1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
|
; config options
server:
target-fetch-policy: "0 0 0 0 0"
log-time-ascii: yes
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
AUTOTRUST_FILE example.com
; autotrust trust anchor file
;;id: example.com. 1
;;last_queried: 1258962400 ;;Mon Nov 23 07:46:40 2009
;;last_success: 1258962400 ;;Mon Nov 23 07:46:40 2009
;;next_probe_time: 1258967360 ;;Mon Nov 23 09:09:20 2009
;;query_failed: 0
;;query_interval: 5400
;;retry_time: 3600
example.com. 10800 IN DNSKEY 257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16486 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 07:46:40 2009
example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 07:46:40 2009
AUTOTRUST_END
CONFIG_END
SCENARIO_BEGIN Test autotrust with probe signature failure
; K-ROOT
RANGE_BEGIN 0 100
ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id copy_query
REPLY QR AA
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS k.root-servers.net.
SECTION ADDITIONAL
k.root-servers.net IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END
; a.gtld-servers.net.
RANGE_BEGIN 0 100
ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END
; ns.example.com.
RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA SERVFAIL
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER
; revoked keys
example.com. 10800 IN DNSKEY 385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b}
example.com. 10800 IN DNSKEY 385 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16614 (ksk), size = 512b}
; signatures
; were edited from 20091124111500 20091018111500 to make them fail.
example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090101011500 20090101011500 55710 example.com. zOSlB1iwtlP2lum1RK0WoDQrMVj0JKwk2E5Mu1okzV38hAx3Xm9IGMK6WrNkVVLmx4OkhYmdPVA95jVsFpwLMw== ;{id = 55710}
example.com. 10800 IN RRSIG DNSKEY 5 2 10800 20090101011500 20090101011500 16614 example.com. qP49cCYP3lvNnLBYty/JxAwHqBIGjpup5zQ7qpjPnaZpBb/TlpOhY17LBZrqD86VvBbEVz5tkxC9UrCy85ePDQ== ;{id = 16614}
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA REFUSED
SECTION QUESTION
ns.example.com. IN A
ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA REFUSED
SECTION QUESTION
ns.example.com. IN AAAA
ENTRY_END
RANGE_END
; set date/time to Mon Nov 23 09:46:40 2009
STEP 5 TIME_PASSES EVAL ${1258962400 + 7200}
STEP 6 TRAFFIC ; do the probe
STEP 7 ASSIGN t0 = ${time}
STEP 8 ASSIGN probe0 = ${range 3200 ${timeout} 3600}
STEP 9 ASSIGN tp = ${1258962400}
; the auto probing should have been done now.
STEP 11 CHECK_AUTOTRUST example.com
FILE_BEGIN
; autotrust trust anchor file
;;id: example.com. 1
;;last_queried: ${$t0} ;;${ctime $t0}
;;last_success: 1258962400 ;;Mon Nov 23 07:46:40 2009
;;next_probe_time: ${$t0+$probe0} ;;${ctime $t0+$probe0}
;;query_failed: 6
;;query_interval: 5400
;;retry_time: 3600
example.com. 10800 IN DNSKEY 257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 07:46:40 2009
example.com. 10800 IN DNSKEY 257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16486 (ksk), size = 512b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 07:46:40 2009
FILE_END
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
SCENARIO_END
|
