; config options
server:
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	val-override-date: "20070916134226"

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.

CONFIG_END

SCENARIO_BEGIN Bug test dnssec-lame detection at ds point with target queries.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN A
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END
RANGE_END

; e.gtld-servers.net.
; Note this timing is so it will provide answers at the beginning.
RANGE_BEGIN 0 30
	ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

; no example.net delegation answers yet.

RANGE_END

; e.gtld-servers.net.
; Note this timing is so it will not provide answers at the beginning,
; but only later on.
RANGE_BEGIN 30 100
	ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
; Note this timing is so it will not provide answers at the beginning,
; but only later on.
RANGE_BEGIN 30 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
SECTION AUTHORITY
; no NS set. not needed for this test.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN RRSIG NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. C/0b+sqlsdSTkhd+aDXb6ELyuQreosIGBzLCtWxYGD+Q9QGB5rN8uB+4+48yhw36pd3MfeAn06AgAnJ6eu8tJg== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.55
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
ENTRY_END

; fine DNSKEY response.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
ENTRY_END


; correct delegation with DS
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

; response for delegation to sub.example.com.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END

; This server is DNSSEC LAME!
; ns.sub.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.6

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END


; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
SECTION AUTHORITY
; dnssec-lameness detection depends on this information
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END


STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END

STEP 10 NOTHING
; recursion at time 10.
; first recursion with answers in 0-30 time
; with bug it now resolves to the bad version
; fixed, it stops waiting for more target queries.

STEP 40 NOTHING
; next recursion with more answers at time 40.

; recursion happens here.
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
ENTRY_END
SCENARIO_END