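1 ; Test ipsecmod-ignore-bogus option: the IPSECKEY answer is served with a deliberately invalid RRSIG; the A answer must still be returned, and the bogus IPSECKEY must not be served from cache.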
4 ; The island of trust is at example.com
6 trust-anchor: "example.com. IN DS 48069 8 2 fce2bcb0d88b828064faad58e935ca2e32ff0bbd8bd8407a8f344d8f8e8c438a"
7 val-override-date: "-1"
8 target-fetch-policy: "0 0 0 0 0"
9 # test that default value of harden-dnssec-stripped is still yes.
11 trust-anchor-signaling: no
12 access-control: 127.0.0.1 allow_snoop
13 module-config: "ipsecmod validator iterator"
14 ; ../../ is there because the test runs from testdata/03-testbound.dir
15 ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
18 ipsecmod-ignore-bogus: yes
19 qname-minimisation: "no"
24 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
27 SCENARIO_BEGIN Test ipsecmod-ignore-bogus option
29 ; - query for example.com. IN A
30 ; - check that query for example.com. IN IPSECKEY is generated
31 ; - check that we get an answer for example.com. IN A with the correct TTL
32 ; - check that we get the same answer from cache
33 ; - check that the IPSECKEY answer is not served from cache, because it failed validation (bogus)
39 MATCH opcode qtype qname
45 . IN NS K.ROOT-SERVERS.NET.
47 K.ROOT-SERVERS.NET. IN A 193.0.14.129
51 MATCH opcode qtype qname
55 a.gtld-servers.net. IN AAAA
57 . 86400 IN SOA . . 20070304 28800 7200 604800 86400
61 MATCH opcode qtype qname
65 K.ROOT-SERVERS.NET. IN AAAA
67 . 86400 IN SOA . . 20070304 28800 7200 604800 86400
71 MATCH opcode subdomain
72 ADJUST copy_id copy_query
77 com. IN NS a.gtld-servers.net.
79 a.gtld-servers.net. IN A 192.5.6.30
87 MATCH opcode qtype qname
93 com. IN NS a.gtld-servers.net.
95 a.gtld-servers.net. IN A 192.5.6.30
99 MATCH opcode subdomain
100 ADJUST copy_id copy_query
105 example.com. IN NS ns.example.com.
107 ns.example.com. IN A 1.2.3.4
115 MATCH opcode qtype qname
121 example.com. IN NS ns.example.com.
122 example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
124 ns.example.com. IN A 1.2.3.4
125 ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
129 MATCH opcode qtype qname
133 ns.example.com. IN AAAA
135 example.com. 86400 IN SOA ns.example.com. example.com. 2002022401 10800 15 604800 10800
136 example.com. 86400 IN RRSIG SOA 8 2 86400 20170609142855 20170512142855 48069 example.com. fr6oVOsRMnm3D8N01LxzPvT9lWdNDhTlmwR1co42c3H2ra1EjbbKqkLcrXQAsq7E/ddzqgL3RnYS+3USojXycI1xhjXC8YT2xsW3uH8uTY1Qvk1K75lu1OXmDiU6wvHplFowl0OX7sx76lB1itbvsau4bMPMt03sf4u8po7V35s=
139 ; response to A query
141 MATCH opcode qtype qname
147 example.com. 3600 IN A 5.6.7.8
148 example.com. 3600 IN RRSIG A 8 2 3600 20170609142855 20170512142855 48069 example.com. Qviw6w8ReMG2WZxenvzj/YwoeM3Ln59Fnw6s1MRWGsD2yA3+y0loFdUEHZdRhrEiV0kvtQGC+kBhMuSMq/cyjprbKLw5pkS9+MMDDnVPP1PQb17LY4NIxPtq710AN1sjhBK6PVa6XN+3ciUmCcLs1ESviQkVKpgAY/QlV0TaarQ=
150 example.com. IN NS ns.example.com.
151 example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
153 ns.example.com. IN A 1.2.3.4
154 ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
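157 ; response to IPSECKEY query (the RRSIG over the IPSECKEY RRset is deliberately corrupted so that it validates as bogus; the correct signature is kept in a comment for reference)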
159 MATCH opcode qtype qname
163 example.com. IN IPSECKEY
165 example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
166 ;(correct answer) example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. UqRbG6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
168 example.com. 3600 IN RRSIG IPSECKEY 8 2 3600 20170609144114 20170512144114 48069 example.com. Bogus6P8mWQEVt16j86cS6fqEN8c+5t8qtePr9ghRqIxeuPOCkLiSqmXQYcQbOeOK4YoWQ3gD2az2JMWQMxEKeBLpxXZbgZN+2uIZ9LLEkyYjGRulr9kameKTM1feSe31A9mR9IgMNrY/ZeUkfxC+8Q7s8avOqYH2jVMFUg9raE=
170 example.com. IN NS ns.example.com.
171 example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
173 ns.example.com. IN A 1.2.3.4
174 ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
177 ; response to DNSKEY priming query
179 MATCH opcode qtype qname
183 example.com. IN DNSKEY
185 example.com. 86400 IN DNSKEY 256 3 8 AwEAAddE7q1HL4Id+gpQ7imk+RyNEhCWgtew5tstsqIR/fXq0RBn0rF4SI1H6ysbb3nfqAV1xRDJ01ddpgfGyz9zXXHQ/H/9qEpeWapqfNTQ5GHHdxBL2iST7XusThfXEyX/pouKIpvtknvtLs8tmH64dajxoJkaejU2EKXKaBaRKcYx ;{id = 48069 (zsk), size = 1024b}
186 example.com. 86400 IN RRSIG DNSKEY 8 2 86400 20170609144114 20170512144114 48069 example.com. mJU3LnubfYW7vhksiC1STWbrSjCe6TG1kEpnk4jRrYovues6bzOTIFSXEMjPW1mikulapnx3nMtTWdrW2InjfP9wLV/u2Wx1Vu3s9uzli/27y//3DOkZSeBa5RZdKpC1h8UB5GAxq4MRiSidgEBB1qaDIaE29sWmn9kPHEgNcgI=
188 example.com. IN NS ns.example.com.
189 example.com. 3600 IN RRSIG NS 8 2 3600 20170609142855 20170512142855 48069 example.com. SYFM1dsPEly0PjdShX8EsRnpq6XTysrvUBWB+LjGaC0wn3RFd0A2TG3WhVkUxhjTzRjt9jn3rz+JUJyybrhBkYXjBeBBjLep6Le7PQSct+FFDTIuX8duixfOzEN5LSYRMUnSuAq/z0LJHUB6nqTw8XWRm6EIImdEBc6D0u1KSes=
191 ns.example.com. IN A 1.2.3.4
192 ns.example.com. 3600 IN RRSIG A 8 3 3600 20170609142855 20170512142855 48069 example.com. kK5LZnGi2VmVmKUXkVenYCQMHGqwhGaEOwjwVG9ScOVzvqNA+n7KWwxdLDsIVLgr/BjR9Cj9+HYB9hYMhk+LnsbHqf5ovY3+n7CV4v3MDWJBLYt7NHvXwoywbaD71w7koo0SUiBXMB/FyuxRj6BXEk4dlGh7mgHZXE+X/gCYxsM=
203 STEP 2 CHECK_OUT_QUERY
205 MATCH qname qtype opcode
207 example.com. IN IPSECKEY
213 REPLY QR RD RA NOERROR
217 example.com. 200 IN A 5.6.7.8
219 example.com. IN NS ns.example.com.
221 ns.example.com. IN A 1.2.3.4
224 ; Query without RD, check if cached and with correct TTL
238 example.com. 200 IN A 5.6.7.8
240 example.com. IN NS ns.example.com.
242 ns.example.com. IN A 1.2.3.4
245 ; Query without RD, check if IPSECKEY is not cached
249 example.com. IN IPSECKEY
257 example.com. IN IPSECKEY