1; Test ipsecmod with bogus IPSECKEY
2
3; config options
4; The island of trust is at example.com
5server:
6	trust-anchor: "example.com.    IN      DS      48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
7	val-override-date: "-1"
8	target-fetch-policy: "0 0 0 0 0"
9	qname-minimisation: "no"
10	# test that default value of harden-dnssec-stripped is still yes.
11	fake-sha1: yes
12	trust-anchor-signaling: no
13	access-control: 127.0.0.1 allow_snoop
14	module-config: "ipsecmod validator iterator"
15	; ../../ is there because the test runs from testdata/03-testbound.dir
16	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
17	ipsecmod-strict: no
18	ipsecmod-max-ttl: 200
19
20stub-zone:
21	name: "."
22	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
23CONFIG_END
24
25SCENARIO_BEGIN Test ipsecmod with bogus IPSECKEY
26; Scenario overview:
27; - query for example.com. IN A
28; - check that query for example.com. IN IPSECKEY is generated
29; - check that example.com. IN A is answered with SERVFAIL (STEP 10): the
30;   IPSECKEY RRSIG served below is bogus, even though ipsecmod-strict is "no"
31; - check that a follow-up query without RD finds no cached answer (STEP 20)
32
33; K.ROOT-SERVERS.NET.
34RANGE_BEGIN 0 100
35	ADDRESS 193.0.14.129
36	ENTRY_BEGIN
37		MATCH opcode qtype qname
38		ADJUST copy_id
39		REPLY QR NOERROR
40		SECTION QUESTION
41			. IN NS
42		SECTION ANSWER
43			. IN NS	K.ROOT-SERVERS.NET.
44		SECTION ADDITIONAL
45			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
46	ENTRY_END
47
48	ENTRY_BEGIN
49		MATCH opcode qtype qname
50		ADJUST copy_id
51		REPLY QR AA NOERROR
52		SECTION QUESTION
53			a.gtld-servers.net.	IN AAAA
54		SECTION AUTHORITY
55			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
56	ENTRY_END
57
58	ENTRY_BEGIN
59		MATCH opcode qtype qname
60		ADJUST copy_id
61		REPLY QR AA NOERROR
62		SECTION QUESTION
63			K.ROOT-SERVERS.NET.	IN	AAAA
64		SECTION AUTHORITY
65			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
66	ENTRY_END
67
68	ENTRY_BEGIN
69		MATCH opcode subdomain
70		ADJUST copy_id copy_query
71		REPLY QR NOERROR
72		SECTION QUESTION
73			com. IN A
74		SECTION AUTHORITY
75			com. IN NS	a.gtld-servers.net.
76		SECTION ADDITIONAL
77			a.gtld-servers.net.	IN 	A	192.5.6.30
78	ENTRY_END
79RANGE_END
80
81; a.gtld-servers.net.
82RANGE_BEGIN 0 100
83	ADDRESS 192.5.6.30
84	ENTRY_BEGIN
85		MATCH opcode qtype qname
86		ADJUST copy_id
87		REPLY QR NOERROR
88		SECTION QUESTION
89			com. IN NS
90		SECTION ANSWER
91			com.    IN NS   a.gtld-servers.net.
92		SECTION ADDITIONAL
93			a.gtld-servers.net.     IN      A       192.5.6.30
94	ENTRY_END
95
96	ENTRY_BEGIN
97		MATCH opcode subdomain
98		ADJUST copy_id copy_query
99		REPLY QR NOERROR
100		SECTION QUESTION
101			example.com. IN A
102		SECTION AUTHORITY
103			example.com.	IN NS	ns.example.com.
104		SECTION ADDITIONAL
105			ns.example.com.		IN 	A	1.2.3.4
106	ENTRY_END
107RANGE_END
108
109; ns.example.com.
110RANGE_BEGIN 0 100
111	ADDRESS 1.2.3.4
112	ENTRY_BEGIN
113		MATCH opcode qtype qname
114		ADJUST copy_id
115		REPLY QR NOERROR
116		SECTION QUESTION
117			example.com. IN NS
118		SECTION ANSWER
119			example.com.    IN NS   ns.example.com.
120			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
121		SECTION ADDITIONAL
122			ns.example.com.         IN      A       1.2.3.4
123			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
124	ENTRY_END
125
126	ENTRY_BEGIN
127		MATCH opcode qtype qname
128		ADJUST copy_id
129		REPLY QR AA NOERROR
130		SECTION QUESTION
131			ns.example.com. IN AAAA
132		SECTION AUTHORITY
133			example.com.    86400   IN      SOA     ns.example.com. example.com. 2002022401 10800 15 604800 10800
134			example.com.    86400   IN      RRSIG   SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
135	ENTRY_END
136
137	; response to A query
138	ENTRY_BEGIN
139		MATCH opcode qtype qname
140		ADJUST copy_id
141		REPLY QR NOERROR
142		SECTION QUESTION
143			example.com. IN A
144		SECTION ANSWER
145			example.com.    3600	IN      A       5.6.7.8
146			example.com.    3600    IN      RRSIG   A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
147		SECTION AUTHORITY
148			example.com.    IN NS   ns.example.com.
149			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
150		SECTION ADDITIONAL
151			ns.example.com.         IN      A       1.2.3.4
152			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
153	ENTRY_END
154
155	; response to IPSECKEY query
156	ENTRY_BEGIN
157		MATCH opcode qtype qname
158		ADJUST copy_id
159		REPLY QR NOERROR
160		SECTION QUESTION
161			example.com. IN IPSECKEY
162		SECTION ANSWER
163			example.com.    3600    IN      IPSECKEY        10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
164			;(correct answer) example.com.    3600    IN      RRSIG   IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
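165			; (bogus answer) same RRSIG with the start of the signature overwritten by "Bogus", so it cannot validate against key 48069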
166			example.com.    3600    IN      RRSIG   IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
167		SECTION AUTHORITY
168			example.com.    IN NS   ns.example.com.
169			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
170		SECTION ADDITIONAL
171			ns.example.com.         IN      A       1.2.3.4
172			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
173	ENTRY_END
174
175; response to DNSKEY priming query
176	ENTRY_BEGIN
177		MATCH opcode qtype qname
178		ADJUST copy_id
179		REPLY QR AA NOERROR
180		SECTION QUESTION
181			example.com. IN DNSKEY
182		SECTION ANSWER
183			example.com.    86400   IN      DNSKEY  256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
184			example.com.    86400   IN      RRSIG   DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
185		SECTION AUTHORITY
186			example.com.    IN NS   ns.example.com.
187			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
188		SECTION ADDITIONAL
189			ns.example.com.         IN      A       1.2.3.4
190			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
191	ENTRY_END
192RANGE_END
193
194STEP 1 QUERY
195ENTRY_BEGIN
196	REPLY RD
197	SECTION QUESTION
198		example.com. IN A
199ENTRY_END
200
201STEP 2 CHECK_OUT_QUERY
202ENTRY_BEGIN
203	MATCH qname qtype opcode
204	SECTION QUESTION
205		example.com. IN IPSECKEY
206ENTRY_END
207
208; recursion happens here.
209STEP 10 CHECK_ANSWER
210	ENTRY_BEGIN
211	MATCH all
212	REPLY QR RD RA SERVFAIL
213	SECTION QUESTION
214		example.com. IN A
215	SECTION ANSWER
216ENTRY_END
217
218; Query without RD, check if not cached
219STEP 11 QUERY
220ENTRY_BEGIN
221	SECTION QUESTION
222		example.com. IN A
223ENTRY_END
224
225STEP 20 CHECK_ANSWER
226	ENTRY_BEGIN
227	MATCH all
228	REPLY QR RA NOERROR
229	SECTION QUESTION
230		example.com. IN A
231	SECTION ANSWER
232	SECTION AUTHORITY
233		example.com.	IN NS	ns.example.com.
234	SECTION ADDITIONAL
235		ns.example.com.		IN 	A	1.2.3.4
236ENTRY_END
237
238SCENARIO_END
239