; Check that cached NXDOMAIN replies for nameservers do not count towards the
; MAX_TARGET_NX limit.
;
; MAX_TARGET_NX is the limit this scenario drives the resolver into: after
; enough nameserver-name lookups for one client query end in NXDOMAIN, the
; query is answered SERVFAIL (STEP 14). SCENARIO_BEGIN below calls this the
; NXNS countermeasure. It stops a delegation that lists many nonexistent
; nameserver names from turning one client query into a long run of upstream
; lookups.
; The second half of the scenario pins the other side of that defence:
; NXDOMAINs already cached from the first query must not use up the budget of
; a later query, otherwise a resolvable name under the same delegation would
; fail for as long as the negative entries stay cached.

server:
	; Iterator only, no validator module is loaded for this test.
	module-config: "iterator"
	trust-anchor-signaling: no
	; NOTE(review): all-zero policy presumably limits nameserver address
	; lookups to on-demand ones so the reply count below is deterministic.
	; Confirm against the target-fetch-policy documentation.
	target-fetch-policy: "0 0 0 0 0"
	verbosity: 3
	access-control: 127.0.0.1 allow_snoop
	; Every scripted server in this file lives on 127.0.0.x.
	do-not-query-localhost: no
	; NOTE(review): the next three options presumably keep the query and
	; answer sequence predictable for the scripted steps. Confirm.
	qname-minimisation: no
	minimal-responses: no
	rrset-roundrobin: no
; example.com is served from 127.0.0.2. No RANGE exists for that address, its
; only reply is the scripted delegation at STEP 1.
stub-zone:
	name: "example.com"
	stub-addr: 127.0.0.2
; nameservers.com, the zone holding all twelve NS target names, is served
; from 127.0.0.3 (see the RANGE starting at step 31).
stub-zone:
	name: "nameservers.com"
	stub-addr: 127.0.0.3
CONFIG_END

SCENARIO_BEGIN Test that the NXNS countermeasure is not triggered for cached NXDOMAIN

; 127.0.0.1 is the address every nsN.nameservers.com name resolves to in the
; RANGE below. It holds the final answer for the second client query.
RANGE_BEGIN 0 100
	ADDRESS 127.0.0.1
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
b.a.example.com. IN A
SECTION ANSWER
b.a.example.com. IN A 127.0.0.0
ENTRY_END
RANGE_END

; Authoritative data for nameservers.com. The range starts at step 31, after
; all scripted NXDOMAIN replies (STEP 2-13 and STEP 21-30), so until then the
; nameserver lookups are answered only by those STEP REPLY entries.
RANGE_BEGIN 31 100
	ADDRESS 127.0.0.3
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns1.nameservers.com. IN A
SECTION ANSWER
ns1.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns2.nameservers.com. IN A
SECTION ANSWER
ns2.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns3.nameservers.com. IN A
SECTION ANSWER
ns3.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns4.nameservers.com. IN A
SECTION ANSWER
ns4.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns5.nameservers.com. IN A
SECTION ANSWER
ns5.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns6.nameservers.com. IN A
SECTION ANSWER
ns6.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns7.nameservers.com. IN A
SECTION ANSWER
ns7.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns8.nameservers.com. IN A
SECTION ANSWER
ns8.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns9.nameservers.com. IN A
SECTION ANSWER
ns9.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns10.nameservers.com. IN A
SECTION ANSWER
ns10.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns11.nameservers.com. IN A
SECTION ANSWER
ns11.nameservers.com. IN A 127.0.0.1
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns12.nameservers.com. IN A
SECTION ANSWER
ns12.nameservers.com. IN A 127.0.0.1
ENTRY_END

; Reply no-data to AAAA queries
; This entry matches any name at or below nameservers.com without looking at
; the qtype, and answers NOERROR with only an SOA in AUTHORITY. copy_query
; presumably replaces the placeholder question with the one from the incoming
; query. It is presumably reached only when none of the A entries above
; matched. Confirm the entry matching order with the testbound documentation.
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
nameservers.com. IN A
SECTION AUTHORITY
nameservers.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
RANGE_END

; Query for a domain
STEP 0 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
a.example.com. IN A
ENTRY_END

; Answer with delegation
; Twelve NS names, all under nameservers.com and none with glue, so each one
; needs its own address lookup before the delegation can be followed.
STEP 1 REPLY
ENTRY_BEGIN
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.example.com. IN A
SECTION AUTHORITY
a.example.com. IN NS ns1.nameservers.com.
a.example.com. IN NS ns2.nameservers.com.
a.example.com. IN NS ns3.nameservers.com.
a.example.com. IN NS ns4.nameservers.com.
a.example.com. IN NS ns5.nameservers.com.
a.example.com. IN NS ns6.nameservers.com.
a.example.com. IN NS ns7.nameservers.com.
a.example.com. IN NS ns8.nameservers.com.
a.example.com. IN NS ns9.nameservers.com.
a.example.com. IN NS ns10.nameservers.com.
a.example.com. IN NS ns11.nameservers.com.
a.example.com. IN NS ns12.nameservers.com.
ENTRY_END

; Reply NXDOMAIN to MAX_TARGET_NX queries(6) x2 (A+AAAA)
; STEP 2-13 are the twelve scripted NXDOMAIN replies. "a.query." is only a
; placeholder question. copy_query presumably makes each reply carry the
; question of the query it answers.
; NOTE(review): the figure 6 comes from this comment. The number of replies
; scripted here depends on it, so re-check it whenever MAX_TARGET_NX changes
; in the iterator.
; NOTE(review): only STEP 2 and STEP 3 carry an SOA in AUTHORITY, and the SOA
; names are written without a trailing dot. Confirm both are intentional.
STEP 2 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
SECTION AUTHORITY
example.com. IN SOA ns.example.com email.example.com 1 2 3 4 60
ENTRY_END
STEP 3 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
SECTION AUTHORITY
example.com. IN SOA ns.ns email.email 1 2 3 4 60
ENTRY_END
STEP 4 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 5 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 6 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 7 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 8 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 9 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 10 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 11 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 12 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 13 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END

; We should receive SERVFAIL because MAX_TARGET_NX was reached
; This is the countermeasure firing as designed: the first client query is
; abandoned instead of walking the remaining nameserver names.
STEP 14 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
a.example.com. IN A
ENTRY_END

; Query for another domain in the same delegation
; The NXDOMAIN results from STEP 2-13 are expected to be in the cache now.
; This second query must start with a fresh NXDOMAIN budget.
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
b.a.example.com. IN A
ENTRY_END

; We still have 6 NSes that Unbound didn't try to resolve
; Reply with NXDOMAIN for 5 of them
; STEP 21-30 are ten scripted replies, presumably an A and an AAAA lookup for
; each of the five names, as in the first round. That keeps this query below
; the limit on its own lookups. It would be over the limit only if the cached
; NXDOMAINs from the first query were counted as well.
STEP 21 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 22 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 23 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 24 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 25 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 26 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 27 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 28 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 29 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 30 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END

; Unbound will reach the upstream and get the answer for the final NS
; which has the answer for the client query.
; From step 31 the 127.0.0.3 RANGE is active, so the last nameserver name
; resolves to 127.0.0.1, whose RANGE serves b.a.example.com.

; A NOERROR answer here is the pass condition. SERVFAIL would mean the cached
; NXDOMAINs were charged against this query.
STEP 40 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
b.a.example.com. IN A
SECTION ANSWER
b.a.example.com. IN A 127.0.0.0
ENTRY_END

; Allow for possible pending NS query (AAAA) to get answered
STEP 41 TRAFFIC

SCENARIO_END