Fix validation failure cnamenodata proof failed for hud.gov.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Fri, 13 Nov 2009 10:10:05 +0000 (10:10 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Fri, 13 Nov 2009 10:10:05 +0000 (10:10 +0000)
git-svn-id: file:///svn/unbound/trunk@1902 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
testdata/val_cnametooptout.rpl [new file with mode: 0644]
validator/val_nsec3.c

index d5f009e6d85f8ee527d1b198097cae082489f90a..4e9b244c9eefd1bbedb9458757d26a4c519e1294 100644 (file)
@@ -1,3 +1,6 @@
+13 November 2009: Wouter
+       - Fixed validation failure for CNAME to optout NSEC3 nodata answer.
+
 12 November 2009: Wouter
        - iana portlist updated.
        - fix manpage errors reported by debian lintian.
diff --git a/testdata/val_cnametooptout.rpl b/testdata/val_cnametooptout.rpl
new file mode 100644 (file)
index 0000000..d4638d0
--- /dev/null
@@ -0,0 +1,110 @@
+; config options
+server:
+       trust-anchor: "GOV. DS 26079 7 2 4ED5FFBC8A40262B56E1232135B929192804ACC006930D087AAB38A611C89041"
+       val-override-date: "20091113091234"
+
+forward-zone:
+       name: "."
+       forward-addr: 192.0.2.1
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with CNAME to optout NSEC3 span NODATA
+
+RANGE_BEGIN 0 100
+       ADDRESS 192.0.2.1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.hud.gov. IN AAAA
+SECTION ANSWER
+www.hud.gov.    86400   IN      CNAME   www.content.hud.gov.
+www.hud.gov.    86400   IN      RRSIG   CNAME 7 3 86400 20091204150200 20091104150200 64775 hud.gov. taZtumaTp8eSlcj0vEGnY0Up05RtlC2NhHrtHDUdq1TskAPQH8Eu9AoVe6gKrFEyCC1ixprOhT8Ni661d/ZykdzgceZ8KgFIlSQ84Whm59yB2gcbXLen9rApF0+NuyRgdAph6yjMYMtfoRQWAASG7SqS/v52dkHNf/a9PXaDvHBvjoiTK+dXPKFulkmEl0KyhXBdsikl6/Xd68FF41FdDNzWS8ZzYCdd4CWaXXkwTtPSFsKyXGZeXOTxqGQJnD+hNBkn2sAca1oLiAsfaiCHec66I+rHGXT+mPB7HXez32jbbeInkgB7M2TUoRXehifuloR8sur8Xck9FPRv24Si8A== ;{id = 64775}
+SECTION AUTHORITY
+content.hud.gov.        86400   IN      NS      drfswitch.hud.gov.
+content.hud.gov.        86400   IN      NS      lanswitch.hud.gov.
+3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov.       86400   IN      NSEC3   1 1 5 abcd  42bsks495i3mb2s3f6nhusc6rfm54g4g A NS SOA MX RRSIG DNSKEY NSEC3PARAM  ; flags: optout
+3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov.       86400   IN      RRSIG   NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. APf75Nx4eY9eHov3T9hduDLuG4TJfVfEUEhSgm7HIZRvSPFgajHz2q+Wy6888G3C0T1Zft1qL2PdHMonK6H1OEE+NiOxroDsZaH+aWZjAsbIO86qQ2xcC+/Z9DsddQtONk0zAqpuYxHSn879rAk/BIKeDukNoBChHCSTy8olUFiYt7XEmjz5AOoc8R5VQhMQi/vmbmC0BoFOemDxxowG2MX27Hj2MbVBEJiT8xioFEk41jsdDI0WQtpnory2NT/UM4kWZdmDdxbpwu2F8oixe3oi4AOI9j3EukoOZT9f0Sx+tCg/I9zLNZJi+VuI5oUlpZkSH5EoUyRgK33eO+KJhQ== ;{id = 64775}
+GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov.       86400   IN      NSEC3   1 1 5 abcd  gvfjd9enpjtet8a14uhb8hlrfeon2b72 A RRSIG  ; flags: optout
+GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov.       86400   IN      RRSIG   NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. eQFg/RvJ640k+Fa5yIUZwkx8FvsYSivykYFjc6dOiGt7r3VprfxwGWeYpyjYr/+mzu0ugE5ePDjZWtr5naK3dvqmt7qKk4/nEvVDoUmrg7joIUmeTzami9RB9lzCq2O/ddempQ6jpwfjiIDuEKUxHMpBFpw8QQZnZSZHKKQCDB4pOj8U8J/wNJXCS+SP7plU1hEVroC+QXCOYS8NHY2wFyeuW7A+xvg9tyYp9PH6c5MoNMkRQt36Kdvfk1nk3osktwalJNLmMhDr/vtErFieGGD6E9Ud9Pg70bPF2G5nqwwLDRevy7hIFjaMDHfYrcWc4B5hrUSpGtLJkYog9vsd2w== ;{id = 64775}
+SECTION ADDITIONAL
+drfswitch.hud.gov.      86400   IN      A       170.97.167.1
+lanswitch.hud.gov.      86400   IN      A       170.97.67.78
+drfswitch.hud.gov.      86400   IN      RRSIG   A 7 3 86400 20091204150200 20091104150200 64775 hud.gov. ub6Anb7XgDMRsTYxqKDRUOYnntLetcJMXM9SVbG7Cb2n+ccp4OO38u6KnGO1i8U5rhTQ6WPlG6iKA+8U0mQuWp3fkzBaE+a5R3eEfzLlRE/MbjUqHjTb0MVYQnMWaA7YXmj/1BNFjBuAam+J3QnU4JR3RqN9WDmHXYx8IUEY9BYSWvTMhOnzebRu6z9MUBQWFfm69pFxf0Z1SkpInznU/mxGdGlslzxL8ScKAUMSBiQG1tyL90OEXW3Yp7kbOtpTxGrXucpMiMB9lXI/z9UiRJenZrJ7swyyyJ5Do0TjCiS3oS8RBhX8ou09sNftUmF9crKz/BdNq90wVYoHXYz9vg== ;{id = 64775}
+lanswitch.hud.gov.      86400   IN      RRSIG   A 7 3 86400 20091204150200 20091104150200 64775 hud.gov. QO+quzaZXrIBZy0JXhx85/8auhBj8dCqeidaUCs6rzCd/lgUDt7B/mH8IanU33o+PyKsBN+B5r9bavFFCNc4sPDUVwNcnZfKCyFQvvUnI3rztCJb/ESYnJ/xu/5g966cRLOajzAvvLAWZ6vT4p3b9+CpaONOJ19D08RpwsWnTkqiEP/UiXaWBpVwyt4JHN0oiNmMGshk5zjbHir1gUInd7QbJk3SpyiIgHT5Z4nhTUGkd1sIve++aIxjsQ8MVrE+INw4v56dJaoYD6bqQewmg2yAr9nYemYUHYi8+USy7/anEaUsOvk9zZfncevTfY/sOORFWoD15bHF2BWUo2YwaQ== ;{id = 64775}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.content.hud.gov. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+GOV. IN DNSKEY
+SECTION ANSWER
+GOV.    86400   IN      DNSKEY  256 3 7 AwEAAaQ6vDoHd2QDRBLwB+n63RxnmJExvIcOz7uv9gM+l8QSMAJTTCDpqJ8R+8UfYs97cn6LM3cT3kcl9V0GnjljNzNMk39W11Ej7htNcbf4u1n5z2e4WsnpjQJJmKoWv2FORIfJmLKbxzGILSK13mrDUETj9onhdtOsjkhcK/7S+h1d ;{id = 51998 (zsk), size = 1024b}
+GOV.    86400   IN      DNSKEY  257 3 7 AwEAAZ1OCt7zZxeaROvzXNCNlqQWIi++p5ABXSoxqJ65WQko6xrI9RImK7IBT5roFhXjBDGJ8ld9CYIEN94kK83K/QwUGCJ+v3vIQFi09IqsPeRdHTQyghWWbhzAZpnlZ16imXB4yFZjdbV2iM66KcgsESQMPEcIayDQJh6JEi1wmslrYvRRJ6YPOWrlLD0RmdtCaRuzlUE0RiWSem/i8vDFdmsSwChRMcORklKqjqt1+RBIiEFJGKIz7lGc9DXRwkBfb+halii+jrELiZAPzfO7rf08l3QlgHEuxclTTdEaxctPd2O2U/Hl9tRgkxRL/Zv1i0sEx2mOJGcUCeVm4Hf2aM8= ;{id = 26079 (ksk), size = 2048b}
+GOV.    86400   IN      RRSIG   DNSKEY 7 1 86400 20091117211705 20091112211705 26079 gov. OR2ltuGs0IxWqikvqWIoXLy7gPpWafolM+fyQ9uyuzPdxILo8QboVzfRr3Q8X/hOa6MRwR0KHGci2NH/29p9cekafdMbOer0kvh0hndnf+yGLuDcd9HLj5hpoZ5uecZ2r02OWtRHCKetAPF95SYrIQBzoqUNOswdDlSTW1R8v/BQ6UpztuUQcciZJxARbXlovzSkMbnoyjtehgKjXPP/Zy79vSwhjpTJ4XAsc2E3Tw1qAE7ZZUzYpN8uGmAQYVtZraQIjazE/A+xVo+XB0dZdhlM00xUs6GNuZytckUOqecBKZ2IKlxBe+kBEkj2nz1PBRAzmZUoS3ZZPkKaA6ygTA== ;{id = 26079}
+GOV.    86400   IN      RRSIG   DNSKEY 7 1 86400 20091117211705 20091112211705 51998 gov. VDizeuAywZB0tQm4kmbOSGhrK1eJYC9VSSND/wG7oTj/oWDAKMEke1XrQXGEoIFyBKZk5dHpUB6tmEA9RPLMwI51ue66pM9RRT1aNLba08r6TDzr6ZxKjtqBDj4Xy16h6PWZ2jC9JASGeNGINg6zCeVmU75yqXh6+X+KeypO64E= ;{id = 51998}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+hud.gov. IN DS
+SECTION ANSWER
+hud.gov.        86399   IN      DS      52146 7 2 54af554fc3ffc532bb898b9ab39f1276fd17b59d3e44772c3142ea62680d71c7 ; xihap-zehog-zybyz-zecaf-dyvym-nydun-pusan-zagil-kezyc-lutyn-tazog-gyted-sosig-depyk-dypeb-tasas-lexix
+hud.gov.        86399   IN      RRSIG   DS 7 2 86400 20091117211705 20091112211705 51998 gov. FHDstL7xVBBedCaG83M884pnxCV8PY9GjUulwH7BSTVIaFBJe/kxlKGTsD0j5x4QfezjBWKenjpvw5SiMGeQOnIJeA/z6Ze9QBCGVrbx0ZgoKEoSRyfD0vIjvM7J4T2PLgslI8fsMpWFs4KzmujKJNRVq4aFzFk9k8bFCJnEPJk= ;{id = 51998}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+hud.gov. IN DNSKEY
+SECTION ANSWER
+hud.gov.        86400   IN      DNSKEY  256 3 7 AwEAAcAOoW+zclZqs8kCGmm290DImA1DDfKqbifB1oGNjOcmz6xz6PigLa8ORaAG0zpabZwLMXyhMaKbseR+beGnOf2wh5N0oxN8grCNTJm+YAMeyvCn2dz3J8YEoclyST4bhU38MGFsEVVZukXsIniFfvnKfpVxArpO7ocbDXI+EN3RA8EHFTIHOCfEbCS7zyO0mtrdM88Y/tIX9fjsYUig6lfVUNISJUL4TyUMpmi8/hu2dLdTuXXIAEMx/vyQHVFq2ZZM0nnDJ9vJCZEgwFAjUE5/BjlrDgofonxdY8SLDbQvn11z/SPugKiA16bdO6i/ND4FjEhG2HUJHeeQCrZ61rE= ;{id = 64775 (zsk), size = 2048b}
+hud.gov.        86400   IN      DNSKEY  256 3 7 AwEAAfFubFVJ6m7jO8HvInmFEXivfnqZZpS7SnsucTlfGg5yhIayzS3tC0UMAt1QU+pEIyVH+qa2fG2+/45gAp+iG3zwyepyZuup8eo/SlXefWXZ9CIjBNaaptd2sSDsuF8mPtdQmtm3AbPqGEe7p7edIHHJBxPy90AzJQeKppyRcRcrGO3QNC9Glso177NbHZVZuY46V63RdaY3Qf5t7/03xy/Z68KWFEJKUCBxkHjAVIH0KaT9M37dPzs9L7F/+NyOLfMUzk87ctv4ivW9dcJRf79aulzoIV4LlGu0ZsrvxRZ5t+ind+GDeTvaKseH0NWF5Am2dG/QrHtewQL9qGztjN8= ;{id = 41402 (zsk), size = 2048b}
+hud.gov.        86400   IN      DNSKEY  257 3 7 AwEAAZ50d20TkOzWzJD+anUMSIMfGaI8m4If6DMax4NQnZ34yta6UOb907SRqBs2vJ+MpcJkyRuLx/Z9vGlfZQ7V9eBgI62EZwmfiitanwSFPZgCzM8nVswpDS+/CmaHhXUoLdgNgUYh4WSl/7fXroluC/18xyMl3ZGQRRjJftpQSMXubP/n9nCHZXE5YiDw1cRklqA4lLyNeXBgadWa8klekr89WNij454KApevbg0GSudEJw7IWzbOb09npvQ1hnLz8pmDsaahfIsGBvcHSUEJrjSkk3J1oHDj0B7Gxm+tZH4Er21RTucEWeroyIJSQmsYN+Cm0FyfgJ75bNEsRe5M4Vc= ;{id = 52146 (ksk), size = 2048b}
+hud.gov.        86400   IN      RRSIG   DNSKEY 7 2 86400 20091204150200 20091104150200 52146 hud.gov. KWIA6wH6BqwuF7d6dyTbfqbcLgbUG2ZKJA4vVfhWqOC76Xnt7gXPLeB2GQwwyhSR0s3IHIzAB0Uj+RAGGcz2NH5JanfxNC9rAvubYESXSlLr/FC33exLeOxGisJZzRnPpk5NynXwyT8TXul1ew48/Mpyi7j6+tlqakqHw2HlId7oblxO2cjN6JV0JLZ44l7tCw6ALYhamA48PQ1WeJbGcfH7buCEG7S1ceZSZlG6kml+u7pb65QL9AZjCnDIecXk7B3HMCdIT8zyrO8QK0GiLMMak9RogF/5gBiH/WDCq7146vcVneW/Hn/+hLnY104iOKuadJcbmStlMF5k0iBzng== ;{id = 52146}
+hud.gov.        86400   IN      RRSIG   DNSKEY 7 2 86400 20091204150200 20091104150200 64775 hud.gov. V0JSAtTmQn76T408nyntg1ydX5sVvq8RSCN/Bf+cqTPXMFlPpmOs4VQv791bY85n28qOehV7Ws2CrhfxbyFbyYRXPBtWkg6jH3JXicYPn7Abm7E5N2Y6Mkm1Z9xt/APCw+aSkt0swMJzYBO5P5aeDesIB+Pz5I+SLuOPin3GFjGYL+YB5j5rTY/Nqnp2eQytF0SoFdqCIPCP7l9ZtYdaxBDQNX3Hklm4dRYP5U9wL8sqaeUwgKjJTGcbXiXdPXF9+3AojshKMpk14lcplHcy+cQ4p5ehSngtDwdWtG8gcWKCg829I/1iOFcnPgJ1YK1DdPVEGTgUFgGGwTx+HYMsPA== ;{id = 64775}
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.hud.gov. IN AAAA
+ENTRY_END
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.hud.gov. IN AAAA
+SECTION ANSWER
+www.hud.gov.    86400   IN      CNAME   www.content.hud.gov.
+www.hud.gov.    86400   IN      RRSIG   CNAME 7 3 86400 20091204150200 20091104150200 64775 hud.gov. taZtumaTp8eSlcj0vEGnY0Up05RtlC2NhHrtHDUdq1TskAPQH8Eu9AoVe6gKrFEyCC1ixprOhT8Ni661d/ZykdzgceZ8KgFIlSQ84Whm59yB2gcbXLen9rApF0+NuyRgdAph6yjMYMtfoRQWAASG7SqS/v52dkHNf/a9PXaDvHBvjoiTK+dXPKFulkmEl0KyhXBdsikl6/Xd68FF41FdDNzWS8ZzYCdd4CWaXXkwTtPSFsKyXGZeXOTxqGQJnD+hNBkn2sAca1oLiAsfaiCHec66I+rHGXT+mPB7HXez32jbbeInkgB7M2TUoRXehifuloR8sur8Xck9FPRv24Si8A== ;{id = 64775}
+SECTION AUTHORITY
+3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov.       86400   IN      NSEC3   1 1 5 abcd  42bsks495i3mb2s3f6nhusc6rfm54g4g A NS SOA MX RRSIG DNSKEY NSEC3PARAM  ; flags: optout
+3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov.       86400   IN      RRSIG   NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. APf75Nx4eY9eHov3T9hduDLuG4TJfVfEUEhSgm7HIZRvSPFgajHz2q+Wy6888G3C0T1Zft1qL2PdHMonK6H1OEE+NiOxroDsZaH+aWZjAsbIO86qQ2xcC+/Z9DsddQtONk0zAqpuYxHSn879rAk/BIKeDukNoBChHCSTy8olUFiYt7XEmjz5AOoc8R5VQhMQi/vmbmC0BoFOemDxxowG2MX27Hj2MbVBEJiT8xioFEk41jsdDI0WQtpnory2NT/UM4kWZdmDdxbpwu2F8oixe3oi4AOI9j3EukoOZT9f0Sx+tCg/I9zLNZJi+VuI5oUlpZkSH5EoUyRgK33eO+KJhQ== ;{id = 64775}
+GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov.       86400   IN      NSEC3   1 1 5 abcd  gvfjd9enpjtet8a14uhb8hlrfeon2b72 A RRSIG  ; flags: optout
+GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov.       86400   IN      RRSIG   NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. eQFg/RvJ640k+Fa5yIUZwkx8FvsYSivykYFjc6dOiGt7r3VprfxwGWeYpyjYr/+mzu0ugE5ePDjZWtr5naK3dvqmt7qKk4/nEvVDoUmrg7joIUmeTzami9RB9lzCq2O/ddempQ6jpwfjiIDuEKUxHMpBFpw8QQZnZSZHKKQCDB4pOj8U8J/wNJXCS+SP7plU1hEVroC+QXCOYS8NHY2wFyeuW7A+xvg9tyYp9PH6c5MoNMkRQt36Kdvfk1nk3osktwalJNLmMhDr/vtErFieGGD6E9Ud9Pg70bPF2G5nqwwLDRevy7hIFjaMDHfYrcWc4B5hrUSpGtLJkYog9vsd2w== ;{id = 64775}
+ENTRY_END
+
+SCENARIO_END
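Review bot: The CHECK_ANSWER step at L119-L133 pins the insecure outcome only implicitly, through the absence of the AD flag in `REPLY QR RD RA NOERROR` on L122; nothing in the scenario says so, and a later edit could add AD to make it look like the other validator scenarios. I would put a comment next to that line, `; no AD: the opt-out NSEC3 span makes the CNAME-target NODATA insecure, not secure`, so the flag set reads as the assertion it is. The scenario also covers only the opt-out path; the bogus path (covering NSEC3 without opt-out for a non-DS qtype) is not exercised by this file.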
index 35bc152fea9a4466622db2f864e5cc10709c04b4..a99f19f0a2b0b44de8739d9ee31faa0c250fe226 100644 (file)
@@ -1159,20 +1159,24 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
        }
 
        /* Case 5: */
-       if(qinfo->qtype != LDNS_RR_TYPE_DS) {
-               verbose(VERB_ALGO, "proveNodata: could not find matching "
-                       "NSEC3, nor matching wildcard, and qtype is not DS "
-                       "-- no more options, bogus.");
-               return sec_status_bogus;
-       }
+       /* Due to forwarders, cnames, and other collating effects, we
+        * can see the ordinary unsigned data from a zone beneath an
+        * insecure delegation under an optout here */
 
        /* We need to make sure that the covering NSEC3 is opt-out. */
        log_assert(ce.nc_rrset);
        if(!nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
-               verbose(VERB_ALGO, "proveNodata: covering NSEC3 was not "
+               if(qinfo->qtype == LDNS_RR_TYPE_DS)
+                 verbose(VERB_ALGO, "proveNodata: covering NSEC3 was not "
                        "opt-out in an opt-out DS NOERROR/NODATA case.");
+               else verbose(VERB_ALGO, "proveNodata: could not find matching "
+                       "NSEC3, nor matching wildcard, nor optout NSEC3 "
+                       "-- no more options, bogus.");
                return sec_status_bogus;
        }
+       /* the optout is a secure denial of DS records */
+       if(qinfo->qtype != LDNS_RR_TYPE_DS)
+               return sec_status_insecure;
        return sec_status_secure;
 }
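Review bot: The new `return sec_status_insecure;` on L164-L165 changes the contract of nsec3_do_prove_nodata — any non-DS qtype whose next closer name is covered by an opt-out NSEC3 is now insecure instead of bogus — but the hunk keeps the `/* Case 5: */` label and the comment `/* the optout is a secure denial of DS records */` that describe the old DS-only case, and the function's header comment lies above the hunk where the commit does not visibly update it. I would replace the L163 comment with `/* opt-out proves at most that an unsigned delegation may exist here: secure denial of DS, insecure for any other qtype (RFC 5155 opt-out semantics) */` and add the insecure return value to the header comment. The unbraced `if`/`else` around the two multi-line verbose() calls on L155-L160 is easy to misread, since the string continuation lines look like separate statements; brace both branches. The non-opt-out bogus branch with the new message is not covered by the added testdata, which only exercises the opt-out/insecure path; nsec3_do_prove_nodata starts above this hunk.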
 
@@ -1339,6 +1343,7 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
        struct ub_packed_rrset_key** list, size_t num, 
        struct query_info* qinfo, struct key_entry_key* kkey, int* nodata)
 {
+       enum sec_status sec;
        rbtree_t ct;
        struct nsec3_filter flt;
        *nodata = 0;
@@ -1357,9 +1362,9 @@ nsec3_prove_nxornodata(struct module_env* env, struct val_env* ve,
 
        if(nsec3_do_prove_nameerror(env, &flt, &ct, qinfo)==sec_status_secure)
                return sec_status_secure;
-       if(nsec3_do_prove_nodata(env, &flt, &ct, qinfo)==sec_status_secure) {
+       sec = nsec3_do_prove_nodata(env, &flt, &ct, qinfo);
+       if(sec==sec_status_secure) {
                *nodata = 1;
-               return sec_status_secure;
        }
-       return sec_status_bogus;
+       return sec;
 }
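Review bot: `*nodata` is set only when `sec` is secure (L183-L186), so the insecure result that this commit introduces is returned with `*nodata` still 0 even though it came from the nodata proof; whether callers of this function rely on that flag for non-bogus, non-secure results cannot be seen here and should be confirmed before merging. If they do, the condition becomes `if(sec==sec_status_secure || sec==sec_status_insecure)`. The bare `return sec;` on L188 also deserves a comment, e.g. `/* bogus, or insecure when the denial was an opt-out span */`, since this function previously could only return secure or bogus. nsec3_prove_nxornodata starts in the previous hunk.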