Diffstat (limited to 'tests/integration/deckard/sets/resolver/val_dname_bogus.rpl')
-rw-r--r-- | tests/integration/deckard/sets/resolver/val_dname_bogus.rpl | 319 |
1 files changed, 319 insertions, 0 deletions
diff --git a/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl b/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl
new file mode 100644
index 0000000..6180320
--- /dev/null
+++ b/tests/integration/deckard/sets/resolver/val_dname_bogus.rpl
@@ -0,0 +1,319 @@
+do-ip6: no
+
+; config options
+trust-anchor: ". IN DS 37471 5 1 da74e4e0fe4067c2afd1d4a3cceb852a3c0d4401"
+stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+val-override-date: "20170301000000"
+query-minimization: off # missing net. NS proof for NODATA, so we'd need to resign everything
+CONFIG_END
+
+SCENARIO_BEGIN Test DNAME validation
+
+; all the data are on the "root servers"
+RANGE_BEGIN 0 10000000
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. 360000 IN NS K.ROOT-SERVERS.NET.
+. 360000 IN RRSIG NS 5 0 3600 20170315140518 20170215140518 37471 . izsEk9W7bSaEcIzfa+ks0fl1OsW64yiRLdy6fWh674WQcxs/C6k/FViAPsUCtUOysSWqiZgT+KZrRXOLEbNLzKp5gYkySXW+B9LR49vtUzu4r2zAGyqiTkSH2+TYHo98fPr+wzdB1w7c2S3FIjYAsBanYaSW0emffB2a+nkPy4BClu9+4kpjpsE7FetenOqTUst0v6kdPQ+yaun+fbhBSSU4vlXPmDEolsfXM6tnOXljynUcFCNZfF3g9O0BzU34ev0eDUIdn20e2So4f7wZ1Xw6X6cv7Gt7xKOOBzYQBbeyaHiaUaHlFqSSZ07AfMIntE8fCSAhEOsDSNtVBpLD9w==
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. 360000 IN A 193.0.14.129
+k.root-servers.net. 360000 IN RRSIG A 5 3 3600 20170315140518 20170215140518 37471 . nFA+6UiLEGaw3p112+wsa7P+jucQ2RahwXkzSGPfF+ljqLpNnktPj0UUhW9urI+I/lK5idV9ffHISjrhTS+0fgoJb6CfDZBSAxQj6ccZ+Sd5HsqYO/GvqZ3eYL5AmXm/FVNhWgtk/5zLczTRqqseo7YVk6d+osVQe0GS/MNAMed4G9ZagmY4xihu2xkX1a8h+JT8KaIV50wAmKLtDx6cXHJqThZs5S9QIpm9a9AB7jC1vjtn87d5E6cgxlNGFviEzUs5THHHJkId+EBAyhS2QAxJCswVD1ELWsIc8srVuFhk5gBzfB6rIlw4sB4dRrGd0fs+McnTZmYBJqIbcYcrCQ==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN DNSKEY
+SECTION ANSWER
+. 86400 IN DNSKEY 257 3 5 AwEAAcgM97sxsTSBW9OAvo3Xmu4BPa8Egpk4TbpCnTwzIC3jU7/0D9xI6fWvFl2HVMNICJw+6fiPKwBWYIOd1OI2lsVXNvV26QoSEQwAh5zZjfE8M1cjIJxV/NY7svRL87YwGChgDI2Y00+CSsXyuPIFzJL1BSXCFdJqzIAHsBXmww9JGQZ/t3oxqIfykzTLEDWi0rwb27dk29kHdUf3QIK20CcC+13rNZUYY4sz8Jrr5M/MstT5QcXyFuACzJRS7pdzpz9dNJqBnx/nGADAWgzL89S/FUUrMRmF8ol0Lqq3h03dtmCsYlyBUsbUGyktf6YYE5tE0s4MyKzSGLUGp6mqoJk= ;{id = 37471 (ksk), size = 2048b}
+. 86400 IN RRSIG DNSKEY 5 0 86400 20170315140518 20170215140518 37471 . AVx9OlHQ4OkaRNi2YYy5HVOXdAqE3P/+mj92wVTl4/Sn54Z0C0vc0nDKt+vDDlJhJneJiWoJmoeGURK7uV0Rv7XZkxa+Nw/2EwplflFlicK7g50EdHjTfHCJdnJdEWQGqEcqLc2E8YUsNCsf9vBrFxyzWSOT9D0VzWy78IxHHoyRvcxtjBEqri+yosJ5iO/SFT0ZFXV1BmZ7VXFkxd+4gLNWgkIcebaD0Unq8R+oALELDEO7tJGdAvv5vTyXSIsvsrB8GTH5sLFi5MpAZ1IRh1TxMYKdrg/dVJ4mcdDx7fahz/9w/IddFazpMxRQufSmQcmuG7BlmRzbj2gSPL73Iw==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+K.ROOT-SERVERS.NET. IN A
+SECTION ANSWER
+K.ROOT-SERVERS.NET. 360000 IN A 193.0.14.129
+k.root-servers.net. 360000 IN RRSIG A 5 3 3600 20170315140518 20170215140518 37471 . nFA+6UiLEGaw3p112+wsa7P+jucQ2RahwXkzSGPfF+ljqLpNnktPj0UUhW9urI+I/lK5idV9ffHISjrhTS+0fgoJb6CfDZBSAxQj6ccZ+Sd5HsqYO/GvqZ3eYL5AmXm/FVNhWgtk/5zLczTRqqseo7YVk6d+osVQe0GS/MNAMed4G9ZagmY4xihu2xkX1a8h+JT8KaIV50wAmKLtDx6cXHJqThZs5S9QIpm9a9AB7jC1vjtn87d5E6cgxlNGFviEzUs5THHHJkId+EBAyhS2QAxJCswVD1ELWsIc8srVuFhk5gBzfB6rIlw4sB4dRrGd0fs+McnTZmYBJqIbcYcrCQ==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+K.ROOT-SERVERS.NET. IN AAAA
+SECTION AUTHORITY
+. 86400 IN SOA . . 2017021500 1800 900 604800 86400
+. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
+K.ROOT-SERVERS.NET. 86400 IN NSEC shortloop. A RRSIG NSEC
+k.root-servers.net. 86400 IN RRSIG NSEC 5 3 86400 20170315140518 20170215140518 37471 . eAxOWct9VumUnYLk9w+Z8Us7u70VNgjTlVlilZSCifvIEQ2Q2BOfuS9UbpwOGPIaDkXRpDQyXTZ3IxPaVb3XVtJdUNgbIjkQnbu4FE+jf6qCSMONgR531ykW+n8HvodRaGnhp/OZobt4TtMEFzZwjq7E35dnn6krBpy+uZ/X31Wt0MI2U7JupLW5zO5AeeDYxNpaAXdw9MrZrzCtRojz0q2Z8ax/6SPBOBxhhqx8zyXhwWM3HDNSP7D8pcFx6Vz4nq7MCbqivDzm6oRM31Kg3585+ivht+d6WssmdYiRgYjKUuSk51srESwy5K6uS9PZ8Y284j/cFNZsJdNpYTLzyQ==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+shortloop. IN TXT
+SECTION ANSWER
+;. 86400 IN SOA . . 2017021500 1800 900 604800 86400
+;. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
+shortloop. 3600 IN TXT "shortloop end"
+shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+shortloop. IN DS
+SECTION AUTHORITY
+. 86400 IN SOA . . 2017021500 1800 900 604800 86400
+. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
+shortloop. 86400 IN NSEC x. TXT RRSIG NSEC
+shortloop. 86400 IN RRSIG NSEC 5 1 86400 20170315140518 20170215140518 37471 . BO48qjNHF9l46CUOeZVG9TV+DRwd7bP60likdnICAx6OMHX/sC5lxd+bQVYqG9DEh+HySqiwE4GnXKGxvdYIQUHuyM/OWQ2NkJPUU++FbXkDCNFPjpX16ejyc244aLOL3gXIOS1aILG9uSbz/0LFQ+N0P9Pq57Cv9I5cc6z0Xa/x8s2fIM8GAP9NoaFAMCdocYW8yckvbyxBoHLqlo0MZQIhiZh1ahorJTDxbJ2BbPRN5cf71PCztEjSjPn2zVlAsfp0XWJG79P3IZiWwBG8aFED1KvUP1+MWxGL+cb0d1bb60U4MzZIt4iWGM5r+wdc27L8vINFCug6RwETQHAJpg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x. IN DNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+x. IN DS
+SECTION AUTHORITY
+. 3600 IN SOA . . 2017021500 1800 900 604800 86400
+. 3600 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
+x. 3600 IN NSEC . DNAME RRSIG NSEC
+x. 3600 IN RRSIG NSEC 5 1 86400 20170315140518 20170215140518 37471 . TqFcpOvTT2x64L4gKTI43EJV4cMO+ys2BV8EILftXVID9wZTKK9SI0n4Pxfl5EIwnTpaWev1ZzIyAQ20ROi0t8E6qFuWKW6450k9qBb1d0HgR9dUMByHpQqcusg0kIkId9yHvb3FsKDimpn+5bDq4wT5Ijb/FHb5YpdY+F7Z8xfQpIplr+HYHkEADstqmDcHz3nbIuCjOQTdOongkzNj3IOHCcILU3GFLr5PPhhtx6M1N+EPkJQe92ukjlav/KdZQx+/D8/VLMqi7MKH9eDuEpzGeyRS6wm+Uuwf/DzWRgkImIMfWHXaTi/RZpa5UxNFzRchfucfNxAL9MjPT+NqAQ==
+ENTRY_END
+
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+shortloop.x.x. IN CNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+; attack! CNAME was modified to point elsewhere
+shortloop.x.x. 3600 IN CNAME K.ROOT-SERVERS.NET.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+shortloop.x. IN CNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+; attack! CNAME was modified to point elsewhere
+shortloop.x. 3600 IN CNAME K.ROOT-SERVERS.NET.
+SECTION AUTHORITY
+. 86400 IN SOA . . 2017021500 1800 900 604800 86400
+shortloop. 86400 IN NSEC x. TXT RRSIG NSEC
+. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk 5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc 1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+Xi PzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN /W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp6 8Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHN Fm1/zQ==
+shortloop. 86400 IN RRSIG NSEC 5 1 86400 20170315140518 20170215140518 37471 . BO48qjNHF9l46CUOeZVG9TV+DRwd7bP60likdnICAx6OMHX/sC5lxd+b QVYqG9DEh+HySqiwE4GnXKGxvdYIQUHuyM/OWQ2NkJPUU++FbXkDCNFP jpX16ejyc244aLOL3gXIOS1aILG9uSbz/0LFQ+N0P9Pq57Cv9I5cc6z0 Xa/x8s2fIM8GAP9NoaFAMCdocYW8yckvbyxBoHLqlo0MZQIhiZh1ahor JTDxbJ2BbPRN5cf71PCztEjSjPn2zVlAsfp0XWJG79P3IZiWwBG8aFED 1KvUP1+MWxGL+cb0d1bb60U4MzZIt4iWGM5r+wdc27L8vINFCug6RwET QHAJpg==
+ENTRY_END
+
+RANGE_END
+; end of a.gtld-servers.net.
+
+; RFC 6672 section 2.2. The DNAME Substitution table tests
+;# QNAME owner DNAME target result
+;-- ---------------- -------------- -------------- -----------------
+;11 shortloop.x.x. x. . shortloop.x.
+;12 shortloop.x. x. . shortloop.
+; Table 1. DNAME Substitution Examples
+
+STEP 221101 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x.x. A
+ENTRY_END
+
+; attacker spoofed shortloop.x.x. CNAME so we end up with SERVFAIL
+STEP 221102 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY SERVFAIL QR RD RA
+SECTION QUESTION
+shortloop.x.x. IN A
+SECTION ANSWER
+ENTRY_END
+
+;# QNAME owner DNAME target result
+;-- ---------------- -------------- -------------- -----------------
+;12 shortloop.x. x. . shortloop.
+
+STEP 221201 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x.x. TXT
+ENTRY_END
+
+; We now reuse cached secure RRset x. DNAME . from the previous query
+; so we do not hit the bogus answer again. Of course we must get correct data
+; and not the spoofed entry.
+STEP 221202 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+shortloop.x.x. IN TXT
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+shortloop.x.x. 3600 IN CNAME shortloop.x.
+shortloop.x. 3600 IN CNAME shortloop.
+shortloop. 3600 IN TXT "shortloop end"
+shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
+ENTRY_END
+
+STEP 221213 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x. TXT
+ENTRY_END
+
+; non-exact match
+; We again reuse cached secure RRset x. DNAME . from the first query
+; so we do not hit the bogus answer again. Of course we must get correct data
+; and not the spoofed entry.
+STEP 221214 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+shortloop.x. IN TXT
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+shortloop.x. 3600 IN CNAME shortloop.
+shortloop. 3600 IN TXT "shortloop end"
+shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
+ENTRY_END
+
+; make sure all caches expired
+STEP 900000 TIME_PASSES ELAPSE 4000
+
+
+; simulate situation when DNAME expires at different time than synthetized CNAMEs
+; put only the DNAME into the cache
+STEP 900001 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+x. IN DNAME
+ENTRY_END
+
+STEP 900002 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+x. IN DNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+ENTRY_END
+
+;; let half of DNAME TTL pass
+STEP 900005 TIME_PASSES ELAPSE 2000
+
+; now fill cache with rest of the records from CNAME chain
+; this should renew TTL on DNAME
+STEP 900100 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x. TXT
+ENTRY_END
+
+STEP 900101 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+shortloop.x. IN TXT
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+shortloop.x. 3600 IN CNAME shortloop.
+shortloop. 3600 IN TXT "shortloop end"
+shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
+ENTRY_END
+
+; let DNAME expire from cache but keep CNAMEs in cache
+STEP 900200 TIME_PASSES ELAPSE 2000
+
+; check that fake CNAME is properly validated even if DNAME if already expired
+STEP 900201 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x. TXT
+ENTRY_END
+
+; attacker spoofed shortloop.x. CNAME so we end up with SERVFAIL
+STEP 900202 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY SERVFAIL QR RD RA
+SECTION QUESTION
+shortloop.x. IN TXT
+SECTION ANSWER
+ENTRY_END
+
+
+; check that query for the synthetized CNAMEs does not return the fake data
+STEP 900301 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x. CNAME
+ENTRY_END
+
+STEP 900302 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY NOERROR QR RD RA AD
+SECTION QUESTION
+shortloop.x. IN CNAME
+SECTION ANSWER
+x. 3600 IN DNAME .
+x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
+shortloop.x. 3600 IN CNAME shortloop.
+ENTRY_END
+
+SCENARIO_END |
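Review bot: The config header does not say that every signature this scenario relies on is RSASHA1: the trust anchor is `. IN DS 37471 5 1 …` and all RRSIGs use algorithm 5, so the SERVFAIL assertions at STEP 221102 and STEP 900202 only hold where the validator's crypto backend still verifies SHA-1. On a build that treats algorithm 5 as unsupported the zone would presumably be handled as insecure and the spoofed `CNAME K.ROOT-SERVERS.NET.` accepted, so the test would fail for a reason unrelated to DNAME handling; a header comment such as `; fixtures signed with RSASHA1 (alg 5) and a SHA-1 DS, valid only around val-override-date` would make that dependency visible. Separately, `; end of a.gtld-servers.net.` after RANGE_END looks like a copy-paste leftover, since the range's only ADDRESS is 193.0.14.129 (K.ROOT-SERVERS.NET.), and the row-12 table comment sits above STEP 221201, which still queries `shortloop.x.x.` rather than `shortloop.x.`.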