- Fix #1234: shortening DNAME loop produces duplicate DNAME records

  in ANSWER section.

git-svn-id: file:///svn/unbound/trunk@4047 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index d071462400bbff807ef0578e376d8653b3dbc49c..ea6d80f1bc8a672a7a92bd18f6eb642f67e03eba 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+10 March 2017: Wouter
+       - Fix #1234: shortening DNAME loop produces duplicate DNAME records
+         in ANSWER section.
+
 9 March 2017: Wouter
        - --disable-sha1 disables SHA1 support in RRSIG, so from DNSKEY and
          DS records.  NSEC3 is not disabled.

diff --git a/iterator/iterator.c b/iterator/iterator.c
index 99ce96f384ee75f10d4d1c31c6e359df93921a7b..ed8c25099ccd7445f8b7cb18df8e4cc78c8cfeae 100644 (file)
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -372,6 +372,29 @@ iter_prepend(struct iter_qstate* iq, struct dns_msg* msg,
        return 1;
 }
 
+/**
+ * Find rrset in ANSWER prepend list.
+ * to avoid duplicate DNAMEs when a DNAME is traversed twice.
+ * @param iq: iterator query state.
+ * @param rrset: rrset to add.
+ * @return false if not found
+ */
+static int
+iter_find_rrset_in_prepend_answer(struct iter_qstate* iq,
+       struct ub_packed_rrset_key* rrset)
+{
+       struct iter_prep_list* p = iq->an_prepend_list;
+       while(p) {
+               if(ub_rrset_compare(p->rrset, rrset) == 0 &&
+                       rrsetdata_equal((struct packed_rrset_data*)p->rrset
+                       ->entry.data, (struct packed_rrset_data*)rrset
+                       ->entry.data))
+                       return 1;
+               p = p->next;
+       }
+       return 0;
+}
+
 /**
  * Add rrset to ANSWER prepend list
  * @param qstate: query state.
@@ -454,14 +477,16 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
                 * by this DNAME following, so we don't process the DNAME 
                 * directly.  */
                if(ntohs(r->rk.type) == LDNS_RR_TYPE_DNAME &&
-                       dname_strict_subdomain_c(*mname, r->rk.dname)) {
+                       dname_strict_subdomain_c(*mname, r->rk.dname) &&
+                       !iter_find_rrset_in_prepend_answer(iq, r)) {
                        if(!iter_add_prepend_answer(qstate, iq, r))
                                return 0;
                        continue;
                }
 
                if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
-                       query_dname_compare(*mname, r->rk.dname) == 0) {
+                       query_dname_compare(*mname, r->rk.dname) == 0 &&
+                       !iter_find_rrset_in_prepend_answer(iq, r)) {
                        /* Add this relevant CNAME rrset to the prepend list.*/
                        if(!iter_add_prepend_answer(qstate, iq, r))
                                return 0;

diff --git a/testcode/testpkts.c b/testcode/testpkts.c
index 163c51d506ad1b3ac29d95105b0d4abe83db21c6..e47184ab2f6ec69376f8b3736bd07821d91a4b85 100644 (file)
--- a/testcode/testpkts.c
+++ b/testcode/testpkts.c
@@ -1128,6 +1128,9 @@ match_all(uint8_t* q, size_t qlen, uint8_t* p, size_t plen, int mttl,
                /* check for reordered sections */
                r = match_noloc(qstr, pstr, q, qlen, p, plen);
        }
+       if(!r) {
+               verbose(3, "mismatch pkt '%s' and '%s'", qstr, pstr);
+       }
        free(qstr);
        free(pstr);
        free(qb);

diff --git a/testdata/iter_dname_insec.rpl b/testdata/iter_dname_insec.rpl
new file mode 100644 (file)
index 0000000..ba2d18d
--- /dev/null
+++ b/testdata/iter_dname_insec.rpl
@@ -0,0 +1,1051 @@
+; config options
+server:
+       harden-referral-path: no
+       target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+        name: "."
+       stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test scrub of insecure DNAME in answer section
+
+; root infrastucture
+RANGE_BEGIN 0 10000000
+       ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+shortloop. IN TXT
+SECTION ANSWER
+shortloop. IN TXT "shortloop end"
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+K.ROOT-SERVERS.NET. IN A
+SECTION ANSWER
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+K.ROOT-SERVERS.NET. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH subdomain opcode
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN A
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH subdomain opcode
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN A
+SECTION AUTHORITY
+net. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH subdomain opcode
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+x. IN A
+SECTION AUTHORITY
+x. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+long. IN NS
+SECTION AUTHORITY
+long. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS
+SECTION AUTHORITY
+60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a.gtld-servers.net. IN A
+SECTION ANSWER
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a.gtld-servers.net. IN AAAA
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+; end of root infrastucture
+
+; a.gtld-servers.net. (com. net. x.)
+RANGE_BEGIN 0 10000000
+       ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a.gtld-servers.net. IN A
+SECTION ANSWER
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a.gtld-servers.net. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION AUTHORITY
+net. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION AUTHORITY
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION AUTHORITY
+example.net. IN NS ns1.example.net.
+SECTION ADDITIONAL
+ns1.example.net. IN A 168.192.3.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x. IN NS
+SECTION AUTHORITY
+x. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x. IN DNAME
+SECTION AUTHORITY
+x. IN DNAME .
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+shortloop.x.x. IN CNAME
+SECTION ANSWER
+x. DNAME .
+shortloop.x.x. IN CNAME shortloop.x.
+shortloop.x. IN CNAME shortloop.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+shortloop.x. IN CNAME
+SECTION ANSWER
+x. DNAME .
+shortloop.x. IN CNAME shortloop.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS
+SECTION AUTHORITY
+60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+long. IN NS
+SECTION AUTHORITY
+long. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+; DNAME at zone apex, allowed by RFC 6672 section 2.3
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+long. IN DNAME
+SECTION ANSWER
+long.                  3600    IN      DNAME   63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.long. IN A
+SECTION ANSWER
+long.                  3600    IN      DNAME   63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
+x.long.                        3600    IN      CNAME   x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
+x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. 3600    IN      A       192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname qtype opcode
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN A
+SECTION ANSWER
+x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. 3600    IN      A       192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH qname opcode
+ADJUST copy_id copy_query
+REPLY QR YXDOMAIN
+SECTION QUESTION
+too.long. IN A
+SECTION ANSWER
+long.                  3600    IN      DNAME   63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
+ENTRY_END
+RANGE_END
+; end of a.gtld-servers.net.
+
+; RFC 6672 section 2.2. The DNAME Substitution table tests
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;1  com.             example.com.   example.net.   <no match>
+;2  example.com.     example.com.   example.net.   [0]
+;3  a.example.com.   example.com.   example.net.   a.example.net.
+;4  a.b.example.com. example.com.   example.net.   a.b.example.net.
+;5  ab.example.com.  b.example.com. example.net.   <no match>
+;6  foo.example.com. example.com.   example.net.   foo.example.net.
+;7  a.x.example.com. x.example.com. example.net.   a.example.net.
+;8  a.example.com.   example.com.   y.example.net. a.y.example.net.
+;9  cyc.example.com. example.com.   example.com.   cyc.example.com.
+;10 cyc.example.com. example.com.   c.example.com. cyc.c.example.com.
+;11 shortloop.x.x.   x.             .              shortloop.x.
+;12 shortloop.x.     x.             .              shortloop.
+;
+;  [0] The result depends on the QTYPE.  If the QTYPE = DNAME, then
+;      the result is "example.com.", else "<no match>".
+;
+;                  Table 1. DNAME Substitution Examples
+
+; line no. 1 is mostly for authoritative server
+; line no. 2 QTYPE != DNAME
+STEP 220201 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+example.com. IN NS
+ENTRY_END
+
+STEP 220202 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com.        0       IN      A       168.192.2.2
+ENTRY_END
+
+; line no. 2 QTYPE == DNAME
+STEP 220203 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+example.com. IN DNAME
+ENTRY_END
+
+STEP 220204 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+SECTION QUESTION
+example.com. IN DNAME
+SECTION ANSWER
+example.com. IN DNAME example.net.
+ENTRY_END
+
+
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;3  a.example.com.   example.com.   example.net.   a.example.net.
+
+STEP 220301 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+a.example.com. IN A
+ENTRY_END
+
+STEP 220302 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+SECTION QUESTION
+a.example.com. IN A
+SECTION ANSWER
+example.com. IN DNAME example.net.
+a.example.com. IN CNAME a.example.net.
+a.example.net. IN A 10.0.0.97
+ENTRY_END
+
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;4  a.b.example.com. example.com.   example.net.   a.b.example.net.
+
+STEP 220401 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+a.b.example.com. IN A
+ENTRY_END
+
+STEP 220402 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+SECTION QUESTION
+a.b.example.com. IN A
+SECTION ANSWER
+example.com. IN DNAME example.net.
+a.b.example.com. IN CNAME a.b.example.net.
+a.b.example.net. IN A 10.0.97.98
+ENTRY_END
+
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;5  ab.example.com.  b.example.com. example.net.   <no match>
+;6  foo.example.com. example.com.   example.net.   foo.example.net.
+
+; line no. 5 is mostly for authoritative server
+; line no. 6 is basically the same as line no. 3
+
+; ns1.example.com.
+RANGE_BEGIN 220000 220699
+       ADDRESS 168.192.2.2
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN A
+SECTION ANSWER
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+; line 2 DNAME
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN DNAME
+SECTION ANSWER
+example.com. IN DNAME example.net.
+ENTRY_END
+
+; line 3
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.example.com. IN A
+SECTION ANSWER
+example.com. IN DNAME example.net.
+a.example.com. IN CNAME a.example.net.
+ENTRY_END
+
+; line 4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.b.example.com. IN A
+SECTION ANSWER
+example.com. IN DNAME example.net.
+a.b.example.com. IN CNAME a.b.example.net.
+ENTRY_END
+RANGE_END
+; end of ns1.example.com.
+
+
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;7  a.x.example.com. x.example.com. example.net.   a.example.net.
+
+STEP 220701 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+a.x.example.com. IN A
+ENTRY_END
+
+STEP 220702 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+SECTION QUESTION
+a.x.example.com. IN A
+SECTION ANSWER
+x.example.com. IN DNAME example.net.
+a.x.example.com. IN CNAME a.example.net.
+a.example.net. IN A 10.0.0.97
+ENTRY_END
+
+; ns1.example.com.
+RANGE_BEGIN 220700 220799
+       ADDRESS 168.192.2.2
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN A
+SECTION ANSWER
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+; line 7 DNAME
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN DNAME
+SECTION ANSWER
+x.example.com. IN DNAME example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.x.example.com. IN A
+SECTION ANSWER
+x.example.com. IN DNAME example.net.
+a.x.example.com. IN CNAME a.example.net.
+ENTRY_END
+RANGE_END
+; end of ns1.example.com.
+
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;8  a.example.com.   example.com.   y.example.net. a.y.example.net.
+;
+; a.example.com. was renamed to a2.example.com. to avoid cache clashes
+; on the synthetized CNAME (caching CNAMEs is allowed by RFC 6672 section 3.4)
+
+STEP 220801 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+a2.example.com. IN A
+ENTRY_END
+
+STEP 220802 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+SECTION QUESTION
+a2.example.com. IN A
+SECTION ANSWER
+example.com. IN DNAME y.example.net.
+a2.example.com. IN CNAME a2.y.example.net.
+a2.y.example.net. IN A 10.97.50.121
+ENTRY_END
+
+; ns1.example.com.
+RANGE_BEGIN 220800 220899
+       ADDRESS 168.192.2.2
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN A
+SECTION ANSWER
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+; line 8 DNAME
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN DNAME
+SECTION ANSWER
+example.com. IN DNAME y.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a2.example.com. IN A
+SECTION ANSWER
+example.com. IN DNAME y.example.net.
+a2.example.com. IN CNAME a2.y.example.net.
+ENTRY_END
+RANGE_END
+; end of ns1.example.com.
+
+
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;9  cyc.example.com. example.com.   example.com.   cyc.example.com.
+
+STEP 220901 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+cyc.example.com. IN A
+ENTRY_END
+
+; Expected result is defined by RFC 1034 section 3.6.2:
+; CNAME chains should be followed and CNAME loops signalled as an error
+STEP 220902 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+REPLY SERVFAIL
+SECTION QUESTION
+cyc.example.com. IN A
+ENTRY_END
+
+; ns1.example.com.
+RANGE_BEGIN 220900 220999
+       ADDRESS 168.192.2.2
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN A
+SECTION ANSWER
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+; line 9 DNAME
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN DNAME
+SECTION ANSWER
+example.com. IN DNAME example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+cyc.example.com. IN A
+SECTION ANSWER
+example.com. IN DNAME example.com.
+cyc.example.com. IN CNAME cyc.example.com.
+ENTRY_END
+RANGE_END
+; end of ns1.example.com.
+
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;10 cyc.example.com. example.com.   c.example.com. cyc.c.example.com.
+;
+; cyc.example.com. was renamed to cyc2.example.com. to avoid cache clashes
+; on the synthetized CNAME (caching CNAMEs is allowed by RFC 6672 section 3.4)
+;
+; target c.example.com. was renamed to cyc2.example.net.
+; to limit number of pre-canned answers required for the test
+
+STEP 221001 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+cyc2.example.com. IN A
+ENTRY_END
+
+; Expected result is defined by RFC 1034 section 3.6.2:
+; CNAME chains should be followed and CNAME loops signalled as an error
+STEP 221002 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+cyc2.example.com. IN A
+ENTRY_END
+
+; ns1.example.com.
+RANGE_BEGIN 221000 221099
+       ADDRESS 168.192.2.2
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns1.example.com.
+SECTION ADDITIONAL
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN A
+SECTION ANSWER
+ns1.example.com. IN A 168.192.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+; line 10 DNAME
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN DNAME
+SECTION ANSWER
+example.com. IN DNAME cyc2.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+cyc2.example.com. IN A
+SECTION ANSWER
+example.com. IN DNAME cyc2.example.net.
+cyc2.example.com. IN CNAME cyc2.cyc2.example.net.
+ENTRY_END
+RANGE_END
+; end of ns1.example.com.
+
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;11 shortloop.x.x.   x.             .              shortloop.x.
+
+STEP 221101 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x.x. TXT
+ENTRY_END
+
+STEP 221102 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+SECTION QUESTION
+shortloop.x.x. IN TXT
+SECTION ANSWER
+x.             IN DNAME        .
+shortloop.x.x. IN CNAME        shortloop.x.
+;;x.           IN DNAME        .
+shortloop.x.   IN CNAME        shortloop.
+shortloop.     IN TXT          "shortloop end"
+ENTRY_END
+
+;#  QNAME            owner  DNAME   target         result
+;-- ---------------- -------------- -------------- -----------------
+;12 shortloop.x.     x.             .              shortloop.
+
+; expire potentically cached CNAMEs for shortloop.x. from cache
+STEP 221200 TIME_PASSES ELAPSE 10000
+
+STEP 221201 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+shortloop.x.   TXT
+ENTRY_END
+
+STEP 221202 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+SECTION QUESTION
+shortloop.x.   IN TXT
+SECTION ANSWER
+x.             IN DNAME        .
+shortloop.x.   IN CNAME        shortloop.
+shortloop.     IN TXT          "shortloop end"
+ENTRY_END
+
+
+; ns1.example.net. (data shared by whole 22xxxx range)
+RANGE_BEGIN 220000 229999
+       ADDRESS 168.192.3.3
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net. IN NS ns1.example.net.
+SECTION ADDITIONAL
+example.net. IN A 168.192.3.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.net. IN A
+SECTION ANSWER
+ns1.example.net. IN A 168.192.3.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns1.example.net. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
+; line 3
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.example.net. IN A
+SECTION ANSWER
+a.example.net. IN A 10.0.0.97
+ENTRY_END
+
+; line 4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a.b.example.net. IN A
+SECTION ANSWER
+a.b.example.net. IN A 10.0.97.98
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+a2.y.example.net. IN A
+SECTION ANSWER
+a2.y.example.net. IN A 10.97.50.121
+ENTRY_END
+
+; line 10
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+cyc2.example.net. IN DNAME
+SECTION ANSWER
+cyc2.example.net. IN DNAME example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+cyc2.cyc2.example.net. IN A
+SECTION ANSWER
+cyc2.example.net. IN DNAME example.com.
+cyc2.cyc2.example.com. IN CNAME cyc2.example.com.
+ENTRY_END
+RANGE_END
+; end of ns1.example.net.
+
+
+; RFC 6672 section 2.2: YXDOMAIN answers for too long results for substitution
+; RFC 6672 section 2.3: DNAME can be at zone apex: zone apex = long.
+STEP 229001 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+x.long.        IN A
+ENTRY_END
+
+; query returning maximal permissible length - should work
+STEP 229002 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA DO
+SECTION QUESTION
+x.long.        IN A
+SECTION ANSWER
+long.                  3600    IN      DNAME   63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
+x.long.                        3600    IN      CNAME   x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
+x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. 3600    IN      A       192.0.2.1
+ENTRY_END
+
+; result of substitution has too long name
+; YXDOMAIN should be propagated to the client
+; Unbound SEVFAILs: https://www.ietf.org/mail-archive/web/dnsext/current/msg11282.html
+;TODO
+; STEP 229003 QUERY
+; ENTRY_BEGIN
+; REPLY RD DO
+; SECTION QUESTION
+; too.long.    IN A
+; ENTRY_END
+;
+; STEP 229004 CHECK_ANSWER
+; ENTRY_BEGIN
+; MATCH all
+; REPLY QR YXDOMAIN
+; SECTION QUESTION
+; x.long.      IN A
+; SECTION ANSWER
+; long.                        3600    IN      DNAME   63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
+; ENTRY_END
+
+; YXDOMAIN should work even if the cache is empty
+STEP 229005 TIME_PASSES ELAPSE 4000
+
+; STEP 229006 QUERY
+; ENTRY_BEGIN
+; REPLY RD DO
+; SECTION QUESTION
+; too.long.    IN A
+; ENTRY_END
+; 
+; STEP 229007 CHECK_ANSWER
+; ENTRY_BEGIN
+; MATCH all
+; REPLY QR YXDOMAIN
+; SECTION QUESTION
+; x.long.      IN A
+; SECTION ANSWER
+; long.                        3600    IN      DNAME   63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
+; ENTRY_END
+
+
+
+
+SCENARIO_END