do-ip6: no ; config options ; The island of trust is at example.com ;server: trust-anchor: "example.com. 3600 IN DS 21095 7 1 1A16E6CECEBF9305C5AB107B5BD5993BFF8716C5 " val-override-date: "20181130121925" ; target-fetch-policy: "0 0 0 0 0" ; fake-sha1: yes ;stub-zone: ; name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. query-minimization: off CONFIG_END SCENARIO_BEGIN Test validator with insecure delegation and DS negative cache ; K.ROOT-SERVERS.NET. RANGE_BEGIN 0 100 ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION . IN NS SECTION ANSWER . IN NS K.ROOT-SERVERS.NET. SECTION ADDITIONAL K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION www.sub.example.com. IN A SECTION AUTHORITY com. IN NS a.gtld-servers.net. SECTION ADDITIONAL a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END RANGE_END ; a.gtld-servers.net. RANGE_BEGIN 0 100 ADDRESS 192.5.6.30 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION com. IN NS SECTION ANSWER com. IN NS a.gtld-servers.net. SECTION ADDITIONAL a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION www.sub.example.com. IN A SECTION AUTHORITY example.com. IN NS ns.example.com. SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 ENTRY_END RANGE_END ; ns.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION example.com. IN NS SECTION ANSWER example.com. IN NS ns.example.com. example.com. 3600 IN RRSIG NS 7 2 3600 20181230101925 20181130101925 21095 example.com. W2tTjoEHLswOuMEbbkRAUV3yacfvMGWiVk4Dow+tF1+yeVDGmhk+5+Pm XNJJ4KJQ3caIWjoQicEj4yUIwb7bRA4awFGbC4NoXMlx7c1rWSZ/HRf3 Iw2BuBFP+74GS/c+HMDQAL3qfkJXKToGYJq/5IfUxOYwOnus8ia9ecAB K5A= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101925 20181130101925 21095 example.com. EyF7Iiq36OLwYxp4sMaecCI/sAFrfDIg75XepCMwr8yVW+LdST0dVA9j 6tls8QaEDg5raQhtJB2RtTHe2NmvAt2pPOH+bil5zpri4FO9fAZA7B4q I9UgzxyG+eej+Ee7TgBBsw7I72kPZuv2FCGuoTqXmVNIpr5vDJ/V/q3M lkk= ;{id = 2854} ENTRY_END ; response to DNSKEY priming query ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION example.com. IN DNSKEY SECTION ANSWER example.com. 3600 IN DNSKEY 256 3 7 AwEAAcE4pogrNoVZ7QNbp63zNoH6uzv+Ohz66upXmXfe9xFEYEYjmqI8 QEYCkuY+s7YgfoukU+XIigoE7dl8FgVyFH2rm3j76raYT+hJzKQJt4T1 B6oiSO8SR6V2fghmbxE8+L3uWjsE2n3LzzKRNM4x9nYpqLbAVLjgWCh2 4NcAXnbn ;{id = 2854 (zsk), size = 1688b} example.com. 3600 IN RRSIG DNSKEY 7 2 3600 20181230101925 20181130101925 21095 example.com. SWWwowWn1/R2gXg4oUXL5K/71YtgYj2Q8pj10DRLGW5ZDomkbvVw9jin FaHbMgRAB+1WoY+lsbHdF3gwtva8w9QulAdn+stJeCypIS3tR0oDFIqC rR5DbiduTrS0qE/AfITERWDYtXVmQwqV4FG3L0W6j7ak4/Hj7rZjlx/a juE= ;{id = 2854} SECTION AUTHORITY example.com. IN NS ns.example.com. example.com. 3600 IN RRSIG NS 7 2 3600 20181230101925 20181130101925 21095 example.com. W2tTjoEHLswOuMEbbkRAUV3yacfvMGWiVk4Dow+tF1+yeVDGmhk+5+Pm XNJJ4KJQ3caIWjoQicEj4yUIwb7bRA4awFGbC4NoXMlx7c1rWSZ/HRf3 Iw2BuBFP+74GS/c+HMDQAL3qfkJXKToGYJq/5IfUxOYwOnus8ia9ecAB K5A= ;{id = 2854} SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 ns.example.com. 3600 IN RRSIG A 7 3 3600 20181230101925 20181130101925 21095 example.com. EyF7Iiq36OLwYxp4sMaecCI/sAFrfDIg75XepCMwr8yVW+LdST0dVA9j 6tls8QaEDg5raQhtJB2RtTHe2NmvAt2pPOH+bil5zpri4FO9fAZA7B4q I9UgzxyG+eej+Ee7TgBBsw7I72kPZuv2FCGuoTqXmVNIpr5vDJ/V/q3M lkk= ;{id = 2854} ENTRY_END ; response for delegation to sub.example.com. ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION www.sub.example.com. IN A SECTION ANSWER SECTION AUTHORITY sub.example.com. IN NS ns.sub.example.com. sub.example.com. IN NSEC www.example.com. NS RRSIG NSEC sub.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101925 20181130101925 21095 example.com. Xkw2D18bwT1N9/584gwEPiMmUYjJgWCBqax8HIhvCHF2bSdSwAk1ZXDN muy7gkLTTkCb+J9pfkcwsr7j0HqNb8h3FJoF+vfgT3vSMx6V7kATkSVa wR/pllcYDoCq99/Y0fMdHAbGLE5fhoRCqv/6GkMic6rSIjI3RfcQ1y2p D7U= ;{id = 2854} SECTION ADDITIONAL ns.sub.example.com. IN A 1.2.3.6 ENTRY_END ; query for missing DS record. ; get it from the negative cache instead! ;ENTRY_BEGIN ;MATCH opcode qtype qname ;ADJUST copy_id ;REPLY QR NOERROR ;SECTION QUESTION ;sub.example.com. IN DS ;SECTION ANSWER ;SECTION AUTHORITY ;example.com. IN SOA ns.example.com. h.example.com. 2007090504 1800 1800 2419200 7200 ;example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFC5uwIHSehZtetK2CMNXttSFUB0XAhROFDAgy/FaxR8zFXJzyPdpQG93Sw== ;{id = 2854} ;sub.example.com. IN NSEC www.example.com. NS RRSIG NSEC ;sub.example.com. 3600 IN RRSIG NSEC 7 3 3600 20181230101925 20181130101925 21095 example.com. Xkw2D18bwT1N9/584gwEPiMmUYjJgWCBqax8HIhvCHF2bSdSwAk1ZXDN muy7gkLTTkCb+J9pfkcwsr7j0HqNb8h3FJoF+vfgT3vSMx6V7kATkSVa wR/pllcYDoCq99/Y0fMdHAbGLE5fhoRCqv/6GkMic6rSIjI3RfcQ1y2p D7U= ;{id = 2854} ;SECTION ADDITIONAL ;ns.sub.example.com. IN A 1.2.3.6 ;ENTRY_END RANGE_END ; ns.sub.example.com. RANGE_BEGIN 0 100 ADDRESS 1.2.3.6 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION sub.example.com. IN NS SECTION ANSWER sub.example.com. IN NS ns.sub.example.com. SECTION ADDITIONAL ns.sub.example.com. IN A 1.2.3.6 ENTRY_END ; response to query of interest ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR NOERROR SECTION QUESTION www.sub.example.com. IN A SECTION ANSWER www.sub.example.com. IN A 11.11.11.11 SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END RANGE_END STEP 1 QUERY ENTRY_BEGIN REPLY RD DO SECTION QUESTION www.sub.example.com. IN A ENTRY_END ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all REPLY QR RD RA DO NOERROR SECTION QUESTION www.sub.example.com. IN A SECTION ANSWER www.sub.example.com. 3600 IN A 11.11.11.11 SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END SCENARIO_END