- Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu,

author Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>

Wed, 22 Oct 2025 08:54:57 +0000 (10:54 +0200)

committer Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>

Wed, 22 Oct 2025 08:54:57 +0000 (10:54 +0200)
author Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Wed, 22 Oct 2025 08:54:57 +0000 (10:54 +0200)
committer Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
Wed, 22 Oct 2025 08:54:57 +0000 (10:54 +0200)
diff --git a/daemon/remote.c b/daemon/remote.c

index e10dadde78620750f0e873615428915e46f7ca9e..d8ee7fa7d7c1f1e5ab9559c0bb11c04ba45bc592 100644 (file)
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -6176,6 +6176,7 @@ fr_atomic_copy_cfg(struct config_file* oldcfg, struct config_file* cfg,
         COPY_VAR_ptr(ipset_name_v6);
  #endif
         COPY_VAR_int(ede);
+       COPY_VAR_int(iter_scrub_promiscuous);
  }
  #endif /* ATOMIC_POINTER_LOCK_FREE && HAVE_LINK_ATOMIC_STORE */
  
diff --git a/doc/example.conf.in b/doc/example.conf.in

index b33e65bfeae2748946095da67cce53bebdc9eeff..d151f846817413967289c207d82a4125eec2f364 100644 (file)
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -196,6 +196,10 @@ server:
         # Limit on upstream queries for an incoming query and its recursion.
         # max-global-quota: 200
  
+       # Should the scrubber remove promiscuous NS from positive answers,
+       # protects against poison attempts.
+       # iter-scrub-promiscuous: yes
+
         # msec for waiting for an unknown server to reply.  Increase if you
         # are behind a slow satellite link, to eg. 1128.
         # unknown-server-time-limit: 376
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in

index c05831e4137b86db52c14eafbffef2c5cf3e2470..782a98e50ff5fdec01d0ac82992c5f7de9d76448 100644 (file)
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -167,6 +167,7 @@ ipset,
  \fI\%tcp\-reuse\-timeout\fP,
  \fI\%tcp\-auth\-query\-timeout\fP,
  \fI\%delay\-close\fP\&.
+\fI\%iter\-scrub\-promiscuous\fP\&.
  .sp
  It does not work with
  \fI\%interface\fP and
diff --git a/doc/unbound-control.rst b/doc/unbound-control.rst

index bc548f51d064db8e9e83eb7919c370c859d7382e..71ff6ee37b6cb854b4bb34a70cf21d16c8691027 100644 (file)
--- a/doc/unbound-control.rst
+++ b/doc/unbound-control.rst
@@ -169,6 +169,7 @@ There are several commands that the server understands.
      :ref:`tcp-reuse-timeout<unbound.conf.tcp-reuse-timeout>`,
      :ref:`tcp-auth-query-timeout<unbound.conf.tcp-auth-query-timeout>`,
      :ref:`delay-close<unbound.conf.delay-close>`.
+    :ref:`iter-scrub-promiscuous<unbound.conf.iter-scrub-promiscuous>`.
  
      It does not work with
      :ref:`interface<unbound.conf.interface>` and
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in

index 172eb26c52eb604672b9e67be6c842c48b5aca97..3df4daeb076c813df5da0ab8a2381feb5db0dfe4 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -3656,6 +3656,15 @@ Default: 200
  .UNINDENT
  .INDENT 0.0
  .TP
+.B iter\-scrub\-promiscuous: \fI<yes or no>\fP 
+Should the iterator scrubber remove promiscuous NS from positive answers.
+This protects against poisonous contents, that could affect names in the
+same zone as a spoofed packet.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
  .B fast\-server\-permil: \fI<number>\fP 
  Specify how many times out of 1000 to pick from the set of fastest servers.
  0 turns the feature off.
diff --git a/doc/unbound.conf.rst b/doc/unbound.conf.rst

index ad8404e113cf28793f0e2a7fe6891d6d1c4abf89..d83816c6f4685a4b03bfbadd1783105b756ff585 100644 (file)
--- a/doc/unbound.conf.rst
+++ b/doc/unbound.conf.rst
@@ -3156,6 +3156,14 @@ These options are part of the **server:** clause.
      Default: 200
  
  
+@@UAHL@unbound.conf@iter-scrub-promiscuous@@: *<yes or no>*
+    Should the iterator scrubber remove promiscuous NS from positive answers.
+    This protects against poisonous contents, that could affect names in the
+    same zone as a spoofed packet.
+
+    Default: yes
+
+
  @@UAHL@unbound.conf@fast-server-permil@@: *<number>*
      Specify how many times out of 1000 to pick from the set of fastest servers.
      0 turns the feature off.
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c

index 49a5f5da19c22271ff1f958c3f67e1b665467cb1..553d3655f0e3f3a09547dab46d808b938073fe26 100644 (file)
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -634,6 +634,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
                                         "RRset:", pkt, msg, prev, &rrset);
                                 continue;
                         }
+                       /* If the NS set is a promiscuous NS set, scrub that
+                        * to remove potential for poisonous contents that
+                        * affects other names in the same zone. Remove
+                        * promiscuous NS sets in positive answers, that
+                        * thus have records in the answer section. Nodata
+                        * and nxdomain promiscuous NS sets have been removed
+                        * already. Since the NS rrset is scrubbed, its
+                        * address records are also not marked to be allowed
+                        * and are removed later. */
+                       if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
+                               msg->an_rrsets != 0 &&
+                               env->cfg->iter_scrub_promiscuous) {
+                               remove_rrset("normalize: removing promiscuous "
+                                       "RRset:", pkt, msg, prev, &rrset);
+                               continue;
+                       }
                         if(nsset == NULL) {
                                 nsset = rrset;
                         } else {
diff --git a/testdata/autotrust_init.rpl b/testdata/autotrust_init.rpl

index d722273e0a99e735612301c3c5feb294b29a6fdb..d69e70b4bef7e8d5be4db99636ee4d111720c54c 100644 (file)
--- a/testdata/autotrust_init.rpl
+++ b/testdata/autotrust_init.rpl
@@ -5,6 +5,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  stub-zone:
         name: "."
         stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
diff --git a/testdata/autotrust_init_ds.rpl b/testdata/autotrust_init_ds.rpl

index ad4019ebec6eb5817d21311407f9efbb88ce15f6..9ffb4d4ba27d86bcc1b9600eb7c5b8b7401b8cec 100644 (file)
--- a/testdata/autotrust_init_ds.rpl
+++ b/testdata/autotrust_init_ds.rpl
@@ -5,6 +5,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  stub-zone:
         name: "."
         stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
diff --git a/testdata/autotrust_init_sigs.rpl b/testdata/autotrust_init_sigs.rpl

index d5d52f4738694d67842fdb862186112c23a96878..a7cb7963ba59c1249b58bdafabd3e04d64884175 100644 (file)
--- a/testdata/autotrust_init_sigs.rpl
+++ b/testdata/autotrust_init_sigs.rpl
@@ -5,6 +5,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  stub-zone:
         name: "."
         stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
diff --git a/testdata/autotrust_init_zsk.rpl b/testdata/autotrust_init_zsk.rpl

index 56a5bc0b3febcf722dfe9ad917fc08e4e28ceed6..2d28d43401103cc4c1630bb74bcb3096b228a43a 100644 (file)
--- a/testdata/autotrust_init_zsk.rpl
+++ b/testdata/autotrust_init_zsk.rpl
@@ -5,6 +5,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  stub-zone:
         name: "."
         stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
diff --git a/testdata/black_data.rpl b/testdata/black_data.rpl

index e6ef1b79d61cb7fb5b0ff1c6fc80e097de10c669..e928d630d2b612cdabd8e763e100b5b8e5333aed 100644 (file)
--- a/testdata/black_data.rpl
+++ b/testdata/black_data.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/black_prime.rpl b/testdata/black_prime.rpl

index fbe92a721423d35d7c5edf7295ff5a76af91bbbd..0301c85b61a1fed4c9dacd823a3ffb6da871251c 100644 (file)
--- a/testdata/black_prime.rpl
+++ b/testdata/black_prime.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/disable_edns_do.rpl b/testdata/disable_edns_do.rpl

index 82a16da062f15d433ae0ca28ff0781f6c647d483..45b4ffca8c081441c971994020ca5df205795ea1 100644 (file)
--- a/testdata/disable_edns_do.rpl
+++ b/testdata/disable_edns_do.rpl
@@ -5,6 +5,7 @@ server:
         qname-minimisation: "no"
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         disable-edns-do: yes
  
  stub-zone:
diff --git a/testdata/dns64_lookup.rpl b/testdata/dns64_lookup.rpl

index 327f7dfed89a760c87f200eac85a0f16af8d3653..cec801232f0d653ef43ed8dd4c91f4ca539439a5 100644 (file)
--- a/testdata/dns64_lookup.rpl
+++ b/testdata/dns64_lookup.rpl
@@ -7,6 +7,7 @@ server:
         dns64-ignore-aaaa: ip6ignore.example.com
         dns64-ignore-aaaa: ip6only.example.com
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/dns64_prefetch_cache.rpl b/testdata/dns64_prefetch_cache.rpl

index a23b92f08d42cf97f700baad02da5cf1fef90c25..b28839c9a0ef5d7a7bed3c9cbe5257bdd625ae1f 100644 (file)
--- a/testdata/dns64_prefetch_cache.rpl
+++ b/testdata/dns64_prefetch_cache.rpl
@@ -5,6 +5,7 @@ server:
         module-config: "dns64 iterator"
         dns64-prefix: 64:ff9b::0/96
         minimal-responses: no
+       iter-scrub-promiscuous: no
         prefetch: yes
  
  stub-zone:
diff --git a/testdata/fetch_glue.rpl b/testdata/fetch_glue.rpl

index 8860d85b0612ef16d62d19392d45e5624df1024d..daf687ad48e64f874e6f2cec29aaa9cd8fc4b2a8 100644 (file)
--- a/testdata/fetch_glue.rpl
+++ b/testdata/fetch_glue.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/fetch_glue_cname.rpl b/testdata/fetch_glue_cname.rpl

index 64f00fb20b5faf758553928ecfac228c451bf158..c786a417c354f38f4c4bac7d9b8ce2a1c57c1f20 100644 (file)
--- a/testdata/fetch_glue_cname.rpl
+++ b/testdata/fetch_glue_cname.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/fwd_cached.rpl b/testdata/fwd_cached.rpl

index 2d6b0c2b8cbea5aa5c3e6459c088600d879967ec..4a00f8715f663855acc02c7d20f08f263caac707 100644 (file)
--- a/testdata/fwd_cached.rpl
+++ b/testdata/fwd_cached.rpl
@@ -2,6 +2,7 @@
  ; config options go here.
  server:
         minimal-responses: no
+       iter-scrub-promiscuous: no
  forward-zone: name: "." forward-addr: 216.0.0.1
  CONFIG_END
  
diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf

index 5b2c8045a75714b037a137c9599cfafc8f19d701..7bc7408cd645ad58a514f1d86daa39c8b24f54d5 100644 (file)
--- a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf
+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf
@@ -10,6 +10,7 @@ server:
         username: ""
         do-not-query-localhost: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  forward-zone:
         name: "."
diff --git a/testdata/fwd_minimal.rpl b/testdata/fwd_minimal.rpl

index e85d7124b1d8ce0386db36b16a54c9f94b893758..ef1d7fc41a76a8cec958ef2105c51c6dd48d8f6c 100644 (file)
--- a/testdata/fwd_minimal.rpl
+++ b/testdata/fwd_minimal.rpl
@@ -5,6 +5,7 @@ server:
         ; is fine for that, not removed by minimal-responses.
         access-control: 127.0.0.1 allow_snoop
         minimal-responses: yes
+       iter-scrub-promiscuous: no
  forward-zone: name: "." forward-addr: 216.0.0.1
  CONFIG_END
  
diff --git a/testdata/ipsecmod_bogus_ipseckey.crpl b/testdata/ipsecmod_bogus_ipseckey.crpl

index 094710b6006dd132e34874f8d3076d30c26dea8f..98bc454f2f18467507790e0e32074841fbe703ff 100644 (file)
--- a/testdata/ipsecmod_bogus_ipseckey.crpl
+++ b/testdata/ipsecmod_bogus_ipseckey.crpl
@@ -9,6 +9,7 @@ server:
         qname-minimisation: "no"
         # test that default value of harden-dnssec-stripped is still yes.
         fake-sha1: yes
+       iter-scrub-promiscuous: no
         trust-anchor-signaling: no
         access-control: 127.0.0.1 allow_snoop
         module-config: "ipsecmod validator iterator"
diff --git a/testdata/ipsecmod_enabled.crpl b/testdata/ipsecmod_enabled.crpl

index 449842961de1f9654b5729af74cdcd3428ae99d9..04e8cb1a117a0ffb21bd9d31026ac7eabe7c4b67 100644 (file)
--- a/testdata/ipsecmod_enabled.crpl
+++ b/testdata/ipsecmod_enabled.crpl
@@ -11,6 +11,7 @@ server:
         ipsecmod-enabled: no
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl

index a605c344581be3a7b8398065ca262612fa44b1a7..4c4d80c10c9120df5702a6b9820e2fcf99b5f1d8 100644 (file)
--- a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl
+++ b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl
@@ -18,6 +18,7 @@ server:
         ipsecmod-ignore-bogus: yes
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/ipsecmod_max_ttl.crpl b/testdata/ipsecmod_max_ttl.crpl

index 592bae046360d9b69c5f3dd80f3ed26ec66260ff..4dfeddfd9a2df3ffb3f28596eb968b9a39601097 100644 (file)
--- a/testdata/ipsecmod_max_ttl.crpl
+++ b/testdata/ipsecmod_max_ttl.crpl
@@ -10,6 +10,7 @@ server:
         ipsecmod-max-ttl: 200
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/ipsecmod_strict.crpl b/testdata/ipsecmod_strict.crpl

index f74e308bde44cdd6aaf1a8d5cdb2482c8c38dc48..51cc11b5318ff4e04a3ea9169d3cde9ca8778b55 100644 (file)
--- a/testdata/ipsecmod_strict.crpl
+++ b/testdata/ipsecmod_strict.crpl
@@ -10,6 +10,7 @@ server:
         ipsecmod-max-ttl: 200
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/ipsecmod_whitelist.crpl b/testdata/ipsecmod_whitelist.crpl

index 34108f3b116144be24d341af3212c158efd8df82..350c2ad48cc2411a124af7a23386910369e901e9 100644 (file)
--- a/testdata/ipsecmod_whitelist.crpl
+++ b/testdata/ipsecmod_whitelist.crpl
@@ -11,6 +11,7 @@ server:
         ipsecmod-whitelist: white.example.com
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_class_any.rpl b/testdata/iter_class_any.rpl

index 6fb296e99d009c88bb6b4b3f6a8e9def883ccf73..87e0db032e86d4e4a2148788af65a9992ac2dd88 100644 (file)
--- a/testdata/iter_class_any.rpl
+++ b/testdata/iter_class_any.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_cycle_noh.rpl b/testdata/iter_cycle_noh.rpl

index eee26ca70d151532e0c16fd3da093fc32aa96aed..e551ac6e80d4539a989cc7f0caf9da19d93a1097 100644 (file)
--- a/testdata/iter_cycle_noh.rpl
+++ b/testdata/iter_cycle_noh.rpl
@@ -4,6 +4,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl

index 6110148a3c8281ee0525f38e09d8c1b5f96c9b72..7c3cc1f2fef2ea501b50221d8ed3cc32d6c3b98e 100644 (file)
--- a/testdata/iter_domain_sale.rpl
+++ b/testdata/iter_domain_sale.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl

index 5664855d50b88bb88a902f092496b1d58ced58ef..886ed51a3bd49220d716f8cbc9520ab8bc7d9738 100644 (file)
--- a/testdata/iter_domain_sale_nschange.rpl
+++ b/testdata/iter_domain_sale_nschange.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_emptydp.rpl b/testdata/iter_emptydp.rpl

index ecb49b6cd0fa445464f248cef344f5a0201d0b93..3879a9b4328ba022e827b4fc5a60de29185ee907 100644 (file)
--- a/testdata/iter_emptydp.rpl
+++ b/testdata/iter_emptydp.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_emptydp_for_glue.rpl b/testdata/iter_emptydp_for_glue.rpl

index 94dec2bc5e06bb87618b0923536766946aec7320..fc7933fbc4da05cf014decce868bf1b075529127 100644 (file)
--- a/testdata/iter_emptydp_for_glue.rpl
+++ b/testdata/iter_emptydp_for_glue.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_fwdfirst.rpl b/testdata/iter_fwdfirst.rpl

index 0f8a85f5ae032a1f162f3049a7dfe96daa34eec6..509a1cdad5584ac94e025f709ab4a7e936737f88 100644 (file)
--- a/testdata/iter_fwdfirst.rpl
+++ b/testdata/iter_fwdfirst.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_fwdfirstequal.rpl b/testdata/iter_fwdfirstequal.rpl

index dc648143ce66c7e2f5790dec66a1d6d94ece185b..abd25d149822c33e05dd56b0237abfa31274ff86 100644 (file)
--- a/testdata/iter_fwdfirstequal.rpl
+++ b/testdata/iter_fwdfirstequal.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_fwdfirstequaltcp.rpl b/testdata/iter_fwdfirstequaltcp.rpl

index 72dd441f50a343c4e69e2f5a5aec10c64f728194..8c2040fcebfef624151334631a5c79d4848245fe 100644 (file)
--- a/testdata/iter_fwdfirstequaltcp.rpl
+++ b/testdata/iter_fwdfirstequaltcp.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
          tcp-upstream: no
          #tls-upstream:no  # same case but not testable in rpl.
  
diff --git a/testdata/iter_fwdstub.rpl b/testdata/iter_fwdstub.rpl

index ad5b57cb769036bab6178f8b29b57bf1fbd1fc34..4c741a50fe4060f371d025f0ddbd27da6e5bf78b 100644 (file)
--- a/testdata/iter_fwdstub.rpl
+++ b/testdata/iter_fwdstub.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_fwdstubroot.rpl b/testdata/iter_fwdstubroot.rpl

index fa930430d7f5bc8dd103fac9eba358a842949715..dd93ecdef3edde453942a9cd649029854ace2321 100644 (file)
--- a/testdata/iter_fwdstubroot.rpl
+++ b/testdata/iter_fwdstubroot.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_ghost_grandchild_delegation.rpl b/testdata/iter_ghost_grandchild_delegation.rpl

index d1e521b57e9c89593205e0875b417e0ff95696f3..af6a570eb14803e2f216d7db854530eb67cae900 100644 (file)
--- a/testdata/iter_ghost_grandchild_delegation.rpl
+++ b/testdata/iter_ghost_grandchild_delegation.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_ghost_sub.rpl b/testdata/iter_ghost_sub.rpl

index ccb736755d70cd722e0aa5f35440ec7227d29092..36767bb344208b0dd419548208a567876cbfd9b6 100644 (file)
--- a/testdata/iter_ghost_sub.rpl
+++ b/testdata/iter_ghost_sub.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_ghost_timewindow.rpl b/testdata/iter_ghost_timewindow.rpl

index 9e304628c98b6f068abc75a876e4fdb4ff53654a..24390a09cf3ecb26b9822836061c1bbbca275e1f 100644 (file)
--- a/testdata/iter_ghost_timewindow.rpl
+++ b/testdata/iter_ghost_timewindow.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         discard-timeout: 86400
  
  stub-zone:
diff --git a/testdata/iter_got6only.rpl b/testdata/iter_got6only.rpl

index 15522843903ba66a955e154fe2c1f29212c819a6..b0d20b3f47340b7a5d42f33086e1e34cb7c0cbc6 100644 (file)
--- a/testdata/iter_got6only.rpl
+++ b/testdata/iter_got6only.rpl
@@ -4,6 +4,7 @@ server:
         target-fetch-policy: "0 0 0 0 0 "
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  stub-zone:
         name: "."
         stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl

index 2fb6dde72d9194d4c01b786f92b2bb9f861dbd24..26aa5dc735fd752b7f1d2e811a182f57ab98c85a 100644 (file)
--- a/testdata/iter_hint_lame.rpl
+++ b/testdata/iter_hint_lame.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_lame_noaa.rpl b/testdata/iter_lame_noaa.rpl

index defaa5ca82adda0e335d44d8e80fb648c87dbb9e..050866c650bdcf4757c41d16c08f16d4b11729b6 100644 (file)
--- a/testdata/iter_lame_noaa.rpl
+++ b/testdata/iter_lame_noaa.rpl
@@ -4,6 +4,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/iter_lame_nosoa.rpl b/testdata/iter_lame_nosoa.rpl

index 3bf6ccc18bd79ad16833d4191d89070bd4bb7aaf..d55ff78d6f8206099d8ef71017a70a3cdcd4d7c7 100644 (file)
--- a/testdata/iter_lame_nosoa.rpl
+++ b/testdata/iter_lame_nosoa.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/iter_mod.rpl b/testdata/iter_mod.rpl

index 35b3a5af6a5cd83faae46e4ce7fe07db76c1b823..3d3d6789d544bfd63b84fb9c2fc681d95091dee2 100644 (file)
--- a/testdata/iter_mod.rpl
+++ b/testdata/iter_mod.rpl
@@ -4,6 +4,7 @@ server:
         qname-minimisation: "no"
         module-config: "iterator"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_ns_badip.rpl b/testdata/iter_ns_badip.rpl

index e0bf966747bc5ad73274047629b4102f8b15004d..481f47a0ac6f7cb2f4ba7ff719de142df4bef660 100644 (file)
--- a/testdata/iter_ns_badip.rpl
+++ b/testdata/iter_ns_badip.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "3 2 1 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/iter_ns_spoof.rpl b/testdata/iter_ns_spoof.rpl

index f6745763532ff5a1e8c61ec64c9bc0850ba390f3..999ff05ffd43a82ba01f6ad44d4b4717bf604139 100644 (file)
--- a/testdata/iter_ns_spoof.rpl
+++ b/testdata/iter_ns_spoof.rpl
@@ -4,6 +4,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  stub-zone:
         name: "."
         stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
diff --git a/testdata/iter_nxns_fallback.rpl b/testdata/iter_nxns_fallback.rpl

index a9436529a1e80a70e6d497981ff240901914aa96..b4e234130892128809d27127b844244ed5a97aaa 100644 (file)
--- a/testdata/iter_nxns_fallback.rpl
+++ b/testdata/iter_nxns_fallback.rpl
@@ -8,6 +8,7 @@ server:
         access-control: 127.0.0.1 allow_snoop
         qname-minimisation: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/iter_pc_a.rpl b/testdata/iter_pc_a.rpl

index d9add0056feac3d956b78da3ee527f23a4564564..be73a796a2196e2a564d6f5ca74849e8a5c108bb 100644 (file)
--- a/testdata/iter_pc_a.rpl
+++ b/testdata/iter_pc_a.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_pc_aaaa.rpl b/testdata/iter_pc_aaaa.rpl

index a28354306aca9068b39029b767273037bc6cab5a..a7ce1866f62c505d3193091d262e526af6d25e95 100644 (file)
--- a/testdata/iter_pc_aaaa.rpl
+++ b/testdata/iter_pc_aaaa.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_pcdiff.rpl b/testdata/iter_pcdiff.rpl

index 57fb109afa5e86aeec2227e20a4ebddbecc4e7b4..a462d333e2ff37b984e71c3c59ac55d8d2b67332 100644 (file)
--- a/testdata/iter_pcdiff.rpl
+++ b/testdata/iter_pcdiff.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_pcdirect.rpl b/testdata/iter_pcdirect.rpl

index 0bd5dfe783555a8e9a3f11d3a202c4fb690b32c6..656ec7af4242f362493972cfb09d40a826989276 100644 (file)
--- a/testdata/iter_pcdirect.rpl
+++ b/testdata/iter_pcdirect.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_pcname.rpl b/testdata/iter_pcname.rpl

index e17c9102c86af8ba0547cc0c2ef8f8163aabd839..af53c901bc3a164e2c09116e47250bc59817b5a5 100644 (file)
--- a/testdata/iter_pcname.rpl
+++ b/testdata/iter_pcname.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_pcnamech.rpl b/testdata/iter_pcnamech.rpl

index 32b3130c80540c2345349c1b6bc9f24e0486e47f..805cb18f74f195d2879d7fa9ccf96fa71afac5e3 100644 (file)
--- a/testdata/iter_pcnamech.rpl
+++ b/testdata/iter_pcnamech.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/iter_pcnamechrec.rpl b/testdata/iter_pcnamechrec.rpl

index 8bf7ad8792b762009fcf00e4d7dfce36ef903caf..bbb9c863df89c4a77038db5c929fade8433a727c 100644 (file)
--- a/testdata/iter_pcnamechrec.rpl
+++ b/testdata/iter_pcnamechrec.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/iter_pcnamerec.rpl b/testdata/iter_pcnamerec.rpl

index faee6d029acd10a0a7c6a11299272395d86a417c..2ea0dada3aefccfcb4ff3df73803c345613ed661 100644 (file)
--- a/testdata/iter_pcnamerec.rpl
+++ b/testdata/iter_pcnamerec.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_pcttl.rpl b/testdata/iter_pcttl.rpl

index 413f8cb88b09642e2088d94bebb4699b2772c1b8..a702017108c2229c42320c3e2ca6f83cb5df6bc0 100644 (file)
--- a/testdata/iter_pcttl.rpl
+++ b/testdata/iter_pcttl.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         do-ip6: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_prefetch.rpl b/testdata/iter_prefetch.rpl

index bad92dc575ddf52380212609d48484e8bdf0e5a4..fdf595564a2a11307e9b2800dc1ca910e4a1e3d1 100644 (file)
--- a/testdata/iter_prefetch.rpl
+++ b/testdata/iter_prefetch.rpl
@@ -4,6 +4,7 @@ server:
         qname-minimisation: "no"
         prefetch: "yes"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_prefetch_change.rpl b/testdata/iter_prefetch_change.rpl

index 1be9e6abee3bf033b0064760fc275308eff183c3..c1a1a710f9de940758ced63b6aa5b6e5fb959e3f 100644 (file)
--- a/testdata/iter_prefetch_change.rpl
+++ b/testdata/iter_prefetch_change.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         prefetch: "yes"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_prefetch_change2.rpl b/testdata/iter_prefetch_change2.rpl

index 7a8370ff61bb470282cb9195fc176bc9c953141f..4a966fea0fe031bf5af68667bebe51de21e935fa 100644 (file)
--- a/testdata/iter_prefetch_change2.rpl
+++ b/testdata/iter_prefetch_change2.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         prefetch: "yes"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_prefetch_childns.rpl b/testdata/iter_prefetch_childns.rpl

index 00a91fcde1a5fc20771655d4cffc6f512cf4dea9..f234065e7636879d6ab31c900833e9781e17300f 100644 (file)
--- a/testdata/iter_prefetch_childns.rpl
+++ b/testdata/iter_prefetch_childns.rpl
@@ -4,6 +4,7 @@ server:
         qname-minimisation: "no"
         prefetch: "yes"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_prefetch_fail.rpl b/testdata/iter_prefetch_fail.rpl

index 1d92a4c1c462778b472e751f1e04a8c1b6d43dd9..d1e308305b8b1a8ac0ef0f946441d07a479aea5f 100644 (file)
--- a/testdata/iter_prefetch_fail.rpl
+++ b/testdata/iter_prefetch_fail.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         prefetch: "yes"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_prefetch_ns.rpl b/testdata/iter_prefetch_ns.rpl

index 93af216387aeedcfc0d0a7ae9b8f6b3c1fb8c1c2..3192d31c06740235bf0d8b057c0cb785af1d957b 100644 (file)
--- a/testdata/iter_prefetch_ns.rpl
+++ b/testdata/iter_prefetch_ns.rpl
@@ -4,6 +4,7 @@ server:
         qname-minimisation: "no"
         prefetch: "yes"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_primenoglue.rpl b/testdata/iter_primenoglue.rpl

index b9808dd2c7dfd4b339c29f517d186c8e4326378b..f8c98035074adf09425da0e3980f4a914403e651 100644 (file)
--- a/testdata/iter_primenoglue.rpl
+++ b/testdata/iter_primenoglue.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_privaddr.rpl b/testdata/iter_privaddr.rpl

index 0c87b4b9aaa205e2a0708f673dfa01894b8ee5cc..b7a6fde29b6c121ae94d8d79dbce0999d2288f7d 100644 (file)
--- a/testdata/iter_privaddr.rpl
+++ b/testdata/iter_privaddr.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
         private-address: 10.0.0.0/8
         private-address: 172.16.0.0/12
diff --git a/testdata/iter_ranoaa_lame.rpl b/testdata/iter_ranoaa_lame.rpl

index 8ee82415abc165161c1580270a0adc06d46eab9e..313192f10e29e4ff690b025e4d549c9d955a40ca 100644 (file)
--- a/testdata/iter_ranoaa_lame.rpl
+++ b/testdata/iter_ranoaa_lame.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/iter_reclame_one.rpl b/testdata/iter_reclame_one.rpl

index 4a6abfae534fe803904d060968d2d42dd6894a84..d273e605632cce7f7bb2e1b8656aa94ce887a671 100644 (file)
--- a/testdata/iter_reclame_one.rpl
+++ b/testdata/iter_reclame_one.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/iter_reclame_two.rpl b/testdata/iter_reclame_two.rpl

index 76c310b28efd70aba5e8cde867665b96d84b5b41..e2b2bc12638e711d050b47d54f73a40451be57af 100644 (file)
--- a/testdata/iter_reclame_two.rpl
+++ b/testdata/iter_reclame_two.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/iter_recurse.rpl b/testdata/iter_recurse.rpl

index be50b4af8c26570b8a5349272d435f80df9402d0..135287678b855f51da8c7949e914364c690e9451 100644 (file)
--- a/testdata/iter_recurse.rpl
+++ b/testdata/iter_recurse.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_resolve.rpl b/testdata/iter_resolve.rpl

index ed051ff24effec6391dfe526f9ec5ef61a66c051..3ea56abe90043817c54c605c3444cb7dd10f3b19 100644 (file)
--- a/testdata/iter_resolve.rpl
+++ b/testdata/iter_resolve.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_resolve_minimised.rpl b/testdata/iter_resolve_minimised.rpl

index 2c6f9ccf5f935d66889b7b8b9125e63b897e1d66..13f04d4817f60cbd8ffc1b1c97f27be78f73eac5 100644 (file)
--- a/testdata/iter_resolve_minimised.rpl
+++ b/testdata/iter_resolve_minimised.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_resolve_minimised_nx.rpl b/testdata/iter_resolve_minimised_nx.rpl

index 74e612ccb9515d83c611f6a7d3fc2ccdb3b07ad7..c68f20ca8c9cb8fc07d03c0e08b3d1073054ddcc 100644 (file)
--- a/testdata/iter_resolve_minimised_nx.rpl
+++ b/testdata/iter_resolve_minimised_nx.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: yes
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_resolve_minimised_refused.rpl b/testdata/iter_resolve_minimised_refused.rpl

index 66e8e631e200d6fb539eb235bd5407f15fadc3d9..8dc76e258a08d79b88fc1acada24b0dd08df09ee 100644 (file)
--- a/testdata/iter_resolve_minimised_refused.rpl
+++ b/testdata/iter_resolve_minimised_refused.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: yes
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_resolve_minimised_timeout.rpl b/testdata/iter_resolve_minimised_timeout.rpl

index 86b93216075bdd42ad7eda2571e9c337fdd5344f..3740d79f4162854637c4ab5d8933c56023226083 100644 (file)
--- a/testdata/iter_resolve_minimised_timeout.rpl
+++ b/testdata/iter_resolve_minimised_timeout.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: yes
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_scrub_cname_an.rpl b/testdata/iter_scrub_cname_an.rpl

index 9c5060af7913d48a2820a1e159b45a7c1daf557b..f81916b0ca7bf4c543f4564519c8da975097728f 100644 (file)
--- a/testdata/iter_scrub_cname_an.rpl
+++ b/testdata/iter_scrub_cname_an.rpl
@@ -4,6 +4,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
          name: "."
diff --git a/testdata/iter_scrub_dname_insec.rpl b/testdata/iter_scrub_dname_insec.rpl

index 826d89e29e6dd3ce97dc5855a09c6966f388b0b7..82ff1d3daae0719364919eb171ae8c5cc79d349d 100644 (file)
--- a/testdata/iter_scrub_dname_insec.rpl
+++ b/testdata/iter_scrub_dname_insec.rpl
@@ -4,6 +4,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
          name: "."
diff --git a/testdata/iter_scrub_dname_rev.rpl b/testdata/iter_scrub_dname_rev.rpl

index 9caca66c0efda115fb06f2a25a120a6e6fa0b7cd..dfb21b8b69fb96b2c310779516b383a42cea9493 100644 (file)
--- a/testdata/iter_scrub_dname_rev.rpl
+++ b/testdata/iter_scrub_dname_rev.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
          name: "."
diff --git a/testdata/iter_scrub_dname_sec.rpl b/testdata/iter_scrub_dname_sec.rpl

index 34a7b324deacae6010fef693f2de217cc6fbc2f9..943b19ff51519dc9f9d5969c1ff2950eb72cdf96 100644 (file)
--- a/testdata/iter_scrub_dname_sec.rpl
+++ b/testdata/iter_scrub_dname_sec.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
          name: "."
diff --git a/testdata/iter_scrub_promiscuous.rpl b/testdata/iter_scrub_promiscuous.rpl

new file mode 100644 (file)

index 0000000..61fca0d
--- /dev/null
+++ b/testdata/iter_scrub_promiscuous.rpl
@@ -0,0 +1,373 @@
+; config options
+server:
+       target-fetch-policy: "0 0 0 0 0"
+       qname-minimisation: no
+       iter-scrub-promiscuous: yes
+
+stub-zone:
+       name: "."
+       stub-addr: 1.2.3.0 # ns.root
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator with scrub of promiscuous records
+; The test queries receive spoofed answers. The check queries see if
+; the record is returned by the original server or by a spoofed source.
+; The test domains are pollute1.mesa, pollute2.mesa and pollute3.mesa.
+; The spoofed contents are ns.attacker.mesa and its IPs 5.6.7.8 and 5.6.7.9.
+; The pollute1.mesa NS, ns.pollute2.mesa A, and test3.atkr.pollute3.mesa NS
+; with ns.pollute3.mesa A records are tested for cache placement.
+
+; ns.root
+RANGE_BEGIN 0 400
+       ADDRESS 1.2.3.0
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS NS.ROOT.
+SECTION ADDITIONAL
+NS.ROOT. IN A 1.2.3.0
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+mesa. IN NS
+SECTION AUTHORITY
+mesa. IN NS ns.mesa.
+SECTION ADDITIONAL
+ns.mesa. IN A 1.2.7.7
+ENTRY_END
+RANGE_END
+
+; ns.mesa
+RANGE_BEGIN 0 400
+       ADDRESS 1.2.7.7
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+pollute1.mesa. IN NS
+SECTION AUTHORITY
+pollute1.mesa. IN NS ns.pollute1.mesa.
+SECTION ADDITIONAL
+ns.pollute1.mesa. IN A 1.2.4.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+pollute2.mesa. IN NS
+SECTION AUTHORITY
+pollute2.mesa. IN NS ns.pollute2.mesa.
+SECTION ADDITIONAL
+ns.pollute2.mesa. IN A 1.2.4.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+pollute3.mesa. IN NS
+SECTION AUTHORITY
+pollute3.mesa. IN NS ns.pollute3.mesa.
+SECTION ADDITIONAL
+ns.pollute3.mesa. IN A 1.2.4.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+attacker.mesa. IN NS
+SECTION AUTHORITY
+attacker.mesa. IN NS ns.attacker.mesa.
+SECTION ADDITIONAL
+ns.attacker.mesa. IN A 5.6.7.8
+ENTRY_END
+RANGE_END
+
+; ns.pollute1.mesa
+RANGE_BEGIN 0 400
+       ADDRESS 1.2.4.1
+
+; This is the spoofed answer that is returned.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+test1.atkr.pollute1.mesa. IN A
+SECTION ANSWER
+test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4
+SECTION AUTHORITY
+pollute1.mesa. 86400 IN NS ns.attacker.mesa.
+ENTRY_END
+
+; correct answer for the check query.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute1.mesa. IN A
+SECTION ANSWER
+check.pollute1.mesa. IN A 1.8.9.1
+ENTRY_END
+RANGE_END
+
+; ns.pollute2.mesa
+RANGE_BEGIN 0 400
+       ADDRESS 1.2.4.2
+
+; This is the spoofed answer that is returned.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+test2.atkr.pollute2.mesa. IN A
+SECTION ANSWER
+test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4
+SECTION AUTHORITY
+pollute2.mesa. 86400 IN NS ns.pollute2.mesa.
+SECTION ADDITIONAL
+ns.pollute2.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+; correct answer for the check query.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute2.mesa. IN A
+SECTION ANSWER
+check.pollute2.mesa. IN A 1.8.9.2
+ENTRY_END
+RANGE_END
+
+; ns.pollute3.mesa
+RANGE_BEGIN 0 400
+       ADDRESS 1.2.4.3
+
+; This is the spoofed answer that is returned.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+test3.atkr.pollute3.mesa. IN A
+SECTION ANSWER
+test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
+SECTION AUTHORITY
+test3.atkr.pollute3.mesa. 86400 IN NS ns.pollute3.mesa.
+SECTION ADDITIONAL
+ns.pollute3.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+; correct answer for the check query.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute3.mesa. IN A
+SECTION ANSWER
+check.pollute3.mesa. IN A 1.8.9.3
+ENTRY_END
+RANGE_END
+
+; ns.attacker.mesa
+RANGE_BEGIN 0 400
+       ADDRESS 5.6.7.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.attacker.mesa. IN A
+SECTION ANSWER
+ns.attacker.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.attacker.mesa. IN AAAA
+SECTION AUTHORITY
+attacker.mesa. 3600 IN SOA ns.attacker.mesa. root.attacker.mesa. 4 7200 3600 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.attacker.mesa. IN A
+SECTION ANSWER
+ns.attacker.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute1.mesa. IN A
+SECTION ANSWER
+check.pollute1.mesa. 86400 IN A 5.6.7.9
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute2.mesa. IN A
+SECTION ANSWER
+check.pollute2.mesa. 86400 IN A 5.6.7.9
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute3.mesa. IN A
+SECTION ANSWER
+check.pollute3.mesa. 86400 IN A 5.6.7.9
+ENTRY_END
+RANGE_END
+
+; Test query 1
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test1.atkr.pollute1.mesa. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test1.atkr.pollute1.mesa. IN A
+SECTION ANSWER
+test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4
+ENTRY_END
+
+; Test query 2
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test2.atkr.pollute2.mesa. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test2.atkr.pollute2.mesa. IN A
+SECTION ANSWER
+test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4
+ENTRY_END
+
+; Test query 3
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test3.atkr.pollute3.mesa. IN A
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test3.atkr.pollute3.mesa. IN A
+SECTION ANSWER
+test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
+ENTRY_END
+
+; Check the cache contents, for query 1.
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+check.pollute1.mesa. IN A
+ENTRY_END
+
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+check.pollute1.mesa. IN A
+SECTION ANSWER
+; good answer
+check.pollute1.mesa. IN A 1.8.9.1
+; bad answer
+;check.pollute1.mesa. IN A 5.6.7.9
+ENTRY_END
+
+; Check the cache contents, for query 2.
+STEP 80 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+check.pollute2.mesa. IN A
+ENTRY_END
+
+STEP 90 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+check.pollute2.mesa. IN A
+SECTION ANSWER
+; good answer
+check.pollute2.mesa. IN A 1.8.9.2
+; bad answer
+;check.pollute2.mesa. IN A 5.6.7.9
+ENTRY_END
+
+; Check the cache contents, for query 3.
+STEP 100 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+check.pollute3.mesa. IN A
+ENTRY_END
+
+STEP 110 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+check.pollute3.mesa. IN A
+SECTION ANSWER
+; good answer
+check.pollute3.mesa. IN A 1.8.9.3
+; bad answer
+;check.pollute3.mesa. IN A 5.6.7.9
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/iter_scrub_rr_length.rpl b/testdata/iter_scrub_rr_length.rpl

index ee7579f9c246f2a6993c44c7bdf72dca4fc84422..143e0fc5056c1d69ac93cf355251842b07ffa817 100644 (file)
--- a/testdata/iter_scrub_rr_length.rpl
+++ b/testdata/iter_scrub_rr_length.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
         ede: yes
  
diff --git a/testdata/iter_soamin.rpl b/testdata/iter_soamin.rpl

index 7e902601b00682abc9119e235a5b44ae34282e11..0facc3508799e7d9d8430e0765d1f9081832875f 100644 (file)
--- a/testdata/iter_soamin.rpl
+++ b/testdata/iter_soamin.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_stub_noroot.rpl b/testdata/iter_stub_noroot.rpl

index ef306bd428c4546669297eb6704b945bb3491652..749462b6efc409cd65ef51c1ed0bf4fb626d5112 100644 (file)
--- a/testdata/iter_stub_noroot.rpl
+++ b/testdata/iter_stub_noroot.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_stubfirst.rpl b/testdata/iter_stubfirst.rpl

index 1a7112de4517240b119b22f621a20545e476fa4c..7cd3305a93e4dafb0d9976d0b29a11a738d7c62b 100644 (file)
--- a/testdata/iter_stubfirst.rpl
+++ b/testdata/iter_stubfirst.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_timeout_ra_aaaa.rpl b/testdata/iter_timeout_ra_aaaa.rpl

index 126867ba4a4a625b091566a20a56022f2bd1df0d..9456f042052014685f63c275f403f240cbf59269 100644 (file)
--- a/testdata/iter_timeout_ra_aaaa.rpl
+++ b/testdata/iter_timeout_ra_aaaa.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/iter_unverified_glue.rpl b/testdata/iter_unverified_glue.rpl

index 017f220b6f1c5b1d13b9ac601b9a636d3058471e..bc96bb14a4b6cfe049d946546fba87fef8accd55 100644 (file)
--- a/testdata/iter_unverified_glue.rpl
+++ b/testdata/iter_unverified_glue.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         do-ip6: no
         harden-unverified-glue: yes
  stub-zone:
diff --git a/testdata/rrset_rettl.rpl b/testdata/rrset_rettl.rpl

index 55dd62386e28b172409968781d7e3a72729abf78..131a98e713d597f5727547e3c01a8b982c965d61 100644 (file)
--- a/testdata/rrset_rettl.rpl
+++ b/testdata/rrset_rettl.rpl
@@ -2,6 +2,7 @@
  ; config options go here.
  server:
         minimal-responses: no
+       iter-scrub-promiscuous: no
  forward-zone: name: "." forward-addr: 216.0.0.1
  CONFIG_END
  
diff --git a/testdata/rrset_untrusted.rpl b/testdata/rrset_untrusted.rpl

index 6370ebf49bf91e4f3703396cbf05276315308214..207275b5657e9ba23cca24f39c607337d779d8d4 100644 (file)
--- a/testdata/rrset_untrusted.rpl
+++ b/testdata/rrset_untrusted.rpl
@@ -2,6 +2,7 @@
  ; config options go here.
  server:
         minimal-responses: no
+       iter-scrub-promiscuous: no
  forward-zone: name: "." forward-addr: 216.0.0.1
  CONFIG_END
  
diff --git a/testdata/rrset_updated.rpl b/testdata/rrset_updated.rpl

index 55da56bac07429314978fd377d4554d1a0ae9b7b..ba8e4924ce59e5d47c08bd387e7d6ad890ac49c4 100644 (file)
--- a/testdata/rrset_updated.rpl
+++ b/testdata/rrset_updated.rpl
@@ -2,6 +2,7 @@
  ; config options go here.
  server:
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  forward-zone: name: "." forward-addr: 216.0.0.1
  CONFIG_END
diff --git a/testdata/rrset_use_cached.rpl b/testdata/rrset_use_cached.rpl

index 8420ae02afe6dda90d1f2ebf58d3a3fcf7ee23ab..17696f600fda2c2d4e0b9aa4f24b5c74ef43e25a 100644 (file)
--- a/testdata/rrset_use_cached.rpl
+++ b/testdata/rrset_use_cached.rpl
@@ -1,5 +1,6 @@
  server:
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         # The value does not matter, we will not simulate delay.
         # We do not want only serve-expired because fetches from that
diff --git a/testdata/serve_expired.rpl b/testdata/serve_expired.rpl

index 990a562c7191ac657dbeeb8e1c49c525ad1a110a..573e18bcf3209e8286630253878b30da083d8052 100644 (file)
--- a/testdata/serve_expired.rpl
+++ b/testdata/serve_expired.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 0
         access-control: 127.0.0.1/32 allow_snoop
diff --git a/testdata/serve_expired_0ttl_nodata.rpl b/testdata/serve_expired_0ttl_nodata.rpl

index 8ca461be2c7b38b289a56f8cda6c6abebb05a8fb..4d483534d6b36af09348af7fc675c98e9237e369 100644 (file)
--- a/testdata/serve_expired_0ttl_nodata.rpl
+++ b/testdata/serve_expired_0ttl_nodata.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 0
         ede: yes
diff --git a/testdata/serve_expired_0ttl_nxdomain.rpl b/testdata/serve_expired_0ttl_nxdomain.rpl

index 7cf26aedda0a27458542448758ec2f244da5f81e..e7774a4f4bfdb02931869f022dabe3e0a1339797 100644 (file)
--- a/testdata/serve_expired_0ttl_nxdomain.rpl
+++ b/testdata/serve_expired_0ttl_nxdomain.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 0
         ede: yes
diff --git a/testdata/serve_expired_0ttl_servfail.rpl b/testdata/serve_expired_0ttl_servfail.rpl

index e9d4c4884e9f15fe478fba66149d26f05bc1d1a8..87c509bbb7b06e61a3ae3ebb78eb76a8bc9e5242 100644 (file)
--- a/testdata/serve_expired_0ttl_servfail.rpl
+++ b/testdata/serve_expired_0ttl_servfail.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 0
         ede: yes
diff --git a/testdata/serve_expired_cached_servfail.rpl b/testdata/serve_expired_cached_servfail.rpl

index eb115816ec1d908ef65ecc7e34cd466214693751..e7cd5ca395817c24a674c096aa57ed1f6c0e57dc 100644 (file)
--- a/testdata/serve_expired_cached_servfail.rpl
+++ b/testdata/serve_expired_cached_servfail.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 0
         serve-expired-reply-ttl: 123
diff --git a/testdata/serve_expired_client_timeout.rpl b/testdata/serve_expired_client_timeout.rpl

index 5560aa05a8dd6db40fabc7ff0078e2dd423ce3aa..e40e1b4c3219b113cfad1303ab48f0f971c8f5be 100644 (file)
--- a/testdata/serve_expired_client_timeout.rpl
+++ b/testdata/serve_expired_client_timeout.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 1
         serve-expired-reply-ttl: 123
diff --git a/testdata/serve_expired_client_timeout_no_prefetch.rpl b/testdata/serve_expired_client_timeout_no_prefetch.rpl

index aed397d9e9ae35d42862480d351ac5b8e499dd09..3a35c4629733376bd47b428e8193815567e912e9 100644 (file)
--- a/testdata/serve_expired_client_timeout_no_prefetch.rpl
+++ b/testdata/serve_expired_client_timeout_no_prefetch.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 1
         serve-expired-reply-ttl: 123
diff --git a/testdata/serve_expired_client_timeout_servfail.rpl b/testdata/serve_expired_client_timeout_servfail.rpl

index 3c5b35e1793a5be346b749ce8c4af52c82b1efdf..c8a91fed141ea20cb4cf88b9663267b8dda65e9f 100644 (file)
--- a/testdata/serve_expired_client_timeout_servfail.rpl
+++ b/testdata/serve_expired_client_timeout_servfail.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 1
         serve-expired-reply-ttl: 123
diff --git a/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl b/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl

index 6654a2c68409757a1877b93a7dc851bad3142332..08fc071583dade73a5fc1eaf248ffaede46924db 100644 (file)
--- a/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl
+++ b/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl
@@ -9,6 +9,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
         serve-expired: yes
diff --git a/testdata/serve_expired_reply_ttl.rpl b/testdata/serve_expired_reply_ttl.rpl

index e76976bde07dd649ea2cf84519c26a151165a5c7..06128a7369e7ae0b2e4acb92a37417983a7360fe 100644 (file)
--- a/testdata/serve_expired_reply_ttl.rpl
+++ b/testdata/serve_expired_reply_ttl.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-reply-ttl: 123
         serve-expired-client-timeout: 0
diff --git a/testdata/serve_expired_ttl.rpl b/testdata/serve_expired_ttl.rpl

index 66acbdcf1fe102fac3a5afac8c277a6d573ae899..24cb341361076da6015d204b1705dcac88ccd860 100644 (file)
--- a/testdata/serve_expired_ttl.rpl
+++ b/testdata/serve_expired_ttl.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 0
         serve-expired-ttl: 10
diff --git a/testdata/serve_expired_ttl_client_timeout.rpl b/testdata/serve_expired_ttl_client_timeout.rpl

index 169d070ead14a306a572533b5a39695ccf682389..f285790146ac2b3a033d1d8d5717e1a611c9cbd9 100644 (file)
--- a/testdata/serve_expired_ttl_client_timeout.rpl
+++ b/testdata/serve_expired_ttl_client_timeout.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-ttl: 10
         serve-expired-client-timeout: 1
diff --git a/testdata/serve_expired_zerottl.rpl b/testdata/serve_expired_zerottl.rpl

index 1411cb8e77a588161fb5ad3491399bd6d786cdec..1dd7547a96d4df366e20028e862343890ef9da02 100644 (file)
--- a/testdata/serve_expired_zerottl.rpl
+++ b/testdata/serve_expired_zerottl.rpl
@@ -3,6 +3,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 0
         serve-expired-reply-ttl: 123
diff --git a/testdata/serve_original_ttl.rpl b/testdata/serve_original_ttl.rpl

index 30503c285ccd677044ad5fcd8ca99adde4391de5..ee80b550f8705d1fde1ebf9d33188084e4a1bce7 100644 (file)
--- a/testdata/serve_original_ttl.rpl
+++ b/testdata/serve_original_ttl.rpl
@@ -4,6 +4,7 @@ server:
         module-config: "validator iterator"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-original-ttl: yes
         cache-max-ttl: 1000
         cache-min-ttl: 20
diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl

index 3cee6e978b762182581c3d2b541b20069ed8add8..c97bfbbe8f2cef3d54cfdc42629e4d7e2f9a0c70 100644 (file)
--- a/testdata/subnet_cached.crpl
+++ b/testdata/subnet_cached.crpl
@@ -15,6 +15,7 @@ server:
         access-control: 127.0.0.1 allow_snoop
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/subnet_cached_servfail.crpl b/testdata/subnet_cached_servfail.crpl

index 1bcd05f2f8884d2deeb40823e48806069faf43c8..7eec288170acf3ce59dcc578c6c68adae435aeee 100644 (file)
--- a/testdata/subnet_cached_servfail.crpl
+++ b/testdata/subnet_cached_servfail.crpl
@@ -11,6 +11,7 @@ server:
         access-control: 127.0.0.1 allow_snoop
         qname-minimisation: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 0
         prefetch: yes
diff --git a/testdata/subnet_cached_size.crpl b/testdata/subnet_cached_size.crpl

index d221d0d37bc852d26e22e720e28bd951d1c13240..4a8c46449bf5f19a2828c212c97d147d0eebee1a 100644 (file)
--- a/testdata/subnet_cached_size.crpl
+++ b/testdata/subnet_cached_size.crpl
@@ -15,6 +15,7 @@ server:
         access-control: 127.0.0.0/8 allow_snoop
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
         ; the size for the edns subnet cache
         msg-cache-size: 1500
  
diff --git a/testdata/subnet_global_prefetch.crpl b/testdata/subnet_global_prefetch.crpl

index 2f005d43b905db369ec812c35d72aa9c3ed5c136..7665015c03c6e1f103f4ae044d2a7ac9546a10bc 100644 (file)
--- a/testdata/subnet_global_prefetch.crpl
+++ b/testdata/subnet_global_prefetch.crpl
@@ -12,6 +12,7 @@ server:
         access-control: 127.0.0.1 allow_snoop
         qname-minimisation: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         prefetch: yes
  
  stub-zone:
diff --git a/testdata/subnet_global_prefetch_always_forward.crpl b/testdata/subnet_global_prefetch_always_forward.crpl

index 775474cbcfeb27011d837caf46400b65e1f46417..d32ae6da0d0e489dae45d5fec29b260b3c6a395f 100644 (file)
--- a/testdata/subnet_global_prefetch_always_forward.crpl
+++ b/testdata/subnet_global_prefetch_always_forward.crpl
@@ -13,6 +13,7 @@ server:
         access-control: 127.0.0.1 allow_snoop
         qname-minimisation: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/subnet_global_prefetch_expired.crpl b/testdata/subnet_global_prefetch_expired.crpl

index 374bf3e693aa7d4c61d4e5e99f65e35c288d057b..6a491af4263b48c20c0bf376a9da5dd59ed84085 100644 (file)
--- a/testdata/subnet_global_prefetch_expired.crpl
+++ b/testdata/subnet_global_prefetch_expired.crpl
@@ -13,6 +13,7 @@ server:
         access-control: 127.0.0.1 allow_snoop
         qname-minimisation: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         serve-expired: yes
         serve-expired-client-timeout: 0
         serve-expired-ttl: 1
diff --git a/testdata/subnet_global_prefetch_with_client_ecs.crpl b/testdata/subnet_global_prefetch_with_client_ecs.crpl

index ddc832c475def26b5308ebf69a2ef18818870cf1..8589db7e11254d6bbc93a42760cda85d2c2e618d 100644 (file)
--- a/testdata/subnet_global_prefetch_with_client_ecs.crpl
+++ b/testdata/subnet_global_prefetch_with_client_ecs.crpl
@@ -12,6 +12,7 @@ server:
         access-control: 127.0.0.1 allow_snoop
         qname-minimisation: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         prefetch: yes
  
  stub-zone:
diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl

index f5c7464ed7b2a67c6ce6196efedb8d6f244fdf0b..f3f71e7fdb261d697a27dec79bd1a490b289e555 100644 (file)
--- a/testdata/subnet_max_source.crpl
+++ b/testdata/subnet_max_source.crpl
@@ -11,6 +11,7 @@ server:
         verbosity: 3
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/subnet_prefetch.crpl b/testdata/subnet_prefetch.crpl

index aaa6bf08c4500a59a40749f8456b8f5975820f58..243e409505346a7a8f71b758460909ba39120924 100644 (file)
--- a/testdata/subnet_prefetch.crpl
+++ b/testdata/subnet_prefetch.crpl
@@ -12,6 +12,7 @@ server:
         access-control: 127.0.0.1 allow_snoop
         qname-minimisation: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         prefetch: yes
  
  stub-zone:
diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl

index 01456e58b89ae3ab9c5cde1fa57215aa9d0706bd..10996ada82ac5285af31037037a556d9c8d95338 100644 (file)
--- a/testdata/subnet_val_positive.crpl
+++ b/testdata/subnet_val_positive.crpl
@@ -13,6 +13,7 @@ server:
         fake-dsa: yes
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl

index b573742b7067fd27061a87bd75e27e56d3f75ac8..1b51d52ef09588f2db75fa508e00d3982b983275 100644 (file)
--- a/testdata/subnet_val_positive_client.crpl
+++ b/testdata/subnet_val_positive_client.crpl
@@ -14,6 +14,7 @@ server:
         fake-dsa: yes
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/trust_cname_chain.rpl b/testdata/trust_cname_chain.rpl

index f8415ba23ce6b51be970114274bdf4efc93ec90e..e24f8c10da4e0b76d6b1f7d6e1c56d234178d156 100644 (file)
--- a/testdata/trust_cname_chain.rpl
+++ b/testdata/trust_cname_chain.rpl
@@ -2,6 +2,7 @@
  server:
         target-fetch-policy: "0 0 0 0 0"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  stub-zone:
         name: "."
         stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
diff --git a/testdata/ttl_max.rpl b/testdata/ttl_max.rpl

index 32569632123f46d7712114dbcf4a4cef696091d0..b24eea383e0f23f7e02b72b86919213f9ae768ff 100644 (file)
--- a/testdata/ttl_max.rpl
+++ b/testdata/ttl_max.rpl
@@ -4,6 +4,7 @@ server:
         cache-max-ttl: 10
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/ttl_min.rpl b/testdata/ttl_min.rpl

index 3c79ff5ed666daa6b9ccfce7ee8d3d755f17f060..94206c7c543fc486d662821c5f3dca91e53e3dc1 100644 (file)
--- a/testdata/ttl_min.rpl
+++ b/testdata/ttl_min.rpl
@@ -4,6 +4,7 @@ server:
         cache-min-ttl: 10
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_adbit.rpl b/testdata/val_adbit.rpl

index 7ce62de77e314094976f3bce54b14f815f74d989..233c58befe435a5b98ab0bba7062941909bae0d6 100644 (file)
--- a/testdata/val_adbit.rpl
+++ b/testdata/val_adbit.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_adcopy.rpl b/testdata/val_adcopy.rpl

index 604fd57f20437b694c4f8310cdb2d4c046309225..7bc31df23a5509fd420dbf3fdec5c36b10f018c9 100644 (file)
--- a/testdata/val_adcopy.rpl
+++ b/testdata/val_adcopy.rpl
@@ -7,6 +7,7 @@ server:
         qname-minimisation: "no"
         fake-sha1: yes
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_cnametocnamewctoposwc.rpl b/testdata/val_cnametocnamewctoposwc.rpl

index 407666efc0fcd043e4df5582dc7cd3b247247ade..9ea8b493ed1476b1d76ab6b7e7555ef481cb6fc6 100644 (file)
--- a/testdata/val_cnametocnamewctoposwc.rpl
+++ b/testdata/val_cnametocnamewctoposwc.rpl
@@ -7,6 +7,7 @@ server:
         qname-minimisation: "no"
         fake-sha1: yes
         trust-anchor-signaling: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_ds_afterprime.rpl b/testdata/val_ds_afterprime.rpl

index 3b1c0d614ba3efc2de15f5996979be96d6b0e080..301a1f6b6a5303c4ea438443184b7475bef3cf4e 100644 (file)
--- a/testdata/val_ds_afterprime.rpl
+++ b/testdata/val_ds_afterprime.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_faildnskey_ok.rpl b/testdata/val_faildnskey_ok.rpl

index 50f3184b48f1b04408ce4ad5c4e92eecf183f397..f9196f35fe45b2f752688082ca15b6c7f0f157b3 100644 (file)
--- a/testdata/val_faildnskey_ok.rpl
+++ b/testdata/val_faildnskey_ok.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_keyprefetch_verify.rpl b/testdata/val_keyprefetch_verify.rpl

index 9b901a8cbca618163bd1650b8aaa4673ae48499f..6cf81848d5ab8711f7943e9e245f589b6167fde1 100644 (file)
--- a/testdata/val_keyprefetch_verify.rpl
+++ b/testdata/val_keyprefetch_verify.rpl
@@ -10,6 +10,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_noadwhennodo.rpl b/testdata/val_noadwhennodo.rpl

index 46e1bad5a60d16d7f7a20f5a8c93dbc4f20b38ea..dbdeb780e2dab7f260e88e216eacff37a8c74fa2 100644 (file)
--- a/testdata/val_noadwhennodo.rpl
+++ b/testdata/val_noadwhennodo.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_nsec3_b3_optout.rpl b/testdata/val_nsec3_b3_optout.rpl

index 9d84be974185ff5a13b21990d9ebb294cb598297..5d8a43a9b5bded7840521248911d6a67c91be08c 100644 (file)
--- a/testdata/val_nsec3_b3_optout.rpl
+++ b/testdata/val_nsec3_b3_optout.rpl
@@ -7,6 +7,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/val_nsec3_b3_optout_negcache.rpl b/testdata/val_nsec3_b3_optout_negcache.rpl

index 497a8591a6c17771ef443bfa278af0cebc509b48..e7be762fbe492680e341f3a18ef4ccddf3c38f1b 100644 (file)
--- a/testdata/val_nsec3_b3_optout_negcache.rpl
+++ b/testdata/val_nsec3_b3_optout_negcache.rpl
@@ -7,6 +7,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/val_nsec3_b4_wild.rpl b/testdata/val_nsec3_b4_wild.rpl

index 8bf3a546628f2796c49be8b9714b6e80a8efffc2..295932fad39cf5af458dc0135de23bb3607d458f 100644 (file)
--- a/testdata/val_nsec3_b4_wild.rpl
+++ b/testdata/val_nsec3_b4_wild.rpl
@@ -6,6 +6,7 @@ server:
         qname-minimisation: "no"
         fake-sha1: yes
         trust-anchor-signaling: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/val_nsec3_cnametocnamewctoposwc.rpl b/testdata/val_nsec3_cnametocnamewctoposwc.rpl

index 1651ae7dc94f5c709faf18f2a67ec68b484053a0..3e4c55a18c1721fd41fc4205a2e25ba09c9dc704 100644 (file)
--- a/testdata/val_nsec3_cnametocnamewctoposwc.rpl
+++ b/testdata/val_nsec3_cnametocnamewctoposwc.rpl
@@ -7,6 +7,7 @@ server:
         qname-minimisation: "no"
         fake-sha1: yes
         trust-anchor-signaling: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_positive.rpl b/testdata/val_positive.rpl

index daaf36089c09a985c1a1ed8aeef0095cba042ed7..c80851703c0c333bbd15eae5ef45709810493877 100644 (file)
--- a/testdata/val_positive.rpl
+++ b/testdata/val_positive.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_positive_wc.rpl b/testdata/val_positive_wc.rpl

index 5384acf63256d6d89048c76d0801120715200656..591dcc60328da7df4fbc347b078191f62b6129c6 100644 (file)
--- a/testdata/val_positive_wc.rpl
+++ b/testdata/val_positive_wc.rpl
@@ -7,6 +7,7 @@ server:
         qname-minimisation: "no"
         fake-sha1: yes
         trust-anchor-signaling: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_qds_badanc.rpl b/testdata/val_qds_badanc.rpl

index dc686153f406c160887f02465f646c5341f80db9..cb53136f664bc30f3c5dc3a6327db9468548fd66 100644 (file)
--- a/testdata/val_qds_badanc.rpl
+++ b/testdata/val_qds_badanc.rpl
@@ -7,6 +7,7 @@ server:
         qname-minimisation: "no"
         fake-sha1: yes
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_qds_oneanc.rpl b/testdata/val_qds_oneanc.rpl

index f21ab422b47a18d4abb7c8015139dfeed037e7aa..bda9f90327843fd6c909a35954e7afada4b71568 100644 (file)
--- a/testdata/val_qds_oneanc.rpl
+++ b/testdata/val_qds_oneanc.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_qds_twoanc.rpl b/testdata/val_qds_twoanc.rpl

index 4e4f2e732b6400fcf40fbf3123e9e18f4d980727..f801c023b6bc498926053098ba61e09043af9196 100644 (file)
--- a/testdata/val_qds_twoanc.rpl
+++ b/testdata/val_qds_twoanc.rpl
@@ -9,6 +9,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_refer_unsignadd.rpl b/testdata/val_refer_unsignadd.rpl

index 4d073016fce70219d8ff95b96412c3e803496ed2..22f15d21a8c0ccbc7e12d3d097d08110136ee68b 100644 (file)
--- a/testdata/val_refer_unsignadd.rpl
+++ b/testdata/val_refer_unsignadd.rpl
@@ -9,6 +9,7 @@ server:
         qname-minimisation: "no"
         fake-sha1: yes
         trust-anchor-signaling: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/val_referd.rpl b/testdata/val_referd.rpl

index d475f835eb20a383a6260cb5b7d942ab2b563418..a25ca7b7dd37a854560959755192fe39e143505d 100644 (file)
--- a/testdata/val_referd.rpl
+++ b/testdata/val_referd.rpl
@@ -10,6 +10,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl

index 54b7671567d075d2cbc560794fd4ab088661334a..3ca0c0e80d7d9a71f1f93b8b016e64d2882d51ed 100644 (file)
--- a/testdata/val_referglue.rpl
+++ b/testdata/val_referglue.rpl
@@ -10,6 +10,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  stub-zone:
diff --git a/testdata/val_rrsig.rpl b/testdata/val_rrsig.rpl

index 0b672e0f2cba88f09f67fce37d450850cfd55f23..69df344a534e73f842c73aa3c0a72d3bf6e47e12 100644 (file)
--- a/testdata/val_rrsig.rpl
+++ b/testdata/val_rrsig.rpl
@@ -7,6 +7,7 @@ server:
         qname-minimisation: "no"
         fake-sha1: yes
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_spurious_ns.rpl b/testdata/val_spurious_ns.rpl

index cb0a6e52998759f71c661945febfb1ba65df21e0..8db94a10848cfb2dcc4774e76e9cd413d5015f4e 100644 (file)
--- a/testdata/val_spurious_ns.rpl
+++ b/testdata/val_spurious_ns.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_stub_noroot.rpl b/testdata/val_stub_noroot.rpl

index 07113bef7f8a60f32db25f20d3095b4458e6a9fa..66c3d8e8819e24636380839efa4aa08ab73fb3e0 100644 (file)
--- a/testdata/val_stub_noroot.rpl
+++ b/testdata/val_stub_noroot.rpl
@@ -6,6 +6,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_ta_algo_dnskey.rpl b/testdata/val_ta_algo_dnskey.rpl

index 03bac83aaa43bf2c5c67a3b5f62fd650603815af..5b0b64d2531f101bec9bef05446501df1d34d5a6 100644 (file)
--- a/testdata/val_ta_algo_dnskey.rpl
+++ b/testdata/val_ta_algo_dnskey.rpl
@@ -9,6 +9,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_ta_algo_dnskey_dp.rpl b/testdata/val_ta_algo_dnskey_dp.rpl

index 2b3609be8e19961d244b3298502a81cf3c9c394d..ae0c499ca8e18f262477830710bc569ed963bbe1 100644 (file)
--- a/testdata/val_ta_algo_dnskey_dp.rpl
+++ b/testdata/val_ta_algo_dnskey_dp.rpl
@@ -10,6 +10,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_ta_algo_missing_dp.rpl b/testdata/val_ta_algo_missing_dp.rpl

index dc55a09da44a5e7d1eb6cd367312861824c47dfc..14efdeccb39c3bd1b6eb46defb2db54c0688b339 100644 (file)
--- a/testdata/val_ta_algo_missing_dp.rpl
+++ b/testdata/val_ta_algo_missing_dp.rpl
@@ -11,6 +11,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_twocname.rpl b/testdata/val_twocname.rpl

index bc7c3bcb20d5f15afff67abf33e63110e261f448..b4323644a0c36dec2cf65aab51e4c4097430021e 100644 (file)
--- a/testdata/val_twocname.rpl
+++ b/testdata/val_twocname.rpl
@@ -5,6 +5,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
         rrset-roundrobin: no
  
  forward-zone:
diff --git a/testdata/val_unalgo_anchor.rpl b/testdata/val_unalgo_anchor.rpl

index fbbf288a5ff17eb0da69a6e51bf139312a831adb..a93520122083a16390d5fabe9b58a6ef0e9c7063 100644 (file)
--- a/testdata/val_unalgo_anchor.rpl
+++ b/testdata/val_unalgo_anchor.rpl
@@ -7,6 +7,7 @@ server:
         qname-minimisation: "no"
         fake-sha1: yes
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/val_wild_pos.rpl b/testdata/val_wild_pos.rpl

index 624d8e07bf92370249db984c28399f90c9fe341e..9fafa65546d0aa2c6b815af946b8599d76bc8302 100644 (file)
--- a/testdata/val_wild_pos.rpl
+++ b/testdata/val_wild_pos.rpl
@@ -8,6 +8,7 @@ server:
         fake-sha1: yes
         trust-anchor-signaling: no
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
  stub-zone:
         name: "."
diff --git a/testdata/views.rpl b/testdata/views.rpl

index 6a9052fbe2cd850b4e4b16af8f9f62888a3d9dcb..a6026244b2d71b881a5c1cb200d5c055f5556ea7 100644 (file)
--- a/testdata/views.rpl
+++ b/testdata/views.rpl
@@ -3,6 +3,7 @@ server:
         target-fetch-policy: "0 0 0 0 0"
         qname-minimisation: "no"
         minimal-responses: no
+       iter-scrub-promiscuous: no
  
         access-control: 10.10.10.0/24 allow
         access-control-view: 10.10.10.10/32 "view1"
diff --git a/util/config_file.c b/util/config_file.c

index b1e767b3b2a71173fdae36d0b80d6ee34f45487e..25c2b3e302025b5fc81da94ea4085992d6ad47b3 100644 (file)
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -421,6 +421,7 @@ config_create(void)
         cfg->dns_error_reporting = 0;
         cfg->iter_scrub_ns = 20;
         cfg->iter_scrub_cname = 11;
+       cfg->iter_scrub_promiscuous = 1;
         cfg->max_global_quota = 200;
         return cfg;
  error_exit:
@@ -765,6 +766,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
         else S_YNO("dns-error-reporting:", dns_error_reporting)
         else S_NUMBER_OR_ZERO("iter-scrub-ns:", iter_scrub_ns)
         else S_NUMBER_OR_ZERO("iter-scrub-cname:", iter_scrub_cname)
+       else S_YNO("iter-scrub-promiscuous:", iter_scrub_promiscuous)
         else S_NUMBER_OR_ZERO("max-global-quota:", max_global_quota)
         else S_YNO("serve-original-ttl:", serve_original_ttl)
         else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
@@ -1241,6 +1243,7 @@ config_get_option(struct config_file* cfg, const char* opt,
         else O_YNO(opt, "dns-error-reporting", dns_error_reporting)
         else O_DEC(opt, "iter-scrub-ns", iter_scrub_ns)
         else O_DEC(opt, "iter-scrub-cname", iter_scrub_cname)
+       else O_YNO(opt, "iter-scrub-promiscuous", iter_scrub_promiscuous)
         else O_DEC(opt, "max-global-quota", max_global_quota)
         else O_YNO(opt, "serve-original-ttl", serve_original_ttl)
         else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
diff --git a/util/config_file.h b/util/config_file.h

index 44ac036b88df9eaa074c984b2fb37ce415fdf506..f77538b0d6a59471eb4e7a3ffe3480831d18fb8c 100644 (file)
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -792,6 +792,9 @@ struct config_file {
         int iter_scrub_cname;
         /** limit on upstream queries for an incoming query and subqueries. */
         int max_global_quota;
+       /** Should the iterator scrub promiscuous NS rrsets, from positive
+        * answers. */
+       int iter_scrub_promiscuous;
  };
  
  /** from cfg username, after daemonize setup performed */
diff --git a/util/configlexer.lex b/util/configlexer.lex

index bc258673d712c0e1e23b4d91cae635484dc71acb..0ba8d60c98707150445b1b75e4375c57d9fc30fe 100644 (file)
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -606,6 +606,7 @@ proxy-protocol-port{COLON}  { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) }
  iter-scrub-ns{COLON}           { YDVAR(1, VAR_ITER_SCRUB_NS) }
  iter-scrub-cname{COLON}                { YDVAR(1, VAR_ITER_SCRUB_CNAME) }
  max-global-quota{COLON}                { YDVAR(1, VAR_MAX_GLOBAL_QUOTA) }
+iter-scrub-promiscuous{COLON}  { YDVAR(1, VAR_ITER_SCRUB_PROMISCUOUS) }
  <INITIAL,val>{NEWLINE}         { LEXOUT(("NL\n")); cfg_parser->line++; }
  
         /* Quoted strings. Strip leading and ending quotes */
diff --git a/util/configparser.y b/util/configparser.y

index 82e1d8782bb5b984747c936f94a2337b0497fc8a..bef1fd38d1dd0dc901dbe383d527b3404fc41cbc 100644 (file)
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -215,6 +215,7 @@ extern struct config_parser_state* cfg_parser;
  %token VAR_LOG_DESTADDR VAR_CACHEDB_CHECK_WHEN_SERVE_EXPIRED
  %token VAR_COOKIE_SECRET_FILE VAR_ITER_SCRUB_NS VAR_ITER_SCRUB_CNAME
  %token VAR_MAX_GLOBAL_QUOTA VAR_HARDEN_UNVERIFIED_GLUE VAR_LOG_TIME_ISO
+%token VAR_ITER_SCRUB_PROMISCUOUS
  
  %%
  toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -356,7 +357,7 @@ content_server: server_num_threads | server_verbosity | server_port |
         server_harden_unknown_additional | server_disable_edns_do |
         server_log_destaddr | server_cookie_secret_file |
         server_iter_scrub_ns | server_iter_scrub_cname | server_max_global_quota |
-       server_harden_unverified_glue | server_log_time_iso
+       server_harden_unverified_glue | server_log_time_iso | server_iter_scrub_promiscuous
         ;
  stub_clause: stubstart contents_stub
         {
@@ -4240,6 +4241,16 @@ server_max_global_quota: VAR_MAX_GLOBAL_QUOTA STRING_ARG
                 free($2);
         }
         ;
+server_iter_scrub_promiscuous: VAR_ITER_SCRUB_PROMISCUOUS STRING_ARG
+       {
+               OUTYY(("P(server_iter_scrub_promiscuous:%s)\n", $2));
+               if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+                       yyerror("expected yes or no.");
+               else cfg_parser->cfg->iter_scrub_promiscuous =
+                       (strcmp($2, "yes")==0);
+               free($2);
+       }
+       ;
  ipsetstart: VAR_IPSET
         {
                 OUTYY(("\nP(ipset:)\n"));
author	Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
	Wed, 22 Oct 2025 08:54:57 +0000 (10:54 +0200)
committer	Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
	Wed, 22 Oct 2025 08:54:57 +0000 (10:54 +0200)
daemon/remote.c		patch \| blob \| blame \| history
doc/example.conf.in		patch \| blob \| blame \| history
doc/unbound-control.8.in		patch \| blob \| blame \| history
doc/unbound-control.rst		patch \| blob \| blame \| history
doc/unbound.conf.5.in		patch \| blob \| blame \| history
doc/unbound.conf.rst		patch \| blob \| blame \| history
iterator/iter_scrub.c		patch \| blob \| blame \| history
testdata/autotrust_init.rpl		patch \| blob \| blame \| history
testdata/autotrust_init_ds.rpl		patch \| blob \| blame \| history
testdata/autotrust_init_sigs.rpl		patch \| blob \| blame \| history
testdata/autotrust_init_zsk.rpl		patch \| blob \| blame \| history
testdata/black_data.rpl		patch \| blob \| blame \| history
testdata/black_prime.rpl		patch \| blob \| blame \| history
testdata/disable_edns_do.rpl		patch \| blob \| blame \| history
testdata/dns64_lookup.rpl		patch \| blob \| blame \| history
testdata/dns64_prefetch_cache.rpl		patch \| blob \| blame \| history
testdata/fetch_glue.rpl		patch \| blob \| blame \| history
testdata/fetch_glue_cname.rpl		patch \| blob \| blame \| history
testdata/fwd_cached.rpl		patch \| blob \| blame \| history
testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf		patch \| blob \| blame \| history
testdata/fwd_minimal.rpl		patch \| blob \| blame \| history
testdata/ipsecmod_bogus_ipseckey.crpl		patch \| blob \| blame \| history
testdata/ipsecmod_enabled.crpl		patch \| blob \| blame \| history
testdata/ipsecmod_ignore_bogus_ipseckey.crpl		patch \| blob \| blame \| history
testdata/ipsecmod_max_ttl.crpl		patch \| blob \| blame \| history
testdata/ipsecmod_strict.crpl		patch \| blob \| blame \| history
testdata/ipsecmod_whitelist.crpl		patch \| blob \| blame \| history
testdata/iter_class_any.rpl		patch \| blob \| blame \| history
testdata/iter_cycle_noh.rpl		patch \| blob \| blame \| history
testdata/iter_domain_sale.rpl		patch \| blob \| blame \| history
testdata/iter_domain_sale_nschange.rpl		patch \| blob \| blame \| history
testdata/iter_emptydp.rpl		patch \| blob \| blame \| history
testdata/iter_emptydp_for_glue.rpl		patch \| blob \| blame \| history
testdata/iter_fwdfirst.rpl		patch \| blob \| blame \| history
testdata/iter_fwdfirstequal.rpl		patch \| blob \| blame \| history
testdata/iter_fwdfirstequaltcp.rpl		patch \| blob \| blame \| history
testdata/iter_fwdstub.rpl		patch \| blob \| blame \| history
testdata/iter_fwdstubroot.rpl		patch \| blob \| blame \| history
testdata/iter_ghost_grandchild_delegation.rpl		patch \| blob \| blame \| history
testdata/iter_ghost_sub.rpl		patch \| blob \| blame \| history
testdata/iter_ghost_timewindow.rpl		patch \| blob \| blame \| history
testdata/iter_got6only.rpl		patch \| blob \| blame \| history
testdata/iter_hint_lame.rpl		patch \| blob \| blame \| history
testdata/iter_lame_noaa.rpl		patch \| blob \| blame \| history
testdata/iter_lame_nosoa.rpl		patch \| blob \| blame \| history
testdata/iter_mod.rpl		patch \| blob \| blame \| history
testdata/iter_ns_badip.rpl		patch \| blob \| blame \| history
testdata/iter_ns_spoof.rpl		patch \| blob \| blame \| history
testdata/iter_nxns_fallback.rpl		patch \| blob \| blame \| history
testdata/iter_pc_a.rpl		patch \| blob \| blame \| history
testdata/iter_pc_aaaa.rpl		patch \| blob \| blame \| history
testdata/iter_pcdiff.rpl		patch \| blob \| blame \| history
testdata/iter_pcdirect.rpl		patch \| blob \| blame \| history
testdata/iter_pcname.rpl		patch \| blob \| blame \| history
testdata/iter_pcnamech.rpl		patch \| blob \| blame \| history
testdata/iter_pcnamechrec.rpl		patch \| blob \| blame \| history
testdata/iter_pcnamerec.rpl		patch \| blob \| blame \| history
testdata/iter_pcttl.rpl		patch \| blob \| blame \| history
testdata/iter_prefetch.rpl		patch \| blob \| blame \| history
testdata/iter_prefetch_change.rpl		patch \| blob \| blame \| history
testdata/iter_prefetch_change2.rpl		patch \| blob \| blame \| history
testdata/iter_prefetch_childns.rpl		patch \| blob \| blame \| history
testdata/iter_prefetch_fail.rpl		patch \| blob \| blame \| history
testdata/iter_prefetch_ns.rpl		patch \| blob \| blame \| history
testdata/iter_primenoglue.rpl		patch \| blob \| blame \| history
testdata/iter_privaddr.rpl		patch \| blob \| blame \| history
testdata/iter_ranoaa_lame.rpl		patch \| blob \| blame \| history
testdata/iter_reclame_one.rpl		patch \| blob \| blame \| history
testdata/iter_reclame_two.rpl		patch \| blob \| blame \| history
testdata/iter_recurse.rpl		patch \| blob \| blame \| history
testdata/iter_resolve.rpl		patch \| blob \| blame \| history
testdata/iter_resolve_minimised.rpl		patch \| blob \| blame \| history
testdata/iter_resolve_minimised_nx.rpl		patch \| blob \| blame \| history
testdata/iter_resolve_minimised_refused.rpl		patch \| blob \| blame \| history
testdata/iter_resolve_minimised_timeout.rpl		patch \| blob \| blame \| history
testdata/iter_scrub_cname_an.rpl		patch \| blob \| blame \| history
testdata/iter_scrub_dname_insec.rpl		patch \| blob \| blame \| history
testdata/iter_scrub_dname_rev.rpl		patch \| blob \| blame \| history
testdata/iter_scrub_dname_sec.rpl		patch \| blob \| blame \| history
testdata/iter_scrub_promiscuous.rpl	[new file with mode: 0644]	patch \| blob
testdata/iter_scrub_rr_length.rpl		patch \| blob \| blame \| history
testdata/iter_soamin.rpl		patch \| blob \| blame \| history
testdata/iter_stub_noroot.rpl		patch \| blob \| blame \| history
testdata/iter_stubfirst.rpl		patch \| blob \| blame \| history
testdata/iter_timeout_ra_aaaa.rpl		patch \| blob \| blame \| history
testdata/iter_unverified_glue.rpl		patch \| blob \| blame \| history
testdata/rrset_rettl.rpl		patch \| blob \| blame \| history
testdata/rrset_untrusted.rpl		patch \| blob \| blame \| history
testdata/rrset_updated.rpl		patch \| blob \| blame \| history
testdata/rrset_use_cached.rpl		patch \| blob \| blame \| history
testdata/serve_expired.rpl		patch \| blob \| blame \| history
testdata/serve_expired_0ttl_nodata.rpl		patch \| blob \| blame \| history
testdata/serve_expired_0ttl_nxdomain.rpl		patch \| blob \| blame \| history
testdata/serve_expired_0ttl_servfail.rpl		patch \| blob \| blame \| history
testdata/serve_expired_cached_servfail.rpl		patch \| blob \| blame \| history
testdata/serve_expired_client_timeout.rpl		patch \| blob \| blame \| history
testdata/serve_expired_client_timeout_no_prefetch.rpl		patch \| blob \| blame \| history
testdata/serve_expired_client_timeout_servfail.rpl		patch \| blob \| blame \| history
testdata/serve_expired_client_timeout_val_insecure_delegation.rpl		patch \| blob \| blame \| history
testdata/serve_expired_reply_ttl.rpl		patch \| blob \| blame \| history
testdata/serve_expired_ttl.rpl		patch \| blob \| blame \| history
testdata/serve_expired_ttl_client_timeout.rpl		patch \| blob \| blame \| history
testdata/serve_expired_zerottl.rpl		patch \| blob \| blame \| history
testdata/serve_original_ttl.rpl		patch \| blob \| blame \| history
testdata/subnet_cached.crpl		patch \| blob \| blame \| history
testdata/subnet_cached_servfail.crpl		patch \| blob \| blame \| history
testdata/subnet_cached_size.crpl		patch \| blob \| blame \| history
testdata/subnet_global_prefetch.crpl		patch \| blob \| blame \| history
testdata/subnet_global_prefetch_always_forward.crpl		patch \| blob \| blame \| history
testdata/subnet_global_prefetch_expired.crpl		patch \| blob \| blame \| history
testdata/subnet_global_prefetch_with_client_ecs.crpl		patch \| blob \| blame \| history
testdata/subnet_max_source.crpl		patch \| blob \| blame \| history
testdata/subnet_prefetch.crpl		patch \| blob \| blame \| history
testdata/subnet_val_positive.crpl		patch \| blob \| blame \| history
testdata/subnet_val_positive_client.crpl		patch \| blob \| blame \| history
testdata/trust_cname_chain.rpl		patch \| blob \| blame \| history
testdata/ttl_max.rpl		patch \| blob \| blame \| history
testdata/ttl_min.rpl		patch \| blob \| blame \| history
testdata/val_adbit.rpl		patch \| blob \| blame \| history
testdata/val_adcopy.rpl		patch \| blob \| blame \| history
testdata/val_cnametocnamewctoposwc.rpl		patch \| blob \| blame \| history
testdata/val_ds_afterprime.rpl		patch \| blob \| blame \| history
testdata/val_faildnskey_ok.rpl		patch \| blob \| blame \| history
testdata/val_keyprefetch_verify.rpl		patch \| blob \| blame \| history
testdata/val_noadwhennodo.rpl		patch \| blob \| blame \| history
testdata/val_nsec3_b3_optout.rpl		patch \| blob \| blame \| history
testdata/val_nsec3_b3_optout_negcache.rpl		patch \| blob \| blame \| history
testdata/val_nsec3_b4_wild.rpl		patch \| blob \| blame \| history
testdata/val_nsec3_cnametocnamewctoposwc.rpl		patch \| blob \| blame \| history
testdata/val_positive.rpl		patch \| blob \| blame \| history
testdata/val_positive_wc.rpl		patch \| blob \| blame \| history
testdata/val_qds_badanc.rpl		patch \| blob \| blame \| history
testdata/val_qds_oneanc.rpl		patch \| blob \| blame \| history
testdata/val_qds_twoanc.rpl		patch \| blob \| blame \| history
testdata/val_refer_unsignadd.rpl		patch \| blob \| blame \| history
testdata/val_referd.rpl		patch \| blob \| blame \| history
testdata/val_referglue.rpl		patch \| blob \| blame \| history
testdata/val_rrsig.rpl		patch \| blob \| blame \| history
testdata/val_spurious_ns.rpl		patch \| blob \| blame \| history
testdata/val_stub_noroot.rpl		patch \| blob \| blame \| history
testdata/val_ta_algo_dnskey.rpl		patch \| blob \| blame \| history
testdata/val_ta_algo_dnskey_dp.rpl		patch \| blob \| blame \| history
testdata/val_ta_algo_missing_dp.rpl		patch \| blob \| blame \| history
testdata/val_twocname.rpl		patch \| blob \| blame \| history
testdata/val_unalgo_anchor.rpl		patch \| blob \| blame \| history
testdata/val_wild_pos.rpl		patch \| blob \| blame \| history
testdata/views.rpl		patch \| blob \| blame \| history
util/config_file.c		patch \| blob \| blame \| history
util/config_file.h		patch \| blob \| blame \| history
util/configlexer.lex		patch \| blob \| blame \| history
util/configparser.y		patch \| blob \| blame \| history