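; Testbound replay scenario: serve-expired with a client timeout while the
; upstream authority temporarily returns a DNSSEC-bogus answer.
; The check is that a reply which fails validation never displaces the
; previously validated RRset: clients keep getting the expired-but-validated
; answer (flagged as stale via EDE) until a valid upstream reply is fetched.
; config options
; The island of trust is at example.com
server:
    # DS for key tag 2854, algorithm 3, digest type 1 (SHA-1): legacy test key material.
    trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
    # Pins the validator clock inside the RRSIG validity window used below
    # (inception 20070829, expiration 20070926).
    val-override-date: "20070916134226"
    target-fetch-policy: "0 0 0 0 0"
    qname-minimisation: "no"
    # Test-harness setting paired with the SHA-1 based test keys above;
    # together with val-override-date it belongs in test fixtures only, not in
    # a production resolver config.
    fake-sha1: yes
    trust-anchor-signaling: no
    minimal-responses: no

    serve-expired: yes
    serve-expired-client-timeout: 1
    # The stale answers checked at STEP 30 and STEP 50 carry this TTL.
    serve-expired-reply-ttl: 123
    # Extended DNS Errors: stale answers are expected to be tagged (ede=3 below).
    ede: yes
    ede-serve-expired: yes

    # No need for AAAA nameserver queries
    do-ip6: no

stub-zone:
    name: "."
    stub-addr: 193.0.14.129    # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test serve-expired with client-timeout and bogus answer
; Scenario overview:
; - query for www.example.com. IN A
; - check the answer
; - wait for the record to expire
; - (upstream now has a bogus response)
; - query again for www.example.com. IN A
; - check that we get the expired valid response instead; recursion is blocked for NORR_TTL(5) because of the failure
; - (upstream has the valid response again)
; - query once more
; - check that we get the immediate expired valid response
; - let NORR_TTL(5) expire
; - query one last time
; - check that we get the immediate valid cache response

; The example.com NS and ns.example.com A record are commented out.
; This is to make the test succeed. It then keeps the dnssec valid lookup.
; Otherwise, the relookup of the referral would overwrite the example.com NS
; and the serve expired response would no longer be valid. But this record must
; be cached, for keeping the current delegation information.
; Also the DNSKEY lookup authority and additional are cleaned to stop overwrite
; of the NS and A record. This is more likely to keep the serve expired
; information intact.

;;
;; K.ROOT-SERVERS.NET.
;;
; Active for steps 0-100: root priming plus a referral to com. for any other query.
RANGE_BEGIN 0 100
    ADDRESS 193.0.14.129
    ENTRY_BEGIN
    MATCH opcode qtype qname
    ADJUST copy_id
    REPLY QR NOERROR
    SECTION QUESTION
    . IN NS
    SECTION ANSWER
    . IN NS K.ROOT-SERVERS.NET.
    SECTION ADDITIONAL
    K.ROOT-SERVERS.NET. IN A 193.0.14.129
    ENTRY_END

    ENTRY_BEGIN
    MATCH opcode
    ADJUST copy_id copy_query
    REPLY QR NOERROR
    SECTION QUESTION
    www.example.com. IN A
    SECTION AUTHORITY
    com. IN NS a.gtld-servers.net.
    SECTION ADDITIONAL
    a.gtld-servers.net. IN A 192.5.6.30
    ENTRY_END
RANGE_END

;;
;; a.gtld-servers.net.
;;
; Active for steps 0-100: com. NS answer plus a referral to example.com.
RANGE_BEGIN 0 100
    ADDRESS 192.5.6.30
    ENTRY_BEGIN
    MATCH opcode qtype qname
    ADJUST copy_id
    REPLY QR NOERROR
    SECTION QUESTION
    com. IN NS
    SECTION ANSWER
    com. IN NS a.gtld-servers.net.
    SECTION ADDITIONAL
    a.gtld-servers.net. IN A 192.5.6.30
    ENTRY_END

    ENTRY_BEGIN
    MATCH opcode
    ADJUST copy_id copy_query
    REPLY QR NOERROR
    SECTION QUESTION
    www.example.com. IN A
    SECTION AUTHORITY
    example.com. IN NS ns.example.com.
    SECTION ADDITIONAL
    ns.example.com. IN A 1.2.3.4
    ENTRY_END
RANGE_END

;;
;; ns.example.com. with generic valid data
;;
; Active for steps 0-100: the signed NS and DNSKEY answers stay available for
; the whole scenario, so only the www.example.com. A answer changes between phases.
RANGE_BEGIN 0 100
    ADDRESS 1.2.3.4
    ENTRY_BEGIN
    MATCH opcode qtype qname
    ADJUST copy_id
    REPLY QR NOERROR
    SECTION QUESTION
    example.com. IN NS
    SECTION ANSWER
    example.com. IN NS ns.example.com.
    example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
    SECTION ADDITIONAL
    ns.example.com. IN A 1.2.3.4
    ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
    ENTRY_END

    ; response to DNSKEY priming query
    ENTRY_BEGIN
    MATCH opcode qtype qname
    ADJUST copy_id
    REPLY QR NOERROR
    SECTION QUESTION
    example.com. IN DNSKEY
    SECTION ANSWER
    example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
    example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
    SECTION AUTHORITY
    example.com. IN NS ns.example.com.
    example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
    SECTION ADDITIONAL
    ns.example.com. IN A 1.2.3.4
    ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
    ENTRY_END
RANGE_END

;;
;; ns.example.com with valid data
;;
; Phase 1 (steps 0-10): correctly signed answer that populates the cache.
RANGE_BEGIN 0 10
    ADDRESS 1.2.3.4
    ; response to query of interest
    ENTRY_BEGIN
    MATCH opcode qtype qname
    ADJUST copy_id
    REPLY QR NOERROR
    SECTION QUESTION
    www.example.com. IN A
    SECTION ANSWER
    www.example.com. IN A 10.20.30.40
    ;ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
    SECTION AUTHORITY
    ;example.com. IN NS ns.example.com.
    ;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
    SECTION ADDITIONAL
    ;ns.example.com. IN A 1.2.3.4
    www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
    ENTRY_END
RANGE_END

;;
;; ns.example.com. with bogus data
;;
; Phase 2 (steps 20-30): same A record, but the covering RRSIG does not verify,
; so the validator must treat the upstream reply as bogus.
RANGE_BEGIN 20 30
    ADDRESS 1.2.3.4
    ; response to query of interest (bogus answer)
    ENTRY_BEGIN
    MATCH opcode qtype qname
    ADJUST copy_id
    REPLY QR NOERROR
    SECTION QUESTION
    www.example.com. IN A
    SECTION ANSWER
    www.example.com. IN A 10.20.30.40
    ;ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
    SECTION AUTHORITY
    ;example.com. IN NS ns.example.com.
    ;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
    SECTION ADDITIONAL
    ;ns.example.com. IN A 1.2.3.4
    ;; (valid signature)
    ;; www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
    ;; (bogus signature)
    ; NOTE(review): no signature data follows the signer name on the next line as
    ; it appears here; confirm against the upstream test file whether the field is
    ; intentionally empty or was lost when this page was extracted.
    www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com.
    ENTRY_END
RANGE_END

;;
;; ns.example.com. with valid data again
;;
; Phase 3 (steps 40-70): the authority serves the correctly signed answer again.
RANGE_BEGIN 40 70
    ADDRESS 1.2.3.4
    ; response to query of interest
    ENTRY_BEGIN
    MATCH opcode qtype qname
    ADJUST copy_id
    REPLY QR NOERROR
    SECTION QUESTION
    www.example.com. IN A
    SECTION ANSWER
    www.example.com. IN A 10.20.30.40
    ;ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
    SECTION AUTHORITY
    ;example.com. IN NS ns.example.com.
    ;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
    SECTION ADDITIONAL
    ;ns.example.com. IN A 1.2.3.4
    www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
    ENTRY_END
RANGE_END

STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
; The AD flag is expected: the answer validated against the configured trust anchor.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
SECTION AUTHORITY
;example.com. IN NS ns.example.com.
;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
;ns.example.com. IN A 1.2.3.4
;ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
ENTRY_END

; One second past the 3600 s TTL, so the cached RRset is now expired.
STEP 11 TIME_PASSES ELAPSE 3601

STEP 20 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; expired answer because upstream is bogus
; Expected: the previously validated data, TTL 123 (serve-expired-reply-ttl),
; tagged with EDE code 3 (Stale Answer). The bogus upstream reply must not be
; what the client receives.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl ede=3
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 123 IN A 10.20.30.40
www.example.com. 123 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
SECTION AUTHORITY
;example.com. 123 IN NS ns.example.com.
;example.com. 123 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
;ns.example.com. 123 IN A 1.2.3.4
;ns.example.com. 123 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
ENTRY_END

STEP 40 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; immediate cached answer; although upstream is valid again
; Still stale (ede=3, TTL 123): per the scenario overview, recursion stays
; blocked for NORR_TTL(5) after the validation failure.
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl ede=3
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. 123 IN A 10.20.30.40
www.example.com. 123 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
SECTION AUTHORITY
;example.com. 123 IN NS ns.example.com.
;example.com. 123 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
;ns.example.com. 123 IN A 1.2.3.4
;ns.example.com. 123 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
ENTRY_END

; Lets the NORR_TTL(5) block from the scenario overview run out.
STEP 51 TIME_PASSES ELAPSE 5

; query one last time
STEP 60 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; this is the fresh valid response
; No ede match here: the answer is no longer stale.
STEP 70 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA AD DO NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854}
SECTION AUTHORITY
;example.com. IN NS ns.example.com.
;example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
SECTION ADDITIONAL
;ns.example.com. IN A 1.2.3.4
;ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854}
ENTRY_END

SCENARIO_END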