|
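; config options
; val-override-date pins the validator's clock to 2007-09-16, inside the
; 20070829134150..20070926134150 validity window of the RRSIGs below.
; It is a debugging option intended for test configurations like this one.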
|
||
|
; The island of trust is at example.com
|
||
|
server:
|
||
|
trust-anchor: "example.com. DS 57024 7 1 46d134be319b2cc910b9938f1cb25dc41abb27bf"
|
||
|
val-override-date: "20070916134226"
|
||
|
target-fetch-policy: "0 0 0 0 0"
|
||
|
|
||
|
stub-zone:
|
||
|
name: "."
|
||
|
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||
|
CONFIG_END
|
||
|
|
||
|
SCENARIO_BEGIN Test validator with optout NSEC3 response that gets no AD.
|
||
|
|
||
|
; K.ROOT-SERVERS.NET.
|
||
|
RANGE_BEGIN 0 100
|
||
|
ADDRESS 193.0.14.129
|
||
|
ENTRY_BEGIN
|
||
|
MATCH opcode qtype qname
|
||
|
ADJUST copy_id
|
||
|
REPLY QR NOERROR
|
||
|
SECTION QUESTION
|
||
|
. IN NS
|
||
|
SECTION ANSWER
|
||
|
. IN NS K.ROOT-SERVERS.NET.
|
||
|
SECTION ADDITIONAL
|
||
|
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||
|
ENTRY_END
|
||
|
|
||
|
ENTRY_BEGIN
|
||
|
MATCH opcode subdomain
|
||
|
ADJUST copy_id copy_query
|
||
|
REPLY QR NOERROR
|
||
|
SECTION QUESTION
|
||
|
com. IN A
|
||
|
SECTION AUTHORITY
|
||
|
com. IN NS a.gtld-servers.net.
|
||
|
SECTION ADDITIONAL
|
||
|
a.gtld-servers.net. IN A 192.5.6.30
|
||
|
ENTRY_END
|
||
|
RANGE_END
|
||
|
|
||
|
; a.gtld-servers.net.
|
||
|
RANGE_BEGIN 0 100
|
||
|
ADDRESS 192.5.6.30
|
||
|
ENTRY_BEGIN
|
||
|
MATCH opcode qtype qname
|
||
|
ADJUST copy_id
|
||
|
REPLY QR NOERROR
|
||
|
SECTION QUESTION
|
||
|
com. IN NS
|
||
|
SECTION ANSWER
|
||
|
com. IN NS a.gtld-servers.net.
|
||
|
SECTION ADDITIONAL
|
||
|
a.gtld-servers.net. IN A 192.5.6.30
|
||
|
ENTRY_END
|
||
|
|
||
|
ENTRY_BEGIN
|
||
|
MATCH opcode subdomain
|
||
|
ADJUST copy_id copy_query
|
||
|
REPLY QR NOERROR
|
||
|
SECTION QUESTION
|
||
|
example.com. IN A
|
||
|
SECTION AUTHORITY
|
||
|
example.com. IN NS ns.example.com.
|
||
|
SECTION ADDITIONAL
|
||
|
ns.example.com. IN A 1.2.3.4
|
||
|
ENTRY_END
|
||
|
RANGE_END
|
||
|
|
||
|
; ns.example.com.
|
||
|
RANGE_BEGIN 0 100
|
||
|
ADDRESS 1.2.3.4
|
||
|
ENTRY_BEGIN
|
||
|
MATCH opcode qtype qname
|
||
|
ADJUST copy_id
|
||
|
REPLY QR NOERROR
|
||
|
SECTION QUESTION
|
||
|
example.com. IN NS
|
||
|
SECTION ANSWER
|
||
|
example.com. IN NS ns.example.com.
|
||
|
example.com. 3600 IN RRSIG NS 7 2 3600 20070926134150 20070829134150 57024 example.com. fIE3H2v3wAm3GPajsdgJn+A8R4Cp7dMXf1PSUQ8BfklzMBMJjpc0oM/S7u/HVLYQs1jx8CMdw2TZEpIPfo6Rl0TekDqNtVk6IBw1H+zxDFwf3v7UdOjm8s6FfoEJcZ5yEFV/Lps82NzHCR9uqprhv6ddQdAeVNA5QHis1c5Y1P0= ;{id = 57024}
|
||
|
SECTION ADDITIONAL
|
||
|
ns.example.com. IN A 1.2.3.4
|
||
|
ns.example.com. 3600 IN RRSIG A 7 3 3600 20070926134150 20070829134150 57024 example.com. b0iX5vuTqngB5F0ORFrFLx8sAeTHGJVcPpD34iNFY71ZoFnHrHfAMWC3RAWz+nQ1NmH1oDdA8NTYN/aQQNzwEz4VmVYA2PANBSiwSY3q3gp9PWZU6CfRNf2dU/210H0y35FroQpADszmwC+Hlbcvll+bQj3fSyT2W/69kRVssj4= ;{id = 57024}
|
||
|
ENTRY_END
|
||
|
|
||
|
; response to DNSKEY priming query
|
||
|
ENTRY_BEGIN
|
||
|
MATCH opcode qtype qname
|
||
|
ADJUST copy_id
|
||
|
REPLY QR NOERROR
|
||
|
SECTION QUESTION
|
||
|
example.com. IN DNSKEY
|
||
|
SECTION ANSWER
|
||
|
example.com. 3600 IN DNSKEY 257 3 7 AwEAAbvre/wK/WVeoj0SiwVkTD+NefvHPru9YIqLWY0m+0E5NYOpJZdc+PGQQYRzFNOlugVZtFirmv5Lmz7GNiASXtG/IFi//SlE30DxEKQOjt2F6qSZTZ1nZ5XOIMGTwWyp4OoI0egk5JavC5mQbyXqcj82ywt6F5Z3CmnThVl6MtOv ;{id = 57024 (ksk), size = 1024b}
|
||
|
example.com. 3600 IN RRSIG DNSKEY 7 2 3600 20070926134150 20070829134150 57024 example.com. lqOo8W7UffLZIKBoIJg8OAPkmCWptnstiLIg1bAtzuEZDZFr2KNZGv+5k6hbRJKYnZRLReY4v8G9Eg0GCC/44gLm8BZlnh/4jLOjMH9MKusFV/jNqz/HABITYn1pBwvVak7lzqN+bmL0KMyWf1MzPWilx4fM9YWinsQFILVLPL0= ;{id = 57024}
|
||
|
SECTION AUTHORITY
|
||
|
example.com. IN NS ns.example.com.
|
||
|
example.com. 3600 IN RRSIG NS 7 2 3600 20070926134150 20070829134150 57024 example.com. fIE3H2v3wAm3GPajsdgJn+A8R4Cp7dMXf1PSUQ8BfklzMBMJjpc0oM/S7u/HVLYQs1jx8CMdw2TZEpIPfo6Rl0TekDqNtVk6IBw1H+zxDFwf3v7UdOjm8s6FfoEJcZ5yEFV/Lps82NzHCR9uqprhv6ddQdAeVNA5QHis1c5Y1P0= ;{id = 57024}
|
||
|
SECTION ADDITIONAL
|
||
|
ns.example.com. IN A 1.2.3.4
|
||
|
ns.example.com. 3600 IN RRSIG A 7 3 3600 20070926134150 20070829134150 57024 example.com. b0iX5vuTqngB5F0ORFrFLx8sAeTHGJVcPpD34iNFY71ZoFnHrHfAMWC3RAWz+nQ1NmH1oDdA8NTYN/aQQNzwEz4VmVYA2PANBSiwSY3q3gp9PWZU6CfRNf2dU/210H0y35FroQpADszmwC+Hlbcvll+bQj3fSyT2W/69kRVssj4= ;{id = 57024}
|
||
|
ENTRY_END
|
||
|
|
||
|
; response to query of interest
|
||
|
ENTRY_BEGIN
|
||
|
MATCH opcode qtype qname
|
||
|
ADJUST copy_id
|
||
|
REPLY QR NOERROR
|
||
|
SECTION QUESTION
|
||
|
sub.example.com. IN DS
|
||
|
SECTION ANSWER
|
||
|
SECTION AUTHORITY
|
||
|
example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400
|
||
|
example.com. 3600 IN RRSIG SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024}
|
||
|
|
||
|
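; opt-out NSEC3 proof (the NSEC3 flags field is 1, i.e. Opt-Out is set).
; The first NSEC3 matches example.com.; the second spans jg19... to lg19...
; and so covers the hash of sub.example.com. without matching it.
; Hashed owner names: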
|
||
|
; example.com. -> onib9mgub9h0rml3cdf5bgrj59dkjhvk.
|
||
|
; sub.example.com. -> kg19n32806c832kijdnglq8p9m2r5mdj.
|
||
|
; *.example.com. -> 4f3cnt8cu22tngec382jj4gde4rb47ub.
|
||
|
onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM
|
||
|
jg19n32806c832kijdnglq8p9m2r5mdj.example.com. NSEC3 1 1 0 - lg19n32806c832kijdnglq8p9m2r5mdj NS DS RRSIG
|
||
|
|
||
|
onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024}
|
||
|
jg19n32806c832kijdnglq8p9m2r5mdj.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. f7ZSCahAuKOLXquM0jpdU6I9AX31CgGicRiB3aU4jvqQp/EygbCNn5kfpyXY0FvZvzggpl8naXSStOPN9dy3bb0NwGQkJcYD94NEw307T8uEunOvx1ug5TuakBAwqjY8xKM3xab3LnWYRtx4zdln/3ZDHvBUwfzkxUZrzeKjpiI= ;{id = 57024}
|
||
|
SECTION ADDITIONAL
|
||
|
ENTRY_END
|
||
|
|
||
|
ENTRY_BEGIN
|
||
|
MATCH opcode qtype qname
|
||
|
ADJUST copy_id
|
||
|
REPLY QR NOERROR
|
||
|
SECTION QUESTION
|
||
|
sub.example.com. IN MX
|
||
|
SECTION ANSWER
|
||
|
SECTION AUTHORITY
|
||
|
example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400
|
||
|
example.com. 3600 IN RRSIG SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024}
|
||
|
|
||
|
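; opt-out NSEC3 proof (the NSEC3 flags field is 1, i.e. Opt-Out is set).
; The first NSEC3 matches example.com.; the second spans jg19... to lg19...
; and so covers the hash of sub.example.com. without matching it.
; Hashed owner names: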
|
||
|
; example.com. -> onib9mgub9h0rml3cdf5bgrj59dkjhvk.
|
||
|
; sub.example.com. -> kg19n32806c832kijdnglq8p9m2r5mdj.
|
||
|
; *.example.com. -> 4f3cnt8cu22tngec382jj4gde4rb47ub.
|
||
|
onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM
|
||
|
jg19n32806c832kijdnglq8p9m2r5mdj.example.com. NSEC3 1 1 0 - lg19n32806c832kijdnglq8p9m2r5mdj NS DS RRSIG
|
||
|
|
||
|
onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024}
|
||
|
jg19n32806c832kijdnglq8p9m2r5mdj.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. f7ZSCahAuKOLXquM0jpdU6I9AX31CgGicRiB3aU4jvqQp/EygbCNn5kfpyXY0FvZvzggpl8naXSStOPN9dy3bb0NwGQkJcYD94NEw307T8uEunOvx1ug5TuakBAwqjY8xKM3xab3LnWYRtx4zdln/3ZDHvBUwfzkxUZrzeKjpiI= ;{id = 57024}
|
||
|
SECTION ADDITIONAL
|
||
|
ENTRY_END
|
||
|
RANGE_END
|
||
|
|
||
|
STEP 1 QUERY
|
||
|
ENTRY_BEGIN
|
||
|
REPLY RD DO
|
||
|
SECTION QUESTION
|
||
|
sub.example.com. IN MX
|
||
|
ENTRY_END
|
||
|
|
||
|
; recursion happens here.
|
||
|
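; no AD flag on this answer because an opt-out NSEC3 is used: the name is
; only covered by an opt-out span, so sub.example.com. may still exist as an
; unsigned delegation and the MX NODATA answer is not proven secure.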
|
||
|
STEP 10 CHECK_ANSWER
|
||
|
ENTRY_BEGIN
|
||
|
MATCH all
|
||
|
REPLY QR RD RA NOERROR
|
||
|
SECTION QUESTION
|
||
|
sub.example.com. IN MX
|
||
|
SECTION ANSWER
|
||
|
SECTION AUTHORITY
|
||
|
example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400
|
||
|
example.com. 3600 IN RRSIG SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024}
|
||
|
onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM
|
||
|
onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024}
|
||
|
jg19n32806c832kijdnglq8p9m2r5mdj.example.com. NSEC3 1 1 0 - lg19n32806c832kijdnglq8p9m2r5mdj NS DS RRSIG
|
||
|
jg19n32806c832kijdnglq8p9m2r5mdj.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. f7ZSCahAuKOLXquM0jpdU6I9AX31CgGicRiB3aU4jvqQp/EygbCNn5kfpyXY0FvZvzggpl8naXSStOPN9dy3bb0NwGQkJcYD94NEw307T8uEunOvx1ug5TuakBAwqjY8xKM3xab3LnWYRtx4zdln/3ZDHvBUwfzkxUZrzeKjpiI= ;{id = 57024}
|
||
|
SECTION ADDITIONAL
|
||
|
ENTRY_END
|
||
|
|
||
|
STEP 20 QUERY
|
||
|
ENTRY_BEGIN
|
||
|
REPLY RD DO
|
||
|
SECTION QUESTION
|
||
|
sub.example.com. IN DS
|
||
|
ENTRY_END
|
||
|
|
||
|
; recursion happens here.
|
||
|
; the same records do get the AD flag for the DS query, because the opt-out
; NSEC3 says that no DS exists for sub.example.com.
|
||
|
STEP 30 CHECK_ANSWER
|
||
|
ENTRY_BEGIN
|
||
|
MATCH all
|
||
|
REPLY QR RD RA AD NOERROR
|
||
|
SECTION QUESTION
|
||
|
sub.example.com. IN DS
|
||
|
SECTION ANSWER
|
||
|
SECTION AUTHORITY
|
||
|
example.com. IN SOA ns.example.com. noc.example.com. 2009310622 1800 900 604800 86400
|
||
|
example.com. 3600 IN RRSIG SOA 7 2 3600 20070926134150 20070829134150 57024 example.com. HlyER7bYPiSJ9jdjjRBucQexYr932Oor1TvxSLPWw5fuWvr/fFitKVnLqC+lqBIeOby44KiDr0rIk+ZqYjWWKNjaLm5wMfhQzbsAgGTQxmO07jnYOGQG9SI6DSbR9GJdZ7imu5sx5oo5dze73MxgLMZIethGaFMkktYN53+AzG0= ;{id = 57024}
|
||
|
onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. NSEC3 1 1 0 - pnib9mgub9h0rml3cdf5bgrj59dkjhvk NS SOA RRSIG DNSKEY NSEC3PARAM
|
||
|
onib9mgub9h0rml3cdf5bgrj59dkjhvk.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. jHrF+lnyRL1LE/Bwz6C+jZg3E/2qQkVSboGxya6iX71v0zA3eUsob9m9l3gHNlhwhyahbamHUKx+OMvtYuzRa+RMv4ObuLRIt8StdixeXaUU+rx7C2qCKOFsa5q4HzK4bLYPfyb5T9w67HbzHPLEllXPA7tghzyzCM9qBtbvwK4= ;{id = 57024}
|
||
|
jg19n32806c832kijdnglq8p9m2r5mdj.example.com. NSEC3 1 1 0 - lg19n32806c832kijdnglq8p9m2r5mdj NS DS RRSIG
|
||
|
jg19n32806c832kijdnglq8p9m2r5mdj.example.com. 3600 IN RRSIG NSEC3 7 3 3600 20070926134150 20070829134150 57024 example.com. f7ZSCahAuKOLXquM0jpdU6I9AX31CgGicRiB3aU4jvqQp/EygbCNn5kfpyXY0FvZvzggpl8naXSStOPN9dy3bb0NwGQkJcYD94NEw307T8uEunOvx1ug5TuakBAwqjY8xKM3xab3LnWYRtx4zdln/3ZDHvBUwfzkxUZrzeKjpiI= ;{id = 57024}
|
||
|
SECTION ADDITIONAL
|
||
|
ENTRY_END
|
||
|
|
||
|
SCENARIO_END
|