; Replay scenario for a validating resolver: a CNAME that starts in one
; insecure delegation and ends in another.
; Chain of trust as laid out by the records below:
;   trust anchor DS (key tag 2854) -> example.com DNSKEY, algorithm 3 (DSA)
;   example.com -> sub.example.com : signed DS for key tag 30899 (RSASHA1)
;   sub.example.com -> b.sub.example.com : signed NSEC without a DS bit
;   example.com -> c.example.com : signed NSEC without a DS bit
; The expected replies at STEP 10 and STEP 30 list no AD flag.
;
; config options
; The island of trust is at example.com
; trust-anchor: DS with key tag 2854, algorithm 3, digest type 1 (SHA-1).
; val-override-date: fixes the validator's notion of "now" at a date that
;   falls inside every RRSIG inception/expiration pair in this file, so the
;   pre-computed signatures do not expire.
; target-fetch-policy: all zeros; presumably suppresses opportunistic
;   nameserver address lookups so only the scripted queries are sent -- confirm.
; fake-sha1: test-only switch. NOTE(review): looks like it lets the SHA-1
;   based DS and RRSIG data here be accepted on builds without SHA-1
;   support -- confirm against the validator source. It belongs in test
;   fixtures only, not in a deployed resolver configuration.
; trust-anchor-signaling: presumably turned off because the scenario scripts
;   no reply for such queries -- confirm.
server:
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	val-override-date: "20070916134226"
	target-fetch-policy: "0 0 0 0 0"
	fake-sha1: yes
	trust-anchor-signaling: no

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test validator with DS, unsec, cname sequence.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
; root NS set (unsigned; no trust anchor is configured for the root).
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

; referral to com. for the query of interest.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.b.sub.example.com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
; com. NS set (unsigned).
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; referral to example.com., where the configured trust anchor applies.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.b.sub.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
; example.com. NS set and glue, each with an RRSIG by key tag 2854.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to DNSKEY priming query
; The DNSKEY below (key tag 2854) is the key the trust-anchor DS refers to.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response for delegation to c.example.com.
; The signed NSEC lists NS RRSIG NSEC and no DS: proof that c.example.com.
; is an insecure delegation.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
c.c.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
c.example.com. IN NS ns.c.example.com.
c.example.com. IN NSEC d.example.com. NS RRSIG NSEC
c.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDQ1xBqQ8Yxy7d7MbfAOg9g+dInHAhUAgP2w61bvME+hLWFiNg42Ny02/vo= ;{id = 2854}
SECTION ADDITIONAL
ns.c.example.com. IN A 1.2.3.8
ENTRY_END

; explicit DS query for c.example.com.: authoritative empty answer carrying
; the same signed NSEC as the referral above.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
c.example.com. IN DS
SECTION ANSWER
SECTION AUTHORITY
c.example.com. IN NSEC d.example.com. NS RRSIG NSEC
c.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDQ1xBqQ8Yxy7d7MbfAOg9g+dInHAhUAgP2w61bvME+hLWFiNg42Ny02/vo= ;{id = 2854}
SECTION ADDITIONAL
ENTRY_END

; response for delegation to sub.example.com.
; Secure delegation: the DS names key tag 30899 and is signed by key tag 2854.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.b.sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

; the same referral to sub.example.com., returned when the
; sub.example.com. DNSKEY query is sent to this parent server.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END

; ns.sub.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.6
; sub.example.com. NS set and glue, each with an RRSIG by key tag 30899.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. 3600 IN RRSIG NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. wcpHeBILHfo8C9uxMhcW03gcURZeUffiKdSTb50ZjzTHgMNhRyMfpcvSpXEd9548A9UTmWKeLZChfr5Z/glONw== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to DNSKEY priming query
; The DS that the parent publishes for this key, repeated for reference:
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. 3600 IN RRSIG NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. wcpHeBILHfo8C9uxMhcW03gcURZeUffiKdSTb50ZjzTHgMNhRyMfpcvSpXEd9548A9UTmWKeLZChfr5Z/glONw== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to query of interest
; another delegation, validated as insecure: the signed NSEC for
; b.sub.example.com. lists NS NSEC RRSIG and no DS.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.b.sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
b.sub.example.com. IN NS ns.b.sub.example.com.
b.sub.example.com. IN NSEC c.sub.example.com. NS NSEC RRSIG
b.sub.example.com. 3600 IN RRSIG NSEC 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. KPdURTUrbQvc6OXtDZaH3+14uO2qPUPIFO86aTNZ/Ujy3d2RMSB7fkSSulDO6QDSBEUhr9WgbQr0/YoljCBirA== ;{id = 30899}
SECTION ADDITIONAL
ns.b.sub.example.com. IN A 1.2.3.7
ENTRY_END

; b DS query.
; Authoritative empty answer with the same signed NSEC as the referral above.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
b.sub.example.com. IN DS
SECTION AUTHORITY
b.sub.example.com. IN NSEC c.sub.example.com. NS NSEC RRSIG
b.sub.example.com. 3600 IN RRSIG NSEC 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. KPdURTUrbQvc6OXtDZaH3+14uO2qPUPIFO86aTNZ/Ujy3d2RMSB7fkSSulDO6QDSBEUhr9WgbQr0/YoljCBirA== ;{id = 30899}
ENTRY_END
RANGE_END

; server ns.b.sub.example.com.
; Every reply in this range is unsigned (no RRSIG records).
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.7
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
b.sub.example.com. IN NS
SECTION ANSWER
b.sub.example.com. IN NS ns.b.sub.example.com.
SECTION ADDITIONAL
ns.b.sub.example.com. IN A 1.2.3.7
ENTRY_END

ENTRY_BEGIN
; query of interest, give a cname to another unsecure zone.
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.b.sub.example.com. IN A
SECTION ANSWER
a.b.sub.example.com. IN CNAME c.c.example.com.
ENTRY_END

; DS query for the CNAME owner name: empty answer with the zone SOA and
; no CNAME. This is the reply that STEP 30 expects to see passed through.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.b.sub.example.com. IN DS
SECTION AUTHORITY
b.sub.example.com. IN SOA B-EXAMPLE. b-example. 1 2 3 7 7
ENTRY_END
RANGE_END

; server ns.c.example.com.
; Every reply in this range is unsigned (no RRSIG records).
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.8
; NOTE(review): this entry answers for c.sub.example.com., a name that no
; referral in this file delegates; it looks like a leftover -- confirm
; before relying on it.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
c.sub.example.com. IN NS
SECTION ANSWER
c.sub.example.com. IN NS ns.c.sub.example.com.
SECTION ADDITIONAL
ns.c.sub.example.com. IN A 1.2.3.8
ENTRY_END

; c.example.com. NS set.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
c.example.com. IN NS
SECTION ANSWER
c.example.com. IN NS ns.c.example.com.
SECTION ADDITIONAL
ns.c.example.com. IN A 1.2.3.8
ENTRY_END

; address record for the CNAME target.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
c.c.example.com. IN A
SECTION ANSWER
c.c.example.com. IN A 11.11.11.11
ENTRY_END

; DS query for the CNAME target: empty answer with the zone SOA.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
c.c.example.com. IN DS
SECTION AUTHORITY
c.example.com. IN SOA C-EXAMPLE. c-example. 1 2 3 4 5
ENTRY_END
RANGE_END

; client query with RD and DO set.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
a.b.sub.example.com. IN A
ENTRY_END

; recursion happens here.
; Expected reply: the CNAME followed by the target's A record, NOERROR,
; with no AD flag listed, since both ends of the CNAME are in insecure zones.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO NOERROR
SECTION QUESTION
a.b.sub.example.com. IN A
SECTION ANSWER
a.b.sub.example.com. IN CNAME c.c.example.com.
c.c.example.com. 3600 IN A 11.11.11.11
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

; test that a DS query is not redirected along the CNAME, but is instead
; sent to the right server, which has to respond to it.
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
a.b.sub.example.com. IN DS
ENTRY_END

; Expected reply: empty answer with the b.sub.example.com. SOA in the
; authority section and no CNAME.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO NOERROR
SECTION QUESTION
a.b.sub.example.com. IN DS
SECTION AUTHORITY
b.sub.example.com. IN SOA B-EXAMPLE. b-example. 1 2 3 7 7
ENTRY_END

SCENARIO_END