1; config options 2; The island of trust is at example.com 3server: 4 trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" 5 val-override-date: "20070916134226" 6 target-fetch-policy: "0 0 0 0 0" 7 fake-sha1: yes 8 trust-anchor-signaling: no 9 10stub-zone: 11 name: "." 12 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 13CONFIG_END 14 15SCENARIO_BEGIN Test validator with empty nonterminals on the trust chain. 16 17; K.ROOT-SERVERS.NET. 18RANGE_BEGIN 0 100 19 ADDRESS 193.0.14.129 20ENTRY_BEGIN 21MATCH opcode qtype qname 22ADJUST copy_id 23REPLY QR NOERROR 24SECTION QUESTION 25. IN NS 26SECTION ANSWER 27. IN NS K.ROOT-SERVERS.NET. 28SECTION ADDITIONAL 29K.ROOT-SERVERS.NET. IN A 193.0.14.129 30ENTRY_END 31 32ENTRY_BEGIN 33MATCH opcode qtype qname 34ADJUST copy_id 35REPLY QR NOERROR 36SECTION QUESTION 37328.0.0.194.example.com. IN A 38SECTION AUTHORITY 39com. IN NS a.gtld-servers.net. 40SECTION ADDITIONAL 41a.gtld-servers.net. IN A 192.5.6.30 42ENTRY_END 43RANGE_END 44 45; a.gtld-servers.net. 46RANGE_BEGIN 0 100 47 ADDRESS 192.5.6.30 48ENTRY_BEGIN 49MATCH opcode qtype qname 50ADJUST copy_id 51REPLY QR NOERROR 52SECTION QUESTION 53com. IN NS 54SECTION ANSWER 55com. IN NS a.gtld-servers.net. 56SECTION ADDITIONAL 57a.gtld-servers.net. IN A 192.5.6.30 58ENTRY_END 59 60ENTRY_BEGIN 61MATCH opcode qtype qname 62ADJUST copy_id 63REPLY QR NOERROR 64SECTION QUESTION 65328.0.0.194.example.com. IN A 66SECTION AUTHORITY 67example.com. IN NS ns.example.com. 68SECTION ADDITIONAL 69ns.example.com. IN A 1.2.3.4 70ENTRY_END 71RANGE_END 72 73; ns.example.com. 74RANGE_BEGIN 0 100 75 ADDRESS 1.2.3.4 76ENTRY_BEGIN 77MATCH opcode qtype qname 78ADJUST copy_id 79REPLY QR NOERROR 80SECTION QUESTION 81example.com. IN NS 82SECTION ANSWER 83example.com. IN NS ns.example.com. 84example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 85SECTION ADDITIONAL 86ns.example.com. IN A 1.2.3.4 87ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 88ENTRY_END 89 90; response to DNSKEY priming query 91ENTRY_BEGIN 92MATCH opcode qtype qname 93ADJUST copy_id 94REPLY QR NOERROR 95SECTION QUESTION 96example.com. IN DNSKEY 97SECTION ANSWER 98example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 99example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854} 100SECTION AUTHORITY 101example.com. IN NS ns.example.com. 102example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 103SECTION ADDITIONAL 104ns.example.com. IN A 1.2.3.4 105ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 106ENTRY_END 107 108; responses to DS empty nonterminal queries. 109ENTRY_BEGIN 110MATCH opcode qtype qname 111ADJUST copy_id 112REPLY QR AA NOERROR 113SECTION QUESTION 114194.example.com. IN DS 115SECTION AUTHORITY 116example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200 117example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854} 118 119; This NSEC proves the NOERROR/NODATA case. 120194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC 121194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854} 122 123ENTRY_END 124 125ENTRY_BEGIN 126MATCH opcode qtype qname 127ADJUST copy_id 128; this should be NOERROR. 129REPLY QR AA NOERROR 130SECTION QUESTION 1310.194.example.com. IN DS 132SECTION AUTHORITY 133example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200 134example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854} 135 136; This NSEC proves the NOERROR/NODATA case. 137194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC 138194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854} 139 140ENTRY_END 141 142; response for delegation to sub zone. 143ENTRY_BEGIN 144MATCH opcode qtype qname 145ADJUST copy_id 146REPLY QR NOERROR 147SECTION QUESTION 148328.0.0.194.example.com. IN A 149SECTION ANSWER 150SECTION AUTHORITY 1510.0.194.example.com. IN NS ns.sub.example.com. 1520.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c 1530.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854} 154SECTION ADDITIONAL 155ns.sub.example.com. IN A 1.2.3.6 156ENTRY_END 157 158; response for delegation to sub zone 159ENTRY_BEGIN 160MATCH opcode qtype qname 161ADJUST copy_id 162REPLY QR NOERROR 163SECTION QUESTION 1640.0.194.example.com. IN DNSKEY 165SECTION ANSWER 166SECTION AUTHORITY 1670.0.194.example.com. IN NS ns.sub.example.com. 1680.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c 1690.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854} 170SECTION ADDITIONAL 171ns.sub.example.com. IN A 1.2.3.6 172ENTRY_END 173RANGE_END 174 175; ns.sub.example.com. for zone 0.0.194.example.com. 176RANGE_BEGIN 0 100 177 ADDRESS 1.2.3.6 178ENTRY_BEGIN 179MATCH opcode qtype qname 180ADJUST copy_id 181REPLY QR NOERROR 182SECTION QUESTION 1830.0.194.example.com. IN NS 184SECTION ANSWER 1850.0.194.example.com. IN NS ns.sub.example.com. 1860.0.194.example.com. 3600 IN RRSIG NS 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. KXDA+/PJAE+dXhv6O6Z0ZovDwabSRJcIt+GT5AL6ewlj46hzo/SDKUtEhYCeT1IVQvYtXrESwFZjpp7N0rXXBg== ;{id = 30899} 187SECTION ADDITIONAL 188ns.sub.example.com. IN A 1.2.3.6 189ENTRY_END 190 191 192; response to DNSKEY priming query 193; 0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c 194ENTRY_BEGIN 195MATCH opcode qtype qname 196ADJUST copy_id 197REPLY QR NOERROR 198SECTION QUESTION 1990.0.194.example.com. IN DNSKEY 200SECTION ANSWER 2010.0.194.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} 2020.0.194.example.com. 3600 IN RRSIG DNSKEY 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. fSmc7ef6NwbDXC0o4wPc/aa8LakW5ZJwEZ4xPYl3tTZKmPNM7hPXskl1tFlvst9Va4u37F62v+16trprHb+SCQ== ;{id = 30899} 203SECTION AUTHORITY 2040.0.194.example.com. IN NS ns.sub.example.com. 2050.0.194.example.com. 3600 IN RRSIG NS 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. KXDA+/PJAE+dXhv6O6Z0ZovDwabSRJcIt+GT5AL6ewlj46hzo/SDKUtEhYCeT1IVQvYtXrESwFZjpp7N0rXXBg== ;{id = 30899} 206SECTION ADDITIONAL 207ns.sub.example.com. IN A 1.2.3.6 208ENTRY_END 209 210; response to query of interest 211ENTRY_BEGIN 212MATCH opcode qtype qname 213ADJUST copy_id 214REPLY QR NOERROR 215SECTION QUESTION 216328.0.0.194.example.com. IN A 217SECTION ANSWER 218328.0.0.194.example.com. IN A 11.11.11.11 219328.0.0.194.example.com. 3600 IN RRSIG A 5 6 3600 20070926135752 20070829135752 30899 0.0.194.example.com. chZW77mqywhw/4ch6BxXQ4EbFgb9zgh2xF75FLlKq/7ey6CfHSJRpJRjRqtMTn+1i18UL2B4nPS/WnK5DZeqlA== ;{id = 30899} 220SECTION AUTHORITY 221SECTION ADDITIONAL 222ENTRY_END 223RANGE_END 224 225STEP 1 QUERY 226ENTRY_BEGIN 227REPLY RD DO 228SECTION QUESTION 229328.0.0.194.example.com. IN A 230ENTRY_END 231 232; recursion happens here. 233STEP 10 CHECK_ANSWER 234ENTRY_BEGIN 235MATCH all 236REPLY QR RD RA AD DO NOERROR 237SECTION QUESTION 238328.0.0.194.example.com. IN A 239SECTION ANSWER 240328.0.0.194.example.com. 3600 IN A 11.11.11.11 241328.0.0.194.example.com. 3600 IN RRSIG A 5 6 3600 20070926135752 20070829135752 30899 0.0.194.example.com. chZW77mqywhw/4ch6BxXQ4EbFgb9zgh2xF75FLlKq/7ey6CfHSJRpJRjRqtMTn+1i18UL2B4nPS/WnK5DZeqlA== ;{id = 30899} 242SECTION AUTHORITY 243SECTION ADDITIONAL 244ENTRY_END 245 246SCENARIO_END 247