3 # put unbound.conf config options here.
# allow_snoop admits non-recursive queries (RD bit clear) as well as recursive
# ones, which exposes cache contents to the client (cache snooping). Here it is
# limited to the loopback address; the non-recursive queries later in this
# scenario presumably rely on it.
5 access-control: 127.0.0.1/32 allow_snoop #allow queries with or without RD bit
7 # DNSSEC trust anchor taken from a real world example. Used for
8 # DNSSEC-signed CNAME target.
# This is the key-signing key (flags 257); the mocked upstream DNSKEY answer
# further down carries the same key text.
9 trust-anchor: "infoblox.com. 172800 IN DNSKEY 257 3 5 AwEAAerW6xQkJIb5wxm48RoHD/LE8r/GzmdIGOam0lQczIth+I9ctltV dDJXz5BH8j4TOaOH1gBRCXhsPDyPom/eLEkdUuXNuhV6QnWGHOtz1fuY EO+kBqaI79jR0K31OmevR/H/F3C8gi4T6//6G9qsftvcl6m7+V1vI2+c cgxiiOlMrZZb4YAhue1+tRw57f3aVOSNtcrONO/Jffgb9jbDTKRi33oT fDznyPa1lCWMbuybr/LaCU0LP6fG4BII/FDWFi5rQxMHygWfscdYX06c eGUzHqiuNNGL8Jze6johni71T/hJGtLMozkY7qxOLfWBXOu9kr1MBQh5 6hfibOZMZJM="
10 # Use a fixed and faked date for DNSSEC validation to avoid run-time
11 # re-signing test signatures.
# val-override-date substitutes this timestamp for the current time when RRSIG
# inception and expiration are checked, so signatures that have long expired
# still validate. It is a debugging option for test fixtures; a resolver that
# serves real clients must leave it unset. The value falls inside the validity
# windows of the RRSIG records used in this scenario.
12 val-override-date: "20161001003725"
# Declare the tag names referenced by the local-zone-tag and access-control-tag
# lines. "ambiguous" is declared here but only used by the commented-out
# template further down.
14 define-tag: "cname cname2 nx servfail sec ambiguous"
# Give the loopback client every tag that has an active zone in this file.
15 access-control-tag: 127.0.0.1/32 "cname cname2 nx servfail sec"
# Tag-based policy stanzas. Each one declares a static local zone, labels it
# with a tag, and gives the loopback client a "redirect" action plus CNAME
# data for that tag. The CNAME is locally synthesized policy data, not a
# record obtained from (or signed by) the zone's real authority.
17 # Basic case: one CNAME whose target exists.
18 local-zone: example.com static
19 local-zone-tag: example.com "cname"
# NOTE(review): 127.0.0.1/32 already received a combined tag list on the
# earlier access-control-tag line; confirm how unbound treats a repeated
# access-control-tag entry for the same netblock (replace vs. merge).
20 access-control-tag: 127.0.0.1/32 "cname"
21 access-control-tag-action: 127.0.0.1/32 "cname" redirect
22 access-control-tag-data: 127.0.0.1/32 "cname" "CNAME example.org."
24 # Similar to the above, but different original query name.
25 local-zone: another.example.com static
26 local-zone-tag: another.example.com "cname2"
27 access-control-tag: 127.0.0.1/32 "cname2"
28 access-control-tag-action: 127.0.0.1/32 "cname2" redirect
29 access-control-tag-data: 127.0.0.1/32 "cname2" "CNAME example.org."
31 # CNAME target is expected to be nonexistent.
32 local-zone: nx.example.com static
33 local-zone-tag: nx.example.com "nx"
34 access-control-tag: 127.0.0.1/32 "nx"
35 access-control-tag-action: 127.0.0.1/32 "nx" redirect
36 access-control-tag-data: 127.0.0.1/32 "nx" "CNAME nx.example.org."
38 # Resolution of this CNAME target will result in SERVFAIL.
# No per-stanza access-control-tag line here; the client's "servfail" tag
# presumably comes from the combined list set earlier.
39 local-zone: servfail.example.com static
40 local-zone-tag: servfail.example.com "servfail"
41 access-control-tag-action: 127.0.0.1/32 "servfail" redirect
42 access-control-tag-data: 127.0.0.1/32 "servfail" "CNAME servfail.example.org."
44 # CNAME target is supposed to be DNSSEC-signed.
# As with "servfail", there is no per-stanza access-control-tag line. Only the
# target (www.infoblox.com.) is covered by the trust anchor; the CNAME itself
# is unsigned local data.
45 local-zone: sec.example.com static
46 local-zone-tag: sec.example.com "sec"
47 access-control-tag-action: 127.0.0.1/32 "sec" redirect
48 access-control-tag-data: 127.0.0.1/32 "sec" "CNAME www.infoblox.com."
50 # Test setup for non-tag based redirect
# This zone carries no tag and no access-control-tag-* lines, so the redirect
# is not tied to a client netblock the way the stanzas above are.
51 local-zone: example.net redirect
52 local-data: "example.net. IN CNAME cname.example.org."
# The ## lines below are a disabled template; the "ambiguous" tag is declared
# in define-tag but has no active zone in this listing.
54 ### template zone and tag intended to be used for tests with CNAME and
56 ##local-zone: ambiguous.example.com redirect
59 ##local-zone-tag: ambiguous.example.com "ambiguous"
60 ##access-control-tag-action: 127.0.0.1/32 "ambiguous" redirect
# All five depth values are zero: nameserver target addresses are fetched only
# on demand, never opportunistically -- presumably so the mocked upstream sees
# only the queries the scenario expects.
66 target-fetch-policy: "0 0 0 0 0"
68 # send the queries to the test server (see the 10.0.10.3 entries below)
# NOTE(review): the enclosing forward-zone header is not visible in this
# listing; confirm which zone name this forwarder applies to.
71 forward-addr: 10.0.10.3
74 ; short one-line description of scenario:
75 SCENARIO_BEGIN Test local-data CNAME aliases
77 ; Specification of the answers that the upstream server provides to unbound
80 ; put entries here with answers to specific qname, qtype
84 MATCH opcode qtype qname
88 infoblox.com. IN DNSKEY
90 infoblox.com. 172800 IN DNSKEY 256 3 5 AwEAAbi2VnVHFm5rO2EiawNWhTTRPPzaA+VEdpGOc+CtwIZq86C4Ndbp 0M7XTi0wru0Pgh54oGZ3ty9WllYEnVfoA1rcGwFJmAln7KKAuQP+dlGE yHPJYduAjG/JFA6Qq0zj18AmWgks+qvethASMm3PtihQkNytjmQWjiL6 6h8cQwFP
91 infoblox.com. 172800 IN DNSKEY 257 3 5 AwEAAerW6xQkJIb5wxm48RoHD/LE8r/GzmdIGOam0lQczIth+I9ctltV dDJXz5BH8j4TOaOH1gBRCXhsPDyPom/eLEkdUuXNuhV6QnWGHOtz1fuY EO+kBqaI79jR0K31OmevR/H/F3C8gi4T6//6G9qsftvcl6m7+V1vI2+c cgxiiOlMrZZb4YAhue1+tRw57f3aVOSNtcrONO/Jffgb9jbDTKRi33oT fDznyPa1lCWMbuybr/LaCU0LP6fG4BII/FDWFi5rQxMHygWfscdYX06c eGUzHqiuNNGL8Jze6johni71T/hJGtLMozkY7qxOLfWBXOu9kr1MBQh5 6hfibOZMZJM=
92 infoblox.com. 172800 IN RRSIG DNSKEY 5 2 172800 20161004003725 20160930000830 31651 infoblox.com. Ds7LZY2W59fq9cWgqi3W6so1NGFa7JdjO8zlhK3hGu2a2WG1W/rVftom rCf0gdI5q4BZJnq2o0SdLd/U7he1uWz8ATntEETiNs9/8G7myNK17wQu AN/+3gol+qT4DX0CA3Boz7Z+xFQbTwnnJJvGASa/1jPMIYU8DiyNx3Pe SSh9lbyU/4YI0mshn5ZC2HCFChxr+aVJxk4UHjaPfHhWwVu9oM4IbEfn KD9x4ltKjjy0pXMYqVlNs9+tG2nXdwr/6Q4G+yfRBAcW+cWeW5w4igxf xYFq4Y5gkZetGOReoNODZ9YC9WvcxBo+qY/iUN2k+lEFq+oL8+DthAGH uA1krw==
98 MATCH opcode qtype qname
102 www.infoblox.com. IN A
104 www.infoblox.com. 3600 IN A 161.47.10.70
105 www.infoblox.com. 3600 IN RRSIG A 5 3 3600 20161003223322 20160929221122 14916 infoblox.com. WbO9ydRAoRTPvdK18atTdLEkkMGoOjuwbcb6vVI0d6Sea3xkcBMNmtst Wdzr+pKEJqO2bfm167X6uhcOHanHZRnirlTnEbuTdsP0HCiIEGQD5iHg UNH2FJSKGNYBmgZKJpuLhDca7oqtkl8EyGA+UEt6Rtq6aW8V0wpkhPHi Pug='
112 MATCH opcode qtype qname
118 example.org. IN A 192.0.2.1
124 MATCH opcode qtype qname
128 cname.example.org. IN A
130 cname.example.org. IN A 192.0.2.2
136 MATCH opcode qtype qname
143 example.org. IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
148 MATCH opcode qtype qname
155 example.org. IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
161 MATCH opcode qtype qname
167 example.org. IN NS ns.example.
173 MATCH opcode qtype qname
177 servfail.example.org. IN A
183 ; end of entries with answers from upstream server
185 ; Steps where queries are sent, one at a time, to unbound.
186 ; QUERY is what the downstream client sends to unbound.
187 ; CHECK_ANSWER contains the response from unbound.
190 ; Basic case: both exact and subdomain matches result in the same CNAME
195 example.com. IN CNAME
198 ; For type-CNAME queries, the CNAME itself will be returned
202 REPLY QR RD RA AA NOERROR
204 example.com. IN CNAME
206 example.com. IN CNAME example.org.
215 alias.example.com. IN CNAME
218 ; For type-CNAME queries, the CNAME itself will be returned
222 REPLY QR RD RA AA NOERROR
224 alias.example.com. IN CNAME
226 alias.example.com. IN CNAME example.org.
231 ; Basic case: both exact and subdomain matches result in the same CNAME
232 ; For other types, a complete CNAME chain will have to be returned
243 REPLY QR RD RA AA NOERROR
247 example.com. IN CNAME example.org.
248 example.org. IN A 192.0.2.1
257 alias.example.com. IN A
263 REPLY QR RD RA AA NOERROR
265 alias.example.com. IN A
267 alias.example.com. IN CNAME example.org.
268 example.org. IN A 192.0.2.1
273 ; Basic case: both exact and subdomain matches result in the same CNAME.
274 ; The result is the same for non-recursive query as long as a
275 ; complete chain is cached.
283 STEP 100 CHECK_ANSWER
286 REPLY QR RA AA NOERROR
290 example.com. IN CNAME example.org.
291 example.org. IN A 192.0.2.1
300 alias.example.com. IN A
303 STEP 120 CHECK_ANSWER
306 REPLY QR RA AA NOERROR
308 alias.example.com. IN A
310 alias.example.com. IN CNAME example.org.
311 example.org. IN A 192.0.2.1
316 ; Similar to the above, but these are local-zone redirect, instead of
317 ; tag-based policies.
322 example.net. IN CNAME
325 ; For type-CNAME queries, the CNAME itself will be returned
326 STEP 140 CHECK_ANSWER
329 REPLY QR RD RA AA NOERROR
331 example.net. IN CNAME
333 example.net. IN CNAME cname.example.org.
342 alias.example.net. IN CNAME
345 ; For type-CNAME queries, the CNAME itself will be returned
346 STEP 160 CHECK_ANSWER
349 REPLY QR RD RA AA NOERROR
351 alias.example.net. IN CNAME
353 alias.example.net. IN CNAME cname.example.org.
365 STEP 180 CHECK_ANSWER
368 REPLY QR RD RA AA NOERROR
372 example.net. IN CNAME cname.example.org.
373 cname.example.org. IN A 192.0.2.2
382 alias.example.net. IN A
385 STEP 200 CHECK_ANSWER
388 REPLY QR RD RA AA NOERROR
390 alias.example.net. IN A
392 alias.example.net. IN CNAME cname.example.org.
393 cname.example.org. IN A 192.0.2.2
399 ; Relatively minor cases follow
401 ; query type doesn't exist for the CNAME target. The original query
402 ; succeeds with an "incomplete" chain only containing the CNAME.
410 STEP 220 CHECK_ANSWER
413 REPLY QR RD RA AA NOERROR
417 example.com. IN CNAME example.org.
419 example.org. 3600 IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
423 ; The CNAME target name doesn't exist. NXDOMAIN with the CNAME will
432 STEP 240 CHECK_ANSWER
435 REPLY QR RD RA AA NXDOMAIN
439 nx.example.com. IN CNAME nx.example.org.
441 example.org. 3600 IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
445 ; Resolution for the CNAME target will result in SERVFAIL. It will
446 ; be forwarded to the original query. The answer section should be
452 servfail.example.com. IN A
455 STEP 260 CHECK_ANSWER
458 REPLY QR RD RA SERVFAIL
460 servfail.example.com. IN A
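466 ; The CNAME target is DNSSEC-signed and it's validated. If the original
467 ; query set the DO bit, the RRSIGs will be included in the answer,
468 ; but the response should have the AD bit off: the leading CNAME comes from unsigned local policy data, so the answer as a whole is not authenticated.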
473 sec.example.com. IN A
476 STEP 280 CHECK_ANSWER
479 REPLY QR RD DO RA AA NOERROR
481 sec.example.com. IN A
483 sec.example.com. IN CNAME www.infoblox.com.
484 www.infoblox.com. 3600 IN A 161.47.10.70
485 www.infoblox.com. 3600 IN RRSIG A 5 3 3600 20161003223322 20160929221122 14916 infoblox.com. WbO9ydRAoRTPvdK18atTdLEkkMGoOjuwbcb6vVI0d6Sea3xkcBMNmtst Wdzr+pKEJqO2bfm167X6uhcOHanHZRnirlTnEbuTdsP0HCiIEGQD5iHg UNH2FJSKGNYBmgZKJpuLhDca7oqtkl8EyGA+UEt6Rtq6aW8V0wpkhPHi Pug='