- Fix validator classification of qtype DNAME for positive and

  redirection answers, and fix validator signature routine for dealing
  with the synthesized CNAME for a DNAME without previously
  encountering it and also for when the qtype is DNAME.

diff --git a/doc/Changelog b/doc/Changelog
index 797c602bb299083ed67d12818d5324ef0e1604d0..4369a671a267285cb3f5d51d82c1e041320d180b 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -3,6 +3,10 @@
          are long enough for newer OpenSSL versions.
        - Fix TTL of synthesized CNAME when a DNAME is used from cache.
        - Remove unused portion from iter_dname_ttl unit test.
+       - Fix validator classification of qtype DNAME for positive and
+         redirection answers, and fix validator signature routine for dealing
+         with the synthesized CNAME for a DNAME without previously
+         encountering it and also for when the qtype is DNAME.
 
 7 March 2024: Wouter
        - Version set to 1.19.3 for release. After 1.19.2 point release with

diff --git a/testdata/val_cnameqtype.rpl b/testdata/val_cnameqtype.rpl
index 05ef474267899c95794133a2e05e47d542834669..abca7bcfad7e42c49a97fa25c6070e9410c036f1 100644 (file)
--- a/testdata/val_cnameqtype.rpl
+++ b/testdata/val_cnameqtype.rpl
@@ -3,6 +3,7 @@
 server:
        trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
        trust-anchor: "example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
+       trust-anchor: "foo.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
        val-override-date: "20070916134226"
        target-fetch-policy: "0 0 0 0 0"
        qname-minimisation: "no"
@@ -17,7 +18,7 @@ CONFIG_END
 SCENARIO_BEGIN Test validator with a query for type cname
 
 ; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 1000
        ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -44,11 +45,11 @@ a.gtld-servers.net. IN      A       192.5.6.30
 ENTRY_END
 
 ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
+MATCH opcode subdomain
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.net. IN CNAME
+net. IN A
 SECTION AUTHORITY
 net.   IN NS   a.gtld-servers.net.
 SECTION ADDITIONAL
@@ -57,7 +58,7 @@ ENTRY_END
 RANGE_END
 
 ; a.gtld-servers.net.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 1000
        ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -94,21 +95,33 @@ example.com.        IN NS   ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.                IN      A       1.2.3.4
 ENTRY_END
+
 ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
+MATCH opcode subdomain
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.net. IN A
+example.net. IN A
 SECTION AUTHORITY
 example.net.   IN NS   ns.example.net.
 SECTION ADDITIONAL
 ns.example.net.                IN      A       1.2.3.5
 ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+foo.net. IN NS
+SECTION AUTHORITY
+foo.net. IN NS ns.example.com.
+ENTRY_END
+
 RANGE_END
 
 ; ns.example.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 1000
        ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -155,10 +168,167 @@ www.example.com.        3600    IN      RRSIG   CNAME DSA 3 3600 20070926134150
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www2.example.com. IN A
+SECTION ANSWER
+www2.example.com.      3600    IN      CNAME   www.example.net.
+www2.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AGgh6pDCL7VF0uJablClW7cgvsPuNzpHZ+M7nZIwi61+0RPhFZLHcN4=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+foo.test-dname.example.com. IN CNAME
+SECTION ANSWER
+test-dname.example.com.        3600    IN      DNAME   example.net.
+test-dname.example.com.        3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www3.example.com. IN A
+SECTION ANSWER
+www3.example.com.      3600    IN      CNAME   www3.foo.net.
+www3.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AFCgCmBh9ZhKJj6AqJAaai8Xwrp9nVYP/yyg4RglHEHb7LlIKED93Ic=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www3.foo.net. IN A
+SECTION ANSWER
+www3.foo.net. IN A 12.13.14.15
+www3.foo.net.  3600    IN      RRSIG   A 5 3 3600 20070926134150 20070829134150 30899 foo.net. y50vzw6pCWNmM4y1LNbc37htWGvjxKzdV/JS5ONdFWUQelbDx5YrD91m9U88ItIpwQiGKJWQBwNgHzVKW7iF2A==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www4.example.com. IN CNAME
+SECTION ANSWER
+www4.example.com.      3600    IN      CNAME   www4.foo.net.
+www4.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AA/PJO3mDuDAGQHZ2nb52q3SG0vTp0RcshM09InjZlGTIwHPIYcuizw=
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www4.foo.net. IN CNAME
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www5.example.com. IN A
+SECTION ANSWER
+www5.example.com.      3600    IN      CNAME   www5.foo.net.
+www5.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI=
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www5.foo.net. IN A
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+sea.foo.net.   3600    IN      NSEC    ur.foo.net. A AAAA RRSIG NSEC
+sea.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+cup.h-dname.example.com. IN CNAME
+SECTION ANSWER
+h-dname.example.com.   3600    IN      DNAME   tea.foo.net.
+h-dname.example.com.   3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0=
+cup.h-dname.example.com. 3600 IN CNAME cup.tea.foo.net.
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+sea.foo.net.   3600    IN      NSEC    ur.foo.net. A AAAA RRSIG NSEC
+sea.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+cup.tea.foo.net. IN CNAME
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+sea.foo.net.   3600    IN      NSEC    ur.foo.net. A AAAA RRSIG NSEC
+sea.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+foo.net. IN DNSKEY
+SECTION ANSWER
+foo.net.       3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+foo.net.       3600    IN      RRSIG   DNSKEY 5 2 3600 20070926134150 20070829134150 30899 foo.net. FLWrxrEnMpKoUDf+mbHGKSQ9OYloJs1eVbxkQaTSfJSLnLzOS0MLflMfbH1nC+Fk8idN7Aw07P5S9Ez1/fAb4w==
+ENTRY_END
+
 RANGE_END
 
 ; ns.example.net.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 1000
        ADDRESS 1.2.3.5
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -207,6 +377,7 @@ SECTION ADDITIONAL
 ENTRY_END
 RANGE_END
 
+; Test qtype CNAME, answer from upstream.
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD DO
@@ -228,4 +399,229 @@ SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
 
+; Test qtype CNAME, answer from cache after A query.
+; perform the A query that gets the CNAME in cache.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www2.example.com. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+www2.example.com. IN A
+SECTION ANSWER
+www2.example.com.      3600    IN      CNAME   www.example.net.
+www2.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AGgh6pDCL7VF0uJablClW7cgvsPuNzpHZ+M7nZIwi61+0RPhFZLHcN4=
+www.example.net. IN    A       11.12.13.14
+www.example.net.        3600    IN      RRSIG   A 5 3 3600 20070926134150 20070829134150 30899 example.net. CPxF5hK9Kg5eT7W6LgZwr0ePYEm9HMcSY4vvqCS6gDWB4X9jvXLCfBkCLhsNybPBpGWlsLi5wM6MTdJXuPpsRA== ;{id = 30899}
+ENTRY_END
+
+; now query for type CNAME, that is in cache.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www2.example.com. IN CNAME
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+www2.example.com. IN CNAME
+SECTION ANSWER
+www2.example.com.      3600    IN      CNAME   www.example.net.
+www2.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AGgh6pDCL7VF0uJablClW7cgvsPuNzpHZ+M7nZIwi61+0RPhFZLHcN4=
+ENTRY_END
+
+; Test qtype CNAME, answer DNAME from upstream.
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+foo.test-dname.example.com. IN CNAME
+ENTRY_END
+
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+foo.test-dname.example.com. IN CNAME
+SECTION ANSWER
+test-dname.example.com.        3600    IN      DNAME   example.net.
+test-dname.example.com.        3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
+ENTRY_END
+
+; Test qtype CNAME, answer DNAME from cached DNAME record.
+STEP 80 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+foo2.test-dname.example.com. IN CNAME
+ENTRY_END
+
+STEP 90 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+foo2.test-dname.example.com. IN CNAME
+SECTION ANSWER
+test-dname.example.com.        3600    IN      DNAME   example.net.
+test-dname.example.com.        3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo2.test-dname.example.com. 3600 IN CNAME foo2.example.net.
+ENTRY_END
+
+; Test first a simple A query, that connects example.com to foo.net.
+STEP 100 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www3.example.com. IN A
+ENTRY_END
+
+STEP 110 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+www3.example.com. IN A
+SECTION ANSWER
+www3.example.com.      3600    IN      CNAME   www3.foo.net.
+www3.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AFCgCmBh9ZhKJj6AqJAaai8Xwrp9nVYP/yyg4RglHEHb7LlIKED93Ic=
+www3.foo.net. IN A 12.13.14.15
+www3.foo.net.  3600    IN      RRSIG   A 5 3 3600 20070926134150 20070829134150 30899 foo.net. y50vzw6pCWNmM4y1LNbc37htWGvjxKzdV/JS5ONdFWUQelbDx5YrD91m9U88ItIpwQiGKJWQBwNgHzVKW7iF2A==
+ENTRY_END
+
+; Test qtype CNAME, but the upstream responds that there is NXDOMAIN,
+; it can do this because it has the zone loaded at the name after the CNAME,
+; in the zone foo.net. and it chases the CNAME.
+STEP 120 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www4.example.com. IN CNAME
+ENTRY_END
+
+STEP 130 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+www4.example.com. IN CNAME
+SECTION ANSWER
+www4.example.com.      3600    IN      CNAME   www4.foo.net.
+www4.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AA/PJO3mDuDAGQHZ2nb52q3SG0vTp0RcshM09InjZlGTIwHPIYcuizw=
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+; Test, first pull a CNAME to NXDOMAIN in cache with an A query and then use
+; it for qtype CNAME.
+STEP 140 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www5.example.com. IN A
+ENTRY_END
+
+STEP 150 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+www5.example.com. IN A
+SECTION ANSWER
+www5.example.com.      3600    IN      CNAME   www5.foo.net.
+www5.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI=
+SECTION AUTHORITY
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+ENTRY_END
+
+STEP 160 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www5.example.com. IN CNAME
+ENTRY_END
+
+STEP 170 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+www5.example.com. IN CNAME
+SECTION ANSWER
+www5.example.com.      3600    IN      CNAME   www5.foo.net.
+www5.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI=
+ENTRY_END
+
+; Test, qtype CNAME, but it is a DNAME and the upstream server can respond
+; with NXDOMAIN, it can do this because the foo.net zone is also loaded by
+; the server and it looks in the other zone.
+STEP 180 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+cup.h-dname.example.com. IN CNAME
+ENTRY_END
+
+STEP 190 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+cup.h-dname.example.com. IN CNAME
+SECTION ANSWER
+h-dname.example.com.   3600    IN      DNAME   tea.foo.net.
+h-dname.example.com.   3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0=
+cup.h-dname.example.com. 3600 IN CNAME cup.tea.foo.net.
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+sea.foo.net.   3600    IN      NSEC    ur.foo.net. A AAAA RRSIG NSEC
+sea.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+; Test, first pull a DNAME in cache and then use it for qtype CNAME to an
+; NXDOMAIN.
+STEP 200 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+cup2.h-dname.example.com. IN CNAME
+ENTRY_END
+
+STEP 210 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+cup2.h-dname.example.com. IN CNAME
+SECTION ANSWER
+h-dname.example.com.   3600    IN      DNAME   tea.foo.net.
+h-dname.example.com.   3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0=
+cup2.h-dname.example.com. 3600 IN CNAME cup2.tea.foo.net.
+ENTRY_END
+
 SCENARIO_END

diff --git a/testdata/val_dnameqtype.rpl b/testdata/val_dnameqtype.rpl
new file mode 100644 (file)
index 0000000..74cc45e
--- /dev/null
+++ b/testdata/val_dnameqtype.rpl
@@ -0,0 +1,689 @@
+; config options
+; The island of trust is at example.com
+server:
+       trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+       trust-anchor: "example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
+       trust-anchor: "foo.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
+       val-override-date: "20070916134226"
+       target-fetch-policy: "0 0 0 0 0"
+       qname-minimisation: "no"
+       fake-sha1: yes
+       trust-anchor-signaling: no
+
+stub-zone:
+       name: "."
+       stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with a query for type dname
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 1000
+       ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS        K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.    IN      A       193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com.   IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.    IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN A
+SECTION AUTHORITY
+net.   IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.    IN      A       192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 1000
+       ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+net. IN NS
+SECTION ANSWER
+net.    IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.     IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com.   IN NS   ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION AUTHORITY
+example.net.   IN NS   ns.example.net.
+SECTION ADDITIONAL
+ns.example.net.                IN      A       1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+foo.net. IN NS
+SECTION AUTHORITY
+foo.net. IN NS ns.example.com.
+ENTRY_END
+
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 1000
+       ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.    IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.         IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com.    3600    IN      DNSKEY  256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600    IN      RRSIG   DNSKEY DSA 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFBQRtlR4BEv9ohi+PGFjp+AHsJuHAhRCvz0shggvnvI88DFnBDCczHUcVA== ;{id = 2854}
+SECTION AUTHORITY
+example.com.   IN NS   ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ns.example.com. 3600    IN      RRSIG   A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN DNAME
+SECTION ANSWER
+www.example.com. IN    DNAME   www.example.net.
+www.example.com.       3600    IN      RRSIG   DNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKXpbBNiurXv6oFOFQJv5rASdxpoWp2WV1j4ZdJAJ1f48cOkBM2oiEE=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www2.example.com. IN DNAME
+SECTION ANSWER
+www2.example.com.      3600    IN      DNAME   www.example.net.
+www2.example.com.      3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ABu2/f8Ec9BfUkWVid/ufoIjTuS1iZ/zQ5qeF5GiKxPDu//bP2eTgmI=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+fore.www2.example.com. IN A
+SECTION ANSWER
+www2.example.com.      3600    IN      DNAME   www.example.net.
+www2.example.com.      3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ABu2/f8Ec9BfUkWVid/ufoIjTuS1iZ/zQ5qeF5GiKxPDu//bP2eTgmI=
+fore.www2.example.com. IN CNAME fore.www.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+foo.test-dname.example.com. IN DNAME
+SECTION ANSWER
+test-dname.example.com.        3600    IN      DNAME   example.net.
+test-dname.example.com.        3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www3.example.com. IN A
+SECTION ANSWER
+www3.example.com.      3600    IN      CNAME   www3.foo.net.
+www3.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AFCgCmBh9ZhKJj6AqJAaai8Xwrp9nVYP/yyg4RglHEHb7LlIKED93Ic=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www3.foo.net. IN A
+SECTION ANSWER
+www3.foo.net. IN A 12.13.14.15
+www3.foo.net.  3600    IN      RRSIG   A 5 3 3600 20070926134150 20070829134150 30899 foo.net. y50vzw6pCWNmM4y1LNbc37htWGvjxKzdV/JS5ONdFWUQelbDx5YrD91m9U88ItIpwQiGKJWQBwNgHzVKW7iF2A==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www4.example.com. IN DNAME
+SECTION ANSWER
+www4.example.com.      3600    IN      CNAME   www4.foo.net.
+www4.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AA/PJO3mDuDAGQHZ2nb52q3SG0vTp0RcshM09InjZlGTIwHPIYcuizw=
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC 
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www4.foo.net. IN DNAME
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC 
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www5.example.com. IN A
+SECTION ANSWER
+www5.example.com.      3600    IN      CNAME   www5.foo.net.
+www5.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI=
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC 
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www5.foo.net. IN A
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+sea.foo.net.   3600    IN      NSEC    ur.foo.net. A AAAA RRSIG NSEC
+sea.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+cup.h-dname.example.com. IN DNAME
+SECTION ANSWER
+h-dname.example.com.   3600    IN      DNAME   tea.foo.net.
+h-dname.example.com.   3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0=
+cup.h-dname.example.com. 3600 IN CNAME cup.tea.foo.net.
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+sea.foo.net.   3600    IN      NSEC    ur.foo.net. A AAAA RRSIG NSEC
+sea.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+cup.tea.foo.net. IN DNAME
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+sea.foo.net.   3600    IN      NSEC    ur.foo.net. A AAAA RRSIG NSEC
+sea.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+foo.net. IN DNSKEY
+SECTION ANSWER
+foo.net.       3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+foo.net.       3600    IN      RRSIG   DNSKEY 5 2 3600 20070926134150 20070829134150 30899 foo.net. FLWrxrEnMpKoUDf+mbHGKSQ9OYloJs1eVbxkQaTSfJSLnLzOS0MLflMfbH1nC+Fk8idN7Aw07P5S9Ez1/fAb4w==
+ENTRY_END
+
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 1000
+       ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net.   IN NS   ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net.                IN      A       1.2.3.5
+ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN DNSKEY
+SECTION ANSWER
+example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}
+example.net.    3600    IN      RRSIG   DNSKEY RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. hiFzlQ8VoYgCuvIsfVuxC3mfJDqsTh0yc6abs5xMx5uEcIjb0dndFQx7INOM+imlzveEN73Hqp4OLFpFhsWLlw== ;{id = 30899}
+SECTION AUTHORITY
+example.net.   IN NS   ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
+SECTION ADDITIONAL
+ns.example.net.                IN      A       1.2.3.5
+ns.example.net. 3600    IN      RRSIG   A RSASHA1 3 3600 20070926134150 20070829134150 30899 example.net. x+tQMC9FhzT7Fcy1pM5NrOC7E8nLd7THPI3C6ie4EwL8PrxllqlR3q/DKB0d/m0qCOPcgN6HFOYURV1s4uAcsw== ;{id = 30899}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+foo.example.net. IN DNAME
+SECTION ANSWER
+foo.example.net. IN    DNAME lower.example.net.
+foo.example.net.       3600    IN      RRSIG   DNAME 5 3 3600 20070926134150 20070829134150 30899 example.net. OZLH158CkKbQZOkBCof7oLzy8sbtDI3/BHEOqBeYZzcfHHfHS9L4qJBII5uO+x8yB/DTkFEhdL5WZV2IjRlkNQ==
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+foo2.example.net. IN DNAME
+SECTION ANSWER
+foo2.example.net. IN   DNAME lower.example.net.
+foo2.example.net.      3600    IN      RRSIG   DNAME 5 3 3600 20070926134150 20070829134150 30899 example.net. xth0C1DoNubf4PpjkS0tgo6O7yzaLPuTKB2yTNFM1iZRm5pd0o3eo/upvfG2SwqfzimgvM1eDyK06QX/R7Enfw==
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.net. IN A
+SECTION ANSWER
+www.example.net. IN    A       11.12.13.14
+www.example.net.        3600    IN      RRSIG   A 5 3 3600 20070926134150 20070829134150 30899 example.net. CPxF5hK9Kg5eT7W6LgZwr0ePYEm9HMcSY4vvqCS6gDWB4X9jvXLCfBkCLhsNybPBpGWlsLi5wM6MTdJXuPpsRA== ;{id = 30899}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+fore.www.example.net. IN A
+SECTION ANSWER
+fore.www.example.net. IN       A       11.12.13.15
+fore.www.example.net.  3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 example.net. D1axzzs2olCCMQUQchy4ZRs8oefSdLpiIlhPsF1Y5GTTLHKKs6H14tm3FrRTLUIb2FzZywHX0Hl+pfoB/lG2qQ==
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+; Test qtype DNAME, answer from upstream.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN DNAME
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+www.example.com. IN DNAME
+SECTION ANSWER
+www.example.com. IN    DNAME   www.example.net.
+www.example.com.       3600    IN      RRSIG   DNAME 3 3 3600 20070926134150 20070829134150 2854 example.com. AKXpbBNiurXv6oFOFQJv5rASdxpoWp2WV1j4ZdJAJ1f48cOkBM2oiEE=
+ENTRY_END
+
+; Test qtype DNAME, answer from cache after A query.
+; perform the A query that gets the DNAME in cache.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+fore.www2.example.com. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+fore.www2.example.com. IN A
+SECTION ANSWER
+www2.example.com.      3600    IN      DNAME   www.example.net.
+www2.example.com.      3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ABu2/f8Ec9BfUkWVid/ufoIjTuS1iZ/zQ5qeF5GiKxPDu//bP2eTgmI=
+fore.www2.example.com. IN CNAME fore.www.example.net.
+fore.www.example.net. IN       A       11.12.13.15
+fore.www.example.net.  3600    IN      RRSIG   A 5 4 3600 20070926134150 20070829134150 30899 example.net. D1axzzs2olCCMQUQchy4ZRs8oefSdLpiIlhPsF1Y5GTTLHKKs6H14tm3FrRTLUIb2FzZywHX0Hl+pfoB/lG2qQ==
+ENTRY_END
+
+; now query for type DNAME, that is in cache.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www2.example.com. IN DNAME
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+www2.example.com. IN DNAME
+SECTION ANSWER
+www2.example.com.      3600    IN      DNAME   www.example.net.
+www2.example.com.      3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ABu2/f8Ec9BfUkWVid/ufoIjTuS1iZ/zQ5qeF5GiKxPDu//bP2eTgmI=
+ENTRY_END
+
+; Test qtype DNAME, answer DNAME from upstream.
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+foo.test-dname.example.com. IN DNAME
+ENTRY_END
+
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+foo.test-dname.example.com. IN DNAME
+SECTION ANSWER
+test-dname.example.com.        3600    IN      DNAME   example.net.
+test-dname.example.com.        3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo.test-dname.example.com. 3600 IN CNAME foo.example.net.
+foo.example.net. IN    DNAME lower.example.net.
+foo.example.net.       3600    IN      RRSIG   DNAME 5 3 3600 20070926134150 20070829134150 30899 example.net. OZLH158CkKbQZOkBCof7oLzy8sbtDI3/BHEOqBeYZzcfHHfHS9L4qJBII5uO+x8yB/DTkFEhdL5WZV2IjRlkNQ==
+ENTRY_END
+
+; Test qtype DNAME, answer DNAME from cached DNAME record.
+STEP 80 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+foo2.test-dname.example.com. IN DNAME
+ENTRY_END
+
+STEP 90 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+foo2.test-dname.example.com. IN DNAME
+SECTION ANSWER
+test-dname.example.com.        3600    IN      DNAME   example.net.
+test-dname.example.com.        3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. ACp31Evt1c6tKzmTh/smAuGFydZ1OO26Qkej/BW4Bw5RFBQiKaY22Z0=
+foo2.test-dname.example.com. 3600 IN CNAME foo2.example.net.
+foo2.example.net. IN   DNAME lower.example.net.
+foo2.example.net.      3600    IN      RRSIG   DNAME 5 3 3600 20070926134150 20070829134150 30899 example.net. xth0C1DoNubf4PpjkS0tgo6O7yzaLPuTKB2yTNFM1iZRm5pd0o3eo/upvfG2SwqfzimgvM1eDyK06QX/R7Enfw==
+ENTRY_END
+
+; Test first a simple A query, that connects example.com to foo.net.
+STEP 100 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www3.example.com. IN A
+ENTRY_END
+
+STEP 110 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+www3.example.com. IN A
+SECTION ANSWER
+www3.example.com.      3600    IN      CNAME   www3.foo.net.
+www3.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AFCgCmBh9ZhKJj6AqJAaai8Xwrp9nVYP/yyg4RglHEHb7LlIKED93Ic=
+www3.foo.net. IN A 12.13.14.15
+www3.foo.net.  3600    IN      RRSIG   A 5 3 3600 20070926134150 20070829134150 30899 foo.net. y50vzw6pCWNmM4y1LNbc37htWGvjxKzdV/JS5ONdFWUQelbDx5YrD91m9U88ItIpwQiGKJWQBwNgHzVKW7iF2A==
+ENTRY_END
+
+; Test qtype DNAME, but the upstream responds that there is NXDOMAIN,
+; it can do this because it has the zone loaded at the name after the CNAME,
+; in the zone foo.net. and it chases the query there.
+STEP 120 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www4.example.com. IN DNAME
+ENTRY_END
+
+STEP 130 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+www4.example.com. IN DNAME
+SECTION ANSWER
+www4.example.com.      3600    IN      CNAME   www4.foo.net.
+www4.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AA/PJO3mDuDAGQHZ2nb52q3SG0vTp0RcshM09InjZlGTIwHPIYcuizw=
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC 
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+; Test, first pull a CNAME to NXDOMAIN in cache with an A query and then use
+; it for qtype DNAME.
+STEP 140 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www5.example.com. IN A
+ENTRY_END
+
+STEP 150 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+www5.example.com. IN A
+SECTION ANSWER
+www5.example.com.      3600    IN      CNAME   www5.foo.net.
+www5.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI=
+SECTION AUTHORITY
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC 
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+ENTRY_END
+
+STEP 160 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www5.example.com. IN DNAME
+ENTRY_END
+
+STEP 170 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+www5.example.com. IN DNAME
+SECTION ANSWER
+www5.example.com.      3600    IN      CNAME   www5.foo.net.
+www5.example.com.      3600    IN      RRSIG   CNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AIXA8v0JC14UIQtthXS0Kv66rE0jqPKHgq3CPdc6PDi+tLqGjFrXIdI=
+SECTION AUTHORITY
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+van.foo.net.   3600    IN      NSEC    xix.foo.net. A AAAA RRSIG NSEC 
+van.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. awGqM+lA86rKWm8Rh1RvBYC9fJdAM2YBSqVE4VvWfhsUVN+JCspNtU3yg+R3/njfXox6cDTCfqqPDXB7KSPXaw==
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+ENTRY_END
+
+; Test, qtype DNAME, but it is under a DNAME and the upstream server can
+; respond with NXDOMAIN, it can do this because the foo.net zone is also
+; loaded by the server and it looks in the other zone.
+STEP 180 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+cup.h-dname.example.com. IN DNAME
+ENTRY_END
+
+STEP 190 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+cup.h-dname.example.com. IN DNAME
+SECTION ANSWER
+h-dname.example.com.   3600    IN      DNAME   tea.foo.net.
+h-dname.example.com.   3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0=
+cup.h-dname.example.com. 3600 IN CNAME cup.tea.foo.net.
+SECTION AUTHORITY
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+sea.foo.net.   3600    IN      NSEC    ur.foo.net. A AAAA RRSIG NSEC
+sea.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ==
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+ENTRY_END
+
+; Test, first pull a DNAME in cache and then use it for qtype DNAME to an
+; NXDOMAIN.
+STEP 200 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+cup2.h-dname.example.com. IN DNAME
+ENTRY_END
+
+STEP 210 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+cup2.h-dname.example.com. IN DNAME
+SECTION ANSWER
+h-dname.example.com.   3600    IN      DNAME   tea.foo.net.
+h-dname.example.com.   3600    IN      RRSIG   DNAME 3 3 3600 20070926135752 20070829135752 2854 example.com. AKXt5koLeZD2ibFrmZyE3ZOQCWHIA/UtrlCgFLalfaTm91NVlki5aV0=
+cup2.h-dname.example.com. 3600 IN CNAME cup2.tea.foo.net.
+SECTION AUTHORITY
+foo.net.       3600    IN      NSEC    bank.foo.net. NS SOA RRSIG NSEC DNSKEY
+foo.net.       3600    IN      RRSIG   NSEC 5 2 3600 20070926134150 20070829134150 30899 foo.net. w0nZn1gL11mBfDBWrnU5Z7ZDBQNpytyok7TL0K/adxUV5crNxmnX0IZjsMPcM6KG995DtLIqG7w2Ux82ltgllg==
+sea.foo.net.   3600    IN      NSEC    ur.foo.net. A AAAA RRSIG NSEC
+sea.foo.net.   3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 foo.net. SOz+kQrhbR7M4oid0L9HfHK3re9L5T+6x1m+DFyV0ogqGcsAfAmyvAPJUQyclENMWWqyJMgSfrqzpqEdM5HRWQ==
+foo.net. IN SOA ns.example.com. admin.foo.net. 2024030800 3600 3600 604800 3600
+foo.net.       3600    IN      RRSIG   SOA 5 2 3600 20070926134150 20070829134150 30899 foo.net. pDamdEYFVw2l2tBl2ZMYKHXRWWbBpIsi12AGpCv9fOBzvefsFZrFb79amLKOvfknmMUix5NnXeoc6zzQSkXeZQ==
+ENTRY_END
+
+SCENARIO_END

diff --git a/validator/val_utils.c b/validator/val_utils.c
index c316183a9d9efae506e791be0ab3f70ff65ece33..a7db41dadc3d4b1b7f44393d64a77d589e7ad340 100644 (file)
--- a/validator/val_utils.c
+++ b/validator/val_utils.c
@@ -118,7 +118,30 @@ val_classify_response(uint16_t query_flags, struct query_info* origqinf,
         * ANY responses are validated differently. */
        if(rcode == LDNS_RCODE_NOERROR && qinf->qtype == LDNS_RR_TYPE_ANY)
                return VAL_CLASS_ANY;
-       
+
+       /* For the query type DNAME, the name matters. Equal name is the
+        * answer looked for, but a subdomain redirects the query. */
+       if(qinf->qtype == LDNS_RR_TYPE_DNAME) {
+               for(i=skip; i<rep->an_numrrsets; i++) {
+                       if(rcode == LDNS_RCODE_NOERROR &&
+                               ntohs(rep->rrsets[i]->rk.type)
+                               == LDNS_RR_TYPE_DNAME &&
+                               query_dname_compare(qinf->qname,
+                               rep->rrsets[i]->rk.dname) == 0) {
+                               /* type is DNAME and name is equal, it is
+                                * the answer. For the query name a subdomain
+                                * of the rrset.dname it would redirect. */
+                               return VAL_CLASS_POSITIVE;
+                       }
+                       if(ntohs(rep->rrsets[i]->rk.type)
+                               == LDNS_RR_TYPE_CNAME)
+                               return VAL_CLASS_CNAME;
+               }
+               log_dns_msg("validator: error. failed to classify response message: ",
+                       qinf, rep);
+               return VAL_CLASS_UNKNOWN;
+       }
+
        /* Note that DNAMEs will be ignored here, unless qtype=DNAME. Unless
         * qtype=CNAME, this will yield a CNAME response. */
        for(i=skip; i<rep->an_numrrsets; i++) {
@@ -231,6 +254,21 @@ val_find_signer(enum val_classification subtype, struct query_info* qinf,
                                rep->rrsets[i]->rk.dname) == 0) {
                                val_find_rrset_signer(rep->rrsets[i], 
                                        signer_name, signer_len);
+                               /* If there was no signer, and the query
+                                * was for type CNAME, and this is a CNAME,
+                                * and the previous is a DNAME, then this
+                                * is the synthesized CNAME, use the signer
+                                * of the DNAME record. */
+                               if(*signer_name == NULL &&
+                                  qinf->qtype == LDNS_RR_TYPE_CNAME &&
+                                  ntohs(rep->rrsets[i]->rk.type) ==
+                                  LDNS_RR_TYPE_CNAME && i > skip &&
+                                  ntohs(rep->rrsets[i-1]->rk.type) ==
+                                  LDNS_RR_TYPE_DNAME &&
+                                  dname_strict_subdomain_c(rep->rrsets[i]->rk.dname, rep->rrsets[i-1]->rk.dname)) {
+                                       val_find_rrset_signer(rep->rrsets[i-1],
+                                               signer_name, signer_len);
+                               }
                                return;
                        }
                }

diff --git a/validator/validator.c b/validator/validator.c
index aa71df9cbf58a9b6095fcfd21225af1fecf5205e..15ae13a39d04af8abfec94b27eb50e88e64c9ce8 100644 (file)
--- a/validator/validator.c
+++ b/validator/validator.c
@@ -621,7 +621,6 @@ prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq,
  * @param vq: validator query state.
  * @param env: module env for verify.
  * @param ve: validator env for verify.
- * @param qchase: query that was made.
  * @param chase_reply: answer to validate.
  * @param key_entry: the key entry, which is trusted, and which matches
  *     the signer of the answer. The key entry isgood().
@@ -632,7 +631,7 @@ prime_trust_anchor(struct module_qstate* qstate, struct val_qstate* vq,
  */
 static int
 validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq,
-       struct module_env* env, struct val_env* ve, struct query_info* qchase,
+       struct module_env* env, struct val_env* ve,
        struct reply_info* chase_reply, struct key_entry_key* key_entry,
        int* suspend)
 {
@@ -640,7 +639,7 @@ validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq,
        size_t i, slen;
        struct ub_packed_rrset_key* s;
        enum sec_status sec;
-       int dname_seen = 0, num_verifies = 0, verified, have_state = 0;
+       int num_verifies = 0, verified, have_state = 0;
        char* reason = NULL;
        sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS;
        *suspend = 0;
@@ -658,9 +657,13 @@ validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq,
                /* Skip the CNAME following a (validated) DNAME.
                 * Because of the normalization routines in the iterator, 
                 * there will always be an unsigned CNAME following a DNAME 
-                * (unless qtype=DNAME). */
-               if(dname_seen && ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) {
-                       dname_seen = 0;
+                * (unless qtype=DNAME in the answer part). */
+               if(i>0 && ntohs(chase_reply->rrsets[i-1]->rk.type) ==
+                       LDNS_RR_TYPE_DNAME &&
+                       ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME &&
+                       ((struct packed_rrset_data*)chase_reply->rrsets[i-1]->entry.data)->security == sec_status_secure &&
+                       dname_strict_subdomain_c(s->rk.dname, chase_reply->rrsets[i-1]->rk.dname)
+                       ) {
                        /* CNAME was synthesized by our own iterator */
                        /* since the DNAME verified, mark the CNAME as secure */
                        ((struct packed_rrset_data*)s->entry.data)->security =
@@ -691,12 +694,6 @@ validate_msg_signatures(struct module_qstate* qstate, struct val_qstate* vq,
                        return 0;
                }
 
-               /* Notice a DNAME that should be followed by an unsigned 
-                * CNAME. */
-               if(qchase->qtype != LDNS_RR_TYPE_DNAME && 
-                       ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME) {
-                       dname_seen = 1;
-               }
                num_verifies += verified;
                if(num_verifies > MAX_VALIDATE_AT_ONCE &&
                        i+1 < (env->cfg->val_clean_additional?
@@ -2186,7 +2183,7 @@ processValidate(struct module_qstate* qstate, struct val_qstate* vq,
 
        /* check signatures in the message; 
         * answer and authority must be valid, additional is only checked. */
-       if(!validate_msg_signatures(qstate, vq, qstate->env, ve, &vq->qchase,
+       if(!validate_msg_signatures(qstate, vq, qstate->env, ve,
                vq->chase_reply, vq->key_entry, &suspend)) {
                if(suspend) {
                        if(!validate_suspend_setup_timer(qstate, vq,