; Unbound testbound replay scenario: DNSSEC-lame nameserver at the trust anchor.
;
; example.com. has a configured DS trust anchor and two nameservers:
;   ns.example.com. (1.2.3.55) - DNSSEC-lame: serves the zone data without RRSIGs
;   ns.example.net. (1.2.3.44) - serves the same data with RRSIGs
; The referral glue steers the resolver to the lame server first. The final check
; only passes if the resolver treats the unsigned replies as unusable below a
; trust anchor, fetches the signed data from the other server and returns it
; with the AD flag set, rather than accepting the unsigned answer as validated.

; config options
server:
; DS fields: key tag 2854, algorithm 3, digest type 1 (SHA-1).
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
; Fixed validation time; it lies inside the inception/expiration window of
; every RRSIG in this file (20070829... to 20070926...).
	val-override-date: "20070916134226"
; NOTE(review): presumably keeps SHA-1 digests usable for the test so the
; digest-type-1 DS above can be matched - confirm against the harness.
	fake-sha1: yes
; NOTE(review): presumably disabled so that no trust-anchor signaling queries
; appear as extra, unmatched queries in the scenario - confirm.
	trust-anchor-signaling: no

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.

CONFIG_END

SCENARIO_BEGIN Test dnssec-lame detection at anchor point.

; K.ROOT-SERVERS.NET.
; Simulated root server: answers the root NS query and hands out referrals
; for names under com. and net.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN A
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
; Simulated com. server: delegates example.com. to both nameservers but
; supplies glue only for ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
; the glue in this entry makes unbound follow this nameserver first;
; it is, however, the DNSSEC-lame server.
ns.example.com. IN A 1.2.3.55
ENTRY_END
RANGE_END

; e.gtld-servers.net.
; Simulated net. server: provides the address of ns.example.net., the
; nameserver that is not lame.
RANGE_BEGIN 0 100
	ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
; The working example.com. nameserver: its DNSKEY, NS and www replies all
; carry RRSIGs made with key tag 2854, the key tag named in the DS trust anchor.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

; response to DNSKEY priming query
; (signed: the DNSKEY RRset comes with its RRSIG)
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134802 20070829134802 2854 example.com. AJwwYIUGH7HgjehzPVkrVUFmFkSGGksGjUX+/zqpCOG9a/cgGC+n40I= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134802 20070829134802 2854 example.com. ABUu7ITHLl6vfuWzedIp03igXknUR1gYPBl8X6uIDrvraN1bjQJPXME= ;{id = 2854}
ENTRY_END

; the signed answer that the final CHECK_ANSWER step expects to see returned
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END

; ns.example.com.
; The DNSSEC-lame example.com. nameserver: it returns the same records as
; 1.2.3.44, but none of its replies contains an RRSIG.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.55
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
ENTRY_END

; lame DNSKEY response.
; here without sigs (assuming server does unknown-RR type handling)
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
ENTRY_END

; lame NS response
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END

; the lame response. No RRSIGS.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
; the wrong answer: the address equals the signed reply from 1.2.3.44, but no
; RRSIG accompanies it, so it cannot be validated against the trust anchor.
www.example.com. IN A 10.20.30.40
SECTION AUTHORITY
; dnssec-lameness detection depends on this information
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END
RANGE_END

; Client query with the DO flag set, i.e. DNSSEC records are requested.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
; Expected reply: AD is set and the RRSIG is present. In this scenario only
; 1.2.3.44 serves that RRSIG, so the unsigned reply from 1.2.3.55 must not
; have been used as the answer.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
ENTRY_END

SCENARIO_END