; Scripted resolver scenario: a validating resolver is pointed at three mock
; servers (root, com, example.com) and queried three times.  Every NSEC3
; record served for example.com carries an iteration count of 65535 (the
; third RDATA field in "NSEC3 1 0 65535 <salt> ...").
;
; Expected outcome, as encoded in the CHECK_ANSWER steps below:
;   STEP 11  positive answer, no NSEC3 involved      -> AD set
;   STEP 22  NXDOMAIN proven by NSEC3                -> NXDOMAIN, AD absent
;   STEP 32  wildcard expansion proven by NSEC3      -> NOERROR, AD absent
;
; Why this matters: each NSEC3 hash costs iterations+1 digest rounds, and the
; count is chosen by the zone, so an unbounded validator can be made to burn
; CPU on every denial it checks.  RFC 5155 section 10.3 (and later RFC 9276)
; let a validator treat a response above its limit as insecure; that is the
; "downgrade" asserted here: the answer is still returned, just without AD,
; rather than SERVFAIL.
; NOTE(review): the limit actually enforced is a property of the resolver
; under test and is not visible in this file.
do-ip6: no
query-minimization: off
; config options
; The island of trust is at example.com
;server:
	; DS digest for example.com; its key tag (56216) is the tag that signs the
	; DNSKEY RRset served by the ns1.example.com mock below.
	trust-anchor: "example.com. 86400 IN DS 56216 13 2 60E5A8A0A2959A0E65A79A6C149FF5E1D68C866C5F5462DB21032AF5185B728A"
	; Pins validation time inside the RRSIG validity windows used below
	; (inception 20210430..., expiration 20210514...), so the recorded
	; signatures stay checkable whenever the test is run.
	val-override-date: "20210501000000"
;	target-fetch-policy: "0 0 0 0 0"
;	fake-sha1: yes
;stub-zone:
;	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
; NOTE(review): query-minimization is set twice in this block with the same
; value; harmless if the consumer is last-wins, confirm before deduplicating.
query-minimization: off
CONFIG_END

SCENARIO_BEGIN Test validating NSEC3 with too many iterations

; Mock root server: answers the priming query and refers everything under
; com. to a.gtld-servers.net.  No DNSSEC records are served at this level.
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
K.ROOT-SERVERS.NET. IN A
SECTION ANSWER
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

; Referral for any name under com. (MATCH subdomain, question copied back).
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN A
SECTION ANSWER
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; Mock com. server: unsigned referral down to ns1.example.com.  The chain of
; trust does not pass through here; it starts at the example.com trust-anchor
; configured above.
; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END

; Mock authoritative server for the signed zone.  All RRSIGs below are
; recorded output and only verify against the DNSKEYs in this file at the
; pinned val-override-date.
; ns1.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
;;; Generated by starting knotd with this simple zone file and then querying it with kdig.
;$ORIGIN example.com.
;$TTL 86400
;@ SOA ns1.example.com. hostmaster.example.com. (
;	1 ; serial
;	21600 ; refresh after 6 hours
;	3600 ; retry after 1 hour
;	604800 ; expire after 1 week
;	86400 ) ; minimum TTL of 1 day
;@ NS ns1.example.com.
;ns1.example.com. A 1.2.3.4
;*.wild.example.com. TXT "wildcard"
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. 86400 NS ns1.example.com.
example.com. 86400 RRSIG NS 13 2 86400 20210514155807 20210430142807 28964 example.com. k80kgr7N/MPVZhv4MT8CqEQBUG1Oth9buWh6d7nwO64DR7f7WJnH1yvBeQcFSXBxQcv/f0V8SJzqdcD6EmWzsw==
SECTION ADDITIONAL
ns1.example.com. 86400 A 1.2.3.4
ns1.example.com. 86400 RRSIG A 13 3 86400 20210514155807 20210430142807 28964 example.com. sGykdbHcEy4gnMAhIu4KGA96KS5hZKNM/C3yr61gyOOqgkV+6nAzuLBYvGxe4AexM/qA/Zpv0IyLg7bi9iufhg==
ENTRY_END

; response to DNSKEY priming query
; The RRSIG over the DNSKEY RRset is made by key tag 56216 (the tag in the
; trust-anchor DS); every other RRSIG in this range is made by key tag 28964.
; NOTE(review): presumably 56216 is the flags-257 key and 28964 the flags-256
; key; the tags are not computable from the text alone, confirm if it matters.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 86400 DNSKEY 256 3 13 MN1ctIwG9m3p1fuH3Vn18XFLz4k6TUy1uXg/BF+7i+NrMkfbm4PLhhWflVElgowiQv/2103uHcW7a78ZaNP44g==
example.com. 86400 DNSKEY 257 3 13 d7yF/Xsdi0i8bUwN8FyCOIu9XGuoVlyuW2ZtVXEfdfwDpJxoHPjG3DImr8iLK2PMu75SMqj8+nwsP9dHiKYo9A==
example.com. 86400 RRSIG DNSKEY 13 2 86400 20210514155807 20210430142807 56216 example.com. BiPljLSmTP+uY5YrQ9mzxZhDsE33Bz3tBZaED8O+U3bmAfXNnZ1h8yN0FqOrJ7iRxmfK3ffNIgl3eANYi29z7A==
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns1.example.com. IN A
SECTION ANSWER
ns1.example.com. 86400 A 1.2.3.4
ns1.example.com. 86400 RRSIG A 13 3 86400 20210514155807 20210430142807 28964 example.com. sGykdbHcEy4gnMAhIu4KGA96KS5hZKNM/C3yr61gyOOqgkV+6nAzuLBYvGxe4AexM/qA/Zpv0IyLg7bi9iufhg==
ENTRY_END

; response to the simple query of interest
; Signed NXDOMAIN whose denial-of-existence proof is two NSEC3 records, both
; with iterations = 65535.  The signatures themselves are intact; only the
; iteration count makes the proof too expensive to accept as secure.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR AA NXDOMAIN
SECTION QUESTION
nxdomain.example.com. IN A
SECTION AUTHORITY
example.com. 86400 SOA ns1.example.com. hostmaster.example.com. 3 21600 3600 604800 86400
1cl7h356uun3lupr5ul5ok6puohj998d.example.com. 86400 NSEC3 1 0 65535 D7F1DC453FCD0B67 cf2t29nn8sqbpn6p9d1euo8k1emtvg6d NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
cf2t29nn8sqbpn6p9d1euo8k1emtvg6d.example.com. 86400 NSEC3 1 0 65535 D7F1DC453FCD0B67 marb4pbbo27u50b2jb062rmee7hu5h0d
example.com. 86400 RRSIG SOA 13 2 86400 20210514161125 20210430144125 28964 example.com. cepCaZukRNjqLn52iIiH3I7C9MzosmjOaBNIgcmre8owxYyUC0Ur/lkNt0PVIGYYNGq0ZxstynleoZfebu+Hag==
1cl7h356uun3lupr5ul5ok6puohj998d.example.com. 86400 RRSIG NSEC3 13 3 86400 20210514161125 20210430144125 28964 example.com. +L2sxEcpXKOurY/KM5jL3WsaoNl3fuQYSfkF0hat/Qi7cVCFMmVVPa5nuuAaE4L6dYDyuVnJ7CkSZaJD0cYQXA==
cf2t29nn8sqbpn6p9d1euo8k1emtvg6d.example.com. 86400 RRSIG NSEC3 13 3 86400 20210514161125 20210430144125 28964 example.com. I8qbPSgWDvKstK2b1QZs9ukdih1+mYLmdtZg+Y4gLJscpSgss8Ydz8L8jyvNTb079QwajT5FKPHRHJxGZZiCkQ==
ENTRY_END

; response to the wildcard query of interest
; The TXT answer is synthesised from *.wild.example.com (RRSIG labels field
; is 3 for a four-label owner name).  The accompanying NSEC3, again with
; iterations = 65535, is what a validator needs in order to accept the
; wildcard expansion, so the positive answer depends on the same costly proof.
ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
foo.wild.example.com. IN TXT
SECTION ANSWER
foo.wild.example.com. 86400 TXT "wildcard"
foo.wild.example.com. 86400 RRSIG TXT 13 3 86400 20210514161125 20210430144125 28964 example.com. sN/uAISiZueMg3yoRqnHpRw5Qayb0HDxht8XVvyY/C1H/DO6cBvyskTyBIU7S1B+hIOvaIKUAqd9D1+VIr58bA==
SECTION AUTHORITY
ti6egnlv8nsi9js84c1mv3ec7sq4293g.example.com. 86400 NSEC3 1 0 65535 D7F1DC453FCD0B67 1cl7h356uun3lupr5ul5ok6puohj998d TXT RRSIG
ti6egnlv8nsi9js84c1mv3ec7sq4293g.example.com. 86400 RRSIG NSEC3 13 3 86400 20210514161125 20210430144125 28964 example.com. zeA5x5Fcqcvqq8deQT93Fa8ZOtgLA+zIZ/uKED5e4vjtNEg5cCJ6/4+YM4/ztwYnkSzkkKbzrzF7qanJNSlk3w==
ENTRY_END
RANGE_END

; Control case: a positive answer that needs no NSEC3.  AD in the expected
; reply shows the trust anchor, keys and signatures validate, so a missing AD
; in the later steps can be attributed to NSEC3 handling and not to a broken
; chain of trust.
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD AD
SECTION QUESTION
ns1.example.com. IN A
ENTRY_END

; recursion happens here
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AD NOERROR
SECTION QUESTION
ns1.example.com. IN A
SECTION ANSWER
ns1.example.com. 86400 IN A 1.2.3.4
ENTRY_END

; now simple non-existing entry
STEP 21 QUERY
ENTRY_BEGIN
REPLY RD AD
SECTION QUESTION
nxdomain.example.com. IN A
ENTRY_END

; it should get downgraded
; i.e. the expected reply keeps rcode NXDOMAIN but carries no AD flag: the
; denial is passed on as insecure data, not rejected as bogus (which would
; show up as SERVFAIL) and not vouched for as validated.
STEP 22 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NXDOMAIN
SECTION QUESTION
nxdomain.example.com. IN A
SECTION AUTHORITY
example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. 3 21600 3600 604800 86400
ENTRY_END

; more difficult: positive wildcard expansion
STEP 31 QUERY
ENTRY_BEGIN
REPLY RD AD
SECTION QUESTION
foo.wild.example.com. IN TXT
ENTRY_END

; Same downgrade for the wildcard case: the TXT data is returned with
; NOERROR, but AD is absent from the expected flags.
STEP 32 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
foo.wild.example.com. IN TXT
SECTION ANSWER
foo.wild.example.com. 86400 TXT "wildcard"
ENTRY_END

SCENARIO_END