; config options
; The island of trust is at example.com
; The DS anchor below uses algorithm 3 (DSA) with digest type 1 (SHA-1), key tag 2854.
; val-override-date pins the validator clock to 2007-09-16 13:42:26, which lies inside
; the RRSIG validity windows used throughout this file (20070829.. to 20070926..).
; fake-sha1: presumably lets these SHA-1 based fixtures validate on builds where SHA-1
; is disabled - TODO confirm against the test harness.
; access-control allow_snoop is set on 127.0.0.0/8; STEP 11 sends a query without RD.
server:
	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	val-override-date: "20070916134226"
	target-fetch-policy: "0 0 0 0 0"
	qname-minimisation: "no"
	fake-sha1: yes
	trust-anchor-signaling: no
	ede: yes
	access-control: 127.0.0.0/8 allow_snoop

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test validator with unsigned delegation with no NS bit in NSEC
; What this scenario checks: foo.www.example.com sits below the example.com trust
; anchor, the A answer for it carries no RRSIG, and the signed NSEC3 records returned
; for the DS queries list only TXT in their type bitmap (no NS bit, so no delegation is
; shown and no insecure child zone is proven). The resolver is expected to answer
; SERVFAIL with EDE code 10 instead of returning the unsigned data.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
; root NS priming answer
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS	K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
ENTRY_END

; referral to com. for any name under com.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com.    IN NS   a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.     IN      A       192.5.6.30
ENTRY_END

; referral to example.com. for any name under example.com.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

; empty answer for the nameserver's AAAA lookup
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
; NODATA for ns.example.com AAAA, with signed SOA
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
example.com. IN SOA alfa.ns.example.com.cz. hostmaster.example.com. 2010030800 10800 86400 604800 86400
example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. ADsxLOHjxFzwFmwIiGOubqD9nKWAp4RccRIXQ0+EAUGfSDZMCB0ZiFA= ;{id = 2854}
SECTION ADDITIONAL
ENTRY_END

; NODATA for ns3.example.com AAAA, with signed SOA
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns3.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
example.com. IN SOA alfa.ns.example.com.cz. hostmaster.example.com. 2010030800 10800 86400 604800 86400
example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. ADsxLOHjxFzwFmwIiGOubqD9nKWAp4RccRIXQ0+EAUGfSDZMCB0ZiFA= ;{id = 2854}
SECTION ADDITIONAL
ENTRY_END

; signed A record for the nameserver itself
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com.         IN      A       1.2.3.4
ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
SECTION AUTHORITY
example.com.    IN NS   ns.example.com.
example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ENTRY_END

; signed NS set of example.com
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com.    IN NS   ns.example.com.
example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com.         IN      A       1.2.3.4
ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to DNSKEY priming query
; The DNSKEY (key tag 2854) is the key named by the configured DS trust anchor.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to query of interest
; The answer below deliberately carries no RRSIG; this is the data under test.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
foo.www.example.com. IN A
SECTION ANSWER
foo.www.example.com. IN A 1.2.3.4
; unsigned, no delegation.
ENTRY_END

; DS query
; NODATA for www.example.com DS: the signed NSEC3 matching www.example.com lists only
; TXT in its type bitmap, so it shows neither a DS record nor an NS (delegation) bit.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN DS
SECTION ANSWER
SECTION AUTHORITY
; NSEC3 here: 1 0 1 1234
; www.example.com. -> h8c0nvkuibedn7ia997iegdl7h0i6h8b.
h8c0nvkuibedn7ia997iegdl7h0i6h8b.example.com. IN NSEC3 1 0 1 1234 h8c0nvkuibedn7ia997iegdl7h0i6h8c TXT
h8c0nvkuibedn7ia997iegdl7h0i6h8b.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926134150 20070829134150 2854 example.com. AH+bPQZST3COwJ1vSe05N7E5BM2GmXzJUKsiWwXKrmm/XjYKSxSuNPE=

; disabled NSEC variant of the same denial, kept for reference
;www.example.com. IN NSEC zzz.example.com. RRSIG NSEC
;www.example.com.        3600    IN      RRSIG   NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AA9Dm626WvHXHPQXJkVyjyTqJ/dCHfZgt6PWCn9gd8ZmPxyl3STW3iI=
example.com. IN SOA alfa.ns.example.com.cz. hostmaster.example.com. 2010030800 10800 86400 604800 86400
example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. ADsxLOHjxFzwFmwIiGOubqD9nKWAp4RccRIXQ0+EAUGfSDZMCB0ZiFA= ;{id = 2854}
SECTION ADDITIONAL
ENTRY_END

; DS query for foo.www.example.com: NODATA reply (AA, empty answer). The signed NSEC3
; matching foo.www.example.com lists only TXT, so again no DS and no NS bit is shown.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
foo.www.example.com. IN DS
SECTION ANSWER
SECTION AUTHORITY
mipf0g23547qunto04vboegh9vadsrpo.example.com. IN NSEC3 1 0 1 1234 mipf0g23547qunto04vboegh9vadsrpq TXT
mipf0g23547qunto04vboegh9vadsrpo.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926134150 20070829134150 2854 example.com. ADc6JrdKuTmIJe4sAjpKZSUZKdHdfhmREk2F5A5cftU9053b0/3ILQM=

example.com. IN SOA alfa.ns.example.com.cz. hostmaster.example.com. 2010030800 10800 86400 604800 86400
example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. ADsxLOHjxFzwFmwIiGOubqD9nKWAp4RccRIXQ0+EAUGfSDZMCB0ZiFA= ;{id = 2854}


; Everything from here to SECTION ADDITIONAL is disabled: an alternative referral to
; ns3.example.com and alternative NSEC3/NSEC denial records, kept for reference.
;www.example.com. IN NS ns3.example.com.
;h8c0nvkuibedn7ia997iegdl7h0i6h8b.example.com. IN NSEC3 1 0 1 1234 h8c0nvkuibedn7ia997iegdl7h0i6h8c TXT
;h8c0nvkuibedn7ia997iegdl7h0i6h8b.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926134150 20070829134150 2854 example.com. AH+bPQZST3COwJ1vSe05N7E5BM2GmXzJUKsiWwXKrmm/XjYKSxSuNPE=
;SECTION ADDITIONAL
;ns3.example.com. IN A 1.2.3.5


; NSEC3 here: 1 0 1 1234
; www.example.com. -> h8c0nvkuibedn7ia997iegdl7h0i6h8b.
; *.www.example.com. -> cg2lpgpr8k7ck69h7bqu3od9pkht2o79.
; foo.www.example.com. -> mipf0g23547qunto04vboegh9vadsrpo.

;h8c0nvkuibedn7ia997iegdl7h0i6h8b.example.com. IN NSEC3 1 0 1 1234 h8c0nvkuibedn7ia997iegdl7h0i6h8c TXT
;h8c0nvkuibedn7ia997iegdl7h0i6h8b.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926134150 20070829134150 2854 example.com. AH+bPQZST3COwJ1vSe05N7E5BM2GmXzJUKsiWwXKrmm/XjYKSxSuNPE=
;cg2lpgpr8k7ck69h7bqu3od9pkht2o78.example.com. IN NSEC3 1 0 1 1234 cg2lpgpr8k7ck69h7bqu3od9pkht2o89 TXT
;cg2lpgpr8k7ck69h7bqu3od9pkht2o78.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926134150 20070829134150 2854 example.com. ACzxBHMyDB5tTrXijboPSsB0ws1lJe3/B62QNAMcZv7l9DYNDEDKsXY=
;mipf0g23547qunto04vboegh9vadsrph.example.com. IN NSEC3 1 0 1 1234 mipf0g23547qunto04vboegh9vadsrpp TXT
;mipf0g23547qunto04vboegh9vadsrph.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926134150 20070829134150 2854 example.com. AG2B7lrIVtBgg+WIt0yNYekGDBKkY7xkKfI0GLQ8q3brGy/+jubxba0=

;www.example.com. IN NSEC zzz.example.com. RRSIG NSEC
;www.example.com.        3600    IN      RRSIG   NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AA9Dm626WvHXHPQXJkVyjyTqJ/dCHfZgt6PWCn9gd8ZmPxyl3STW3iI=

;example.com. IN SOA alfa.ns.example.com.cz. hostmaster.example.com. 2010030800 10800 86400 604800 86400
;example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. ADsxLOHjxFzwFmwIiGOubqD9nKWAp4RccRIXQ0+EAUGfSDZMCB0ZiFA= ;{id = 2854}
SECTION ADDITIONAL
ENTRY_END

RANGE_END

; ns3.example.com.
; NOTE(review): the only record that would point at this server (www.example.com NS
; ns3.example.com) is commented out above, so this range looks unused in the current
; scenario - confirm. Its SOA reply is unsigned.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.5
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
foo.www.example.com. IN DS
SECTION ANSWER
SECTION AUTHORITY
foo.www.example.com. IN SOA alfa.ns.example.com.cz. hostmaster.example.com. 2010030800 10800 86400 604800 86400
SECTION ADDITIONAL
ENTRY_END
RANGE_END


; Client query with RD and DO set.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
foo.www.example.com. IN A
ENTRY_END

; recursion happens here.
; Expected result: SERVFAIL with an empty answer section and EDE code 10
; (RFC 8914 "RRSIGs Missing"); the unsigned A record must not be returned.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
foo.www.example.com. IN A
SECTION ANSWER
ENTRY_END

; Redo the query without RD to check EDE caching.
; The second reply must again be SERVFAIL with EDE code 10.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
foo.www.example.com. IN A
ENTRY_END

STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=10
REPLY QR RA DO SERVFAIL
SECTION QUESTION
foo.www.example.com. IN A
SECTION ANSWER
ENTRY_END

SCENARIO_END