3 harden-referral-path: no
4 target-fetch-policy: "0 0 0 0 0"
8 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
11 SCENARIO_BEGIN Test scrub of insecure DNAME in answer section
14 RANGE_BEGIN 0 10000000
17 MATCH qname qtype opcode
23 . IN NS K.ROOT-SERVERS.NET.
25 K.ROOT-SERVERS.NET. IN A 193.0.14.129
29 MATCH qname qtype opcode
35 shortloop. IN TXT "shortloop end"
39 MATCH qname qtype opcode
43 K.ROOT-SERVERS.NET. IN A
45 K.ROOT-SERVERS.NET. IN A 193.0.14.129
49 MATCH qname qtype opcode
53 K.ROOT-SERVERS.NET. IN AAAA
58 MATCH subdomain opcode
59 ADJUST copy_id copy_query
64 com. IN NS a.gtld-servers.net.
66 a.gtld-servers.net. IN A 192.5.6.30
70 MATCH subdomain opcode
71 ADJUST copy_id copy_query
76 net. IN NS a.gtld-servers.net.
78 a.gtld-servers.net. IN A 192.5.6.30
82 MATCH subdomain opcode
83 ADJUST copy_id copy_query
88 x. IN NS a.gtld-servers.net.
90 a.gtld-servers.net. IN A 192.5.6.30
94 MATCH opcode subdomain
95 ADJUST copy_id copy_query
100 long. IN NS a.gtld-servers.net.
102 a.gtld-servers.net. IN A 192.5.6.30
106 MATCH opcode subdomain
107 ADJUST copy_id copy_query
110 60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS
112 60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS a.gtld-servers.net.
114 a.gtld-servers.net. IN A 192.5.6.30
118 MATCH qname qtype opcode
122 a.gtld-servers.net. IN A
124 a.gtld-servers.net. IN A 192.5.6.30
128 MATCH qname qtype opcode
132 a.gtld-servers.net. IN AAAA
136 ; end of root infrastructure
138 ; a.gtld-servers.net. (com. net. x.)
139 RANGE_BEGIN 0 10000000
142 MATCH qname qtype opcode
146 a.gtld-servers.net. IN A
148 a.gtld-servers.net. IN A 192.5.6.30
152 MATCH qname qtype opcode
156 a.gtld-servers.net. IN AAAA
161 MATCH qname qtype opcode
167 com. IN NS a.gtld-servers.net.
169 a.gtld-servers.net. IN A 192.5.6.30
173 MATCH qname qtype opcode
179 net. IN NS a.gtld-servers.net.
181 a.gtld-servers.net. IN A 192.5.6.30
185 MATCH opcode subdomain
186 ADJUST copy_id copy_query
191 example.com. IN NS ns1.example.com.
193 ns1.example.com. IN A 168.192.2.2
197 MATCH opcode subdomain
198 ADJUST copy_id copy_query
203 example.net. IN NS ns1.example.net.
205 ns1.example.net. IN A 168.192.3.3
209 MATCH qname qtype opcode
215 x. IN NS a.gtld-servers.net.
217 a.gtld-servers.net. IN A 192.5.6.30
221 MATCH qname qtype opcode
229 a.gtld-servers.net. IN A 192.5.6.30
234 ADJUST copy_id copy_query
237 shortloop.x.x. IN CNAME
240 shortloop.x.x. IN CNAME shortloop.x.
241 shortloop.x. IN CNAME shortloop.
246 ADJUST copy_id copy_query
249 shortloop.x. IN CNAME
252 shortloop.x. IN CNAME shortloop.
256 MATCH qname qtype opcode
260 60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS
262 60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS a.gtld-servers.net.
264 a.gtld-servers.net. IN A 192.5.6.30
268 MATCH qname qtype opcode
274 long. IN NS a.gtld-servers.net.
276 a.gtld-servers.net. IN A 192.5.6.30
279 ; DNAME at zone apex, allowed by RFC 6672 section 2.3
281 MATCH qname qtype opcode
287 long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
291 MATCH qname qtype opcode
297 long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
298 x.long. 3600 IN CNAME x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
299 x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. 3600 IN A 192.0.2.1
303 MATCH qname qtype opcode
307 x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN A
309 x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. 3600 IN A 192.0.2.1
314 ADJUST copy_id copy_query
319 long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
322 ; end of a.gtld-servers.net.
324 ; RFC 6672 section 2.2. The DNAME Substitution table tests
325 ;# QNAME owner DNAME target result
326 ;-- ---------------- -------------- -------------- -----------------
327 ;1 com. example.com. example.net. <no match>
328 ;2 example.com. example.com. example.net. [0]
329 ;3 a.example.com. example.com. example.net. a.example.net.
330 ;4 a.b.example.com. example.com. example.net. a.b.example.net.
331 ;5 ab.example.com. b.example.com. example.net. <no match>
332 ;6 foo.example.com. example.com. example.net. foo.example.net.
333 ;7 a.x.example.com. x.example.com. example.net. a.example.net.
334 ;8 a.example.com. example.com. y.example.net. a.y.example.net.
335 ;9 cyc.example.com. example.com. example.com. cyc.example.com.
336 ;10 cyc.example.com. example.com. c.example.com. cyc.c.example.com.
337 ;11 shortloop.x.x. x. . shortloop.x.
338 ;12 shortloop.x. x. . shortloop.
340 ; [0] The result depends on the QTYPE. If the QTYPE = DNAME, then
341 ; the result is "example.com.", else "<no match>".
343 ; Table 1. DNAME Substitution Examples
345 ; line no. 1 is mostly for authoritative server
346 ; line no. 2 QTYPE != DNAME
354 STEP 220202 CHECK_ANSWER
361 example.com. IN NS ns1.example.com.
363 ns1.example.com. 0 IN A 168.192.2.2
366 ; line no. 2 QTYPE == DNAME
371 example.com. IN DNAME
374 STEP 220204 CHECK_ANSWER
379 example.com. IN DNAME
381 example.com. IN DNAME example.net.
385 ;# QNAME owner DNAME target result
386 ;-- ---------------- -------------- -------------- -----------------
387 ;3 a.example.com. example.com. example.net. a.example.net.
396 STEP 220302 CHECK_ANSWER
403 example.com. IN DNAME example.net.
404 a.example.com. IN CNAME a.example.net.
405 a.example.net. IN A 10.0.0.97
408 ;# QNAME owner DNAME target result
409 ;-- ---------------- -------------- -------------- -----------------
410 ;4 a.b.example.com. example.com. example.net. a.b.example.net.
416 a.b.example.com. IN A
419 STEP 220402 CHECK_ANSWER
424 a.b.example.com. IN A
426 example.com. IN DNAME example.net.
427 a.b.example.com. IN CNAME a.b.example.net.
428 a.b.example.net. IN A 10.0.97.98
431 ;# QNAME owner DNAME target result
432 ;-- ---------------- -------------- -------------- -----------------
433 ;5 ab.example.com. b.example.com. example.net. <no match>
434 ;6 foo.example.com. example.com. example.net. foo.example.net.
436 ; line no. 5 is mostly for authoritative server
437 ; line no. 6 is basically the same as line no. 3
440 RANGE_BEGIN 220000 220699
443 MATCH opcode qtype qname
449 example.com. IN NS ns1.example.com.
451 ns1.example.com. IN A 168.192.2.2
455 MATCH opcode qtype qname
459 ns1.example.com. IN A
461 ns1.example.com. IN A 168.192.2.2
465 MATCH opcode qtype qname
469 ns1.example.com. IN AAAA
475 MATCH opcode qtype qname
479 example.com. IN DNAME
481 example.com. IN DNAME example.net.
486 MATCH opcode qtype qname
492 example.com. IN DNAME example.net.
493 a.example.com. IN CNAME a.example.net.
498 MATCH opcode qtype qname
502 a.b.example.com. IN A
504 example.com. IN DNAME example.net.
505 a.b.example.com. IN CNAME a.b.example.net.
508 ; end of ns1.example.com.
511 ;# QNAME owner DNAME target result
512 ;-- ---------------- -------------- -------------- -----------------
513 ;7 a.x.example.com. x.example.com. example.net. a.example.net.
519 a.x.example.com. IN A
522 STEP 220702 CHECK_ANSWER
527 a.x.example.com. IN A
529 x.example.com. IN DNAME example.net.
530 a.x.example.com. IN CNAME a.example.net.
531 a.example.net. IN A 10.0.0.97
535 RANGE_BEGIN 220700 220799
538 MATCH opcode qtype qname
544 example.com. IN NS ns1.example.com.
546 ns1.example.com. IN A 168.192.2.2
550 MATCH opcode qtype qname
554 ns1.example.com. IN A
556 ns1.example.com. IN A 168.192.2.2
560 MATCH opcode qtype qname
564 ns1.example.com. IN AAAA
570 MATCH opcode qtype qname
574 example.com. IN DNAME
576 x.example.com. IN DNAME example.net.
580 MATCH opcode qtype qname
584 a.x.example.com. IN A
586 x.example.com. IN DNAME example.net.
587 a.x.example.com. IN CNAME a.example.net.
590 ; end of ns1.example.com.
592 ;# QNAME owner DNAME target result
593 ;-- ---------------- -------------- -------------- -----------------
594 ;8 a.example.com. example.com. y.example.net. a.y.example.net.
596 ; a.example.com. was renamed to a2.example.com. to avoid cache clashes
597 ; on the synthesized CNAME (caching CNAMEs is allowed by RFC 6672 section 3.4)
606 STEP 220802 CHECK_ANSWER
613 example.com. IN DNAME y.example.net.
614 a2.example.com. IN CNAME a2.y.example.net.
615 a2.y.example.net. IN A 10.97.50.121
619 RANGE_BEGIN 220800 220899
622 MATCH opcode qtype qname
628 example.com. IN NS ns1.example.com.
630 ns1.example.com. IN A 168.192.2.2
634 MATCH opcode qtype qname
638 ns1.example.com. IN A
640 ns1.example.com. IN A 168.192.2.2
644 MATCH opcode qtype qname
648 ns1.example.com. IN AAAA
654 MATCH opcode qtype qname
658 example.com. IN DNAME
660 example.com. IN DNAME y.example.net.
664 MATCH opcode qtype qname
670 example.com. IN DNAME y.example.net.
671 a2.example.com. IN CNAME a2.y.example.net.
674 ; end of ns1.example.com.
677 ;# QNAME owner DNAME target result
678 ;-- ---------------- -------------- -------------- -----------------
679 ;9 cyc.example.com. example.com. example.com. cyc.example.com.
685 cyc.example.com. IN A
688 ; Expected result is defined by RFC 1034 section 3.6.2:
689 ; CNAME chains should be followed and CNAME loops signalled as an error
690 STEP 220902 CHECK_ANSWER
696 cyc.example.com. IN A
698 example.com. 0 IN DNAME example.com.
699 cyc.example.com. 0 IN CNAME cyc.example.com.
703 RANGE_BEGIN 220900 220999
706 MATCH opcode qtype qname
712 example.com. IN NS ns1.example.com.
714 ns1.example.com. IN A 168.192.2.2
718 MATCH opcode qtype qname
722 ns1.example.com. IN A
724 ns1.example.com. IN A 168.192.2.2
728 MATCH opcode qtype qname
732 ns1.example.com. IN AAAA
738 MATCH opcode qtype qname
742 example.com. IN DNAME
744 example.com. IN DNAME example.com.
748 MATCH opcode qtype qname
752 cyc.example.com. IN A
754 example.com. IN DNAME example.com.
755 cyc.example.com. IN CNAME cyc.example.com.
758 ; end of ns1.example.com.
760 ;# QNAME owner DNAME target result
761 ;-- ---------------- -------------- -------------- -----------------
762 ;10 cyc.example.com. example.com. c.example.com. cyc.c.example.com.
764 ; cyc.example.com. was renamed to cyc2.example.com. to avoid cache clashes
765 ; on the synthesized CNAME (caching CNAMEs is allowed by RFC 6672 section 3.4)
767 ; target c.example.com. was renamed to cyc2.example.net.
768 ; to limit number of pre-canned answers required for the test
774 cyc2.example.com. IN A
777 ; Expected result is defined by RFC 1034 section 3.6.2:
778 ; CNAME chains should be followed and CNAME loops signalled as an error
779 STEP 221002 CHECK_ANSWER
782 REPLY QR RD RA DO SERVFAIL
784 cyc2.example.com. IN A
788 RANGE_BEGIN 221000 221099
791 MATCH opcode qtype qname
797 example.com. IN NS ns1.example.com.
799 ns1.example.com. IN A 168.192.2.2
803 MATCH opcode qtype qname
807 ns1.example.com. IN A
809 ns1.example.com. IN A 168.192.2.2
813 MATCH opcode qtype qname
817 ns1.example.com. IN AAAA
823 MATCH opcode qtype qname
827 example.com. IN DNAME
829 example.com. IN DNAME cyc2.example.net.
833 MATCH opcode qtype qname
837 cyc2.example.com. IN A
839 example.com. IN DNAME cyc2.example.net.
840 cyc2.example.com. IN CNAME cyc2.cyc2.example.net.
843 ; end of ns1.example.com.
845 ;# QNAME owner DNAME target result
846 ;-- ---------------- -------------- -------------- -----------------
847 ;11 shortloop.x.x. x. . shortloop.x.
856 STEP 221102 CHECK_ANSWER
861 shortloop.x.x. IN TXT
864 shortloop.x.x. IN CNAME shortloop.x.
866 shortloop.x. IN CNAME shortloop.
867 shortloop. IN TXT "shortloop end"
870 ;# QNAME owner DNAME target result
871 ;-- ---------------- -------------- -------------- -----------------
872 ;12 shortloop.x. x. . shortloop.
874 ; expire potentially cached CNAMEs for shortloop.x. from cache
875 STEP 221200 TIME_PASSES ELAPSE 10000
884 STEP 221202 CHECK_ANSWER
892 shortloop.x. IN CNAME shortloop.
893 shortloop. IN TXT "shortloop end"
897 ; ns1.example.net. (data shared by whole 22xxxx range)
898 RANGE_BEGIN 220000 229999
901 MATCH opcode qtype qname
907 example.net. IN NS ns1.example.net.
909 example.net. IN A 168.192.3.3
913 MATCH opcode qtype qname
917 ns1.example.net. IN A
919 ns1.example.net. IN A 168.192.3.3
923 MATCH opcode qtype qname
927 ns1.example.net. IN AAAA
933 MATCH opcode qtype qname
939 a.example.net. IN A 10.0.0.97
944 MATCH opcode qtype qname
948 a.b.example.net. IN A
950 a.b.example.net. IN A 10.0.97.98
954 MATCH opcode qtype qname
958 a2.y.example.net. IN A
960 a2.y.example.net. IN A 10.97.50.121
965 MATCH opcode qtype qname
969 cyc2.example.net. IN DNAME
971 cyc2.example.net. IN DNAME example.com.
975 MATCH opcode qtype qname
979 cyc2.cyc2.example.net. IN A
981 cyc2.example.net. IN DNAME example.com.
982 cyc2.cyc2.example.com. IN CNAME cyc2.example.com.
985 ; end of ns1.example.net.
988 ; RFC 6672 section 2.2: YXDOMAIN is answered when the result of the substitution is too long
989 ; RFC 6672 section 2.3: DNAME can be at zone apex: zone apex = long.
997 ; query returning maximal permissible length - should work
998 STEP 229002 CHECK_ANSWER
1005 long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
1006 x.long. 3600 IN CNAME x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
1007 x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. 3600 IN A 192.0.2.1
1010 ; the name resulting from the substitution is too long
1011 ; YXDOMAIN should be propagated to the client
1012 ; Unbound returns SERVFAIL here: https://www.ietf.org/mail-archive/web/dnsext/current/msg11282.html
1021 ; STEP 229004 CHECK_ANSWER
1028 ; long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
1031 ; YXDOMAIN should work even if the cache is empty
1032 STEP 229005 TIME_PASSES ELAPSE 4000
1041 ; STEP 229007 CHECK_ANSWER
1048 ; long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.