; config options
; The island of trust is at example.com
;
; Fixture note: every key and signature below is static test material.
; The algorithms in use (DSA = 3, RSASHA1 = 5), the SHA-1 DS digest (type 1)
; and the 512-bit example.net key exist only to drive the validator code
; paths; none of them is a model for a production zone.
server:
; DS anchor for example.com: key tag 2854, algorithm 3, digest type 1.
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
; DNSKEY anchor for example.net: flags 256, algorithm 5, key tag 30899.
; This second anchor is what makes example.net a signed zone for the
; validator, so the unsigned glue for ns.example.net cannot be waved
; through as "insecure" without a proof.
	trust-anchor: "example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
; Pins the validator clock to 2007-09-16 13:42:26, inside the inception
; and expiration window (20070829..20070926) of every RRSIG in this file.
	val-override-date: "20070916134226"
; allow_snoop lets 127.0.0.1 send the non-recursive query used in STEP 11.
	access-control: 127.0.0.1 allow_snoop
; No extra nameserver-address fetches, no qname minimisation, no
; trust-anchor signaling queries and no RRset rotation: the scripted
; servers below only answer the queries listed, in the order listed.
	target-fetch-policy: "0 0 0 0 0"
	qname-minimisation: "no"
; NOTE(review): fake-sha1 looks like a test-harness setting; presumably it
; keeps the SHA-1 based material in this file usable where the crypto
; library rejects SHA-1. Confirm against the harness documentation.
	fake-sha1: yes
	trust-anchor-signaling: no
	rrset-roundrobin: no

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test validator with a referral with unsigned additional
; but the additional record is from a signed zone,
; and a proper proof for no DS or DNSKEY types is forthcoming.
;
; What is being checked: a referral for example.com carries an A record
; for ns.example.net without any RRSIG. example.net has a trust anchor, so
; the validator has to establish the status of that name. The scripted
; example.net server answers DS and DNSKEY queries for ns.example.net with
; signed NSEC records showing those types do not exist at that name, and
; serves the signed A record when asked for it directly.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
; root priming response
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

; Referral under test: matched on opcode and qname only, the question is
; copied from the query, and both glue records arrive without RRSIGs.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
; Skip .com, to provide unsigned referral A record for ns.example.net
; and go straight to example.com.
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
; NOTE(review): the owner name on the next line has no trailing dot,
; unlike the other records; presumably it is read relative to the root.
; Confirm that the harness parses it as ns.example.net.
ns.example.net IN A 1.2.3.5
ENTRY_END

ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.net. IN A
SECTION AUTHORITY
net. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; Same unsigned referral as the one scripted for the root server.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.net IN A 1.2.3.5
ENTRY_END
; Referral to example.net; the glue here is unsigned as well.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.5
ENTRY_END
RANGE_END

; ns.example.com.
; Authoritative answers for example.com, signed with key tag 2854. Note
; that the ADDITIONAL sections here carry only ns.example.com glue.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to example.com. DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 11.12.13.14
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFC6+BbFcL95vH6SOhMLGotcBospIAhUAhjfof+1VY5GsCp5b9UOD7UydBzI= ;{id = 2854}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
RANGE_END

; ns.example.net.
; This address serves both zones: the example.com entries repeat the ones
; scripted for 1.2.3.4, and the example.net entries are signed with key
; tag 30899.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.5
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; example.com zone in ns.example.net.
; response to example.com. DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 11.12.13.14
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFC6+BbFcL95vH6SOhMLGotcBospIAhUAhjfof+1VY5GsCp5b9UOD7UydBzI= ;{id = 2854}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

; example.net zone in ns.example.net.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.5
ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
ENTRY_END

; response to DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN DNSKEY
SECTION ANSWER
example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
example.net. 3600 IN RRSIG DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
SECTION AUTHORITY
example.net. IN NS ns.example.net.
example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.5
ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
ENTRY_END

; deny DS and DNSKEY types
; Empty-answer responses: the signed NSEC record at ns.example.net lists
; the types that exist there, and neither DS nor DNSKEY is in the list.
; NOTE(review): the NSEC in the DS reply lists "A AAAA RRSIG NSEC", while
; the DNSKEY and AAAA replies below list "A RRSIG NSEC" under a different
; signature, and the AAAA query itself is answered as no-data. Presumably
; harmless for this scenario; confirm the mismatch is intended.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN DS
SECTION AUTHORITY
example.net. IN SOA ns-pri.ripe.net. ops.ripe.net. 2007092101 3600 7200 1209600 7200
example.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. E1T+LAsAk7rtA6mnKRlgca5Lk+NJYUNNkfco1CrUp5IZZ1+QL7u7CINQBcndJkvoBwKhdVI8rz2LLW19wIywTw== ;{id = 30899}
ns.example.net IN NSEC ns-new.example.net. A AAAA RRSIG NSEC
ns.example.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. HLkPBWA8Hstub8e/zdp/A8xyI6+fnnMsA9oiZ20VBuSTaBknX0SXmVulNhVGfdmz9fYmYFUr1zjqvPFG+ErO8A== ;{id = 30899}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN DNSKEY
SECTION AUTHORITY
example.net. IN SOA ns-pri.ripe.net. ops.ripe.net. 2007092101 3600 7200 1209600 7200
example.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. E1T+LAsAk7rtA6mnKRlgca5Lk+NJYUNNkfco1CrUp5IZZ1+QL7u7CINQBcndJkvoBwKhdVI8rz2LLW19wIywTw== ;{id = 30899}
ns.example.net IN NSEC ns-new.example.net. A RRSIG NSEC
ns.example.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. fAbDxuMP6lMqi71Wa9nsByG7buoJpfxyQhjps6HXOPzOC24UCCjdvZfZltlRy7Yrfrs28MjHwYEmHFmCeFpfPw== ;{id = 30899}
ENTRY_END

; Signed A record for ns.example.net, served when it is queried directly.
; It has the same address as the unsigned glue in the referrals.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.5
ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN SOA ns-pri.ripe.net. ops.ripe.net. 2007092101 3600 7200 1209600 7200
example.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. E1T+LAsAk7rtA6mnKRlgca5Lk+NJYUNNkfco1CrUp5IZZ1+QL7u7CINQBcndJkvoBwKhdVI8rz2LLW19wIywTw== ;{id = 30899}
ns.example.net IN NSEC ns-new.example.net. A RRSIG NSEC
ns.example.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. fAbDxuMP6lMqi71Wa9nsByG7buoJpfxyQhjps6HXOPzOC24UCCjdvZfZltlRy7Yrfrs28MjHwYEmHFmCeFpfPw== ;{id = 30899}
ENTRY_END

RANGE_END

; prime cache with example.com. NS rrset.
; The client query sets RD and DO, so it triggers full recursion and asks
; for DNSSEC records in the reply.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
; The expected reply has the AD flag set: the answer must validate as
; secure even though the referral that led to it carried unsigned glue.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 11.12.13.14
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFC6+BbFcL95vH6SOhMLGotcBospIAhUAhjfof+1VY5GsCp5b9UOD7UydBzI= ;{id = 2854}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

; test nonrec referral validation
; No RD flag here: this is the non-recursive query that the allow_snoop
; access-control entry permits from 127.0.0.1.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
bla.example.com. IN A
ENTRY_END

; Expected referral with AD set. Every RRset in it carries an RRSIG, and
; the ADDITIONAL section holds only the ns.example.com glue; the unsigned
; ns.example.net address from the original referral is not part of the
; expected answer.
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RA AD DO NOERROR
SECTION QUESTION
bla.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

SCENARIO_END