testdata/autotrust_revtp.rpl


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

; config options
server:
	target-fetch-policy: "0 0 0 0 0"
	log-time-ascii: yes
stub-zone:
	name: "."
	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
AUTOTRUST_FILE example.com
; autotrust trust anchor file
;;id: example.com. 1
;;last_queried: 1258962400 ;;Mon Nov 23 08:46:40 2009
;;last_success: 1258962400 ;;Mon Nov 23 08:46:40 2009
;;next_probe_time: 1258967360 ;;Mon Nov 23 10:09:20 2009
;;query_failed: 0
;;query_interval: 5400
;;retry_time: 3600
example.com.    10800   IN      DNSKEY  257 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16486 (ksk), size = 512b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
example.com.	10800	IN	DNSKEY	257 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55582 (ksk), size = 512b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1258962400 ;;Mon Nov 23 08:46:40 2009
AUTOTRUST_END
CONFIG_END

SCENARIO_BEGIN Test autotrust with trust point revocation

; K-ROOT
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id copy_query
REPLY QR AA
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS k.root-servers.net.
SECTION ADDITIONAL
k.root-servers.net IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
REPLY QR AA
SECTION QUESTION
example.com. IN DNSKEY
SECTION ANSWER

; revoked keys

example.com.    10800   IN      DNSKEY  385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b}
example.com.	10800	IN	DNSKEY	385 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16614 (ksk), size = 512b}
; signatures
example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091124111500 20091018111500 55710 example.com. zOSlB1iwtlP2lum1RK0WoDQrMVj0JKwk2E5Mu1okzV38hAx3Xm9IGMK6WrNkVVLmx4OkhYmdPVA95jVsFpwLMw== ;{id = 55710}
example.com.	10800	IN	RRSIG	DNSKEY 5 2 10800 20091124111500 20091018111500 16614 example.com. qP49cCYP3lvNnLBYty/JxAwHqBIGjpup5zQ7qpjPnaZpBb/TlpOhY17LBZrqD86VvBbEVz5tkxC9UrCy85ePDQ== ;{id = 16614}

ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END
RANGE_END

RANGE_END

; set date/time to Mon Nov 23 09:46:40 2009
STEP 5 TIME_PASSES EVAL ${1258962400 + 7200}
STEP 6 TRAFFIC   ; do the probe
STEP 7 ASSIGN t0 = ${time}
STEP 8 ASSIGN probe0 = ${range 0 ${timeout} 0}
STEP 9 ASSIGN tp = ${1258962400}

; the auto probing should have been done now.
STEP 11 CHECK_AUTOTRUST example.com
FILE_BEGIN
; autotrust trust anchor file
;;REVOKED
; The zone has all keys revoked, and is
; considered as if it has no trust anchors.
; the remainder of the file is the last probe.
; to restart the trust anchor, overwrite this file.
; with one containing valid DNSKEYs or DSes.
;;id: example.com. 1
;;last_queried: ${$t0} ;;${ctime $t0}
;;last_success: ${$t0} ;;${ctime $t0}
;;next_probe_time: ${0} ;;${ctime 0}
;;query_failed: 0
;;query_interval: 5400
;;retry_time: 3600
example.com.	10800	IN	DNSKEY	385 3 5 AwEAAc3Z5DQDJpH4oPdNtC4BUQHk50XMD+dHr4r8psHmivIa83hxR5CRgCtd9sENCW9Ae8OIO19xw9t/RPaEAqQa+OE= ;{id = 55710 (ksk), size = 512b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0}
example.com.	10800	IN	DNSKEY	385 3 5 AwEAAas/cAhCFXvBUgTSNZCvQp0pLx1dY+7rXR0hH4/3EUgWmsmbYUpI1qD0xhwKD/oYGEwAm291fyWJ9c0oVxXDEK8= ;{id = 16614 (ksk), size = 512b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=${$t0} ;;${ctime $t0}
FILE_END

STEP 20 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; correct unsigned response works after trust point revocation.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A   10.20.30.40
ENTRY_END

SCENARIO_END