; Replay scenario: autotrust behaviour when the first probe of the trust
; anchor's DNSKEY set fails. The authoritative server mocked below answers the
; example.com DNSKEY query with rcode SERVFAIL, and the checks further down
; expect (a) the anchor file to keep its initial content and (b) the client
; query for www.example.com to come back SERVFAIL with an empty answer, i.e.
; the resolver does not hand out data it could not validate.
; NOTE(review): the line layout below was restored from a collapsed paste;
; leading whitespace on the indented lines is reconstructed.

; config options
server:
	target-fetch-policy: "0 0 0 0 0"
	log-time-ascii: yes
stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
; initial content (say from dig example.com DNSKEY > example.com.key)
; Two keys seed the anchor file: flags 257 (id 55582) and flags 256 (id 30899),
; both algorithm 5 with a 512-bit size per the trailing annotations. These are
; fixture values for the test only; they are far weaker than anything a real
; zone should publish.
AUTOTRUST_FILE example.com
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
AUTOTRUST_END
CONFIG_END

SCENARIO_BEGIN Test autotrust with failed initial trust anchor

; K-ROOT
; Mock root server: answers the root NS query and refers anything under com.
; to a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id copy_query
REPLY QR AA
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS	k.root-servers.net.
SECTION ADDITIONAL
k.root-servers.net	IN	A	193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
; Mock com. server: refers anything under example.com. to ns.example.com.
; The referral carries no DS or RRSIG records.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END
RANGE_END

; ns.example.com.
; Mock authoritative server for example.com. Every RRSIG below is made with
; key id 30899 and is valid from 20090821111500 to 20090924111500.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
; AAAA for ns.example.com.: the answer holds only an NSEC record whose type
; list is A NSEC RRSIG, so no AAAA exists at that name.
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
ns.example.com. IN NSEC nugget.example.com. A NSEC RRSIG
ns.example.com.	3600	IN	RRSIG	NSEC 5 3 3600 20090924111500 20090821111500 30899 example.com. WRUQ5d5aBO5AXbvnfCd0AWfKGvQIuAjT2qydGkUIaLZaiP4nj+JdquEy1nGvBwYQ9gWyP7b6C6UGrUnVcNBpcw== ;{id = 30899}
SECTION AUTHORITY
example.com.	3600	IN	NS	ns.example.com.
example.com.	3600	IN	RRSIG	NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
SECTION ADDITIONAL
ENTRY_END

; A for ns.example.com., signed.
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com.	3600	IN	A	1.2.3.4
ns.example.com.	3600	IN	RRSIG	A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
SECTION AUTHORITY
example.com.	3600	IN	NS	ns.example.com.
example.com.	3600	IN	RRSIG	NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
SECTION ADDITIONAL
ENTRY_END

; A for www.example.com., signed. The data itself is served normally; STEP 20
; still expects the client to receive SERVFAIL with an empty answer section.
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com.	3600	IN	A	10.20.30.40
www.example.com.	3600	IN	RRSIG	A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899}
SECTION AUTHORITY
example.com.	3600	IN	NS	ns.example.com.
example.com.	3600	IN	RRSIG	NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
SECTION ADDITIONAL
ns.example.com.	3600	IN	A	1.2.3.4
ns.example.com.	3600	IN	RRSIG	A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
ENTRY_END

; DNSKEY for example.com.: this is the failure being tested. The reply carries
; rcode SERVFAIL even though the answer section lists the same two keys as the
; anchor file plus RRSIGs by both key ids. The later checks expect the resolver
; to go by the rcode: the anchor file stays as seeded and the client gets
; SERVFAIL.
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA SERVFAIL
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
; KSK 1
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
; ZSK 1
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
; signatures
example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20090924111500 20090821111500 30899 example.com. b/HK231jIQLX8IhlZfup3r0yhpXaasbPE6LzxoEVVvWaTZWcLmeV8jDIcn0qO7Yvs7bIJN20lwVAV0GcHH3hWQ== ;{id = 30899}
example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20090924111500 20090821111500 55582 example.com. PCHme1QLoULxqjhg5tMlpR0qJlBfstEUVq18TtNoKQe9le1YhJ9caheXcTWoK+boLhXxg9u6Yyvq8FboQh0OjA== ;{id = 55582}

ENTRY_END
RANGE_END

; set date/time to Aug 24 07:46:40 (2009).
; 1251100000 is that instant in UTC, which lies inside the RRSIG validity
; window used above, so signature expiry is not the reason for the failure.
STEP 5 TIME_PASSES ELAPSE 1251100000
STEP 6 ASSIGN t0 = ${time}
; presumably ${range lo val hi} checks that the pending timeout lies within
; 3200..3600 and yields it; confirm against the replay harness documentation.
STEP 7 ASSIGN probe = ${range 3200 ${timeout} 3600}

; the auto probing should have been done now.
; Expected anchor file: the same two records as the initial AUTOTRUST_FILE
; block, with no added or removed keys.
STEP 8 CHECK_AUTOTRUST example.com
FILE_BEGIN
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
FILE_END


; Client query with RD and DO set.
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; Expected reply: SERVFAIL with an empty answer section, although the mock
; authoritative server would serve a signed A record for this name.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END

; The autotrust anchor was probed due to the query.
; The file is still expected to match the initial content.

STEP 30 CHECK_AUTOTRUST example.com
FILE_BEGIN
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
FILE_END

; wait and see if autotrust probes (the unchanged) domain again.
; Time advances by the interval captured in STEP 7.
STEP 40 TIME_PASSES EVAL ${$probe}

STEP 50 TRAFFIC

; probe2 is assigned here but not read again in this scenario; t0 from STEP 6
; is likewise unused.
STEP 65 ASSIGN probe2 = ${range 3200 ${timeout} 3600}

; After the second probe interval the anchor file must still hold only the
; two initial keys.
STEP 70 CHECK_AUTOTRUST example.com
FILE_BEGIN
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
FILE_END

SCENARIO_END