1; config options 2server: 3 target-fetch-policy: "0 0 0 0 0" 4 5auth-zone: 6 name: "test-ns-signed.dev.internet.nl." 7 ## zonefile (or none). 8 ## zonefile: "example.com.zone" 9 ## master by IP address or hostname 10 ## can list multiple masters, each on one line. 11 ## master: 12 ## url for http fetch 13 ## url: 14 ## queries from downstream clients get authoritative answers. 15 ## for-downstream: yes 16 for-downstream: yes 17 ## queries are used to fetch authoritative answers from this zone, 18 ## instead of unbound itself sending queries there. 19 ## for-upstream: yes 20 for-upstream: yes 21 ## on failures with for-upstream, fallback to sending queries to 22 ## the authority servers 23 ## fallback-enabled: no 24 25 ## this line generates zonefile: \n"/tmp/xxx.example.com"\n 26 zonefile: 27TEMPFILE_NAME test-ns-signed.dev.internet.nl 28 ## this is the inline file /tmp/xxx.test-ns-signed.dev.internet.nl 29 ## the tempfiles are deleted when the testrun is over. 30TEMPFILE_CONTENTS test-ns-signed.dev.internet.nl 31test-ns-signed.dev.internet.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 4 14400 3600 604800 3600 32test-ns-signed.dev.internet.nl. 3600 IN RRSIG SOA 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. ybb0Hc7NC+QOFEEv4cX2+Umlk+miiOAHmeP2Uwvg6lqfxkk+3g7yWBEKMinXjLKz0odWZ6fki6M/3yBPQX8SV0OCRY5gYvAHAjbxAIHozIM+5iwOkRQhNF1DRgQ3BLjL93f6T5e5Z4y1812iOpu4GYswXW/UTOZACXz2UiaCPAg= 33;; Out of zone record that shouldn't break NSEC3 proofs. 34;; There was a bug that would keep removing labels and use this out of zone 35;; record. 36dev.internet.nl. 3600 IN NS ns.test-ns-signed.dev.internet.nl. 37test-ns-signed.dev.internet.nl. 3600 IN NS ns.test-ns-signed.dev.internet.nl. 38test-ns-signed.dev.internet.nl. 3600 IN RRSIG NS 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. KqiwTF3hKm1ZHGbgx6MVzZYHlS1p7+Xrikx4izMHFbWiD6ki6lrJBJsnH9j/hH1cwHxjXslOeJh0hdBdbn8la0meZPsebOyUbEjoLPzRLzKNLDBuA4BUJnRGQJy21CX7XooXAMAmR8YFipO8CojI9EogU2m2o9YkfbpacFWQoTk= 39test-ns-signed.dev.internet.nl. 3600 IN DNSKEY 256 3 8 AwEAAc6c8tpMXBSOFLu/9n4aUUDK43wN4B7A2UDqZi0IOkyptxWCFghleyZeeN5uq6p9MoUt8lS73mFmIYC0ux5zBO3uVaJQ9u+00qRAEVg/RgBwa58y2f/zNtFV/f7mBSPcPTiEjUh0bwHSiTvUn/8JkrvjyAcbQMO0YOsRof5q6tzl ;{id = 32784 (zsk), size = 1024b} 40test-ns-signed.dev.internet.nl. 3600 IN DNSKEY 257 3 8 AwEAAdC0hBJP1U8lbZ6JFXn0ouK6VipiraN7I8oog62SuEd/fqAupys7A/Ih6WK/UoJorjlnccEL8euNMaS4kNogvoBrFx8ciIWKcbot5mtwc4WDr3cnR+HIZNCUFVkIxsMqE7HCD0yn0zhkB60shED+ZHs8zpyU+cjnsOSizxOnIY+F ;{id = 54502 (ksk), size = 1024b} 41test-ns-signed.dev.internet.nl. 3600 IN RRSIG DNSKEY 8 4 3600 20190205132351 20190108132351 54502 test-ns-signed.dev.internet.nl. X3qN+plfjf45FA4pr/tcUqUCR9ajDqwtNe4TS19WOJogVL/Gf/N5/ToOCrs3s+a7VrJl58WvSJquDM8xAS8f4oJggKgHFhopce8tMTGRxkRvJo4y+tt3vCveh/zjHLAnbOaBGA4CJ/IPhRqzHzcX/SjSv0EACWd6XpQIWogRv6c= 42test-ns-signed.dev.internet.nl. 3600 IN NSEC3PARAM 1 0 1 - 43test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3PARAM 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. A/1xUGO46uIz+9vjPGfWVD99akwU9bd/UlnVG9LPfoTzG7TMWSoZ4ksg8k8ub8K1TrkDmQokNHSW0Gt6qwoRh17c+p1h/SFlDVL83wgTc4NqG43OQjgGU9RV035XU+VESlO3lavifhlu8rHWBJTlhiXcMGq6H+zvoz4sx9p5GNM= 4493stp7o7i5n9gb83uu7vv6h8qltk14ig.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - fee0c2kfhi6bnljce6vehaenqq3pbupu NS SOA RRSIG DNSKEY NSEC3PARAM 4593stp7o7i5n9gb83uu7vv6h8qltk14ig.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. YoTRDQ7sSvERcY1WwAH4oRRR7DmaAwA8/H70jdMeSU4wsnM/VM03kDcc2sgq5edmHiZoTWnq7nEb/1Y7Ro0YrqTUQdYFZvXi6UjZQrKI9nqAGnhdXZWlZJHmYpn2+2Emd+bYHkwvKaPnfnnKjUoGVBH8Hly0HBYKPUF1/viquB0= 46kl94uofq16t2vlq0bmampf6e4o9k5hbi.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 7ag3p2pfrvq09dpn63cvga8ub1rnrrg1 47kl94uofq16t2vlq0bmampf6e4o9k5hbi.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. NI5zJ/k1kPVZ1abms5OoME/wazb77Ltduyk6ZevAnt4tKydZYwSsjEd0Ixknw9xnakCABn5rAYEXctARN0KCwCkNHR7TYlTAJT14hlDYjbad2u2HT9L1kzAnfj3BeLZl/LRADeMbTtzrkTSF3Dnezurb94fMnUnKt2hPfQfj560= 48fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv 49fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. WIb3ISP1nlafbyWoWa4z7sG5IS+V86PyvEMHdD/64hgsFkrCu483XK7VNnBz28SL/631JXA1R19O+UxeWhTUyctp8QSt6cEZcMPY8b7yG97rNFNvhSw75rSXXt+JwgIYHPHQV5oqPtVmEpQM5SfJd+hs+Nn1bJcWB3UaESNNAMQ= 50*.a.b.test-ns-signed.dev.internet.nl. 3600 IN TXT "a" 51*.a.b.test-ns-signed.dev.internet.nl. 3600 IN RRSIG TXT 8 6 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. eNcJkQXdTO1z21od0sXbgqtABhhr/9tNC/Zx8zYbhXkfj7rufN71yk9xqgu6TG0MeJV26ISrqIGRVFJFmTRvO1LLxoKkEPhqe+08nqRztxXZajCV+dDeFoGIDcXJg6tAxB+MJznkKDtZPpIWvyt1WwdYfcMrGtE9AmR3K1/P/xE= 527ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 93stp7o7i5n9gb83uu7vv6h8qltk14ig TXT RRSIG 537ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. gtxoiTa3FRUqoRLvkWSxmWQ+DfijVd26gpKH3+GmGIcNB/sr/Cf8kERRwVVHvgzYIcvdJcys5b2LUXnZJwcdAlx7efZPWgNZzWxJrw6ES25LCWJOrp31isWn9FlAZGIbnpyEXxD2apBSmtyPnKbTgU6lHHS9jrsYHu4G8Zouv3k= 54ns.test-ns-signed.dev.internet.nl. 3600 IN A 185.49.141.11 55ns.test-ns-signed.dev.internet.nl. 3600 IN RRSIG A 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. F9sXEVAmlRn+/84WbuvegiCwstNxMDMQLl0Obv2CTPpee4U6psbmXrlzczjjjkE6aLjsIHYdcXCzEWTrmukT+V9jzaGPRJvxNvC0ASWyzggAoh0Z++Hl4cVa9587o6I9ODayehFI9Pgdem+RVdb4zlWuzi9FmKXgeTlgWN54tPg= 56ns.test-ns-signed.dev.internet.nl. 3600 IN AAAA 2a04:b900:0:100::11 57ns.test-ns-signed.dev.internet.nl. 3600 IN RRSIG AAAA 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. F1XRrx/QgfzJ1RS7d0m23QoIPx1G8WL1SrlTOm7pk5vWTL07w7HEw2TETblkjnitJGKfN9ebsIum/cDPUZc3UqLkguP2UCWpePnlllTJuwmG0Z+wyINIR4xF4PQlqttvzThBkD2JKWb/o0W8dQyXTj+jJ1vCZ0NjjA2N4+iJIQE= 58i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - kl94uofq16t2vlq0bmampf6e4o9k5hbi A AAAA RRSIG 59i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU= 60TEMPFILE_END 61 62stub-zone: 63 name: "." 64 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 65CONFIG_END 66 67SCENARIO_BEGIN Test authority zone with NSEC3 wildcard 68 69; K.ROOT-SERVERS.NET. 70RANGE_BEGIN 0 100 71 ADDRESS 193.0.14.129 72ENTRY_BEGIN 73MATCH opcode qtype qname 74ADJUST copy_id 75REPLY QR NOERROR 76SECTION QUESTION 77. IN NS 78SECTION ANSWER 79. IN NS K.ROOT-SERVERS.NET. 80SECTION ADDITIONAL 81K.ROOT-SERVERS.NET. IN A 193.0.14.129 82ENTRY_END 83 84ENTRY_BEGIN 85MATCH opcode subdomain 86ADJUST copy_id copy_query 87REPLY QR NOERROR 88SECTION QUESTION 89com. IN NS 90SECTION AUTHORITY 91com. IN NS a.gtld-servers.net. 92SECTION ADDITIONAL 93a.gtld-servers.net. IN A 192.5.6.30 94ENTRY_END 95RANGE_END 96 97; a.gtld-servers.net. 98RANGE_BEGIN 0 100 99 ADDRESS 192.5.6.30 100ENTRY_BEGIN 101MATCH opcode qtype qname 102ADJUST copy_id 103REPLY QR NOERROR 104SECTION QUESTION 105com. IN NS 106SECTION ANSWER 107com. IN NS a.gtld-servers.net. 108SECTION ADDITIONAL 109a.gtld-servers.net. IN A 192.5.6.30 110ENTRY_END 111 112ENTRY_BEGIN 113MATCH opcode subdomain 114ADJUST copy_id copy_query 115REPLY QR NOERROR 116SECTION QUESTION 117example.com. IN NS 118SECTION AUTHORITY 119example.com. IN NS ns.example.com. 120SECTION ADDITIONAL 121ns.example.com. IN A 1.2.3.44 122ENTRY_END 123RANGE_END 124 125; ns.example.net. 126RANGE_BEGIN 0 100 127 ADDRESS 1.2.3.44 128ENTRY_BEGIN 129MATCH opcode qtype qname 130ADJUST copy_id 131REPLY QR NOERROR 132SECTION QUESTION 133example.net. IN NS 134SECTION ANSWER 135example.net. IN NS ns.example.net. 136SECTION ADDITIONAL 137ns.example.net. IN A 1.2.3.44 138ENTRY_END 139 140ENTRY_BEGIN 141MATCH opcode qtype qname 142ADJUST copy_id 143REPLY QR NOERROR 144SECTION QUESTION 145ns.example.net. IN A 146SECTION ANSWER 147ns.example.net. IN A 1.2.3.44 148SECTION AUTHORITY 149example.net. IN NS ns.example.net. 150ENTRY_END 151 152ENTRY_BEGIN 153MATCH opcode qtype qname 154ADJUST copy_id 155REPLY QR NOERROR 156SECTION QUESTION 157ns.example.net. IN AAAA 158SECTION AUTHORITY 159example.net. IN NS ns.example.net. 160SECTION ADDITIONAL 161www.example.net. IN A 1.2.3.44 162ENTRY_END 163 164ENTRY_BEGIN 165MATCH opcode qtype qname 166ADJUST copy_id 167REPLY QR NOERROR 168SECTION QUESTION 169example.com. IN NS 170SECTION ANSWER 171example.com. IN NS ns.example.net. 172ENTRY_END 173 174ENTRY_BEGIN 175MATCH opcode qtype qname 176ADJUST copy_id 177REPLY QR NOERROR 178SECTION QUESTION 179www.example.com. IN A 180SECTION ANSWER 181www.example.com. IN A 10.20.30.40 182ENTRY_END 183RANGE_END 184 185STEP 1 QUERY 186ENTRY_BEGIN 187REPLY RD DO 188SECTION QUESTION 189something.a.b.test-ns-signed.dev.internet.nl. IN TXT 190ENTRY_END 191 192; recursion happens here. 193STEP 20 CHECK_ANSWER 194ENTRY_BEGIN 195MATCH all 196REPLY QR AA RD RA DO NOERROR 197SECTION QUESTION 198something.a.b.test-ns-signed.dev.internet.nl. IN TXT 199SECTION ANSWER 200something.a.b.test-ns-signed.dev.internet.nl. IN TXT "a" 201something.a.b.test-ns-signed.dev.internet.nl. 3600 IN RRSIG TXT 8 6 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. eNcJkQXdTO1z21od0sXbgqtABhhr/9tNC/Zx8zYbhXkfj7rufN71yk9xqgu6TG0MeJV26ISrqIGRVFJFmTRvO1LLxoKkEPhqe+08nqRztxXZajCV+dDeFoGIDcXJg6tAxB+MJznkKDtZPpIWvyt1WwdYfcMrGtE9AmR3K1/P/xE= 202SECTION AUTHORITY 203i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - KL94UOFQ16T2VLQ0BMAMPF6E4O9K5HBI A AAAA RRSIG 204i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU= 205ENTRY_END 206 207; Check that the reply for a wildcard nodata answer contains the NSEC3s. 208; qname denial NSEC3, closest encloser NSEC3, and type bitmap NSEC3. 209STEP 30 QUERY 210ENTRY_BEGIN 211REPLY RD DO 212SECTION QUESTION 213something.a.b.test-ns-signed.dev.internet.nl. IN AAAA 214ENTRY_END 215 216STEP 40 CHECK_ANSWER 217ENTRY_BEGIN 218MATCH all 219REPLY QR AA RD RA DO NOERROR 220SECTION QUESTION 221something.a.b.test-ns-signed.dev.internet.nl. IN AAAA 222SECTION ANSWER 223SECTION AUTHORITY 224test-ns-signed.dev.internet.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 4 14400 3600 604800 3600 225test-ns-signed.dev.internet.nl. 3600 IN RRSIG SOA 8 4 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. ybb0Hc7NC+QOFEEv4cX2+Umlk+miiOAHmeP2Uwvg6lqfxkk+3g7yWBEKMinXjLKz0odWZ6fki6M/3yBPQX8SV0OCRY5gYvAHAjbxAIHozIM+5iwOkRQhNF1DRgQ3BLjL93f6T5e5Z4y1812iOpu4GYswXW/UTOZACXz2UiaCPAg= ;{id = 32784} 2267ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - 93stp7o7i5n9gb83uu7vv6h8qltk14ig TXT RRSIG 2277ag3p2pfrvq09dpn63cvga8ub1rnrrg1.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. gtxoiTa3FRUqoRLvkWSxmWQ+DfijVd26gpKH3+GmGIcNB/sr/Cf8kERRwVVHvgzYIcvdJcys5b2LUXnZJwcdAlx7efZPWgNZzWxJrw6ES25LCWJOrp31isWn9FlAZGIbnpyEXxD2apBSmtyPnKbTgU6lHHS9jrsYHu4G8Zouv3k= ;{id = 32784} 228fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv 229fee0c2kfhi6bnljce6vehaenqq3pbupu.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. WIb3ISP1nlafbyWoWa4z7sG5IS+V86PyvEMHdD/64hgsFkrCu483XK7VNnBz28SL/631JXA1R19O+UxeWhTUyctp8QSt6cEZcMPY8b7yG97rNFNvhSw75rSXXt+JwgIYHPHQV5oqPtVmEpQM5SfJd+hs+Nn1bJcWB3UaESNNAMQ= ;{id = 32784} 230i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN NSEC3 1 0 1 - kl94uofq16t2vlq0bmampf6e4o9k5hbi A AAAA RRSIG 231i6pi4e3o98e7vtkpjfhqn7g77d3mjcnv.test-ns-signed.dev.internet.nl. 3600 IN RRSIG NSEC3 8 5 3600 20190205132351 20190108132351 32784 test-ns-signed.dev.internet.nl. xLysIqn3r3rdHE3GvwVjZwUyuFClhkhgrQdwyc66RuHKE3MfSuhVr9cHTCJzhipF5TwQTbUpLOr74r99bzdiIY8Xkgjy2M0nc76v1ObSGJdPPjGTevbhDOnavUURwOR/q0NqqO2iPrgFjOVMZ+8uwRJtCty2iAVZfVG+qDzs8hU= ;{id = 32784} 232ENTRY_END 233 234SCENARIO_END 235