; Replay scenario for a DNSSEC validator: resolver configuration first
; (up to CONFIG_END), then scripted authoritative servers (RANGE blocks),
; then the client queries and the replies the resolver must produce (STEPs).
;
; config options
; Trust anchors are configured for example.com (DS) and example.net (DNSKEY).
; The root, com. and net. replies below carry no signatures at all.
server:
; Fixture keys only: the example.com anchor is a DS with algorithm 3 (DSA,
; see the "RRSIG DNSKEY DSA" record below) and digest type 1; the example.net
; anchor is a 512-bit algorithm 5 key (RSASHA1 in the RRSIGs below). These
; sizes and algorithms are far below what a production trust anchor should use.
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	trust-anchor: "example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
; Pins the date used for RRSIG inception/expiration checks so that it falls
; inside the validity window of every signature in this file
; (20070829... to 20070926...). Test-only: on a live resolver an overridden
; date makes signature expiry checking meaningless.
	val-override-date: "20070916134226"
; allow_snoop also admits non-recursive queries; STEP 11 below sends one
; (no RD flag). Scoped to 127.0.0.1 only.
	access-control: 127.0.0.1 allow_snoop
; All zeros: nameserver addresses are fetched only on demand.
	target-fetch-policy: "0 0 0 0 0"

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test validator with a referral with unsigned additional
; but the additional record is from a signed zone,
; and a proper proof for no DS or DNSKEY types is forthcoming.

; K.ROOT-SERVERS.NET.
; Unsigned root server. Every reply in this range is plain DNS.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

; Referral for www.example.com. Matches on qname only, so any query type
; for that name receives this referral.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
; Skip .com, to provide unsigned referral A record for ns.example.net
; and go straight to example.com.
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
; Both glue records are unsigned. ns.example.net sits under the example.net
; trust anchor, which is the case this scenario exercises.
; NOTE(review): the owner name on the second record is written without the
; trailing dot; presumably it is parsed as the same absolute name - confirm.
ns.example.com. IN A 1.2.3.4
ns.example.net IN A 1.2.3.5
ENTRY_END

; Referral to net. for any query type at example.net.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.net. IN A
SECTION AUTHORITY
net. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
; Unsigned com. and net. server.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; Same unsigned example.com referral as the root server gives.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.net IN A 1.2.3.5
ENTRY_END
; Unsigned referral from net. down to example.net.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.5
ENTRY_END
RANGE_END

; ns.example.com.
; Authoritative for example.com; all records are signed by key 2854.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
; Only ns.example.com gets a signed address here; this zone supplies no
; address for ns.example.net.
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to example.com. DNSKEY priming query
; The key tag (2854) and algorithm (3) match the DS trust anchor in the
; config section.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; Signed final answer for the recursive query of STEP 1.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 11.12.13.14
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFC6+BbFcL95vH6SOhMLGotcBospIAhUAhjfof+1VY5GsCp5b9UOD7UydBzI= ;{id = 2854}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
RANGE_END

; ns.example.net.
; This address serves two zones: example.com (same data as ns.example.com)
; and example.net (signed by key 30899).
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.5
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; example.com zone in ns.example.net.
; response to example.com. DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 11.12.13.14
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFC6+BbFcL95vH6SOhMLGotcBospIAhUAhjfof+1VY5GsCp5b9UOD7UydBzI= ;{id = 2854}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

; example.net zone in ns.example.net.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.5
ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
ENTRY_END

; response to DNSKEY priming query
; Returns the same key that is configured as the example.net trust anchor.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN DNSKEY
SECTION ANSWER
example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
example.net. 3600 IN RRSIG DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
SECTION AUTHORITY
example.net. IN NS ns.example.net.
example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.5
ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
ENTRY_END

; deny DS and DNSKEY types
; Signed NODATA replies: the NSEC at ns.example.net lists the types present
; at that name, and neither DS nor DNSKEY is among them. This is the
; "proper proof" the scenario title refers to.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN DS
SECTION AUTHORITY
example.net. IN SOA ns-pri.ripe.net. ops.ripe.net. 2007092101 3600 7200 1209600 7200
example.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. E1T+LAsAk7rtA6mnKRlgca5Lk+NJYUNNkfco1CrUp5IZZ1+QL7u7CINQBcndJkvoBwKhdVI8rz2LLW19wIywTw== ;{id = 30899}
; NOTE(review): this NSEC lists AAAA in its type bitmap, while the NSEC in
; the DNSKEY and AAAA denials below does not; each variant has its own RRSIG.
ns.example.net IN NSEC ns-new.example.net. A AAAA RRSIG NSEC
ns.example.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. HLkPBWA8Hstub8e/zdp/A8xyI6+fnnMsA9oiZ20VBuSTaBknX0SXmVulNhVGfdmz9fYmYFUr1zjqvPFG+ErO8A== ;{id = 30899}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN DNSKEY
SECTION AUTHORITY
example.net. IN SOA ns-pri.ripe.net. ops.ripe.net. 2007092101 3600 7200 1209600 7200
example.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. E1T+LAsAk7rtA6mnKRlgca5Lk+NJYUNNkfco1CrUp5IZZ1+QL7u7CINQBcndJkvoBwKhdVI8rz2LLW19wIywTw== ;{id = 30899}
ns.example.net IN NSEC ns-new.example.net. A RRSIG NSEC
ns.example.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. fAbDxuMP6lMqi71Wa9nsByG7buoJpfxyQhjps6HXOPzOC24UCCjdvZfZltlRy7Yrfrs28MjHwYEmHFmCeFpfPw== ;{id = 30899}
ENTRY_END

; Signed address of ns.example.net, as served by its own zone.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.5
ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
ENTRY_END

; Signed NODATA for AAAA at ns.example.net.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN SOA ns-pri.ripe.net. ops.ripe.net. 2007092101 3600 7200 1209600 7200
example.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 example.net. E1T+LAsAk7rtA6mnKRlgca5Lk+NJYUNNkfco1CrUp5IZZ1+QL7u7CINQBcndJkvoBwKhdVI8rz2LLW19wIywTw== ;{id = 30899}
ns.example.net IN NSEC ns-new.example.net. A RRSIG NSEC
ns.example.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. fAbDxuMP6lMqi71Wa9nsByG7buoJpfxyQhjps6HXOPzOC24UCCjdvZfZltlRy7Yrfrs28MjHwYEmHFmCeFpfPw== ;{id = 30899}
ENTRY_END

RANGE_END

; prime cache with example.com. NS rrset.
; Recursive query (RD) with DNSSEC records requested (DO).
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
; The reply must carry AD together with the signed A record.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 11.12.13.14
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFC6+BbFcL95vH6SOhMLGotcBospIAhUAhjfof+1VY5GsCp5b9UOD7UydBzI= ;{id = 2854}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

; test nonrec referral validation
; The query has no RD flag, so it depends on the allow_snoop access-control
; entry in the config section.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
bla.example.com. IN A
ENTRY_END

; Expected reply: a referral with AD set. AUTHORITY holds the signed
; example.com NS set and ADDITIONAL holds only the signed ns.example.com A.
; The unsigned ns.example.net A glue from the earlier referrals is not part
; of the expected reply.
; NOTE(review): presumably the validator drops that glue because the DS and
; DNSKEY denials place ns.example.net inside the signed example.net zone,
; where an unsigned A cannot validate - confirm against the validator's
; additional-section handling.
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RA AD DO NOERROR
SECTION QUESTION
bla.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. IN NS ns.example.net.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFEsWNXjGDFwH/0NGClonWUQlBaiFAhR/dt0asVj8M0VKs7PdTEKN/Y9i5w== ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

SCENARIO_END