1; config options (val-override-date and fake-sha1 are test-only: the first pins the validation clock to the 2007 signatures, the second is a unit-test switch for SHA-1/DSA algorithm support; neither belongs in a production resolver config) 2; The island of trust is at example.com 3server: 4 trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" 5 val-override-date: "20070916134226" 6 target-fetch-policy: "0 0 0 0 0" 7 qname-minimisation: "no" 8 fake-sha1: yes 9 trust-anchor-signaling: no 10 11stub-zone: 12 name: "." 13 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 14CONFIG_END 15 16SCENARIO_BEGIN Test validator with DS nodata as nxdomain on trust chain 17; This reproduces a bug in ANS 2.8.1.0, which answers NXDOMAIN instead of 18; NOERROR for a DS query at an empty nonterminal. The validator must rely on the signed 19; NSEC, which proves the empty nonterminal, rather than on the rcode, and still return a secure (AD) answer. 20 21; K.ROOT-SERVERS.NET. 22RANGE_BEGIN 0 100 23 ADDRESS 193.0.14.129 24ENTRY_BEGIN 25MATCH opcode qtype qname 26ADJUST copy_id 27REPLY QR NOERROR 28SECTION QUESTION 29. IN NS 30SECTION ANSWER 31. IN NS K.ROOT-SERVERS.NET. 32SECTION ADDITIONAL 33K.ROOT-SERVERS.NET. IN A 193.0.14.129 34ENTRY_END 35 36ENTRY_BEGIN 37MATCH opcode qtype qname 38ADJUST copy_id 39REPLY QR NOERROR 40SECTION QUESTION 41328.0.0.194.example.com. IN A 42SECTION AUTHORITY 43com. IN NS a.gtld-servers.net. 44SECTION ADDITIONAL 45a.gtld-servers.net. IN A 192.5.6.30 46ENTRY_END 47RANGE_END 48 49; a.gtld-servers.net. 50RANGE_BEGIN 0 100 51 ADDRESS 192.5.6.30 52ENTRY_BEGIN 53MATCH opcode qtype qname 54ADJUST copy_id 55REPLY QR NOERROR 56SECTION QUESTION 57com. IN NS 58SECTION ANSWER 59com. IN NS a.gtld-servers.net. 60SECTION ADDITIONAL 61a.gtld-servers.net. IN A 192.5.6.30 62ENTRY_END 63 64ENTRY_BEGIN 65MATCH opcode qtype qname 66ADJUST copy_id 67REPLY QR NOERROR 68SECTION QUESTION 69328.0.0.194.example.com. IN A 70SECTION AUTHORITY 71example.com. IN NS ns.example.com. 72SECTION ADDITIONAL 73ns.example.com. IN A 1.2.3.4 74ENTRY_END 75RANGE_END 76 77; ns.example.com. 78RANGE_BEGIN 0 100 79 ADDRESS 1.2.3.4 80ENTRY_BEGIN 81MATCH opcode qtype qname 82ADJUST copy_id 83REPLY QR NOERROR 84SECTION QUESTION 85example.com. 
IN NS 86SECTION ANSWER 87example.com. IN NS ns.example.com. 88example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 89SECTION ADDITIONAL 90ns.example.com. IN A 1.2.3.4 91ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 92ENTRY_END 93 94; response to DNSKEY priming query 95ENTRY_BEGIN 96MATCH opcode qtype qname 97ADJUST copy_id 98REPLY QR NOERROR 99SECTION QUESTION 100example.com. IN DNSKEY 101SECTION ANSWER 102example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 103example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854} 104SECTION AUTHORITY 105example.com. IN NS ns.example.com. 106example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 107SECTION ADDITIONAL 108ns.example.com. IN A 1.2.3.4 109ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 110ENTRY_END 111 112; responses to DS empty nonterminal queries. 113ENTRY_BEGIN 114MATCH opcode qtype qname 115ADJUST copy_id 116REPLY QR AA NOERROR 117SECTION QUESTION 118194.example.com. IN DS 119SECTION AUTHORITY 120example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200 121example.com. 
3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854} 122 123; This NSEC proves the NOERROR/NODATA case. 124194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC 125194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854} 126 127ENTRY_END 128 129ENTRY_BEGIN 130MATCH opcode qtype qname 131ADJUST copy_id 132; Bad NXDOMAIN response (the ANS bug under test); the correct rcode is NOERROR. 133REPLY QR AA NXDOMAIN 134SECTION QUESTION 1350.194.example.com. IN DS 136SECTION AUTHORITY 137example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200 138example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854} 139 140; Same signed NSEC as in the previous entry: 0.194.example.com. is an ancestor of the NSEC's next name 0.0.194.example.com., so it exists as an empty nonterminal without a DS (the NOERROR/NODATA case), whatever the rcode says. 141194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC 142194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854} 143 144ENTRY_END 145 146; response for delegation to sub zone. 147ENTRY_BEGIN 148MATCH opcode qtype qname 149ADJUST copy_id 150REPLY QR NOERROR 151SECTION QUESTION 152328.0.0.194.example.com. IN A 153SECTION ANSWER 154SECTION AUTHORITY 1550.0.194.example.com. IN NS ns.sub.example.com. 1560.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c 1570.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854} 158SECTION ADDITIONAL 159ns.sub.example.com. 
IN A 1.2.3.6 160ENTRY_END 161 162; response for delegation to sub zone 163ENTRY_BEGIN 164MATCH opcode qtype qname 165ADJUST copy_id 166REPLY QR NOERROR 167SECTION QUESTION 1680.0.194.example.com. IN DNSKEY 169SECTION ANSWER 170SECTION AUTHORITY 1710.0.194.example.com. IN NS ns.sub.example.com. 1720.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c 1730.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854} 174SECTION ADDITIONAL 175ns.sub.example.com. IN A 1.2.3.6 176ENTRY_END 177RANGE_END 178 179; ns.sub.example.com. for zone 0.0.194.example.com. 180RANGE_BEGIN 0 100 181 ADDRESS 1.2.3.6 182ENTRY_BEGIN 183MATCH opcode qtype qname 184ADJUST copy_id 185REPLY QR NOERROR 186SECTION QUESTION 1870.0.194.example.com. IN NS 188SECTION ANSWER 1890.0.194.example.com. IN NS ns.sub.example.com. 1900.0.194.example.com. 3600 IN RRSIG NS 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. KXDA+/PJAE+dXhv6O6Z0ZovDwabSRJcIt+GT5AL6ewlj46hzo/SDKUtEhYCeT1IVQvYtXrESwFZjpp7N0rXXBg== ;{id = 30899} 191SECTION ADDITIONAL 192ns.sub.example.com. IN A 1.2.3.6 193ENTRY_END 194 195; response to DNSKEY priming query 196; 0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c 197ENTRY_BEGIN 198MATCH opcode qtype qname 199ADJUST copy_id 200REPLY QR NOERROR 201SECTION QUESTION 2020.0.194.example.com. IN DNSKEY 203SECTION ANSWER 2040.0.194.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} 2050.0.194.example.com. 3600 IN RRSIG DNSKEY 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. fSmc7ef6NwbDXC0o4wPc/aa8LakW5ZJwEZ4xPYl3tTZKmPNM7hPXskl1tFlvst9Va4u37F62v+16trprHb+SCQ== ;{id = 30899} 206SECTION AUTHORITY 2070.0.194.example.com. IN NS ns.sub.example.com. 2080.0.194.example.com. 
3600 IN RRSIG NS 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. KXDA+/PJAE+dXhv6O6Z0ZovDwabSRJcIt+GT5AL6ewlj46hzo/SDKUtEhYCeT1IVQvYtXrESwFZjpp7N0rXXBg== ;{id = 30899} 209SECTION ADDITIONAL 210ns.sub.example.com. IN A 1.2.3.6 211ENTRY_END 212 213; response to query of interest 214ENTRY_BEGIN 215MATCH opcode qtype qname 216ADJUST copy_id 217REPLY QR NOERROR 218SECTION QUESTION 219328.0.0.194.example.com. IN A 220SECTION ANSWER 221328.0.0.194.example.com. IN A 11.11.11.11 222328.0.0.194.example.com. 3600 IN RRSIG A 5 6 3600 20070926135752 20070829135752 30899 0.0.194.example.com. chZW77mqywhw/4ch6BxXQ4EbFgb9zgh2xF75FLlKq/7ey6CfHSJRpJRjRqtMTn+1i18UL2B4nPS/WnK5DZeqlA== ;{id = 30899} 223SECTION AUTHORITY 224SECTION ADDITIONAL 225ENTRY_END 226RANGE_END 227 228STEP 1 QUERY 229ENTRY_BEGIN 230REPLY RD DO 231SECTION QUESTION 232328.0.0.194.example.com. IN A 233ENTRY_END 234 235; recursion happens here. 236STEP 10 CHECK_ANSWER 237ENTRY_BEGIN 238MATCH all 239REPLY QR RD RA AD DO NOERROR 240SECTION QUESTION 241328.0.0.194.example.com. IN A 242SECTION ANSWER 243328.0.0.194.example.com. 3600 IN A 11.11.11.11 244328.0.0.194.example.com. 3600 IN RRSIG A 5 6 3600 20070926135752 20070829135752 30899 0.0.194.example.com. chZW77mqywhw/4ch6BxXQ4EbFgb9zgh2xF75FLlKq/7ey6CfHSJRpJRjRqtMTn+1i18UL2B4nPS/WnK5DZeqlA== ;{id = 30899} 245SECTION AUTHORITY 246SECTION ADDITIONAL 247ENTRY_END 248 249SCENARIO_END 250