[apple/network_cmds.git] / unbound / testdata / autotrust_init_failsig.rpl

; config options
server:
	target-fetch-policy: "0 0 0 0 0"
	log-time-ascii: yes
stub-zone:
	name: "."
	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
; initial content (say from dig example.com DNSKEY > example.com.key) 
AUTOTRUST_FILE example.com
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
AUTOTRUST_END
CONFIG_END

SCENARIO_BEGIN Test autotrust with failed signature initial trust anchor

; K-ROOT
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id copy_query
REPLY QR AA
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS k.root-servers.net.
SECTION ADDITIONAL
k.root-servers.net IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
ns.example.com. IN NSEC nugget.example.com. A NSEC RRSIG
ns.example.com.	3600	IN	RRSIG	NSEC 5 3 3600 20090924111500 20090821111500 30899 example.com. WRUQ5d5aBO5AXbvnfCd0AWfKGvQIuAjT2qydGkUIaLZaiP4nj+JdquEy1nGvBwYQ9gWyP7b6C6UGrUnVcNBpcw== ;{id = 30899}
SECTION AUTHORITY
example.com.	3600	IN	NS	ns.example.com.
example.com.	3600	IN	RRSIG	NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
SECTION ADDITIONAL
ENTRY_END

ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com.	3600	IN	A	10.20.30.40
www.example.com.	3600	IN	RRSIG	A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899}
SECTION AUTHORITY
example.com.	3600	IN	NS	ns.example.com.
example.com.	3600	IN	RRSIG	NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
SECTION ADDITIONAL
ns.example.com.	3600	IN	A	1.2.3.4
ns.example.com.	3600	IN	RRSIG	A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
ENTRY_END

ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
; KSK 1
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
; ZSK 1
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (ksk), size = 512b}
; signatures
; changed the date in signatures from 20090924111500 20090821111500
; to make them fail.
example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20090101010000 20090101010000 30899 example.com. b/HK231jIQLX8IhlZfup3r0yhpXaasbPE6LzxoEVVvWaTZWcLmeV8jDIcn0qO7Yvs7bIJN20lwVAV0GcHH3hWQ== ;{id = 30899}
example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20090101010000 20090101010000 55582 example.com. PCHme1QLoULxqjhg5tMlpR0qJlBfstEUVq18TtNoKQe9le1YhJ9caheXcTWoK+boLhXxg9u6Yyvq8FboQh0OjA== ;{id = 55582}

ENTRY_END
RANGE_END

; set date/time to Aug 24 07:46:40  (2009).
STEP 5 TIME_PASSES ELAPSE 1251100000
STEP 6 ASSIGN t0 = ${time}
STEP 7 ASSIGN probe = ${range 3200 ${timeout} 3600}

; the auto probing should have been done now.
STEP 8 CHECK_AUTOTRUST example.com
FILE_BEGIN
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
FILE_END


STEP 10 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END

; The autotrust anchor was probed due to the query.

STEP 30 CHECK_AUTOTRUST example.com
FILE_BEGIN
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
FILE_END

; wait and see if autotrust probes (the unchanged) domain again.
STEP 40 TIME_PASSES EVAL ${$probe}

STEP 50 TRAFFIC

STEP 65 ASSIGN probe2 = ${range 3200 ${timeout} 3600}

STEP 70 CHECK_AUTOTRUST example.com
FILE_BEGIN
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
example.com.	10800	IN	DNSKEY	256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
FILE_END

SCENARIO_END
Commit	Line	Data
89c4ed63 A	1	; config options
	2	server:
	3	target-fetch-policy: "0 0 0 0 0"
	4	log-time-ascii: yes
	5	stub-zone:
	6	name: "."
	7	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
	8	; initial content (say from dig example.com DNSKEY > example.com.key)
	9	AUTOTRUST_FILE example.com
	10	example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
	11	example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
	12	AUTOTRUST_END
	13	CONFIG_END
	14
	15	SCENARIO_BEGIN Test autotrust with failed signature initial trust anchor
	16
	17	; K-ROOT
	18	RANGE_BEGIN 0 100
	19	ADDRESS 193.0.14.129
	20	ENTRY_BEGIN
	21	MATCH opcode qname qtype
	22	ADJUST copy_id copy_query
	23	REPLY QR AA
	24	SECTION QUESTION
	25	. IN NS
	26	SECTION ANSWER
	27	. IN NS k.root-servers.net.
	28	SECTION ADDITIONAL
	29	k.root-servers.net IN A 193.0.14.129
	30	ENTRY_END
	31
	32	ENTRY_BEGIN
	33	MATCH opcode subdomain
	34	ADJUST copy_id copy_query
	35	REPLY QR
	36	SECTION QUESTION
	37	com. IN NS
	38	SECTION AUTHORITY
	39	com. IN NS a.gtld-servers.net.
	40	SECTION ADDITIONAL
	41	a.gtld-servers.net. IN A 192.5.6.30
	42	ENTRY_END
	43	RANGE_END
	44
	45	; a.gtld-servers.net.
	46	RANGE_BEGIN 0 100
	47	ADDRESS 192.5.6.30
	48	ENTRY_BEGIN
	49	MATCH opcode subdomain
	50	ADJUST copy_id copy_query
	51	REPLY QR
	52	SECTION QUESTION
	53	example.com. IN NS
	54	SECTION AUTHORITY
	55	example.com. IN NS ns.example.com.
	56	SECTION ADDITIONAL
	57	ns.example.com. IN A 1.2.3.4
	58	ENTRY_END
	59	RANGE_END
	60
	61	; ns.example.com.
	62	RANGE_BEGIN 0 100
	63	ADDRESS 1.2.3.4
	64	ENTRY_BEGIN
65	MATCH opcode qname qtype
66	ADJUST copy_id
67	REPLY QR AA
68	SECTION QUESTION
69	ns.example.com. IN AAAA
70	SECTION ANSWER
71	ns.example.com. IN NSEC nugget.example.com. A NSEC RRSIG
72	ns.example.com. 3600 IN RRSIG NSEC 5 3 3600 20090924111500 20090821111500 30899 example.com. WRUQ5d5aBO5AXbvnfCd0AWfKGvQIuAjT2qydGkUIaLZaiP4nj+JdquEy1nGvBwYQ9gWyP7b6C6UGrUnVcNBpcw== ;{id = 30899}
73	SECTION AUTHORITY
74	example.com. 3600 IN NS ns.example.com.
75	example.com. 3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
76	SECTION ADDITIONAL
77	ENTRY_END
78
79	ENTRY_BEGIN
80	MATCH opcode qname qtype
81	ADJUST copy_id
82	REPLY QR AA
83	SECTION QUESTION
84	www.example.com. IN A
85	SECTION ANSWER
86	www.example.com. 3600 IN A 10.20.30.40
87	www.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. pYGxVLsWUvOp1wSf0iwPap+JnECfC5GAm1lRqy3YEqecNGld7U7x/5Imo3CerbdZrVptUQs2oH0lcjwYJXMnsw== ;{id = 30899}
88	SECTION AUTHORITY
89	example.com. 3600 IN NS ns.example.com.
90	example.com. 3600 IN RRSIG NS 5 2 3600 20090924111500 20090821111500 30899 example.com. J5wxRq0jgwQL6yy530kvo9cHqNAUHV8IF4dvaYZL0bNraO2Oe6dVXqlJl4+cxNHI2TMsstwFPr2Zz8tv6Az2mQ== ;{id = 30899}
91	SECTION ADDITIONAL
92	ns.example.com. 3600 IN A 1.2.3.4
93	ns.example.com. 3600 IN RRSIG A 5 3 3600 20090924111500 20090821111500 30899 example.com. JsXbS18oyc0zkVaOWGSFdIQuOsZKflT0GraT9afDPoWLCgH4ApF7jNgfJV7Pqy1sTBRajME5IUAhpANwGBuW4A== ;{id = 30899}
94	ENTRY_END
95
96	ENTRY_BEGIN
97	MATCH opcode qname qtype
98	ADJUST copy_id
99	REPLY QR AA
100	SECTION QUESTION
101	example.com. IN DNSKEY
102	SECTION ANSWER
103	; KSK 1
104	example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
105	; ZSK 1
106	example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (ksk), size = 512b}
107	; signatures
108	; changed the date in signatures from 20090924111500 20090821111500
109	; to make them fail.
110	example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090101010000 20090101010000 30899 example.com. b/HK231jIQLX8IhlZfup3r0yhpXaasbPE6LzxoEVVvWaTZWcLmeV8jDIcn0qO7Yvs7bIJN20lwVAV0GcHH3hWQ== ;{id = 30899}
111	example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090101010000 20090101010000 55582 example.com. PCHme1QLoULxqjhg5tMlpR0qJlBfstEUVq18TtNoKQe9le1YhJ9caheXcTWoK+boLhXxg9u6Yyvq8FboQh0OjA== ;{id = 55582}
112
113	ENTRY_END
114	RANGE_END
115
116	; set date/time to Aug 24 07:46:40 (2009).
117	STEP 5 TIME_PASSES ELAPSE 1251100000
118	STEP 6 ASSIGN t0 = ${time}
119	STEP 7 ASSIGN probe = ${range 3200 ${timeout} 3600}
120
121	; the auto probing should have been done now.
122	STEP 8 CHECK_AUTOTRUST example.com
123	FILE_BEGIN
124	example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
125	example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
126	FILE_END
127
128
129	STEP 10 QUERY
130	ENTRY_BEGIN
131	REPLY RD DO
132	SECTION QUESTION
133	www.example.com. IN A
134	ENTRY_END
135
136	STEP 20 CHECK_ANSWER
137	ENTRY_BEGIN
138	MATCH all
139	REPLY QR RD RA DO SERVFAIL
140	SECTION QUESTION
141	www.example.com. IN A
142	SECTION ANSWER
143	ENTRY_END
144
145	; The autotrust anchor was probed due to the query.
146
147	STEP 30 CHECK_AUTOTRUST example.com
148	FILE_BEGIN
149	example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
150	example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
151	FILE_END
152
153	; wait and see if autotrust probes (the unchanged) domain again.
154	STEP 40 TIME_PASSES EVAL ${$probe}
155
156	STEP 50 TRAFFIC
157
158	STEP 65 ASSIGN probe2 = ${range 3200 ${timeout} 3600}
159
160	STEP 70 CHECK_AUTOTRUST example.com
161	FILE_BEGIN
162	example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b}
163	example.com. 10800 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
164	FILE_END
165
166	SCENARIO_END