; config options
; Replay scenario for the testbound harness. It walks one resolution of
; x.y.example.com. (root prime, .com referral, example.com referral) whose
; authoritative answer carries an unsigned DNAME plus the matching CNAME and
; an A record for the CNAME target, all in the ANSWER section. The steps then
; check that the A record bundled behind the DNAME/CNAME chain is re-fetched
; rather than taken from that answer (steps 100-120), and that a second name
; under y.example.com. is sent to the server again instead of being answered
; from the cached DNAME (steps 200-250).
server:
	; No extra NS lookups for the delegation path (the commented-out steps
	; 62/63 and 82/83 below are the com./example.com. NS queries that would
	; otherwise appear - presumably what harden-referral-path adds).
	harden-referral-path: no
	; No separate fetches for nameserver addresses; only the queries listed
	; in the CHECK_OUT_QUERY steps may be sent.
	target-fetch-policy: "0 0 0 0 0"
	; The full qname x.y.example.com. is sent to every server (steps 40, 60, 80).
	qname-minimisation: "no"
	minimal-responses: no
	iter-scrub-promiscuous: no

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test scrub of insecure DNAME in answer section

; client query that drives the first resolution
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
x.y.example.com. IN A
ENTRY_END

; root prime is sent
STEP 20 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
. IN NS
ENTRY_END
STEP 30 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

; query sent to root server
STEP 40 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
x.y.example.com. IN A
ENTRY_END
; root answers with a referral to com.
STEP 50 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
x.y.example.com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; query sent to .com server
STEP 60 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
x.y.example.com. IN A
ENTRY_END

; Disabled: the NS lookup for com. that a hardened referral path would send.
; Kept commented so it can be re-enabled together with harden-referral-path.
; STEP 62 CHECK_OUT_QUERY
; ENTRY_BEGIN
; MATCH qname qtype opcode
; SECTION QUESTION
; com. IN NS
; ENTRY_END
; STEP 63 REPLY
; ENTRY_BEGIN
; MATCH opcode qtype qname
; ADJUST copy_id
; REPLY QR NOERROR
; SECTION QUESTION
; com. IN NS
; SECTION ANSWER
; com. IN NS a.gtld-servers.net.
; SECTION ADDITIONAL
; a.gtld-servers.net. IN A 192.5.6.30
; ENTRY_END

; .com answers with a referral to example.com.
; NOTE(review): 168.192.2.2 reads like a transposed 192.168.2.2, but it is
; used consistently throughout the scenario, so it is left as written.
STEP 70 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
x.y.example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ENTRY_END

; query sent to the example.com server
STEP 80 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
x.y.example.com. IN A
ENTRY_END

; Disabled: the NS lookup for example.com., see the note at step 62.
; STEP 82 CHECK_OUT_QUERY
; ENTRY_BEGIN
; MATCH qname qtype opcode
; SECTION QUESTION
; example.com. IN NS
; ENTRY_END
; STEP 83 REPLY
; ENTRY_BEGIN
; MATCH opcode qtype qname
; ADJUST copy_id
; REPLY QR NOERROR
; SECTION QUESTION
; example.com. IN NS
; SECTION ANSWER
; example.com. IN NS ns1.example.com.
; SECTION ADDITIONAL
; ns1.example.com. IN A 168.192.2.2
; ENTRY_END

; Authoritative answer under test: an unsigned DNAME at y.example.com., the
; CNAME it synthesizes, and an A record for the CNAME target carried along in
; the same ANSWER section. The bundled address is deliberately 10.20.30.0,
; different from what the target's own lookup returns in step 110, so any use
; of the bundled record would be visible in the final CHECK_ANSWER.
STEP 90 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
x.y.example.com. IN A
SECTION ANSWER
y.example.com. DNAME z.example.com.
x.y.example.com. IN CNAME x.z.example.com.
x.z.example.com. IN A 10.20.30.0
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ENTRY_END

; The resolver must look up the CNAME target itself rather than trust the A
; record that rode along behind the DNAME in step 90.
STEP 100 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
x.z.example.com. IN A
ENTRY_END
STEP 110 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
x.z.example.com. IN A
SECTION ANSWER
x.z.example.com. IN A 10.20.30.40
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ENTRY_END

; answer to first query (simply puts DNAME in cache)
; MATCH all ttl: the address must be 10.20.30.40 from step 110, never the
; 10.20.30.0 bundled in step 90.
STEP 120 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA
SECTION QUESTION
x.y.example.com. IN A
SECTION ANSWER
y.example.com. DNAME z.example.com.
x.y.example.com. IN CNAME x.z.example.com.
x.z.example.com. IN A 10.20.30.40
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ENTRY_END

; now, DNAME insecure from cache should not be used.
; new query
; other.y.example.com. also falls under the cached DNAME owner y.example.com.;
; step 210 requires the query to go out to the server, i.e. the cached DNAME
; is not used to synthesize the answer locally.
STEP 200 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
other.y.example.com. IN A
ENTRY_END

STEP 210 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
other.y.example.com. IN A
ENTRY_END
; Same shape as step 90: bundled target address 50.60.70.0 differs from the
; 50.60.70.80 returned by the target's own lookup in step 240.
STEP 220 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
other.y.example.com. IN A
SECTION ANSWER
y.example.com. DNAME z.example.com.
other.y.example.com. IN CNAME other.z.example.com.
other.z.example.com. IN A 50.60.70.0
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ENTRY_END

; CNAME target is fetched again, as in step 100
STEP 230 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode
SECTION QUESTION
other.z.example.com. IN A
ENTRY_END
STEP 240 REPLY
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
other.z.example.com. IN A
SECTION ANSWER
other.z.example.com. IN A 50.60.70.80
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ENTRY_END

; final answer carries 50.60.70.80 from step 240, not the bundled 50.60.70.0
STEP 250 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA
SECTION QUESTION
other.y.example.com. IN A
SECTION ANSWER
y.example.com. DNAME z.example.com.
other.y.example.com. IN CNAME other.z.example.com.
other.z.example.com. IN A 50.60.70.80
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ENTRY_END

SCENARIO_END