1; config options 2; The island of trust is at example.com 3server: 4 trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" 5 val-override-date: "20070916134226" 6 target-fetch-policy: "0 0 0 0 0" 7 # test that default value of harden-dnssec-stripped is still yes. 8 fake-sha1: yes 9 trust-anchor-signaling: no 10 ede: yes 11 access-control: 127.0.0.0/8 allow_snoop 12 13stub-zone: 14 name: "." 15 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 16CONFIG_END 17 18SCENARIO_BEGIN Test validator with failed DNSKEY request 19 20; K.ROOT-SERVERS.NET. 21RANGE_BEGIN 0 100 22 ADDRESS 193.0.14.129 23ENTRY_BEGIN 24MATCH opcode qtype qname 25ADJUST copy_id 26REPLY QR NOERROR 27SECTION QUESTION 28. IN NS 29SECTION ANSWER 30. IN NS K.ROOT-SERVERS.NET. 31SECTION ADDITIONAL 32K.ROOT-SERVERS.NET. IN A 193.0.14.129 33ENTRY_END 34 35ENTRY_BEGIN 36MATCH opcode subdomain 37ADJUST copy_id copy_query 38REPLY QR NOERROR 39SECTION QUESTION 40com. IN A 41SECTION AUTHORITY 42com. IN NS a.gtld-servers.net. 43SECTION ADDITIONAL 44a.gtld-servers.net. IN A 192.5.6.30 45ENTRY_END 46RANGE_END 47 48; a.gtld-servers.net. 49RANGE_BEGIN 0 100 50 ADDRESS 192.5.6.30 51ENTRY_BEGIN 52MATCH opcode qtype qname 53ADJUST copy_id 54REPLY QR NOERROR 55SECTION QUESTION 56com. IN NS 57SECTION ANSWER 58com. IN NS a.gtld-servers.net. 59SECTION ADDITIONAL 60a.gtld-servers.net. IN A 192.5.6.30 61ENTRY_END 62 63ENTRY_BEGIN 64MATCH opcode subdomain 65ADJUST copy_id copy_query 66REPLY QR NOERROR 67SECTION QUESTION 68example.com. IN A 69SECTION AUTHORITY 70example.com. IN NS ns.example.com. 71SECTION ADDITIONAL 72ns.example.com. IN A 1.2.3.4 73ENTRY_END 74RANGE_END 75 76; ns.example.com. 77RANGE_BEGIN 0 100 78 ADDRESS 1.2.3.4 79ENTRY_BEGIN 80MATCH opcode qtype qname 81ADJUST copy_id 82REPLY QR NOERROR 83SECTION QUESTION 84example.com. IN NS 85SECTION ANSWER 86example.com. IN NS ns.example.com. 87example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 88SECTION ADDITIONAL 89ns.example.com. IN A 1.2.3.4 90ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 91ENTRY_END 92 93ENTRY_BEGIN 94MATCH opcode qtype qname 95ADJUST copy_id 96REPLY QR NOERROR 97SECTION QUESTION 98ns.example.com. IN A 99SECTION ANSWER 100ns.example.com. IN A 1.2.3.4 101ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 102SECTION AUTHORITY 103example.com. IN NS ns.example.com. 104example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 105ENTRY_END 106 107; response to DNSKEY priming query 108ENTRY_BEGIN 109MATCH opcode qtype qname 110ADJUST copy_id 111;REPLY QR AA NOERROR 112REPLY QR AA SERVFAIL 113SECTION QUESTION 114example.com. IN DNSKEY 115SECTION ANSWER 116;example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 117;example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} 118;SECTION AUTHORITY 119;example.com. IN NS ns.example.com. 120;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 121;SECTION ADDITIONAL 122;ns.example.com. IN A 1.2.3.4 123;ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 124ENTRY_END 125 126; response to query of interest 127ENTRY_BEGIN 128MATCH opcode qtype qname 129ADJUST copy_id 130REPLY QR NOERROR 131SECTION QUESTION 132www.example.com. IN A 133SECTION ANSWER 134www.example.com. IN A 10.20.30.40 135ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854} 136SECTION AUTHORITY 137example.com. IN NS ns.example.com. 138example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 139SECTION ADDITIONAL 140ns.example.com. IN A 1.2.3.4 141www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} 142ENTRY_END 143 144ENTRY_BEGIN 145MATCH opcode qtype qname 146ADJUST copy_id 147REPLY QR AA NOERROR 148SECTION QUESTION 149ns.example.com. IN AAAA 150SECTION ANSWER 151SECTION AUTHORITY 152example.com. IN NS ns.example.com. 153example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 154ENTRY_END 155 156RANGE_END 157 158STEP 1 QUERY 159ENTRY_BEGIN 160REPLY RD DO 161SECTION QUESTION 162www.example.com. IN A 163ENTRY_END 164 165; recursion happens here. 166STEP 10 CHECK_ANSWER 167ENTRY_BEGIN 168MATCH all ede=9 169REPLY QR RD RA DO SERVFAIL 170SECTION QUESTION 171www.example.com. IN A 172SECTION ANSWER 173ENTRY_END 174 175; Redo the query without RD to check EDE caching. 176STEP 11 QUERY 177ENTRY_BEGIN 178REPLY DO 179SECTION QUESTION 180www.example.com. IN A 181ENTRY_END 182 183STEP 12 CHECK_ANSWER 184ENTRY_BEGIN 185MATCH all ede=9 186REPLY QR RA DO SERVFAIL 187SECTION QUESTION 188www.example.com. IN A 189SECTION ANSWER 190ENTRY_END 191 192SCENARIO_END 193