; config options
server:
	answer-cookie: yes
	cookie-secret: "000102030405060708090a0b0c0d0e0f"
	access-control: 127.0.0.1 allow_cookie
	access-control: 1.2.3.4 allow
	local-data: "test. TXT test"

CONFIG_END

SCENARIO_BEGIN Test downstream DNS Cookies

; Note: When a valid hash was required, it was generated by running this test
; with an invalid one and checking the output for the valid one.
; Actual hash generation is tested with unit tests.

; Query without a client cookie ...
STEP 0 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
ENTRY_END
; ... get TC and refused
STEP 1 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA TC REFUSED
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query without a client cookie on TCP ...
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
MATCH TCP
SECTION QUESTION
test. IN TXT
ENTRY_END
; ... get an answer
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with only a client cookie ...
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a                    ; Opcode 10
00 08                    ; Length 8
31 32 33 34 35 36 37 38  ; Random bits
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query with an invalid cookie ...
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a                    ; Opcode 10
00 18                    ; Length 24
31 32 33 34 35 36 37 38  ; Random bits
02 00 00 00              ; wrong version
00 00 00 00              ; Timestamp
31 32 33 34 35 36 37 38  ; wrong hash
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie
STEP 31 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query with an invalid cookie from a non-cookie protected address ...
STEP 40 QUERY ADDRESS 1.2.3.4
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a                    ; Opcode 10
00 18                    ; Length 24
31 32 33 34 35 36 37 38  ; Random bits
02 00 00 00              ; wrong version
00 00 00 00              ; Timestamp
31 32 33 34 35 36 37 38  ; wrong hash
HEX_EDNSDATA_END
ENTRY_END
; ... get answer and a cookie
STEP 41 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with a valid cookie ...
STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a                    ; Opcode 10
00 18                    ; Length 24
31 32 33 34 35 36 37 38  ; Random bits
01 00 00 00              ; Version/Reserved
00 00 00 00              ; Timestamp
38 52 7b a8 c6 a4 ea 96  ; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get answer and the cookie
STEP 51 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with a valid >30 minutes old cookie ...
STEP 59 TIME_PASSES ELAPSE 1801
STEP 60 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a                    ; Opcode 10
00 18                    ; Length 24
31 32 33 34 35 36 37 38  ; Random bits
01 00 00 00              ; Version/Reserved
00 00 00 00              ; Timestamp
38 52 7b a8 c6 a4 ea 96  ; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... Get answer and a refreshed cookie
; (we don't check the re-freshness here; it has its own unit test)
STEP 61 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with a hash-valid >60 minutes old cookie ...
STEP 69 TIME_PASSES ELAPSE 3601
STEP 70 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a                    ; Opcode 10
00 18                    ; Length 24
31 32 33 34 35 36 37 38  ; Random bits
01 00 00 00              ; Version/Reserved
00 00 07 09              ; Timestamp (1801)
77 81 38 e3 8f aa 72 86  ; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie
STEP 71 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query with a valid future (<5 minutes) cookie ...
STEP 80 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 0a                    ; Opcode 10
00 18                    ; Length 24
31 32 33 34 35 36 37 38  ; Random bits
01 00 00 00              ; Version/Reserved
00 00 16 45              ; Timestamp (1801 + 3601 + 299)
4a f5 0f df f0 e8 c7 09  ; Hash
HEX_EDNSDATA_END
ENTRY_END
; ... get an answer
STEP 81 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

SCENARIO_END
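The cookie layout and the time windows that the steps above exercise (client cookie only, wrong version, more than 30 minutes old, more than 60 minutes old, less than 5 minutes in the future), as an added Python example that is not part of this scenario or of Unbound's source: it assumes the RFC 9018 version-1 server-cookie layout with SipHash-2-4 over client cookie, version/reserved/timestamp and the client's address (127.0.0.1 here, a constructed input), and does not claim to reproduce the hash bytes recorded above.

```python
import hmac
import ipaddress

MASK = (1 << 64) - 1

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK

def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK; v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK; v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3

def siphash24(key, msg):
    """SipHash-2-4 with a 16-byte key; returns the 8-byte little-endian tag."""
    k0, k1 = int.from_bytes(key[:8], "little"), int.from_bytes(key[8:], "little")
    v = (k0 ^ 0x736F6D6570736575, k1 ^ 0x646F72616E646F6D,
         k0 ^ 0x6C7967656E657261, k1 ^ 0x7465646279746573)
    full = len(msg) - len(msg) % 8
    blocks = [int.from_bytes(msg[i:i + 8], "little") for i in range(0, full, 8)]
    blocks.append(((len(msg) & 0xFF) << 56) | int.from_bytes(msg[full:], "little"))
    for m in blocks:                      # two compression rounds per 8-byte block
        v = _sipround(v[0], v[1], v[2], v[3] ^ m)
        v = _sipround(*v)
        v = (v[0] ^ m,) + v[1:]
    v = (v[0], v[1], v[2] ^ 0xFF, v[3])   # finalization: four rounds
    for _ in range(4):
        v = _sipround(*v)
    return (v[0] ^ v[1] ^ v[2] ^ v[3]).to_bytes(8, "little")

def server_cookie(secret, client_cookie, timestamp, client_ip):
    """Version-1 server cookie: 01 + 3 reserved bytes + 32-bit timestamp + SipHash-2-4 tag (assumed RFC 9018 layout)."""
    head = b"\x01\x00\x00\x00" + timestamp.to_bytes(4, "big")
    return head + siphash24(secret, client_cookie + head + ipaddress.ip_address(client_ip).packed)

def check_cookie(secret, option_data, client_ip, now):
    """Classify an EDNS option-10 payload: 'BADCOOKIE', 'VALID', or 'VALID_REFRESH' (hash ok, older than 30 min)."""
    if len(option_data) != 24:            # client cookie only (STEP 20) or malformed length
        return "BADCOOKIE"
    client, head, tag = option_data[:8], option_data[8:16], option_data[16:]
    if head[0] != 1:                      # unsupported version byte (STEP 30)
        return "BADCOOKIE"
    expected = siphash24(secret, client + head + ipaddress.ip_address(client_ip).packed)
    if not hmac.compare_digest(tag, expected):
        return "BADCOOKIE"
    age = now - int.from_bytes(head[4:], "big")   # small test values, so no serial arithmetic
    if age > 3600 or age < -300:          # older than 1 hour (STEP 70) or more than 5 min in the future
        return "BADCOOKIE"
    return "VALID_REFRESH" if age > 1800 else "VALID"   # STEP 60 versus STEP 50 / STEP 80
```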