; Unbound testbound replay: a validating resolver meets a dnssec-lame server
; directly at its trust anchor.
;
; example.com sits under a DS trust anchor and has two nameservers:
;   1.2.3.55 (ns.example.com) serves every record without RRSIGs,
;   1.2.3.44 (ns.example.net) serves the same data with RRSIGs.
; The final check demands the AD flag and the RRSIG in the reply, which only
; the data served by 1.2.3.44 can satisfy. A resolver that hands back the
; unsigned answer, or returns it without validating, fails the scenario.

; config options
server:
	; DS trust anchor for example.com: key tag 2854, algorithm 3, digest type 1
	; (DSA and SHA-1 in the IANA registries). Both are legacy choices; this is
	; fixture data for the validator, not a template for a deployed anchor.
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	; Pins the validator's clock to 2007-09-16 13:42:26, which lies inside the
	; RRSIG validity windows used below (2007-08-29 to 2007-09-26).
	val-override-date: "20070916134226"

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.

CONFIG_END

SCENARIO_BEGIN Test dnssec-lame detection at anchor point.

; Simulated root server: K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
; root NS set
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS	K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
ENTRY_END

; referral for anything under com.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END

; referral for anything under net.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN A
SECTION AUTHORITY
net.	IN NS	e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net.	IN 	A	192.12.94.30
ENTRY_END

; AAAA lookup for the second example.com nameserver: referred to net.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
net.	IN NS	e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net.	IN 	A	192.12.94.30
ENTRY_END
RANGE_END

; Simulated com. server: a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END

; referral into example.com, naming both of its nameservers
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
example.com.	IN NS	ns.example.net.
SECTION ADDITIONAL
; Glue is supplied only for ns.example.com, so unbound follows this
; reference first. That address is, however, the lame server.
ns.example.com.		IN 	A	1.2.3.55
ENTRY_END
RANGE_END

; Simulated net. server: e.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net.	IN NS	e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net.	IN 	A	192.12.94.30
ENTRY_END

; empty AAAA answers for the gtld server names
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net.	IN 	AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
e.gtld-servers.net.	IN 	AAAA
SECTION ANSWER
ENTRY_END

; referrals to example.net for the address of ns.example.net
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
example.net.	IN NS	ns.example.net.
SECTION ADDITIONAL
ns.example.net.	IN 	A	1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net.	IN NS	ns.example.net.
SECTION ADDITIONAL
ns.example.net.	IN 	A	1.2.3.44
ENTRY_END
RANGE_END

; Simulated ns.example.net. at 1.2.3.44. It answers for example.net and is
; the nameserver that returns example.com data together with its RRSIGs.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net.	IN NS	ns.example.net.
SECTION ADDITIONAL
ns.example.net.	IN 	A	1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net.	IN 	A	1.2.3.44
SECTION AUTHORITY
example.net.	IN NS	ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net.	IN NS	ns.example.net.
SECTION ADDITIONAL
ns.example.net.	IN 	A	1.2.3.44
ENTRY_END

; Reply to the DNSKEY priming query: the key plus its RRSIG.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
ENTRY_END

; signed NS set, with signed glue
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com.    IN NS   ns.example.com.
example.com.    IN NS   ns.example.net.
example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134802 20070829134802 2854 example.com. AJwwYIUGH7HgjehzPVkrVUFmFkSGGksGjUX+/zqpCOG9a/cgGC+n40I= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com.         IN      A       1.2.3.55
ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926134802 20070829134802 2854 example.com. ABUu7ITHLl6vfuWzedIp03igXknUR1gYPBl8X6uIDrvraN1bjQJPXME= ;{id = 2854}
ENTRY_END

; signed answer for the name under test
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A	10.20.30.40
www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END

; Simulated ns.example.com. at 1.2.3.55: the dnssec-lame server. None of its
; replies carries an RRSIG.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.55
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
ENTRY_END

; Lame DNSKEY response: the key comes back with no signatures, on the
; assumption that the server does unknown-RR type handling.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
ENTRY_END

; Lame NS response: same NS set and glue as the signed server, no RRSIGs.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com.    IN NS   ns.example.com.
example.com.    IN NS   ns.example.net.
SECTION ADDITIONAL
ns.example.com.         IN      A       1.2.3.55
ENTRY_END

; The lame response for the name under test. No RRSIGs.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
; The wrong answer: the address equals the signed copy, but there is no
; RRSIG to check it against.
www.example.com. IN A	10.20.30.40
SECTION AUTHORITY
; dnssec-lameness detection depends on this NS information
example.com.    IN NS   ns.example.com.
example.com.    IN NS   ns.example.net.
SECTION ADDITIONAL
ns.example.com.         IN      A       1.2.3.55
ENTRY_END
RANGE_END

; Client query: recursion desired, DNSSEC OK bit set.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; Recursion happens here.
; Expected reply: AD set and the RRSIG present, i.e. the signed copy that
; 1.2.3.44 serves rather than the unsigned one from 1.2.3.55.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A	10.20.30.40
www.example.com.        3600    IN      RRSIG   A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
ENTRY_END

SCENARIO_END