; config options
server:
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	val-override-date: "20070916134226"
	fake-sha1: yes
	trust-anchor-signaling: no
	qname-minimisation: "no"

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.

CONFIG_END

SCENARIO_BEGIN Bug test dnssec-lame detection at ds point with target queries.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN A
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END
RANGE_END

; e.gtld-servers.net.
; Note this timing is so it will provide answers at the beginning.
RANGE_BEGIN 0 30
	ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END

; no example.net delegation answers yet.

RANGE_END

; e.gtld-servers.net.
; Note this timing is so it will not provide answers at the beginning,
; but only later on.
RANGE_BEGIN 30 100
	ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
; Note this timing is so it will not provide answers at the beginning,
; but only later on.
RANGE_BEGIN 30 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
SECTION AUTHORITY
; no NS set. not needed for this test.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN RRSIG NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. C/0b+sqlsdSTkhd+aDXb6ELyuQreosIGBzLCtWxYGD+Q9QGB5rN8uB+4+48yhw36pd3MfeAn06AgAnJ6eu8tJg== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.55
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION AUTHORITY
example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END

; fine DNSKEY response.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
ENTRY_END


; correct delegation with DS
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

; response for delegation to sub.example.com.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END

; This server is DNSSEC LAME!
; ns.sub.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.6

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END


; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
SECTION AUTHORITY
; dnssec-lameness detection depends on this information
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END


STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END

STEP 10 NOTHING
; recursion at time 10.
; first recursion with answers in 0-30 time
; with bug it now resolves to the bad version
; fixed, it stops waiting for more target queries.

STEP 40 NOTHING
; next recursion with more answers at time 40.

; recursion happens here.
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
ENTRY_END
SCENARIO_END