Merge branch 'kskroll-sentinel' into 'master'

Test draft-ietf-dnsop-kskroll-sentinel-00#section-2 See merge request !97

Merge branch 'kskroll-sentinel' into 'master'
Test draft-ietf-dnsop-kskroll-sentinel-00#section-2 See merge request !97
fc5657f6 · Petr Špaček · 387e8845 · 297d8e06 · fc5657f6 · fc5657f6
Commit fc5657f6 authored Jan 22, 2018 by Petr Špaček
105 changed files
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
-image: cznic/ci-debian-kresd
+image: $CI_REGISTRY/knot/knot-resolver/ci:debian-stable
 variables:
  LC_ALL: C.UTF-8


--- a/doc/scenario_guide.rst
+++ b/doc/scenario_guide.rst
@@ -416,6 +416,7 @@ Format is list of "key: value" pairs, one pair per line. There is no explicit st
 config option              default meaning
 ========================== ======= =====================================================================
 do-not-query-localhost     on      on = queries cannot be sent to 127.0.0.1/8 or ::1/128 addresses
+domain-insecure            (none)  domain name specifying DNS sub-tree with explicitly disabled DNSSEC validation
 force-ipv6                 off     use a IPv6 address as ``stub-addr``
 harden-glue                on      additional checks on glue addresses
 query-minimization         on      RFC 7816 query algorithm enabled; default inherited from QMIN environment variable

--- a/doc/user_guide.rst
+++ b/doc/user_guide.rst
@@ -190,6 +190,7 @@ DNS specifics:
 - ``HARDEN_GLUE``     [bool]_ - enables or disables additional checks on glue addresses
 - ``QMIN``            [bool]_ - enables or disables query minimization respectively
 - ``TRUST_ANCHORS`` - list of trust anchors in form of a DS records, see `scenario guide <doc/scenario_guide.rst>`_
+- ``NEGATIVE_TRUST_ANCHORS`` - list of domain names with explicitly disabled DNSSEC validation

 .. [bool] boolean expressed as string ``true``/``false``


--- a/pydnstest/scenario.py
+++ b/pydnstest/scenario.py
@@ -935,6 +935,7 @@ def parse_config(scn_cfg, qmin, installdir):
    sockfamily = 0  # auto-select value for socket.getaddrinfo
    trust_anchor_list = []
    trust_anchor_files = {}
+    negative_ta_list = []
    stub_addr = None
    override_timestamp = None

@@ -946,9 +947,11 @@ def parse_config(scn_cfg, qmin, installdir):
        # Enable selectively for some tests
        if k == 'do-not-query-localhost':
            do_not_query_localhost = str2bool(v)
-        if k == 'harden-glue':
+        elif k == 'domain-insecure':
+            negative_ta_list.append(v)
+        elif k == 'harden-glue':
            harden_glue = str2bool(v)
-        if k == 'query-minimization':
+        elif k == 'query-minimization':
            qmin = str2bool(v)
        elif k == 'trust-anchor':
            trust_anchor = v.strip('"\'')
@@ -1000,9 +1003,12 @@ def parse_config(scn_cfg, qmin, installdir):
                               % (v, str(ex)))
        elif k == 'force-ipv6' and v.upper() == 'TRUE':
            sockfamily = socket.AF_INET6
+        else:
+            raise NotImplementedError('unsupported CONFIG key "%s"' % k)

    ctx = {
        "DO_NOT_QUERY_LOCALHOST": str(do_not_query_localhost).lower(),
+        "NEGATIVE_TRUST_ANCHORS": negative_ta_list,
        "FEATURES": features,
        "HARDEN_GLUE": str(harden_glue).lower(),
        "INSTALL_DIR": installdir,

--- a/sets/resolver/iter_badraw.rpl
+++ b/sets/resolver/iter_badraw.rpl
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_badauth.rpl
+++ b/sets/resolver/iter_cname_badauth.rpl
 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_cache.rpl
+++ b/sets/resolver/iter_cname_cache.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_double.rpl
+++ b/sets/resolver/iter_cname_double.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_nx.rpl
+++ b/sets/resolver/iter_cname_nx.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cname_qnamecopy.rpl
+++ b/sets/resolver/iter_cname_qnamecopy.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cycle.rpl
+++ b/sets/resolver/iter_cycle.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_cycle_noh.rpl
+++ b/sets/resolver/iter_cycle_noh.rpl
 ; config options
 	harden-glue: "no"
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_domain_sale.rpl
+++ b/sets/resolver/iter_domain_sale.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_domain_sale_nschange.rpl
+++ b/sets/resolver/iter_domain_sale_nschange.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_donotq127.rpl
+++ b/sets/resolver/iter_donotq127.rpl
 ; config options
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_formerr.rpl
+++ b/sets/resolver/iter_formerr.rpl
 ; config options
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-        name: "."
+;	harden-referral-path: no
+;	target-fetch-policy: "0 0 0 0 0"
+;        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_hint_lame.rpl
+++ b/sets/resolver/iter_hint_lame.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 	; minimization does not affect priming query
 	query-minimization: off

--- a/sets/resolver/iter_lame_aaaa.rpl
+++ b/sets/resolver/iter_lame_aaaa.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_lame_noaa.rpl
+++ b/sets/resolver/iter_lame_noaa.rpl
 ; config options
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-        name: "."
+;	harden-referral-path: no
+;	target-fetch-policy: "0 0 0 0 0"
+;        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
 	; test with pre-scripted replies does not make sense with qmin
 	query-minimization: off

--- a/sets/resolver/iter_lame_nosoa.rpl
+++ b/sets/resolver/iter_lame_nosoa.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_lamescrub.rpl
+++ b/sets/resolver/iter_lamescrub.rpl
 ; config options
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_minim_a.rpl
+++ b/sets/resolver/iter_minim_a.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
+;	target-fetch-policy: "0 0 0 0 0"
 	query-minimization: on
-	name: "."
+;	name: "."
 	stub-addr: 127.0.0.10 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_minim_a_nxdomain.rpl
+++ b/sets/resolver/iter_minim_a_nxdomain.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
+;	target-fetch-policy: "0 0 0 0 0"
 	query-minimization: on
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_minim_nonempty.rpl
+++ b/sets/resolver/iter_minim_nonempty.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
+;	target-fetch-policy: "0 0 0 0 0"
 	query-minimization: on
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_minim_ns.rpl
+++ b/sets/resolver/iter_minim_ns.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
+;	target-fetch-policy: "0 0 0 0 0"
 	query-minimization: on
-	name: "."
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_mod.rpl
+++ b/sets/resolver/iter_mod.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	module-config: "iterator"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	module-config: "iterator"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_multiple_A.rpl
+++ b/sets/resolver/iter_multiple_A.rpl
 ; config options
 ; The island of trust is at example.com
-server:
+;server:
 	trust-anchor: "example.com.		IN DS 438 10 2 33F8133EB48EDB093839E985600EB7B7009EB5AC312D11CCA9007F6B 71D94D7B"
 	val-override-date: "20160308103040"
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.

--- a/sets/resolver/iter_ns_badaa.rpl
+++ b/sets/resolver/iter_ns_badaa.rpl
 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_ns_badglue.rpl
+++ b/sets/resolver/iter_ns_badglue.rpl
 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_ns_badip.rpl
+++ b/sets/resolver/iter_ns_badip.rpl
 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_ns_noglue.rpl
+++ b/sets/resolver/iter_ns_noglue.rpl
 ; config options
-	target-fetch-policy: "3 2 1 0 0"
-	name: "."
+;	target-fetch-policy: "3 2 1 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_ns_spoof.rpl
+++ b/sets/resolver/iter_ns_spoof.rpl
 ; config options
-	harden-referral-path: yes
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	harden-referral-path: yes
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_pc_a.rpl
+++ b/sets/resolver/iter_pc_a.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_pc_aaaa.rpl
+++ b/sets/resolver/iter_pc_aaaa.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_pcdirect.rpl
+++ b/sets/resolver/iter_pcdirect.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_pclame.rpl
+++ b/sets/resolver/iter_pclame.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_pcname.rpl
+++ b/sets/resolver/iter_pcname.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_pcnamech.rpl
+++ b/sets/resolver/iter_pcnamech.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_pcnamechrec.rpl
+++ b/sets/resolver/iter_pcnamechrec.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_pcttl.rpl
+++ b/sets/resolver/iter_pcttl.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	do-ip6: no
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	do-ip6: no
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_reclame_one.rpl
+++ b/sets/resolver/iter_reclame_one.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_reclame_two.rpl
+++ b/sets/resolver/iter_reclame_two.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_recurse.rpl
+++ b/sets/resolver/iter_recurse.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_refuse.rpl
+++ b/sets/resolver/iter_refuse.rpl
 ; config options
-server:
+;server:
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_req_qname.rpl
+++ b/sets/resolver/iter_req_qname.rpl
 ; config options
-server:
-	target-fetch-policy: "0 0 0 0 0"
+;server:
+;	target-fetch-policy: "0 0 0 0 0"

-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_resolve.rpl
+++ b/sets/resolver/iter_resolve.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_soamin.rpl
+++ b/sets/resolver/iter_soamin.rpl
 ; config options
-	target-fetch-policy: "0 0 0 0 0"
-	name: "."
+;	target-fetch-policy: "0 0 0 0 0"
+;	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_tcbit.rpl
+++ b/sets/resolver/iter_tcbit.rpl
 ; config options
-	harden-referral-path: no
-	target-fetch-policy: "0 0 0 0 0"
-        name: "."
+;	harden-referral-path: no
+;	target-fetch-policy: "0 0 0 0 0"
+;        name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
 CONFIG_END


--- a/sets/resolver/iter_validate.rpl
+++ b/sets/resolver/iter_validate.rpl
 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1437625000"

-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 198.41.0.4 	# a.root-servers.net.
 CONFIG_END


--- a/sets/resolver/iter_validate_child_zone_noaddr.rpl
+++ b/sets/resolver/iter_validate_child_zone_noaddr.rpl
 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1441892800"
 	query-minimization: off

-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 198.41.0.4 	# a.root-servers.net.
 CONFIG_END


--- a/sets/resolver/iter_validate_extradata.rpl
+++ b/sets/resolver/iter_validate_extradata.rpl
 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1437625000"

-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 198.41.0.4 	# a.root-servers.net.
 CONFIG_END


--- a/sets/resolver/iter_validate_nsec_nxdomain.rpl
+++ b/sets/resolver/iter_validate_nsec_nxdomain.rpl
 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1438783903"
 	query-minimization: off

-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 198.41.0.4 	# a.root-servers.net.
 CONFIG_END


--- a/sets/resolver/nsec3_wildcard_no_data_response.rpl
+++ b/sets/resolver/nsec3_wildcard_no_data_response.rpl
 ; config options
-server:
+;server:
        stub-addr: 193.0.14.129
 	trust-anchor: ". 3600 IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
 	val-override-timestamp: "1450794800"

--- a/sets/resolver/nsec_name_error_response-part2.rpl
+++ b/sets/resolver/nsec_name_error_response-part2.rpl
 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B"
 	val-override-timestamp: "1442323400"
 	do-not-query-localhost: off

-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 127.0.0.1 	# ns.
 CONFIG_END


--- a/sets/resolver/nsec_name_error_response.rpl
+++ b/sets/resolver/nsec_name_error_response.rpl
 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B"
 	val-override-timestamp: "1442323400"
 	do-not-query-localhost: off

-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 127.0.0.1 	# ns.
 CONFIG_END


--- a/sets/resolver/nsec_no_data_response.rpl
+++ b/sets/resolver/nsec_no_data_response.rpl
 ; config options
-server:
+;server:
 	trust-anchor: ". 3600 IN DS 17272 13 4 B87AD8C76DC2244E7AA57285057BF533F2E248CC8D7E1A071D8A3837A711A5EA705C4707E6E8911DA653BE1AE019927B"
 	val-override-timestamp: "1442839270"
 	do-not-query-localhost: off

-stub-zone:
-	name: "."
+;stub-zone:
+;	name: "."
 	stub-addr: 127.0.0.1 	# ns.
 CONFIG_END


--- a/sets/resolver/nsec_ref_to_unsigned1.rpl
+++ b/sets/resolver/nsec_ref_to_unsigned1.rpl
 ; config options
 ; The island of trust is at example.com
-server:
+;server:
 	trust-anchor: "example.com.		IN DS 438 10 2 33F8133EB48EDB093839E985600EB7B7009EB5AC312D11CCA9007F6B 71D94D7B"
 	val-override-date: "20160308103040"
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.

--- a/sets/resolver/nsec_ref_to_unsigned2.rpl
+++ b/sets/resolver/nsec_ref_to_unsigned2.rpl
 ; config options