1; config options 2; The island of trust is at example.com 3server: 4 trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" 5 val-override-date: "20070916134226" 6 target-fetch-policy: "0 0 0 0 0" 7 fake-sha1: yes 8 trust-anchor-signaling: no 9 ede: yes 10 access-control: 127.0.0.0/8 allow_snoop 11 12stub-zone: 13 name: "." 14 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 15CONFIG_END 16 17SCENARIO_BEGIN Test validator with NSEC3 response for NODATA ENT with optout. 18 19; K.ROOT-SERVERS.NET. 20RANGE_BEGIN 0 100 21 ADDRESS 193.0.14.129 22ENTRY_BEGIN 23MATCH opcode qtype qname 24ADJUST copy_id 25REPLY QR NOERROR 26SECTION QUESTION 27. IN NS 28SECTION ANSWER 29. IN NS K.ROOT-SERVERS.NET. 30SECTION ADDITIONAL 31K.ROOT-SERVERS.NET. IN A 193.0.14.129 32ENTRY_END 33 34ENTRY_BEGIN 35MATCH opcode subdomain 36ADJUST copy_id copy_query 37REPLY QR NOERROR 38SECTION QUESTION 39com. IN A 40SECTION AUTHORITY 41com. IN NS a.gtld-servers.net. 42SECTION ADDITIONAL 43a.gtld-servers.net. IN A 192.5.6.30 44ENTRY_END 45RANGE_END 46 47; a.gtld-servers.net. 48RANGE_BEGIN 0 100 49 ADDRESS 192.5.6.30 50ENTRY_BEGIN 51MATCH opcode qtype qname 52ADJUST copy_id 53REPLY QR NOERROR 54SECTION QUESTION 55com. IN NS 56SECTION ANSWER 57com. IN NS a.gtld-servers.net. 58SECTION ADDITIONAL 59a.gtld-servers.net. IN A 192.5.6.30 60ENTRY_END 61 62ENTRY_BEGIN 63MATCH opcode subdomain 64ADJUST copy_id copy_query 65REPLY QR NOERROR 66SECTION QUESTION 67example.com. IN A 68SECTION AUTHORITY 69example.com. IN NS ns.example.com. 70SECTION ADDITIONAL 71ns.example.com. IN A 1.2.3.4 72ENTRY_END 73RANGE_END 74 75; ns.example.com. 76RANGE_BEGIN 0 100 77 ADDRESS 1.2.3.4 78ENTRY_BEGIN 79MATCH opcode qtype qname 80ADJUST copy_id 81REPLY QR AA REFUSED 82SECTION QUESTION 83ns.example.com. IN A 84ENTRY_END 85 86ENTRY_BEGIN 87MATCH opcode qtype qname 88ADJUST copy_id 89REPLY QR AA REFUSED 90SECTION QUESTION 91ns.example.com. IN AAAA 92ENTRY_END 93 94ENTRY_BEGIN 95MATCH opcode qtype qname 96ADJUST copy_id 97REPLY QR NOERROR 98SECTION QUESTION 99example.com. IN NS 100SECTION ANSWER 101example.com. IN NS ns.example.com. 102example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 103SECTION ADDITIONAL 104ns.example.com. IN A 1.2.3.4 105ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 106ENTRY_END 107 108; response to DNSKEY priming query 109ENTRY_BEGIN 110MATCH opcode qtype qname 111ADJUST copy_id 112REPLY QR NOERROR 113SECTION QUESTION 114example.com. IN DNSKEY 115SECTION ANSWER 116example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 117example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} 118SECTION AUTHORITY 119example.com. IN NS ns.example.com. 120example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 121SECTION ADDITIONAL 122ns.example.com. IN A 1.2.3.4 123ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 124ENTRY_END 125 126ENTRY_BEGIN 127MATCH opcode qtype qname 128ADJUST copy_id 129REPLY QR NOERROR 130SECTION QUESTION 131www.example.com. IN A 132SECTION AUTHORITY 133example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000 134example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCM6lsu9byZIQ1yYjJmyYfFWM2RWAIUcR5t84r2La824oWCkLjmHXRQlco= ;{id = 2854} 135 136; NODATA response. H(www.example.com.) = s1unhcti19bkdr98fegs0v46mbu3t4m3 137s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 MX RRSIG 138s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFE/a24nsY2luhQmZjY/ObAIgNSMkAhQWd4MUOUVK55bD6AbMHWrDA0yvEA== ;{id = 2854} 139 140ENTRY_END 141 142ENTRY_BEGIN 143MATCH opcode qtype qname 144ADJUST copy_id 145REPLY QR NOERROR 146SECTION QUESTION 147ent.example.com. IN DS 148SECTION AUTHORITY 149; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg. 150; OPTOUT 151b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG 152b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78= 153 154; ent.example.com. -> 2kekcu37chvrqjb272ptidu9jhk8oqag. 155; the span does not have OPTOUT 1562kekcu37chvrqjb272ptidu9jhk7oqag.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd 2kekcu37chvrqjb272ptidu9jhk9oqag 1572kekcu37chvrqjb272ptidu9jhk7oqag.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AAaGjBrmbElksOWsOAU0vdNwbRKsbsQgOwhFkONaynSk9M+2QpJQ6+k= 158ENTRY_END 159 160; refer to server one down 161ENTRY_BEGIN 162MATCH opcode subdomain 163ADJUST copy_id copy_query 164REPLY QR NOERROR 165SECTION QUESTION 166ent.example.com. IN A 167SECTION AUTHORITY 168; example.com. -> b6fuorg741ufili49mg9j4328ig53sqg. 169; OPTOUT 170b6fuorg741ufili49mg9j4328ig53sqg.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd b6fuorg741ufili49mg9j4328ig54sqg NS SOA DNSKEY RRSIG 171b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AHNLlpOM8cBFBBdzUO9nQC/O6mw3rDUrqcdiSwMKAIckd3k5WZvoP78= 172 173; ent.example.com. -> 2kekcu37chvrqjb272ptidu9jhk8oqag. 174; the span does not have OPTOUT 1752kekcu37chvrqjb272ptidu9jhk7oqag.example.com. IN NSEC3 1 0 123 aabb00123456bbccdd 2kekcu37chvrqjb272ptidu9jhk9oqag 1762kekcu37chvrqjb272ptidu9jhk7oqag.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AAaGjBrmbElksOWsOAU0vdNwbRKsbsQgOwhFkONaynSk9M+2QpJQ6+k= 177ENTRY_END 178 179RANGE_END 180 181STEP 1 QUERY 182ENTRY_BEGIN 183REPLY RD DO 184SECTION QUESTION 185ent.example.com. IN A 186ENTRY_END 187 188; recursion happens here. 189STEP 10 CHECK_ANSWER 190ENTRY_BEGIN 191MATCH all ede=6 192REPLY QR RD RA DO SERVFAIL 193SECTION QUESTION 194ent.example.com. IN A 195SECTION ANSWER 196ENTRY_END 197 198; Redo the query without RD to check EDE caching. 199STEP 11 QUERY 200ENTRY_BEGIN 201REPLY DO 202SECTION QUESTION 203ent.example.com. IN A 204ENTRY_END 205 206STEP 12 CHECK_ANSWER 207ENTRY_BEGIN 208MATCH all ede=6 209REPLY QR RA DO SERVFAIL 210SECTION QUESTION 211ent.example.com. IN A 212SECTION ANSWER 213ENTRY_END 214 215SCENARIO_END 216