; config options
; The island of trust is at example.com
server:
	trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
	trust-anchor: "example.net. 3600 IN DS 1444 8 2 69887be92d4848c0bc10acc95682a01e7e3b57ab0750a2ee6f72cac7191a64f1"
	val-override-date: "20070916134226"
	target-fetch-policy: "0 0 0 0 0"
	qname-minimisation: "no"
	fake-sha1: yes
	trust-anchor-signaling: no
	minimal-responses: no
	log-servfail: yes
	val-log-level: 2
	ede: yes

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test validator with failure for chain of trust lookup.
; The error message that is created, also for EDE is more extensive.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION AUTHORITY
net. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.5
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END

; response to DNSKEY priming query
;ENTRY_BEGIN
;MATCH opcode qtype qname
;ADJUST copy_id
;REPLY QR NOERROR
;SECTION QUESTION
;example.com. IN DNSKEY
;SECTION ANSWER
;example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
;example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
;SECTION AUTHORITY
;example.com. IN NS ns.example.com.
;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
;SECTION ADDITIONAL
;ns.example.com. IN A 1.2.3.4
;ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
;ENTRY_END
; servfail for DNSKEY priming query
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA SERVFAIL
SECTION QUESTION
example.com. IN DNSKEY
ENTRY_END

; response to query of interest
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
SECTION AUTHORITY
example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
ENTRY_END
RANGE_END

; ns.example.net.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.5
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. 3600 IN NS ns.example.net.
example.net. 3600 IN RRSIG NS 8 2 3600 20070926134150 20070829134150 1444 example.net. nHpOqZb00nIGytQ1YmVoXEHURL/75dWhlKSEtRTorjVdPGPZNN7ziCWJW303v7u07TkZ+i6oFVEWG/SDR4ejn5o31UKJy1373PEH/cvPf9/44jw9gAFaHF1eO6ZQGaRQaeEpU06+xUcnc2QXFt6rNu60EsTvMRDN83bD+r7FA7Y=
SECTION ADDITIONAL
ns.example.net. 3600 IN A 1.2.3.5
ns.example.net. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 1444 example.net. TgQ4nfGtLHuZXlC4JJlVQ6mejf1WJbstTxsh/kgMAc2tryOxF/gvGBHaMtz6oceFZrIgk6g3RYI1Gk5gjSFNADh+EIwI422M8XPAAxRLfFahiO4lr1aCo4c94TYeZNpnDKy81rINTz2hQE1pGWr8Z03ySABqSBnTE1FQt4N/JCo=
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. 3600 IN A 1.2.3.5
ns.example.net. 3600 IN RRSIG A 8 3 3600 20070926134150 20070829134150 1444 example.net. TgQ4nfGtLHuZXlC4JJlVQ6mejf1WJbstTxsh/kgMAc2tryOxF/gvGBHaMtz6oceFZrIgk6g3RYI1Gk5gjSFNADh+EIwI422M8XPAAxRLfFahiO4lr1aCo4c94TYeZNpnDKy81rINTz2hQE1pGWr8Z03ySABqSBnTE1FQt4N/JCo=
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. 3600 IN SOA ns.example.net. host.example.net. 1 3600 300 7200 3600
example.net. 3600 IN RRSIG SOA 8 2 3600 20070926134150 20070829134150 1444 example.net. P5FRQ4A/0n5owaBhZqlYBFD2PNAWJc5oxiDwvwh0hdjxETx8ta3EAvDKtNj5XZ5EKDAhP/tivd+Bq50I0xfRBmrouxgxjgnV3ye8zU+M1fXbuKpsWme9R3S4cs9WYfggTn7X00Af8m0tE62SLH/ZtOOQi2CvOPu7PXtHYT6KW4Q=
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.net. IN DNSKEY
SECTION ANSWER
example.net. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b}
example.net. 3600 IN RRSIG DNSKEY 8 2 3600 20070926134150 20070829134150 1444 example.net. hAAlJt/YwAgWBzseK0N42+ysSMaWgntcuftF8a43chLh+fbe3vPWrgwqr/Cic52tu4ZqMox592tqWDxAG7F1eDGfO0SfzS2C9Tc/Wnz5nFjFh75G4Mtt8DTv5vTyGUVX5zAFzV8SNijVC0o1F7MHaVPt3rFtjjg2zW/UOz2m9+U=
ENTRY_END

; For sub1.example.net. zone; it is co-hosted with example.net, so that
; there can be failures for the DS lookup. But the data lookup succeeds.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub1.example.net. IN A
SECTION ANSWER
www.sub1.example.net. IN A 10.20.30.41
www.sub1.example.net. 3600 IN RRSIG A 8 4 3600 20070926134150 20070829134150 29332 sub1.example.net. NcFP77Hixawt8hb+STIbbeqdF9tWTuHsbGEB4agKXlwHqS0BnyA+It6+UdE57IF0Kbnc7gSuaslX9At8ctd4HuC/9F/osbo96o23JEfnXPky/r5SsLaeN5KmUmUVjG9oxyAEc6PVlaaQ5a/RhaxmDRaDiku2gB7KjdjPxwxe+Rc54GV2eM3GtcfT+oDakLdSSACqeVjUFIOtYMpG8jAHrBe4uSnjKI7O0fWDFN5OES6sN9iUS9/ceorIoF/gSIqM7xWEuPLxE2c5TtYJyPtMCeGJ9wBP4wrTXfJ58+Lg5SFKgEuKTvAqEv9KEwg/kJb1GQ+ho5XKFO6EII2iyeUK/w==
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR SERVFAIL
SECTION QUESTION
sub1.example.net. IN DS
SECTION ANSWER
; no DS for sub1.example.net id=29332 algo=8
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
www.sub2.example.net. IN A
SECTION ANSWER
www.sub2.example.net. IN A 10.20.30.42
www.sub2.example.net. 3600 IN RRSIG A 8 4 3600 20070926134150 20070829134150 29332 sub2.example.net. FOY6YxNoFyrSkBtWV7HcECmORTMedRWHdGk7Rm04icT8Bw0dWfzVaIpAkBY6FXx8UvqN7McN4IJI5dAVXptfekO+Yvy2PwkjehRUXvQK64XH5UM5pVbX5g8E4pnOrLa/jzPB7srzMpyWVCpt81lPoFpdfXUMm7434ifkTYhpAll7y5NAocFiT3F+XGe06qMIr51WxoFfegIGohMFhkTDUdLWrdV10128W+NzPdwoYtiigtCObKxTtyj3gK+mxqXvX4X4F2YIGQ+mx62ovdUilnLYZm/WC/ZQkdxeOZjeCTxvSpGGG+wtu1QufgIJ+BpAZAOxREOYZkhR29AG0np4EA==
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR SERVFAIL
SECTION QUESTION
sub2.example.net. IN DNSKEY
SECTION ANSWER
; sub2.example.net. IN DNSKEY 257 3 8 AwEAAb4WMOTBLTFvmBra5m6SK4VfViOzmvyUAU0qv861ZQXeEFvwlndqNU9rwRsMxrSWAYs5nHErKDn49usC/HyxxW1477iGFHhfgL4mjNreJm9zft2QFB1VLbRbEPYdDMLCn4co0qnG7/KG8W2i8Pym1L7f+aREwbLo+/716AS2PbaKMhfWLKLiq5wnBcUClQMNzCiwhqxDJp1oePqfkVdeUgXOtgi0dYRIKyQFhJ5VWJ22npoi/Gif0XLCADAlAwRLKc8o/yJkCxskzgpHpw5Cki1lclg0aq4ssOuPRQ+ne6IHYCz9D2mwzulblhLFamKdq7aHzNt4NlyxhpANVFiKLD8= ;{id = 29332 (ksk), size = 2048b}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
sub2.example.net. IN DS
SECTION ANSWER
sub2.example.net. 3600 IN DS 29332 8 2 d53e615d9d736b0f2a0097f1d5fa51c84320610f94ecbd7197e7de5f44f02d72
sub2.example.net. 3600 IN RRSIG DS 8 3 3600 20070926134150 20070829134150 1444 example.net. dYLYs1uMxJm5+MB6L1+uStE5S1YtyYR0JF+1pPoTptc/H1hYqMxK7pVQPtIGvq8j8wNyC7jOzALfEXgwRKiSdR1l1GQ5HIxWkhUmkpLcecwJOjemee4nXaifOFa5bdbdYpuDwTiIzx+PvanlaVjEPy0i1IukanDi6jojfyWcgLA=
ENTRY_END
RANGE_END

STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; The DNSKEY lookup for the key prime is a failure.
; Expect SERVFAIL with EDE 9 (DNSKEY Missing, RFC 8914).
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END

STEP 20 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub1.example.net. IN A
ENTRY_END

; The DS lookup is a failure.
; Expect SERVFAIL with EDE 23 (Network Error, RFC 8914).
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=23
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.sub1.example.net. IN A
SECTION ANSWER
ENTRY_END

STEP 40 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.sub2.example.net. IN A
ENTRY_END

; The DNSKEY lookup is a failure.
; Expect SERVFAIL with EDE 9 (DNSKEY Missing, RFC 8914).
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.sub2.example.net. IN A
SECTION ANSWER
ENTRY_END

SCENARIO_END