; config options
; The island of trust is at example.com
; Purpose: replay scenario in which the referral to sub.example.com carries an
; NSEC3 "no DS" proof whose RRSIG does not validate. The expected outcome
; (STEP 10) is SERVFAIL, not the child's answer.
; trust-anchor DS fields: key tag 2854, algorithm 3 (DSA), digest type 1 (SHA-1).
; val-override-date fixes the validator's notion of "now" at 2007-09-16, which
; is inside the 20070829..20070926 validity window used by the good signatures below.
; NOTE(review): target-fetch-policy of all zeros presumably stops opportunistic
; nameserver-address fetches so the replayed queries stay predictable; confirm.
; NOTE(review): DSA support is a build-time option in some validator builds;
; confirm it is enabled where this fixture is run.
server:
	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	val-override-date: "20070916134226"
	target-fetch-policy: "0 0 0 0 0"

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test validator with NSEC3 with no DS referral with bad signature.

; K.ROOT-SERVERS.NET.
; Simulated root server: answers the root NS query and refers com. downwards.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS	K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
; Simulated com. server: unsigned referral to example.com.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END
RANGE_END

; ns.example.com.
; Simulated server for the signed parent zone (the trust anchor zone).
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
; A and AAAA lookups for the nameserver's own name are answered REFUSED.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA REFUSED
SECTION QUESTION
ns.example.com. IN A
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA REFUSED
SECTION QUESTION
ns.example.com. IN AAAA
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com.    IN NS   ns.example.com.
example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com.         IN      A       1.2.3.4
ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to DNSKEY priming query
; The DNSKEY below has key tag 2854 and algorithm 3, matching the trust-anchor DS.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com.    3600    IN      RRSIG   DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to query of interest
; NOTE(review): STEP 1 below queries www.sub.example.com, not www.example.com,
; so this entry does not look like the one the scenario exercises; confirm.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
example.com.	IN SOA	ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
example.com.    3600    IN      RRSIG   SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCM6lsu9byZIQ1yYjJmyYfFWM2RWAIUcR5t84r2La824oWCkLjmHXRQlco= ;{id = 2854}

; NODATA response. H(www.example.com.) = s1unhcti19bkdr98fegs0v46mbu3t4m3
; The type list of this NSEC3 (MX RRSIG) contains no A.
s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 MX RRSIG
s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFE/a24nsY2luhQmZjY/ObAIgNSMkAhQWd4MUOUVK55bD6AbMHWrDA0yvEA== ;{id = 2854}

ENTRY_END

; refer to server one down
; This referral is the case under test: the delegation NS set is accompanied by
; an NSEC3 whose type list (NS RRSIG) has no DS, but the covering RRSIG is bad.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION AUTHORITY
sub.example.com.	IN NS ns.sub.example.com.
; proof that there is no DS here.
;sub.example.com.        3600    IN      DS      2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31
;sub.example.com.        3600    IN      RRSIG   DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854}
; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.
; NSEC3 fields: hash algorithm 1, flags 1, 123 iterations, salt aabb00123456bbccdd.
8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS RRSIG
; bad signature:
; The active RRSIG differs from the commented-out one only in its validity
; dates (20010829..20010926 instead of 20070829..20070926); the signature bytes
; are the same. The 2001 window lies before the val-override-date.
8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20010926135752 20010829135752 2854 example.com. MC0CFEC78oZJjqlV6kVyQb4X0o6tsUpUAhUAk+bgth7eeN+aO8ts2+yLSyzSX9g= ;{id = 2854}
;8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFEC78oZJjqlV6kVyQb4X0o6tsUpUAhUAk+bgth7eeN+aO8ts2+yLSyzSX9g= ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.10
ENTRY_END

; Explicit DS query for the child: the reply carries the same NSEC3 and the
; same badly-dated RRSIG as the referral above.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DS
SECTION AUTHORITY
; proof that there is no DS here.
;sub.example.com.        3600    IN      DS      2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31
;sub.example.com.        3600    IN      RRSIG   DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854}
; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd.
8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS RRSIG
; bad signature
8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20010926135752 20010829135752 2854 example.com. MC0CFEC78oZJjqlV6kVyQb4X0o6tsUpUAhUAk+bgth7eeN+aO8ts2+yLSyzSX9g= ;{id = 2854}
;8r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com.   3600    IN      RRSIG   NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFEC78oZJjqlV6kVyQb4X0o6tsUpUAhUAk+bgth7eeN+aO8ts2+yLSyzSX9g= ;{id = 2854}
ENTRY_END
RANGE_END

; ns.sub.example.com.
; Simulated child-zone server. It would serve a signed A record for
; www.sub.example.com; the expected SERVFAIL in STEP 10 shows that this data
; must not be handed to the client.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.10
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR REFUSED
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
ENTRY_END


; response to DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com.        3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
sub.example.com.        3600    IN      RRSIG   DNSKEY 3 3 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFBznBTYM/SrdUnjQdBnLtRO79KAaAhQReG5nRuL7Xsdf6D0KKwPa1GpWyQ== ;{id = 2854}

ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com.	IN A	1.2.3.123
www.sub.example.com.    3600    IN      RRSIG   A 3 4 3600 20070926135752 20070829135752 2854 sub.example.com. MC0CFEExteiCsLkRi/md6o5K8BhRJAKFAhUAgg2tkvwaDn8Xbm9q+5xnjvgIB8k= ;{id = 2854}
ENTRY_END
RANGE_END

; Client query with RD and DO set, i.e. recursion requested and DNSSEC records wanted.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END

; recursion happens here.
; Expected result: SERVFAIL with empty answer, authority and additional sections.
; A "no DS" proof that cannot be verified must not downgrade the child zone to
; insecure; if it did, a forged or stale denial would be enough to switch off
; validation for a delegation below a trust anchor.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

SCENARIO_END