; Replay scenario for a validating resolver: a DNSKEY RRset that is re-fetched
; shortly before its cached copy expires must be validated through the DS chain
; from the configured trust anchor, not by its own self-signature alone.
; Layout: resolver config (up to CONFIG_END), canned authoritative servers
; (RANGE_BEGIN..RANGE_END, one per ADDRESS), then the scripted STEPs.
;
; NOTE(review): every key and signature below is a legacy fixture (DSA and
; RSASHA1 keys, SHA-1 DS digests, a 512-bit RSA zone key). They exist only so
; the replay is reproducible and are not a model for production zones.

; config options
; The island of trust is at example.com
server:
	; DS anchor for example.com: key tag 2854, algorithm 3 (DSA), digest type 1 (SHA-1).
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	; Pins the validator clock to 2007-09-16 13:42:26 so the fixture RRSIGs
	; (inception 20070829, expiration 20070926) are inside their validity window.
	; Test-only: with a pinned date, signature expiry is not checked against real time.
	val-override-date: "20070916134226"
	; presumably disables opportunistic nameserver-target fetches so that only the
	; scripted queries occur; confirm against the unbound.conf documentation
	target-fetch-policy: "0 0 0 0 0"
	; the canned servers below match on the full qname (www.sub.example.com. at the root)
	qname-minimisation: "no"
	; features under test
	prefetch-key: yes
	prefetch: yes
	; NOTE(review): looks like a test-harness switch that lets the SHA-1 based
	; fixtures validate where the crypto library refuses SHA-1; confirm in the
	; test harness before relying on this description
	fake-sha1: yes
	trust-anchor-signaling: no
	; STEP 40 uses MATCH all and expects the AUTHORITY and ADDITIONAL sections
	minimal-responses: no

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test validator with key prefetch and verify with the anchor


; K.ROOT-SERVERS.NET.
; Unsigned root: answers the priming query and refers www.sub.example.com to com.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS	K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION AUTHORITY
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
; Unsigned com: refers to example.com, where the configured trust anchor takes over.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END
RANGE_END

; ns.example.com.
; Signed with key tag 2854, the key the trust-anchor DS above refers to.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com.    IN NS   ns.example.com.
example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com.         IN      A       1.2.3.4
ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to DNSKEY priming query
; (the example.com DNSKEY RRset that the trust-anchor DS is checked against)
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600    IN      RRSIG   DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response for delegation to sub.example.com.
; The DS for sub.example.com (key tag 30899) is signed by example.com key 2854;
; this is the link from the trust anchor down to the child zone key.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
sub.example.com.	IN NS ns.sub.example.com.
sub.example.com.        3600    IN      DS      30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com.        3600    IN      RRSIG   DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

; referral returned when the parent server is asked for the sub.example.com
; DNSKEY: same signed DS and delegation as the entry above, no DNSKEY answer.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
SECTION AUTHORITY
sub.example.com.	IN NS ns.sub.example.com.
sub.example.com.        3600    IN      DS      30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com.        3600    IN      RRSIG   DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END

; ns.sub.example.com.
; Child zone, signed with key tag 30899 (algorithm 5, 512-bit fixture key).
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.6
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com.        3600    IN      RRSIG   NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. wcpHeBILHfo8C9uxMhcW03gcURZeUffiKdSTb50ZjzTHgMNhRyMfpcvSpXEd9548A9UTmWKeLZChfr5Z/glONw== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com.     3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to DNSKEY priming query
; sub.example.com.        3600    IN      DS      30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
; The RRSIG over this DNSKEY RRset is made by key 30899 itself, so the signature
; alone proves nothing about the key; trust has to come from the DS shown above.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com.        3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com.        3600    IN      RRSIG   DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com.        3600    IN      RRSIG   NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. wcpHeBILHfo8C9uxMhcW03gcURZeUffiKdSTb50ZjzTHgMNhRyMfpcvSpXEd9548A9UTmWKeLZChfr5Z/glONw== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com.     3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com.    IN A    11.11.11.11
www.sub.example.com.    3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
RANGE_END

; Client query with RD and DO set; fills the cache with the validated chain.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END

; recursion happens here.
; The AD flag in the expected reply means the answer validated as secure.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. 3600 IN A    11.11.11.11
www.sub.example.com.    3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

; 3400 of the 3600 second TTLs elapse, leaving 200 seconds on the cached records.
; presumably this is inside the resolver's prefetch window; confirm the threshold
; in the unbound.conf documentation for prefetch.
STEP 20 TIME_PASSES ELAPSE 3400

; now the key gets prefetched and has to be verified with the anchor,
; not with the key itself.
; this answer is from cache anyway.
; Why it matters: if a refreshed DNSKEY RRset were accepted on the strength of
; its own signature or the cached copy of itself, a forged replacement could not
; be told apart from the real one. Only the signed DS from the parent can vouch for it.
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
sub.example.com. IN DNSKEY
ENTRY_END

; The reply must still carry AD, with the full AUTHORITY and ADDITIONAL sections.
STEP 40 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com.        3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com.        3600    IN      RRSIG   DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com.        3600    IN      RRSIG   NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. wcpHeBILHfo8C9uxMhcW03gcURZeUffiKdSTb50ZjzTHgMNhRyMfpcvSpXEd9548A9UTmWKeLZChfr5Z/glONw== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com.     3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; presumably lets the outstanding prefetch traffic complete before the scenario ends
STEP 50 TRAFFIC

SCENARIO_END