1 ; Test ipsecmod-strict option
5 access-control: 127.0.0.1 allow_snoop
6 module-config: "ipsecmod validator iterator"
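7 ; ../../ is needed because the test runs from testdata/03-testbound.dir and the hook path below is relative to that directory (test-only layout; a deployed ipsecmod-hook should be an absolute path to a script that only trusted users can modify, since unbound executes it)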
8 ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
11 qname-minimisation: "no"
16 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
19 SCENARIO_BEGIN Test ipsecmod-strict option
21 ; - query for example.com. IN A
22 ; - check that query for example.com. IN IPSECKEY is generated
23 ; - check that we get SERVFAIL as the answer (the hook failed, and with ipsecmod-strict enabled a hook failure must not fall back to the plain answer)
24 ; - check that the example.com. IN A answer is not cached (otherwise a later query could be answered from cache without the hook having succeeded)
25 ; - check that the example.com. IN IPSECKEY answer is cached
31 MATCH opcode qtype qname
37 . IN NS K.ROOT-SERVERS.NET.
39 K.ROOT-SERVERS.NET. IN A 193.0.14.129
43 MATCH opcode qtype qname
47 a.gtld-servers.net. IN AAAA
49 . 86400 IN SOA . . 20070304 28800 7200 604800 86400
53 MATCH opcode qtype qname
57 K.ROOT-SERVERS.NET. IN AAAA
59 . 86400 IN SOA . . 20070304 28800 7200 604800 86400
63 MATCH opcode subdomain
64 ADJUST copy_id copy_query
69 com. IN NS a.gtld-servers.net.
71 a.gtld-servers.net. IN A 192.5.6.30
79 MATCH opcode qtype qname
85 com. IN NS a.gtld-servers.net.
87 a.gtld-servers.net. IN A 192.5.6.30
91 MATCH opcode subdomain
92 ADJUST copy_id copy_query
97 example.com. IN NS ns.example.com.
99 ns.example.com. IN A 1.2.3.4
107 MATCH opcode qtype qname
113 example.com. IN NS ns.example.com.
115 ns.example.com. IN A 1.2.3.4
119 MATCH opcode qtype qname
123 ns.example.com. IN AAAA
125 example.com. 10 IN SOA . . 15 28800 7200 604800 10
128 ; response to A query
130 MATCH opcode qtype qname
136 example.com. 3600 IN A 5.6.7.8
138 example.com. IN NS ns.example.com.
140 ns.example.com. IN A 1.2.3.4
143 ; response to IPSECKEY query
145 MATCH opcode qtype qname
149 example.com. IN IPSECKEY
151 example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
153 example.com. IN NS ns.example.com.
155 ns.example.com. IN A 1.2.3.4
166 STEP 2 CHECK_OUT_QUERY
168 MATCH qname qtype opcode
170 example.com. IN IPSECKEY
176 REPLY QR RD RA SERVFAIL
194 example.com. IN NS ns.example.com.
196 ns.example.com. IN A 1.2.3.4
202 example.com. IN IPSECKEY
210 example.com. IN IPSECKEY
212 example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
214 example.com. IN NS ns.example.com.
216 ns.example.com. IN A 1.2.3.4