xref: /netbsd-src/external/bsd/unbound/dist/testdata/val_ds_sha2_lenient.crpl (revision 7cd94d692f099dff0c03996f61fd7a476e40159b)
1; config options
2; The island of trust is at example.com
3server:
4	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
5	val-override-date: "20070916134226"
6	target-fetch-policy: "0 0 0 0 0"
7	qname-minimisation: "no"
8	fake-dsa: yes
9	fake-sha1: yes
10	trust-anchor-signaling: no
11	harden-algo-downgrade: no
12
13stub-zone:
14	name: "."
15	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
16CONFIG_END
17
18SCENARIO_BEGIN Test validator with SHA256 DS downgrade to SHA1 lenience
19
20; K.ROOT-SERVERS.NET.
21RANGE_BEGIN 0 100
22	ADDRESS 193.0.14.129
23ENTRY_BEGIN
24MATCH opcode qtype qname
25ADJUST copy_id
26REPLY QR NOERROR
27SECTION QUESTION
28. IN NS
29SECTION ANSWER
30. IN NS	K.ROOT-SERVERS.NET.
31SECTION ADDITIONAL
32K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
33ENTRY_END
34
35ENTRY_BEGIN
36MATCH opcode qtype qname
37ADJUST copy_id
38REPLY QR NOERROR
39SECTION QUESTION
40www.sub.example.com. IN A
41SECTION AUTHORITY
42com.	IN NS	a.gtld-servers.net.
43SECTION ADDITIONAL
44a.gtld-servers.net.	IN 	A	192.5.6.30
45ENTRY_END
46RANGE_END
47
48; a.gtld-servers.net.
49RANGE_BEGIN 0 100
50	ADDRESS 192.5.6.30
51ENTRY_BEGIN
52MATCH opcode qtype qname
53ADJUST copy_id
54REPLY QR NOERROR
55SECTION QUESTION
56com. IN NS
57SECTION ANSWER
58com.    IN NS   a.gtld-servers.net.
59SECTION ADDITIONAL
60a.gtld-servers.net.     IN      A       192.5.6.30
61ENTRY_END
62
63ENTRY_BEGIN
64MATCH opcode qtype qname
65ADJUST copy_id
66REPLY QR NOERROR
67SECTION QUESTION
68www.sub.example.com. IN A
69SECTION AUTHORITY
70example.com.	IN NS	ns.example.com.
71SECTION ADDITIONAL
72ns.example.com.		IN 	A	1.2.3.4
73ENTRY_END
74RANGE_END
75
76; ns.example.com.
77RANGE_BEGIN 0 100
78	ADDRESS 1.2.3.4
79ENTRY_BEGIN
80MATCH opcode qtype qname
81ADJUST copy_id
82REPLY QR NOERROR
83SECTION QUESTION
84example.com. IN NS
85SECTION ANSWER
86example.com.    IN NS   ns.example.com.
87example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
88SECTION ADDITIONAL
89ns.example.com.         IN      A       1.2.3.4
90ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
91ENTRY_END
92
93; response to DNSKEY priming query
94ENTRY_BEGIN
95MATCH opcode qtype qname
96ADJUST copy_id
97REPLY QR NOERROR
98SECTION QUESTION
99example.com. IN DNSKEY
100SECTION ANSWER
101example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
102example.com. 3600    IN      RRSIG   DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
103SECTION AUTHORITY
104example.com.	IN NS	ns.example.com.
105example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
106SECTION ADDITIONAL
107ns.example.com.		IN 	A	1.2.3.4
108ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
109ENTRY_END
110
111; response for delegation to sub.example.com.
112ENTRY_BEGIN
113MATCH opcode subdomain
114ADJUST copy_id copy_query
115REPLY QR NOERROR
116SECTION QUESTION
117sub.example.com. IN A
118SECTION ANSWER
119SECTION AUTHORITY
120sub.example.com. IN	NS ns.sub.example.com.
121
122; Downgrade attack: the SHA256 DS below carries a wrong digest (false SHA2), while the SHA1 DS for the same key tag is correct
123
124; SHA256 DS for sub.example.com.
125;sub.example.com.	3600	IN	DS	30899 5 2 51be8e847cc663f2775d0f2b6d15e41553c97ecb99b8dd667f18244e2f652033
126; BAD SHA256 DS (same as the commented-out record above, but the digest ends in ...2000 instead of ...2033)
127sub.example.com.	3600	IN	DS	30899 5 2 51be8e847cc663f2775d0f2b6d15e41553c97ecb99b8dd667f18244e2f652000
128
129; SHA1 DS for sub.example.com.
130sub.example.com.        3600    IN      DS      30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
131sub.example.com.	3600	IN	RRSIG	DS 3 3 3600 20070926135752 20070829135752 2854 example.com. ACqqpk1ow07XJvN1orEpiWOeqMLdDKQtTgWB8Mp6CF/9VTfHuWWmsu8= ;{id = 2854}
132
133SECTION ADDITIONAL
134ns.sub.example.com. IN A 1.2.3.6
135ENTRY_END
136
137RANGE_END
138
139; ns.sub.example.com.
140RANGE_BEGIN 0 100
141	ADDRESS 1.2.3.6
142ENTRY_BEGIN
143MATCH opcode qtype qname
144ADJUST copy_id
145REPLY QR NOERROR
146SECTION QUESTION
147sub.example.com. IN NS
148SECTION ANSWER
149sub.example.com. IN	NS ns.sub.example.com.
150sub.example.com.        3600    IN      RRSIG   NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. wcpHeBILHfo8C9uxMhcW03gcURZeUffiKdSTb50ZjzTHgMNhRyMfpcvSpXEd9548A9UTmWKeLZChfr5Z/glONw== ;{id = 30899}
151SECTION ADDITIONAL
152ns.sub.example.com. IN A 1.2.3.6
153ns.sub.example.com.     3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
154ENTRY_END
155
156; response to DNSKEY priming query
157; sub.example.com.        3600    IN      DS      30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
158ENTRY_BEGIN
159MATCH opcode qtype qname
160ADJUST copy_id
161REPLY QR NOERROR
162SECTION QUESTION
163sub.example.com. IN DNSKEY
164SECTION ANSWER
165sub.example.com.        3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
166sub.example.com.        3600    IN      RRSIG   DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
167SECTION AUTHORITY
168sub.example.com. IN	NS ns.sub.example.com.
169sub.example.com.        3600    IN      RRSIG   NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. wcpHeBILHfo8C9uxMhcW03gcURZeUffiKdSTb50ZjzTHgMNhRyMfpcvSpXEd9548A9UTmWKeLZChfr5Z/glONw== ;{id = 30899}
170SECTION ADDITIONAL
171ns.sub.example.com. IN A 1.2.3.6
172ns.sub.example.com.     3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
173ENTRY_END
174
175; response to query of interest
176ENTRY_BEGIN
177MATCH opcode qtype qname
178ADJUST copy_id
179REPLY QR NOERROR
180SECTION QUESTION
181www.sub.example.com. IN A
182SECTION ANSWER
183www.sub.example.com. IN A	11.11.11.11
184www.sub.example.com.    3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
185SECTION AUTHORITY
186SECTION ADDITIONAL
187ENTRY_END
188
189ENTRY_BEGIN
190MATCH opcode qtype qname
191ADJUST copy_id
192REPLY QR AA REFUSED
193SECTION QUESTION
194ns.sub.example.com. IN A
195ENTRY_END
196
197ENTRY_BEGIN
198MATCH opcode qtype qname
199ADJUST copy_id
200REPLY QR AA REFUSED
201SECTION QUESTION
202ns.sub.example.com. IN AAAA
203ENTRY_END
204
205RANGE_END
206
207STEP 1 QUERY
208ENTRY_BEGIN
209REPLY RD DO
210SECTION QUESTION
211www.sub.example.com. IN A
212ENTRY_END
213
214; recursion happens here.
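215; lenient case: harden-algo-downgrade is "no" in the config above, so the answer is expected to validate via the correct SHA1 DS despite the bad SHA256 DS; the check below expects NOERROR with AD set, not SERVFAIL/BOGUS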
216STEP 10 CHECK_ANSWER
217ENTRY_BEGIN
218MATCH all
219REPLY QR RD RA AD DO NOERROR
220SECTION QUESTION
221www.sub.example.com. IN A
222SECTION ANSWER
223www.sub.example.com. 	3600	IN	A	11.11.11.11
224www.sub.example.com.    3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
225SECTION AUTHORITY
226SECTION ADDITIONAL
227ENTRY_END
228
229SCENARIO_END
230