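; Scenario file for a replay-style resolver test (CONFIG / SCENARIO / RANGE /
; STEP syntax). It starts the resolver with an RFC 5011 autotrust file for
; example.com in which every key is already revoked, then checks that an
; unsigned answer from that zone is still returned to the client.
;
; Security-relevant reading: per the autotrust file's own header, a trust
; point whose keys are all revoked is "considered as if it has no trust
; anchors". No other trust anchor is configured in this file, so example.com
; is resolved without DNSSEC protection rather than failing validation.
; Deployments that rely on a locally managed trust anchor should watch the
; anchor file for the ;;REVOKED marker, since nothing in the answer itself
; signals the downgrade.
;
; The listing had been collapsed onto two lines with viewer line numbers fused
; into the tokens (e.g. "2server:", "61RANGE_BEGIN"); one statement per line is
; restored here and those numbers are dropped. No directive, record or
; autotrust line was otherwise changed.

; config options
server:
    # Do not fetch nameserver targets opportunistically; keeps the query
    # sequence of the test deterministic.
    target-fetch-policy: "0 0 0 0 0"
    log-time-ascii: yes
    # Debug option: pins the validator's notion of "now" to
    # 2009-10-18 11:15:00 instead of the system clock. Test use only; a fixed
    # date in a production config would defeat signature expiry checks.
    val-override-date: '20091018111500'
    # Test-harness option; NOTE(review): presumably substitutes a fake SHA-1
    # so the test does not depend on the crypto backend - confirm. It has no
    # place in a production config.
    fake-sha1: yes
stub-zone:
    name: "."
    stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
; The block from AUTOTRUST_FILE to AUTOTRUST_END is the trust anchor file the
; resolver reads back. Its ";;" lines are state fields, not free-form comments,
; so it is reproduced verbatim and no notes are added inside it.
; Both DNSKEYs carry flags 385 = 257 (zone key + SEP) + 128 (REVOKE bit,
; RFC 5011) and are recorded as state=4 [ REVOKED ]. Algorithm 5 is RSASHA1
; and the keys are 512 bits: fixture keys only.
AUTOTRUST_FILE example.com
; autotrust trust anchor file
;;REVOKED
; The zone has all keys revoked, and is
; considered as if it has no trust anchors.
; the remainder of the file is the last probe.
; to restart the trust anchor, overwrite this file.
; with one containing valid DNSKEYs or DSes.
;;id: example.com. 1
;;last_queried: 1258962400 ;;Mon Nov 23 08:46:40 2009
;;last_success: 1258962400 ;;Mon Nov 23 08:46:40 2009
;;next_probe_time: ${0} ;;${ctime 0}
;;query_failed: 0
;;query_interval: 5400
;;retry_time: 3600
example.com. 10800 IN DNSKEY 385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
example.com. 10800 IN DNSKEY 385 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16614 (ksk), size = 512b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
AUTOTRUST_END
CONFIG_END

SCENARIO_BEGIN Test autotrust with revoked trust point read back from config

; K-ROOT
; Simulated root server: answers the root NS query and refers anything under
; com. to a.gtld-servers.net.
RANGE_BEGIN 0 100
    ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id copy_query
REPLY QR AA
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS k.root-servers.net.
SECTION ADDITIONAL
k.root-servers.net IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
; Simulated com. server: refers anything under example.com. to ns.example.com.
; The referral carries no DS or NSEC records.
RANGE_BEGIN 0 100
    ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END

; ns.example.com.
; Simulated authoritative server. The answer below has no RRSIG, so it can
; only reach the client if example.com is being treated as insecure.
RANGE_BEGIN 0 100
    ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END

RANGE_END

; Client query with RD and DO set, i.e. the client asks for DNSSEC processing.
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; correct unsigned response works after trust point revocation.
; The expected flags are QR RD RA DO with NOERROR and no AD, so the answer is
; delivered but not marked as authenticated.
; NOTE(review): this assumes MATCH all also compares header flags - confirm
; against the test harness's matcher.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END

SCENARIO_END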