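; Unbound testbound replay scenario, restored to one directive/record per line.
; The listing's line-number gutter had been fused into the text and the file
; collapsed onto a few physical lines; no record or signature data is changed.
;
; What is tested: a signed CNAME whose target sits under an insecure
; delegation. The delegation is shown by a signed NSEC (example.com) or a
; signed NSEC3 (example.org) whose type bitmap has NS but neither DS nor SOA.

; config options
server:
	; Both zones are anchored on the same test key: DNSKEY flags 256 (ZSK),
	; algorithm 5 (RSASHA1), 512-bit, key tag 30899. This is fixture material
	; only; the key size and SHA-1 are far below what a real zone should use.
	trust-anchor: "example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
	trust-anchor: "example.org. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
	; Pins the validator clock to 2009-10-11, inside the RRSIG validity
	; window used below (inception 20091010000000, expiration 20091012000000).
	; Debug/test option: on a live resolver it would defeat expiry checking.
	val-override-date: "20091011000000"
	; Test-only switch so the algorithm-5 (SHA-1) signatures in this fixture
	; are still exercised; it does not belong in a production configuration.
	fake-sha1: yes
	; Off so the scenario is not disturbed by trust-anchor signaling queries.
	trust-anchor-signaling: no

; Every query is forwarded to 192.0.2.1, the address simulated by the RANGE below.
forward-zone:
	name: "."
	forward-addr: 192.0.2.1
CONFIG_END

SCENARIO_BEGIN Test validator with CNAME to insecure NSEC or NSEC3.

; Canned upstream answers served from 192.0.2.1 for steps 0..100.
RANGE_BEGIN 0 100
	ADDRESS 192.0.2.1

; example.com apex DNSKEY, self-signed; must match the configured trust anchor.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20091012000000 20091010000000 30899 example.com. BeCk6+D0ysmO1+X0CjvXH55AO78C7Vxrq58C3YgO0wt2eTG/deZCiWI3bz+3OC64cICbJr5fvCfqUuJDABU/fw== ;{id = 30899}
ENTRY_END

; NSEC case: signed CNAME plus a signed NSEC at the CNAME target. The NSEC
; bitmap (NS RRSIG NSEC) has no DS and no SOA, i.e. a delegation with no
; secure entry point below it.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN AAAA
SECTION ANSWER
www.example.com. 3600 IN CNAME unsafe.example.com.
www.example.com. 3600 IN RRSIG CNAME 5 3 3600 20091012000000 20091010000000 30899 example.com. FJN0bZitZfxNQNTD1V2vcDBQ9cb4y4YGa35Ilr+VnrBiisAB9ZyrO8umvdtwzV1VPIlfFDQTJrKh5aZparLHPw== ;{id = 30899}
SECTION AUTHORITY
; really an insecure delegation, but co-hosted on the server.
unsafe.example.com. 3600 IN NSEC v.example.com. NS RRSIG NSEC
unsafe.example.com. 3600 IN RRSIG NSEC 5 3 3600 20091012000000 20091010000000 30899 example.com. Le9EsRd2MxkOGRCvGtQkXRDAob5ZJOFQlZbDvcWAh5OXVpmcwZmCHctxw/Zyi4LkNYoYCSCc8PiVRrJM3IsGrQ== ;{id = 30899}
ENTRY_END

; Follow-up for the CNAME target: no AAAA data, parent-zone SOA in authority.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
unsafe.example.com. IN AAAA
SECTION ANSWER
; empty response
SECTION AUTHORITY
example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20091012000000 20091010000000 30899 example.com. gJkF06xR3FoD/d+rxcLOwGpT8+DV+nbxED8C6T1qZyhWfKlfpYzISNooKBWD+JQbaGKV/nfm+rT3M0fnIXPpQQ==
ENTRY_END

; example.org apex DNSKEY, self-signed; must match the configured trust anchor.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.org. IN DNSKEY
SECTION ANSWER
example.org. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20091012000000 20091010000000 30899 example.org. rd9aoXbeaE0zyT96Z0sjN3Mz5Nz/wuRsIH1lwcjwUFmAAT7F+SjwVWeo8nGaTBd8JDSUdiL+VwotEE0I22RrnA== ;{id = 30899}
ENTRY_END

; NSEC3 case: same shape as the NSEC case, but the delegation is shown by an
; NSEC3 record (hash algorithm 1, flags 0, 1 iteration, no salt) whose owner
; is the hash of the CNAME target and whose bitmap holds NS only.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.org. IN AAAA
SECTION ANSWER
www.example.org. 3600 IN CNAME unsafe.example.org.
www.example.org. 3600 IN RRSIG CNAME 5 3 3600 20091012000000 20091010000000 30899 example.org. ZgRbMnunAqa1K46GINIihekkI73/1PkGFSAJRn7bSTxBpLM+qiHJDU1+QgS2SjaSKHqNqbXy/eeG3qX9r9y87g== ;{id = 30899}
SECTION AUTHORITY
; really an insecure delegation, but co-hosted on the server.
; h(unsafe.example.org.) = ltchu0548v0cof8f25u2pj4mjf4shcms.
ltchu0548v0cof8f25u2pj4mjf4shcms.example.org. IN NSEC3 1 0 1 - ltchu0548v0cof8f25u2pj4mjf4shcmt NS
ltchu0548v0cof8f25u2pj4mjf4shcms.example.org. 3600 IN RRSIG NSEC3 5 3 3600 20091012000000 20091010000000 30899 example.org. yxuYgfkg8QTdB5yBMN9Up9GyKu7xjKDScqq95/tsy3lx22tLsdLD9Fojdrq7eB+K7Tr72AejmVJs44v6TmWkZw== ;{id = 30899}
ENTRY_END

; Follow-up for the CNAME target: no AAAA data, parent-zone SOA in authority.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
unsafe.example.org. IN AAAA
SECTION ANSWER
; empty response
SECTION AUTHORITY
example.org. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
example.org. 3600 IN RRSIG SOA 5 2 3600 20091012000000 20091010000000 30899 example.org. lYlSk7saPytwcu6Dp3HKYdyCOIlpTm+T8kjf0hnrLgPDZuksUjw/GLB+d6onTDpWLlasHfi0eoAkNvTeuR0+1w==
ENTRY_END

RANGE_END

; NSEC
; Client query with DO set. The expected reply below lists QR RD RA DO and
; NOERROR but no AD flag, and carries the signed CNAME together with the
; NSEC and SOA records from both upstream answers.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN AAAA
ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO NOERROR
SECTION QUESTION
www.example.com. IN AAAA
SECTION ANSWER
www.example.com. 3600 IN CNAME unsafe.example.com.
www.example.com. 3600 IN RRSIG CNAME 5 3 3600 20091012000000 20091010000000 30899 example.com. FJN0bZitZfxNQNTD1V2vcDBQ9cb4y4YGa35Ilr+VnrBiisAB9ZyrO8umvdtwzV1VPIlfFDQTJrKh5aZparLHPw== ;{id = 30899}
SECTION AUTHORITY
unsafe.example.com. 3600 IN NSEC v.example.com. NS RRSIG NSEC
unsafe.example.com. 3600 IN RRSIG NSEC 5 3 3600 20091012000000 20091010000000 30899 example.com. Le9EsRd2MxkOGRCvGtQkXRDAob5ZJOFQlZbDvcWAh5OXVpmcwZmCHctxw/Zyi4LkNYoYCSCc8PiVRrJM3IsGrQ== ;{id = 30899}
example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20091012000000 20091010000000 30899 example.com. gJkF06xR3FoD/d+rxcLOwGpT8+DV+nbxED8C6T1qZyhWfKlfpYzISNooKBWD+JQbaGKV/nfm+rT3M0fnIXPpQQ==
ENTRY_END

; NSEC3
; Same check for the NSEC3-signed zone; again the expected flags omit AD.
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.org. IN AAAA
ENTRY_END
; recursion happens here.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO NOERROR
SECTION QUESTION
www.example.org. IN AAAA
SECTION ANSWER
www.example.org. 3600 IN CNAME unsafe.example.org.
www.example.org. 3600 IN RRSIG CNAME 5 3 3600 20091012000000 20091010000000 30899 example.org. ZgRbMnunAqa1K46GINIihekkI73/1PkGFSAJRn7bSTxBpLM+qiHJDU1+QgS2SjaSKHqNqbXy/eeG3qX9r9y87g== ;{id = 30899}
SECTION AUTHORITY
ltchu0548v0cof8f25u2pj4mjf4shcms.example.org. 3600 IN NSEC3 1 0 1 - ltchu0548v0cof8f25u2pj4mjf4shcmt NS
ltchu0548v0cof8f25u2pj4mjf4shcms.example.org. 3600 IN RRSIG NSEC3 5 3 3600 20091012000000 20091010000000 30899 example.org. yxuYgfkg8QTdB5yBMN9Up9GyKu7xjKDScqq95/tsy3lx22tLsdLD9Fojdrq7eB+K7Tr72AejmVJs44v6TmWkZw== ;{id = 30899}
example.org. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
example.org. 3600 IN RRSIG SOA 5 2 3600 20091012000000 20091010000000 30899 example.org. lYlSk7saPytwcu6Dp3HKYdyCOIlpTm+T8kjf0hnrLgPDZuksUjw/GLB+d6onTDpWLlasHfi0eoAkNvTeuR0+1w==
ENTRY_END

SCENARIO_END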