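; Test ipsecmod-strict option
;
; Purpose: with ipsecmod-strict enabled, a failing ipsecmod hook must make the
; resolver answer SERVFAIL for the A query (fail closed) rather than hand out
; the address, and the A answer must not remain in the cache afterwards.
; (The source-viewer line-number gutter that was fused onto every line has
; been removed so the file reads as a plain testbound replay again.)

; config options
server:
	; allow_snoop also admits non-recursive (RD=0) queries; steps 11 and 21
	; below rely on that to inspect what is in the cache.
	access-control: 127.0.0.1 allow_snoop
	; ipsecmod is listed first, ahead of the validator and iterator.
	module-config: "ipsecmod validator iterator"
	; ../../ is there because the test runs from testdata/03-testbound.dir
	; NOTE(review): the hook is an external program run by the resolver and,
	; per unbound.conf(5), is handed values taken from DNS answers; the script
	; is not shown here. A relative path like this one is a test convenience
	; only, since it resolves against the working directory.
	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
	; strict: the hook must succeed before the A/AAAA answer is returned.
	ipsecmod-strict: yes
	; per unbound.conf(5): upper bound on the cached A/AAAA TTL after a
	; successful hook call; not exercised by this failure scenario.
	ipsecmod-max-ttl: 200
	qname-minimisation: "no"
	minimal-responses: no
	; No trust anchor is configured, so the IPSECKEY data in this scenario is
	; not DNSSEC-validated; only the hook-failure path is under test.

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test ipsecmod-strict option
; Scenario overview:
; - query for example.com. IN A
; - check that query for example.com. IN IPSECKEY is generated
; - check that we get SERVFAIL as answer (the hook failed)
; - check that the example.com. IN A answer is not cached
; - check that the example.com. IN IPSECKEY answer is cached

; Mock authoritative servers. Each RANGE answers for steps 0 through 100 at
; the given ADDRESS, so the resolver can walk root -> com. -> example.com.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
			. IN NS
		SECTION ANSWER
			. IN NS	K.ROOT-SERVERS.NET.
		SECTION ADDITIONAL
			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
	ENTRY_END

	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR AA NOERROR
		SECTION QUESTION
			a.gtld-servers.net.	IN AAAA
		SECTION AUTHORITY
			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
	ENTRY_END

	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR AA NOERROR
		SECTION QUESTION
			K.ROOT-SERVERS.NET.	IN	AAAA
		SECTION AUTHORITY
			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
	ENTRY_END

	; referral to com. for any name under com. (question copied from the query)
	ENTRY_BEGIN
		MATCH opcode subdomain
		ADJUST copy_id copy_query
		REPLY QR NOERROR
		SECTION QUESTION
			com. IN A
		SECTION AUTHORITY
			com. IN NS	a.gtld-servers.net.
		SECTION ADDITIONAL
			a.gtld-servers.net.	IN 	A	192.5.6.30
	ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
			com. IN NS
		SECTION ANSWER
			com.    IN NS   a.gtld-servers.net.
		SECTION ADDITIONAL
			a.gtld-servers.net.     IN      A       192.5.6.30
	ENTRY_END

	; referral to example.com. for any name under example.com.
	ENTRY_BEGIN
		MATCH opcode subdomain
		ADJUST copy_id copy_query
		REPLY QR NOERROR
		SECTION QUESTION
			example.com. IN A
		SECTION AUTHORITY
			example.com.	IN NS	ns.example.com.
		SECTION ADDITIONAL
			ns.example.com.		IN 	A	1.2.3.4
	ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
			example.com. IN NS
		SECTION ANSWER
			example.com.    IN NS   ns.example.com.
		SECTION ADDITIONAL
			ns.example.com.         IN      A       1.2.3.4
	ENTRY_END

	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR AA NOERROR
		SECTION QUESTION
			ns.example.com. IN AAAA
		SECTION AUTHORITY
			example.com. 10 IN SOA . . 15 28800 7200 604800 10
	ENTRY_END

	; response to A query
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
			example.com. IN A
		SECTION ANSWER
			example.com.    3600 IN      A       5.6.7.8
		SECTION AUTHORITY
			example.com.	IN NS	ns.example.com.
		SECTION ADDITIONAL
			ns.example.com.		IN 	A	1.2.3.4
	ENTRY_END

	; response to IPSECKEY query
	; RDATA fields (RFC 4025): precedence 10, gateway type 0 (no gateway),
	; algorithm 2 (RSA), gateway ".", then the base64 public key (test data).
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
			example.com. IN IPSECKEY
		SECTION ANSWER
			example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
		SECTION AUTHORITY
			example.com.	IN NS	ns.example.com.
		SECTION ADDITIONAL
			ns.example.com.		IN 	A	1.2.3.4
	ENTRY_END
RANGE_END

; Client asks for the A record with recursion desired.
STEP 1 QUERY
ENTRY_BEGIN
	REPLY RD
	SECTION QUESTION
		example.com. IN A
ENTRY_END

; ipsecmod must send its own IPSECKEY lookup for the same name.
STEP 2 CHECK_OUT_QUERY
ENTRY_BEGIN
	MATCH qname qtype opcode
	SECTION QUESTION
		example.com. IN IPSECKEY
ENTRY_END

; Strict mode with a failed hook: the client gets SERVFAIL and no A record,
; even though ns.example.com. answered the A query with 5.6.7.8.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all
	REPLY QR RD RA SERVFAIL
	SECTION QUESTION
		example.com. IN A
ENTRY_END

; Same question without RD: a cache-only lookup.
STEP 11 QUERY
ENTRY_BEGIN
	SECTION QUESTION
		example.com. IN A
ENTRY_END

; Expected reply has no ANSWER section, only the referral data, which shows
; the A record was not stored in the cache after the hook failure.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all
	REPLY QR RA NOERROR
	SECTION QUESTION
		example.com. IN A
	SECTION AUTHORITY
		example.com.	IN NS	ns.example.com.
	SECTION ADDITIONAL
		ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

; Cache-only lookup (no RD) for the IPSECKEY record.
STEP 21 QUERY
ENTRY_BEGIN
	SECTION QUESTION
		example.com. IN IPSECKEY
ENTRY_END

; The IPSECKEY record is returned in the ANSWER section, so it was cached
; even though the hook failed.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
	MATCH all
	REPLY QR RA NOERROR
	SECTION QUESTION
		example.com. IN IPSECKEY
	SECTION ANSWER
		example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
	SECTION AUTHORITY
		example.com.	IN NS	ns.example.com.
	SECTION ADDITIONAL
		ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

SCENARIO_END
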