; config options
; Resolver configuration for this scenario; everything up to CONFIG_END is
; resolver config, the rest is the scripted network and the test steps.
server:
    ; The only trust anchor is a DS for example.com (key tag 2854, algorithm 3,
    ; digest type 1), so validation starts at example.com, not at the root.
    trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
    ; Pins the validator's notion of "now" to 2007-09-16 13:42:26, which lies
    ; inside the RRSIG validity windows used below (20070829.. to 20070926..).
    val-override-date: "20070916134226"
    ; NOTE(review): test-harness setting; presumably lets the SHA-1 based anchor
    ; and signatures be accepted regardless of the crypto library - confirm.
    fake-sha1: yes
    trust-anchor-signaling: no
    qname-minimisation: "no"

stub-zone:
    name: "."
    stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.

CONFIG_END

SCENARIO_BEGIN Test dnssec-lame detection at anchor point.

; Layout of the scripted network:
;   193.0.14.129  root            delegates com. and net.
;   192.5.6.30    a.gtld (com.)   delegates example.com to ns.example.com
;                                 (with glue) and ns.example.net (no glue)
;   192.12.94.30  e.gtld (net.)   delegates example.net
;   1.2.3.44      ns.example.net  serves example.com WITH RRSIGs
;   1.2.3.55      ns.example.com  serves example.com WITHOUT RRSIGs (the
;                                 dnssec-lame server)
; The final CHECK_ANSWER expects the AD flag and the RRSIG, which only the
; data served from 1.2.3.44 contains.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
    ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

; referral to com. for any query name under com.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; referral to net. for any query name under net.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN A
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
    ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; Unsigned referral to example.com; no DS is included here, the resolver only
; has the configured trust anchor for this zone.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
; Only ns.example.com gets glue, so unbound will try this server first.
; It is, however, the lame server.
ns.example.com. IN A 1.2.3.55
ENTRY_END
RANGE_END

; e.gtld-servers.net.
RANGE_BEGIN 0 100
    ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

; empty NOERROR answers: the gtld servers have no AAAA records in this scenario
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

; referral to example.net, with glue for ns.example.net (1.2.3.44)
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
; This server holds the signed copy of example.com: the DNSKEY, NS and
; www.example.com A answers below all carry RRSIGs with key tag 2854.
RANGE_BEGIN 0 100
    ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

; response to DNSKEY priming query
; (signed: the RRSIG over the DNSKEY RRset is what lets the key be checked
; against the configured DS anchor)
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134802 20070829134802 2854 example.com. AJwwYIUGH7HgjehzPVkrVUFmFkSGGksGjUX+/zqpCOG9a/cgGC+n40I= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134802 20070829134802 2854 example.com. ABUu7ITHLl6vfuWzedIp03igXknUR1gYPBl8X6uIDrvraN1bjQJPXME= ;{id = 2854}
ENTRY_END

; the signed answer that the final CHECK_ANSWER step expects to see
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END

; ns.example.com.
; The dnssec-lame server: authoritative (AA) for example.com, but none of its
; answers contain RRSIG records.
RANGE_BEGIN 0 100
    ADDRESS 1.2.3.55
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
ENTRY_END

; lame DNSKEY response.
; here without sigs (assuming server does unknown-RR type handling)
; The key itself is the same as on 1.2.3.44; only the RRSIG is missing.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
ENTRY_END

; lame NS response
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END

; the lame response. No RRSIGS.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
; the wrong answer.
; NOTE(review): the address equals the one in the signed answer from 1.2.3.44;
; what makes this reply unacceptable is the absent RRSIG, not the rdata.
www.example.com. IN A 10.20.30.40
SECTION AUTHORITY
; dnssec-lameness detection depends on this information
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END
RANGE_END

; Client query with the DO bit set, i.e. DNSSEC records are requested.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
; Pass condition: the reply must have AD set and carry the RRSIG. The unsigned
; reply from 1.2.3.55 cannot satisfy this, so (as the scenario title implies)
; the resolver has to treat that server as dnssec-lame and obtain the signed
; data from 1.2.3.44 instead of returning the unsigned data as secure.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
ENTRY_END

SCENARIO_END