; Test ipsecmod-ignore-bogus option
;
; Shape of the test: the IPSECKEY response from ns.example.com. carries an
; RRSIG whose signature data has been altered (see "(bogus answer)" below),
; so the IPSECKEY RRset validates as bogus while the A RRset validates fine.
; With ipsecmod-ignore-bogus enabled the client must still receive the A
; answer, and the bogus IPSECKEY data must not be served from cache later.

; config options
; The island of trust is at example.com
server:
	trust-anchor: "example.com. IN DS 48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
	# Pin the validator's clock so the 2017 signature validity windows used
	# throughout this scenario are accepted (test-only setting).
	val-override-date: "-1"
	# No extra target-address fetches, so the outbound queries the ranges
	# below have to answer stay deterministic.
	target-fetch-policy: "0 0 0 0 0"
	# test that default value of harden-dnssec-stripped is still yes.
	# fake-sha1 is a test-only switch; the records here use algorithm 8 and
	# DS digest type 2, so it is not expected to influence this scenario.
	fake-sha1: yes
	# No trust-anchor signaling queries; the ranges below do not answer them.
	trust-anchor-signaling: no
	# allow_snoop permits the non-RD queries in steps 11 and 21, which are
	# answered from cache only and are what the cache checks rely on.
	access-control: 127.0.0.1 allow_snoop
	module-config: "ipsecmod validator iterator"
	; ../../ is there because the test runs from testdata/03-testbound.dir
	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
	ipsecmod-strict: no
	# Caps the TTL of the A answer: step 10 expects 200 although the zone
	# record carries 3600.
	ipsecmod-max-ttl: 200
	# The option under test: a bogus IPSECKEY RRset must not break the A
	# answer.
	ipsecmod-ignore-bogus: yes
	# Full qnames on the wire, so the "subdomain" entries below see the
	# queries they expect.
	qname-minimisation: "no"
	minimal-responses: no

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test ipsecmod-ignore-bogus option
; Scenario overview:
; - query for example.com. IN A
; - check that query for example.com. IN IPSECKEY is generated
; - check that we get an answer for example.com. IN A with the correct TTL
; - check that we get the same answer from cache
; - check that we don't get the IPSECKEY answer from cache (bogus)

; K.ROOT-SERVERS.NET.
; Unsigned root: serves the root NS set and a referral to com.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	. IN NS
	SECTION ANSWER
	. IN NS	K.ROOT-SERVERS.NET.
	SECTION ADDITIONAL
	K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
	ENTRY_END

	; Negative answers for the AAAA lookups of the server names, so the
	; iterator does not wait on IPv6 glue.
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR AA NOERROR
	SECTION QUESTION
	a.gtld-servers.net. IN AAAA
	SECTION AUTHORITY
	. 86400 IN SOA . . 20070304 28800 7200 604800 86400
	ENTRY_END

	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR AA NOERROR
	SECTION QUESTION
	K.ROOT-SERVERS.NET. IN AAAA
	SECTION AUTHORITY
	. 86400 IN SOA . . 20070304 28800 7200 604800 86400
	ENTRY_END

	; Referral: any query under com. gets the com. delegation.
	ENTRY_BEGIN
	MATCH opcode subdomain
	ADJUST copy_id copy_query
	REPLY QR NOERROR
	SECTION QUESTION
	com. IN A
	SECTION AUTHORITY
	com.	IN NS	a.gtld-servers.net.
	SECTION ADDITIONAL
	a.gtld-servers.net.	IN 	A	192.5.6.30
	ENTRY_END
RANGE_END

; a.gtld-servers.net.
; Unsigned com.: serves its NS set and a referral to example.com.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	com. IN NS
	SECTION ANSWER
	com.	IN NS	a.gtld-servers.net.
	SECTION ADDITIONAL
	a.gtld-servers.net.	IN 	A	192.5.6.30
	ENTRY_END

	; Referral: any query under example.com. gets the example.com. delegation.
	ENTRY_BEGIN
	MATCH opcode subdomain
	ADJUST copy_id copy_query
	REPLY QR NOERROR
	SECTION QUESTION
	example.com. IN A
	SECTION AUTHORITY
	example.com.	IN NS	ns.example.com.
	SECTION ADDITIONAL
	ns.example.com.		IN 	A	1.2.3.4
	ENTRY_END
RANGE_END

; ns.example.com.
; Signed example.com. (key tag 48069, the key the trust anchor DS points at).
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	example.com. IN NS
	SECTION ANSWER
	example.com.	IN NS	ns.example.com.
	example.com.	3600	IN	RRSIG	NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
	SECTION ADDITIONAL
	ns.example.com.		IN 	A	1.2.3.4
	ns.example.com.	3600	IN	RRSIG	A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
	ENTRY_END

	; Signed negative answer for ns.example.com. AAAA.
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR AA NOERROR
	SECTION QUESTION
	ns.example.com. IN AAAA
	SECTION AUTHORITY
	example.com.	86400	IN	SOA	ns.example.com. example.com. 2002022401 10800 15 604800 10800
	example.com.	86400	IN	RRSIG	SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
	ENTRY_END

	; response to A query
	; Correctly signed; this is the RRset the client must still receive.
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	example.com. IN A
	SECTION ANSWER
	example.com.	3600	IN	A	5.6.7.8
	example.com.	3600	IN	RRSIG	A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
	SECTION AUTHORITY
	example.com.	IN NS	ns.example.com.
	example.com.	3600	IN	RRSIG	NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
	SECTION ADDITIONAL
	ns.example.com.		IN 	A	1.2.3.4
	ns.example.com.	3600	IN	RRSIG	A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
	ENTRY_END

	; response to IPSECKEY query
	; The IPSECKEY RRset itself is intact; only its RRSIG is tampered with,
	; so the validator must mark the RRset bogus.
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	example.com. IN IPSECKEY
	SECTION ANSWER
	example.com.	3600	IN	IPSECKEY	10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
	;(correct answer) example.com.	3600	IN	RRSIG	IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
	; (bogus answer)
	; Same RRSIG as the commented-out correct one, with the leading bytes of
	; the signature data replaced by "Bogus"; everything else is unchanged.
	example.com.	3600	IN	RRSIG	IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
	SECTION AUTHORITY
	example.com.	IN NS	ns.example.com.
	example.com.	3600	IN	RRSIG	NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
	SECTION ADDITIONAL
	ns.example.com.		IN 	A	1.2.3.4
	ns.example.com.	3600	IN	RRSIG	A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
	ENTRY_END

; response to DNSKEY priming query
; The DNSKEY (key tag 48069) is what the configured trust-anchor DS
; authenticates; every RRSIG in this range is made with it.
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR AA NOERROR
	SECTION QUESTION
	example.com. IN DNSKEY
	SECTION ANSWER
	example.com.	86400	IN	DNSKEY	256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
	example.com.	86400	IN	RRSIG	DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
	SECTION AUTHORITY
	example.com.	IN NS	ns.example.com.
	example.com.	3600	IN	RRSIG	NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
	SECTION ADDITIONAL
	ns.example.com.		IN 	A	1.2.3.4
	ns.example.com.	3600	IN	RRSIG	A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
	ENTRY_END
RANGE_END

; Client query with RD set: triggers the full resolution.
STEP 1 QUERY
ENTRY_BEGIN
	REPLY RD
	SECTION QUESTION
	example.com. IN A
ENTRY_END

; ipsecmod must issue its own IPSECKEY query for the queried name.
STEP 2 CHECK_OUT_QUERY
ENTRY_BEGIN
	MATCH qname qtype opcode
	SECTION QUESTION
	example.com. IN IPSECKEY
ENTRY_END

; The A answer is delivered despite the bogus IPSECKEY RRset. "ttl" is part
; of the match: the TTL must be the ipsecmod-max-ttl cap (200), not 3600.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all ttl
	REPLY QR RD RA NOERROR
	SECTION QUESTION
	example.com. IN A
	SECTION ANSWER
	example.com.	200	IN	A	5.6.7.8
	SECTION AUTHORITY
	example.com.	IN NS	ns.example.com.
	SECTION ADDITIONAL
	ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

; Query without RD, check if cached and with correct TTL
STEP 11 QUERY
ENTRY_BEGIN
	SECTION QUESTION
	example.com. IN A
ENTRY_END

; Cache-only reply (no RD echoed back); same content and TTL as step 10.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all ttl
	REPLY QR RA NOERROR
	SECTION QUESTION
	example.com. IN A
	SECTION ANSWER
	example.com.	200	IN	A	5.6.7.8
	SECTION AUTHORITY
	example.com.	IN NS	ns.example.com.
	SECTION ADDITIONAL
	ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

; Query without RD, check if IPSECKEY is not cached
STEP 21 QUERY
ENTRY_BEGIN
	SECTION QUESTION
	example.com. IN IPSECKEY
ENTRY_END

; SERVFAIL is the expected outcome: the bogus IPSECKEY data fetched during
; step 1 must not be handed out from cache.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all
	REPLY QR RA SERVFAIL
	SECTION QUESTION
	example.com. IN IPSECKEY
ENTRY_END

SCENARIO_END