3 harden-referral-path: yes
4 target-fetch-policy: "0 0 0 0 0"
5 qname-minimisation: "no"
9 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
12 SCENARIO_BEGIN Test NS record spoof protection.
18 MATCH opcode qtype qname
24 . IN NS K.ROOT-SERVERS.NET.
26 K.ROOT-SERVERS.NET. IN A 193.0.14.129
30 MATCH opcode subdomain
31 ADJUST copy_id copy_query
36 com. IN NS a.gtld-servers.net.
38 a.gtld-servers.net. IN A 192.5.6.30
41 ; for simplicity the root server is authoritative for root-servers.net
42 ; and also for gtld-servers.net
44 MATCH opcode qtype qname
48 K.ROOT-SERVERS.NET. IN A
50 K.ROOT-SERVERS.NET. IN A 193.0.14.129
54 MATCH opcode qtype qname
58 a.gtld-servers.net. IN A
60 a.gtld-servers.net. IN A 192.5.6.30
69 MATCH opcode subdomain
70 ADJUST copy_id copy_query
75 example.com. IN NS ns.example.com.
77 ns.example.com. IN A 1.2.3.4
81 MATCH opcode qtype qname
87 com. IN NS a.gtld-servers.net.
89 a.gtld-servers.net. IN A 192.5.6.30
97 MATCH opcode qtype qname
101 www.example.com. IN A
103 www.example.com. IN A 10.20.30.40
105 example.com. IN NS ns.example.com.
107 ns.example.com. IN A 1.2.3.4
111 MATCH opcode qtype qname
115 mail.example.com. IN A
117 mail.example.com. IN A 10.20.30.50
119 example.com. IN NS ns.example.com.
121 ns.example.com. IN A 1.2.3.4
125 MATCH opcode qtype qname
131 example.com. IN NS ns.example.com.
133 ns.example.com. IN A 1.2.3.4
137 MATCH opcode qtype qname
143 ns.example.com. IN A 1.2.3.4
145 example.com. IN NS ns.example.com.
148 ; Spoofed reply: the answer to the spoofed query, carrying a forged NS record for example.com.
149 ; For ease, the test serves this reply from the nameserver itself.
151 MATCH opcode qtype qname
155 bad123.example.com. IN A
157 bad123.example.com. IN A 6.6.6.6
160 example.com. IN NS bad123.example.com.
169 MATCH opcode qtype qname
173 www.example.com. IN A
175 www.example.com. IN A 6.6.6.6
177 example.com. IN NS bad123.example.com.
179 bad123.example.com. IN A 6.6.6.6
183 MATCH opcode qtype qname
187 mail.example.com. IN A
189 mail.example.com. IN A 6.6.6.6
191 example.com. IN NS bad123.example.com.
193 bad123.example.com. IN A 6.6.6.6
197 MATCH opcode qtype qname
201 bad123.example.com. IN A
203 bad123.example.com. IN A 6.6.6.6
206 example.com. IN NS bad123.example.com.
214 www.example.com. IN A
217 ; recursion happens here.
221 REPLY QR RD RA NOERROR
223 www.example.com. IN A
225 www.example.com. IN A 10.20.30.40
227 example.com. IN NS ns.example.com.
229 ns.example.com. IN A 1.2.3.4
237 bad123.example.com. IN A
240 ; recursion happens here.
243 ; No matching is done here; the answer to the spoofed query is simply accepted.
244 ; That answer is wrong, but it is only one query ...
245 ; The purpose of this test is the later check that the resolver still has the right nameserver for example.com.
247 REPLY QR RD RA NOERROR
249 bad123.example.com. IN A
251 bad123.example.com. IN A 6.6.6.6
253 example.com. IN NS ns.example.com.
255 ns.example.com. IN A 1.2.3.4
263 mail.example.com. IN A
269 REPLY QR RD RA NOERROR
271 mail.example.com. IN A
273 mail.example.com. IN A 10.20.30.50
275 example.com. IN NS ns.example.com.
277 ns.example.com. IN A 1.2.3.4