1; config options 2; The island of trust is at example.com 3server: 4 trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" 5 val-override-date: "20070916134226" 6 target-fetch-policy: "0 0 0 0 0" 7 fake-sha1: yes 8 trust-anchor-signaling: no 9 10stub-zone: 11 name: "." 12 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 13CONFIG_END 14 15SCENARIO_BEGIN Test validator with NSEC3 with no DS referral abuse of apex. 16; abusing subzone apex NSEC3. 17 18; K.ROOT-SERVERS.NET. 19RANGE_BEGIN 0 100 20 ADDRESS 193.0.14.129 21ENTRY_BEGIN 22MATCH opcode qtype qname 23ADJUST copy_id 24REPLY QR NOERROR 25SECTION QUESTION 26. IN NS 27SECTION ANSWER 28. IN NS K.ROOT-SERVERS.NET. 29SECTION ADDITIONAL 30K.ROOT-SERVERS.NET. IN A 193.0.14.129 31ENTRY_END 32 33ENTRY_BEGIN 34MATCH opcode subdomain 35ADJUST copy_id copy_query 36REPLY QR NOERROR 37SECTION QUESTION 38com. IN A 39SECTION AUTHORITY 40com. IN NS a.gtld-servers.net. 41SECTION ADDITIONAL 42a.gtld-servers.net. IN A 192.5.6.30 43ENTRY_END 44RANGE_END 45 46; a.gtld-servers.net. 47RANGE_BEGIN 0 100 48 ADDRESS 192.5.6.30 49ENTRY_BEGIN 50MATCH opcode qtype qname 51ADJUST copy_id 52REPLY QR NOERROR 53SECTION QUESTION 54com. IN NS 55SECTION ANSWER 56com. IN NS a.gtld-servers.net. 57SECTION ADDITIONAL 58a.gtld-servers.net. IN A 192.5.6.30 59ENTRY_END 60 61ENTRY_BEGIN 62MATCH opcode subdomain 63ADJUST copy_id copy_query 64REPLY QR NOERROR 65SECTION QUESTION 66example.com. IN A 67SECTION AUTHORITY 68example.com. IN NS ns.example.com. 69SECTION ADDITIONAL 70ns.example.com. IN A 1.2.3.4 71ENTRY_END 72RANGE_END 73 74; ns.example.com. 75RANGE_BEGIN 0 100 76 ADDRESS 1.2.3.4 77ENTRY_BEGIN 78MATCH opcode qtype qname 79ADJUST copy_id 80REPLY QR AA SERVFAIL 81SECTION QUESTION 82ns.example.com. IN A 83SECTION ANSWER 84ENTRY_END 85 86ENTRY_BEGIN 87MATCH opcode qtype qname 88ADJUST copy_id 89REPLY QR AA SERVFAIL 90SECTION QUESTION 91ns.example.com. IN AAAA 92SECTION ANSWER 93ENTRY_END 94 95ENTRY_BEGIN 96MATCH opcode qtype qname 97ADJUST copy_id 98REPLY QR NOERROR 99SECTION QUESTION 100example.com. IN NS 101SECTION ANSWER 102example.com. IN NS ns.example.com. 103example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 104SECTION ADDITIONAL 105ns.example.com. IN A 1.2.3.4 106ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 107ENTRY_END 108 109; response to DNSKEY priming query 110ENTRY_BEGIN 111MATCH opcode qtype qname 112ADJUST copy_id 113REPLY QR NOERROR 114SECTION QUESTION 115example.com. IN DNSKEY 116SECTION ANSWER 117example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 118example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} 119SECTION AUTHORITY 120example.com. IN NS ns.example.com. 121example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 122SECTION ADDITIONAL 123ns.example.com. IN A 1.2.3.4 124ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 125ENTRY_END 126 127; response to query of interest 128ENTRY_BEGIN 129MATCH opcode qtype qname 130ADJUST copy_id 131REPLY QR NOERROR 132SECTION QUESTION 133www.example.com. IN A 134SECTION AUTHORITY 135example.com. IN SOA ns.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000 136example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCM6lsu9byZIQ1yYjJmyYfFWM2RWAIUcR5t84r2La824oWCkLjmHXRQlco= ;{id = 2854} 137 138; NODATA response. H(www.example.com.) = s1unhcti19bkdr98fegs0v46mbu3t4m3 139s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd s1unhcti19bkdr98fegs0v46mbu3t4m4 MX RRSIG 140s1unhcti19bkdr98fegs0v46mbu3t4m3.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MCwCFE/a24nsY2luhQmZjY/ObAIgNSMkAhQWd4MUOUVK55bD6AbMHWrDA0yvEA== ;{id = 2854} 141 142ENTRY_END 143 144ENTRY_BEGIN 145MATCH opcode qtype qname 146ADJUST copy_id 147REPLY QR NOERROR 148SECTION QUESTION 149sub.example.com. IN DS 150SECTION AUTHORITY 151; proof that there is no DS here. 152;sub.example.com. 3600 IN DS 2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31 153;sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854} 154; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd. 1558r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS SOA DNSKEY RRSIG 1568r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC4CFQCeKcyw76yvOvfa2+qtxv8bKcEyJwIVAJBeIGST4Y8Tk8YkQI0suee3Bxb1 ;{id = 2854} 157ENTRY_END 158 159; refer to server one down 160ENTRY_BEGIN 161MATCH opcode subdomain 162ADJUST copy_id copy_query 163REPLY QR NOERROR 164SECTION QUESTION 165sub.example.com. IN A 166SECTION AUTHORITY 167sub.example.com. IN NS ns.sub.example.com. 168; proof that there is no DS here. 169;sub.example.com. 3600 IN DS 2854 DSA 1 be4d46cd7489cce25a31af0dff2968ce0425dd31 170;sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQC1WMTfb25sTgeUEXCFR4+YiJqecwIUc2R/jrO4amyQxovSnld2reg8eyo= ;{id = 2854} 171; sub.example.com. -> 8r1f0ieoutlnjc03meng9e3bn2n0o9pd. 1728r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 8r1f0ieoutlnjc03meng9e3bn3n0o9pd NS SOA DNSKEY RRSIG 1738r1f0ieoutlnjc03meng9e3bn2n0o9pd.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. MC4CFQCeKcyw76yvOvfa2+qtxv8bKcEyJwIVAJBeIGST4Y8Tk8YkQI0suee3Bxb1 ;{id = 2854} 174 175SECTION ADDITIONAL 176ns.sub.example.com. IN A 1.2.3.10 177ENTRY_END 178RANGE_END 179 180; ns.sub.example.com. 181RANGE_BEGIN 0 100 182 ADDRESS 1.2.3.10 183ENTRY_BEGIN 184MATCH opcode qtype qname 185ADJUST copy_id 186REPLY QR AA REFUSED 187SECTION QUESTION 188ns.sub.example.com. IN A 189ENTRY_END 190 191ENTRY_BEGIN 192MATCH opcode qtype qname 193ADJUST copy_id 194REPLY QR AA REFUSED 195SECTION QUESTION 196ns.sub.example.com. IN AAAA 197SECTION ANSWER 198ENTRY_END 199 200ENTRY_BEGIN 201MATCH opcode qtype qname 202ADJUST copy_id 203REPLY QR REFUSED 204SECTION QUESTION 205sub.example.com. IN NS 206SECTION ANSWER 207ENTRY_END 208 209; response to DNSKEY priming query 210ENTRY_BEGIN 211MATCH opcode qtype qname 212ADJUST copy_id 213REPLY QR NOERROR 214SECTION QUESTION 215sub.example.com. IN DNSKEY 216SECTION ANSWER 217sub.example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 218sub.example.com. 3600 IN RRSIG DNSKEY 3 3 3600 20070926135752 20070829135752 2854 sub.example.com. MCwCFBznBTYM/SrdUnjQdBnLtRO79KAaAhQReG5nRuL7Xsdf6D0KKwPa1GpWyQ== ;{id = 2854} 219 220ENTRY_END 221 222ENTRY_BEGIN 223MATCH opcode qtype qname 224ADJUST copy_id 225REPLY QR NOERROR 226SECTION QUESTION 227www.sub.example.com. IN A 228SECTION ANSWER 229www.sub.example.com. IN A 1.2.3.123 230www.sub.example.com. 3600 IN RRSIG A 3 4 3600 20070926135752 20070829135752 2854 sub.example.com. MC0CFEExteiCsLkRi/md6o5K8BhRJAKFAhUAgg2tkvwaDn8Xbm9q+5xnjvgIB8k= ;{id = 2854} 231ENTRY_END 232RANGE_END 233 234STEP 1 QUERY 235ENTRY_BEGIN 236REPLY RD 237SECTION QUESTION 238www.sub.example.com. IN A 239ENTRY_END 240 241; recursion happens here. 242STEP 10 CHECK_ANSWER 243ENTRY_BEGIN 244MATCH all 245REPLY QR RD RA SERVFAIL 246SECTION QUESTION 247www.sub.example.com. IN A 248SECTION ANSWER 249SECTION AUTHORITY 250SECTION ADDITIONAL 251ENTRY_END 252 253SCENARIO_END 254