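; config options
; The island of trust is at example.com
;
; Layout: an Unbound testbound replay scenario. The text up to CONFIG_END is
; resolver configuration; the text after it scripts the fake authoritative
; servers (RANGE blocks) and the client queries and expected answers (STEP).
server:
	; DS trust anchor for example.com: key tag 2854, algorithm 3 (DSA/SHA-1),
	; digest type 1 (SHA-1).
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	; Pins the validator's notion of "now" to 2007-09-16 13:42:26 so that the
	; RRSIG validity windows below are judged deterministically. Test-only:
	; overriding the date on a production resolver defeats expiry checking.
	val-override-date: "20070916134226"
	target-fetch-policy: "0 0 0 0 0"
	qname-minimisation: "no"
	; NOTE(review): test-oriented knob; presumably lets this SHA-1-based
	; fixture run where the crypto library has SHA-1 disabled - confirm
	; against the Unbound source. Not a setting for production resolvers.
	fake-sha1: yes
	trust-anchor-signaling: no
	; Attach Extended DNS Error codes to responses; the CHECK_ANSWER steps
	; below match on ede=7.
	ede: yes

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test validator with blacklist prime gives bad key entry
; the data response needs a blacklist action as well, since it also
; comes from an 'expired signatures' name server.
;
; What the fixture encodes (read off the records below):
;  - 1.2.3.4 (ns.example.com) serves RRSIGs valid 20030829..20030926, which
;    is before the overridden date 20070916, i.e. expired.
;  - 1.2.3.5 (ns.blabla.com) serves RRSIGs valid 20070829..20070926, which
;    contains the overridden date.
;  - The com. delegation hands out glue for ns.example.com only.
;  - Both client queries are expected to end in SERVFAIL with ede=7
;    (RFC 8914: Signature Expired) rather than in unvalidated data.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 99
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 99
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.blabla.com. IN A
SECTION ANSWER
ns.blabla.com. IN A 1.2.3.5
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.blabla.com. IN AAAA
SECTION AUTHORITY
com. IN SOA com. com. 2009100100 28800 7200 604800 3600
ENTRY_END

; Referral for anything at or below example.com: only ns.example.com is
; delegated with glue; the ns.blabla.com NS record is commented out.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
;example.com. IN NS ns.blabla.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
; no ns.blabla.com, try that later
ENTRY_END
RANGE_END

; ns.example.com.
; Every RRSIG in this range expires 20030926134150, years before the
; overridden validation date, so nothing from this server can validate.
RANGE_BEGIN 0 99
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.blabla.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20030926134150 20030829134150 2854 example.com. AKJ3xUBdSrCiOFkYajsy93d+h06rewpbmBHItTkL8R/26rw57b1gCIg= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20030926134150 20030829134150 2854 example.com. AHNj99mBmP4np19V01nSq990ZIFlIiLWoeHijm/HcOG/o8+DuIp4fL8= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20030926134150 20030829134150 2854 example.com. AHNj99mBmP4np19V01nSq990ZIFlIiLWoeHijm/HcOG/o8+DuIp4fL8= ;{id = 2854}
SECTION ADDITIONAL
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
SECTION ADDITIONAL
ns.example.com. IN NSEC oof.example.com. NSEC RRSIG A
ns.example.com. 3600 IN RRSIG NSEC 3 3 3600 20030926134150 20030829134150 2854 example.com. ACFVLLBtuSX/1z3461tbOwDz9zTHe5S9DbVtwnSO1f2x06fYbMpzSDE= ;{id = 2854}
ENTRY_END

; response to DNSKEY priming query
; The DNSKEY itself matches the trust anchor's key tag (2854), but the RRSIG
; covering it carries the expired 2003 validity window.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20030926134150 20030829134150 2854 example.com. AG21xE8CFQzTq6XtHErg28b9EAmqPsoYCUcFPEAoAjFybM6AY4/bMOo= ;{id = 2854}
SECTION AUTHORITY
;example.com. IN NS ns.example.com.
;example.com. IN NS ns.blabla.com.
;example.com. 3600 IN RRSIG NS 3 2 3600 20030926134150 20030829134150 2854 example.com. ACiWu7zjBHqgEX3iUoOF7rfpOmIAHj1npKQ+XDIaNlmdkfJxoCwFl04= ;{id = 2854}
SECTION ADDITIONAL
;ns.example.com. IN A 1.2.3.4
;ns.example.com. 3600 IN RRSIG A 3 3 3600 20030926134150 20030829134150 2854 example.com. ACmAsKTf7hqDaYK8CQ7FL1cGYPW+blTCnzZGkExFtEUAGrHeze87o+A= ;{id = 2854}
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
www.example.com. 3600 IN RRSIG A 3 3 3600 20030926134150 20030829134150 2854 example.com. AGj9kE8oW3OhOLhkmJ3HBaNIOpvGf3S8zSd5gWmhpxAMc5hh6cxZfpQ= ;{id = 2854}
SECTION AUTHORITY
;example.com. IN NS ns.example.com.
;example.com. IN NS ns.blabla.com.
;example.com. 3600 IN RRSIG NS 3 2 3600 20030926134150 20030829134150 2854 example.com. ACHETweBNPgbmRoNRdKvxuw4X9qNUUTEpSuwV+HhuiBE83gbB98asAc= ;{id = 2854}
SECTION ADDITIONAL
;ns.example.com. IN A 1.2.3.4
;ns.example.com. 3600 IN RRSIG A 3 3 3600 20030926134150 20030829134150 2854 example.com. AGvu9A/nGsbatxJCmnObioIhKg2Tm0Apr0eo+DO1kIDrAHco/bt/EdY= ;{id = 2854}
ENTRY_END
RANGE_END

; ns.blabla.com.
; RRSIGs in this range are valid 20070829..20070926, which contains the
; overridden validation date. Whether the resolver ever queries this address
; depends on its server selection; the expected answers below are SERVFAIL
; either way.
RANGE_BEGIN 0 99
	ADDRESS 1.2.3.5
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.blabla.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. AAJHNhPYVG6+550zQga9ZgV8McQZHLboOWjfbdiq2ZC+gUcQeQDDlFs= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
SECTION ADDITIONAL
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
SECTION ADDITIONAL
ns.example.com. IN NSEC oof.example.com. NSEC RRSIG A
ns.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. ABhDNtJramb2a4R1SK5gb/CTYJybQts6mZ++z3kLiwsrUSZInA4ikeQ= ;{id = 2854}
ENTRY_END

; response to DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.blabla.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. AAJHNhPYVG6+550zQga9ZgV8McQZHLboOWjfbdiq2ZC+gUcQeQDDlFs= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to query of interest
; NOTE(review): in this entry the RRSIG owner names look swapped relative to
; the A records they follow (ns.example.com RRSIG under the www A record in
; ANSWER, www.example.com RRSIG under the ns A record in ADDITIONAL). This
; may be deliberate for the blacklist path - confirm before "fixing" it.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.blabla.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. AAJHNhPYVG6+550zQga9ZgV8McQZHLboOWjfbdiq2ZC+gUcQeQDDlFs= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
ENTRY_END
RANGE_END

; ns.example.com.
; later on, making sure DNSKEY primes give testbound failure.
; From step 100 onwards this address answers only ftp.example.com A; there is
; no DNSKEY entry in this range.
RANGE_BEGIN 100 200
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ftp.example.com. IN A
SECTION ANSWER
ftp.example.com. IN A 10.20.33.33
; very bad signature
; (expired 2003 window, and the signature blob is the one used for the
; ns.example.com A RRset in the first 1.2.3.4 range)
ftp.example.com. 3600 IN RRSIG A 3 3 3600 20030926134150 20030829134150 2854 example.com. AHNj99mBmP4np19V01nSq990ZIFlIiLWoeHijm/HcOG/o8+DuIp4fL8= ;{id = 2854}
ENTRY_END
RANGE_END


STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
; Expected: SERVFAIL carrying EDE 7 (Signature Expired, RFC 8914), so the
; client can tell a validation failure from an unreachable zone.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
ENTRY_END

STEP 100 TIME_PASSES ELAPSE 10

; second query should not result in going to the network.
STEP 110 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
ftp.example.com. IN A
ENTRY_END

; recursion happens here.
; Expected: the same SERVFAIL with EDE 7 for a different name in the zone.
STEP 120 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=7
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
ftp.example.com. IN A
ENTRY_END


SCENARIO_END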