2 ; The island of trust is at example.com
4 trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
5 val-override-date: "20070916134226"
6 target-fetch-policy: "0 0 0 0 0"
7 qname-minimisation: "no"
9 trust-anchor-signaling: no
13 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
16 SCENARIO_BEGIN Test validator with DS nodata as nxdomain on trust chain
17 ; This reproduces a bug in ANS 2.8.1.0, which answers NXDOMAIN instead of
18 ; NOERROR for a DS query at an empty non-terminal. The proof sent with that
19 ; NXDOMAIN is the NSEC that proves the name is an empty non-terminal.
25 MATCH opcode qtype qname
31 . IN NS K.ROOT-SERVERS.NET.
33 K.ROOT-SERVERS.NET. IN A 193.0.14.129
37 MATCH opcode qtype qname
41 328.0.0.194.example.com. IN A
43 com. IN NS a.gtld-servers.net.
45 a.gtld-servers.net. IN A 192.5.6.30
53 MATCH opcode qtype qname
59 com. IN NS a.gtld-servers.net.
61 a.gtld-servers.net. IN A 192.5.6.30
65 MATCH opcode qtype qname
69 328.0.0.194.example.com. IN A
71 example.com. IN NS ns.example.com.
73 ns.example.com. IN A 1.2.3.4
81 MATCH opcode qtype qname
87 example.com. IN NS ns.example.com.
88 example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
90 ns.example.com. IN A 1.2.3.4
91 ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
94 ; response to DNSKEY priming query
96 MATCH opcode qtype qname
100 example.com. IN DNSKEY
102 example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
103 example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
105 example.com. IN NS ns.example.com.
106 example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
108 ns.example.com. IN A 1.2.3.4
109 ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
112 ; responses to DS empty nonterminal queries.
114 MATCH opcode qtype qname
118 194.example.com. IN DS
120 example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200
121 example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854}
123 ; This NSEC proves the NOERROR/NODATA case: its type bitmap has no DS.
124 194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC
125 194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854}
130 MATCH opcode qtype qname
132 ; Deliberately wrong rcode: this reply says NXDOMAIN where a correct server would say NOERROR (NODATA).
135 0.194.example.com. IN DS
137 example.com. 3600 IN SOA ns.example.com. host.example.com. 2007091980 3600 7200 1209600 7200
138 example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. MC0CFCOn5qKBIV7bwFMBA+Qqiblx0cylAhUAoFiGtFm2wHhJpq9MooTYdeVw45s= ;{id = 2854}
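140 ; This NSEC proves NOERROR/NODATA, not NXDOMAIN: its next name, 0.0.194.example.com., lies below 0.194.example.com., so the queried name is an empty non-terminal.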
141 194.example.com. IN NSEC 0.0.194.example.com. A RRSIG NSEC
142 194.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDcoKl74U9FjsuYF3Vc0E8GQ2GgzAhUAhlyhO2MMcAWQMxIhEZ4MguokN5g= ;{id = 2854}
146 ; response for delegation to sub zone.
148 MATCH opcode qtype qname
152 328.0.0.194.example.com. IN A
155 0.0.194.example.com. IN NS ns.sub.example.com.
156 0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c
157 0.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854}
159 ns.sub.example.com. IN A 1.2.3.6
162 ; response for delegation to sub zone
164 MATCH opcode qtype qname
168 0.0.194.example.com. IN DNSKEY
171 0.0.194.example.com. IN NS ns.sub.example.com.
172 0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c
173 0.0.194.example.com. 3600 IN RRSIG DS 3 5 3600 20070926135752 20070829135752 2854 example.com. MCwCFC9GIqtp/103hktw6bPpD83gr+0iAhQ8yev2yUaR9l64rYBUYTJqOoTKdw== ;{id = 2854}
175 ns.sub.example.com. IN A 1.2.3.6
179 ; ns.sub.example.com. for zone 0.0.194.example.com.
183 MATCH opcode qtype qname
187 0.0.194.example.com. IN NS
189 0.0.194.example.com. IN NS ns.sub.example.com.
190 0.0.194.example.com. 3600 IN RRSIG NS 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. KXDA+/PJAE+dXhv6O6Z0ZovDwabSRJcIt+GT5AL6ewlj46hzo/SDKUtEhYCeT1IVQvYtXrESwFZjpp7N0rXXBg== ;{id = 30899}
192 ns.sub.example.com. IN A 1.2.3.6
195 ; response to DNSKEY priming query
196 ; 0.0.194.example.com. 3600 IN DS 30899 RSASHA1 1 aa46f0717075d9750ac3596c659a2e326b33c28c
198 MATCH opcode qtype qname
202 0.0.194.example.com. IN DNSKEY
204 0.0.194.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
205 0.0.194.example.com. 3600 IN RRSIG DNSKEY 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. fSmc7ef6NwbDXC0o4wPc/aa8LakW5ZJwEZ4xPYl3tTZKmPNM7hPXskl1tFlvst9Va4u37F62v+16trprHb+SCQ== ;{id = 30899}
207 0.0.194.example.com. IN NS ns.sub.example.com.
208 0.0.194.example.com. 3600 IN RRSIG NS 5 5 3600 20070926135752 20070829135752 30899 0.0.194.example.com. KXDA+/PJAE+dXhv6O6Z0ZovDwabSRJcIt+GT5AL6ewlj46hzo/SDKUtEhYCeT1IVQvYtXrESwFZjpp7N0rXXBg== ;{id = 30899}
210 ns.sub.example.com. IN A 1.2.3.6
213 ; response to query of interest
215 MATCH opcode qtype qname
219 328.0.0.194.example.com. IN A
221 328.0.0.194.example.com. IN A 11.11.11.11
222 328.0.0.194.example.com. 3600 IN RRSIG A 5 6 3600 20070926135752 20070829135752 30899 0.0.194.example.com. chZW77mqywhw/4ch6BxXQ4EbFgb9zgh2xF75FLlKq/7ey6CfHSJRpJRjRqtMTn+1i18UL2B4nPS/WnK5DZeqlA== ;{id = 30899}
232 328.0.0.194.example.com. IN A
235 ; recursion happens here.
239 REPLY QR RD RA AD DO NOERROR
241 328.0.0.194.example.com. IN A
243 328.0.0.194.example.com. 3600 IN A 11.11.11.11
244 328.0.0.194.example.com. 3600 IN RRSIG A 5 6 3600 20070926135752 20070829135752 30899 0.0.194.example.com. chZW77mqywhw/4ch6BxXQ4EbFgb9zgh2xF75FLlKq/7ey6CfHSJRpJRjRqtMTn+1i18UL2B4nPS/WnK5DZeqlA== ;{id = 30899}