1; config options 2; The island of trust is at example.com 3server: 4 trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" 5 trust-anchor: "example.net. 3600 IN DS 1444 8 2 69887be92d4848c0bc10acc95682a01e7e3b57ab0750a2ee6f72cac7191a64f1" 6 val-override-date: "20070916134226" 7 target-fetch-policy: "0 0 0 0 0" 8 qname-minimisation: "no" 9 fake-sha1: yes 10 trust-anchor-signaling: no 11 minimal-responses: no 12 val-log-level: 2 13 ede: yes 14 15stub-zone: 16 name: "." 17 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 18CONFIG_END 19 20SCENARIO_BEGIN Test validator with failure for chaing of trust lookup. 21; The error message that is created, also for EDE is more extensive. 22 23; K.ROOT-SERVERS.NET. 24RANGE_BEGIN 0 100 25 ADDRESS 193.0.14.129 26ENTRY_BEGIN 27MATCH opcode qtype qname 28ADJUST copy_id 29REPLY QR NOERROR 30SECTION QUESTION 31. IN NS 32SECTION ANSWER 33. IN NS K.ROOT-SERVERS.NET. 34SECTION ADDITIONAL 35K.ROOT-SERVERS.NET. IN A 193.0.14.129 36ENTRY_END 37 38ENTRY_BEGIN 39MATCH opcode subdomain 40ADJUST copy_id copy_query 41REPLY QR NOERROR 42SECTION QUESTION 43com. IN NS 44SECTION AUTHORITY 45com. IN NS a.gtld-servers.net. 46SECTION ADDITIONAL 47a.gtld-servers.net. IN A 192.5.6.30 48ENTRY_END 49 50ENTRY_BEGIN 51MATCH opcode subdomain 52ADJUST copy_id copy_query 53REPLY QR NOERROR 54SECTION QUESTION 55net. IN NS 56SECTION AUTHORITY 57net. IN NS a.gtld-servers.net. 58SECTION ADDITIONAL 59a.gtld-servers.net. IN A 192.5.6.30 60ENTRY_END 61RANGE_END 62 63; a.gtld-servers.net. 64RANGE_BEGIN 0 100 65 ADDRESS 192.5.6.30 66ENTRY_BEGIN 67MATCH opcode qtype qname 68ADJUST copy_id 69REPLY QR NOERROR 70SECTION QUESTION 71com. IN NS 72SECTION ANSWER 73com. IN NS a.gtld-servers.net. 74SECTION ADDITIONAL 75a.gtld-servers.net. IN A 192.5.6.30 76ENTRY_END 77 78ENTRY_BEGIN 79MATCH opcode subdomain 80ADJUST copy_id copy_query 81REPLY QR NOERROR 82SECTION QUESTION 83example.com. IN NS 84SECTION AUTHORITY 85example.com. IN NS ns.example.com. 86SECTION ADDITIONAL 87ns.example.com. IN A 1.2.3.4 88ENTRY_END 89 90ENTRY_BEGIN 91MATCH opcode subdomain 92ADJUST copy_id copy_query 93REPLY QR NOERROR 94SECTION QUESTION 95example.net. IN NS 96SECTION AUTHORITY 97example.net. IN NS ns.example.net. 98SECTION ADDITIONAL 99ns.example.net. IN A 1.2.3.5 100ENTRY_END 101RANGE_END 102 103; ns.example.com. 104RANGE_BEGIN 0 100 105 ADDRESS 1.2.3.4 106ENTRY_BEGIN 107MATCH opcode qtype qname 108ADJUST copy_id 109REPLY QR NOERROR 110SECTION QUESTION 111example.com. IN NS 112SECTION ANSWER 113example.com. IN NS ns.example.com. 114example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 115SECTION ADDITIONAL 116ns.example.com. IN A 1.2.3.4 117ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 118ENTRY_END 119 120ENTRY_BEGIN 121MATCH opcode qtype qname 122ADJUST copy_id 123REPLY QR AA NOERROR 124SECTION QUESTION 125ns.example.com. IN A 126SECTION ANSWER 127ns.example.com. IN A 1.2.3.4 128ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 129ENTRY_END 130 131ENTRY_BEGIN 132MATCH opcode qtype qname 133ADJUST copy_id 134REPLY QR AA NOERROR 135SECTION QUESTION 136ns.example.com. IN AAAA 137SECTION AUTHORITY 138example.com. IN NS ns.example.com. 139example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 140SECTION ADDITIONAL 141ns.example.com. IN A 1.2.3.4 142ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 143ENTRY_END 144 145; response to DNSKEY priming query 146;ENTRY_BEGIN 147;MATCH opcode qtype qname 148;ADJUST copy_id 149;REPLY QR NOERROR 150;SECTION QUESTION 151;example.com. IN DNSKEY 152;SECTION ANSWER 153;example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} 154;example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} 155;SECTION AUTHORITY 156;example.com. IN NS ns.example.com. 157;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 158;SECTION ADDITIONAL 159;ns.example.com. IN A 1.2.3.4 160;ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} 161;ENTRY_END 162; servfail for DNSKEY priming query 163ENTRY_BEGIN 164MATCH opcode qtype qname 165ADJUST copy_id 166REPLY QR AA SERVFAIL 167SECTION QUESTION 168example.com. IN DNSKEY 169ENTRY_END 170 171; response to query of interest 172ENTRY_BEGIN 173MATCH opcode qtype qname 174ADJUST copy_id 175REPLY QR NOERROR 176SECTION QUESTION 177www.example.com. IN A 178SECTION ANSWER 179www.example.com. IN A 10.20.30.40 180ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854} 181SECTION AUTHORITY 182example.com. IN NS ns.example.com. 183example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} 184SECTION ADDITIONAL 185ns.example.com. IN A 1.2.3.4 186www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} 187ENTRY_END 188RANGE_END 189 190; ns.example.com. 191RANGE_BEGIN 0 100 192 ADDRESS 1.2.3.5 193ENTRY_BEGIN 194MATCH opcode qtype qname 195ADJUST copy_id 196REPLY QR AA NOERROR 197SECTION QUESTION 198example.net. IN NS 199SECTION ANSWER 200example.net. 3600 IN NS ns.example.net. 201example.net. 3600 IN RRSIG NS 8 2 3600 20070926134150 20070829134150 1444 example.net. nHpOqZb00nIGytQ1YmVoXEHURL/75dWhlKSEtRTorjVdPGPZNN7ziCWJW303v7u07TkZ+i6oFVEWG/SDR4ejn5o31UKJy1373PEH/cvPf9/44jw9gAFaHF1eO6ZQGaRQaeEpU06+xUcnc2QXFt6rNu60EsTvMRDN83bD+r7FA7Y= 202SECTION ADDITIONAL 203ns.example.net. 3600 IN A 1.2.3.5 204ns.example.net. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 1444 example.net. TgQ4nfGtLHuZXlC4JJlVQ6mejf1WJbstTxsh/kgMAc2tryOxF/gvGBHaMtz6oceFZrIgk6g3RYI1Gk5gjSFNADh+EIwI422M8XPAAxRLfFahiO4lr1aCo4c94TYeZNpnDKy81rINTz2hQE1pGWr8Z03ySABqSBnTE1FQt4N/JCo= 205ENTRY_END 206 207ENTRY_BEGIN 208MATCH opcode qtype qname 209ADJUST copy_id 210REPLY QR AA NOERROR 211SECTION QUESTION 212ns.example.net. IN A 213SECTION ANSWER 214ns.example.net. 3600 IN A 1.2.3.5 215ns.example.net. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 1444 example.net. TgQ4nfGtLHuZXlC4JJlVQ6mejf1WJbstTxsh/kgMAc2tryOxF/gvGBHaMtz6oceFZrIgk6g3RYI1Gk5gjSFNADh+EIwI422M8XPAAxRLfFahiO4lr1aCo4c94TYeZNpnDKy81rINTz2hQE1pGWr8Z03ySABqSBnTE1FQt4N/JCo= 216ENTRY_END 217 218ENTRY_BEGIN 219MATCH opcode qtype qname 220ADJUST copy_id 221REPLY QR AA NOERROR 222SECTION QUESTION 223ns.example.net. IN AAAA 224SECTION AUTHORITY 225example.net. 3600 IN SOA ns.example.net. host.example.net. 1 3600 300 7200 3600 226example.net. 3600 IN RRSIG SOA 8 2 3600 20070926134150 20070829134150 1444 example.net. P5FRQ4A/0n5owaBhZqlYBFD2PNAWJc5oxiDwvwh0hdjxETx8ta3EAvDKtNj5XZ5EKDAhP/tivd+Bq50I0xfRBmrouxgxjgnV3ye8zU+M1fXbuKpsWme9R3S4cs9WYfggTn7X00Af8m0tE62SLH/ZtOOQi2CvOPu7PXtHYT6KW4Q= 227ENTRY_END 228 229ENTRY_BEGIN 230MATCH opcode qtype qname 231ADJUST copy_id 232REPLY QR AA NOERROR 233SECTION QUESTION 234example.net. IN DNSKEY 235SECTION ANSWER 236example.net. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b} 237example.net. 3600 IN RRSIG DNSKEY 8 2 3600 20070926134150 20070829134150 1444 example.net. hAAlJt/YwAgWBzseK0N42+ysSMaWgntcuftF8a43chLh+fbe3vPWrgwqr/Cic52tu4ZqMox592tqWDxAG7F1eDGfO0SfzS2C9Tc/Wnz5nFjFh75G4Mtt8DTv5vTyGUVX5zAFzV8SNijVC0o1F7MHaVPt3rFtjjg2zW/UOz2m9+U= 238ENTRY_END 239 240; For sub1.example.net. zone; it is co-hosted with example.net, so that 241; there can be failures for the DS lookup. But the data lookup succeeds. 242ENTRY_BEGIN 243MATCH opcode qtype qname 244ADJUST copy_id 245REPLY QR AA NOERROR 246SECTION QUESTION 247www.sub1.example.net. IN A 248SECTION ANSWER 249www.sub1.example.net. IN A 10.20.30.41 250www.sub1.example.net. 3600 IN RRSIG A 8 4 3600 20070926134150 20070829134150 29332 sub1.example.net. NcFP77Hixawt8hb+STIbbeqdF9tWTuHsbGEB4agKXlwHqS0BnyA+It6+UdE57IF0Kbnc7gSuaslX9At8ctd4HuC/9F/osbo96o23JEfnXPky/r5SsLaeN5KmUmUVjG9oxyAEc6PVlaaQ5a/RhaxmDRaDiku2gB7KjdjPxwxe+Rc54GV2eM3GtcfT+oDakLdSSACqeVjUFIOtYMpG8jAHrBe4uSnjKI7O0fWDFN5OES6sN9iUS9/ceorIoF/gSIqM7xWEuPLxE2c5TtYJyPtMCeGJ9wBP4wrTXfJ58+Lg5SFKgEuKTvAqEv9KEwg/kJb1GQ+ho5XKFO6EII2iyeUK/w== 251ENTRY_END 252 253ENTRY_BEGIN 254MATCH opcode qtype qname 255ADJUST copy_id 256REPLY QR SERVFAIL 257SECTION QUESTION 258sub1.example.net. IN DS 259SECTION ANSWER 260; no DS for sub1.example.net id=29332 algo=8 261ENTRY_END 262 263ENTRY_BEGIN 264MATCH opcode qtype qname 265ADJUST copy_id 266REPLY QR AA NOERROR 267SECTION QUESTION 268www.sub2.example.net. IN A 269SECTION ANSWER 270www.sub2.example.net. IN A 10.20.30.42 271www.sub2.example.net. 3600 IN RRSIG A 8 4 3600 20070926134150 20070829134150 29332 sub2.example.net. FOY6YxNoFyrSkBtWV7HcECmORTMedRWHdGk7Rm04icT8Bw0dWfzVaIpAkBY6FXx8UvqN7McN4IJI5dAVXptfekO+Yvy2PwkjehRUXvQK64XH5UM5pVbX5g8E4pnOrLa/jzPB7srzMpyWVCpt81lPoFpdfXUMm7434ifkTYhpAll7y5NAocFiT3F+XGe06qMIr51WxoFfegIGohMFhkTDUdLWrdV10128W+NzPdwoYtiigtCObKxTtyj3gK+mxqXvX4X4F2YIGQ+mx62ovdUilnLYZm/WC/ZQkdxeOZjeCTxvSpGGG+wtu1QufgIJ+BpAZAOxREOYZkhR29AG0np4EA== 272ENTRY_END 273 274ENTRY_BEGIN 275MATCH opcode qtype qname 276ADJUST copy_id 277REPLY QR SERVFAIL 278SECTION QUESTION 279sub2.example.net. IN DNSKEY 280SECTION ANSWER 281; sub2.example.net. IN DNSKEY 257 3 8 AwEAAb4WMOTBLTFvmBra5m6SK4VfViOzmvyUAU0qv861ZQXeEFvwlndqNU9rwRsMxrSWAYs5nHErKDn49usC/HyxxW1477iGFHhfgL4mjNreJm9zft2QFB1VLbRbEPYdDMLCn4co0qnG7/KG8W2i8Pym1L7f+aREwbLo+/716AS2PbaKMhfWLKLiq5wnBcUClQMNzCiwhqxDJp1oePqfkVdeUgXOtgi0dYRIKyQFhJ5VWJ22npoi/Gif0XLCADAlAwRLKc8o/yJkCxskzgpHpw5Cki1lclg0aq4ssOuPRQ+ne6IHYCz9D2mwzulblhLFamKdq7aHzNt4NlyxhpANVFiKLD8= ;{id = 29332 (ksk), size = 2048b} 282ENTRY_END 283 284ENTRY_BEGIN 285MATCH opcode qtype qname 286ADJUST copy_id 287REPLY QR AA NOERROR 288SECTION QUESTION 289sub2.example.net. IN DS 290SECTION ANSWER 291sub2.example.net. 3600 IN DS 29332 8 2 d53e615d9d736b0f2a0097f1d5fa51c84320610f94ecbd7197e7de5f44f02d72 292sub2.example.net. 3600 IN RRSIG DS 8 3 3600 20070926134150 20070829134150 1444 example.net. dYLYs1uMxJm5+MB6L1+uStE5S1YtyYR0JF+1pPoTptc/H1hYqMxK7pVQPtIGvq8j8wNyC7jOzALfEXgwRKiSdR1l1GQ5HIxWkhUmkpLcecwJOjemee4nXaifOFa5bdbdYpuDwTiIzx+PvanlaVjEPy0i1IukanDi6jojfyWcgLA= 293ENTRY_END 294RANGE_END 295 296STEP 1 QUERY 297ENTRY_BEGIN 298REPLY RD DO 299SECTION QUESTION 300www.example.com. IN A 301ENTRY_END 302 303; The DNSKEY lookup for the key prime is a failure. 304STEP 10 CHECK_ANSWER 305ENTRY_BEGIN 306MATCH all ede=9 307REPLY QR RD RA DO SERVFAIL 308SECTION QUESTION 309www.example.com. IN A 310SECTION ANSWER 311ENTRY_END 312 313STEP 20 QUERY 314ENTRY_BEGIN 315REPLY RD DO 316SECTION QUESTION 317www.sub1.example.net. IN A 318ENTRY_END 319 320; The DS lookup is a failure. 321STEP 30 CHECK_ANSWER 322ENTRY_BEGIN 323MATCH all ede=23 324REPLY QR RD RA DO SERVFAIL 325SECTION QUESTION 326www.sub1.example.net. IN A 327SECTION ANSWER 328ENTRY_END 329 330STEP 40 QUERY 331ENTRY_BEGIN 332REPLY RD DO 333SECTION QUESTION 334www.sub2.example.net. IN A 335ENTRY_END 336 337; The DNSKEY lookup is a failure. 338STEP 50 CHECK_ANSWER 339ENTRY_BEGIN 340MATCH all ede=9 341REPLY QR RD RA DO SERVFAIL 342SECTION QUESTION 343www.sub2.example.net. IN A 344SECTION ANSWER 345ENTRY_END 346 347SCENARIO_END 348