1; config options 2; The island of trust is at example.com 3server: 4 trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" 5 val-override-date: "20070916134226" 6 target-fetch-policy: "0 0 0 0 0" 7 qname-minimisation: "no" 8 fake-sha1: yes 9 trust-anchor-signaling: no 10 minimal-responses: no 11 nsid: "ascii_hopsa kidee" 12 ede: yes 13 14stub-zone: 15 name: "." 16 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 17CONFIG_END 18 19SCENARIO_BEGIN Test for NSID in SERVFAIL response due to DNSSEC bogus 20 21; K.ROOT-SERVERS.NET. 22RANGE_BEGIN 0 100 23 ADDRESS 193.0.14.129 24ENTRY_BEGIN 25MATCH opcode qtype qname 26ADJUST copy_id 27REPLY QR NOERROR 28SECTION QUESTION 29. IN NS 30SECTION ANSWER 31. IN NS K.ROOT-SERVERS.NET. 32SECTION ADDITIONAL 33K.ROOT-SERVERS.NET. IN A 193.0.14.129 34ENTRY_END 35 36ENTRY_BEGIN 37MATCH opcode qtype qname 38ADJUST copy_id 39REPLY QR NOERROR 40SECTION QUESTION 41www.example.com. IN A 42SECTION AUTHORITY 43com. IN NS a.gtld-servers.net. 44SECTION ADDITIONAL 45a.gtld-servers.net. IN A 192.5.6.30 46ENTRY_END 47RANGE_END 48 49; a.gtld-servers.net. 50RANGE_BEGIN 0 100 51 ADDRESS 192.5.6.30 52ENTRY_BEGIN 53MATCH opcode qtype qname 54ADJUST copy_id 55REPLY QR NOERROR 56SECTION QUESTION 57com. IN NS 58SECTION ANSWER 59com. IN NS a.gtld-servers.net. 60SECTION ADDITIONAL 61a.gtld-servers.net. IN A 192.5.6.30 62ENTRY_END 63 64ENTRY_BEGIN 65MATCH opcode qtype qname 66ADJUST copy_id 67REPLY QR NOERROR 68SECTION QUESTION 69www.example.com. IN A 70SECTION AUTHORITY 71example.com. IN NS ns.example.com. 72SECTION ADDITIONAL 73ns.example.com. IN A 1.2.3.4 74ENTRY_END 75RANGE_END 76 77; ns.example.com. 78RANGE_BEGIN 0 100 79 ADDRESS 1.2.3.4 80ENTRY_BEGIN 81MATCH opcode qtype qname 82ADJUST copy_id 83REPLY QR NOERROR 84SECTION QUESTION 85example.com. IN NS 86SECTION ANSWER 87example.com. IN NS ns.example.com. 88example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 89SECTION ADDITIONAL 90ns.example.com. IN A 1.2.3.4 91ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 92ENTRY_END 93 94; response to DNSKEY priming query 95ENTRY_BEGIN 96MATCH opcode qtype qname 97ADJUST copy_id 98REPLY QR NOERROR 99SECTION QUESTION 100example.com. IN DNSKEY 101SECTION ANSWER 102example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 103example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} 104SECTION AUTHORITY 105example.com. IN NS ns.example.com. 106example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 107SECTION ADDITIONAL 108ns.example.com. IN A 1.2.3.4 109ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 110ENTRY_END 111 112; nodata for ns.example.com AAAA 113ENTRY_BEGIN 114MATCH opcode qtype qname 115ADJUST copy_id 116REPLY QR AA NOERROR 117SECTION QUESTION 118ns.example.com. IN AAAA 119SECTION ANSWER 120SECTION ADDITIONAL 121ENTRY_END 122 123 124; response to query of interest 125ENTRY_BEGIN 126MATCH opcode qtype qname 127ADJUST copy_id 128REPLY QR NOERROR 129SECTION QUESTION 130www.example.com. IN A 131SECTION ANSWER 132www.example.com. IN A 10.20.30.40 133;good signature 134;www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} 135;missing 136www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2855 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= 137SECTION AUTHORITY 138example.com. IN NS ns.example.com. 139example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 140SECTION ADDITIONAL 141ns.example.com. IN A 1.2.3.4 142ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854} 143ENTRY_END 144RANGE_END 145 146STEP 1 QUERY 147ENTRY_BEGIN 148REPLY RD DO 149SECTION QUESTION 150www.example.com. IN A 151SECTION ADDITIONAL 152 HEX_EDNSDATA_BEGIN 153 00 03 ; Opcode NSID (3) 154 00 00 ; Length 0 155 HEX_EDNSDATA_END 156ENTRY_END 157 158; recursion happens here. 159STEP 10 CHECK_ANSWER 160ENTRY_BEGIN 161MATCH all ede=9 162REPLY QR RD RA DO SERVFAIL 163SECTION QUESTION 164www.example.com. IN A 165SECTION ANSWER 166SECTION ADDITIONAL 167 HEX_EDNSDATA_BEGIN 168 00 03 ; Opcode NSID (3) 169 00 0b ; Length 11 170 68 6F 70 73 61 20 ; "hopsa " 171 6B 69 64 65 65 ; "kidee" 172 HEX_EDNSDATA_END 173ENTRY_END 174 175SCENARIO_END 176