1; config options 2; The island of trust is at nsecwc.nlnetlabs.nl 3server: 4 trust-anchor: "nsecwc.nlnetlabs.nl. 10024 IN DS 565 8 2 0C15C04C022700C8713028F6F64CF2343DE627B8F83CDA1C421C65DB 52908A2E" 5 val-override-date: "20181202115531" 6 target-fetch-policy: "0 0 0 0 0" 7 qname-minimisation: "no" 8 fake-sha1: yes 9 trust-anchor-signaling: no 10 ede: yes 11 12stub-zone: 13 name: "nsecwc.nlnetlabs.nl" 14 stub-addr: "185.49.140.60" 15 16CONFIG_END 17 18SCENARIO_BEGIN Test validator with nodata response with wildcard expanded NSEC record, original NSEC owner does not provide proof for QNAME. CVE-2017-15105 test. 19 20 ; ns.example.com. 21RANGE_BEGIN 0 100 22 ADDRESS 185.49.140.60 23 24; response to DNSKEY priming query 25ENTRY_BEGIN 26MATCH opcode qtype qname 27ADJUST copy_id 28REPLY QR NOERROR 29SECTION QUESTION 30nsecwc.nlnetlabs.nl. IN DNSKEY 31SECTION ANSWER 32nsecwc.nlnetlabs.nl. 3600 IN DNSKEY 257 3 8 AwEAAbTluF4BfJ/FT7Ak5a3VvYG1AqhT8FXxOsVwGTyueyE/hW+fMFMd QlLMf2Lf/gmsnFgn/p7GDmJBLlPTATmLeP3isvAZbK3MDEP2O5UjTVmt LZriTv8xfxYW6emCM54EQjWii64BFWrOeLm9zQqzyaLl53CbIIXqiacV KPteh8GX 33nsecwc.nlnetlabs.nl. 3600 IN RRSIG DNSKEY 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. q3bG4e8EtvXKDcNWcyYHeQxLF9l9aJKdmeSubyN6Qc3UVHugd6t3YSxD hlD+g43y7FcdnNHdAPh/jpgC4wtOb5J+5XAuESDHwesmIXOCTJjrb+A8 r+xQK+vsY8FhNZ2r81JZ/KQ/+TcCS5tbYeNZQgENduWAxgGiw3fdrMOV xiU= 34ENTRY_END 35 36; response to query of interest 37ENTRY_BEGIN 38MATCH opcode qtype qname 39ADJUST copy_id 40REPLY QR NOERROR 41SECTION QUESTION 42_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA 43SECTION ANSWER 44SECTION AUTHORITY 45nsecwc.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 46nsecwc.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. bYibpCDg1LgrnYJgVahgu94LBqLIcNs4iC0SW8LV7pTI1hhuFKbLkO2O ekPdkJAWmu/KTytf8D+cdcK6X/9VS8QCVIF5S0hraHtNezu0f1B5ztg3 7Rqy+uJSucNKoykueAsz2z43GMgO0rGH3bqM7+3ii8p2E2rhzqEtG/D3 qyY= 47; NSEC has a label length of 3, indication that the original owner name is: 48; *.nsecwc.nlnetlabs.nl. The NSEC therefore does no prove the NODATA answer. 49_25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN NSEC delegation.nsecwc.nlnetlabs.nl. TXT RRSIG NSEC 50_25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. ddy1MRbshFuFJswlouNGHsZUF/tYu8BOCztY2JuHeTMyWL7rhRKp73q/ 1RAXMwywKsynT5ioY0bMtEQszeIEn29IYaPDHieLAobjF6BMu1kO7U2/ oEBrSHM/fx28BcaM5G4nfCIm3BlhQhWvk1NDHLn3Q26x4hF/dnmFOUet aXw= 51SECTION ADDITIONAL 52ENTRY_END 53RANGE_END 54 55STEP 1 QUERY 56ENTRY_BEGIN 57REPLY RD DO 58SECTION QUESTION 59_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA 60ENTRY_END 61 62; recursion happens here. 63STEP 10 CHECK_ANSWER 64ENTRY_BEGIN 65MATCH all ede=6 66REPLY QR RD RA DO SERVFAIL 67SECTION QUESTION 68_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA 69SECTION ANSWER 70ENTRY_END 71 72SCENARIO_END 73