; Scenario: DNSSEC validation of CNAMEs synthesized from a signed DNAME.
; The mock server below returns the genuine, signed "x. DNAME ." together with
; an unsigned CNAME whose target was altered. The resolver under test must
; answer SERVFAIL for the altered data, and must serve the correctly
; synthesized chain with the AD flag set when it works from the validated DNAME.
do-ip6: no

; config options
    ; Trust anchor for the test root: key tag 37471, algorithm 5 (RSASHA1),
    ; digest type 1 (SHA-1). Test-fixture values only; both are deprecated for
    ; production signing.
    ; NOTE(review): a validator built or configured without RSASHA1 support
    ; would presumably treat this zone as insecure, and the AD / SERVFAIL
    ; expectations below would then not hold. Confirm on the target platform.
    trust-anchor: ". IN DS 37471 5 1 da74e4e0fe4067c2afd1d4a3cceb852a3c0d4401"
    stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
    ; Pins the validation clock inside the RRSIG validity window used below
    ; (inception 20170215140518, expiration 20170315140518).
    val-override-date: "20170301000000"
    query-minimization: off # missing net. NS proof for NODATA, so we'd need to resign everything
CONFIG_END

SCENARIO_BEGIN Test DNAME validation

; all the data are on the "root servers"
; NOTE(review): several entries below match on qname only and follow a more
; specific qname+qtype entry for the same name; this presumably relies on the
; first matching entry being used. Confirm against the test harness.
RANGE_BEGIN 0 10000000
    ADDRESS 193.0.14.129

; Root NS set with its signature, plus glue for the single name server.
ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. 360000 IN NS K.ROOT-SERVERS.NET.
. 360000 IN RRSIG NS 5 0 3600 20170315140518 20170215140518 37471 . izsEk9W7bSaEcIzfa+ks0fl1OsW64yiRLdy6fWh674WQcxs/C6k/FViAPsUCtUOysSWqiZgT+KZrRXOLEbNLzKp5gYkySXW+B9LR49vtUzu4r2zAGyqiTkSH2+TYHo98fPr+wzdB1w7c2S3FIjYAsBanYaSW0emffB2a+nkPy4BClu9+4kpjpsE7FetenOqTUst0v6kdPQ+yaun+fbhBSSU4vlXPmDEolsfXM6tnOXljynUcFCNZfF3g9O0BzU34ev0eDUIdn20e2So4f7wZ1Xw6X6cv7Gt7xKOOBzYQBbeyaHiaUaHlFqSSZ07AfMIntE8fCSAhEOsDSNtVBpLD9w==
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. 360000 IN A 193.0.14.129
k.root-servers.net. 360000 IN RRSIG A 5 3 3600 20170315140518 20170215140518 37471 . nFA+6UiLEGaw3p112+wsa7P+jucQ2RahwXkzSGPfF+ljqLpNnktPj0UUhW9urI+I/lK5idV9ffHISjrhTS+0fgoJb6CfDZBSAxQj6ccZ+Sd5HsqYO/GvqZ3eYL5AmXm/FVNhWgtk/5zLczTRqqseo7YVk6d+osVQe0GS/MNAMed4G9ZagmY4xihu2xkX1a8h+JT8KaIV50wAmKLtDx6cXHJqThZs5S9QIpm9a9AB7jC1vjtn87d5E6cgxlNGFviEzUs5THHHJkId+EBAyhS2QAxJCswVD1ELWsIc8srVuFhk5gBzfB6rIlw4sB4dRrGd0fs+McnTZmYBJqIbcYcrCQ==
ENTRY_END

; Root DNSKEY (the key the trust anchor refers to); every RRSIG in this file
; names key tag 37471 and signer ".".
ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
. IN DNSKEY
SECTION ANSWER
. 86400 IN DNSKEY 257 3 5 AwEAAcgM97sxsTSBW9OAvo3Xmu4BPa8Egpk4TbpCnTwzIC3jU7/0D9xI6fWvFl2HVMNICJw+6fiPKwBWYIOd1OI2lsVXNvV26QoSEQwAh5zZjfE8M1cjIJxV/NY7svRL87YwGChgDI2Y00+CSsXyuPIFzJL1BSXCFdJqzIAHsBXmww9JGQZ/t3oxqIfykzTLEDWi0rwb27dk29kHdUf3QIK20CcC+13rNZUYY4sz8Jrr5M/MstT5QcXyFuACzJRS7pdzpz9dNJqBnx/nGADAWgzL89S/FUUrMRmF8ol0Lqq3h03dtmCsYlyBUsbUGyktf6YYE5tE0s4MyKzSGLUGp6mqoJk= ;{id = 37471 (ksk), size = 2048b}
. 86400 IN RRSIG DNSKEY 5 0 86400 20170315140518 20170215140518 37471 . AVx9OlHQ4OkaRNi2YYy5HVOXdAqE3P/+mj92wVTl4/Sn54Z0C0vc0nDKt+vDDlJhJneJiWoJmoeGURK7uV0Rv7XZkxa+Nw/2EwplflFlicK7g50EdHjTfHCJdnJdEWQGqEcqLc2E8YUsNCsf9vBrFxyzWSOT9D0VzWy78IxHHoyRvcxtjBEqri+yosJ5iO/SFT0ZFXV1BmZ7VXFkxd+4gLNWgkIcebaD0Unq8R+oALELDEO7tJGdAvv5vTyXSIsvsrB8GTH5sLFi5MpAZ1IRh1TxMYKdrg/dVJ4mcdDx7fahz/9w/IddFazpMxRQufSmQcmuG7BlmRzbj2gSPL73Iw==
ENTRY_END

; Signed address record of the name server.
ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
K.ROOT-SERVERS.NET. IN A
SECTION ANSWER
K.ROOT-SERVERS.NET. 360000 IN A 193.0.14.129
k.root-servers.net. 360000 IN RRSIG A 5 3 3600 20170315140518 20170215140518 37471 . nFA+6UiLEGaw3p112+wsa7P+jucQ2RahwXkzSGPfF+ljqLpNnktPj0UUhW9urI+I/lK5idV9ffHISjrhTS+0fgoJb6CfDZBSAxQj6ccZ+Sd5HsqYO/GvqZ3eYL5AmXm/FVNhWgtk/5zLczTRqqseo7YVk6d+osVQe0GS/MNAMed4G9ZagmY4xihu2xkX1a8h+JT8KaIV50wAmKLtDx6cXHJqThZs5S9QIpm9a9AB7jC1vjtn87d5E6cgxlNGFviEzUs5THHHJkId+EBAyhS2QAxJCswVD1ELWsIc8srVuFhk5gBzfB6rIlw4sB4dRrGd0fs+McnTZmYBJqIbcYcrCQ==
ENTRY_END

; Qname-only match (no qtype): signed NODATA for K.ROOT-SERVERS.NET., proven by
; an NSEC whose type bitmap lists only A, RRSIG and NSEC.
ENTRY_BEGIN
MATCH qname opcode
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
K.ROOT-SERVERS.NET. IN AAAA
SECTION AUTHORITY
. 86400 IN SOA . . 2017021500 1800 900 604800 86400
. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
K.ROOT-SERVERS.NET. 86400 IN NSEC shortloop. A RRSIG NSEC
k.root-servers.net. 86400 IN RRSIG NSEC 5 3 86400 20170315140518 20170215140518 37471 . eAxOWct9VumUnYLk9w+Z8Us7u70VNgjTlVlilZSCifvIEQ2Q2BOfuS9UbpwOGPIaDkXRpDQyXTZ3IxPaVb3XVtJdUNgbIjkQnbu4FE+jf6qCSMONgR531ykW+n8HvodRaGnhp/OZobt4TtMEFzZwjq7E35dnn6krBpy+uZ/X31Wt0MI2U7JupLW5zO5AeeDYxNpaAXdw9MrZrzCtRojz0q2Z8ax/6SPBOBxhhqx8zyXhwWM3HDNSP7D8pcFx6Vz4nq7MCbqivDzm6oRM31Kg3585+ivht+d6WssmdYiRgYjKUuSk51srESwy5K6uS9PZ8Y284j/cFNZsJdNpYTLzyQ==
ENTRY_END

; Final target of the CNAME chain: a signed TXT record at "shortloop.".
; The two SOA lines in the ANSWER section are commented out in the fixture.
ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
shortloop. IN TXT
SECTION ANSWER
;. 86400 IN SOA . . 2017021500 1800 900 604800 86400
;. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
shortloop. 3600 IN TXT "shortloop end"
shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
ENTRY_END

; Qname-only match: signed NODATA for "shortloop." (NSEC bitmap: TXT RRSIG NSEC),
; which also shows there is no DS, i.e. no delegation at this name.
ENTRY_BEGIN
MATCH qname opcode
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
shortloop. IN DS
SECTION AUTHORITY
. 86400 IN SOA . . 2017021500 1800 900 604800 86400
. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
shortloop. 86400 IN NSEC x. TXT RRSIG NSEC
shortloop. 86400 IN RRSIG NSEC 5 1 86400 20170315140518 20170215140518 37471 . BO48qjNHF9l46CUOeZVG9TV+DRwd7bP60likdnICAx6OMHX/sC5lxd+bQVYqG9DEh+HySqiwE4GnXKGxvdYIQUHuyM/OWQ2NkJPUU++FbXkDCNFPjpX16ejyc244aLOL3gXIOS1aILG9uSbz/0LFQ+N0P9Pq57Cv9I5cc6z0Xa/x8s2fIM8GAP9NoaFAMCdocYW8yckvbyxBoHLqlo0MZQIhiZh1ahorJTDxbJ2BbPRN5cf71PCztEjSjPn2zVlAsfp0XWJG79P3IZiWwBG8aFED1KvUP1+MWxGL+cb0d1bb60U4MzZIt4iWGM5r+wdc27L8vINFCug6RwETQHAJpg==
ENTRY_END

; The genuine, signed DNAME: everything below "x." is redirected to the root.
; This reply carries no AA flag.
ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
x. IN DNAME
SECTION ANSWER
x. 3600 IN DNAME .
x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
ENTRY_END

; Qname-only match: signed NODATA for "x." (NSEC bitmap: DNAME RRSIG NSEC).
ENTRY_BEGIN
MATCH qname opcode
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
x. IN DS
SECTION AUTHORITY
. 3600 IN SOA . . 2017021500 1800 900 604800 86400
. 3600 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+XiPzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN/W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp68Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHNFm1/zQ==
x. 3600 IN NSEC . DNAME RRSIG NSEC
x. 3600 IN RRSIG NSEC 5 1 86400 20170315140518 20170215140518 37471 . TqFcpOvTT2x64L4gKTI43EJV4cMO+ys2BV8EILftXVID9wZTKK9SI0n4Pxfl5EIwnTpaWev1ZzIyAQ20ROi0t8E6qFuWKW6450k9qBb1d0HgR9dUMByHpQqcusg0kIkId9yHvb3FsKDimpn+5bDq4wT5Ijb/FHb5YpdY+F7Z8xfQpIplr+HYHkEADstqmDcHz3nbIuCjOQTdOongkzNj3IOHCcILU3GFLr5PPhhtx6M1N+EPkJQe92ukjlav/KdZQx+/D8/VLMqi7MKH9eDuEpzGeyRS6wm+Uuwf/DzWRgkImIMfWHXaTi/RZpa5UxNFzRchfucfNxAL9MjPT+NqAQ==
ENTRY_END

; Negative fixture, any qtype for shortloop.x.x.: the DNAME and its RRSIG are
; genuine, but the accompanying CNAME carries no RRSIG and its target differs
; from what DNAME substitution yields (shortloop.x., see the table after
; RANGE_END). A validator has to compare the CNAME with its own synthesis from
; the validated DNAME instead of trusting the record as received.
ENTRY_BEGIN
MATCH qname opcode
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
shortloop.x.x. IN CNAME
SECTION ANSWER
x. 3600 IN DNAME .
x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
; attack! CNAME was modified to point elsewhere
shortloop.x.x. 3600 IN CNAME K.ROOT-SERVERS.NET.
ENTRY_END

; Same negative fixture for shortloop.x. (correct synthesis would be
; "shortloop."). This variant sets AA and also carries a signed SOA and the
; "shortloop." NSEC in the AUTHORITY section.
ENTRY_BEGIN
MATCH qname opcode
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
shortloop.x. IN CNAME
SECTION ANSWER
x. 3600 IN DNAME .
x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
; attack! CNAME was modified to point elsewhere
shortloop.x. 3600 IN CNAME K.ROOT-SERVERS.NET.
SECTION AUTHORITY
. 86400 IN SOA . . 2017021500 1800 900 604800 86400
shortloop. 86400 IN NSEC x. TXT RRSIG NSEC
. 86400 IN RRSIG SOA 5 0 86400 20170315140518 20170215140518 37471 . drrv7SjrOkuNwlILiziPxHTuIKs/tO2WcVEdipA/LNkt0h09zuWbr3Rk 5gtEDTSECbZEXYTa4YaeJs3ODmikzVaJd5EVLsDdGnV3mZ/w7WYHA0Uc 1GH5HZm1uQwA4DlwY5e5Ry80pIhInZ1Lqiz1ut9yWbHzODdcUOdpE+Xi PzYCKR1hRWi099dIQtDhZYottvQNXXmsJDY41PwvWaxqbXGYgiQCX3cN /W5PM0hs7xMxAjanKh32PXKcHSfTeko87BvERMZnibc2O8efl7S62Zp6 8Q4guMfe4P++ue22PctjwfeR5nDi31c3+USi63ujrKSDGujaIsIMyIHN Fm1/zQ==
shortloop. 86400 IN RRSIG NSEC 5 1 86400 20170315140518 20170215140518 37471 . BO48qjNHF9l46CUOeZVG9TV+DRwd7bP60likdnICAx6OMHX/sC5lxd+b QVYqG9DEh+HySqiwE4GnXKGxvdYIQUHuyM/OWQ2NkJPUU++FbXkDCNFP jpX16ejyc244aLOL3gXIOS1aILG9uSbz/0LFQ+N0P9Pq57Cv9I5cc6z0 Xa/x8s2fIM8GAP9NoaFAMCdocYW8yckvbyxBoHLqlo0MZQIhiZh1ahor JTDxbJ2BbPRN5cf71PCztEjSjPn2zVlAsfp0XWJG79P3IZiWwBG8aFED 1KvUP1+MWxGL+cb0d1bb60U4MzZIt4iWGM5r+wdc27L8vINFCug6RwET QHAJpg==
ENTRY_END
RANGE_END
; end of the 193.0.14.129 (K.ROOT-SERVERS.NET.) range
; (the original comment said "a.gtld-servers.net.", which does not appear in this file)

; RFC 6672 section 2.2. The DNAME Substitution table tests
;#  QNAME            owner          DNAME target   result
;-- ---------------- -------------- -------------- -----------------
;11 shortloop.x.x.   x.             .              shortloop.x.
;12 shortloop.x.     x.             .              shortloop.
; Table 1. DNAME Substitution Examples

; First lookup, cold cache: the upstream answer contains the altered CNAME.
STEP 221101 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
shortloop.x.x. A
ENTRY_END

; attacker spoofed shortloop.x.x. CNAME so we end up with SERVFAIL
; Expected: empty ANSWER section and no AD flag.
STEP 221102 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY SERVFAIL QR RD RA
SECTION QUESTION
shortloop.x.x. IN A
SECTION ANSWER
ENTRY_END

;#  QNAME            owner          DNAME target   result
;-- ---------------- -------------- -------------- -----------------
;12 shortloop.x.     x.             .              shortloop.
STEP 221201 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
shortloop.x.x. TXT
ENTRY_END

; We now reuse cached secure RRset x. DNAME . from the previous query
; so we do not hit the bogus answer again. Of course we must get correct data
; and not the spoofed entry.
; Expected chain: shortloop.x.x. -> shortloop.x. -> shortloop., AD set.
STEP 221202 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY NOERROR QR RD RA AD
SECTION QUESTION
shortloop.x.x. IN TXT
SECTION ANSWER
x. 3600 IN DNAME .
x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
shortloop.x.x. 3600 IN CNAME shortloop.x.
shortloop.x. 3600 IN CNAME shortloop.
shortloop. 3600 IN TXT "shortloop end"
shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
ENTRY_END

STEP 221213 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
shortloop.x. TXT
ENTRY_END
; non-exact match

; We again reuse cached secure RRset x. DNAME . from the first query
; so we do not hit the bogus answer again. Of course we must get correct data
; and not the spoofed entry.
STEP 221214 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY NOERROR QR RD RA AD
SECTION QUESTION
shortloop.x. IN TXT
SECTION ANSWER
x. 3600 IN DNAME .
x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
shortloop.x. 3600 IN CNAME shortloop.
shortloop. 3600 IN TXT "shortloop end"
shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
ENTRY_END

; make sure all caches expired
; (4000 s exceeds the 3600 s TTL carried by the DNAME, CNAME and TXT records)
STEP 900000 TIME_PASSES ELAPSE 4000

; simulate situation when DNAME expires at different time than synthesized CNAMEs
; put only the DNAME into the cache
STEP 900001 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
x. IN DNAME
ENTRY_END

STEP 900002 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY NOERROR QR RD RA AD
SECTION QUESTION
x. IN DNAME
SECTION ANSWER
x. 3600 IN DNAME .
x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
ENTRY_END

;; let half of DNAME TTL pass
STEP 900005 TIME_PASSES ELAPSE 2000

; now fill cache with rest of the records from CNAME chain
; this should renew TTL on DNAME
; NOTE(review): the comment above and the one at STEP 900200 ("let DNAME expire
; from cache") describe different cache states for the DNAME; confirm which one
; the resolver under test is expected to be in.
STEP 900100 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
shortloop.x. TXT
ENTRY_END

STEP 900101 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY NOERROR QR RD RA AD
SECTION QUESTION
shortloop.x. IN TXT
SECTION ANSWER
x. 3600 IN DNAME .
x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
shortloop.x. 3600 IN CNAME shortloop.
shortloop. 3600 IN TXT "shortloop end"
shortloop. 3600 IN RRSIG TXT 5 1 3600 20170315140518 20170215140518 37471 . EJaF7yRFRv01nvv6I9HYaxGukSu92cuRXHYQGTRUtj0TNVI53SmNNs89Vk+8L34vhtw+fy1e62WZ3JSat5xAVVRWVmvp220+RlF9FAYltqpPblVXKQraDACWkO31YftgI2obGqmwByAgh7yW1Kfwq6JgUzwjT8LKeove6HNMRc0jipDXXEIRsWd3I6Yjx66YewVeHU55/UrKCeeozOQ4lMJZF0OBQsmTukfq72j6wIXjrjS8vx6Dz8o3pgGy14LG8NQCKcYbQysD1tmtiDDKDbNmwDCfbu+AA3Xd1XNiQpZUjUOxQpWtOxYA/qG7nJmY9VMdoXJ2wIW91B2vv+xbxw==
ENTRY_END

; let DNAME expire from cache but keep CNAMEs in cache
STEP 900200 TIME_PASSES ELAPSE 2000

; check that fake CNAME is properly validated even if DNAME is already expired
STEP 900201 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
shortloop.x. TXT
ENTRY_END

; attacker spoofed shortloop.x. CNAME so we end up with SERVFAIL
STEP 900202 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY SERVFAIL QR RD RA
SECTION QUESTION
shortloop.x. IN TXT
SECTION ANSWER
ENTRY_END

; check that query for the synthesized CNAMEs does not return the fake data
; Expected: the signed DNAME plus the correctly synthesized CNAME, AD set.
STEP 900301 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
shortloop.x. CNAME
ENTRY_END

STEP 900302 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY NOERROR QR RD RA AD
SECTION QUESTION
shortloop.x. IN CNAME
SECTION ANSWER
x. 3600 IN DNAME .
x. 3600 IN RRSIG DNAME 5 1 3600 20170315140518 20170215140518 37471 . ao9vqbmh78RP84/nOaFaI/bxPk+Y/Qsknt+WWtBIY2qcPZb1I+ZCxh9g9cYo1RKQuOriAJKrHkrv9ObAc9fse/2tNM+vtjemLWIGBvPtSo3vOwZGTTwI8spvFvMa+f6wnI5Oj9Phvdk17d+FnX9nIl6NRZb84bIxUjqSuhBIMJRmSGXWM0beQqEf0PNLQBTpeI6tUXsOwtFxrnG/zGzpB/W/1whh0nSmLf39lxyA+441H2o1OjSRu6ijmVrCDwOrbb/SXj+LZTGThEcIepbVb3ol+Mft2Kff5IcIhLM9I2YfBtgRwqHmue8v6z12AA9GuXBB/xvTkwFhUOXxNbSh+w==
shortloop.x. 3600 IN CNAME shortloop.
ENTRY_END

SCENARIO_END