; config options
; The island of trust is at example.com
;
; Purpose of this scenario (see SCENARIO_BEGIN below): a validating resolver
; with a trust anchor at example.com follows a referral into sub.example.com.
; The referral carries a signed NSEC whose type list has no DS, which is the
; proof that the delegation is insecure. The scripted DS answer further down
; is commented out, so the resolver has to reach that conclusion without
; fetching DS from the parent.
; Security-relevant point: the unsigned answer from the child is acceptable
; only because the parent's signed NSEC proves there is no DS. Without that
; proof a validator has to treat unsigned data under a trust anchor as bogus,
; otherwise stripping signatures would be a working downgrade.
server:
	# DS trust anchor for example.com: key tag 2854, algorithm 3 (DSA),
	# digest type 1 (SHA-1). Both are legacy algorithms; they appear here
	# only as fixed test vectors.
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	# Pins the validator clock to 2007-09-16 13:42:26 so the RRSIG validity
	# windows below (20070829... to 20070926...) are current. This is a
	# debugging feature and does not belong in a production configuration.
	val-override-date: "20070916134226"
	# All-zero policy: no opportunistic nameserver address lookups,
	# presumably so that only the scripted queries are sent.
	target-fetch-policy: "0 0 0 0 0"
	# NOTE(review): test-only switch, presumably so the SHA-1 based vectors
	# are still usable when the crypto build has SHA-1 disabled; confirm.
	# The RRSIGs below use algorithm 3 (DSA); confirm whether the harness
	# build also needs the matching fake-dsa switch.
	fake-sha1: yes
	# Presumably disabled because the scripted servers have no entry for
	# trust anchor signaling queries; confirm against the harness.
	trust-anchor-signaling: no

# The root is stubbed to the scripted K.ROOT address defined in the first RANGE.
stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test validator with insecure delegation and DS negative cache

; K.ROOT-SERVERS.NET.
; Scripted root server: answers the root NS query and refers the query of
; interest to com. Nothing from this server is signed.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
; Scripted com. server: unsigned referral to example.com. The chain of trust
; starts at the configured example.com anchor, not above it.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END

; ns.example.com.
; Scripted authoritative server for the signed zone. Every RRSIG in this range
; names key tag 2854 and signer example.com., the key the trust anchor points to.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to DNSKEY priming query
; The DNSKEY set is self-signed by key 2854; the validator checks it against
; the DS trust anchor before using the key for anything else.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response for delegation to sub.example.com.
; The NSEC at sub.example.com lists only NS, RRSIG and NSEC. The missing DS
; type is the signed evidence that this delegation is insecure. The delegation
; NS set carries no RRSIG here; only the NSEC is signed by the parent.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NSEC www.example.com. NS RRSIG NSEC
sub.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFDCaiDM6G+glwNW276HWdH+McmjgAhRSwF5OfimNQCqkWgnYotLOwUghKQ== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

; query for missing DS record.
; get it from the negative cache instead!
; The entry below is intentionally left commented out. With no scripted reply
; for "sub.example.com. IN DS" in this range, the scenario presumably passes
; only if the resolver derives the DS denial from the NSEC it received in the
; referral above (confirm how the harness treats an unmatched query).
; Keep it disabled; enabling it would stop the test from exercising that path.
;ENTRY_BEGIN
;MATCH opcode qtype qname
;ADJUST copy_id
;REPLY QR NOERROR
;SECTION QUESTION
;sub.example.com. IN DS
;SECTION ANSWER
;SECTION AUTHORITY
;example.com. IN SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200
;example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854}
;sub.example.com. IN NSEC www.example.com. NS RRSIG NSEC
;sub.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFDCaiDM6G+glwNW276HWdH+McmjgAhRSwF5OfimNQCqkWgnYotLOwUghKQ== ;{id = 2854}
;SECTION ADDITIONAL
;ns.sub.example.com. IN A 1.2.3.6
;ENTRY_END


RANGE_END

; ns.sub.example.com.
; Scripted server for the unsigned child zone: no RRSIGs anywhere in this range.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.6
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
RANGE_END

; Client query with RD and DO set, i.e. a DNSSEC-aware stub asking for recursion.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END

; recursion happens here.
; Expected result: NOERROR with the unsigned A record and no AD flag in the
; REPLY line, i.e. the answer is classified insecure rather than secure or
; bogus. NOTE(review): MATCH all presumably compares the header flags as well,
; which would make the absent AD bit part of the assertion; confirm against
; the harness.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. 3600 IN A 11.11.11.11
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

SCENARIO_END