; config options
; Replay scenario for a validating resolver test. Lines up to CONFIG_END are
; resolver configuration. After SCENARIO_BEGIN, each RANGE block holds canned
; replies from one simulated authoritative server (keyed by ADDRESS), and the
; STEP blocks at the end send one client query and check the reply.
server:
; Trust anchor: DS for example.com with key tag 2854, algorithm 3 (DSA) and
; digest type 1 (SHA-1). Key tag 2854 is the id of the example.com DNSKEY
; served by 1.2.3.55 further down.
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
; Pins the validator's notion of "now" to 2007-09-16 13:42:26, which lies inside
; the 20070829134150 .. 20070926134150 validity window of every RRSIG in this
; file. Debugging/test setting: on a production resolver a fixed date would let
; long-expired signatures keep validating.
	val-override-date: "20070916134226"
; 0 at every depth: no opportunistic fetching of nameserver addresses.
; NOTE(review): presumably chosen so the set of outgoing queries stays
; deterministic for the replay; confirm.
	target-fetch-policy: "0 0 0 0 0"
; Test-only switch. NOTE(review): it appears to let the validator treat the
; SHA-1 based material used here (DS digest type 1, DSA, RSASHA1) as usable on
; builds without SHA-1 support; confirm against the validator source. It has no
; place in a production configuration.
	fake-sha1: yes
; Turns off the RFC 8145 key tag signalling query. NOTE(review): presumably
; because no RANGE entry below answers such a query; confirm.
	trust-anchor-signaling: no

; The root zone is stubbed to the simulated K root server below.
stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.

CONFIG_END

SCENARIO_BEGIN Test dnssec-lame detection at ds point, which is ok.

; Positive case: the parent returns a signed DS for sub.example.com (the
; "ds point"), and the servers for sub.example.com do return RRSIGs, so the
; final answer is expected to validate (AD set in the CHECK_ANSWER step).
;
; In every ENTRY below, "MATCH opcode qtype qname" selects the incoming query
; by those three fields and "ADJUST copy_id" copies the query ID into the
; reply. NOTE(review): "RANGE_BEGIN 0 100" is read here as "active for steps
; 0 through 100", which covers both STEPs of this scenario; confirm.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
; root NS set
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

; referral to com. for the query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; referral to net. for the address lookups of ns.example.net. (A, then AAAA)
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
; com. NS set
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; referral to example.com. (unsigned: no DS is needed here because the trust
; anchor is configured at example.com itself)
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END
RANGE_END

; e.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.12.94.30
; net. NS set
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

; referral to example.net. for the address lookups of ns.example.net.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
; Authoritative for example.net and also listed as the second nameserver of
; sub.example.com in the delegation served by 1.2.3.55. Its DNSKEY and A
; answers for sub.example.com carry RRSIGs by key 30899.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

; no AAAA record: empty answer section
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
; The zone key is 512-bit RSA with algorithm 5 (RSASHA1): fixture material
; only, far below what is acceptable for signing a real zone.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
SECTION AUTHORITY
; no NS set. not needed for this test.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
RANGE_END

; ns.example.com.
; Parent zone server: holds the trust-anchored key 2854 and the signed
; delegation to sub.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.55
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.55
ENTRY_END

; no AAAA record: reply carries the question only
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
ENTRY_END

; fine DNSKEY response.
; DNSKEY algorithm 3 (DSA), id 2854, the key tag named by the trust anchor.
; The RRSIGs over the DNSKEY and NS sets are made with that same key.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
ENTRY_END

; correct delegation with DS
; This is the "ds point" of the scenario title: the DS names key 30899 of
; sub.example.com (RSASHA1, digest type 1) and is signed by example.com key
; 2854, so the child zone is expected to be signed.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

; response for delegation to sub.example.com.
; Same signed referral, returned when the parent is asked for the child's
; DNSKEY.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END

; server is not DNSSEC lame.
; ns.sub.example.com.
; Its NS, DNSKEY and A answers all carry RRSIGs by key 30899.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.6

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN RRSIG NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. C/0b+sqlsdSTkhd+aDXb6ELyuQreosIGBzLCtWxYGD+Q9QGB5rN8uB+4+48yhw36pd3MfeAn06AgAnJ6eu8tJg== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
ENTRY_END

; no AAAA record for the nameserver: empty answer section
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END



; Client query with RD and DO set, so DNSSEC records are requested in the reply.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END

; recursion happens here.
; Expected reply: AD is set, i.e. the answer validated as secure along the chain
; trust anchor DS -> example.com DNSKEY 2854 -> sub.example.com DS ->
; sub.example.com DNSKEY 30899 -> RRSIG A. The RRSIG is returned because the
; query had DO set. NOTE(review): "MATCH all" is read here as comparing the
; whole reply rather than selected fields; confirm.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
ENTRY_END

SCENARIO_END