1; config options 2; The island of trust is at example.com 3server: 4 trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" 5 val-override-date: "20070916134226" 6 target-fetch-policy: "0 0 0 0 0" 7 8stub-zone: 9 name: "." 10 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 11CONFIG_END 12 13SCENARIO_BEGIN Test validator with NSEC3 wildcard CNAME to subzone. 14; to test the zone determination routines in nsec3. 15 16; K.ROOT-SERVERS.NET. 17RANGE_BEGIN 0 100 18 ADDRESS 193.0.14.129 19ENTRY_BEGIN 20MATCH opcode qtype qname 21ADJUST copy_id 22REPLY QR NOERROR 23SECTION QUESTION 24. IN NS 25SECTION ANSWER 26. IN NS K.ROOT-SERVERS.NET. 27SECTION ADDITIONAL 28K.ROOT-SERVERS.NET. IN A 193.0.14.129 29ENTRY_END 30 31ENTRY_BEGIN 32MATCH opcode qtype qname 33ADJUST copy_id 34REPLY QR NOERROR 35SECTION QUESTION 36www.example.com. IN A 37SECTION AUTHORITY 38com. IN NS a.gtld-servers.net. 39SECTION ADDITIONAL 40a.gtld-servers.net. IN A 192.5.6.30 41ENTRY_END 42RANGE_END 43 44; a.gtld-servers.net. 45RANGE_BEGIN 0 100 46 ADDRESS 192.5.6.30 47ENTRY_BEGIN 48MATCH opcode qtype qname 49ADJUST copy_id 50REPLY QR NOERROR 51SECTION QUESTION 52com. IN NS 53SECTION ANSWER 54com. IN NS a.gtld-servers.net. 55SECTION ADDITIONAL 56a.gtld-servers.net. IN A 192.5.6.30 57ENTRY_END 58 59ENTRY_BEGIN 60MATCH opcode qtype qname 61ADJUST copy_id 62REPLY QR NOERROR 63SECTION QUESTION 64www.example.com. IN A 65SECTION AUTHORITY 66example.com. IN NS ns.example.com. 67SECTION ADDITIONAL 68ns.example.com. IN A 1.2.3.4 69ENTRY_END 70RANGE_END 71 72; ns.example.com. 73RANGE_BEGIN 0 100 74 ADDRESS 1.2.3.4 75ENTRY_BEGIN 76MATCH opcode qtype qname 77ADJUST copy_id 78REPLY QR NOERROR 79SECTION QUESTION 80example.com. IN NS 81SECTION ANSWER 82example.com. IN NS ns.example.com. 83example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 84SECTION ADDITIONAL 85ns.example.com. IN A 1.2.3.4 86ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 87ENTRY_END 88 89; response to DNSKEY priming query 90ENTRY_BEGIN 91MATCH opcode qtype qname 92ADJUST copy_id 93REPLY QR NOERROR 94SECTION QUESTION 95example.com. IN DNSKEY 96SECTION ANSWER 97example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 98example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} 99SECTION AUTHORITY 100example.com. IN NS ns.example.com. 101example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 102SECTION ADDITIONAL 103ns.example.com. IN A 1.2.3.4 104ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 105ENTRY_END 106 107; response to query of interest 108ENTRY_BEGIN 109MATCH opcode qtype qname 110ADJUST copy_id 111REPLY QR NOERROR 112SECTION QUESTION 113www.example.com. IN A 114SECTION ANSWER 115;from *.example.com. IN CNAME www.sub.example.com. 116www.example.com. IN CNAME www.sub.example.com. 117www.example.com. 3600 IN RRSIG CNAME 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCjVxqOi0bcgHgxVkwzJqIi6iNJswIUZxbmItvoyEczTclgVtHsr9Jmf+w= ;{id = 2854} 118SECTION AUTHORITY 119; cover qname next closer name. 120; H(www.example.com.) = s1unhcti19bkdr98fegs0v46mbu3t4m3. 121s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 A MX RRSIG 122s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFFSH4klZKke48dYyddYDj17gjTS0AhUAltWicpFLWqW98/Af9Qlx70MH8o4= ;{id = 2854} 123ENTRY_END 124 125; refer to server one down 126ENTRY_BEGIN 127MATCH opcode qtype qname 128ADJUST copy_id 129REPLY QR NOERROR 130SECTION QUESTION 131www.sub.example.com. IN A 132SECTION AUTHORITY 133sub.example.com. IN NS ns.sub.example.com. 134sub.example.com. 3600 IN DS 2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31 135sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854} 136SECTION ADDITIONAL 137ns.sub.example.com. IN A 1.2.3.10 138ENTRY_END 139RANGE_END 140 141; ns.sub.example.com. 142RANGE_BEGIN 0 100 143 ADDRESS 1.2.3.10 144ENTRY_BEGIN 145MATCH opcode qtype qname 146ADJUST copy_id 147REPLY QR NOERROR 148SECTION QUESTION 149sub.example.com. IN NS 150SECTION ANSWER 151sub.example.com. IN NS ns.sub.example.com. 152SECTION ADDITIONAL 153ns.sub.example.com. IN A 1.2.3.10 154ENTRY_END 155 156; response to DNSKEY priming query 157ENTRY_BEGIN 158MATCH opcode qtype qname 159ADJUST copy_id 160REPLY QR NOERROR 161SECTION QUESTION 162sub.example.com. IN DNSKEY 163SECTION ANSWER 164sub.example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 165sub.example.com. 3600 IN RRSIG DNSKEY 3 3 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFBznBTYM/SrdUnjQdBnLtRO79KAaAhQReG5nRuL7Xsdf6D0KKwPa1GpWyQ== ;{id = 2854} 166 167ENTRY_END 168 169ENTRY_BEGIN 170MATCH opcode qtype qname 171ADJUST copy_id 172REPLY QR NXDOMAIN 173SECTION QUESTION 174www.sub.example.com. IN A 175SECTION AUTHORITY 176sub.example.com. IN SOA ns.sub.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000 177sub.example.com. 3600 IN RRSIG SOA 3 3 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFBLls0z0ncWxTXzDt4uLAuJsr932AhQvVeUJevgwAL6mfmLL6fAf2IZ7mg== ;{id = 2854} 178 179; closest encloser, H(sub.example.com). = 8r1f0ieoutlnjc03meng9e3bn2n0o9pd 1808r1f0ieoutlnjc03meng9e3bn2n0o9pd.sub.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd SOA NS MX RRSIG 1818r1f0ieoutlnjc03meng9e3bn2n0o9pd.sub.example.com. 3600 IN RRSIG NSEC3 3 4 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFBX1qVlth+YE+y57p5C7X00bLthDAhRIF2xoHF0exs29obE7JjVthwXfHA== ;{id = 2854} 182 183; wildcard denial, H(*.sub.example.com.) = hq432j8q183b54mejh50200pqo8rvlog 184hq432j8q183b54mejh50200pqo7rvlog.sub.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd hq432j8q183b54mejh50200pqo9rvlog A RRSIG 185hq432j8q183b54mejh50200pqo7rvlog.sub.example.com. 3600 IN RRSIG NSEC3 3 4 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFAOXoeUk1d0cxT9p1gUvBrybAQCSAhQ5eLWaK932TxxY4U6NAxgst4O4uA== ;{id = 2854} 186 187; next closer denial H(www.sub.example.com.) = ecllopkacmb753v6jlld4d371l1u8gme 188ecllopkacmb753v6jlld4d371l1u7gme.sub.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd ecllopkacmb753v6jlld4d371l1u9gme A RRSIG 189ecllopkacmb753v6jlld4d371l1u7gme.sub.example.com. 3600 IN RRSIG NSEC3 3 4 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFAuD3qb/+CWyqjBRt/RDjZvsSyCGAhQivfP3zr1+2Uknw9RhXUcUO0g6Lg== ;{id = 2854} 190ENTRY_END 191RANGE_END 192 193STEP 1 QUERY 194ENTRY_BEGIN 195REPLY RD DO 196SECTION QUESTION 197www.example.com. IN A 198ENTRY_END 199 200; recursion happens here. 201STEP 10 CHECK_ANSWER 202ENTRY_BEGIN 203MATCH all 204REPLY QR RD RA DO NXDOMAIN 205SECTION QUESTION 206www.example.com. IN A 207SECTION ANSWER 208www.example.com. IN CNAME www.sub.example.com. 209www.example.com. 3600 IN RRSIG CNAME 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCjVxqOi0bcgHgxVkwzJqIi6iNJswIUZxbmItvoyEczTclgVtHsr9Jmf+w= ;{id = 2854} 210SECTION AUTHORITY 211SECTION AUTHORITY 212s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 A MX RRSIG 213s1unhcti19bkdr98fegs0v46mbu3t4m2.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFFSH4klZKke48dYyddYDj17gjTS0AhUAltWicpFLWqW98/Af9Qlx70MH8o4= ;{id = 2854} 214sub.example.com. IN SOA ns.sub.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000 215sub.example.com. 3600 IN RRSIG SOA 3 3 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFBLls0z0ncWxTXzDt4uLAuJsr932AhQvVeUJevgwAL6mfmLL6fAf2IZ7mg== ;{id = 2854} 2168r1f0ieoutlnjc03meng9e3bn2n0o9pd.sub.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd SOA NS MX RRSIG 2178r1f0ieoutlnjc03meng9e3bn2n0o9pd.sub.example.com. 3600 IN RRSIG NSEC3 3 4 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFBX1qVlth+YE+y57p5C7X00bLthDAhRIF2xoHF0exs29obE7JjVthwXfHA== ;{id = 2854} 218hq432j8q183b54mejh50200pqo7rvlog.sub.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd hq432j8q183b54mejh50200pqo9rvlog A RRSIG 219hq432j8q183b54mejh50200pqo7rvlog.sub.example.com. 3600 IN RRSIG NSEC3 3 4 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFAOXoeUk1d0cxT9p1gUvBrybAQCSAhQ5eLWaK932TxxY4U6NAxgst4O4uA== ;{id = 2854} 220ecllopkacmb753v6jlld4d371l1u7gme.sub.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd ecllopkacmb753v6jlld4d371l1u9gme A RRSIG 221ecllopkacmb753v6jlld4d371l1u7gme.sub.example.com. 3600 IN RRSIG NSEC3 3 4 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFAuD3qb/+CWyqjBRt/RDjZvsSyCGAhQivfP3zr1+2Uknw9RhXUcUO0g6Lg== ;{id = 2854} 222SECTION ADDITIONAL 223ENTRY_END 224 225SCENARIO_END 226