xref: /netbsd-src/external/bsd/unbound/dist/testdata/ipsecmod_bogus_ipseckey.crpl (revision c38e7cc395b1472a774ff828e46123de44c628e9)
1; Test ipsecmod with bogus IPSECKEY
2
3; config options
4; The island of trust is at example.com
5server:
6	trust-anchor: "example.com.    IN      DS      48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
7	val-override-date: "-1"
8	target-fetch-policy: "0 0 0 0 0"
9	# test that default value of harden-dnssec-stripped is still yes.
10	fake-sha1: yes
11	trust-anchor-signaling: no
12	access-control: 127.0.0.1 allow_snoop
13	module-config: "ipsecmod validator iterator"
14	; ../../ is there because the test runs from testdata/03-testbound.dir
15	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
16	ipsecmod-strict: no
17	ipsecmod-max-ttl: 200
18
19stub-zone:
20	name: "."
21	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
22CONFIG_END
23
24SCENARIO_BEGIN Test ipsecmod with bogus IPSECKEY
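25; Scenario overview:
26; - query for example.com. IN A
27; - check that query for example.com. IN IPSECKEY is generated
28; - check that we get an answer for example.com. IN A with the correct TTL
29; - check that we get the same answer from cache
30; - check that we don't get the IPSECKEY answer from cache (bogus)
; Note: the steps below do not match the two "answer" bullets as worded.
; STEP 10 expects SERVFAIL with an empty ANSWER section for the A query,
; since the IPSECKEY RRSIG served by ns.example.com. is deliberately invalid
; (ipsecmod-ignore-bogus is not set in the config above). STEP 20 expects
; the follow-up query without RD to return only a referral, i.e. nothing
; from the failed lookup was cached.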
31
32; K.ROOT-SERVERS.NET.
33RANGE_BEGIN 0 100
34	ADDRESS 193.0.14.129
35	ENTRY_BEGIN
36		MATCH opcode qtype qname
37		ADJUST copy_id
38		REPLY QR NOERROR
39		SECTION QUESTION
40			. IN NS
41		SECTION ANSWER
42			. IN NS	K.ROOT-SERVERS.NET.
43		SECTION ADDITIONAL
44			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
45	ENTRY_END
46
47	ENTRY_BEGIN
48		MATCH opcode qtype qname
49		ADJUST copy_id
50		REPLY QR AA NOERROR
51		SECTION QUESTION
52			a.gtld-servers.net.	IN AAAA
53		SECTION AUTHORITY
54			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
55	ENTRY_END
56
57	ENTRY_BEGIN
58		MATCH opcode qtype qname
59		ADJUST copy_id
60		REPLY QR AA NOERROR
61		SECTION QUESTION
62			K.ROOT-SERVERS.NET.	IN	AAAA
63		SECTION AUTHORITY
64			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
65	ENTRY_END
66
67	ENTRY_BEGIN
68		MATCH opcode subdomain
69		ADJUST copy_id copy_query
70		REPLY QR NOERROR
71		SECTION QUESTION
72			com. IN A
73		SECTION AUTHORITY
74			com. IN NS	a.gtld-servers.net.
75		SECTION ADDITIONAL
76			a.gtld-servers.net.	IN 	A	192.5.6.30
77	ENTRY_END
78RANGE_END
79
80; a.gtld-servers.net.
81RANGE_BEGIN 0 100
82	ADDRESS 192.5.6.30
83	ENTRY_BEGIN
84		MATCH opcode qtype qname
85		ADJUST copy_id
86		REPLY QR NOERROR
87		SECTION QUESTION
88			com. IN NS
89		SECTION ANSWER
90			com.    IN NS   a.gtld-servers.net.
91		SECTION ADDITIONAL
92			a.gtld-servers.net.     IN      A       192.5.6.30
93	ENTRY_END
94
95	ENTRY_BEGIN
96		MATCH opcode subdomain
97		ADJUST copy_id copy_query
98		REPLY QR NOERROR
99		SECTION QUESTION
100			example.com. IN A
101		SECTION AUTHORITY
102			example.com.	IN NS	ns.example.com.
103		SECTION ADDITIONAL
104			ns.example.com.		IN 	A	1.2.3.4
105	ENTRY_END
106RANGE_END
107
108; ns.example.com.
109RANGE_BEGIN 0 100
110	ADDRESS 1.2.3.4
111	ENTRY_BEGIN
112		MATCH opcode qtype qname
113		ADJUST copy_id
114		REPLY QR NOERROR
115		SECTION QUESTION
116			example.com. IN NS
117		SECTION ANSWER
118			example.com.    IN NS   ns.example.com.
119			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
120		SECTION ADDITIONAL
121			ns.example.com.         IN      A       1.2.3.4
122			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
123	ENTRY_END
124
125	ENTRY_BEGIN
126		MATCH opcode qtype qname
127		ADJUST copy_id
128		REPLY QR AA NOERROR
129		SECTION QUESTION
130			ns.example.com. IN AAAA
131		SECTION AUTHORITY
132			example.com.    86400   IN      SOA     ns.example.com. example.com. 2002022401 10800 15 604800 10800
133			example.com.    86400   IN      RRSIG   SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
134	ENTRY_END
135
136	; response to A query
137	ENTRY_BEGIN
138		MATCH opcode qtype qname
139		ADJUST copy_id
140		REPLY QR NOERROR
141		SECTION QUESTION
142			example.com. IN A
143		SECTION ANSWER
144			example.com.    3600	IN      A       5.6.7.8
145			example.com.    3600    IN      RRSIG   A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
146		SECTION AUTHORITY
147			example.com.    IN NS   ns.example.com.
148			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
149		SECTION ADDITIONAL
150			ns.example.com.         IN      A       1.2.3.4
151			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
152	ENTRY_END
153
154	; response to IPSECKEY query
155	ENTRY_BEGIN
156		MATCH opcode qtype qname
157		ADJUST copy_id
158		REPLY QR NOERROR
159		SECTION QUESTION
160			example.com. IN IPSECKEY
161		SECTION ANSWER
162			example.com.    3600    IN      IPSECKEY        10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
163			;(correct answer) example.com.    3600    IN      RRSIG   IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
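164			; (bogus answer: same RRSIG as the commented-out correct one above, with the first characters of the signature replaced by "Bogus", so validation is expected to fail)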
165			example.com.    3600    IN      RRSIG   IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
166		SECTION AUTHORITY
167			example.com.    IN NS   ns.example.com.
168			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
169		SECTION ADDITIONAL
170			ns.example.com.         IN      A       1.2.3.4
171			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
172	ENTRY_END
173
174; response to DNSKEY priming query
175	ENTRY_BEGIN
176		MATCH opcode qtype qname
177		ADJUST copy_id
178		REPLY QR AA NOERROR
179		SECTION QUESTION
180			example.com. IN DNSKEY
181		SECTION ANSWER
182			example.com.    86400   IN      DNSKEY  256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
183			example.com.    86400   IN      RRSIG   DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
184		SECTION AUTHORITY
185			example.com.    IN NS   ns.example.com.
186			example.com.    3600    IN      RRSIG   NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
187		SECTION ADDITIONAL
188			ns.example.com.         IN      A       1.2.3.4
189			ns.example.com. 3600    IN      RRSIG   A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
190	ENTRY_END
191RANGE_END
192
193STEP 1 QUERY
194ENTRY_BEGIN
195	REPLY RD
196	SECTION QUESTION
197		example.com. IN A
198ENTRY_END
199
200STEP 2 CHECK_OUT_QUERY
201ENTRY_BEGIN
202	MATCH qname qtype opcode
203	SECTION QUESTION
204		example.com. IN IPSECKEY
205ENTRY_END
206
207; recursion happens here.
208STEP 10 CHECK_ANSWER
209	ENTRY_BEGIN
210	MATCH all
211	REPLY QR RD RA SERVFAIL
212	SECTION QUESTION
213		example.com. IN A
214	SECTION ANSWER
215ENTRY_END
216
217; Query without RD, so only the cache can answer: check that no A answer was cached after the bogus IPSECKEY
218STEP 11 QUERY
219ENTRY_BEGIN
220	SECTION QUESTION
221		example.com. IN A
222ENTRY_END
223
224STEP 20 CHECK_ANSWER
225	ENTRY_BEGIN
226	MATCH all
227	REPLY QR RA NOERROR
228	SECTION QUESTION
229		example.com. IN A
230	SECTION ANSWER
231	SECTION AUTHORITY
232		example.com.	IN NS	ns.example.com.
233	SECTION ADDITIONAL
234		ns.example.com.		IN 	A	1.2.3.4
235ENTRY_END
236
237SCENARIO_END
238