example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} 95; signatures 96example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090924111500 20090821111500 30899 example.com. b/HK231jIQLX8IhlZfup3r0yhpXaasbPE6LzxoEVVvWaTZWcLmeV8jDIcn0qO7Yvs7bIJN20lwVAV0GcHH3hWQ== ;{id = 30899} 97example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090924111500 20090821111500 55582 example.com. PCHme1QLoULxqjhg5tMlpR0qJlBfstEUVq18TtNoKQe9le1YhJ9caheXcTWoK+boLhXxg9u6Yyvq8FboQh0OjA== ;{id = 55582} 98ENTRY_END 99RANGE_END 100 101; ns.example.com. KSK 55582 and 60946 102RANGE_BEGIN 11 40 103 ADDRESS 1.2.3.4 104ENTRY_BEGIN 105MATCH opcode qname qtype 106ADJUST copy_id 107REPLY QR AA 108SECTION QUESTION 109example.com. IN DNSKEY 110SECTION ANSWER 111; KSK 1 112example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} 113; KSK 2 114example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} 115; ZSK 1 116example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} 117; signatures 118example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 30899 example.com. rkaCUpTFPWVu4Om5oMTR+39Mct6ZMs56xrE0rbxMMOokfvIQheIxsAEc5BFJeA/2y5WTewl6diCD6yQXCybrDg== ;{id = 30899} 119example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 55582 example.com. CoMon+lWPAsUvgfpCTDPx8Zn8dQpky3lu2O6T+oJ2Mat9a/u1YwGhSQHGPn7ZNG/4vKM97tx84sSlUGz3geD1w== ;{id = 55582} 120example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091024111500 20090921111500 60946 example.com. o+Cbs7DcYPYlSLd4hi3vkSVQpXGnKgKSi9MpHGfu1Uahv5190U2DUOxP1du/HOYbf+IHYL8zLbMZjVEG5wgnTg== ;{id = 60946} 121ENTRY_END 122RANGE_END 123 124; ns.example.com. KSK 55582 and 60946 (signatures updated) 125RANGE_BEGIN 41 50 126 ADDRESS 1.2.3.4 127ENTRY_BEGIN 128MATCH opcode qname qtype 129ADJUST copy_id 130REPLY QR AA 131SECTION QUESTION 132example.com. IN DNSKEY 133SECTION ANSWER 134; KSK 1 135example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} 136; KSK 2 137example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} 138; ZSK 1 139example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} 140; signatures 141example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 30899 example.com. rkaCUpTFPWVu4Om5oMTR+39Mct6ZMs56xrE0rbxMMOokfvIQheIxsAEc5BFJeA/2y5WTewl6diCD6yQXCybrDg== ;{id = 30899} 142;example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 55582 example.com. v/HJbdpeVMpbhwYXrT1EDGpAFMvEgdKQII1cAbP6o8KHYNKDh8TIJ25/pXe3daEXfej6/Z5kpqJ79okPKUoi1Q== ;{id = 55582} 143example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091124111500 20091018111500 60946 example.com. HgXol1hdvbomOM1CFRW8qsHd3D0qOnN72EeMHTcpxIBBiuNLKZn4n1M14Voxj3vo0eAMNuG/y7EjQkxKvSsaDA== ;{id = 60946} 144ENTRY_END 145 146ENTRY_BEGIN 147MATCH opcode qname qtype 148ADJUST copy_id 149REPLY QR AA REFUSED 150SECTION QUESTION 151ns.example.com. IN A 152ENTRY_END 153 154ENTRY_BEGIN 155MATCH opcode qname qtype 156ADJUST copy_id 157REPLY QR AA REFUSED 158SECTION QUESTION 159ns.example.com. IN AAAA 160ENTRY_END 161RANGE_END 162 163; ns.example.com. KSK 55582-REVOKED and 60946 164RANGE_BEGIN 51 60 165 ADDRESS 1.2.3.4 166ENTRY_BEGIN 167MATCH opcode qname qtype 168ADJUST copy_id 169REPLY QR AA 170SECTION QUESTION 171example.com. IN DNSKEY 172SECTION ANSWER 173; KSK 1 174example.com. 10800 IN DNSKEY 385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b} 175; KSK 2 176example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} 177; ZSK 1 178example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} 179; signatures 180example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 30899 example.com. qLKZUJEi3ajSJ4/b7xl0BwhzW6JtjsojpZ+2nUx1PvaeQVoTmyWxjxc2tAmJGcBPqMqzeY470xvyMDvGTOiQCQ== ;{id = 30899} 181example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 55710 example.com. EW2YB+2yNX9LTNDPVwkcGnRTTx38pOiwBaixdwxmDgqWKXLDLM6Kd2Xv9tveS39RnSZ5H1inRXE55q+rL6Re3g== ;{id = 55710} 182; wrong keytag: 183;example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 55582 example.com. nH/6HauVJI4GGz78UoK/38cOOrEqsYZP0jFzfCC3OyIlclVTjAFvjVPlVMGK7sA5Nw1v20YtFTQkXZgbrRuInQ== ;{id = 55582} 184example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20091224111500 20091118111500 60946 example.com. xKSBZr4vOsEUKlVoNb6SOV69DM7xFOJI4gPFKq5Tv4APIMJ/9G3odoDmNcLCVyYGzhoDik5hciJnZio6UHgzAA== ;{id = 60946} 185ENTRY_END 186 187ENTRY_BEGIN 188MATCH opcode qname qtype 189ADJUST copy_id 190REPLY QR AA REFUSED 191SECTION QUESTION 192ns.example.com. IN AAAA 193ENTRY_END 194RANGE_END 195 196; ns.example.com. KSK 60946 197RANGE_BEGIN 61 70 198 ADDRESS 1.2.3.4 199ENTRY_BEGIN 200MATCH opcode qname qtype 201ADJUST copy_id 202REPLY QR AA 203SECTION QUESTION 204example.com. IN DNSKEY 205SECTION ANSWER 206; KSK 2 207example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} 208; ZSK 1 209example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} 210; signatures 211example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20101224111500 20101118111500 30899 example.com. TfFGz1kDtkn3ixbKMJvQDZ0uGw/eW+inIiPqQVPQtO2WiocKrnYnzwv/AqwnFvEar70dF15/zffNIF+ipOS5/g== ;{id = 30899} 212example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20101224111500 20101118111500 60946 example.com. X0Ci//w0czN/J5RvypHGqp56n1tLdapi92ODAqjM7QpZXbSHaJ7wfPG1PZzvdxHUZUVyf8uy2stjg/XoLGHMWA== ;{id = 60946} 213ENTRY_END 214RANGE_END 215 216; set date/time to Aug 24 07:46:40 (2009). 217STEP 5 TIME_PASSES ELAPSE 1251100000 218STEP 6 TRAFFIC ; the initial probe 219STEP 7 ASSIGN t0 = ${time} 220STEP 8 ASSIGN probe0 = ${range 4800 ${timeout} 5400} 221 222; the auto probing should have been done now. 223STEP 10 CHECK_AUTOTRUST example.com 224FILE_BEGIN 225; autotrust trust anchor file 226;;id: example.com. 1 227;;last_queried: ${$t0} ;;${ctime $t0} 228;;last_success: ${$t0} ;;${ctime $t0} 229;;next_probe_time: ${$t0 + $probe0} ;;${ctime $t0 + $probe0} 230;;query_failed: 0 231;;query_interval: 5400 232;;retry_time: 3600 233example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} 234FILE_END 235 236; key prepublished. First poll. 30 days later 237STEP 11 TIME_PASSES EVAL ${30*24*3600} 238STEP 12 TRAFFIC 239STEP 13 ASSIGN t1 = ${time} 240STEP 14 ASSIGN probe1 = ${range 4800 ${timeout} 5400} 241STEP 15 CHECK_AUTOTRUST example.com 242FILE_BEGIN 243; autotrust trust anchor file 244;;id: example.com. 1 245;;last_queried: ${$t1} ;;${ctime $t1} 246;;last_success: ${$t1} ;;${ctime $t1} 247;;next_probe_time: ${$t1 + $probe1} ;;${ctime $t1 + $probe1} 248;;query_failed: 0 249;;query_interval: 5400 250;;retry_time: 3600 251example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1} 252example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} 253FILE_END 254 255; t2 is removed second poll time. 256; t3 is removed third poll time. 257 258; 31 days later, hold down has lapsed. 259STEP 41 TIME_PASSES EVAL ${31*24*3600} 260STEP 42 TRAFFIC 261STEP 43 ASSIGN t4 = ${time} 262; it fails! ADDPEND not valid for signing this answer. 263STEP 44 ASSIGN probe4 = ${range 3200 ${timeout} 3600} 264STEP 45 CHECK_AUTOTRUST example.com 265FILE_BEGIN 266; autotrust trust anchor file 267;;id: example.com. 1 268;;last_queried: ${$t4} ;;${ctime $t4} 269;;last_success: ${$t1} ;;${ctime $t1} 270;;next_probe_time: ${$t4 + $probe4} ;;${ctime $t4 + $probe4} 271;;query_failed: 6 272;;query_interval: 5400 273;;retry_time: 3600 274example.com. 10800 IN DNSKEY 257 3 5 AwEAAeiaUiUIpWMfYz5L0sfJTZWnuN9IyBX4em9VjsoqQTsOD1HDQpNb4buvJo7pN2aBCxNS7e0OL8e2mVB6CLZ+8ek= ;{id = 60946 (ksk), size = 512b} ;;state=1 [ ADDPEND ] ;;count=1 ;;lastchange=${$t1} ;;${ctime $t1} 275example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0} 276FILE_END 277 278SCENARIO_END 279