From: Yorgos Thessalonikefs Date: Wed, 22 Oct 2025 08:54:57 +0000 (+0200) Subject: - Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, X-Git-Tag: release-1.24.1^0 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a33f0638e1dacf2633cf2292078a674576bca852;p=thirdparty%2Funbound.git - Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University. --- diff --git a/daemon/remote.c b/daemon/remote.c index e10dadde7..d8ee7fa7d 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -6176,6 +6176,7 @@ fr_atomic_copy_cfg(struct config_file* oldcfg, struct config_file* cfg, COPY_VAR_ptr(ipset_name_v6); #endif COPY_VAR_int(ede); + COPY_VAR_int(iter_scrub_promiscuous); } #endif /* ATOMIC_POINTER_LOCK_FREE && HAVE_LINK_ATOMIC_STORE */ diff --git a/doc/example.conf.in b/doc/example.conf.in index b33e65bfe..d151f8468 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -196,6 +196,10 @@ server: # Limit on upstream queries for an incoming query and its recursion. # max-global-quota: 200 + # Should the scrubber remove promiscuous NS from positive answers, + # protects against poison attempts. + # iter-scrub-promiscuous: yes + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in index c05831e41..782a98e50 100644 --- a/doc/unbound-control.8.in +++ b/doc/unbound-control.8.in @@ -167,6 +167,7 @@ ipset, \fI\%tcp\-reuse\-timeout\fP, \fI\%tcp\-auth\-query\-timeout\fP, \fI\%delay\-close\fP\&. +\fI\%iter\-scrub\-promiscuous\fP\&. .sp It does not work with \fI\%interface\fP and diff --git a/doc/unbound-control.rst b/doc/unbound-control.rst index bc548f51d..71ff6ee37 100644 --- a/doc/unbound-control.rst +++ b/doc/unbound-control.rst 
@@ -169,6 +169,7 @@ There are several commands that the server understands. :ref:`tcp-reuse-timeout`, :ref:`tcp-auth-query-timeout`, :ref:`delay-close`. + :ref:`iter-scrub-promiscuous`. It does not work with :ref:`interface` and diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 172eb26c5..3df4daeb0 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -3656,6 +3656,15 @@ Default: 200 .UNINDENT .INDENT 0.0 .TP +.B iter\-scrub\-promiscuous: \fI\fP +Should the iterator scrubber remove promiscuous NS from positive answers. +This protects against poisonous contents, that could affect names in the +same zone as a spoofed packet. +.sp +Default: yes +.UNINDENT +.INDENT 0.0 +.TP .B fast\-server\-permil: \fI\fP Specify how many times out of 1000 to pick from the set of fastest servers. 0 turns the feature off. diff --git a/doc/unbound.conf.rst b/doc/unbound.conf.rst index ad8404e11..d83816c6f 100644 --- a/doc/unbound.conf.rst +++ b/doc/unbound.conf.rst @@ -3156,6 +3156,14 @@ These options are part of the **server:** clause. Default: 200 +@@UAHL@unbound.conf@iter-scrub-promiscuous@@: ** + Should the iterator scrubber remove promiscuous NS from positive answers. + This protects against poisonous contents, that could affect names in the + same zone as a spoofed packet. + + Default: yes + + @@UAHL@unbound.conf@fast-server-permil@@: ** Specify how many times out of 1000 to pick from the set of fastest servers. 0 turns the feature off. diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c index 49a5f5da1..553d3655f 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c 
@@ -634,6 +634,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, "RRset:", pkt, msg, prev, &rrset); continue; } + /* If the NS set is a promiscuous NS set, scrub that + * to remove potential for poisonous contents that + * affects other names in the same zone. Remove + * promiscuous NS sets in positive answers, that + * thus have records in the answer section. Nodata + * and nxdomain promiscuous NS sets have been removed + * already. Since the NS rrset is scrubbed, its + * address records are also not marked to be allowed + * and are removed later. */ + if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR && + msg->an_rrsets != 0 && + env->cfg->iter_scrub_promiscuous) { + remove_rrset("normalize: removing promiscuous " + "RRset:", pkt, msg, prev, &rrset); + continue; + } if(nsset == NULL) { nsset = rrset; } else { diff --git a/testdata/autotrust_init.rpl b/testdata/autotrust_init.rpl index d722273e0..d69e70b4b 100644 --- a/testdata/autotrust_init.rpl +++ b/testdata/autotrust_init.rpl @@ -5,6 +5,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff --git a/testdata/autotrust_init_ds.rpl b/testdata/autotrust_init_ds.rpl index ad4019ebe..9ffb4d4ba 100644 --- a/testdata/autotrust_init_ds.rpl +++ b/testdata/autotrust_init_ds.rpl @@ -5,6 +5,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff --git a/testdata/autotrust_init_sigs.rpl b/testdata/autotrust_init_sigs.rpl index d5d52f473..a7cb7963b 100644 --- a/testdata/autotrust_init_sigs.rpl +++ b/testdata/autotrust_init_sigs.rpl @@ -5,6 +5,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 
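Review bot: The guard added to scrub_normalize drops the authority NS set only when the rcode is NOERROR and `msg->an_rrsets != 0`, so an NS set in a reply with any other rcode still falls through to `nsset = rrset`. The comment says the nodata and nxdomain sets "have been removed already", but that earlier check and the enclosing NS-type branch are outside this hunk, so it cannot be confirmed from here that every answer-less NOERROR reply that is not a referral is covered. I would state the scope in the comment, e.g. `/* Only NOERROR replies with answer records are handled here; other rcodes keep their authority NS set. */`, and add a testdata scenario with a non-NOERROR reply carrying an authority NS set to pin the intended behaviour. The comment also never defines "promiscuous"; one sentence saying it presumably means an NS rrset in the authority section of a reply that is not a referral would help operators who see the `normalize: removing promiscuous RRset:` log line.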
diff --git a/testdata/autotrust_init_zsk.rpl b/testdata/autotrust_init_zsk.rpl index 56a5bc0b3..2d28d4340 100644 --- a/testdata/autotrust_init_zsk.rpl +++ b/testdata/autotrust_init_zsk.rpl @@ -5,6 +5,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff --git a/testdata/black_data.rpl b/testdata/black_data.rpl index e6ef1b79d..e928d630d 100644 --- a/testdata/black_data.rpl +++ b/testdata/black_data.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/black_prime.rpl b/testdata/black_prime.rpl index fbe92a721..0301c85b6 100644 --- a/testdata/black_prime.rpl +++ b/testdata/black_prime.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/disable_edns_do.rpl b/testdata/disable_edns_do.rpl index 82a16da06..45b4ffca8 100644 --- a/testdata/disable_edns_do.rpl +++ b/testdata/disable_edns_do.rpl @@ -5,6 +5,7 @@ server: qname-minimisation: "no" trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no disable-edns-do: yes stub-zone: diff --git a/testdata/dns64_lookup.rpl b/testdata/dns64_lookup.rpl index 327f7dfed..cec801232 100644 --- a/testdata/dns64_lookup.rpl +++ b/testdata/dns64_lookup.rpl @@ -7,6 +7,7 @@ server: dns64-ignore-aaaa: ip6ignore.example.com dns64-ignore-aaaa: ip6only.example.com minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/dns64_prefetch_cache.rpl b/testdata/dns64_prefetch_cache.rpl index a23b92f08..b28839c9a 100644 --- a/testdata/dns64_prefetch_cache.rpl +++ b/testdata/dns64_prefetch_cache.rpl 
@@ -5,6 +5,7 @@ server: module-config: "dns64 iterator" dns64-prefix: 64:ff9b::0/96 minimal-responses: no + iter-scrub-promiscuous: no prefetch: yes stub-zone: diff --git a/testdata/fetch_glue.rpl b/testdata/fetch_glue.rpl index 8860d85b0..daf687ad4 100644 --- a/testdata/fetch_glue.rpl +++ b/testdata/fetch_glue.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/fetch_glue_cname.rpl b/testdata/fetch_glue_cname.rpl index 64f00fb20..c786a417c 100644 --- a/testdata/fetch_glue_cname.rpl +++ b/testdata/fetch_glue_cname.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/fwd_cached.rpl b/testdata/fwd_cached.rpl index 2d6b0c2b8..4a00f8715 100644 --- a/testdata/fwd_cached.rpl +++ b/testdata/fwd_cached.rpl @@ -2,6 +2,7 @@ ; config options go here. server: minimal-responses: no + iter-scrub-promiscuous: no forward-zone: name: "." forward-addr: 216.0.0.1 CONFIG_END diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf index 5b2c8045a..7bc7408cd 100644 --- a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf +++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf @@ -10,6 +10,7 @@ server: username: "" do-not-query-localhost: no minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no forward-zone: name: "." diff --git a/testdata/fwd_minimal.rpl b/testdata/fwd_minimal.rpl index e85d7124b..ef1d7fc41 100644 --- a/testdata/fwd_minimal.rpl +++ b/testdata/fwd_minimal.rpl @@ -5,6 +5,7 @@ server: ; is fine for that, not removed by minimal-responses. access-control: 127.0.0.1 allow_snoop minimal-responses: yes + iter-scrub-promiscuous: no forward-zone: name: "." forward-addr: 216.0.0.1 CONFIG_END 
diff --git a/testdata/ipsecmod_bogus_ipseckey.crpl b/testdata/ipsecmod_bogus_ipseckey.crpl index 094710b60..98bc454f2 100644 --- a/testdata/ipsecmod_bogus_ipseckey.crpl +++ b/testdata/ipsecmod_bogus_ipseckey.crpl @@ -9,6 +9,7 @@ server: qname-minimisation: "no" # test that default value of harden-dnssec-stripped is still yes. fake-sha1: yes + iter-scrub-promiscuous: no trust-anchor-signaling: no access-control: 127.0.0.1 allow_snoop module-config: "ipsecmod validator iterator" diff --git a/testdata/ipsecmod_enabled.crpl b/testdata/ipsecmod_enabled.crpl index 449842961..04e8cb1a1 100644 --- a/testdata/ipsecmod_enabled.crpl +++ b/testdata/ipsecmod_enabled.crpl @@ -11,6 +11,7 @@ server: ipsecmod-enabled: no qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl index a605c3445..4c4d80c10 100644 --- a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl +++ b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl @@ -18,6 +18,7 @@ server: ipsecmod-ignore-bogus: yes qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/ipsecmod_max_ttl.crpl b/testdata/ipsecmod_max_ttl.crpl index 592bae046..4dfeddfd9 100644 --- a/testdata/ipsecmod_max_ttl.crpl +++ b/testdata/ipsecmod_max_ttl.crpl @@ -10,6 +10,7 @@ server: ipsecmod-max-ttl: 200 qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/ipsecmod_strict.crpl b/testdata/ipsecmod_strict.crpl index f74e308bd..51cc11b53 100644 --- a/testdata/ipsecmod_strict.crpl +++ b/testdata/ipsecmod_strict.crpl @@ -10,6 +10,7 @@ server: ipsecmod-max-ttl: 200 qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/ipsecmod_whitelist.crpl b/testdata/ipsecmod_whitelist.crpl index 34108f3b1..350c2ad48 100644 
--- a/testdata/ipsecmod_whitelist.crpl +++ b/testdata/ipsecmod_whitelist.crpl @@ -11,6 +11,7 @@ server: ipsecmod-whitelist: white.example.com qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_class_any.rpl b/testdata/iter_class_any.rpl index 6fb296e99..87e0db032 100644 --- a/testdata/iter_class_any.rpl +++ b/testdata/iter_class_any.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_cycle_noh.rpl b/testdata/iter_cycle_noh.rpl index eee26ca70..e551ac6e8 100644 --- a/testdata/iter_cycle_noh.rpl +++ b/testdata/iter_cycle_noh.rpl @@ -4,6 +4,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl index 6110148a3..7c3cc1f2f 100644 --- a/testdata/iter_domain_sale.rpl +++ b/testdata/iter_domain_sale.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl index 5664855d5..886ed51a3 100644 --- a/testdata/iter_domain_sale_nschange.rpl +++ b/testdata/iter_domain_sale_nschange.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_emptydp.rpl b/testdata/iter_emptydp.rpl index ecb49b6cd..3879a9b43 100644 --- a/testdata/iter_emptydp.rpl +++ b/testdata/iter_emptydp.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_emptydp_for_glue.rpl b/testdata/iter_emptydp_for_glue.rpl index 94dec2bc5..fc7933fbc 100644 --- a/testdata/iter_emptydp_for_glue.rpl 
+++ b/testdata/iter_emptydp_for_glue.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_fwdfirst.rpl b/testdata/iter_fwdfirst.rpl index 0f8a85f5a..509a1cdad 100644 --- a/testdata/iter_fwdfirst.rpl +++ b/testdata/iter_fwdfirst.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_fwdfirstequal.rpl b/testdata/iter_fwdfirstequal.rpl index dc648143c..abd25d149 100644 --- a/testdata/iter_fwdfirstequal.rpl +++ b/testdata/iter_fwdfirstequal.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_fwdfirstequaltcp.rpl b/testdata/iter_fwdfirstequaltcp.rpl index 72dd441f5..8c2040fce 100644 --- a/testdata/iter_fwdfirstequaltcp.rpl +++ b/testdata/iter_fwdfirstequaltcp.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no tcp-upstream: no #tls-upstream:no # same case but not testable in rpl. diff --git a/testdata/iter_fwdstub.rpl b/testdata/iter_fwdstub.rpl index ad5b57cb7..4c741a50f 100644 --- a/testdata/iter_fwdstub.rpl +++ b/testdata/iter_fwdstub.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_fwdstubroot.rpl b/testdata/iter_fwdstubroot.rpl index fa930430d..dd93ecdef 100644 --- a/testdata/iter_fwdstubroot.rpl +++ b/testdata/iter_fwdstubroot.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_ghost_grandchild_delegation.rpl b/testdata/iter_ghost_grandchild_delegation.rpl index d1e521b57..af6a570eb 100644 --- a/testdata/iter_ghost_grandchild_delegation.rpl 
+++ b/testdata/iter_ghost_grandchild_delegation.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_ghost_sub.rpl b/testdata/iter_ghost_sub.rpl index ccb736755..36767bb34 100644 --- a/testdata/iter_ghost_sub.rpl +++ b/testdata/iter_ghost_sub.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_ghost_timewindow.rpl b/testdata/iter_ghost_timewindow.rpl index 9e304628c..24390a09c 100644 --- a/testdata/iter_ghost_timewindow.rpl +++ b/testdata/iter_ghost_timewindow.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no discard-timeout: 86400 stub-zone: diff --git a/testdata/iter_got6only.rpl b/testdata/iter_got6only.rpl index 155228439..b0d20b3f4 100644 --- a/testdata/iter_got6only.rpl +++ b/testdata/iter_got6only.rpl @@ -4,6 +4,7 @@ server: target-fetch-policy: "0 0 0 0 0 " qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl index 2fb6dde72..26aa5dc73 100644 --- a/testdata/iter_hint_lame.rpl +++ b/testdata/iter_hint_lame.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_lame_noaa.rpl b/testdata/iter_lame_noaa.rpl index defaa5ca8..050866c65 100644 --- a/testdata/iter_lame_noaa.rpl +++ b/testdata/iter_lame_noaa.rpl @@ -4,6 +4,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: 
diff --git a/testdata/iter_lame_nosoa.rpl b/testdata/iter_lame_nosoa.rpl index 3bf6ccc18..d55ff78d6 100644 --- a/testdata/iter_lame_nosoa.rpl +++ b/testdata/iter_lame_nosoa.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/iter_mod.rpl b/testdata/iter_mod.rpl index 35b3a5af6..3d3d6789d 100644 --- a/testdata/iter_mod.rpl +++ b/testdata/iter_mod.rpl @@ -4,6 +4,7 @@ server: qname-minimisation: "no" module-config: "iterator" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_ns_badip.rpl b/testdata/iter_ns_badip.rpl index e0bf96674..481f47a0a 100644 --- a/testdata/iter_ns_badip.rpl +++ b/testdata/iter_ns_badip.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "3 2 1 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/iter_ns_spoof.rpl b/testdata/iter_ns_spoof.rpl index f67457635..999ff05ff 100644 --- a/testdata/iter_ns_spoof.rpl +++ b/testdata/iter_ns_spoof.rpl @@ -4,6 +4,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff --git a/testdata/iter_nxns_fallback.rpl b/testdata/iter_nxns_fallback.rpl index a9436529a..b4e234130 100644 --- a/testdata/iter_nxns_fallback.rpl +++ b/testdata/iter_nxns_fallback.rpl @@ -8,6 +8,7 @@ server: access-control: 127.0.0.1 allow_snoop qname-minimisation: no minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/iter_pc_a.rpl b/testdata/iter_pc_a.rpl index d9add0056..be73a796a 100644 --- a/testdata/iter_pc_a.rpl +++ b/testdata/iter_pc_a.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." 
diff --git a/testdata/iter_pc_aaaa.rpl b/testdata/iter_pc_aaaa.rpl index a28354306..a7ce1866f 100644 --- a/testdata/iter_pc_aaaa.rpl +++ b/testdata/iter_pc_aaaa.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_pcdiff.rpl b/testdata/iter_pcdiff.rpl index 57fb109af..a462d333e 100644 --- a/testdata/iter_pcdiff.rpl +++ b/testdata/iter_pcdiff.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_pcdirect.rpl b/testdata/iter_pcdirect.rpl index 0bd5dfe78..656ec7af4 100644 --- a/testdata/iter_pcdirect.rpl +++ b/testdata/iter_pcdirect.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_pcname.rpl b/testdata/iter_pcname.rpl index e17c9102c..af53c901b 100644 --- a/testdata/iter_pcname.rpl +++ b/testdata/iter_pcname.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_pcnamech.rpl b/testdata/iter_pcnamech.rpl index 32b3130c8..805cb18f7 100644 --- a/testdata/iter_pcnamech.rpl +++ b/testdata/iter_pcnamech.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/iter_pcnamechrec.rpl b/testdata/iter_pcnamechrec.rpl index 8bf7ad879..bbb9c863d 100644 --- a/testdata/iter_pcnamechrec.rpl +++ b/testdata/iter_pcnamechrec.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/iter_pcnamerec.rpl b/testdata/iter_pcnamerec.rpl index faee6d029..2ea0dada3 100644 --- a/testdata/iter_pcnamerec.rpl +++ b/testdata/iter_pcnamerec.rpl 
@@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_pcttl.rpl b/testdata/iter_pcttl.rpl index 413f8cb88..a70201710 100644 --- a/testdata/iter_pcttl.rpl +++ b/testdata/iter_pcttl.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" do-ip6: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_prefetch.rpl b/testdata/iter_prefetch.rpl index bad92dc57..fdf595564 100644 --- a/testdata/iter_prefetch.rpl +++ b/testdata/iter_prefetch.rpl @@ -4,6 +4,7 @@ server: qname-minimisation: "no" prefetch: "yes" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_prefetch_change.rpl b/testdata/iter_prefetch_change.rpl index 1be9e6abe..c1a1a710f 100644 --- a/testdata/iter_prefetch_change.rpl +++ b/testdata/iter_prefetch_change.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" prefetch: "yes" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_prefetch_change2.rpl b/testdata/iter_prefetch_change2.rpl index 7a8370ff6..4a966fea0 100644 --- a/testdata/iter_prefetch_change2.rpl +++ b/testdata/iter_prefetch_change2.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" prefetch: "yes" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_prefetch_childns.rpl b/testdata/iter_prefetch_childns.rpl index 00a91fcde..f234065e7 100644 --- a/testdata/iter_prefetch_childns.rpl +++ b/testdata/iter_prefetch_childns.rpl @@ -4,6 +4,7 @@ server: qname-minimisation: "no" prefetch: "yes" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_prefetch_fail.rpl b/testdata/iter_prefetch_fail.rpl index 1d92a4c1c..d1e308305 100644 --- a/testdata/iter_prefetch_fail.rpl +++ b/testdata/iter_prefetch_fail.rpl 
@@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" prefetch: "yes" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_prefetch_ns.rpl b/testdata/iter_prefetch_ns.rpl index 93af21638..3192d31c0 100644 --- a/testdata/iter_prefetch_ns.rpl +++ b/testdata/iter_prefetch_ns.rpl @@ -4,6 +4,7 @@ server: qname-minimisation: "no" prefetch: "yes" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_primenoglue.rpl b/testdata/iter_primenoglue.rpl index b9808dd2c..f8c980350 100644 --- a/testdata/iter_primenoglue.rpl +++ b/testdata/iter_primenoglue.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_privaddr.rpl b/testdata/iter_privaddr.rpl index 0c87b4b9a..b7a6fde29 100644 --- a/testdata/iter_privaddr.rpl +++ b/testdata/iter_privaddr.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 diff --git a/testdata/iter_ranoaa_lame.rpl b/testdata/iter_ranoaa_lame.rpl index 8ee82415a..313192f10 100644 --- a/testdata/iter_ranoaa_lame.rpl +++ b/testdata/iter_ranoaa_lame.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/iter_reclame_one.rpl b/testdata/iter_reclame_one.rpl index 4a6abfae5..d273e6056 100644 --- a/testdata/iter_reclame_one.rpl +++ b/testdata/iter_reclame_one.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/iter_reclame_two.rpl b/testdata/iter_reclame_two.rpl index 76c310b28..e2b2bc126 100644 --- a/testdata/iter_reclame_two.rpl +++ b/testdata/iter_reclame_two.rpl 
@@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/iter_recurse.rpl b/testdata/iter_recurse.rpl index be50b4af8..135287678 100644 --- a/testdata/iter_recurse.rpl +++ b/testdata/iter_recurse.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_resolve.rpl b/testdata/iter_resolve.rpl index ed051ff24..3ea56abe9 100644 --- a/testdata/iter_resolve.rpl +++ b/testdata/iter_resolve.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_resolve_minimised.rpl b/testdata/iter_resolve_minimised.rpl index 2c6f9ccf5..13f04d481 100644 --- a/testdata/iter_resolve_minimised.rpl +++ b/testdata/iter_resolve_minimised.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_resolve_minimised_nx.rpl b/testdata/iter_resolve_minimised_nx.rpl index 74e612ccb..c68f20ca8 100644 --- a/testdata/iter_resolve_minimised_nx.rpl +++ b/testdata/iter_resolve_minimised_nx.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: yes minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_resolve_minimised_refused.rpl b/testdata/iter_resolve_minimised_refused.rpl index 66e8e631e..8dc76e258 100644 --- a/testdata/iter_resolve_minimised_refused.rpl +++ b/testdata/iter_resolve_minimised_refused.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: yes minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." 
diff --git a/testdata/iter_resolve_minimised_timeout.rpl b/testdata/iter_resolve_minimised_timeout.rpl index 86b932160..3740d79f4 100644 --- a/testdata/iter_resolve_minimised_timeout.rpl +++ b/testdata/iter_resolve_minimised_timeout.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: yes minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_scrub_cname_an.rpl b/testdata/iter_scrub_cname_an.rpl index 9c5060af7..f81916b0c 100644 --- a/testdata/iter_scrub_cname_an.rpl +++ b/testdata/iter_scrub_cname_an.rpl @@ -4,6 +4,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_scrub_dname_insec.rpl b/testdata/iter_scrub_dname_insec.rpl index 826d89e29..82ff1d3da 100644 --- a/testdata/iter_scrub_dname_insec.rpl +++ b/testdata/iter_scrub_dname_insec.rpl @@ -4,6 +4,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_scrub_dname_rev.rpl b/testdata/iter_scrub_dname_rev.rpl index 9caca66c0..dfb21b8b6 100644 --- a/testdata/iter_scrub_dname_rev.rpl +++ b/testdata/iter_scrub_dname_rev.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_scrub_dname_sec.rpl b/testdata/iter_scrub_dname_sec.rpl index 34a7b324d..943b19ff5 100644 --- a/testdata/iter_scrub_dname_sec.rpl +++ b/testdata/iter_scrub_dname_sec.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_scrub_promiscuous.rpl b/testdata/iter_scrub_promiscuous.rpl new file mode 100644 index 000000000..61fca0d28 --- /dev/null +++ b/testdata/iter_scrub_promiscuous.rpl 
@@ -0,0 +1,373 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + iter-scrub-promiscuous: yes + +stub-zone: + name: "." + stub-addr: 1.2.3.0 # ns.root +CONFIG_END + +SCENARIO_BEGIN Test iterator with scrub of promiscuous records +; The test queries receive spoofed answers. The check queries see if +; the record is returned by the original server or by a spoofed source. +; The test domains are pollute1.mesa, pollute2.mesa and pollute3.mesa. +; The spoofed contents are ns.attacker.mesa and its IPs 5.6.7.8 and 5.6.7.9. +; The pollute1.mesa NS, ns.pollute2.mesa A, and test3.atkr.pollute3.mesa NS +; with ns.pollute3.mesa A records are tested for cache placement. + +; ns.root +RANGE_BEGIN 0 400 + ADDRESS 1.2.3.0 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS NS.ROOT. +SECTION ADDITIONAL +NS.ROOT. IN A 1.2.3.0 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +mesa. IN NS +SECTION AUTHORITY +mesa. IN NS ns.mesa. +SECTION ADDITIONAL +ns.mesa. IN A 1.2.7.7 +ENTRY_END +RANGE_END + +; ns.mesa +RANGE_BEGIN 0 400 + ADDRESS 1.2.7.7 +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +pollute1.mesa. IN NS +SECTION AUTHORITY +pollute1.mesa. IN NS ns.pollute1.mesa. +SECTION ADDITIONAL +ns.pollute1.mesa. IN A 1.2.4.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +pollute2.mesa. IN NS +SECTION AUTHORITY +pollute2.mesa. IN NS ns.pollute2.mesa. +SECTION ADDITIONAL +ns.pollute2.mesa. IN A 1.2.4.2 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +pollute3.mesa. IN NS +SECTION AUTHORITY +pollute3.mesa. IN NS ns.pollute3.mesa. +SECTION ADDITIONAL +ns.pollute3.mesa. 
IN A 1.2.4.3 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +attacker.mesa. IN NS +SECTION AUTHORITY +attacker.mesa. IN NS ns.attacker.mesa. +SECTION ADDITIONAL +ns.attacker.mesa. IN A 5.6.7.8 +ENTRY_END +RANGE_END + +; ns.pollute1.mesa +RANGE_BEGIN 0 400 + ADDRESS 1.2.4.1 + +; This is the spoofed answer that is returned. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +test1.atkr.pollute1.mesa. IN A +SECTION ANSWER +test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4 +SECTION AUTHORITY +pollute1.mesa. 86400 IN NS ns.attacker.mesa. +ENTRY_END + +; correct answer for the check query. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +check.pollute1.mesa. IN A +SECTION ANSWER +check.pollute1.mesa. IN A 1.8.9.1 +ENTRY_END +RANGE_END + +; ns.pollute2.mesa +RANGE_BEGIN 0 400 + ADDRESS 1.2.4.2 + +; This is the spoofed answer that is returned. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +test2.atkr.pollute2.mesa. IN A +SECTION ANSWER +test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4 +SECTION AUTHORITY +pollute2.mesa. 86400 IN NS ns.pollute2.mesa. +SECTION ADDITIONAL +ns.pollute2.mesa. 86400 IN A 5.6.7.8 +ENTRY_END + +; correct answer for the check query. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +check.pollute2.mesa. IN A +SECTION ANSWER +check.pollute2.mesa. IN A 1.8.9.2 +ENTRY_END +RANGE_END + +; ns.pollute3.mesa +RANGE_BEGIN 0 400 + ADDRESS 1.2.4.3 + +; This is the spoofed answer that is returned. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +test3.atkr.pollute3.mesa. IN A +SECTION ANSWER +test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4 +SECTION AUTHORITY +test3.atkr.pollute3.mesa. 86400 IN NS ns.pollute3.mesa. +SECTION ADDITIONAL +ns.pollute3.mesa. 
86400 IN A 5.6.7.8 +ENTRY_END + +; correct answer for the check query. +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +check.pollute3.mesa. IN A +SECTION ANSWER +check.pollute3.mesa. IN A 1.8.9.3 +ENTRY_END +RANGE_END + +; ns.attacker.mesa +RANGE_BEGIN 0 400 + ADDRESS 5.6.7.8 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.attacker.mesa. IN A +SECTION ANSWER +ns.attacker.mesa. 86400 IN A 5.6.7.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.attacker.mesa. IN AAAA +SECTION AUTHORITY +attacker.mesa. 3600 IN SOA ns.attacker.mesa. root.attacker.mesa. 4 7200 3600 604800 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.attacker.mesa. IN A +SECTION ANSWER +ns.attacker.mesa. 86400 IN A 5.6.7.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +check.pollute1.mesa. IN A +SECTION ANSWER +check.pollute1.mesa. 86400 IN A 5.6.7.9 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +check.pollute2.mesa. IN A +SECTION ANSWER +check.pollute2.mesa. 86400 IN A 5.6.7.9 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +check.pollute3.mesa. IN A +SECTION ANSWER +check.pollute3.mesa. 86400 IN A 5.6.7.9 +ENTRY_END +RANGE_END + +; Test query 1 +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +test1.atkr.pollute1.mesa. IN A +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +test1.atkr.pollute1.mesa. IN A +SECTION ANSWER +test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4 +ENTRY_END + +; Test query 2 +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +test2.atkr.pollute2.mesa. 
IN A +ENTRY_END + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +test2.atkr.pollute2.mesa. IN A +SECTION ANSWER +test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4 +ENTRY_END + +; Test query 3 +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +test3.atkr.pollute3.mesa. IN A +ENTRY_END + +STEP 50 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +test3.atkr.pollute3.mesa. IN A +SECTION ANSWER +test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4 +ENTRY_END + +; Check the cache contents, for query 1. +STEP 60 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +check.pollute1.mesa. IN A +ENTRY_END + +STEP 70 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +check.pollute1.mesa. IN A +SECTION ANSWER +; good answer +check.pollute1.mesa. IN A 1.8.9.1 +; bad answer +;check.pollute1.mesa. IN A 5.6.7.9 +ENTRY_END + +; Check the cache contents, for query 2. +STEP 80 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +check.pollute2.mesa. IN A +ENTRY_END + +STEP 90 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +check.pollute2.mesa. IN A +SECTION ANSWER +; good answer +check.pollute2.mesa. IN A 1.8.9.2 +; bad answer +;check.pollute2.mesa. IN A 5.6.7.9 +ENTRY_END + +; Check the cache contents, for query 3. +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +check.pollute3.mesa. IN A +ENTRY_END + +STEP 110 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +check.pollute3.mesa. IN A +SECTION ANSWER +; good answer +check.pollute3.mesa. IN A 1.8.9.3 +; bad answer +;check.pollute3.mesa. IN A 5.6.7.9 +ENTRY_END + +SCENARIO_END diff --git a/testdata/iter_scrub_rr_length.rpl b/testdata/iter_scrub_rr_length.rpl index ee7579f9c..143e0fc50 100644 --- a/testdata/iter_scrub_rr_length.rpl +++ b/testdata/iter_scrub_rr_length.rpl 
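Review bot: testdata/iter_scrub_promiscuous.rpl runs only with `iter-scrub-promiscuous: yes`, so steps 70, 90 and 110 confirm the 1.8.9.x answers with the scrubber on, but nothing shows the outcome would differ with it off. The commented-out `; bad answer` lines suggest that contrast is the intent. A companion scenario with the option set to `no`, or a comment naming any other hardening expected to drop these records, would tie a future failure to the scrubber itself. Separately, the `ns.attacker.mesa. IN A` entry appears twice, identically, in the 5.6.7.8 range, and one copy can be dropped.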
@@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no ede: yes diff --git a/testdata/iter_soamin.rpl b/testdata/iter_soamin.rpl index 7e902601b..0facc3508 100644 --- a/testdata/iter_soamin.rpl +++ b/testdata/iter_soamin.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_stub_noroot.rpl b/testdata/iter_stub_noroot.rpl index ef306bd42..749462b6e 100644 --- a/testdata/iter_stub_noroot.rpl +++ b/testdata/iter_stub_noroot.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_stubfirst.rpl b/testdata/iter_stubfirst.rpl index 1a7112de4..7cd3305a9 100644 --- a/testdata/iter_stubfirst.rpl +++ b/testdata/iter_stubfirst.rpl @@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_timeout_ra_aaaa.rpl b/testdata/iter_timeout_ra_aaaa.rpl index 126867ba4..9456f0420 100644 --- a/testdata/iter_timeout_ra_aaaa.rpl +++ b/testdata/iter_timeout_ra_aaaa.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/iter_unverified_glue.rpl b/testdata/iter_unverified_glue.rpl index 017f220b6..bc96bb14a 100644 --- a/testdata/iter_unverified_glue.rpl +++ b/testdata/iter_unverified_glue.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: no minimal-responses: no + iter-scrub-promiscuous: no do-ip6: no harden-unverified-glue: yes stub-zone: diff --git a/testdata/rrset_rettl.rpl b/testdata/rrset_rettl.rpl index 55dd62386..131a98e71 100644 --- a/testdata/rrset_rettl.rpl +++ b/testdata/rrset_rettl.rpl 
@@ -2,6 +2,7 @@ ; config options go here. server: minimal-responses: no + iter-scrub-promiscuous: no forward-zone: name: "." forward-addr: 216.0.0.1 CONFIG_END diff --git a/testdata/rrset_untrusted.rpl b/testdata/rrset_untrusted.rpl index 6370ebf49..207275b56 100644 --- a/testdata/rrset_untrusted.rpl +++ b/testdata/rrset_untrusted.rpl @@ -2,6 +2,7 @@ ; config options go here. server: minimal-responses: no + iter-scrub-promiscuous: no forward-zone: name: "." forward-addr: 216.0.0.1 CONFIG_END diff --git a/testdata/rrset_updated.rpl b/testdata/rrset_updated.rpl index 55da56bac..ba8e4924c 100644 --- a/testdata/rrset_updated.rpl +++ b/testdata/rrset_updated.rpl @@ -2,6 +2,7 @@ ; config options go here. server: minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no forward-zone: name: "." forward-addr: 216.0.0.1 CONFIG_END diff --git a/testdata/rrset_use_cached.rpl b/testdata/rrset_use_cached.rpl index 8420ae02a..17696f600 100644 --- a/testdata/rrset_use_cached.rpl +++ b/testdata/rrset_use_cached.rpl @@ -1,5 +1,6 @@ server: minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes # The value does not matter, we will not simulate delay. # We do not want only serve-expired because fetches from that diff --git a/testdata/serve_expired.rpl b/testdata/serve_expired.rpl index 990a562c7..573e18bcf 100644 --- a/testdata/serve_expired.rpl +++ b/testdata/serve_expired.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 0 access-control: 127.0.0.1/32 allow_snoop diff --git a/testdata/serve_expired_0ttl_nodata.rpl b/testdata/serve_expired_0ttl_nodata.rpl index 8ca461be2..4d483534d 100644 --- a/testdata/serve_expired_0ttl_nodata.rpl +++ b/testdata/serve_expired_0ttl_nodata.rpl 
@@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 0 ede: yes diff --git a/testdata/serve_expired_0ttl_nxdomain.rpl b/testdata/serve_expired_0ttl_nxdomain.rpl index 7cf26aedd..e7774a4f4 100644 --- a/testdata/serve_expired_0ttl_nxdomain.rpl +++ b/testdata/serve_expired_0ttl_nxdomain.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 0 ede: yes diff --git a/testdata/serve_expired_0ttl_servfail.rpl b/testdata/serve_expired_0ttl_servfail.rpl index e9d4c4884..87c509bbb 100644 --- a/testdata/serve_expired_0ttl_servfail.rpl +++ b/testdata/serve_expired_0ttl_servfail.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 0 ede: yes diff --git a/testdata/serve_expired_cached_servfail.rpl b/testdata/serve_expired_cached_servfail.rpl index eb115816e..e7cd5ca39 100644 --- a/testdata/serve_expired_cached_servfail.rpl +++ b/testdata/serve_expired_cached_servfail.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 0 serve-expired-reply-ttl: 123 diff --git a/testdata/serve_expired_client_timeout.rpl b/testdata/serve_expired_client_timeout.rpl index 5560aa05a..e40e1b4c3 100644 --- a/testdata/serve_expired_client_timeout.rpl +++ b/testdata/serve_expired_client_timeout.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 1 serve-expired-reply-ttl: 123 
diff --git a/testdata/serve_expired_client_timeout_no_prefetch.rpl b/testdata/serve_expired_client_timeout_no_prefetch.rpl index aed397d9e..3a35c4629 100644 --- a/testdata/serve_expired_client_timeout_no_prefetch.rpl +++ b/testdata/serve_expired_client_timeout_no_prefetch.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 1 serve-expired-reply-ttl: 123 diff --git a/testdata/serve_expired_client_timeout_servfail.rpl b/testdata/serve_expired_client_timeout_servfail.rpl index 3c5b35e17..c8a91fed1 100644 --- a/testdata/serve_expired_client_timeout_servfail.rpl +++ b/testdata/serve_expired_client_timeout_servfail.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 1 serve-expired-reply-ttl: 123 diff --git a/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl b/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl index 6654a2c68..08fc07158 100644 --- a/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl +++ b/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl @@ -9,6 +9,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no serve-expired: yes diff --git a/testdata/serve_expired_reply_ttl.rpl b/testdata/serve_expired_reply_ttl.rpl index e76976bde..06128a736 100644 --- a/testdata/serve_expired_reply_ttl.rpl +++ b/testdata/serve_expired_reply_ttl.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-reply-ttl: 123 serve-expired-client-timeout: 0 diff --git a/testdata/serve_expired_ttl.rpl b/testdata/serve_expired_ttl.rpl index 66acbdcf1..24cb34136 100644 
--- a/testdata/serve_expired_ttl.rpl +++ b/testdata/serve_expired_ttl.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 0 serve-expired-ttl: 10 diff --git a/testdata/serve_expired_ttl_client_timeout.rpl b/testdata/serve_expired_ttl_client_timeout.rpl index 169d070ea..f28579014 100644 --- a/testdata/serve_expired_ttl_client_timeout.rpl +++ b/testdata/serve_expired_ttl_client_timeout.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-ttl: 10 serve-expired-client-timeout: 1 diff --git a/testdata/serve_expired_zerottl.rpl b/testdata/serve_expired_zerottl.rpl index 1411cb8e7..1dd7547a9 100644 --- a/testdata/serve_expired_zerottl.rpl +++ b/testdata/serve_expired_zerottl.rpl @@ -3,6 +3,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 0 serve-expired-reply-ttl: 123 diff --git a/testdata/serve_original_ttl.rpl b/testdata/serve_original_ttl.rpl index 30503c285..ee80b550f 100644 --- a/testdata/serve_original_ttl.rpl +++ b/testdata/serve_original_ttl.rpl @@ -4,6 +4,7 @@ server: module-config: "validator iterator" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no serve-original-ttl: yes cache-max-ttl: 1000 cache-min-ttl: 20 diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl index 3cee6e978..c97bfbbe8 100644 --- a/testdata/subnet_cached.crpl +++ b/testdata/subnet_cached.crpl @@ -15,6 +15,7 @@ server: access-control: 127.0.0.1 allow_snoop qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/subnet_cached_servfail.crpl b/testdata/subnet_cached_servfail.crpl index 1bcd05f2f..7eec28817 100644 
--- a/testdata/subnet_cached_servfail.crpl +++ b/testdata/subnet_cached_servfail.crpl @@ -11,6 +11,7 @@ server: access-control: 127.0.0.1 allow_snoop qname-minimisation: no minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 0 prefetch: yes diff --git a/testdata/subnet_cached_size.crpl b/testdata/subnet_cached_size.crpl index d221d0d37..4a8c46449 100644 --- a/testdata/subnet_cached_size.crpl +++ b/testdata/subnet_cached_size.crpl @@ -15,6 +15,7 @@ server: access-control: 127.0.0.0/8 allow_snoop qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no ; the size for the edns subnet cache msg-cache-size: 1500 diff --git a/testdata/subnet_global_prefetch.crpl b/testdata/subnet_global_prefetch.crpl index 2f005d43b..7665015c0 100644 --- a/testdata/subnet_global_prefetch.crpl +++ b/testdata/subnet_global_prefetch.crpl @@ -12,6 +12,7 @@ server: access-control: 127.0.0.1 allow_snoop qname-minimisation: no minimal-responses: no + iter-scrub-promiscuous: no prefetch: yes stub-zone: diff --git a/testdata/subnet_global_prefetch_always_forward.crpl b/testdata/subnet_global_prefetch_always_forward.crpl index 775474cbc..d32ae6da0 100644 --- a/testdata/subnet_global_prefetch_always_forward.crpl +++ b/testdata/subnet_global_prefetch_always_forward.crpl @@ -13,6 +13,7 @@ server: access-control: 127.0.0.1 allow_snoop qname-minimisation: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/subnet_global_prefetch_expired.crpl b/testdata/subnet_global_prefetch_expired.crpl index 374bf3e69..6a491af42 100644 --- a/testdata/subnet_global_prefetch_expired.crpl +++ b/testdata/subnet_global_prefetch_expired.crpl @@ -13,6 +13,7 @@ server: access-control: 127.0.0.1 allow_snoop qname-minimisation: no minimal-responses: no + iter-scrub-promiscuous: no serve-expired: yes serve-expired-client-timeout: 0 serve-expired-ttl: 1 
diff --git a/testdata/subnet_global_prefetch_with_client_ecs.crpl b/testdata/subnet_global_prefetch_with_client_ecs.crpl index ddc832c47..8589db7e1 100644 --- a/testdata/subnet_global_prefetch_with_client_ecs.crpl +++ b/testdata/subnet_global_prefetch_with_client_ecs.crpl @@ -12,6 +12,7 @@ server: access-control: 127.0.0.1 allow_snoop qname-minimisation: no minimal-responses: no + iter-scrub-promiscuous: no prefetch: yes stub-zone: diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl index f5c7464ed..f3f71e7fd 100644 --- a/testdata/subnet_max_source.crpl +++ b/testdata/subnet_max_source.crpl @@ -11,6 +11,7 @@ server: verbosity: 3 qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/subnet_prefetch.crpl b/testdata/subnet_prefetch.crpl index aaa6bf08c..243e40950 100644 --- a/testdata/subnet_prefetch.crpl +++ b/testdata/subnet_prefetch.crpl @@ -12,6 +12,7 @@ server: access-control: 127.0.0.1 allow_snoop qname-minimisation: no minimal-responses: no + iter-scrub-promiscuous: no prefetch: yes stub-zone: diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl index 01456e58b..10996ada8 100644 --- a/testdata/subnet_val_positive.crpl +++ b/testdata/subnet_val_positive.crpl @@ -13,6 +13,7 @@ server: fake-dsa: yes qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl index b573742b7..1b51d52ef 100644 --- a/testdata/subnet_val_positive_client.crpl +++ b/testdata/subnet_val_positive_client.crpl @@ -14,6 +14,7 @@ server: fake-dsa: yes qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/trust_cname_chain.rpl b/testdata/trust_cname_chain.rpl index f8415ba23..e24f8c10d 100644 --- a/testdata/trust_cname_chain.rpl +++ b/testdata/trust_cname_chain.rpl 
@@ -2,6 +2,7 @@ server: target-fetch-policy: "0 0 0 0 0" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. diff --git a/testdata/ttl_max.rpl b/testdata/ttl_max.rpl index 325696321..b24eea383 100644 --- a/testdata/ttl_max.rpl +++ b/testdata/ttl_max.rpl @@ -4,6 +4,7 @@ server: cache-max-ttl: 10 qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/ttl_min.rpl b/testdata/ttl_min.rpl index 3c79ff5ed..94206c7c5 100644 --- a/testdata/ttl_min.rpl +++ b/testdata/ttl_min.rpl @@ -4,6 +4,7 @@ server: cache-min-ttl: 10 qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_adbit.rpl b/testdata/val_adbit.rpl index 7ce62de77..233c58bef 100644 --- a/testdata/val_adbit.rpl +++ b/testdata/val_adbit.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_adcopy.rpl b/testdata/val_adcopy.rpl index 604fd57f2..7bc31df23 100644 --- a/testdata/val_adcopy.rpl +++ b/testdata/val_adcopy.rpl @@ -7,6 +7,7 @@ server: qname-minimisation: "no" fake-sha1: yes minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_cnametocnamewctoposwc.rpl b/testdata/val_cnametocnamewctoposwc.rpl index 407666efc..9ea8b493e 100644 --- a/testdata/val_cnametocnamewctoposwc.rpl +++ b/testdata/val_cnametocnamewctoposwc.rpl @@ -7,6 +7,7 @@ server: qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_ds_afterprime.rpl b/testdata/val_ds_afterprime.rpl index 3b1c0d614..301a1f6b6 100644 --- a/testdata/val_ds_afterprime.rpl +++ b/testdata/val_ds_afterprime.rpl 
@@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_faildnskey_ok.rpl b/testdata/val_faildnskey_ok.rpl index 50f3184b4..f9196f35f 100644 --- a/testdata/val_faildnskey_ok.rpl +++ b/testdata/val_faildnskey_ok.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_keyprefetch_verify.rpl b/testdata/val_keyprefetch_verify.rpl index 9b901a8cb..6cf81848d 100644 --- a/testdata/val_keyprefetch_verify.rpl +++ b/testdata/val_keyprefetch_verify.rpl @@ -10,6 +10,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_noadwhennodo.rpl b/testdata/val_noadwhennodo.rpl index 46e1bad5a..dbdeb780e 100644 --- a/testdata/val_noadwhennodo.rpl +++ b/testdata/val_noadwhennodo.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_nsec3_b3_optout.rpl b/testdata/val_nsec3_b3_optout.rpl index 9d84be974..5d8a43a9b 100644 --- a/testdata/val_nsec3_b3_optout.rpl +++ b/testdata/val_nsec3_b3_optout.rpl @@ -7,6 +7,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/val_nsec3_b3_optout_negcache.rpl b/testdata/val_nsec3_b3_optout_negcache.rpl index 497a8591a..e7be762fb 100644 --- a/testdata/val_nsec3_b3_optout_negcache.rpl +++ b/testdata/val_nsec3_b3_optout_negcache.rpl @@ -7,6 +7,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/val_nsec3_b4_wild.rpl b/testdata/val_nsec3_b4_wild.rpl index 8bf3a5466..295932fad 100644 --- a/testdata/val_nsec3_b4_wild.rpl 
+++ b/testdata/val_nsec3_b4_wild.rpl @@ -6,6 +6,7 @@ server: qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/val_nsec3_cnametocnamewctoposwc.rpl b/testdata/val_nsec3_cnametocnamewctoposwc.rpl index 1651ae7dc..3e4c55a18 100644 --- a/testdata/val_nsec3_cnametocnamewctoposwc.rpl +++ b/testdata/val_nsec3_cnametocnamewctoposwc.rpl @@ -7,6 +7,7 @@ server: qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_positive.rpl b/testdata/val_positive.rpl index daaf36089..c80851703 100644 --- a/testdata/val_positive.rpl +++ b/testdata/val_positive.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_positive_wc.rpl b/testdata/val_positive_wc.rpl index 5384acf63..591dcc603 100644 --- a/testdata/val_positive_wc.rpl +++ b/testdata/val_positive_wc.rpl @@ -7,6 +7,7 @@ server: qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_qds_badanc.rpl b/testdata/val_qds_badanc.rpl index dc686153f..cb53136f6 100644 --- a/testdata/val_qds_badanc.rpl +++ b/testdata/val_qds_badanc.rpl @@ -7,6 +7,7 @@ server: qname-minimisation: "no" fake-sha1: yes minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_qds_oneanc.rpl b/testdata/val_qds_oneanc.rpl index f21ab422b..bda9f9032 100644 --- a/testdata/val_qds_oneanc.rpl +++ b/testdata/val_qds_oneanc.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_qds_twoanc.rpl b/testdata/val_qds_twoanc.rpl index 4e4f2e732..f801c023b 100644 --- a/testdata/val_qds_twoanc.rpl +++ b/testdata/val_qds_twoanc.rpl 
@@ -9,6 +9,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_refer_unsignadd.rpl b/testdata/val_refer_unsignadd.rpl index 4d073016f..22f15d21a 100644 --- a/testdata/val_refer_unsignadd.rpl +++ b/testdata/val_refer_unsignadd.rpl @@ -9,6 +9,7 @@ server: qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/val_referd.rpl b/testdata/val_referd.rpl index d475f835e..a25ca7b7d 100644 --- a/testdata/val_referd.rpl +++ b/testdata/val_referd.rpl @@ -10,6 +10,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl index 54b767156..3ca0c0e80 100644 --- a/testdata/val_referglue.rpl +++ b/testdata/val_referglue.rpl @@ -10,6 +10,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no stub-zone: diff --git a/testdata/val_rrsig.rpl b/testdata/val_rrsig.rpl index 0b672e0f2..69df344a5 100644 --- a/testdata/val_rrsig.rpl +++ b/testdata/val_rrsig.rpl @@ -7,6 +7,7 @@ server: qname-minimisation: "no" fake-sha1: yes minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_spurious_ns.rpl b/testdata/val_spurious_ns.rpl index cb0a6e529..8db94a108 100644 --- a/testdata/val_spurious_ns.rpl +++ b/testdata/val_spurious_ns.rpl @@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_stub_noroot.rpl b/testdata/val_stub_noroot.rpl index 07113bef7..66c3d8e88 100644 --- a/testdata/val_stub_noroot.rpl +++ b/testdata/val_stub_noroot.rpl 
@@ -6,6 +6,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_ta_algo_dnskey.rpl b/testdata/val_ta_algo_dnskey.rpl index 03bac83aa..5b0b64d25 100644 --- a/testdata/val_ta_algo_dnskey.rpl +++ b/testdata/val_ta_algo_dnskey.rpl @@ -9,6 +9,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_ta_algo_dnskey_dp.rpl b/testdata/val_ta_algo_dnskey_dp.rpl index 2b3609be8..ae0c499ca 100644 --- a/testdata/val_ta_algo_dnskey_dp.rpl +++ b/testdata/val_ta_algo_dnskey_dp.rpl @@ -10,6 +10,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_ta_algo_missing_dp.rpl b/testdata/val_ta_algo_missing_dp.rpl index dc55a09da..14efdeccb 100644 --- a/testdata/val_ta_algo_missing_dp.rpl +++ b/testdata/val_ta_algo_missing_dp.rpl @@ -11,6 +11,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_twocname.rpl b/testdata/val_twocname.rpl index bc7c3bcb2..b4323644a 100644 --- a/testdata/val_twocname.rpl +++ b/testdata/val_twocname.rpl @@ -5,6 +5,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no rrset-roundrobin: no forward-zone: diff --git a/testdata/val_unalgo_anchor.rpl b/testdata/val_unalgo_anchor.rpl index fbbf288a5..a93520122 100644 --- a/testdata/val_unalgo_anchor.rpl +++ b/testdata/val_unalgo_anchor.rpl @@ -7,6 +7,7 @@ server: qname-minimisation: "no" fake-sha1: yes minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/val_wild_pos.rpl b/testdata/val_wild_pos.rpl index 624d8e07b..9fafa6554 100644 --- a/testdata/val_wild_pos.rpl +++ b/testdata/val_wild_pos.rpl 
@@ -8,6 +8,7 @@ server: fake-sha1: yes trust-anchor-signaling: no minimal-responses: no + iter-scrub-promiscuous: no stub-zone: name: "." diff --git a/testdata/views.rpl b/testdata/views.rpl index 6a9052fbe..a6026244b 100644 --- a/testdata/views.rpl +++ b/testdata/views.rpl @@ -3,6 +3,7 @@ server: target-fetch-policy: "0 0 0 0 0" qname-minimisation: "no" minimal-responses: no + iter-scrub-promiscuous: no access-control: 10.10.10.0/24 allow access-control-view: 10.10.10.10/32 "view1" diff --git a/util/config_file.c b/util/config_file.c index b1e767b3b..25c2b3e30 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -421,6 +421,7 @@ config_create(void) cfg->dns_error_reporting = 0; cfg->iter_scrub_ns = 20; cfg->iter_scrub_cname = 11; + cfg->iter_scrub_promiscuous = 1; cfg->max_global_quota = 200; return cfg; error_exit: @@ -765,6 +766,7 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_YNO("dns-error-reporting:", dns_error_reporting) else S_NUMBER_OR_ZERO("iter-scrub-ns:", iter_scrub_ns) else S_NUMBER_OR_ZERO("iter-scrub-cname:", iter_scrub_cname) + else S_YNO("iter-scrub-promiscuous:", iter_scrub_promiscuous) else S_NUMBER_OR_ZERO("max-global-quota:", max_global_quota) else S_YNO("serve-original-ttl:", serve_original_ttl) else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations) @@ -1241,6 +1243,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "dns-error-reporting", dns_error_reporting) else O_DEC(opt, "iter-scrub-ns", iter_scrub_ns) else O_DEC(opt, "iter-scrub-cname", iter_scrub_cname) + else O_YNO(opt, "iter-scrub-promiscuous", iter_scrub_promiscuous) else O_DEC(opt, "max-global-quota", max_global_quota) else O_YNO(opt, "serve-original-ttl", serve_original_ttl) else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations) diff --git a/util/config_file.h b/util/config_file.h index 44ac036b8..f77538b0d 100644 --- a/util/config_file.h +++ b/util/config_file.h 
@@ -792,6 +792,9 @@ struct config_file {
 int iter_scrub_cname;
 /** limit on upstream queries for an incoming query and subqueries. */
 int max_global_quota;
+ /** Should the iterator scrub promiscuous NS rrsets, from positive
+ * answers. */
+ int iter_scrub_promiscuous;
 };
 /** from cfg username, after daemonize setup performed */
diff --git a/util/configlexer.lex b/util/configlexer.lex
index bc258673d..0ba8d60c9 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -606,6 +606,7 @@ proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) }
 iter-scrub-ns{COLON} { YDVAR(1, VAR_ITER_SCRUB_NS) }
 iter-scrub-cname{COLON} { YDVAR(1, VAR_ITER_SCRUB_CNAME) }
 max-global-quota{COLON} { YDVAR(1, VAR_MAX_GLOBAL_QUOTA) }
+iter-scrub-promiscuous{COLON} { YDVAR(1, VAR_ITER_SCRUB_PROMISCUOUS) }
 {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
 /* Quoted strings. Strip leading and ending quotes */
diff --git a/util/configparser.y b/util/configparser.y
index 82e1d8782..bef1fd38d 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -215,6 +215,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_LOG_DESTADDR VAR_CACHEDB_CHECK_WHEN_SERVE_EXPIRED
 %token VAR_COOKIE_SECRET_FILE VAR_ITER_SCRUB_NS VAR_ITER_SCRUB_CNAME
 %token VAR_MAX_GLOBAL_QUOTA VAR_HARDEN_UNVERIFIED_GLUE VAR_LOG_TIME_ISO
+%token VAR_ITER_SCRUB_PROMISCUOUS
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -356,7 +357,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_harden_unknown_additional | server_disable_edns_do | server_log_destaddr | server_cookie_secret_file | server_iter_scrub_ns | server_iter_scrub_cname | server_max_global_quota |
- server_harden_unverified_glue | server_log_time_iso
+ server_harden_unverified_glue | server_log_time_iso | server_iter_scrub_promiscuous
 ;
 stub_clause: stubstart contents_stub
 {
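Review bot: The doc comment on the new `iter_scrub_promiscuous` field in util/config_file.h gives neither the default nor what switching the option off costs. config_create() sets the field to 1 and the commit subject ties the option to CVE-2025-11411, so the header is the natural place to record both, e.g. `/** Scrub promiscuous NS rrsets from positive answers; default 1 (yes).` followed by ` * Setting it to 0 turns off the CVE-2025-11411 poisoning protection. */`. The struct definition starts well before this hunk, so any ordering convention among its fields cannot be checked from here.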
@@ -4240,6 +4241,16 @@ server_max_global_quota: VAR_MAX_GLOBAL_QUOTA STRING_ARG
 free($2);
 }
 ;
+server_iter_scrub_promiscuous: VAR_ITER_SCRUB_PROMISCUOUS STRING_ARG
+ {
+ OUTYY(("P(server_iter_scrub_promiscuous:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->iter_scrub_promiscuous =
+ (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
 ipsetstart: VAR_IPSET
 {
 OUTYY(("\nP(ipset:)\n"));