summaryrefslogtreecommitdiffstats
path: root/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl
diff options
context:
space:
mode:
Diffstat (limited to 'tests/integration/deckard/sets/resolver/val_dname_bogus.rpl')
-rw-r--r--tests/integration/deckard/sets/resolver/val_dname_bogus.rpl319
1 files changed, 319 insertions, 0 deletions
diff --git a/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl b/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl
new file mode 100644
index 0000000..6180320
--- /dev/null
+++ b/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl
@@ -0,0 +1,319 @@
+do-ip6: no
+
+; config options
+trust-anchor: ". IN DS 37471 5 1 da74e4e0fe4067c2afd1d4a3cceb852a3c0d4401"
+stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+val-override-date: "20170301000000"
+query-minimization: off # missing net. NS proof for NODATA, so we'd need to resign everything
+CONFIG_END
+
+SCENARIO_BEGIN Test DNAME validation
+
+; all the data are on the "root servers"
+RANGE_BEGIN 0 10000000
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. 360000 IN NS K.ROOT-SERVERS.NET.
+. 360000 IN RRSIG NS 5 0 3600 20170315140518 20170215140518 37471 . izsEk9W7bSaEcIzfa+ks0fl1OsW64yiRLdy6fWh674WQcxs/C6k/FViAPsUCtUOysSWqiZgT+KZrRXOLEbNLzKp5gYkySXW+B9LR49vtUzu4r2zAGyqiTkSH2+TYHo98fPr+wzdB1w7c2S3FIjYAsBanYaSW0emffB2a+nkPy4BClu9+4kpjpsE7FetenOqTUst0v6kdPQ+yaun+fbhBSSU4vlXPmDEolsfXM6tnOXljynUcFCNZfF3g9O0BzU34ev0eDUIdn20e2So4f7wZ1Xw6X6cv7Gt7xKOOBzYQBbeyaHiaUaHlFqSSZ07AfMIntE8fCSAhEOsDSNtVBpLD9w==
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. 360000 IN A 193.0.14.129
+k.root-servers.net. 360000 IN RRSIG A 5 3 3600 20170315140518 20170215140518 37471 . nFA+6UiLEGaw3p112+wsa7P+jucQ2RahwXkzSGPfF+ljqLpNnktPj0UUhW9urI+I/lK5idV9ffHISjrhTS+0fgoJb6CfDZBSAxQj6ccZ+Sd5HsqYO/GvqZ3eYL5AmXm/FVNhWgtk/5zLczTRqqseo7YVk6d+osVQe0GS/MNAMed4G9ZagmY4xihu2xkX1a8h+JT8KaIV50wAmKLtDx6cXHJqThZs5S9QIpm9a9AB7jC1vjtn87d5E6cgxlNGFviEzUs5THHHJkId+EBAyhS2QAxJCswVD1ELWsIc8srVuFhk5gBzfB6rIlw4sB4dRrGd0fs+McnTZmYBJqIbcYcrCQ==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN DNSKEY
+SECTION ANSWER
+. 86400 IN DNSKEY 257 3 5 AwEAAcgM97sxsTSBW9OAvo3Xmu4BPa8Egpk4TbpCnTwzIC3jU7/0D9xI6fWvFl2HVMNICJw+6fiPKwBWYIOd1OI2lsVXNvV26QoSEQwAh5zZjfE8M1cjIJxV/NY7svRL87YwGChgDI2Y00+CSsXyuPIFzJL1BSXCFdJqzIAHsBXmww9JGQZ/t3oxqIfykzTLEDWi0rwb27dk29kHdUf3QIK20CcC+13rNZUYY4sz8Jrr5M/MstT5QcXyFuACzJRS7pdzpz9dNJqBnx/nGADAWgzL89S/FUUrMRmF8ol0Lqq3h03dtmCsYlyBUsbUGyktf6YYE5tE0s4MyKzSGLUGp6mqoJk= ;{id = 37471 (ksk), size = 2048b}
+. 86400 IN RRSIG DNSKEY 5 0 86400 20170315140518 20170215140518 37471 . AVx9OlHQ4OkaRNi2YYy5HVOXdAqE3P/+mj92wVTl4/Sn54Z0C0vc0nDKt+vDDlJhJneJiWoJmoeGURK7uV0Rv7XZkxa+Nw/2EwplflFlicK7g50EdHjTfHCJdnJdEWQGqEcqLc2E8YUsNCsf9vBrFxyzWSOT9D0VzWy78IxHHoyRvcxtjBEqri+yosJ5iO/SFT0ZFXV1BmZ7VXFkxd+4gLNWgkIcebaD0Unq8R+oALELDEO7tJGdAvv5vTyXSIsvsrB8GTH5sLFi5MpAZ1IRh1TxMYKdrg/dVJ4mcdDx7fahz/9w/IddFazpMxRQufSmQcmuG7BlmRzbj2gSPL73Iw==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+K.ROOT-SERVERS.NET. IN A
+SECTION ANSWER
+K.ROOT-SERVERS.NET. 360000 IN A 193.0.14.129
+k.root-servers.net. 360000 IN RRSIG A 5 3 3600 20170315140518 20170215140518 37471 . nFA+6UiLEGaw3p112+wsa7P+jucQ2RahwXkzSGPfF+ljqLpNnktPj0UUhW9urI+I/lK5idV9ffHISjrhTS+0fgoJb6CfDZBSAxQj6ccZ+Sd5HsqYO/GvqZ3eYL5AmXm/FVNhWgtk/5zLczTRqqseo7YVk6d+osVQe0GS/MNAMed4G9ZagmY4xihu2xkX1a8h+JT8KaIV50wAmKLtDx6cXHJqThZs5S9QIpm9a9AB7jC1vjtn87d5E6cgxlNGFviEzUs5THHHJkId+EBAyhS2QAxJCswVD1ELWsIc8srVuFhk5gBzfB6rIlw4sB4dRrGd0fs+McnTZmYBJqIbcYcrCQ==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+K.ROOT-SERVERS.NET. IN AAAA
+SECTION AUTHORITY
+. 86400 IN SOA . . 2017021500 1800 900 604800 86400
+. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
+K.ROOT-SERVERS.NET. 86400 IN NSEC shortloop. A RRSIG NSEC
+k.root-servers.net. 86400 IN RRSIG NSEC 5 3 86400 20170315140518 20170215140518 37471 . eAxOWct9VumUnYLk9w+Z8Us7u70VNgjTlVlilZSCifvIEQ2Q2BOfuS9UbpwOGPIaDkXRpDQyXTZ3IxPaVb3XVtJdUNgbIjkQnbu4FE+jf6qCSMONgR531ykW+n8HvodRaGnhp/OZobt4TtMEFzZwjq7E35dnn6krBpy+uZ/X31Wt0MI2U7JupLW5zO5AeeDYxNpaAXdw9MrZrzCtRojz0q2Z8ax/6SPBOBxhhqx8zyXhwWM3HDNSP7D8pcFx6Vz4nq7MCbqivDzm6oRM31Kg3585+ivht+d6WssmdYiRgYjKUuSk51srESwy5K6uS9PZ8Y284j/cFNZsJdNpYTLzyQ==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+shortloop. IN TXT
+SECTION ANSWER
+;. 86400 IN SOA . . 2017021500 1800 900 604800 86400
+;. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
+shortloop. 3600 IN TXT "shortloop end"
+shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+shortloop. IN DS
+SECTION AUTHORITY
+. 86400 IN SOA . . 2017021500 1800 900 604800 86400
+. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
+shortloop. 86400 IN NSEC x. TXT RRSIG NSEC
+shortloop. 86400 IN RRSIG NSEC 5 1 86400 20170315140518 20170215140518 37471 . BO48qjNHF9l46CUOeZVG9TV+DRwd7bP60likdnICAx6OMHX/sC5lxd+bQVYqG9DEh+HySqiwE4GnXKGxvdYIQUHuyM/OWQ2NkJPUU++FbXkDCNFPjpX16ejyc244aLOL3gXIOS1aILG9uSbz/0LFQ+N0P9Pq57Cv9I5cc6z0Xa/x8s2fIM8GAP9NoaFAMCdocYW8yckvbyxBoHLqlo0MZQIhiZh1ahorJTDxbJ2BbPRN5cf71PCztEjSjPn2zVlAsfp0XWJG79P3IZiWwBG8aFED1KvUP1+MWxGL+cb0d1bb60U4MzZIt4iWGM5r+wdc27L8vINFCug6RwETQHAJpg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x. IN DNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+x. IN DS
+SECTION AUTHORITY
+. 3600 IN SOA . . 2017021500 1800 900 604800 86400
+. 3600 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
+x. 3600 IN NSEC . DNAME RRSIG NSEC
+x. 3600 IN RRSIG NSEC 5 1 86400 20170315140518 20170215140518 37471 . TqFcpOvTT2x64L4gKTI43EJV4cMO+ys2BV8EILftXVID9wZTKK9SI0n4Pxfl5EIwnTpaWev1ZzIyAQ20ROi0t8E6qFuWKW6450k9qBb1d0HgR9dUMByHpQqcusg0kIkId9yHvb3FsKDimpn+5bDq4wT5Ijb/FHb5YpdY+F7Z8xfQpIplr+HYHkEADstqmDcHz3nbIuCjOQTdOongkzNj3IOHCcILU3GFLr5PPhhtx6M1N+EPkJQe92ukjlav/KdZQx+/D8/VLMqi7MKH9eDuEpzGeyRS6wm+Uuwf/DzWRgkImIMfWHXaTi/RZpa5UxNFzRchfucfNxAL9MjPT+NqAQ==
+ENTRY_END
+
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+shortloop.x.x. IN CNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+; attack! CNAME was modified to point elsewhere
+shortloop.x.x. 3600 IN CNAME K.ROOT-SERVERS.NET.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+shortloop.x. IN CNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+; attack! CNAME was modified to point elsewhere
+shortloop.x. 3600 IN CNAME K.ROOT-SERVERS.NET.
+SECTION AUTHORITY
+. 86400 IN SOA . . 2017021500 1800 900 604800 86400
+shortloop. 86400 IN NSEC x. TXT RRSIG NSEC
+. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk 5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc 1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+Xi PzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN /W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp6 8Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHN Fm1/zQ==
+shortloop. 86400 IN RRSIG NSEC 5 1 86400 20170315140518 20170215140518 37471 . BO48qjNHF9l46CUOeZVG9TV+DRwd7bP60likdnICAx6OMHX/sC5lxd+b QVYqG9DEh+HySqiwE4GnXKGxvdYIQUHuyM/OWQ2NkJPUU++FbXkDCNFP jpX16ejyc244aLOL3gXIOS1aILG9uSbz/0LFQ+N0P9Pq57Cv9I5cc6z0 Xa/x8s2fIM8GAP9NoaFAMCdocYW8yckvbyxBoHLqlo0MZQIhiZh1ahor JTDxbJ2BbPRN5cf71PCztEjSjPn2zVlAsfp0XWJG79P3IZiWwBG8aFED 1KvUP1+MWxGL+cb0d1bb60U4MzZIt4iWGM5r+wdc27L8vINFCug6RwET QHAJpg==
+ENTRY_END
+
+RANGE_END
+; end of a.gtld-servers.net.
+
+; RFC 6672 section 2.2. The DNAME Substitution table tests
+;# QNAME owner DNAME target result
+;-- ---------------- -------------- -------------- -----------------
+;11 shortloop.x.x. x. . shortloop.x.
+;12 shortloop.x. x. . shortloop.
+; Table 1. DNAME Substitution Examples
+
+STEP 221101 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x.x. A
+ENTRY_END
+
+; attacker spoofed shortloop.x.x. CNAME so we end up with SERVFAIL
+STEP 221102 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY SERVFAIL QR RD RA
+SECTION QUESTION
+shortloop.x.x. IN A
+SECTION ANSWER
+ENTRY_END
+
+;# QNAME owner DNAME target result
+;-- ---------------- -------------- -------------- -----------------
+;12 shortloop.x. x. . shortloop.
+
+STEP 221201 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x.x. TXT
+ENTRY_END
+
+; We now reuse cached secure RRset x. DNAME . from the previous query
+; so we do not hit the bogus answer again. Of course we must get correct data
+; and not the spoofed entry.
+STEP 221202 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+shortloop.x.x. IN TXT
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+shortloop.x.x. 3600 IN CNAME shortloop.x.
+shortloop.x. 3600 IN CNAME shortloop.
+shortloop. 3600 IN TXT "shortloop end"
+shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
+ENTRY_END
+
+STEP 221213 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x. TXT
+ENTRY_END
+
+; non-exact match
+; We again reuse cached secure RRset x. DNAME . from the first query
+; so we do not hit the bogus answer again. Of course we must get correct data
+; and not the spoofed entry.
+STEP 221214 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+shortloop.x. IN TXT
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+shortloop.x. 3600 IN CNAME shortloop.
+shortloop. 3600 IN TXT "shortloop end"
+shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
+ENTRY_END
+
+; make sure all caches expired
+STEP 900000 TIME_PASSES ELAPSE 4000
+
+
+; simulate situation when DNAME expires at different time than synthetized CNAMEs
+; put only the DNAME into the cache
+STEP 900001 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+x. IN DNAME
+ENTRY_END
+
+STEP 900002 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+x. IN DNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+ENTRY_END
+
+;; let half of DNAME TTL pass
+STEP 900005 TIME_PASSES ELAPSE 2000
+
+; now fill cache with rest of the records from CNAME chain
+; this should renew TTL on DNAME
+STEP 900100 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x. TXT
+ENTRY_END
+
+STEP 900101 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+shortloop.x. IN TXT
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+shortloop.x. 3600 IN CNAME shortloop.
+shortloop. 3600 IN TXT "shortloop end"
+shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
+ENTRY_END
+
+; let DNAME expire from cache but keep CNAMEs in cache
+STEP 900200 TIME_PASSES ELAPSE 2000
+
+; check that fake CNAME is properly validated even if DNAME if already expired
+STEP 900201 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x. TXT
+ENTRY_END
+
+; attacker spoofed shortloop.x. CNAME so we end up with SERVFAIL
+STEP 900202 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY SERVFAIL QR RD RA
+SECTION QUESTION
+shortloop.x. IN TXT
+SECTION ANSWER
+ENTRY_END
+
+
+; check that query for the synthetized CNAMEs does not return the fake data
+STEP 900301 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x. CNAME
+ENTRY_END
+
+STEP 900302 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+shortloop.x. IN CNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+shortloop.x. 3600 IN CNAME shortloop.
+ENTRY_END
+
+SCENARIO_END