From: W.C.A. Wijngaards Date: Fri, 8 Mar 2024 13:10:06 +0000 (+0100) Subject: - Fix validator classification of qtype DNAME for positive and X-Git-Tag: release-1.20.0rc1~78 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2a255076f509c3e89960aa42bf957cf2212f08cc;p=thirdparty%2Funbound.git - Fix validator classification of qtype DNAME for positive and redirection answers, and fix validator signature routine for dealing with the synthesized CNAME for a DNAME without previously encountering it and also for when the qtype is DNAME. --- diff --git a/doc/Changelog b/doc/Changelog index 797c602bb..4369a671a 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -3,6 +3,10 @@ are long enough for newer OpenSSL versions. - Fix TTL of synthesized CNAME when a DNAME is used from cache. - Remove unused portion from iter_dname_ttl unit test. + - Fix validator classification of qtype DNAME for positive and + redirection answers, and fix validator signature routine for dealing + with the synthesized CNAME for a DNAME without previously + encountering it and also for when the qtype is DNAME. 7 March 2024: Wouter - Version set to 1.19.3 for release. After 1.19.2 point release with diff --git a/testdata/val_cnameqtype.rpl b/testdata/val_cnameqtype.rpl index 05ef47426..abca7bcfa 100644 --- a/testdata/val_cnameqtype.rpl +++ b/testdata/val_cnameqtype.rpl @@ -3,6 +3,7 @@ server: trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" trust-anchor: "example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}" + trust-anchor: "foo.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}" val-override-date: "20070916134226" target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" 
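Review bot: The `foo.net.` trust anchor added to the `server:` block of testdata/val_cnameqtype.rpl carries exactly the same DNSKEY as the `example.net.` anchor on the line above it (id 30899), and nothing in the file says this is deliberate. Someone auditing the fixture cannot tell shared test key material from a copy-paste slip. A comment above the new line would settle it, for example `; foo.net is signed with the same test ZSK as example.net (id 30899)`. The `server:` block begins above this hunk.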
@@ -17,7 +18,7 @@ CONFIG_END SCENARIO_BEGIN Test validator with a query for type cname ; K.ROOT-SERVERS.NET. -RANGE_BEGIN 0 100 +RANGE_BEGIN 0 1000 ADDRESS 193.0.14.129 ENTRY_BEGIN MATCH opcode qtype qname @@ -44,11 +45,11 @@ a.gtld-servers.net. IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.net. IN CNAME +net. IN A SECTION AUTHORITY net. IN NS a.gtld-servers.net. SECTION ADDITIONAL @@ -57,7 +58,7 @@ ENTRY_END RANGE_END ; a.gtld-servers.net. -RANGE_BEGIN 0 100 +RANGE_BEGIN 0 1000 ADDRESS 192.5.6.30 ENTRY_BEGIN MATCH opcode qtype qname @@ -94,21 +95,33 @@ example.com. IN NS ns.example.com. SECTION ADDITIONAL ns.example.com. IN A 1.2.3.4 ENTRY_END + ENTRY_BEGIN -MATCH opcode qtype qname -ADJUST copy_id +MATCH opcode subdomain +ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -www.example.net. IN A +example.net. IN A SECTION AUTHORITY example.net. IN NS ns.example.net. SECTION ADDITIONAL ns.example.net. IN A 1.2.3.5 ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +foo.net. IN NS +SECTION AUTHORITY +foo.net. IN NS ns.example.com. +ENTRY_END + RANGE_END ; ns.example.com. -RANGE_BEGIN 0 100 +RANGE_BEGIN 0 1000 ADDRESS 1.2.3.4 ENTRY_BEGIN MATCH opcode qtype qname 
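Review bot: The referral entries rewritten to `MATCH opcode subdomain` with `ADJUST copy_id copy_query` use inconsistent placeholder questions: `net. IN A`, `example.net. IN A` and, in the new entry of the `@@ -94,21 +95,33 @@` hunk, `foo.net. IN NS`. Since the match line no longer lists `qtype` and the question is copied from the query, the qtype written there appears to have no effect, which is not obvious to a reader. Using one qtype for all three and adding a comment such as `; qtype is a placeholder: subdomain match compares the name only, copy_query echoes the query` would make the intent clear. The enclosing RANGE blocks start and end outside these hunks.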
@@ -155,10 +168,167 @@ www.example.com. 3600 IN RRSIG CNAME DSA 3 3600 20070926134150 SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www2.example.com. IN A +SECTION ANSWER +www2.example.com. 3600 IN CNAME www.example.net. +www2.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AGgh6pDCL7VF0uJablClW7cgvsPuNzpHZ+M7nZIwi61+0RPhFZLHcN4= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo.test-dname.example.com. IN CNAME +SECTION ANSWER +test-dname.example.com. 3600 IN DNAME example.net. +test-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0= +foo.test-dname.example.com. 3600 IN CNAME foo.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www3.example.com. IN A +SECTION ANSWER +www3.example.com. 3600 IN CNAME www3.foo.net. +www3.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AFCgCmBh9ZhKJj6AqJAaai8Xwrp9nVYP/yyg4RglHEHb7LlIKED93Ic= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www3.foo.net. IN A +SECTION ANSWER +www3.foo.net. IN A 12.13.14.15 +www3.foo.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 foo.net. y50vzw6pCWNmM4y1LNbc37htWGvjxKzdV/JS5ONdFWUQelbDx5YrD91m9U88ItIpwQiGKJWQBwNgHzVKW7iF2A== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +www4.example.com. IN CNAME +SECTION ANSWER +www4.example.com. 3600 IN CNAME www4.foo.net. +www4.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AA/PJO3mDuDAGQHZ2nb52q3SG0vTp0RcshM09InjZlGTIwHPIYcuizw= +SECTION AUTHORITY +foo.net. 
IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +www4.foo.net. IN CNAME +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +www5.example.com. IN A +SECTION ANSWER +www5.example.com. 3600 IN CNAME www5.foo.net. +www5.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI= +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 
2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +www5.foo.net. IN A +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +sea.foo.net. 3600 IN NSEC ur.foo.net. A AAAA RRSIG NSEC +sea.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +cup.h-dname.example.com. IN CNAME +SECTION ANSWER +h-dname.example.com. 3600 IN DNAME tea.foo.net. +h-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0= +cup.h-dname.example.com. 3600 IN CNAME cup.tea.foo.net. +SECTION AUTHORITY +foo.net. 
IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +sea.foo.net. 3600 IN NSEC ur.foo.net. A AAAA RRSIG NSEC +sea.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +cup.tea.foo.net. IN CNAME +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +sea.foo.net. 3600 IN NSEC ur.foo.net. A AAAA RRSIG NSEC +sea.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo.net. IN DNSKEY +SECTION ANSWER +foo.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +foo.net. 3600 IN RRSIG DNSKEY 5 2 3600 20070926134150 20070829134150 30899 foo.net. 
FLWrxrEnMpKoUDf+mbHGKSQ9OYloJs1eVbxkQaTSfJSLnLzOS0MLflMfbH1nC+Fk8idN7Aw07P5S9Ez1/fAb4w== +ENTRY_END + RANGE_END ; ns.example.net. -RANGE_BEGIN 0 100 +RANGE_BEGIN 0 1000 ADDRESS 1.2.3.5 ENTRY_BEGIN MATCH opcode qtype qname @@ -207,6 +377,7 @@ SECTION ADDITIONAL ENTRY_END RANGE_END +; Test qtype CNAME, answer from upstream. STEP 1 QUERY ENTRY_BEGIN REPLY RD DO 
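Review bot: In the `@@ -155,10 +168,167 @@` hunk, the NXDOMAIN entry for `www5.foo.net. IN A` carries `sea.foo.net. 3600 IN NSEC ur.foo.net.`, which does not cover `www5.foo.net.` in canonical order (sea < ur < www5). The `www4.foo.net.` entry and the `www5.example.com. IN A` entry both use `van.foo.net. 3600 IN NSEC xix.foo.net.`, which does cover it. STEP 150 expects the van/xix record, so this mismatched denial may never reach the validator (inferred from the expected answer, not from resolver code). A DNSSEC fixture should still carry a proof that holds, so replace the sea/ur NSEC and its RRSIG in this entry with the van/xix pair already used for `www4.foo.net.`. The same entry is copied into testdata/val_dnameqtype.rpl and needs the same correction.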
@@ -228,4 +399,229 @@ SECTION AUTHORITY SECTION ADDITIONAL ENTRY_END +; Test qtype CNAME, answer from cache after A query. +; perform the A query that gets the CNAME in cache. +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www2.example.com. IN A +ENTRY_END + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +www2.example.com. IN A +SECTION ANSWER +www2.example.com. 3600 IN CNAME www.example.net. +www2.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AGgh6pDCL7VF0uJablClW7cgvsPuNzpHZ+M7nZIwi61+0RPhFZLHcN4= +www.example.net. IN A 11.12.13.14 +www.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. CPxF5hK9Kg5eT7W6LgZwr0ePYEm9HMcSY4vvqCS6gDWB4X9jvXLCfBkCLhsNybPBpGWlsLi5wM6MTdJXuPpsRA== ;{id = 30899} +ENTRY_END + +; now query for type CNAME, that is in cache. +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www2.example.com. IN CNAME +ENTRY_END + +STEP 50 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +www2.example.com. IN CNAME +SECTION ANSWER +www2.example.com. 3600 IN CNAME www.example.net. +www2.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AGgh6pDCL7VF0uJablClW7cgvsPuNzpHZ+M7nZIwi61+0RPhFZLHcN4= +ENTRY_END + +; Test qtype CNAME, answer DNAME from upstream. +STEP 60 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +foo.test-dname.example.com. IN CNAME +ENTRY_END + +STEP 70 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +foo.test-dname.example.com. IN CNAME +SECTION ANSWER +test-dname.example.com. 3600 IN DNAME example.net. +test-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0= +foo.test-dname.example.com. 3600 IN CNAME foo.example.net. 
+ENTRY_END + +; Test qtype CNAME, answer DNAME from cached DNAME record. +STEP 80 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +foo2.test-dname.example.com. IN CNAME +ENTRY_END + +STEP 90 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +foo2.test-dname.example.com. IN CNAME +SECTION ANSWER +test-dname.example.com. 3600 IN DNAME example.net. +test-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0= +foo2.test-dname.example.com. 3600 IN CNAME foo2.example.net. +ENTRY_END + +; Test first a simple A query, that connects example.com to foo.net. +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www3.example.com. IN A +ENTRY_END + +STEP 110 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +www3.example.com. IN A +SECTION ANSWER +www3.example.com. 3600 IN CNAME www3.foo.net. +www3.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AFCgCmBh9ZhKJj6AqJAaai8Xwrp9nVYP/yyg4RglHEHb7LlIKED93Ic= +www3.foo.net. IN A 12.13.14.15 +www3.foo.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 foo.net. y50vzw6pCWNmM4y1LNbc37htWGvjxKzdV/JS5ONdFWUQelbDx5YrD91m9U88ItIpwQiGKJWQBwNgHzVKW7iF2A== +ENTRY_END + +; Test qtype CNAME, but the upstream responds that there is NXDOMAIN, +; it can do this because it has the zone loaded at the name after the CNAME, +; in the zone foo.net. and it chases the CNAME. +STEP 120 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www4.example.com. IN CNAME +ENTRY_END + +STEP 130 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +www4.example.com. IN CNAME +SECTION ANSWER +www4.example.com. 3600 IN CNAME www4.foo.net. +www4.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. 
AA/PJO3mDuDAGQHZ2nb52q3SG0vTp0RcshM09InjZlGTIwHPIYcuizw= +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +; Test, first pull a CNAME to NXDOMAIN in cache with an A query and then use +; it for qtype CNAME. +STEP 140 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www5.example.com. IN A +ENTRY_END + +STEP 150 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +www5.example.com. IN A +SECTION ANSWER +www5.example.com. 3600 IN CNAME www5.foo.net. +www5.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI= +SECTION AUTHORITY +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. 
pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +ENTRY_END + +STEP 160 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www5.example.com. IN CNAME +ENTRY_END + +STEP 170 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +www5.example.com. IN CNAME +SECTION ANSWER +www5.example.com. 3600 IN CNAME www5.foo.net. +www5.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI= +ENTRY_END + +; Test, qtype CNAME, but it is a DNAME and the upstream server can respond +; with NXDOMAIN, it can do this because the foo.net zone is also loaded by +; the server and it looks in the other zone. +STEP 180 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +cup.h-dname.example.com. IN CNAME +ENTRY_END + +STEP 190 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +cup.h-dname.example.com. IN CNAME +SECTION ANSWER +h-dname.example.com. 3600 IN DNAME tea.foo.net. +h-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0= +cup.h-dname.example.com. 3600 IN CNAME cup.tea.foo.net. +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +sea.foo.net. 3600 IN NSEC ur.foo.net. A AAAA RRSIG NSEC +sea.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. 
w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +; Test, first pull a DNAME in cache and then use it for qtype CNAME to an +; NXDOMAIN. +STEP 200 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +cup2.h-dname.example.com. IN CNAME +ENTRY_END + +STEP 210 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +cup2.h-dname.example.com. IN CNAME +SECTION ANSWER +h-dname.example.com. 3600 IN DNAME tea.foo.net. +h-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0= +cup2.h-dname.example.com. 3600 IN CNAME cup2.tea.foo.net. +ENTRY_END + SCENARIO_END diff --git a/testdata/val_dnameqtype.rpl b/testdata/val_dnameqtype.rpl new file mode 100644 index 000000000..74cc45ec2 --- /dev/null +++ b/testdata/val_dnameqtype.rpl 
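Review bot: The comment before STEP 200 says the cached DNAME is used "to an NXDOMAIN", but STEP 210 asserts `REPLY QR RD RA AD DO NOERROR`, while the upstream-answered case in STEP 190 asserts NXDOMAIN for the same kind of name. STEPs 150 and 170 show the same rcode split for `www5.example.com.` and have no comment at all. Presumably the cached path returns NOERROR because a qtype CNAME answer built from cache does not chase the target. State that in the scenario so the differing rcodes read as intended behaviour, for example `; answered from the cached DNAME: the target is not chased for qtype CNAME, so rcode is NOERROR, unlike the upstream reply in STEP 190`, with a matching line before STEP 160.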
@@ -0,0 +1,689 @@ +; config options +; The island of trust is at example.com +server: + trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" + trust-anchor: "example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}" + trust-anchor: "foo.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}" + val-override-date: "20070916134226" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test validator with a query for type dname + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 1000 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +net. IN A +SECTION AUTHORITY +net. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 1000 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +net. IN NS +SECTION ANSWER +net. 
IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.net. IN A +SECTION AUTHORITY +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +ns.example.net. IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +foo.net. IN NS +SECTION AUTHORITY +foo.net. IN NS ns.example.com. +ENTRY_END + +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; response to DNSKEY priming query +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} +example.com. 
3600 IN RRSIG DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854} +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; response to query of interest +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN DNAME +SECTION ANSWER +www.example.com. IN DNAME www.example.net. +www.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKXpbBNiurXv6oFOFQJv5rASdxpoWp2WV1j4ZdJAJ1f48cOkBM2oiEE= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www2.example.com. IN DNAME +SECTION ANSWER +www2.example.com. 3600 IN DNAME www.example.net. +www2.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ABu2/f8Ec9BfUkWVid/ufoIjTuS1iZ/zQ5qeF5GiKxPDu//bP2eTgmI= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +fore.www2.example.com. IN A +SECTION ANSWER +www2.example.com. 3600 IN DNAME www.example.net. +www2.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ABu2/f8Ec9BfUkWVid/ufoIjTuS1iZ/zQ5qeF5GiKxPDu//bP2eTgmI= +fore.www2.example.com. IN CNAME fore.www.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo.test-dname.example.com. IN DNAME +SECTION ANSWER +test-dname.example.com. 3600 IN DNAME example.net. +test-dname.example.com. 
3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0= +foo.test-dname.example.com. 3600 IN CNAME foo.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www3.example.com. IN A +SECTION ANSWER +www3.example.com. 3600 IN CNAME www3.foo.net. +www3.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AFCgCmBh9ZhKJj6AqJAaai8Xwrp9nVYP/yyg4RglHEHb7LlIKED93Ic= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www3.foo.net. IN A +SECTION ANSWER +www3.foo.net. IN A 12.13.14.15 +www3.foo.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 foo.net. y50vzw6pCWNmM4y1LNbc37htWGvjxKzdV/JS5ONdFWUQelbDx5YrD91m9U88ItIpwQiGKJWQBwNgHzVKW7iF2A== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +www4.example.com. IN DNAME +SECTION ANSWER +www4.example.com. 3600 IN CNAME www4.foo.net. +www4.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AA/PJO3mDuDAGQHZ2nb52q3SG0vTp0RcshM09InjZlGTIwHPIYcuizw= +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. 
w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +www4.foo.net. IN DNAME +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +www5.example.com. IN A +SECTION ANSWER +www5.example.com. 3600 IN CNAME www5.foo.net. +www5.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI= +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. 
w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +www5.foo.net. IN A +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +sea.foo.net. 3600 IN NSEC ur.foo.net. A AAAA RRSIG NSEC +sea.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +cup.h-dname.example.com. IN DNAME +SECTION ANSWER +h-dname.example.com. 3600 IN DNAME tea.foo.net. +h-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0= +cup.h-dname.example.com. 3600 IN CNAME cup.tea.foo.net. +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +sea.foo.net. 3600 IN NSEC ur.foo.net. A AAAA RRSIG NSEC +sea.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 
3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NXDOMAIN +SECTION QUESTION +cup.tea.foo.net. IN DNAME +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +sea.foo.net. 3600 IN NSEC ur.foo.net. A AAAA RRSIG NSEC +sea.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo.net. IN DNSKEY +SECTION ANSWER +foo.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +foo.net. 3600 IN RRSIG DNSKEY 5 2 3600 20070926134150 20070829134150 30899 foo.net. FLWrxrEnMpKoUDf+mbHGKSQ9OYloJs1eVbxkQaTSfJSLnLzOS0MLflMfbH1nC+Fk8idN7Aw07P5S9Ez1/fAb4w== +ENTRY_END + +RANGE_END + +; ns.example.net. +RANGE_BEGIN 0 1000 + ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.net. IN NS +SECTION ANSWER +example.net. IN NS ns.example.net. +example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899} +SECTION ADDITIONAL +ns.example.net. 
IN A 1.2.3.5 +ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899} +ENTRY_END + +; response to DNSKEY priming query +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.net. IN DNSKEY +SECTION ANSWER +example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b} +example.net. 3600 IN RRSIG DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899} +SECTION AUTHORITY +example.net. IN NS ns.example.net. +example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899} +SECTION ADDITIONAL +ns.example.net. IN A 1.2.3.5 +ns.example.net. 3600 IN RRSIG A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899} +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo.example.net. IN DNAME +SECTION ANSWER +foo.example.net. IN DNAME lower.example.net. +foo.example.net. 3600 IN RRSIG DNAME 5 3 3600 20070926134150 20070829134150 30899 example.net. OZLH158CkKbQZOkBCof7oLzy8sbtDI3/BHEOqBeYZzcfHHfHS9L4qJBII5uO+x8yB/DTkFEhdL5WZV2IjRlkNQ== +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +foo2.example.net. IN DNAME +SECTION ANSWER +foo2.example.net. IN DNAME lower.example.net. +foo2.example.net. 3600 IN RRSIG DNAME 5 3 3600 20070926134150 20070829134150 30899 example.net. 
xth0C1DoNubf4PpjkS0tgo6O7yzaLPuTKB2yTNFM1iZRm5pd0o3eo/upvfG2SwqfzimgvM1eDyK06QX/R7Enfw== +ENTRY_END + +; response to query of interest +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.net. IN A +SECTION ANSWER +www.example.net. IN A 11.12.13.14 +www.example.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 example.net. CPxF5hK9Kg5eT7W6LgZwr0ePYEm9HMcSY4vvqCS6gDWB4X9jvXLCfBkCLhsNybPBpGWlsLi5wM6MTdJXuPpsRA== ;{id = 30899} +SECTION AUTHORITY +SECTION ADDITIONAL +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +fore.www.example.net. IN A +SECTION ANSWER +fore.www.example.net. IN A 11.12.13.15 +fore.www.example.net. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 example.net. D1axzzs2olCCMQUQchy4ZRs8oefSdLpiIlhPsF1Y5GTTLHKKs6H14tm3FrRTLUIb2FzZywHX0Hl+pfoB/lG2qQ== +SECTION AUTHORITY +SECTION ADDITIONAL +ENTRY_END +RANGE_END + +; Test qtype DNAME, answer from upstream. +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN DNAME +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +www.example.com. IN DNAME +SECTION ANSWER +www.example.com. IN DNAME www.example.net. +www.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKXpbBNiurXv6oFOFQJv5rASdxpoWp2WV1j4ZdJAJ1f48cOkBM2oiEE= +ENTRY_END + +; Test qtype DNAME, answer from cache after A query. +; perform the A query that gets the DNAME in cache. +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +fore.www2.example.com. IN A +ENTRY_END + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +fore.www2.example.com. IN A +SECTION ANSWER +www2.example.com. 3600 IN DNAME www.example.net. +www2.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. 
ABu2/f8Ec9BfUkWVid/ufoIjTuS1iZ/zQ5qeF5GiKxPDu//bP2eTgmI= +fore.www2.example.com. IN CNAME fore.www.example.net. +fore.www.example.net. IN A 11.12.13.15 +fore.www.example.net. 3600 IN RRSIG A 5 4 3600 20070926134150 20070829134150 30899 example.net. D1axzzs2olCCMQUQchy4ZRs8oefSdLpiIlhPsF1Y5GTTLHKKs6H14tm3FrRTLUIb2FzZywHX0Hl+pfoB/lG2qQ== +ENTRY_END + +; now query for type DNAME, that is in cache. +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www2.example.com. IN DNAME +ENTRY_END + +STEP 50 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +www2.example.com. IN DNAME +SECTION ANSWER +www2.example.com. 3600 IN DNAME www.example.net. +www2.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ABu2/f8Ec9BfUkWVid/ufoIjTuS1iZ/zQ5qeF5GiKxPDu//bP2eTgmI= +ENTRY_END + +; Test qtype DNAME, answer DNAME from upstream. +STEP 60 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +foo.test-dname.example.com. IN DNAME +ENTRY_END + +STEP 70 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +foo.test-dname.example.com. IN DNAME +SECTION ANSWER +test-dname.example.com. 3600 IN DNAME example.net. +test-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0= +foo.test-dname.example.com. 3600 IN CNAME foo.example.net. +foo.example.net. IN DNAME lower.example.net. +foo.example.net. 3600 IN RRSIG DNAME 5 3 3600 20070926134150 20070829134150 30899 example.net. OZLH158CkKbQZOkBCof7oLzy8sbtDI3/BHEOqBeYZzcfHHfHS9L4qJBII5uO+x8yB/DTkFEhdL5WZV2IjRlkNQ== +ENTRY_END + +; Test qtype DNAME, answer DNAME from cached DNAME record. +STEP 80 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +foo2.test-dname.example.com. IN DNAME +ENTRY_END + +STEP 90 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +foo2.test-dname.example.com. 
IN DNAME +SECTION ANSWER +test-dname.example.com. 3600 IN DNAME example.net. +test-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0= +foo2.test-dname.example.com. 3600 IN CNAME foo2.example.net. +foo2.example.net. IN DNAME lower.example.net. +foo2.example.net. 3600 IN RRSIG DNAME 5 3 3600 20070926134150 20070829134150 30899 example.net. xth0C1DoNubf4PpjkS0tgo6O7yzaLPuTKB2yTNFM1iZRm5pd0o3eo/upvfG2SwqfzimgvM1eDyK06QX/R7Enfw== +ENTRY_END + +; Test first a simple A query, that connects example.com to foo.net. +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www3.example.com. IN A +ENTRY_END + +STEP 110 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NOERROR +SECTION QUESTION +www3.example.com. IN A +SECTION ANSWER +www3.example.com. 3600 IN CNAME www3.foo.net. +www3.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AFCgCmBh9ZhKJj6AqJAaai8Xwrp9nVYP/yyg4RglHEHb7LlIKED93Ic= +www3.foo.net. IN A 12.13.14.15 +www3.foo.net. 3600 IN RRSIG A 5 3 3600 20070926134150 20070829134150 30899 foo.net. y50vzw6pCWNmM4y1LNbc37htWGvjxKzdV/JS5ONdFWUQelbDx5YrD91m9U88ItIpwQiGKJWQBwNgHzVKW7iF2A== +ENTRY_END + +; Test qtype DNAME, but the upstream responds that there is NXDOMAIN, +; it can do this because it has the zone loaded at the name after the CNAME, +; in the zone foo.net. and it chases the query there. +STEP 120 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www4.example.com. IN DNAME +ENTRY_END + +STEP 130 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +www4.example.com. IN DNAME +SECTION ANSWER +www4.example.com. 3600 IN CNAME www4.foo.net. +www4.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AA/PJO3mDuDAGQHZ2nb52q3SG0vTp0RcshM09InjZlGTIwHPIYcuizw= +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 
2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +; Test, first pull a CNAME to NXDOMAIN in cache with an A query and then use +; it for qtype DNAME. +STEP 140 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www5.example.com. IN A +ENTRY_END + +STEP 150 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +www5.example.com. IN A +SECTION ANSWER +www5.example.com. 3600 IN CNAME www5.foo.net. +www5.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI= +SECTION AUTHORITY +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. 
pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +ENTRY_END + +STEP 160 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www5.example.com. IN DNAME +ENTRY_END + +STEP 170 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +www5.example.com. IN DNAME +SECTION ANSWER +www5.example.com. 3600 IN CNAME www5.foo.net. +www5.example.com. 3600 IN RRSIG CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI= +SECTION AUTHORITY +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +van.foo.net. 3600 IN NSEC xix.foo.net. A AAAA RRSIG NSEC +van.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw== +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +ENTRY_END + +; Test, qtype DNAME, but it is under a DNAME and the upstream server can +; respond with NXDOMAIN, it can do this because the foo.net zone is also +; loaded by the server and it looks in the other zone. +STEP 180 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +cup.h-dname.example.com. IN DNAME +ENTRY_END + +STEP 190 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +cup.h-dname.example.com. IN DNAME +SECTION ANSWER +h-dname.example.com. 3600 IN DNAME tea.foo.net. +h-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0= +cup.h-dname.example.com. 
3600 IN CNAME cup.tea.foo.net. +SECTION AUTHORITY +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +sea.foo.net. 3600 IN NSEC ur.foo.net. A AAAA RRSIG NSEC +sea.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ== +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +ENTRY_END + +; Test, first pull a DNAME in cache and then use it for qtype DNAME to an +; NXDOMAIN. +STEP 200 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +cup2.h-dname.example.com. IN DNAME +ENTRY_END + +STEP 210 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AD DO NXDOMAIN +SECTION QUESTION +cup2.h-dname.example.com. IN DNAME +SECTION ANSWER +h-dname.example.com. 3600 IN DNAME tea.foo.net. +h-dname.example.com. 3600 IN RRSIG DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0= +cup2.h-dname.example.com. 3600 IN CNAME cup2.tea.foo.net. +SECTION AUTHORITY +foo.net. 3600 IN NSEC bank.foo.net. NS SOA RRSIG NSEC DNSKEY +foo.net. 3600 IN RRSIG NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg== +sea.foo.net. 3600 IN NSEC ur.foo.net. A AAAA RRSIG NSEC +sea.foo.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ== +foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600 +foo.net. 
3600 IN RRSIG SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ== +ENTRY_END + +SCENARIO_END diff --git a/validator/val_utils.c b/validator/val_utils.c index c316183a9..a7db41dad 100644 --- a/validator/val_utils.c +++ b/validator/val_utils.c @@ -118,7 +118,30 @@ val_classify_response(uint16_t query_flags, struct query_info* origqinf, * ANY responses are validated differently. */ if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY) return VAL_CLASS_ANY; - + + /* For the query type DNAME, the name matters. Equal name is the + * answer looked for, but a subdomain redirects the query. */ + if(qinf->qtype == LDNS_RR_TYPE_DNAME) { + for(i=skip; ian_numrrsets; i++) { + if(rcode == LDNS_RCODE_NOERROR && + ntohs(rep->rrsets[i]->rk.type) + == LDNS_RR_TYPE_DNAME && + query_dname_compare(qinf->qname, + rep->rrsets[i]->rk.dname) == 0) { + /* type is DNAME and name is equal, it is + * the answer. For the query name a subdomain + * of the rrset.dname it would redirect. */ + return VAL_CLASS_POSITIVE; + } + if(ntohs(rep->rrsets[i]->rk.type) + == LDNS_RR_TYPE_CNAME) + return VAL_CLASS_CNAME; + } + log_dns_msg("validator: error. failed to classify response message: ", + qinf, rep); + return VAL_CLASS_UNKNOWN; + } + /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless * qtype=CNAME, this will yield a CNAME response. */ for(i=skip; ian_numrrsets; i++) { 
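Review bot: In the new qtype DNAME branch of val_classify_response, the redirect case named in the block comment has no test of its own. A DNAME rrset owned by an ancestor of the qname matches neither `if`, so the response is classified only by the CNAME rrset that follows it, and otherwise ends at the error log and `VAL_CLASS_UNKNOWN`. The same applies to a DNAME at the qname when the rcode is not NOERROR, because the first test requires `rcode == LDNS_RCODE_NOERROR`. I would state this above the CNAME test, for example `/* a DNAME above the qname is not matched itself; the CNAME synthesized from it classifies the redirect */`. Whether an answer holding such a DNAME without a CNAME can reach this point depends on code outside the hunk, as do the start and end of the function.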
@@ -231,6 +254,21 @@ val_find_signer(enum val_classification subtype, struct query_info* qinf, rep->rrsets[i]->rk.dname) == 0) { val_find_rrset_signer(rep->rrsets[i], signer_name, signer_len); + /* If there was no signer, and the query + * was for type CNAME, and this is a CNAME, + * and the previous is a DNAME, then this + * is the synthesized CNAME, use the signer + * of the DNAME record. */ + if(*signer_name == NULL && + qinf->qtype == LDNS_RR_TYPE_CNAME && + ntohs(rep->rrsets[i]->rk.type) == + LDNS_RR_TYPE_CNAME && i > skip && + ntohs(rep->rrsets[i-1]->rk.type) == + LDNS_RR_TYPE_DNAME && + dname_strict_subdomain_c(rep->rrsets[i]->rk.dname, rep->rrsets[i-1]->rk.dname)) { + val_find_rrset_signer(rep->rrsets[i-1], + signer_name, signer_len); + } return; } } diff --git a/validator/validator.c b/validator/validator.c index aa71df9cb..15ae13a39 100644 --- a/validator/validator.c +++ b/validator/validator.c @@ -621,7 +621,6 @@ prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq, * @param vq: validator query state. * @param env: module env for verify. * @param ve: validator env for verify. - * @param qchase: query that was made. * @param chase_reply: answer to validate. * @param key_entry: the key entry, which is trusted, and which matches * the signer of the answer. The key entry isgood(). @@ -632,7 +631,7 @@ prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq, */ static int validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq, - struct module_env* env, struct val_env* ve, struct query_info* qchase, + struct module_env* env, struct val_env* ve, struct reply_info* chase_reply, struct key_entry_key* key_entry, int* suspend) { 
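Review bot: The fallback added to val_find_signer repeats the synthesized-CNAME shape test (a CNAME directly after a DNAME, with an owner that is a strict subdomain of the DNAME owner) that this commit also adds to validate_msg_signatures in validator/validator.c. The two presumably have to stay in agreement so that the signer picked here belongs to the rrset that is later accepted. A cross-reference would help the next change keep them in step, for example `/* same shape as the synthesized-CNAME test in validate_msg_signatures() */`. The `dname_strict_subdomain_c(...)` line is also much wider than its neighbours and would read better wrapped after the first argument. If the DNAME carries no signature either, `*signer_name` stays NULL; how the caller treats that is outside the hunk, as is the enclosing loop.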
@@ -640,7 +639,7 @@ validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq, size_t i, slen; struct ub_packed_rrset_key* s; enum sec_status sec; - int dname_seen = 0, num_verifies = 0, verified, have_state = 0; + int num_verifies = 0, verified, have_state = 0; char* reason = NULL; sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS; *suspend = 0; @@ -658,9 +657,13 @@ validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq, /* Skip the CNAME following a (validated) DNAME. * Because of the normalization routines in the iterator, * there will always be an unsigned CNAME following a DNAME - * (unless qtype=DNAME). */ - if(dname_seen && ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) { - dname_seen = 0; + * (unless qtype=DNAME in the answer part). */ + if(i>0 && ntohs(chase_reply->rrsets[i-1]->rk.type) == + LDNS_RR_TYPE_DNAME && + ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME && + ((struct packed_rrset_data*)chase_reply->rrsets[i-1]->entry.data)->security == sec_status_secure && + dname_strict_subdomain_c(s->rk.dname, chase_reply->rrsets[i-1]->rk.dname) + ) { /* CNAME was synthesized by our own iterator */ /* since the DNAME verified, mark the CNAME as secure */ ((struct packed_rrset_data*)s->entry.data)->security = @@ -691,12 +694,6 @@ validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq, return 0; } - /* Notice a DNAME that should be followed by an unsigned - * CNAME. */ - if(qchase->qtype != LDNS_RR_TYPE_DNAME && - ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME) { - dname_seen = 1; - } num_verifies += verified; if(num_verifies > MAX_VALIDATE_AT_ONCE && i+1 < (env->cfg->val_clean_additional? 
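Review bot: In the `@@ -658,9 +657,13 @@` hunk, the branch that marks a CNAME secure without verifying a signature compares record types, the previous rrset's security status and the owner names, but not the CNAME target against what the preceding DNAME would produce. The comment attributes that guarantee to the iterator's normalization, which is not visible here, so I would record the dependency next to the test, for example `/* target is not re-derived here; relies on the iterator having synthesized this CNAME */`. Reading the previous rrset into a local first (`prev = chase_reply->rrsets[i-1];`) would shorten the cast line and make this trust decision easier to audit. The loop header and the rest of validate_msg_signatures lie outside the hunk.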
@@ -2186,7 +2183,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq, /* check signatures in the message; * answer and authority must be valid, additional is only checked. */ - if(!validate_msg_signatures(qstate, vq, qstate->env, ve, &vq->qchase, + if(!validate_msg_signatures(qstate, vq, qstate->env, ve, vq->chase_reply, vq->key_entry, &suspend)) { if(suspend) { if(!validate_suspend_setup_timer(qstate, vq,