--- /dev/null
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+ val-override-date: "20070916134226"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with lots of ENTs in the chain of trust
+; query is for a.1.2.b.3.4.c.5.6.example.com.
+; labels 1-6 are empty nonterminals.
+; there are DNSKEYs at labels b, c, example.com.
+; and DSes at b and c.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response for ENT DS queries.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+6.example.com. IN DS
+SECTION AUTHORITY
+example.com. NSEC c.5.6.example.com. SOA DNSKEY NS RRSIG NSEC
+example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCoocKDsR+Hius4e+5zJPlXeeWNowIUO+pa14FBcWH/dCNK5R0vRrlWY5s= ;{id = 2854}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+5.6.example.com. IN DS
+SECTION AUTHORITY
+example.com. NSEC c.5.6.example.com. SOA DNSKEY NS RRSIG NSEC
+example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCoocKDsR+Hius4e+5zJPlXeeWNowIUO+pa14FBcWH/dCNK5R0vRrlWY5s= ;{id = 2854}
+ENTRY_END
+
+; response for query in question - delegation
+; and all other queries, receive a delegation to c.5.6.example.com.
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+a.1.2.b.3.4.c.5.6.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+c.5.6.example.com. IN NS ns.c.5.6.example.com.
+c.5.6.example.com. 3600 IN DS 2854 3 1 4449f16fa7d712283aa43cc8dcc8e07c05856e08
+c.5.6.example.com. 3600 IN RRSIG DS 3 5 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCgiF7eFL89mSqjUPEpQuL5QEa1OgIUWdfUmMkwVBwOgmxlxZIKfGs5od0= ;{id = 2854}
+SECTION ADDITIONAL
+ns.c.5.6.example.com. IN A 1.2.3.6
+ENTRY_END
+RANGE_END
+
+; ns.c.5.6.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.6
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+c.5.6.example.com. IN DNSKEY
+SECTION ANSWER
+c.5.6.example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+c.5.6.example.com. 3600 IN RRSIG DNSKEY 3 5 3600 20070926134150 20070829134150 2854 c.5.6.example.com. MC0CFHsYd4tGO5BotXFzG9d8fzHkX576AhUAoZ2d1FNUBsrwxl6XSz/hoxme/4Q= ;{id = 2854}
+ENTRY_END
+
+; response to DS queries.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+4.c.5.6.example.com. IN DS
+SECTION AUTHORITY
+3.c.5.6.example.com. IN NSEC b.3.4.c.5.6.example.com. NS DS RRSIG NSEC
+3.c.5.6.example.com. 3600 IN RRSIG NSEC 3 6 3600 20070926134150 20070829134150 2854 c.5.6.example.com. MCwCFFFF5WwGibkPunDt0BW2W9lncACcAhQuFh7FbfCE1ulJqBFf1YxjvT/WHQ== ;{id = 2854}
+
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+3.4.c.5.6.example.com. IN DS
+SECTION AUTHORITY
+3.c.5.6.example.com. IN NSEC b.3.4.c.5.6.example.com. NS DS RRSIG NSEC
+3.c.5.6.example.com. 3600 IN RRSIG NSEC 3 6 3600 20070926134150 20070829134150 2854 c.5.6.example.com. MCwCFFFF5WwGibkPunDt0BW2W9lncACcAhQuFh7FbfCE1ulJqBFf1YxjvT/WHQ== ;{id = 2854}
+ENTRY_END
+
+; any other query gets a referral
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY AA QR NOERROR
+SECTION QUESTION
+4.c.5.6.example.com. IN DS
+SECTION AUTHORITY
+b.3.4.c.5.6.example.com. IN NS ns.b.3.4.c.5.6.example.com.
+b.3.4.c.5.6.example.com. 3600 IN DS 30899 5 1 849ebbdefa338db3e6c3ddffd58851523ba701de
+b.3.4.c.5.6.example.com. 3600 IN RRSIG DS 3 8 3600 20070926134150 20070829134150 2854 c.5.6.example.com. MC0CFEuXbvClpAOx7E1SXeH0d+Q4jpySAhUAtbEbQ8qtRF5chUOWNtg31ESAjWg= ;{id = 2854}
+SECTION ADDITIONAL
+ns.b.3.4.c.5.6.example.com. IN A 1.2.3.7
+ENTRY_END
+RANGE_END
+
+; ns.b.3.4.c.5.6.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.7
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+b.3.4.c.5.6.example.com. IN DNSKEY
+SECTION ANSWER
+b.3.4.c.5.6.example.com. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+b.3.4.c.5.6.example.com. 3600 IN RRSIG DNSKEY 5 8 3600 20070926134150 20070829134150 30899 b.3.4.c.5.6.example.com. KNftlGVkrfvo3l3Wliq+i695MqJI9B8QnTVhCHKhFPZfEq0HCxV8gO3ZlaTUle1YEnr7+yXUritXlzjFOlf1hw== ;{id = 30899}
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.1.2.b.3.4.c.5.6.example.com. IN A
+SECTION ANSWER
+a.1.2.b.3.4.c.5.6.example.com. IN A 11.11.11.11
+a.1.2.b.3.4.c.5.6.example.com. 3600 IN RRSIG A 5 11 3600 20070926134150 20070829134150 30899 b.3.4.c.5.6.example.com. GUZcUHhxAvc6FYwAzVJcTqsjz5L36bGA45dyeSupEGEhhUJj0wm/FaYCAlO8J+H2zcFEqbgK0KzHdrFmNHkgUQ== ;{id = 30899}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.1.2.b.3.4.c.5.6.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD NOERROR
+SECTION QUESTION
+a.1.2.b.3.4.c.5.6.example.com. IN A
+SECTION ANSWER
+a.1.2.b.3.4.c.5.6.example.com. 3600 IN A 11.11.11.11
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+SCENARIO_END
return 1;
}
- if(vq->empty_DS_name && dname_strict_subdomain_c(vq->empty_DS_name,
- current_key_name)) {
+ if(vq->empty_DS_name) {
/* if the last empty nonterminal/emptyDS name we detected is
* below the current key, use that name to make progress
* along the chain of trust */
/* The next step is either to query for the next DS, or to query
* for the next DNSKEY. */
-
if(vq->ds_rrset)
log_nametypeclass(VERB_ALGO, "DS RRset", vq->ds_rrset->rk.dname, LDNS_RR_TYPE_DS, LDNS_RR_CLASS_IN);
else log_info("No DS RRset");
+
+ if(vq->ds_rrset && query_dname_compare(vq->ds_rrset->rk.dname,
+ vq->key_entry->name) != 0) {
+ if(!generate_request(qstate, id, vq->ds_rrset->rk.dname,
+ vq->ds_rrset->rk.dname_len, LDNS_RR_TYPE_DNSKEY,
+ vq->qchase.qclass)) {
+ log_err("mem error generating DNSKEY request");
+ return val_error(qstate, id);
+ }
+ return 0;
+ }
+
if(!vq->ds_rrset || query_dname_compare(vq->ds_rrset->rk.dname,
target_key_name) != 0) {
if(!generate_request(qstate, id, target_key_name,
projects / thirdparty / unbound.git / commitdiff
