; config options
server:
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	val-override-date: "20070916134226"
	fake-sha1: yes
	trust-anchor-signaling: no
	qname-minimisation: "no"

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.

CONFIG_END

SCENARIO_BEGIN Bug test dnssec-lame detection at ds point with target queries.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN A
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END
RANGE_END

; e.gtld-servers.net.
; Note this timing is so it will provide answers at the beginning.
RANGE_BEGIN 0 30
	ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

; no example.net delegation answers yet.

RANGE_END

; e.gtld-servers.net.
; Note this timing is so it will not provide answers at the beginning,
; but only later on.
RANGE_BEGIN 30 100
	ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
; Note this timing is so it will not provide answers at the beginning,
; but only later on.
RANGE_BEGIN 30 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
SECTION AUTHORITY
; no NS set. not needed for this test.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN RRSIG NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. C/0b+sqlsdSTkhd+aDXb6ELyuQreosIGBzLCtWxYGD+Q9QGB5rN8uB+4+48yhw36pd3MfeAn06AgAnJ6eu8tJg== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.55
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
ENTRY_END

; fine DNSKEY response.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
ENTRY_END


; correct delegation with DS
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

; response for delegation to sub.example.com.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END

; This server is DNSSEC LAME!
; ns.sub.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.6

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END


; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
SECTION AUTHORITY
; dnssec-lameness detection depends on this information
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END


STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END

STEP 10 NOTHING
; recursion at time 10.
; first recursion with answers in 0-30 time
; with bug it now resolves to the bad version
; fixed, it stops waiting for more target queries.

STEP 40 NOTHING
; next recursion with more answers at time 40.

; recursion happens here.
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
ENTRY_END
SCENARIO_END