; config options
; The island of trust is at nsecwc.nlnetlabs.nl
; This is the only trust anchor configured, so every answer under
; nsecwc.nlnetlabs.nl is validated against this DS and nothing above it
; (root, nl) is trusted or contacted. The replay below exercises the
; validator's NSEC NODATA proof check (CVE-2017-15105).
server:
	trust-anchor: "nsecwc.nlnetlabs.nl. 10024 IN DS 565 8 2 0C15C04C022700C8713028F6F64CF2343DE627B8F83CDA1C421C65DB 52908A2E"
	; Pin the validator clock inside the RRSIG validity windows used in the
	; replay (inception 20171108114635, expiration 20200101000000), so the
	; test fails on the NSEC check and not on signature expiry.
	val-override-date: "20181202115531"
	; testbound knobs: no target-address fetching and no qname minimisation,
	; so the only upstream queries are the DNSKEY priming and the TLSA query
	; scripted in the RANGE below.
	target-fetch-policy: "0 0 0 0 0"
	qname-minimisation: "no"
	; NOTE(review): fake-sha1 is a test-only option; presumably it keeps the
	; signature math out of the test -- confirm against testbound docs.
	fake-sha1: yes
	trust-anchor-signaling: no
	; Extended DNS Errors (RFC 8914) must be on: both CHECK_ANSWER steps
	; match ede=6 (DNSSEC Bogus) in addition to SERVFAIL.
	ede: yes
	; allow_snoop permits the RD=0 query sent in STEP 11, which reads the
	; cached answer to confirm the EDE code was cached with the bogus result.
	access-control: 127.0.0.0/8 allow_snoop

stub-zone:
	name: "nsecwc.nlnetlabs.nl"
	stub-addr: "185.49.140.60"

CONFIG_END

SCENARIO_BEGIN Test validator with nodata response with wildcard expanded NSEC record, original NSEC owner does not provide proof for QNAME. CVE-2017-15105 test.

; ns.example.com.
; (template comment; this is the scripted authoritative server at the
; stub-addr for nsecwc.nlnetlabs.nl, answering during steps 0-100)
RANGE_BEGIN 0 100
	ADDRESS 185.49.140.60

	; response to DNSKEY priming query
	; The KSK (flags 257, algorithm 8) and its RRSIG; the key must match the
	; DS in the trust anchor (key tag 565) for anything below to validate.
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	nsecwc.nlnetlabs.nl. IN DNSKEY
	SECTION ANSWER
	nsecwc.nlnetlabs.nl. 3600 IN DNSKEY 257 3 8 AwEAAbTluF4BfJ/FT7Ak5a3VvYG1AqhT8FXxOsVwGTyueyE/hW+fMFMd QlLMf2Lf/gmsnFgn/p7GDmJBLlPTATmLeP3isvAZbK3MDEP2O5UjTVmt LZriTv8xfxYW6emCM54EQjWii64BFWrOeLm9zQqzyaLl53CbIIXqiacV KPteh8GX
	nsecwc.nlnetlabs.nl. 3600 IN RRSIG DNSKEY 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. q3bG4e8EtvXKDcNWcyYHeQxLF9l9aJKdmeSubyN6Qc3UVHugd6t3YSxD hlD+g43y7FcdnNHdAPh/jpgC4wtOb5J+5XAuESDHwesmIXOCTJjrb+A8 r+xQK+vsY8FhNZ2r81JZ/KQ/+TcCS5tbYeNZQgENduWAxgGiw3fdrMOV xiU=
	ENTRY_END

	; response to query of interest
	; A NODATA answer (NOERROR, empty ANSWER) whose only "proof" is a
	; wildcard-expanded NSEC. The SOA and its RRSIG are well-formed; the
	; defect the validator must catch is in the NSEC below.
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
	SECTION ANSWER
	SECTION AUTHORITY
	nsecwc.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600
	nsecwc.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. bYibpCDg1LgrnYJgVahgu94LBqLIcNs4iC0SW8LV7pTI1hhuFKbLkO2O ekPdkJAWmu/KTytf8D+cdcK6X/9VS8QCVIF5S0hraHtNezu0f1B5ztg3 7Rqy+uJSucNKoykueAsz2z43GMgO0rGH3bqM7+3ii8p2E2rhzqEtG/D3 qyY=
	; NSEC has a label length of 3, indication that the original owner name is:
	; *.nsecwc.nlnetlabs.nl. The NSEC therefore does not prove the NODATA answer.
	; Concretely: the RRSIG below carries labels=3 while the NSEC owner
	; _25._tcp.mail.nsecwc.nlnetlabs.nl. has 5 labels, so the record was
	; synthesised from the wildcard. A wildcard-expanded NSEC only describes
	; the wildcard's own type bitmap and span; it says nothing about the
	; QNAME, so a validator that accepted it as NODATA proof could be made to
	; treat a forged denial as secure. The expected outcome is bogus
	; (SERVFAIL, EDE 6), checked in STEP 10 and STEP 12.
	_25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN NSEC delegation.nsecwc.nlnetlabs.nl. TXT RRSIG NSEC
	_25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. ddy1MRbshFuFJswlouNGHsZUF/tYu8BOCztY2JuHeTMyWL7rhRKp73q/ 1RAXMwywKsynT5ioY0bMtEQszeIEn29IYaPDHieLAobjF6BMu1kO7U2/ oEBrSHM/fx28BcaM5G4nfCIm3BlhQhWvk1NDHLn3Q26x4hF/dnmFOUet aXw=
	SECTION ADDITIONAL
	ENTRY_END
RANGE_END

; Client query with RD and DO set: the resolver must recurse and validate.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
ENTRY_END

; recursion happens here.
; The answer must be SERVFAIL with EDE 6 (DNSSEC Bogus); a NOERROR/NODATA
; here would mean the wildcard-expanded NSEC was accepted as proof.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
SECTION ANSWER
ENTRY_END

; Redo the query without RD to check EDE caching.
; With RD clear the resolver answers from cache only (permitted by
; allow_snoop above), so this confirms the bogus state and its EDE code
; were stored, not recomputed.
STEP 11 QUERY
ENTRY_BEGIN
REPLY DO
SECTION QUESTION
_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
ENTRY_END

; Same SERVFAIL + EDE 6 expected from cache; note RD is absent in the reply.
STEP 12 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ede=6
REPLY QR RA DO SERVFAIL
SECTION QUESTION
_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
SECTION ANSWER
ENTRY_END

SCENARIO_END