1; config options 2server: 3 trust-anchor: "example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= )" 4 val-override-date: "20120420235959" 5 target-fetch-policy: "0 0 0 0 0" 6 qname-minimisation: "no" 7 fake-sha1: yes 8 trust-anchor-signaling: no 9 10stub-zone: 11 name: "." 12 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 13CONFIG_END 14 15SCENARIO_BEGIN Test validator NSEC3 B.2.1 no data empty nonterminal, wrong rr. 16 17; K.ROOT-SERVERS.NET. 18RANGE_BEGIN 0 100 19 ADDRESS 193.0.14.129 20ENTRY_BEGIN 21MATCH opcode qtype qname 22ADJUST copy_id 23REPLY QR NOERROR 24SECTION QUESTION 25. IN NS 26SECTION ANSWER 27. IN NS K.ROOT-SERVERS.NET. 28SECTION ADDITIONAL 29K.ROOT-SERVERS.NET. IN A 193.0.14.129 30ENTRY_END 31 32ENTRY_BEGIN 33MATCH opcode subdomain 34ADJUST copy_id copy_query 35REPLY QR NOERROR 36SECTION QUESTION 37example. IN A 38SECTION AUTHORITY 39example. IN NS ns1.example. 40; leave out to make unbound take ns1 41;example. IN NS ns2.example. 42SECTION ADDITIONAL 43ns1.example. IN A 192.0.2.1 44; leave out to make unbound take ns1 45;ns2.example. IN A 192.0.2.2 46ENTRY_END 47RANGE_END 48 49; ns1.example. 50RANGE_BEGIN 0 100 51 ADDRESS 192.0.2.1 52ENTRY_BEGIN 53MATCH opcode qtype qname 54ADJUST copy_id copy_query 55REPLY QR REFUSED 56SECTION QUESTION 57ns1.example. IN A 58SECTION ANSWER 59ENTRY_END 60 61ENTRY_BEGIN 62MATCH opcode qtype qname 63ADJUST copy_id copy_query 64REPLY QR REFUSED 65SECTION QUESTION 66ns1.example. IN AAAA 67SECTION ANSWER 68ENTRY_END 69 70ENTRY_BEGIN 71MATCH opcode qtype qname 72ADJUST copy_id copy_query 73REPLY QR REFUSED 74SECTION QUESTION 75example. IN NS 76SECTION ANSWER 77ENTRY_END 78 79; response to DNSKEY priming query 80 81ENTRY_BEGIN 82MATCH opcode qtype qname 83ADJUST copy_id 84REPLY QR NOERROR 85SECTION QUESTION 86example. IN DNSKEY 87SECTION ANSWER 88example. DNSKEY 256 3 7 AwEAAaetidLzsKWUt4swWR8yu0wPHPiUi8LU ( sAD0QPWU+wzt89epO6tHzkMBVDkC7qphQO2h TY4hHn9npWFRw5BYubE= ) 89example. DNSKEY 257 3 7 AwEAAcUlFV1vhmqx6NSOUOq2R/dsR7Xm3upJ ( j7IommWSpJABVfW8Q0rOvXdM6kzt+TAu92L9 AbsUdblMFin8CVF3n4s= ) 90example. RRSIG DNSKEY 7 1 3600 20150420235959 ( 20051021000000 12708 example. AuU4juU9RaxescSmStrQks3Gh9FblGBlVU31 uzMZ/U/FpsUb8aC6QZS+sTsJXnLnz7flGOsm MGQZf3bH+QsCtg== ) 91ENTRY_END 92 93ENTRY_BEGIN 94MATCH opcode qtype qname 95ADJUST copy_id 96REPLY QR AA DO NOERROR 97SECTION QUESTION 98y.w.example. IN A 99SECTION AUTHORITY 100example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 ) 101example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== ) 102 103;; NSEC3 RR matches the QNAME and shows that the A type bit is not set. 104;ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. NSEC3 1 1 12 aabbccdd ( k8udemvp1j2f7eg6jebps17vp3n8i58h ) 105;ji6neoaepv8b5o6k4ev33abha8ht9fgc.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. gPkFp1s2QDQ6wQzcg1uSebZ61W33rUBDcTj7 2F3kQ490fEdp7k1BUIfbcZtPbX3YCpE+sIt0 MpzVSKfTwx4uYA== ) 106 107; instead the wrong NSEC3 rr is included 10835mthgpgcu1qg68fab165klnsnk3dpvl.example. NSEC3 1 1 12 aabbccdd ( b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG ) 10935mthgpgcu1qg68fab165klnsnk3dpvl.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. g6jPUUpduAJKRljUsN8gB4UagAX0NxY9shwQ Aynzo8EUWH+z6hEIBlUTPGj15eZll6VhQqgZ XtAIR3chwgW+SA== ) 110 111SECTION ADDITIONAL 112ENTRY_END 113 114RANGE_END 115 116STEP 1 QUERY 117ENTRY_BEGIN 118REPLY RD 119SECTION QUESTION 120y.w.example. IN A 121ENTRY_END 122 123; recursion happens here. 124STEP 10 CHECK_ANSWER 125ENTRY_BEGIN 126MATCH all 127REPLY QR RD RA SERVFAIL 128SECTION QUESTION 129y.w.example. IN A 130SECTION ANSWER 131SECTION AUTHORITY 132SECTION ADDITIONAL 133ENTRY_END 134 135SCENARIO_END 136