; Replay scenario for a validating resolver: a signed delegation
; (example.com. -> sub.example.com.) where one of the two child nameservers
; answers without any RRSIGs ("DNSSEC lame"). The final CHECK_ANSWER expects
; a validated (AD) answer that carries the RRSIG, so the resolver has to get
; the signed data from the other nameserver instead of accepting the
; unsigned reply.
;
; NOTE(review): the key material below (SHA-1 DS digests, DSA, a 512-bit
; RSASHA1 ZSK) is fixture data chosen for the test; none of it is a
; template for a production zone.
; config options
server:
; DS trust anchor for example.com.: key tag 2854, algorithm 3, digest type 1.
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
; Pins the validator clock to 2007-09-16 13:42:26, inside the RRSIG validity
; window used throughout this file (20070829134150 .. 20070926134150).
	val-override-date: "20070916134226"
; NOTE(review): presumably lets the SHA-1 based DS/RSASHA1 records validate
; even when the crypto library has SHA-1 signatures disabled - confirm.
	fake-sha1: yes
; NOTE(review): the next two options presumably keep the resolver from
; sending queries this scenario has no entries for - confirm.
	trust-anchor-signaling: no
	qname-minimisation: "no"

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.

CONFIG_END

SCENARIO_BEGIN Test dnssec-lame detection at ds point.

; K.ROOT-SERVERS.NET.
; Root: answers the root NS query and refers com. and net. to their servers.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN A
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
; com. server: unsigned referral for example.com. to ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END
RANGE_END

; e.gtld-servers.net.
; net. server: empty AAAA answers for the gtld servers, referral for
; ns.example.net. to example.net.
RANGE_BEGIN 0 100
	ADDRESS 192.12.94.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION ANSWER
net. IN NS e.gtld-servers.net.
SECTION ADDITIONAL
e.gtld-servers.net. IN A 192.12.94.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
; Listed as the second NS for sub.example.com. Its sub.example.com. answers
; below include RRSIGs made with key 30899, unlike those from 1.2.3.6.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
sub.example.com. 3600 IN RRSIG DNSKEY 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. uNGp99iznjD7oOX02XnQbDnbg75UwBHRvZSKYUorTKvPUnCWMHKdRsQ+mf+Fx3GZ+Fz9BVjoCmQqpnfgXLEYqw== ;{id = 30899}
SECTION AUTHORITY
; no NS set. not needed for this test.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN RRSIG NS 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. C/0b+sqlsdSTkhd+aDXb6ELyuQreosIGBzLCtWxYGD+Q9QGB5rN8uB+4+48yhw36pd3MfeAn06AgAnJ6eu8tJg== ;{id = 30899}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ns.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. UF7shD/gt1FOp2UHgLTNbPzVykklSXFMEtJ1xD+Hholwf/PIzd7zoaIttIYibNa4fUXCqMg22H9P7MRhfmFe6g== ;{id = 30899}
ENTRY_END

; response to query of interest
; Signed variant of the answer; STEP 20 expects exactly this A + RRSIG pair.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END

; ns.example.com.
; Parent zone server: signed with key 2854 (the key the trust anchor's DS
; names) and holder of the signed DS for sub.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.55
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.55
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
ENTRY_END

; fine DNSKEY response.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
ENTRY_END


; correct delegation with DS
; The signed DS here tells the validator that sub.example.com. is a secure
; zone, so unsigned answers from the child cannot be accepted as secure.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

; response for delegation to sub.example.com.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
sub.example.com. 3600 IN RRSIG DS 3 3 3600 20070926134150 20070829134150 2854 example.com. MCwCFCW3ix0GD4BSvNLWIbROCJt5DAW9AhRt/kg9kBKJ20UBUdumrBUHqnskdA== ;{id = 2854}
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END

; This server is DNSSEC LAME!
; Every reply in this range omits RRSIG records, although the parent
; publishes a signed DS for the zone.
; ns.sub.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.6

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN NS
SECTION ANSWER
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END


; response to DNSKEY priming query
; sub.example.com. 3600 IN DS 30899 RSASHA1 1 f7ed618f24d5e5202927e1d27bc2e84a141cb4b3
; The DNSKEY comes back without its RRSIG, so this reply alone cannot be
; validated against the DS.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub.example.com. IN DNSKEY
SECTION ANSWER
sub.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
SECTION AUTHORITY
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
ENTRY_END

; response to query of interest
; Same A record as the signed server returns, but with no RRSIG.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
SECTION AUTHORITY
; dnssec-lameness detection depends on this information
sub.example.com. IN NS ns.sub.example.com.
sub.example.com. IN NS ns.example.net.
SECTION ADDITIONAL
ns.sub.example.com. IN A 1.2.3.6
ENTRY_END
RANGE_END


; Client query with DO set, i.e. asking for DNSSEC records in the reply.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END

; recursion happens here.
; Pass condition: AD is set and the answer carries the RRSIG from key 30899,
; which in this scenario only 1.2.3.44 serves.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
www.sub.example.com. IN A 11.11.11.11
www.sub.example.com. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 sub.example.com. 0DqqRfRtm7VSEQ4mmBbzrKRqQAay3JAE8DPDGmjtokrrjN9F1G/HxozDV7bjdIh2EChlQea8FPwf/GepJMUVxg== ;{id = 30899}
ENTRY_END
SCENARIO_END