authorCy Schubert <cy@FreeBSD.org>2023-09-18 19:59:52 +0000
committerCy Schubert <cy@FreeBSD.org>2023-09-18 19:59:52 +0000
commit401770e05c71ecb5ae61a59d316069b4b78bf622 (patch)
treea66e3d57ff5dde81aaa0fdc4c2d86c8b7a525ae0 /testdata
parent7699e1386a16236002b26107ffd2dcbde375e197 (diff)
Diffstat (limited to 'testdata')
-rw-r--r--testdata/00-lint.tdir/00-lint.dsc10
-rw-r--r--testdata/00-lint.tdir/00-lint.pre14
-rw-r--r--testdata/01-doc.tdir/01-doc.test1
-rw-r--r--testdata/09-unbound-control.tdir/09-unbound-control.test17
-rw-r--r--testdata/auth_xfr_host.rpl2
-rw-r--r--testdata/autotrust_init_fail.rpl18
-rw-r--r--testdata/autotrust_init_failsig.rpl18
-rw-r--r--testdata/autotrust_probefail.rpl18
-rw-r--r--testdata/autotrust_probefailsig.rpl18
-rw-r--r--testdata/autotrust_revtp_use.rpl2
-rw-r--r--testdata/black_ds_entry.rpl35
-rw-r--r--testdata/black_key_entry.rpl35
-rw-r--r--testdata/black_prime_entry.rpl33
-rw-r--r--testdata/cachedb_cached_ede.crpl91
-rw-r--r--testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.test11
-rw-r--r--testdata/ede.tdir/ede.test33
-rw-r--r--testdata/ede_cache_snoop_not_auth.rpl (renamed from testdata/ede_cache_snoop_noth_auth.rpl)0
-rw-r--r--testdata/edns_downstream_cookies.rpl235
-rw-r--r--testdata/ip_ratelimit.tdir/ip_ratelimit.conf28
-rw-r--r--testdata/ip_ratelimit.tdir/ip_ratelimit.dsc16
-rw-r--r--testdata/ip_ratelimit.tdir/ip_ratelimit.post13
-rw-r--r--testdata/ip_ratelimit.tdir/ip_ratelimit.pre24
-rw-r--r--testdata/ip_ratelimit.tdir/ip_ratelimit.test165
-rw-r--r--testdata/ip_ratelimit.tdir/unbound_control.key39
-rw-r--r--testdata/ip_ratelimit.tdir/unbound_control.pem22
-rw-r--r--testdata/ip_ratelimit.tdir/unbound_server.key39
-rw-r--r--testdata/ip_ratelimit.tdir/unbound_server.pem22
-rw-r--r--testdata/iter_cname_minimise_nx.rpl246
-rw-r--r--testdata/iter_dnsseclame_bug.rpl14
-rw-r--r--testdata/iter_dnsseclame_ds.rpl11
-rw-r--r--testdata/iter_dnsseclame_ta.rpl9
-rw-r--r--testdata/iter_donotq127.rpl2
-rw-r--r--testdata/iter_emptydp.rpl9
-rw-r--r--testdata/iter_emptydp_for_glue.rpl16
-rw-r--r--testdata/iter_failreply.rpl132
-rw-r--r--testdata/iter_ignore_empty.rpl198
-rw-r--r--testdata/iter_lame_aaaa.rpl4
-rw-r--r--testdata/iter_lamescrub.rpl2
-rw-r--r--testdata/iter_nat64.rpl117
-rw-r--r--testdata/iter_nat64_prefix.rpl119
-rw-r--r--testdata/iter_nat64_prefix48.rpl118
-rw-r--r--testdata/iter_nxns_cached.rpl2
-rw-r--r--testdata/iter_nxns_fallback.rpl2
-rw-r--r--testdata/iter_primenoglue.rpl33
-rw-r--r--testdata/iter_privaddr.rpl2
-rw-r--r--testdata/iter_ranoaa_lame.rpl6
-rw-r--r--testdata/iter_reclame_two.rpl4
-rw-r--r--testdata/iter_scrub_ns.rpl2
-rw-r--r--testdata/iter_scrub_ns_fwd.rpl2
-rw-r--r--testdata/iter_scrub_ns_side.rpl4
-rw-r--r--testdata/iter_stublastresort.rpl6
-rw-r--r--testdata/nsid_bogus.rpl33
-rw-r--r--testdata/ratelimit.tdir/ratelimit.testns2
-rw-r--r--testdata/root_key_sentinel.rpl33
-rw-r--r--testdata/rpz_ixfr.rpl256
-rw-r--r--testdata/rpz_respip.rpl17
-rw-r--r--testdata/serve_expired_0ttl_nodata.rpl154
-rw-r--r--testdata/serve_expired_0ttl_nxdomain.rpl154
-rw-r--r--testdata/serve_expired_0ttl_servfail.rpl129
-rw-r--r--testdata/serve_expired_cached_servfail_refresh.rpl145
-rw-r--r--testdata/speed_local.tdir/speed_local.test7
-rw-r--r--testdata/stat_values.tdir/stat_values.pre10
-rw-r--r--testdata/stat_values.tdir/stat_values.test201
-rw-r--r--testdata/stat_values.tdir/stat_values.testns10
-rw-r--r--testdata/stat_values.tdir/stat_values_cachedb.conf36
-rw-r--r--testdata/stat_values.tdir/stat_values_downstream_cookies.conf32
-rw-r--r--testdata/stream_ssl.tdir/stream_ssl.serv.conf6
-rw-r--r--testdata/subnet_cached_ede.crpl114
-rw-r--r--testdata/subnet_derived.crpl3
-rw-r--r--testdata/subnet_format_ip4.crpl3
-rw-r--r--testdata/subnet_global_prefetch.crpl236
-rw-r--r--testdata/subnet_global_prefetch_always_forward.crpl167
-rw-r--r--testdata/subnet_global_prefetch_expired.crpl241
-rw-r--r--testdata/subnet_global_prefetch_with_client_ecs.crpl (renamed from testdata/subnet_prefetch_with_client_ecs.crpl)0
-rw-r--r--testdata/subnet_not_whitelisted.crpl3
-rw-r--r--testdata/subnet_prefetch.crpl75
-rw-r--r--testdata/subnet_without_validator.crpl3
-rw-r--r--testdata/svcb.tdir/svcb.failure-cases-012
-rw-r--r--testdata/svcb.tdir/svcb.success-cases.zone14
-rw-r--r--testdata/svcb.tdir/svcb.success-cases.zone.cmp8
-rw-r--r--testdata/svcb.tdir/svcb.test3
-rw-r--r--testdata/val_any.rpl3
-rw-r--r--testdata/val_any_dname.rpl1
-rw-r--r--testdata/val_any_negcache.rpl240
-rw-r--r--testdata/val_cnametocloser_nosig.rpl19
-rw-r--r--testdata/val_cnametoinsecure.rpl11
-rw-r--r--testdata/val_cnametonodata_nonsec.rpl28
-rw-r--r--testdata/val_cnametooptout.rpl6
-rw-r--r--testdata/val_cnametoposnowc.rpl18
-rw-r--r--testdata/val_deleg_nons.rpl18
-rw-r--r--testdata/val_dnamewc.rpl18
-rw-r--r--testdata/val_ds_cname.rpl19
-rw-r--r--testdata/val_faildnskey.rpl23
-rw-r--r--testdata/val_faildnskey_ok.rpl5
-rw-r--r--testdata/val_nodata_failsig.rpl18
-rw-r--r--testdata/val_nodata_failwc.rpl22
-rw-r--r--testdata/val_nokeyprime.rpl18
-rw-r--r--testdata/val_nsec3_b1_nameerror_nowc.rpl25
-rw-r--r--testdata/val_nsec3_b2_nodata_nons.rpl21
-rw-r--r--testdata/val_nsec3_b4_wild_wr.rpl8
-rw-r--r--testdata/val_nsec3_entnodata_optout_badopt.rpl18
-rw-r--r--testdata/val_nsec3_nods_badsig.rpl17
-rw-r--r--testdata/val_nx_failwc.rpl18
-rw-r--r--testdata/val_nx_overreach.rpl18
-rw-r--r--testdata/val_positive_nosigs.rpl5
-rw-r--r--testdata/val_secds_nosig.rpl16
-rw-r--r--testdata/val_ta_algo_missing.rpl19
107 files changed, 4637 insertions, 111 deletions
diff --git a/testdata/00-lint.tdir/00-lint.dsc b/testdata/00-lint.tdir/00-lint.dsc
index 4778f7a81ba5..814a53717d90 100644
--- a/testdata/00-lint.tdir/00-lint.dsc
+++ b/testdata/00-lint.tdir/00-lint.dsc
@@ -3,14 +3,14 @@ Version: 1.0
Description: Put source into lint.
CreationDate: Wed Jan 3 14:12:02 CET 2007
Maintainer: dr. W.C.A. Wijngaards
-Category:
+Category:
Component:
-CmdDepends:
-Depends:
+CmdDepends:
+Depends:
Help:
-Pre:
+Pre: 00-lint.pre
Post:
Test: 00-lint.test
-AuxFiles:
+AuxFiles:
Passed:
Failure:
diff --git a/testdata/00-lint.tdir/00-lint.pre b/testdata/00-lint.tdir/00-lint.pre
new file mode 100644
index 000000000000..507f5e1e9454
--- /dev/null
+++ b/testdata/00-lint.tdir/00-lint.pre
@@ -0,0 +1,14 @@
+# #-- 00-lint.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+
+if test -f $PRE/unbound_test_00-lint ; then
+ echo test enabled
+else
+ skip_test "test skipped; clang linter preferred over splint"
+fi
diff --git a/testdata/01-doc.tdir/01-doc.test b/testdata/01-doc.tdir/01-doc.test
index 6a78a9cd356d..484b0be42e43 100644
--- a/testdata/01-doc.tdir/01-doc.test
+++ b/testdata/01-doc.tdir/01-doc.test
@@ -34,6 +34,7 @@ fgrep -v -e "ldns-src/" hlist > ilist; mv ilist hlist
fgrep -v -e "libunbound/python/libunbound_wrap.c" hlist > ilist; mv ilist hlist
fgrep -v -e "pythonmod/interface.h" hlist > ilist; mv ilist hlist
fgrep -v -e "dnstap" hlist > ilist; mv ilist hlist
+fgrep -v -e "util/siphash.c" hlist > ilist; mv ilist hlist
# filter out compat
fgrep -v -e "compat/" hlist > ilist; mv ilist hlist
for h in `cat hlist`; do
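Review bot: The added `util/siphash.c` exclusion has no comment saying why that file is exempt from the documentation check, whereas the next filter is introduced by `# filter out compat`. If the file is imported third-party code (an inference from its name, nothing in the hunk confirms it), a line such as `# filter out imported siphash implementation` above it would keep the exemption list auditable. The loop that consumes hlist continues outside the hunk.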
diff --git a/testdata/09-unbound-control.tdir/09-unbound-control.test b/testdata/09-unbound-control.tdir/09-unbound-control.test
index 0ef679b3fd46..0a0bd8a18d47 100644
--- a/testdata/09-unbound-control.tdir/09-unbound-control.test
+++ b/testdata/09-unbound-control.tdir/09-unbound-control.test
@@ -199,7 +199,7 @@ query www.example.com.
cache_dump -c ub.conf
expect_exit_value 0
cat cache.dump
-expect_in_cache "10.20.30.40"
+expect_in_cache_dump "10.20.30.40"
control_command -c ub.conf lookup www.example.com
expect_exit_value 0
@@ -264,6 +264,7 @@ control_command -c ub.conf reload_keep_cache
expect_exit_value 0
cache_dump -c ub.conf
expect_exit_value 0
+cat cache.dump
expect_in_cache_dump "www.example.com.*10.20.30.40"
expect_in_cache_dump "msg www.example.com. IN A"
query www.example.com +nordflag
@@ -291,6 +292,14 @@ fail_in_cache_dump "msg www.example.com. IN A"
query www.example.com
expect_answer "10.20.30.40"
+# See if this part of the test can be enabled, it needs threads for combined
+# output.
+have_threads="no"
+if grep "define HAVE_PTHREAD 1" $PRE/config.h; then have_threads="yes"; fi
+if grep "define HAVE_SOLARIS_THREADS 1" $PRE/config.h; then have_threads="yes"; fi
+if grep "define HAVE_WINDOWS_THREADS 1" $PRE/config.h; then have_threads="yes"; fi
+if test "$have_threads" = "yes"; then
+
teststep "change num-threads and reload_keep_cache - should be empty"
echo "server: num-threads: 2" >> ub.conf
control_command -c ub.conf reload_keep_cache
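Review bot: If config.h is missing or unreadable, the three `grep "define HAVE_..._THREADS 1" $PRE/config.h` probes leave have_threads at "no", so the multi-thread reload steps are skipped and the test still passes with only a one-line skip message in the log. A preceding `test -f "$PRE/config.h" || exit 1` would make a broken build tree fail instead of reducing coverage. The probes also print their matches into the test output and leave `$PRE` unquoted; `grep -q "define HAVE_PTHREAD 1" "$PRE/config.h"` avoids both. The `if test "$have_threads" = "yes"` opened here is closed in the next hunk.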
@@ -311,6 +320,12 @@ expect_exit_value 0
expect_in_cache_dump "www.example.com.*10.20.30.40"
expect_in_cache_dump "msg www.example.com. IN A"
+else
+ echo ""
+ echo "> skip test parts that need threads, have_threads=no"
+# end of check for have_threads
+fi
+
teststep "now stop the server"
control_command -c ub.conf stop
expect_exit_value 0
diff --git a/testdata/auth_xfr_host.rpl b/testdata/auth_xfr_host.rpl
index d052d36a43bf..f8bd1890e0ea 100644
--- a/testdata/auth_xfr_host.rpl
+++ b/testdata/auth_xfr_host.rpl
@@ -84,6 +84,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
RANGE_END
diff --git a/testdata/autotrust_init_fail.rpl b/testdata/autotrust_init_fail.rpl
index 1f3fed9570a2..00703026d274 100644
--- a/testdata/autotrust_init_fail.rpl
+++ b/testdata/autotrust_init_fail.rpl
@@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
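Review bot: The added `access-control: 127.0.0.0/8 allow_snoop` has no comment tying it to the RD=0 queries added further down, which are what need non-recursive access to the cache. A line such as `; allow_snoop is needed for the RD=0 EDE cache checks below` would stop a later cleanup from dropping it as unused. The same line is added without explanation in autotrust_init_failsig.rpl, autotrust_probefail.rpl, autotrust_probefailsig.rpl, black_ds_entry.rpl, black_key_entry.rpl and black_prime_entry.rpl.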
@@ -159,6 +160,23 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 21 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 22 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; The autotrust anchor was probed due to the query.
STEP 30 CHECK_AUTOTRUST example.com
diff --git a/testdata/autotrust_init_failsig.rpl b/testdata/autotrust_init_failsig.rpl
index 7f6a14d833e5..29a8d11d193d 100644
--- a/testdata/autotrust_init_failsig.rpl
+++ b/testdata/autotrust_init_failsig.rpl
@@ -6,6 +6,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -147,6 +148,23 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 21 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 22 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; The autotrust anchor was probed due to the query.
STEP 30 CHECK_AUTOTRUST example.com
diff --git a/testdata/autotrust_probefail.rpl b/testdata/autotrust_probefail.rpl
index e22cbf71ff96..992d9629df13 100644
--- a/testdata/autotrust_probefail.rpl
+++ b/testdata/autotrust_probefail.rpl
@@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -164,4 +165,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/autotrust_probefailsig.rpl b/testdata/autotrust_probefailsig.rpl
index 7d486ffbc397..3988add01acf 100644
--- a/testdata/autotrust_probefailsig.rpl
+++ b/testdata/autotrust_probefailsig.rpl
@@ -5,6 +5,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -164,4 +165,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/autotrust_revtp_use.rpl b/testdata/autotrust_revtp_use.rpl
index b43eb60ad6c7..952428a3daa4 100644
--- a/testdata/autotrust_revtp_use.rpl
+++ b/testdata/autotrust_revtp_use.rpl
@@ -109,6 +109,8 @@ SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
; no AAAA
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
RANGE_END
diff --git a/testdata/black_ds_entry.rpl b/testdata/black_ds_entry.rpl
index 168dc236d203..f2e7a2a99241 100644
--- a/testdata/black_ds_entry.rpl
+++ b/testdata/black_ds_entry.rpl
@@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -586,6 +587,23 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; no more outgoing traffic possible.
STEP 110 QUERY
ENTRY_BEGIN
@@ -603,6 +621,23 @@ ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 121 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ftp.sub.example.com. IN A
+ENTRY_END
+
+STEP 122 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ftp.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; wait for timeout seconds.
STEP 130 TIME_PASSES ELAPSE 901
diff --git a/testdata/black_key_entry.rpl b/testdata/black_key_entry.rpl
index cd2b0bfbe557..c66e1dbb13ad 100644
--- a/testdata/black_key_entry.rpl
+++ b/testdata/black_key_entry.rpl
@@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -568,6 +569,23 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; no more outgoing traffic possible.
STEP 110 QUERY
ENTRY_BEGIN
@@ -585,6 +603,23 @@ ftp.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 121 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ftp.sub.example.com. IN A
+ENTRY_END
+
+STEP 122 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ftp.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
; wait for timeout seconds.
STEP 130 TIME_PASSES ELAPSE 901
diff --git a/testdata/black_prime_entry.rpl b/testdata/black_prime_entry.rpl
index e635ed9cc10b..1acd7d7c12e7 100644
--- a/testdata/black_prime_entry.rpl
+++ b/testdata/black_prime_entry.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -292,6 +293,22 @@ SECTION QUESTION
www.example.com. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
STEP 100 TIME_PASSES ELAPSE 10
; second query should not result in going to the network.
@@ -311,5 +328,21 @@ SECTION QUESTION
ftp.example.com. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 121 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ftp.example.com. IN A
+ENTRY_END
+
+STEP 122 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ftp.example.com. IN A
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/cachedb_cached_ede.crpl b/testdata/cachedb_cached_ede.crpl
new file mode 100644
index 000000000000..5eade545105f
--- /dev/null
+++ b/testdata/cachedb_cached_ede.crpl
@@ -0,0 +1,91 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: no
+ module-config: "cachedb validator iterator"
+ trust-anchor-signaling: no
+ verbosity: 4
+ ede: yes
+ val-log-level: 2
+ trust-anchor: "example.nl. DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29B22446B1"
+
+
+cachedb:
+ backend: "testframe"
+ secret-seed: "testvalue"
+
+stub-zone:
+ name: "example.nl"
+ stub-addr: 193.0.14.129
+CONFIG_END
+
+SCENARIO_BEGIN Test cachedb support for caching EDEs.
+
+RANGE_BEGIN 0 10
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.nl. IN DNSKEY
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.nl. IN A
+SECTION ANSWER
+example.nl. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; get the entry in cache.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+example.nl. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ FF FE ; option code = 65534 (LDNS_EDNS_UNBOUND_CACHEDB_TESTFRAME_TEST)
+ 00 00 ; option length
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; get the answer for it
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+example.nl. IN A
+ENTRY_END
+
+; query again for the cached entry
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.nl. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ FF FE ; option code = 65534 (LDNS_EDNS_UNBOUND_CACHEDB_TESTFRAME_TEST)
+ 00 00 ; option length
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; this must be a cached answer since stub is not answering in this range
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+example.nl. IN A
+ENTRY_END
+
+SCENARIO_END
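Review bot: STEP 20 sends `REPLY RD` without DO while STEP 1 sends `REPLY RD DO`, yet both checks expect `REPLY QR RD RA DO SERVFAIL`, and nothing in the file says whether the difference is deliberate. If the intent is to show that the cached EDE is returned regardless of the DO bit, a comment on STEP 20 such as `; no DO on purpose: the cached EDE must not depend on it` would record that; otherwise the second query should use `REPLY RD DO` so both lookups are identical. Whether `MATCH all` compares the DO flag at all depends on the test harness, which is not visible here.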
diff --git a/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.test b/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.test
index bbeb9eb2b65f..45bde6564b2e 100644
--- a/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.test
+++ b/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.test
@@ -23,15 +23,26 @@ if test "$?" -ne 0; then
fi
num=$(grep "ANSWER SEC" outfile | wc -l)
# 58 byte answers, 500 byte max response buffer -> 8 answers
+
+# Sometimes unbound is scheduled to be able to respond very quickly,
+# before all the queries are sent, and then writes some of the queries
+# back already, emptying the buffer, which then does not overflow.
+# The attempt is to detect this test flakyness with 'mode w' write lines.
+nummodew=$(grep "mode w" unbound.log | wc -l)
+echo "num answers $num and num write events $nummodew"
if [ $num -eq 8 ]; then
echo "content OK"
else
+ if [ "(" $num -eq 9 -o $num -eq 10 ")" -a $nummodew -eq 2 ]; then
+ echo "skip buffer emptied event"
+ else
echo "result contents not OK"
echo "> cat logfiles"
cat outfile
cat unbound.log
echo "result contents not OK"
exit 1
+ fi
fi
echo "OK"
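Review bot: The new tolerance branch accepts 9 or 10 answers whenever exactly two `mode w` lines are logged, so a real regression in the downstream buffer limit that happens to produce that count would now pass. The comment explains the scheduling race but not why two write events identify it, and that reasoning should be stated next to the check. The condition uses `-a`/`-o` with parentheses inside `[`, which POSIX marks obsolescent and which misparses on empty operands; `if { [ "$num" -eq 9 ] || [ "$num" -eq 10 ]; } && [ "$nummodew" -eq 2 ]; then` is unambiguous. The failure branch under the new `else` also kept its old indentation, which hides the nesting.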
diff --git a/testdata/ede.tdir/ede.test b/testdata/ede.tdir/ede.test
index 5d478bd49cb2..e45085ebf156 100644
--- a/testdata/ede.tdir/ede.test
+++ b/testdata/ede.tdir/ede.test
@@ -68,5 +68,36 @@ then
exit 1
fi
+# EDE with CD bit set (EDE but no SERVFAIL)
+dig @127.0.0.1 -p $UNBOUND_PORT cd.dnskey-failures.test +cd > cd_bit_ede.txt
-# @TODO DNSSEC indeterminate when implemented
+if ! grep -q -e "NXDOMAIN" cd_bit_ede.txt
+then
+ echo "No NXDOMAIN reply with CD bit set"
+ cat cd_bit_ede.txt
+ exit 1
+fi
+if ! grep -q -e "OPT=15: 00 09" -e "EDE: 9" cd_bit_ede.txt
+then
+ echo "No EDE attached with CD bit set"
+ cat cd_bit_ede.txt
+ exit 1
+fi
+
+# EDE with CD bit set (EDE but no SERVFAIL) for a cached answer
+# Same test as above
+dig @127.0.0.1 -p $UNBOUND_PORT cd.dnskey-failures.test +cd > cd_bit_ede.txt
+
+if ! grep -q -e "NXDOMAIN" cd_bit_ede.txt
+then
+ echo "No NXDOMAIN reply with CD bit set for cached answer"
+ cat cd_bit_ede.txt
+ exit 1
+fi
+if ! grep -q -e "OPT=15: 00 09" -e "EDE: 9" cd_bit_ede.txt
+then
+ echo "No EDE attached with CD bit set for cached answer"
+ cat cd_bit_ede.txt
+ exit 1
+fi
+# TODO DNSSEC indeterminate when implemented
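Review bot: The second `cd.dnskey-failures.test +cd` lookup is labelled as the cached-answer case, but it repeats the first check verbatim and overwrites `cd_bit_ede.txt`, so it passes just as well if unbound resolves the name again instead of answering from cache. Writing the second result to its own file (for example `cd_bit_ede_cached.txt`) and adding some evidence of a cache hit would make the case test what its comment claims; which signal is available depends on helpers not visible in this hunk. Both blocks also ignore dig's exit status and match `NXDOMAIN` anywhere in the output; `grep -q -e "status: NXDOMAIN"` is tighter.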
diff --git a/testdata/ede_cache_snoop_noth_auth.rpl b/testdata/ede_cache_snoop_not_auth.rpl
index d243fdde00ac..d243fdde00ac 100644
--- a/testdata/ede_cache_snoop_noth_auth.rpl
+++ b/testdata/ede_cache_snoop_not_auth.rpl
diff --git a/testdata/edns_downstream_cookies.rpl b/testdata/edns_downstream_cookies.rpl
new file mode 100644
index 000000000000..820bc5a7ca70
--- /dev/null
+++ b/testdata/edns_downstream_cookies.rpl
@@ -0,0 +1,235 @@
+; config options
+server:
+ answer-cookie: yes
+ cookie-secret: "000102030405060708090a0b0c0d0e0f"
+ access-control: 127.0.0.1 allow_cookie
+ access-control: 1.2.3.4 allow
+ local-data: "test. TXT test"
+
+CONFIG_END
+
+SCENARIO_BEGIN Test downstream DNS Cookies
+
+; Note: When a valid hash was required, it was generated by running this test
+; with an invalid one and checking the output for the valid one.
+; Actual hash generation is tested with unit tests.
+
+; Query without a client cookie ...
+STEP 0 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+; ... get TC and refused
+STEP 1 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA TC REFUSED
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+
+; Query without a client cookie on TCP ...
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+MATCH TCP
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+; ... get an answer
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+; Query with only a client cookie ...
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 08 ; Length 8
+ 31 32 33 34 35 36 37 38 ; Random bits
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get BADCOOKIE and a new cookie
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+
+; Query with an invalid cookie ...
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 02 00 00 00 ; wrong version
+ 00 00 00 00 ; Timestamp
+ 31 32 33 34 35 36 37 38 ; wrong hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get BADCOOKIE and a new cookie
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+
+; Query with an invalid cookie from a non-cookie protected address ...
+STEP 40 QUERY ADDRESS 1.2.3.4
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 02 00 00 00 ; wrong version
+ 00 00 00 00 ; Timestamp
+ 31 32 33 34 35 36 37 38 ; wrong hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get answer and a cookie
+STEP 41 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA AA DO NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+; Query with a valid cookie ...
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 01 00 00 00 ; Version/Reserved
+ 00 00 00 00 ; Timestamp
+ 38 52 7b a8 c6 a4 ea 96 ; Hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get answer and the cookie
+STEP 51 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA AA DO NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+; Query with a valid >30 minutes old cookie ...
+STEP 59 TIME_PASSES ELAPSE 1801
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 01 00 00 00 ; Version/Reserved
+ 00 00 00 00 ; Timestamp
+ 38 52 7b a8 c6 a4 ea 96 ; Hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... Get answer and a refreshed cookie
+; (we don't check the re-freshness here; it has its own unit test)
+STEP 61 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA AA DO NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+; Query with a hash-valid >60 minutes old cookie ...
+STEP 69 TIME_PASSES ELAPSE 3601
+STEP 70 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 01 00 00 00 ; Version/Reserved
+ 00 00 07 09 ; Timestamp (1801)
+ 77 81 38 e3 8f aa 72 86 ; Hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get BADCOOKIE and a new cookie
+STEP 71 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA DO YXRRSET ; BADCOOKIE is an extended rcode
+SECTION QUESTION
+test. IN TXT
+ENTRY_END
+
+; Query with a valid future (<5 minutes) cookie ...
+STEP 80 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test. IN TXT
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 0a ; Opcode 10
+ 00 18 ; Length 24
+ 31 32 33 34 35 36 37 38 ; Random bits
+ 01 00 00 00 ; Version/Reserved
+ 00 00 16 45 ; Timestamp (1801 + 3601 + 299)
+ 4a f5 0f df f0 e8 c7 09 ; Hash
+HEX_EDNSDATA_END
+ENTRY_END
+; ... get an answer
+STEP 81 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all server_cookie
+REPLY QR RD RA AA DO NOERROR
+SECTION QUESTION
+test. IN TXT
+SECTION ANSWER
+test. IN TXT "test"
+ENTRY_END
+
+SCENARIO_END
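Review bot: The scenario accepts a cookie 299 seconds in the future (STEP 80) but has no step with a timestamp beyond the 5-minute bound named in that comment, so the rejecting side of the window is not exercised here. A further STEP pair with a later timestamp, expecting the same `REPLY QR RD RA DO YXRRSET` as STEP 71, would close the gap; its hash would have to be produced the way the note at the top of the scenario describes. Separately, the `; Opcode 10` comments label the EDNS option code (COOKIE is option 10), not a DNS opcode, and would read better as `; Option code 10 (COOKIE)`.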
diff --git a/testdata/ip_ratelimit.tdir/ip_ratelimit.conf b/testdata/ip_ratelimit.tdir/ip_ratelimit.conf
new file mode 100644
index 000000000000..ae7d0cda0d9d
--- /dev/null
+++ b/testdata/ip_ratelimit.tdir/ip_ratelimit.conf
@@ -0,0 +1,28 @@
+server:
+ verbosity: 5
+ # num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: .
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ local-data: "test. IN TXT localdata"
+
+ ip-ratelimit: 1
+ ip-ratelimit-cookie: 0
+ ip-ratelimit-factor: 0
+ ip-ratelimit-backoff: yes
+ answer-cookie: yes
+ access-control: 127.0.0.0/8 allow_cookie
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
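Review bot: `ip-ratelimit-cookie: 0` and `ip-ratelimit-factor: 0` are the settings this test depends on, yet the file does not say what 0 selects for either. As I read the unbound.conf documentation, 0 for the cookie limit means no separate limit for clients with a valid cookie, and 0 for the factor means every query over the limit is dropped. Comments such as `# 0: no ratelimit for clients with a valid cookie` and `# 0: drop all queries over the limit` would let a reader check the expectations in ip_ratelimit.test against the config.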
diff --git a/testdata/ip_ratelimit.tdir/ip_ratelimit.dsc b/testdata/ip_ratelimit.tdir/ip_ratelimit.dsc
new file mode 100644
index 000000000000..a6f6192360cd
--- /dev/null
+++ b/testdata/ip_ratelimit.tdir/ip_ratelimit.dsc
@@ -0,0 +1,16 @@
+BaseName: ip_ratelimit
+Version: 1.0
+Description: Test IP source ratelimit.
+CreationDate: Tue Aug 8 00:00:00 CET 2023
+Maintainer: Yorgos Thessalonikefs
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: ip_ratelimit.pre
+Post: ip_ratelimit.post
+Test: ip_ratelimit.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/ip_ratelimit.tdir/ip_ratelimit.post b/testdata/ip_ratelimit.tdir/ip_ratelimit.post
new file mode 100644
index 000000000000..1f86d008587d
--- /dev/null
+++ b/testdata/ip_ratelimit.tdir/ip_ratelimit.post
@@ -0,0 +1,13 @@
+# #-- ip_ratelimit.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $UNBOUND_PID
+if test -f unbound.log; then
+ echo ">>> unbound log"
+ cat unbound.log
+fi
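Review bot: `kill_pid $UNBOUND_PID` runs even when the .pre script failed before writing UNBOUND_PID to .tpkg.var.test, in which case the helper is called with no argument. What kill_pid does then is defined in common.sh and is not visible here. `[ -n "$UNBOUND_PID" ] && kill_pid "$UNBOUND_PID"` keeps teardown well-defined in that case.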
diff --git a/testdata/ip_ratelimit.tdir/ip_ratelimit.pre b/testdata/ip_ratelimit.tdir/ip_ratelimit.pre
new file mode 100644
index 000000000000..c4589a0ea4fe
--- /dev/null
+++ b/testdata/ip_ratelimit.tdir/ip_ratelimit.pre
@@ -0,0 +1,24 @@
+# #-- ip_ratelimit.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+CONTROL_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ip_ratelimit.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+wait_unbound_up unbound.log
+
+cat .tpkg.var.test
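Review bot: The `sed` line splices `$UNBOUND_PORT` and `$CONTROL_PORT` in unquoted between single-quoted fragments and relies on `\@`, an escape POSIX leaves undefined in a basic regular expression. `sed -e "s/@PORT@/$UNBOUND_PORT/" -e "s/@CONTROL_PORT@/$CONTROL_PORT/" < ip_ratelimit.conf > ub.conf` performs the same substitution with quoted expansions and no escape. `CONTROL_PORT` is derived as `$RND_PORT + 1`, which assumes `get_random_port 2` reserves two consecutive ports; that helper lives in common.sh, outside this diff.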
diff --git a/testdata/ip_ratelimit.tdir/ip_ratelimit.test b/testdata/ip_ratelimit.tdir/ip_ratelimit.test
new file mode 100644
index 000000000000..f58b7edcbe2a
--- /dev/null
+++ b/testdata/ip_ratelimit.tdir/ip_ratelimit.test
@@ -0,0 +1,165 @@
+# #-- ip_ratelimit.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+
+get_make
+(cd $PRE; $MAKE streamtcp)
+
+# These tests rely on second time precision. To combat false negatives the
+# tests run multiple times and we allow 1/3 of the runs to fail.
+total_runs=6
+success_threshold=4 # 2/3*total_runs
+
+if dig -h 2>&1 | grep "cookie" >/dev/null; then
+ nocookie="+nocookie"
+else
+ nocookie=""
+fi
+
+echo "> First get a valid cookie"
+dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:0102030405060708 $nocookie +tcp +retry=0 +time=1 test. TXT >outfile 2>&1
+if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+if test `grep "COOKIE: " outfile | wc -l` -ne 1; then
+ echo "Could not get cookie"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+cookie=`grep "COOKIE: " outfile | cut -d ' ' -f 3`
+
+successes=0
+echo "> Three parallel queries with backoff and cookie"
+# For this test we send three parallel queries. The ratelimit should be reached
+# for that second. We send a query to verify that there is no reply.
+# Then for the next second we again send three parallel queries and we expect
+# none of them to be allowed through because of the backoff logic that keeps
+# rolling the RATE_WINDOW based on demand.
+# Again we send another query but with a valid cookie and we expect to receive
+# an answer.
+for i in $(seq 1 $total_runs); do
+ # Try to hit limit
+ $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
+ if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+ fi
+ # Expect no answer because of limit
+ dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
+ if test "$?" -eq 0; then
+ continue
+ fi
+ # Try to keep limit
+ $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
+ if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+ fi
+ # Expect answer because of DNS cookie
+ dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
+ if test "$?" -ne 0; then
+ continue
+ fi
+ ((successes++))
+ # We don't have to wait for all the runs to complete if we know
+ # we passed the threshold.
+ if test $successes -ge $success_threshold; then
+ break
+ fi
+done
+
+if test $successes -ge $success_threshold; then
+ echo "Three parallel queries with backoff and cookie OK"
+else
+ echo "Three parallel queries with backoff and cookie NOT OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Three parallel queries with backoff and cookie NOT OK"
+ exit 1
+fi
+
+echo "> Activating ip-ratelimit-cookie"
+echo "$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1"
+$PRE/unbound-control -c ub.conf set_option ip-ratelimit-cookie: 1
+if test $? -ne 0; then
+ echo "wrong exit value after success"
+ exit 1
+fi
+
+successes=0
+echo "> Three parallel queries with backoff and cookie with ip-ratelimit-cookie"
+# This is the exact same test as above with the exception that we don't expect
+# an answer on the last query because ip-ratelimit-cookie is now enabled.
+for i in $(seq 1 $total_runs); do
+ # Try to hit limit
+ $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
+ if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+ fi
+ # Expect no answer because of limit
+ dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
+ if test "$?" -eq 0; then
+ continue
+ fi
+ # Try to keep limit
+ $PRE/streamtcp -nu -f 127.0.0.1@$UNBOUND_PORT test. TXT IN test. TXT IN test. TXT IN >outfile 2>&1
+ if test "$?" -ne 0; then
+ echo "exit status not OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+ fi
+ # Expect no answer because of ip-ratelimit-cookie
+ dig @127.0.0.1 -p $UNBOUND_PORT +ednsopt=10:$cookie $nocookie +retry=0 +time=1 test. TXT >outfile 2>&1
+ if test "$?" -eq 0; then
+ continue
+ fi
+ ((successes++))
+ # We don't have to wait for all the runs to complete if we know
+ # we passed the threshold.
+ if test $successes -ge $success_threshold; then
+ break
+ fi
+done
+
+if test $successes -ge $success_threshold; then
+ echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie OK"
+else
+ echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
+ echo "> cat logfiles"
+ cat outfile
+ cat unbound.log
+ echo "Three parallel queries with backoff and cookie with ip-ratelimit-cookie NOT OK"
+ exit 1
+fi
+
+exit 0
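Review bot: In the second loop, the step under `# Expect no answer because of ip-ratelimit-cookie` counts any non-zero dig exit as a success, so a run also passes if unbound has stopped answering altogether after `set_option` (crashed, exited, or wedged). The preceding `streamtcp -nu` calls appear not to wait for replies, so they would not catch that either. Since this is the check that a DNS cookie no longer bypasses the IP rate limit, it is worth confirming the server is still alive before printing OK, for example `kill -0 $UNBOUND_PID || { echo "unbound exited"; exit 1; }` after the loop. The same weakness applies to the `# Expect no answer because of limit` step in both loops.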
diff --git a/testdata/ip_ratelimit.tdir/unbound_control.key b/testdata/ip_ratelimit.tdir/unbound_control.key
new file mode 100644
index 000000000000..753a4ef6162e
--- /dev/null
+++ b/testdata/ip_ratelimit.tdir/unbound_control.key
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
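Review bot: This adds an RSA private key for the unbound-control channel under testdata, with a second one in unbound_server.key below, so the key is known to anyone with the source tree and gives no authentication wherever it is reused. Nothing in the visible files marks these as throwaway fixtures; a line in ip_ratelimit.pre such as `# unbound_*.key/.pem are test-only fixtures, never install them` would make that explicit. It is also worth confirming that ip_ratelimit.conf, which is outside this part of the diff, keeps the control interface on 127.0.0.1.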
diff --git a/testdata/ip_ratelimit.tdir/unbound_control.pem b/testdata/ip_ratelimit.tdir/unbound_control.pem
new file mode 100644
index 000000000000..a1edf7017f1d
--- /dev/null
+++ b/testdata/ip_ratelimit.tdir/unbound_control.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testdata/ip_ratelimit.tdir/unbound_server.key b/testdata/ip_ratelimit.tdir/unbound_server.key
new file mode 100644
index 000000000000..370a7bbb2f22
--- /dev/null
+++ b/testdata/ip_ratelimit.tdir/unbound_server.key
@@ -0,0 +1,39 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testdata/ip_ratelimit.tdir/unbound_server.pem b/testdata/ip_ratelimit.tdir/unbound_server.pem
new file mode 100644
index 000000000000..986807310f2b
--- /dev/null
+++ b/testdata/ip_ratelimit.tdir/unbound_server.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx
+EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5
+WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB
+igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32
+a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2
+4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot
+aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4
+TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ
+uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4
++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz
+XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx
+dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW
+84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7
+JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca
+fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg
+XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF
+qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25
+sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD
+yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe
+CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ==
+-----END CERTIFICATE-----
diff --git a/testdata/iter_cname_minimise_nx.rpl b/testdata/iter_cname_minimise_nx.rpl
new file mode 100644
index 000000000000..080055208daf
--- /dev/null
+++ b/testdata/iter_cname_minimise_nx.rpl
@@ -0,0 +1,246 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: yes
+ module-config: "validator iterator"
+ trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+ val-override-date: "20070916134226"
+ fake-sha1: yes
+ trust-anchor-signaling: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test cname chain resolution of nxdomain with qname minimisation.
+; the qtype CNAME lookup has NXDOMAIN.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.44
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.44
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AAZrcta3WCyz0iq2p78gmcPpXbmXPP9nQXM/czH1R9ilCaEoV8E27UU=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 300 IN SOA a. b. 1 2 3 4 300
+example.com. 300 IN RRSIG SOA 3 2 300 20070926134150 20070829134150 2854 example.com. AFPx1ZhcHixnxfB90ha4zgp7A+EdM8L63tUnVdlI5B14NiRIXONPDB4=
+v.example.com. IN NSEC x.example.com. A AAAA RRSIG NSEC
+v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AFT0Ao01lUN8Ppa9QPayQIN9ZtNIj4TzyhUQV31+FhNRK5uSQhiVwMc=
+example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
+example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+c.example.com. IN A
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+SECTION AUTHORITY
+example.com. 300 IN SOA a. b. 1 2 3 4 300
+example.com. 300 IN RRSIG SOA 3 2 300 20070926134150 20070829134150 2854 example.com. AFPx1ZhcHixnxfB90ha4zgp7A+EdM8L63tUnVdlI5B14NiRIXONPDB4=
+v.example.com. IN NSEC x.example.com. A AAAA RRSIG NSEC
+v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AFT0Ao01lUN8Ppa9QPayQIN9ZtNIj4TzyhUQV31+FhNRK5uSQhiVwMc=
+example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
+example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c.example.com. IN CNAME
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+c.example.com. IN CNAME
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+c.example.com. IN CNAME
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+c.example.com. IN CNAME
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+c.example.com. IN CNAME
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+ENTRY_END
+
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+c.example.com. IN A
+ENTRY_END
+
+STEP 60 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NXDOMAIN
+SECTION QUESTION
+c.example.com. IN A
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+c.example.com. 10 IN RRSIG CNAME 3 3 10 20070926134150 20070829134150 2854 example.com. ABT7twnK5qkCBKnaOHxFthUOK+3rBge1wEMItoFPdf16OoVdfccYU2U=
+SECTION AUTHORITY
+example.com. 300 IN SOA a. b. 1 2 3 4 300
+example.com. 300 IN RRSIG SOA 3 2 300 20070926134150 20070829134150 2854 example.com. AFPx1ZhcHixnxfB90ha4zgp7A+EdM8L63tUnVdlI5B14NiRIXONPDB4=
+v.example.com. IN NSEC x.example.com. A AAAA RRSIG NSEC
+v.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926134150 20070829134150 2854 example.com. AFT0Ao01lUN8Ppa9QPayQIN9ZtNIj4TzyhUQV31+FhNRK5uSQhiVwMc=
+example.com. 3600 IN NSEC abc.example.com. NS SOA RRSIG NSEC DNSKEY
+example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926134150 20070829134150 2854 example.com. ABEOu6iietfjKY1MS0TutZZxUtRYA6XKsC1rMTrenwBF2darY3/Emco=
+ENTRY_END
+ENTRY_END
+
+SCENARIO_END
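Review bot: The STEP 60 CHECK_ANSWER entry is closed twice: two consecutive `ENTRY_END` lines sit just before `SCENARIO_END`. The second has no matching `ENTRY_BEGIN`; the test may still run if the replay parser tolerates it, but it should be dropped so the file does not depend on that leniency. The header comment `; the qtype CNAME lookup has NXDOMAIN.` is also hard to reconcile with steps 20 and 40, which expect NOERROR for qtype CNAME; something like `; the CNAME target www.example.com. is NXDOMAIN, the CNAME itself must still resolve` would state the intent.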
diff --git a/testdata/iter_dnsseclame_bug.rpl b/testdata/iter_dnsseclame_bug.rpl
index cb17bbf330ad..c5fd13244f58 100644
--- a/testdata/iter_dnsseclame_bug.rpl
+++ b/testdata/iter_dnsseclame_bug.rpl
@@ -117,6 +117,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -126,6 +128,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; no example.net delegation answers yet.
@@ -156,6 +160,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -165,6 +171,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -287,6 +295,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+sub.example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
RANGE_END
@@ -321,6 +331,8 @@ ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; fine DNSKEY response.
@@ -417,6 +429,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+sub.example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; response to query of interest
diff --git a/testdata/iter_dnsseclame_ds.rpl b/testdata/iter_dnsseclame_ds.rpl
index 78a11cc072c9..6b2bf653fca4 100644
--- a/testdata/iter_dnsseclame_ds.rpl
+++ b/testdata/iter_dnsseclame_ds.rpl
@@ -116,6 +116,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -125,6 +127,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -245,6 +249,9 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+sub.example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+sub.example.com. 3600 IN RRSIG SOA 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. o6B6mzZ2pzXRE9qBagNw+U5kZOCViyuYRObCJTMsEQn8kNzSIxOhuqjBoo0ifKmxvUmCxaNtsWaG4eDC+vCBdQ==
ENTRY_END
RANGE_END
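Review bot: The two NODATA answers for `ns.sub.example.com. IN AAAA` in this file now differ: this hunk adds the SOA together with its RRSIG, while the hunk at `@@ -375,6 +384,8 @@` adds the same SOA unsigned. If that is deliberate (one range standing in for the DNSSEC-lame server), a comment on the unsigned one such as `; no RRSIG on purpose: this server is dnssec-lame` would stop a later edit from "fixing" it. The enclosing entries start outside both hunks, so which range each belongs to cannot be confirmed from here.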
@@ -279,6 +286,8 @@ ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; fine DNSKEY response.
@@ -375,6 +384,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.sub.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+sub.example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; response to query of interest
diff --git a/testdata/iter_dnsseclame_ta.rpl b/testdata/iter_dnsseclame_ta.rpl
index 5799a1146787..ce4414dda3ce 100644
--- a/testdata/iter_dnsseclame_ta.rpl
+++ b/testdata/iter_dnsseclame_ta.rpl
@@ -119,6 +119,8 @@ REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -128,6 +130,8 @@ REPLY QR NOERROR
SECTION QUESTION
e.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -239,6 +243,9 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AC23LvSspto6Zqctz05urK/2OKTnB+7nppMKInYkyjZbZotq2wjJA9s=
ENTRY_END
RANGE_END
@@ -261,6 +268,8 @@ ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; lame DNSKEY response.
diff --git a/testdata/iter_donotq127.rpl b/testdata/iter_donotq127.rpl
index 3668d7b6fa10..4b22222d286a 100644
--- a/testdata/iter_donotq127.rpl
+++ b/testdata/iter_donotq127.rpl
@@ -35,6 +35,8 @@ REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
diff --git a/testdata/iter_emptydp.rpl b/testdata/iter_emptydp.rpl
index 82ddccfade66..ecb49b6cd0fa 100644
--- a/testdata/iter_emptydp.rpl
+++ b/testdata/iter_emptydp.rpl
@@ -108,6 +108,8 @@ REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -156,6 +158,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; example.com. zone
@@ -180,7 +184,9 @@ REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
-; bogus
+SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AC23LvSspto6Zqctz05urK/2OKTnB+7nppMKInYkyjZbZotq2wjJA9s=
ENTRY_END
; response to DNSKEY priming query
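Review bot: The removed `; bogus` line was the only marker of what this `ns.example.com. IN AAAA` entry is for, and the replacement adds a signed SOA without saying whether the reply is now expected to validate. A short comment in its place, for example `; NODATA with signed SOA, accepted by the validator` (or the opposite, if it is still meant to fail), would keep the scenario readable. The same applies to the `-; bogus message.` hunk at `@@ -268,7 +274,9 @@` in iter_emptydp_for_glue.rpl. The entry starts outside the hunk, so its MATCH/ADJUST lines are not visible here.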
@@ -261,6 +267,7 @@ SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
ENTRY_END
diff --git a/testdata/iter_emptydp_for_glue.rpl b/testdata/iter_emptydp_for_glue.rpl
index 68fad6f15c6c..94dec2bc5e06 100644
--- a/testdata/iter_emptydp_for_glue.rpl
+++ b/testdata/iter_emptydp_for_glue.rpl
@@ -135,6 +135,8 @@ REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -211,6 +213,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.org. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.org. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; example.net. zone
@@ -244,6 +248,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; example.com. zone
@@ -268,7 +274,9 @@ REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
-; bogus message.
+SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AC23LvSspto6Zqctz05urK/2OKTnB+7nppMKInYkyjZbZotq2wjJA9s=
ENTRY_END
; response to DNSKEY priming query
@@ -343,6 +351,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.org. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.org. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; example.net. zone
@@ -376,6 +386,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; example.com. zone
@@ -471,6 +483,7 @@ SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
ENTRY_END
@@ -490,6 +503,7 @@ SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
ENTRY_END
diff --git a/testdata/iter_failreply.rpl b/testdata/iter_failreply.rpl
new file mode 100644
index 000000000000..393714196d89
--- /dev/null
+++ b/testdata/iter_failreply.rpl
@@ -0,0 +1,132 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
+ log-servfail: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator fail_reply report
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. IN NS ns2.example.net.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. IN AAAA ::1
+ns2.example.net. IN AAAA ::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example.net. IN A
+SECTION ANSWER
+ns2.example.net. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example.net. IN AAAA
+SECTION ANSWER
+ns2.example.net. IN AAAA ::1
+ENTRY_END
+
+RANGE_END
+
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+ns.example.com. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+ns.example.com. IN AAAA
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 20 CHECK_OUT_QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 21 TIMEOUT
+STEP 22 TIMEOUT
+STEP 23 TIMEOUT
+STEP 24 TIMEOUT
+STEP 25 TIMEOUT
+
+STEP 31 TIMEOUT
+STEP 32 TIMEOUT
+STEP 33 TIMEOUT
+STEP 34 TIMEOUT
+
+; recursion happens here.
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
+SCENARIO_END
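Review bot: The K.ROOT-SERVERS.NET. range is closed twice: `RANGE_END` appears on two lines, separated only by a blank line, before the `; ns.example.com.` range opens. The second has no matching `RANGE_BEGIN` and should be removed. The config also sets `log-servfail: yes`, but no step inspects the log, so as written the scenario only verifies the SERVFAIL reply. If the fail_reply report is meant to be checked by reading the log, a comment saying so near `SCENARIO_BEGIN` would help.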
diff --git a/testdata/iter_ignore_empty.rpl b/testdata/iter_ignore_empty.rpl
new file mode 100644
index 000000000000..c70dd7e8df7b
--- /dev/null
+++ b/testdata/iter_ignore_empty.rpl
@@ -0,0 +1,198 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ignore of an empty response.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. IN NS ns2.example2.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example2.com. IN NS
+SECTION AUTHORITY
+example2.com. IN NS ns2.example2.com.
+SECTION ADDITIONAL
+ns2.example2.com. IN A 1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+example.com. IN NS ns2.example.net.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN SOA ns root 4 14400 3600 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+; ns2.example2.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example2.com. IN NS
+SECTION ANSWER
+example2.com. IN NS ns2.example2.com.
+SECTION ADDITIONAL
+ns2.example2.com. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example2.com. IN A
+SECTION ANSWER
+ns2.example2.com. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example2.com. IN AAAA
+SECTION AUTHORITY
+example2.com. IN SOA ns2 root 4 14400 3600 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+
+; wait for pending nameserver lookups.
+STEP 20 TRAFFIC
+
+SCENARIO_END
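Review bot: The authoritative NS answer in the ns.example.com. range lists `ns2.example.net.`, while the delegation from a.gtld-servers.net. and the second server range both use `ns2.example2.com.`. Nothing else in the scenario defines ns2.example.net., so this looks like a leftover and probably should read `example.com. IN NS ns2.example2.com.`. The entry the test is about, the `www.example.com. IN A` reply with all sections empty in the 1.2.3.4 range, carries no comment. Adding `; empty NOERROR reply, must be ignored so that 1.2.3.5 is tried` above it would document the intent.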
diff --git a/testdata/iter_lame_aaaa.rpl b/testdata/iter_lame_aaaa.rpl
index 8afef770ff6b..cef471305c30 100644
--- a/testdata/iter_lame_aaaa.rpl
+++ b/testdata/iter_lame_aaaa.rpl
@@ -76,6 +76,8 @@ REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -85,6 +87,8 @@ REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
diff --git a/testdata/iter_lamescrub.rpl b/testdata/iter_lamescrub.rpl
index 2de13a6551f3..0ac19d7f8853 100644
--- a/testdata/iter_lamescrub.rpl
+++ b/testdata/iter_lamescrub.rpl
@@ -42,6 +42,8 @@ REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
diff --git a/testdata/iter_nat64.rpl b/testdata/iter_nat64.rpl
new file mode 100644
index 000000000000..dde0a25596c1
--- /dev/null
+++ b/testdata/iter_nat64.rpl
@@ -0,0 +1,117 @@
+; config options
+server:
+ do-nat64: yes
+ target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+ name: "."
+ stub-addr: 2001:db8::1
+CONFIG_END
+
+SCENARIO_BEGIN Test NAT64 transport for a v4-only server.
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8::1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS FAKE.ROOT.
+SECTION ADDITIONAL
+FAKE.ROOT. IN AAAA 2001:db8::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+; replies from NS over "NAT64"
+
+RANGE_BEGIN 0 100
+ ADDRESS 64:ff9b::c000:0201
+
+; A over NAT64
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN A
+SECTION ANSWER
+ns.v4only. IN A 192.0.2.1
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+ENTRY_END
+
+; no AAAA
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN AAAA
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION ANSWER
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test.v4only. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/iter_nat64_prefix.rpl b/testdata/iter_nat64_prefix.rpl
new file mode 100644
index 000000000000..ecb6508dcf55
--- /dev/null
+++ b/testdata/iter_nat64_prefix.rpl
@@ -0,0 +1,119 @@
+; config options
+server:
+ do-nat64: yes
+ nat64-prefix: 2001:db8:1234::/96
+ target-fetch-policy: "0 0 0 0 0"
+ do-ip4: no
+
+stub-zone:
+ name: "."
+ stub-addr: 2001:db8::1
+CONFIG_END
+
+SCENARIO_BEGIN Test NAT64 transport for a v4-only server, custom NAT64 prefix.
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8::1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS FAKE.ROOT.
+SECTION ADDITIONAL
+FAKE.ROOT. IN AAAA 2001:db8::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+; replies from NS over "NAT64"
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8:1234::c000:0201
+
+; A over NAT64
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN A
+SECTION ANSWER
+ns.v4only. IN A 192.0.2.1
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+ENTRY_END
+
+; no AAAA
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN AAAA
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION ANSWER
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test.v4only. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+ENTRY_END
+
+SCENARIO_END
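Review bot: Only this scenario sets `do-ip4: no`; testdata/iter_nat64.rpl and testdata/iter_nat64_prefix48.rpl leave it out, although the three files otherwise differ only in the prefix and the matching `ADDRESS`. If the option is what this file is meant to cover (NAT64 with IPv4 transport disabled), the scenario title or a config comment such as `; do-ip4: no - v4-only targets must still be reached through the NAT64 prefix` should say so. If it is incidental, setting it the same way in all three files would keep them comparable.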
diff --git a/testdata/iter_nat64_prefix48.rpl b/testdata/iter_nat64_prefix48.rpl
new file mode 100644
index 000000000000..e7c32e8ffc6a
--- /dev/null
+++ b/testdata/iter_nat64_prefix48.rpl
@@ -0,0 +1,118 @@
+; config options
+server:
+ do-nat64: yes
+ nat64-prefix: 2001:db8:2345::/48
+ target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+ name: "."
+ stub-addr: 2001:db8::1
+CONFIG_END
+
+SCENARIO_BEGIN Test NAT64 transport, this time with /48 NAT64 prefix.
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8::1
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS FAKE.ROOT.
+SECTION ADDITIONAL
+FAKE.ROOT. IN AAAA 2001:db8::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+; replies from NS over "NAT64"
+
+RANGE_BEGIN 0 100
+ ADDRESS 2001:db8:2345:c000:0002:0100::
+
+; A over NAT64
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN A
+SECTION ANSWER
+ns.v4only. IN A 192.0.2.1
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+ENTRY_END
+
+; no AAAA
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+ns.v4only. IN AAAA
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+v4only. IN NS
+SECTION ANSWER
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY AA QR NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+SECTION AUTHORITY
+v4only. IN NS ns.v4only.
+SECTION ADDITIONAL
+ns.v4only. IN A 192.0.2.1
+ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test.v4only. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test.v4only. IN A
+SECTION ANSWER
+test.v4only. IN A 192.0.2.2
+ENTRY_END
+
+SCENARIO_END
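Review bot: The `ADDRESS 2001:db8:2345:c000:0002:0100::` line is the one value in this scenario that a reader cannot check by eye, and it carries no comment. With a /48 prefix the IPv4 address 192.0.2.1 is not appended at the end as in the /96 scenarios; under RFC 6052 it is split around the reserved octet at bits 64-71. A comment before the second `RANGE_BEGIN`, for example `; 192.0.2.1 under 2001:db8:2345::/48 -> c000 | 00 02 | 01 00, bits 64-71 are zero (RFC 6052)`, would let a maintainer verify the expected address without redoing the mapping.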
diff --git a/testdata/iter_nxns_cached.rpl b/testdata/iter_nxns_cached.rpl
index 7671df6636cc..6cb8866edcbd 100644
--- a/testdata/iter_nxns_cached.rpl
+++ b/testdata/iter_nxns_cached.rpl
@@ -152,6 +152,8 @@ RANGE_BEGIN 31 100
REPLY QR NOERROR
SECTION QUESTION
nameservers.com. IN A
+ SECTION AUTHORITY
+ nameservers.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
RANGE_END
diff --git a/testdata/iter_nxns_fallback.rpl b/testdata/iter_nxns_fallback.rpl
index 324068604be0..2a6a3fd33b75 100644
--- a/testdata/iter_nxns_fallback.rpl
+++ b/testdata/iter_nxns_fallback.rpl
@@ -137,6 +137,8 @@ RANGE_BEGIN 0 100
REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
+ SECTION AUTHORITY
+ example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
diff --git a/testdata/iter_primenoglue.rpl b/testdata/iter_primenoglue.rpl
index a0be71c78cb6..b9808dd2c7df 100644
--- a/testdata/iter_primenoglue.rpl
+++ b/testdata/iter_primenoglue.rpl
@@ -115,29 +115,22 @@ a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-A.ROOT-SERVERS.NET. IN AAAA
-SECTION ANSWER
-ENTRY_END
-
-ENTRY_BEGIN
MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
-MATCH opcode qname
+MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
-K.ROOT-SERVERS.NET. IN A
+ROOT-SERVERS.NET. IN A
SECTION AUTHORITY
ROOT-SERVERS.NET. IN NS A.ROOT-SERVERS.NET.
SECTION ADDITIONAL
@@ -149,15 +142,6 @@ MATCH opcode qname
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
-K.ROOT-SERVERS.NET. IN AAAA
-SECTION ANSWER
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qname
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
ns.example.net. IN A
SECTION AUTHORITY
example.net. NS ns.example.net.
@@ -213,6 +197,7 @@ K.ROOT-SERVERS.NET. IN A
SECTION ANSWER
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
+
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
@@ -222,6 +207,8 @@ K.ROOT-SERVERS.NET. IN AAAA
SECTION ANSWER
; no ip6 address: we want to use only one address for K. to avoid having
; to duplicate the entries in this file for both addresses.
+SECTION AUTHORITY
+root-servers.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
RANGE_END
@@ -258,6 +245,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; example.com. zone
@@ -282,6 +271,8 @@ REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
@@ -363,6 +354,7 @@ SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
ENTRY_END
@@ -381,6 +373,7 @@ SECTION QUESTION
K.ROOT-SERVERS.NET. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
+root-servers.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
ENTRY_END
diff --git a/testdata/iter_privaddr.rpl b/testdata/iter_privaddr.rpl
index 93a2a147d1eb..0c87b4b9aaa2 100644
--- a/testdata/iter_privaddr.rpl
+++ b/testdata/iter_privaddr.rpl
@@ -122,6 +122,8 @@ REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
diff --git a/testdata/iter_ranoaa_lame.rpl b/testdata/iter_ranoaa_lame.rpl
index 0e6d9877858e..8ee82415abc1 100644
--- a/testdata/iter_ranoaa_lame.rpl
+++ b/testdata/iter_ranoaa_lame.rpl
@@ -198,6 +198,8 @@ REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
RANGE_END
@@ -235,6 +237,8 @@ REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -243,6 +247,8 @@ ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
; the lame response.
diff --git a/testdata/iter_reclame_two.rpl b/testdata/iter_reclame_two.rpl
index 459dcb17f401..76c310b28efd 100644
--- a/testdata/iter_reclame_two.rpl
+++ b/testdata/iter_reclame_two.rpl
@@ -95,6 +95,8 @@ REPLY QR RA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -104,6 +106,8 @@ REPLY QR RA NOERROR
SECTION QUESTION
lame.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
diff --git a/testdata/iter_scrub_ns.rpl b/testdata/iter_scrub_ns.rpl
index 365f0b54ec31..64f980dcd03d 100644
--- a/testdata/iter_scrub_ns.rpl
+++ b/testdata/iter_scrub_ns.rpl
@@ -39,6 +39,7 @@ REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. IN A 1.2.3.4
; must be scrubbed
www.burritolovers.com. IN A 10.20.30.40
SECTION AUTHORITY
@@ -78,6 +79,7 @@ REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. IN A 1.2.3.4
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
diff --git a/testdata/iter_scrub_ns_fwd.rpl b/testdata/iter_scrub_ns_fwd.rpl
index 239dc37f9752..f7a526c46fff 100644
--- a/testdata/iter_scrub_ns_fwd.rpl
+++ b/testdata/iter_scrub_ns_fwd.rpl
@@ -39,6 +39,7 @@ REPLY RD RA QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. IN A 1.2.3.4
; must be scrubbed
www.burritolovers.com. IN A 10.20.30.40
SECTION AUTHORITY
@@ -78,6 +79,7 @@ REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. IN A 1.2.3.4
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
diff --git a/testdata/iter_scrub_ns_side.rpl b/testdata/iter_scrub_ns_side.rpl
index 98d00fd92502..44620ebd1ffb 100644
--- a/testdata/iter_scrub_ns_side.rpl
+++ b/testdata/iter_scrub_ns_side.rpl
@@ -39,6 +39,7 @@ REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. IN A 1.2.3.4
; must be scrubbed
www.burritolovers.com. IN A 10.20.30.40
SECTION AUTHORITY
@@ -54,6 +55,7 @@ REPLY QR NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
+mail.example.com. IN A 1.2.3.11
SECTION AUTHORITY
; not pertinent to the query
www.example.com. IN NS ns.example.com.
@@ -78,6 +80,7 @@ REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
+www.example.com. IN A 1.2.3.4
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
@@ -96,6 +99,7 @@ REPLY QR RD RA NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
+mail.example.com. IN A 1.2.3.11
SECTION AUTHORITY
SECTION ADDITIONAL
ENTRY_END
diff --git a/testdata/iter_stublastresort.rpl b/testdata/iter_stublastresort.rpl
index b60778910a04..8fac79905aa2 100644
--- a/testdata/iter_stublastresort.rpl
+++ b/testdata/iter_stublastresort.rpl
@@ -105,6 +105,8 @@ REPLY QR NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -156,6 +158,8 @@ REPLY QR AA SERVFAIL
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
@@ -204,6 +208,8 @@ REPLY QR AA
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
ENTRY_BEGIN
diff --git a/testdata/nsid_bogus.rpl b/testdata/nsid_bogus.rpl
index 7e92266cfa49..9a80e1d7503b 100644
--- a/testdata/nsid_bogus.rpl
+++ b/testdata/nsid_bogus.rpl
@@ -10,6 +10,7 @@ server:
minimal-responses: no
nsid: "ascii_hopsa kidee"
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
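Review bot: The added `access-control: 127.0.0.0/8 allow_snoop` line has no comment saying why the test needs it. `allow_snoop` is the setting that lets a client read the cache with non-recursive queries, so it is worth marking as a test-only choice. A line above it such as `; allow_snoop: step 11 queries without RD to read the cached EDE` would do. The same applies to the identical line added in testdata/root_key_sentinel.rpl, where steps 23 and 34 send the non-RD queries. The `server:` clause continues outside both hunks.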
@@ -117,6 +118,9 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. root.example.com. 4 1440 0 3600 604800 3600
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AC23LvSspto6Zqctz05urK/2OKTnB+7nppMKInYkyjZbZotq2wjJA9s=
SECTION ADDITIONAL
ENTRY_END
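Review bot: The added SOA record, as shown here, has six numeric fields after the RNAME (`4 1440 0 3600 604800 3600`), where SOA rdata takes five (serial, refresh, retry, expire, minimum). The other SOA lines added in this commit use `4 14400 3600 604800 3600`, so this looks like `14400` split by a stray space, unless it is a rendering artefact. The suggested line is `example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600`. Whether the replay parser rejects or silently truncates the extra field is not visible from the hunk, and the entry it belongs to starts outside the hunk.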
@@ -172,4 +176,33 @@ SECTION ADDITIONAL
HEX_EDNSDATA_END
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 03 ; Opcode NSID (3)
+ 00 00 ; Length 0
+ HEX_EDNSDATA_END
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 03 ; Opcode NSID (3)
+ 00 0b ; Length 11
+ 68 6F 70 73 61 20 ; "hopsa "
+ 6B 69 64 65 65 ; "kidee"
+ HEX_EDNSDATA_END
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/ratelimit.tdir/ratelimit.testns b/testdata/ratelimit.tdir/ratelimit.testns
index 673bd15a598b..563c1db6a1f2 100644
--- a/testdata/ratelimit.tdir/ratelimit.testns
+++ b/testdata/ratelimit.tdir/ratelimit.testns
@@ -10,4 +10,6 @@ SECTION QUESTION
wild IN A
SECTION ANSWER
wild IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
ENTRY_END
diff --git a/testdata/root_key_sentinel.rpl b/testdata/root_key_sentinel.rpl
index 39bd9685c293..e368bc52185e 100644
--- a/testdata/root_key_sentinel.rpl
+++ b/testdata/root_key_sentinel.rpl
@@ -5,6 +5,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -145,6 +146,22 @@ SECTION QUESTION
root-key-sentinel-not-ta-19036. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 23 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+root-key-sentinel-not-ta-19036. IN A
+ENTRY_END
+
+STEP 24 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+root-key-sentinel-not-ta-19036. IN A
+ENTRY_END
+
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD DO
@@ -161,6 +178,22 @@ SECTION QUESTION
root-key-sentinel-is-ta-20326. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 34 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+root-key-sentinel-is-ta-20326. IN A
+ENTRY_END
+
+STEP 35 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+root-key-sentinel-is-ta-20326. IN A
+ENTRY_END
+
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD DO
diff --git a/testdata/rpz_ixfr.rpl b/testdata/rpz_ixfr.rpl
index ca2b6233562f..3566631571a3 100644
--- a/testdata/rpz_ixfr.rpl
+++ b/testdata/rpz_ixfr.rpl
@@ -4,6 +4,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
qname-minimisation: no
rrset-roundrobin: no
+ access-control: 192.0.0.0/8 allow
rpz:
name: "rpz.example.com."
@@ -22,6 +23,11 @@ d.rpz.example.com. IN CNAME .
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.3
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.4
32.4.123.0.10.rpz-ip.rpz.example.com. CNAME .
+; also test client-ip, and remove it later with an IXFR.
+24.0.5.0.192.rpz-client-ip A 127.0.0.5
+24.0.6.0.192.rpz-client-ip CNAME *.
+32.41.30.20.10.rpz-nsip A 127.0.0.1
+ns.gotham.com.rpz-nsdname A 127.0.0.1
TEMPFILE_END
stub-zone:
@@ -100,6 +106,42 @@ ENTRY_END
ENTRY_BEGIN
MATCH opcode qname qtype
ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+a.a. IN A
+SECTION ANSWER
+a.a. IN A 10.0.123.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+foo.com. IN NS
+SECTION ANSWER
+SECTION AUTHORITY
+foo.com. 10 IN NS ns.foo.com.
+SECTION ADDITIONAL
+ns.foo.com. 10 IN A 10.20.30.41
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+gotham.com. IN NS
+SECTION ANSWER
+SECTION AUTHORITY
+gotham.com. 10 IN NS ns.gotham.com.
+SECTION ADDITIONAL
+ns.gotham.com. 10 IN A 10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
rpz.example.com. IN SOA
@@ -124,6 +166,10 @@ d.rpz.example.com. IN CNAME .
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.3
32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.4
32.4.123.0.10.rpz-ip.rpz.example.com. CNAME .
+24.0.5.0.192.rpz-client-ip.rpz.example.com. A 127.0.0.5
+24.0.6.0.192.rpz-client-ip.rpz.example.com. CNAME *.
+32.41.30.20.10.rpz-nsip.rpz.example.com. A 127.0.0.1
+ns.gotham.com.rpz-nsdname.rpz.example.com. A 127.0.0.1
rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600
b.rpz.example.com. TXT "hello from RPZ"
c.rpz.example.com. TXT "hello from RPZ"
@@ -136,6 +182,78 @@ ENTRY_END
RANGE_END
+; ns.foo.com
+RANGE_BEGIN 0 100
+ ADDRESS 10.20.30.41
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+ns.foo.com. IN A
+SECTION ANSWER
+ns.foo.com. 10 IN A 10.20.30.41
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+ns.foo.com. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+foo.com. 10 IN SOA ns.foo.com. root.foo.com. 1 2 3 4 10
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+www.foo.com. IN A
+SECTION ANSWER
+www.foo.com. 10 IN A 10.20.30.42
+ENTRY_END
+
+RANGE_END
+
+; ns.gotham.com
+RANGE_BEGIN 0 100
+ ADDRESS 10.20.30.42
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+ns.gotham.com. IN A
+SECTION ANSWER
+ns.gotham.com. 10 IN A 10.20.30.42
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+ns.gotham.com. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+gotham.com. 10 IN SOA ns.gotham.com. root.gotham.com. 1 2 3 4 10
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+ADJUST copy_id
+REPLY QR NOERROR AA
+SECTION QUESTION
+www.gotham.com. IN A
+SECTION ANSWER
+www.gotham.com. 10 IN A 10.20.30.43
+ENTRY_END
+
+RANGE_END
+
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
@@ -244,7 +362,6 @@ SECTION QUESTION
d.rpz-ip. IN A
ENTRY_END
-
STEP 15 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
@@ -253,7 +370,74 @@ SECTION QUESTION
d.rpz-ip. IN A
ENTRY_END
-STEP 16 TIME_PASSES ELAPSE 1
+STEP 16 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN A
+ENTRY_END
+
+STEP 17 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+a.a. IN A
+SECTION ANSWER
+a.a. IN A 127.0.0.5
+ENTRY_END
+
+STEP 18 QUERY ADDRESS 192.0.6.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN A
+ENTRY_END
+
+STEP 19 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+a.a. IN A
+SECTION ANSWER
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.foo.com. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.foo.com. IN A
+SECTION ANSWER
+www.foo.com. IN A 127.0.0.1
+ENTRY_END
+
+STEP 22 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham.com. IN A
+ENTRY_END
+
+STEP 23 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+www.gotham.com. IN A
+SECTION ANSWER
+www.gotham.com. IN A 127.0.0.1
+ENTRY_END
+
+STEP 24 TIME_PASSES ELAPSE 1
STEP 30 TIME_PASSES ELAPSE 3600
STEP 40 TRAFFIC
@@ -376,4 +560,72 @@ SECTION ANSWER
d.rpz-ip. IN A 10.0.123.4
ENTRY_END
+STEP 64 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN A
+ENTRY_END
+
+STEP 65 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a.a. IN A
+SECTION ANSWER
+a.a. IN A 10.0.123.5
+ENTRY_END
+
+STEP 66 QUERY ADDRESS 192.0.6.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN A
+ENTRY_END
+
+STEP 67 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a.a. IN A
+SECTION ANSWER
+a.a. IN A 10.0.123.5
+ENTRY_END
+
+STEP 68 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.foo.com. IN A
+ENTRY_END
+
+STEP 69 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.foo.com. IN A
+SECTION ANSWER
+www.foo.com. 10 IN A 10.20.30.42
+ENTRY_END
+
+STEP 70 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham.com. IN A
+ENTRY_END
+
+STEP 71 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham.com. IN A
+SECTION ANSWER
+www.gotham.com. 10 IN A 10.20.30.43
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/rpz_respip.rpl b/testdata/rpz_respip.rpl
index 894a7cc5fca3..795bb25c8a4c 100644
--- a/testdata/rpz_respip.rpl
+++ b/testdata/rpz_respip.rpl
@@ -458,14 +458,29 @@ e. IN AAAA
ENTRY_END
STEP 29 TIME_PASSES ELAPSE 12
+; should be dropped, with cache entry too.
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
+e. IN A
+ENTRY_END
+STEP 31 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+e. IN AAAA
+ENTRY_END
+STEP 32 TIME_PASSES ELAPSE 12
+
+STEP 33 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
y. IN A
ENTRY_END
-STEP 31 CHECK_ANSWER
+STEP 34 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR TC RD RA NOERROR
diff --git a/testdata/serve_expired_0ttl_nodata.rpl b/testdata/serve_expired_0ttl_nodata.rpl
new file mode 100644
index 000000000000..45b51444bccd
--- /dev/null
+++ b/testdata/serve_expired_0ttl_nodata.rpl
@@ -0,0 +1,154 @@
+; config options
+server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-expired: yes
+ log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
+
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with NXDOMAIN followed by 0 TTL
+; Scenario overview:
+; - query for 0ttl.example.com. IN A
+; - answer from upstream is NODATA; will be cached for the SOA negative TTL.
+; - check that the client gets the NODATA; also cached
+; - query again right after the TTL expired
+; - this time the server answers with a 0 TTL RRset
+; - check that we get the correct answer
+
+; ns.example.com.
+RANGE_BEGIN 0 20
+ ADDRESS 1.2.3.4
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 30 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. 10 IN NS
+ SECTION ANSWER
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the NODATA (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached NODATA
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Wait for the NXDOMAIN to expire
+STEP 31 TIME_PASSES ELAPSE 32
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached NODATA
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Query again
+STEP 60 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we got the correct answer
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
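Review bot: The scenario title and one comment were carried over from the NXDOMAIN variant: `SCENARIO_BEGIN Test serve-expired with NXDOMAIN followed by 0 TTL` and `; Wait for the NXDOMAIN to expire` both sit in a file whose upstream answer is NODATA. Suggested wording is `SCENARIO_BEGIN Test serve-expired with NODATA followed by 0 TTL` and `; Wait for the NODATA to expire`. In testdata/serve_expired_0ttl_nxdomain.rpl the step 10 comment `; Check that we get the SERVFAIL (will be cached)` has the same problem, since that step expects NXDOMAIN. In both files the step 50 comment says "cached" for an answer that, after `TIME_PASSES ELAPSE 32` against a 10-second negative TTL, appears to be the expired entry; `; Check that we get the expired NODATA (served by serve-expired)` would state what the step is for.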
diff --git a/testdata/serve_expired_0ttl_nxdomain.rpl b/testdata/serve_expired_0ttl_nxdomain.rpl
new file mode 100644
index 000000000000..0fcde9f2ddb6
--- /dev/null
+++ b/testdata/serve_expired_0ttl_nxdomain.rpl
@@ -0,0 +1,154 @@
+; config options
+server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-expired: yes
+ log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
+
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with NXDOMAIN followed by 0 TTL
+; Scenario overview:
+; - query for 0ttl.example.com. IN A
+; - answer from upstream is NXDOMAIN; will be cached for the SOA negative TTL.
+; - check that the client gets the NXDOMAIN; also cached
+; - query again right after the TTL expired
+; - this time the server answers with a 0 TTL RRset
+; - check that we get the correct answer
+
+; ns.example.com.
+RANGE_BEGIN 0 20
+ ADDRESS 1.2.3.4
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA NXDOMAIN
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 30 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. 10 IN NS
+ SECTION ANSWER
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NXDOMAIN
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached NXDOMAIN
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NXDOMAIN
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Wait for the NXDOMAIN to expire
+STEP 31 TIME_PASSES ELAPSE 32
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached NXDOMAIN
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA NXDOMAIN
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION AUTHORITY
+ example.com IN SOA ns.example.com dns.example.com 1 7200 3600 2419200 10
+ENTRY_END
+
+; Query again
+STEP 60 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we got the correct answer
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/serve_expired_0ttl_servfail.rpl b/testdata/serve_expired_0ttl_servfail.rpl
new file mode 100644
index 000000000000..aad7aa8c984f
--- /dev/null
+++ b/testdata/serve_expired_0ttl_servfail.rpl
@@ -0,0 +1,129 @@
+; config options
+server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-expired: yes
+ log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
+
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with SERVFAIL followed by 0 TTL
+; Scenario overview:
+; - query for 0ttl.example.com. IN A
+; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5)
+; - check that the client gets the SERVFAIL; also cached
+; - query again right after the TTL expired
+; - this time the server answers with a 0 TTL RRset
+; - check that we get the correct answer
+
+; ns.example.com.
+RANGE_BEGIN 0 20
+ ADDRESS 1.2.3.4
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA SERVFAIL
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 30 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. 10 IN NS
+ SECTION ANSWER
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we get the cached SERVFAIL
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Wait for the SERVFAIL to expire
+STEP 31 TIME_PASSES ELAPSE 32
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ENTRY_END
+
+; Check that we got the correct answer
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ttl
+ REPLY QR RD RA NOERROR
+ SECTION QUESTION
+ 0ttl.example.com. IN A
+ SECTION ANSWER
+ 0ttl.example.com. 0 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
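Review bot: The wait at `STEP 31 TIME_PASSES ELAPSE 32` is not explained against the scenario overview, which says the SERVFAIL is cached for NORR_TTL(5) and that the next query comes "right after the TTL expired". A reader cannot tell whether 32 seconds is required to get past some other timer or is only a generous margin. A one-line comment above STEP 31 stating the reason would settle it, for example `; 32s is well past NORR_TTL(5), so the cached SERVFAIL must not be served` if that is the intent.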
diff --git a/testdata/serve_expired_cached_servfail_refresh.rpl b/testdata/serve_expired_cached_servfail_refresh.rpl
new file mode 100644
index 000000000000..664de9aa8732
--- /dev/null
+++ b/testdata/serve_expired_cached_servfail_refresh.rpl
@@ -0,0 +1,145 @@
+; config options
+server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
+ serve-expired: yes
+ serve-expired-reply-ttl: 123
+ log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
+
+
+stub-zone:
+ name: "example.com"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply
+; Scenario overview:
+; - query for example.com. IN A
+; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5)
+; - check that the client gets the SERVFAIL; also cached
+; - query again right after the TTL expired
+; - cached SERVFAIL should be ignored and upstream queried
+; - answer from upstream is still SERVFAIL; the cached error response will be
+; refreshed for another NORR_TTL(5)
+; - check that the client gets the SERVFAIL
+; - query again; the upstream now has the answer available
+; - check that we get the refreshed cached response instead
+
+; ns.example.com.
+RANGE_BEGIN 0 50
+ ADDRESS 1.2.3.4
+ ; response to A query
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR AA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 60 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. 10 IN NS
+ SECTION ANSWER
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ANSWER
+ example.com. 10 IN A 5.6.7.8
+ SECTION AUTHORITY
+ example.com. 10 IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. 10 IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the cached SERVFAIL
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Wait for the SERVFAIL to expire
+STEP 31 TIME_PASSES ELAPSE 6
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be refreshed)
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Query again, upstream has the real answer available
+STEP 60 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+; Check that we get the refreshed cached SERVFAIL
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all
+ REPLY QR RD RA SERVFAIL
+ SECTION QUESTION
+ example.com. IN A
+ENTRY_END
+
+SCENARIO_END
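Review bot: The `SCENARIO_BEGIN` title says "with client-timeout", but the config block in this file sets only `serve-expired: yes` and `serve-expired-reply-ttl: 123`; no `serve-expired-client-timeout` appears. Either configure the option the title names or retitle the scenario, e.g. `SCENARIO_BEGIN Test serve-expired with a cached SERVFAIL refreshed by another SERVFAIL`. STEP 60 is sent inside the second RANGE (60-100), where the upstream would answer NOERROR, so a short comment at STEP 70 on why the refreshed SERVFAIL is still the expected reply would make the assertion easier to trust.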
diff --git a/testdata/speed_local.tdir/speed_local.test b/testdata/speed_local.tdir/speed_local.test
index 684b3c52251b..6ad1ba737355 100644
--- a/testdata/speed_local.tdir/speed_local.test
+++ b/testdata/speed_local.tdir/speed_local.test
@@ -9,8 +9,11 @@ PRE="../.."
get_make
(cd $PRE; $MAKE perf)
+# seconds per test
+dur=1
+
echo "> perf version.server"
-$PRE/perf -d 1 -a "version.server CH TXT -" 127.0.0.1@$UNBOUND_PORT 2>&1 |
+$PRE/perf -d $dur -a "version.server CH TXT -" 127.0.0.1@$UNBOUND_PORT 2>&1 |
tee outfile
echo -n "version-server " > line.txt
@@ -25,7 +28,7 @@ fi
echo "> perf localhost"
-$PRE/perf -d 1 -a "localhost IN A -" 127.0.0.1@$UNBOUND_PORT 2>&1 |
+$PRE/perf -d $dur -a "localhost IN A -" 127.0.0.1@$UNBOUND_PORT 2>&1 |
tee outfile
echo -n "localhost-addr " >> line.txt
diff --git a/testdata/stat_values.tdir/stat_values.pre b/testdata/stat_values.tdir/stat_values.pre
index 2db4a17e0096..7b6eefdfaa49 100644
--- a/testdata/stat_values.tdir/stat_values.pre
+++ b/testdata/stat_values.tdir/stat_values.pre
@@ -5,6 +5,13 @@
[ -f .tpkg.var.test ] && source .tpkg.var.test
. ../common.sh
+
+PRE="../.."
+if grep "define USE_CACHEDB 1" $PRE/config.h; then
+ USE_CACHEDB=1
+ echo "USE_CACHEDB=1" >> .tpkg.var.test
+fi
+
get_random_port 4
UNBOUND_PORT=$RND_PORT
FWD_PORT=$(($RND_PORT + 1))
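Review bot: The added `grep "define USE_CACHEDB 1" $PRE/config.h` writes the matched line into the test output and leaves the path unquoted, whereas the cookie probe this commit adds to stat_values.test sends grep's output to /dev/null. For consistency and quieter logs, suggest `if grep "define USE_CACHEDB 1" "$PRE/config.h" >/dev/null; then`. A comment such as `# cachedb stats are only tested when unbound was built with cachedb` above the block would also explain why the flag is exported to `.tpkg.var.test`.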
@@ -29,8 +36,9 @@ echo "FWD_EXPIRED_PID=$FWD_EXPIRED_PID" >> .tpkg.var.test
# make config file
sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@EXPIREDPORT\@/'$FWD_EXPIRED_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < stat_values.conf > ub.conf
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's/@EXPIREDPORT\@/'$FWD_EXPIRED_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < stat_values_cachedb.conf > ub_cachedb.conf
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < stat_values_downstream_cookies.conf > ub_downstream_cookies.conf
# start unbound in the background
-PRE="../.."
$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
UNBOUND_PID=$!
echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
diff --git a/testdata/stat_values.tdir/stat_values.test b/testdata/stat_values.tdir/stat_values.test
index ef86a0471d60..22d55f1f0d31 100644
--- a/testdata/stat_values.tdir/stat_values.test
+++ b/testdata/stat_values.tdir/stat_values.test
@@ -52,6 +52,12 @@ REST_STATS_FILE=rest_stats.$$
DEBUG=0
+if dig -h 2>&1 | grep "cookie" >/dev/null; then
+ nocookie="+nocookie"
+else
+ nocookie=""
+fi
+
# Write stats to $STATS_FILE.
# Call this when you want to get stats from unbound.
get_stats () {
@@ -95,7 +101,7 @@ check_expected_stats () {
else
echo "! bad expected stats:"
cat $FILTERED_STATS_FILE
- exit 1
+ end 1
fi
}
@@ -109,7 +115,7 @@ check_rest_stats () {
fi
if grep -v "=0$" $REST_STATS_FILE; then
echo "! bad rest stats"
- exit 1
+ end 1
else
echo "OK"
fi
@@ -414,4 +420,195 @@ rrset.cache.count=3
infra.cache.count=2"
+# Bring the downstream DNS Cookies configured Unbound up
+kill_pid $UNBOUND_PID # kill current Unbound
+echo ""
+cat unbound.log
+echo ""
+$PRE/unbound -d -c ub_downstream_cookies.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+wait_unbound_up unbound.log
+
+echo
+echo "[ Get a DNS Cookie. ]"
+echo "> dig www.local.zone +tcp $nocookie +ednsopt=10:0102030405060708"
+dig @127.0.0.1 -p $UNBOUND_PORT +tcp $nocookie +ednsopt=10:0102030405060708 +retry=0 +time=1 www.local.zone. | tee outfile
+echo "> check answer"
+if grep "192.0.2.1" outfile; then
+ echo "OK"
+else
+ end 1
+fi
+# Save valid cookie
+valid_cookie=`grep "COOKIE: " outfile | cut -d ' ' -f 3`
+invalid_cookie=`echo $valid_cookie | tr '0' '4'`
+check_stats "\
+total.num.queries=1
+total.num.queries_cookie_client=1
+total.num.cachehits=1
+num.query.type.A=1
+num.query.class.IN=1
+num.query.opcode.QUERY=1
+num.query.flags.RD=1
+num.query.flags.AD=1
+num.query.edns.present=1
+num.query.tcp=1
+num.answer.rcode.NOERROR=1"
+
+echo
+echo "[ Present the valid DNS Cookie. ]"
+echo "> dig www.local.zone $nocookie +ednsopt=10:valid_cookie"
+dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +ednsopt=10:$valid_cookie +retry=0 +time=1 www.local.zone. | tee outfile
+echo "> check answer"
+if grep "192.0.2.1" outfile; then
+ echo "OK"
+else
+ end 1
+fi
+check_stats "\
+total.num.queries=1
+total.num.queries_cookie_valid=1
+total.num.cachehits=1
+num.query.type.A=1
+num.query.class.IN=1
+num.query.opcode.QUERY=1
+num.query.flags.RD=1
+num.query.flags.AD=1
+num.query.edns.present=1
+num.answer.rcode.NOERROR=1"
+
+echo
+echo "[ Present an invalid DNS Cookie. ]"
+echo "> dig www.local.zone $nocookie +ednsopt=10:invalid_cookie"
+dig @127.0.0.1 -p $UNBOUND_PORT $nocookie +ednsopt=10:$invalid_cookie +retry=0 +time=1 www.local.zone. | tee outfile
+echo "> check answer"
+if grep "192.0.2.1" outfile; then
+ end 1
+else
+ echo "OK"
+fi
+# A lot of stats are missing since BADCOOKIE error response is before
+# those stat calculations.
+# BADCOOKIE is an extended error code; we record YXRRSET below.
+check_stats "\
+total.num.queries=1
+total.num.queries_cookie_invalid=1
+total.num.cachehits=1
+num.answer.rcode.YXRRSET=1"
+
+echo
+echo "[ Present no DNS Cookie. ]"
+echo "> dig www.local.zone +ignore"
+dig @127.0.0.1 -p $UNBOUND_PORT +ignore $nocookie +retry=0 +time=1 www.local.zone. | tee outfile
+echo "> check answer"
+if grep "192.0.2.1" outfile; then
+ end 1
+else
+ echo "OK"
+fi
+# A lot of stats are missing since REFUSED error response because of no DNS
+# Cookie is before those stat calculations.
+check_stats "\
+total.num.queries=1
+total.num.cachehits=1
+num.answer.rcode.REFUSED=1"
+
+if test x$USE_CACHEDB = "x1"; then
+
+# Bring the cachedb configured Unbound up
+kill_pid $UNBOUND_PID # kill current Unbound
+echo ""
+cat unbound.log
+echo ""
+$PRE/unbound -d -c ub_cachedb.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+wait_unbound_up unbound.log
+
+echo
+echo "[ Check cachedb cache miss. ]"
+echo "> dig www.example.com."
+dig @127.0.0.1 +ednsopt=65534 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ end 1
+fi
+check_stats "\
+total.num.queries=1
+total.num.cachemiss=1
+total.num.cachehits=0
+total.num.recursivereplies=1
+num.query.type.A=1
+num.query.class.IN=1
+num.query.opcode.QUERY=1
+num.query.flags.RD=1
+num.query.flags.AD=1
+num.query.edns.present=1
+num.query.udpout=1
+num.query.cachedb=0
+msg.cache.count=1
+rrset.cache.count=1
+infra.cache.count=1
+num.answer.rcode.NOERROR=1"
+
+echo
+echo "[ Check cachedb cache hit. ]"
+echo "> dig www.example.com."
+dig @127.0.0.1 +ednsopt=65534 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ end 1
+fi
+check_stats "\
+total.num.queries=1
+total.num.cachemiss=1
+total.num.cachehits=0
+total.num.recursivereplies=1
+num.query.type.A=1
+num.query.class.IN=1
+num.query.opcode.QUERY=1
+num.query.flags.RD=1
+num.query.flags.AD=1
+num.query.edns.present=1
+num.query.udpout=0
+num.query.cachedb=1
+msg.cache.count=1
+rrset.cache.count=1
+infra.cache.count=1
+num.answer.rcode.NOERROR=1"
+
+echo
+echo "[ Check cachedb cache hit with stat reset ]"
+echo "> dig www.example.com."
+dig @127.0.0.1 +ednsopt=65534 -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ end 1
+fi
+check_stats "\
+total.num.queries=1
+total.num.cachemiss=1
+total.num.cachehits=0
+total.num.recursivereplies=1
+num.query.type.A=1
+num.query.class.IN=1
+num.query.opcode.QUERY=1
+num.query.flags.RD=1
+num.query.flags.AD=1
+num.query.edns.present=1
+num.query.cachedb=1
+msg.cache.count=1
+rrset.cache.count=1
+infra.cache.count=1
+num.answer.rcode.NOERROR=1"
+
+fi # USE_CACHEDB
+
end 0
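Review bot: `valid_cookie` is taken from `grep "COOKIE: " outfile | cut -d ' ' -f 3` with no check that anything was extracted, so a dig that prints the option differently, or a reply without a cookie, leaves it empty and the failure only surfaces later as a stat mismatch. Add a guard right after the assignment, e.g. `if test -z "$valid_cookie"; then echo "no COOKIE in reply"; end 1; fi`. The invalid-cookie and no-cookie cases pass their `grep "192.0.2.1"` check on any failure, including a timeout, and only the following `check_stats` shows the query was rejected by cookie policy. If the dig in use prints the status, also grepping `outfile` for the expected BADCOOKIE or REFUSED would make the access-control assertion explicit.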
diff --git a/testdata/stat_values.tdir/stat_values.testns b/testdata/stat_values.tdir/stat_values.testns
index 6691b01998ad..12df8a93905a 100644
--- a/testdata/stat_values.tdir/stat_values.testns
+++ b/testdata/stat_values.tdir/stat_values.testns
@@ -21,3 +21,13 @@ SECTION QUESTION
SECTION ANSWER
1ttl 1 IN A 1.1.1.1
ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+0ttl IN A
+SECTION ANSWER
+0ttl 0 IN A 0.0.0.1
+ENTRY_END
diff --git a/testdata/stat_values.tdir/stat_values_cachedb.conf b/testdata/stat_values.tdir/stat_values_cachedb.conf
new file mode 100644
index 000000000000..b5e9b0e02932
--- /dev/null
+++ b/testdata/stat_values.tdir/stat_values_cachedb.conf
@@ -0,0 +1,36 @@
+server:
+ verbosity: 5
+ module-config: "cachedb iterator"
+ serve-expired: yes
+ num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ extended-statistics: yes
+ identity: "stat_values"
+ outbound-msg-retry: 0
+ root-key-sentinel: no
+ trust-anchor-signaling: no
+
+ local-zone: local.zone static
+ local-data: "www.local.zone A 192.0.2.1"
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
+forward-zone:
+ name: "."
+ forward-addr: "127.0.0.1@@TOPORT@"
+forward-zone:
+ name: "expired."
+ forward-addr: "127.0.0.1@@EXPIREDPORT@"
diff --git a/testdata/stat_values.tdir/stat_values_downstream_cookies.conf b/testdata/stat_values.tdir/stat_values_downstream_cookies.conf
new file mode 100644
index 000000000000..21e78829fc8e
--- /dev/null
+++ b/testdata/stat_values.tdir/stat_values_downstream_cookies.conf
@@ -0,0 +1,32 @@
+server:
+ verbosity: 5
+ module-config: "iterator"
+ num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ extended-statistics: yes
+ identity: "stat_values"
+ outbound-msg-retry: 0
+ root-key-sentinel: no
+ trust-anchor-signaling: no
+
+ local-zone: local.zone static
+ local-data: "www.local.zone A 192.0.2.1"
+
+ answer-cookie: yes
+ access-control: 127.0.0.1 allow_cookie
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
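Review bot: The `answer-cookie: yes` and `access-control: 127.0.0.1 allow_cookie` lines carry no comment, yet the whole downstream-cookie section of stat_values.test depends on their combined behaviour. Suggest a comment above them such as `# allow_cookie: UDP queries from 127.0.0.1 need a valid DNS Cookie (else BADCOOKIE/REFUSED); TCP is answered normally`, which is what the test's TCP "Get a DNS Cookie" step and its later expectations rely on. No `cookie-secret` is set, which looks fine because the cookie is obtained from and replayed to the same running server, but noting that would stop someone later splitting the steps across a restart.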
diff --git a/testdata/stream_ssl.tdir/stream_ssl.serv.conf b/testdata/stream_ssl.tdir/stream_ssl.serv.conf
index a5dfcf364ec3..840334f1edb8 100644
--- a/testdata/stream_ssl.tdir/stream_ssl.serv.conf
+++ b/testdata/stream_ssl.tdir/stream_ssl.serv.conf
@@ -9,9 +9,15 @@ server:
chroot: ""
username: ""
do-not-query-localhost: yes
+ local-zone: "example.com" static
+ local-zone: "server" static
+ local-zone: "host" static
local-data: "www.example.com. IN A 10.20.30.40"
local-data: "unbound.server. IN A 127.0.0.1"
local-data: "test.host. IN A 1.2.3.4"
+ local-data: "example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600"
+ local-data: "server. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600"
+ local-data: "host. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600"
ssl-port: @SERVPORT@
ssl-service-key: "unbound_server.key"
ssl-service-pem: "unbound_server.pem"
diff --git a/testdata/subnet_cached_ede.crpl b/testdata/subnet_cached_ede.crpl
new file mode 100644
index 000000000000..36bb28fcc180
--- /dev/null
+++ b/testdata/subnet_cached_ede.crpl
@@ -0,0 +1,114 @@
+; Ask the same question twice. Check to see second is answered
+; from cache
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 17
+ module-config: "subnetcache validator iterator"
+ verbosity: 3
+ qname-minimisation: no
+ minimal-responses: no
+ ede: yes
+ val-log-level: 2
+ trust-anchor: "example.nl. DS 50602 8 2 FA8EE175C47325F4BD46D8A4083C3EBEB11C977D689069F2B41F1A29B22446B1"
+
+stub-zone:
+ name: "example.nl"
+ stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test subnetcache support for caching EDEs.
+
+; ns.example.com.
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.nl. IN DNSKEY
+SECTION ANSWER
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 11 00 ; source mask, scopemask
+ 7f 00 00 ; address
+ HEX_EDNSDATA_END
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.nl. IN A
+SECTION ANSWER
+example.nl. IN A 1.2.3.4
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 11 00 ; source mask, scopemask
+ 7f 00 00 ; address
+ HEX_EDNSDATA_END
+ENTRY_END
+RANGE_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; get the entry in cache.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+example.nl. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 08 00 07 ; OPC, optlen
+ 00 01 11 00 ; ip4, scope 17, source 0
+ 7f 00 00 ; 127.0.0.0/17
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; get the answer for it
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+example.nl. IN A
+ENTRY_END
+
+; query again for the cached entry
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.nl. IN A
+SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ 00 08 00 07 ; OPC, optlen
+ 00 01 11 00 ; ip4, scope 17, source 0
+ 7f 00 00 ; 127.0.0.0/17
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; this must be a cached answer since stub is not answering in this range
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RD RA DO SERVFAIL
+SECTION QUESTION
+example.nl. IN A
+ENTRY_END
+
+SCENARIO_END
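Review bot: Three lines directly after the first `RANGE_END` (` ns.example.com. IN A 1.2.3.4`, ` ENTRY_END` and a second `RANGE_END`) sit outside any `RANGE_BEGIN`/`ENTRY_BEGIN` pair and look like a copy-paste leftover. They should be deleted so the scenario holds exactly one range and does not depend on how the replay parser treats stray tokens. Separately, the range is labelled `; ns.example.com.` although it serves example.nl, and the STEP 1 and STEP 20 comments read "scope 17, source 0" for bytes `11 00` that the range entries label "source mask, scopemask"; aligning those comments would avoid confusion about which prefix length is being tested.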
diff --git a/testdata/subnet_derived.crpl b/testdata/subnet_derived.crpl
index 6ff626abd7cc..7acf316fe2ec 100644
--- a/testdata/subnet_derived.crpl
+++ b/testdata/subnet_derived.crpl
@@ -39,6 +39,7 @@ RANGE_BEGIN 0 100
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION AUTHORITY
+ net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
;; we expect to receive empty
@@ -111,6 +112,8 @@ RANGE_BEGIN 0 100
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+ SECTION AUTHORITY
+ example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
;; we expect to receive empty
diff --git a/testdata/subnet_format_ip4.crpl b/testdata/subnet_format_ip4.crpl
index cd1c858fd636..1370caee7da4 100644
--- a/testdata/subnet_format_ip4.crpl
+++ b/testdata/subnet_format_ip4.crpl
@@ -38,6 +38,7 @@ RANGE_BEGIN 0 100
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION AUTHORITY
+ net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
;; we expect to receive empty
@@ -108,6 +109,8 @@ RANGE_BEGIN 0 100
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+ SECTION AUTHORITY
+ example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
;; we expect to receive empty
diff --git a/testdata/subnet_global_prefetch.crpl b/testdata/subnet_global_prefetch.crpl
new file mode 100644
index 000000000000..2f005d43b905
--- /dev/null
+++ b/testdata/subnet_global_prefetch.crpl
@@ -0,0 +1,236 @@
+; Check if the prefetch option works properly for messages stored in the global
+; cache for non-ECS clients. The prefetch query needs to result in an ECS
+; outgoing query based on the client's IP.
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 21
+ module-config: "subnetcache iterator"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+ prefetch: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test prefetch option for global cache with ECS enabled
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 11 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 15 00 ; source mask, scopemask
+ 7f 00 00 ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This answer should be in the global cache (because no ECS from upstream)
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Try to trigger a prefetch
+STEP 3 TIME_PASSES ELAPSE 9
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This record came from the global cache and a prefetch was triggered.
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 1 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3591 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3591 IN A 1.2.3.4
+ENTRY_END
+
+; Allow time to pass so that the global cache record is expired.
+STEP 13 TIME_PASSES ELAPSE 2
+
+; Query again to verify that the record was prefetched and stored in the ECS
+; cache.
+STEP 15 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This record came from the ECS cache.
+STEP 16 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 8 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3598 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3598 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/subnet_global_prefetch_always_forward.crpl b/testdata/subnet_global_prefetch_always_forward.crpl
new file mode 100644
index 000000000000..ccfe5dfd6ea1
--- /dev/null
+++ b/testdata/subnet_global_prefetch_always_forward.crpl
@@ -0,0 +1,167 @@
+; Check if the prefetch option works properly when serve-expired is combined
+; with client-subnet-always-forward for non-ECS clients. The prefetch query
+; needs to result in an outgoing query without ECS.
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ serve-expired: yes
+ client-subnet-always-forward: yes
+ module-config: "subnetcache iterator"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired and client-subnet-always-forward without ECS in the request
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This answer should be in the global cache
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Wait for the TTL to expire
+STEP 3 TIME_PASSES ELAPSE 20
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This record came from the global cache and a prefetch was triggered
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 30 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3580 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3580 IN A 1.2.3.4
+ENTRY_END
+
+STEP 13 CHECK_OUT_QUERY
+ENTRY_BEGIN
+ MATCH all
+ REPLY NOERROR DO
+ SECTION QUESTION
+ www.example.com. IN A
+ENTRY_END
+
+STEP 14 TRAFFIC
+
+SCENARIO_END
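Review bot: The header comment and the STEP 12 comment describe this as a test of "the prefetch option", but the `server:` block never sets `prefetch:`; as far as the visible config shows, the refresh is driven by `serve-expired: yes` after `ELAPSE 20`. Reword the header along the lines of `; Check that the serve-expired refresh works with client-subnet-always-forward for non-ECS clients.` A comment at STEP 13 saying what `CHECK_OUT_QUERY` asserts (an outgoing www.example.com query carrying no ECS option, per the header) would also help, since the entry has no EDNS data block to make that visible.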
diff --git a/testdata/subnet_global_prefetch_expired.crpl b/testdata/subnet_global_prefetch_expired.crpl
new file mode 100644
index 000000000000..de1b780553a9
--- /dev/null
+++ b/testdata/subnet_global_prefetch_expired.crpl
@@ -0,0 +1,241 @@
+; Check if the prefetch option works properly for messages stored in the global
+; cache for non-ECS clients. The prefetch query needs to result in an ECS
+; outgoing query based on the client's IP.
+; Prefetch initiated via serve-expired.
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 21
+ module-config: "subnetcache iterator"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+ serve-expired: yes
+ serve-expired-ttl: 1
+ prefetch: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test prefetch option for global cache with ECS enabled (initiated via serve-expired)
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 11 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 15 00 ; source mask, scopemask
+ 7f 00 00 ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This answer should be in the global cache (because no ECS from upstream)
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Try to trigger a prefetch with expired data
+STEP 3 TIME_PASSES ELAPSE 11
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This expired record came from the global cache and a prefetch is triggered.
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 30 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3589 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3589 IN A 1.2.3.4
+ENTRY_END
+
+;STEP 13 TRAFFIC
+; Allow enough time to pass so that the expired record from the global cache
+; cannot be used anymore.
+STEP 14 TIME_PASSES ELAPSE 1
+
+; Query again to verify that the record was prefetched and stored in the ECS
+; cache.
+STEP 15 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This record came from the ECS cache.
+STEP 16 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 9 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3599 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3599 IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
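Review bot: The commented-out `;STEP 13 TRAFFIC` near the end of the scenario sits directly on top of the two-line explanation for STEP 14, so it reads as part of that comment and leaves it unclear whether the step was disabled on purpose. Either delete the line or keep it with the reason stated on the same line. The two `; ns.example.com.` ranges would also benefit from a one-line header each, such as `; steps 0-10: answers without ECS, so the reply is stored in the global cache` and `; steps 11-100: only matches a query carrying ECS for 127.0.0.0/21 and echoes it back`. That split is what makes the test show the prefetch going out with the client's subnet, and the identical headers hide it.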
diff --git a/testdata/subnet_prefetch_with_client_ecs.crpl b/testdata/subnet_global_prefetch_with_client_ecs.crpl
index ddc832c475de..ddc832c475de 100644
--- a/testdata/subnet_prefetch_with_client_ecs.crpl
+++ b/testdata/subnet_global_prefetch_with_client_ecs.crpl
diff --git a/testdata/subnet_not_whitelisted.crpl b/testdata/subnet_not_whitelisted.crpl
index 545b019eda92..5419a5790f0d 100644
--- a/testdata/subnet_not_whitelisted.crpl
+++ b/testdata/subnet_not_whitelisted.crpl
@@ -39,6 +39,7 @@ RANGE_BEGIN 0 100
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION AUTHORITY
+ net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
;; we expect to receive empty
@@ -109,6 +110,8 @@ RANGE_BEGIN 0 100
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+ SECTION AUTHORITY
+ example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
;; we expect to receive empty
diff --git a/testdata/subnet_prefetch.crpl b/testdata/subnet_prefetch.crpl
index 04922f2bbe48..aaa6bf08c450 100644
--- a/testdata/subnet_prefetch.crpl
+++ b/testdata/subnet_prefetch.crpl
@@ -1,12 +1,12 @@
-; Check if the prefetch option works properly for messages stored in the global
-; cache for non-ECS clients. The prefetch query needs to result in an ECS
-; outgoing query based on the client's IP.
+; Check if the prefetch option works properly for messages stored in ECS cache
+; for non-ECS clients.
server:
trust-anchor-signaling: no
target-fetch-policy: "0 0 0 0 0"
send-client-subnet: 1.2.3.4
max-client-subnet-ipv4: 21
+ client-subnet-always-forward: yes
module-config: "subnetcache iterator"
verbosity: 3
access-control: 127.0.0.1 allow_snoop
@@ -19,7 +19,7 @@ stub-zone:
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
-SCENARIO_BEGIN Test prefetch option for global cache with ECS enabled
+SCENARIO_BEGIN Test prefetch option for ECS cache
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
@@ -78,38 +78,7 @@ RANGE_BEGIN 0 100
RANGE_END
; ns.example.com.
-RANGE_BEGIN 0 10
- ADDRESS 1.2.3.4
- ENTRY_BEGIN
- MATCH opcode qtype qname
- ADJUST copy_id
- REPLY QR NOERROR
- SECTION QUESTION
- example.com. IN NS
- SECTION ANSWER
- example.com. IN NS ns.example.com.
- SECTION ADDITIONAL
- ns.example.com. IN A 1.2.3.4
- ENTRY_END
-
- ; response to query of interest
- ENTRY_BEGIN
- MATCH opcode qtype qname
- ADJUST copy_id
- REPLY QR NOERROR
- SECTION QUESTION
- www.example.com. IN A
- SECTION ANSWER
- www.example.com. 10 IN A 10.20.30.40
- SECTION AUTHORITY
- example.com. IN NS ns.example.com.
- SECTION ADDITIONAL
- ns.example.com. IN A 1.2.3.4
- ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 11 100
+RANGE_BEGIN 0 100
ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
@@ -154,7 +123,7 @@ SECTION QUESTION
www.example.com. IN A
ENTRY_END
-; This answer should be in the global cache (because no ECS from upstream)
+; This answer will end up in the subnet cache
STEP 2 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
@@ -172,53 +141,51 @@ ENTRY_END
; Try to trigger a prefetch
STEP 3 TIME_PASSES ELAPSE 9
-STEP 11 QUERY
+STEP 4 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
-; This record came from the global cache and a prefetch was triggered
-STEP 12 CHECK_ANSWER
+; This record came from the cache and a prefetch is triggered
+STEP 5 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
-www.example.com. 1 IN A 10.20.30.40
+www.example.com. 1 IN A 10.20.30.40
SECTION AUTHORITY
-example.com. 3591 IN NS ns.example.com.
+example.com. 3591 IN NS ns.example.com.
SECTION ADDITIONAL
-ns.example.com. 3591 IN A 1.2.3.4
+ns.example.com. 3591 IN A 1.2.3.4
ENTRY_END
-; Allow time to pass so that the global cache record is expired
-STEP 13 TIME_PASSES ELAPSE 2
+; Allow for some time to pass to differentiate from a cached vs resolved answer
+STEP 6 TIME_PASSES ELAPSE 1
-; Query again to verify that the record was prefetched and stored in the ECS
-; cache (because the server replied with ECS this time)
-STEP 14 QUERY
+STEP 7 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END
-; This record came from the ECS cache
-STEP 15 CHECK_ANSWER
+; This prefetched record came from the ECS cache
+STEP 8 CHECK_ANSWER
ENTRY_BEGIN
MATCH all ttl
REPLY QR RD RA NOERROR
SECTION QUESTION
-www.example.com. IN A
+www.example.com. IN A
SECTION ANSWER
-www.example.com. 8 IN A 10.20.30.40
+www.example.com. 9 IN A 10.20.30.40
SECTION AUTHORITY
-example.com. 3598 IN NS ns.example.com.
+example.com. 3599 IN NS ns.example.com.
SECTION ADDITIONAL
-ns.example.com. 3598 IN A 1.2.3.4
+ns.example.com. 3599 IN A 1.2.3.4
ENTRY_END
SCENARIO_END
diff --git a/testdata/subnet_without_validator.crpl b/testdata/subnet_without_validator.crpl
index 2fbf24239ecb..59c38660f281 100644
--- a/testdata/subnet_without_validator.crpl
+++ b/testdata/subnet_without_validator.crpl
@@ -38,6 +38,7 @@ RANGE_BEGIN 0 100
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION AUTHORITY
+ net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
;; we expect to receive empty
@@ -108,6 +109,8 @@ RANGE_BEGIN 0 100
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+ SECTION AUTHORITY
+ example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
;; we expect to receive empty
diff --git a/testdata/svcb.tdir/svcb.failure-cases-01 b/testdata/svcb.tdir/svcb.failure-cases-01
index c60151692ee8..6d57584f3137 100644
--- a/testdata/svcb.tdir/svcb.failure-cases-01
+++ b/testdata/svcb.tdir/svcb.failure-cases-01
@@ -3,7 +3,7 @@ $TTL 3600
@ SOA primary admin 0 0 0 0 0
-; Here there are multiple instances of the same SvcParamKey in the mandatory list
+; These cases should be base64 encoded but aren't
f21 HTTPS 1 foo.example.com. ech="123"
f21 HTTPS 1 foo.example.com. echconfig="123"
diff --git a/testdata/svcb.tdir/svcb.success-cases.zone b/testdata/svcb.tdir/svcb.success-cases.zone
index 5d6339542f67..c3d015ec0f03 100644
--- a/testdata/svcb.tdir/svcb.success-cases.zone
+++ b/testdata/svcb.tdir/svcb.success-cases.zone
@@ -45,3 +45,17 @@ s08 HTTPS 0 . ( key11=a key12=a key13=a key14=a key15=a key16=a key17=a ke
; maximum alpn size allowed (255 characters)
s09 HTTPS 0 . ( alpn="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" )
+
+; dohpath can be (non-)quoted and MUST contain "?dns"
+; currently there is no validation from Unbound, it can be anything
+; maybe needs changing if Unbound is the primary authoritative for SVCB records.
+; Then SVCB_SEMANTIC_CHECKS parts of the code could be used per authoritative role.
+
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn=h2 dohpath
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn=h2 dohpath=
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn=h2 dohpath=""
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn=h2 dohpath="/"
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn=h2 dohpath="/dns-query{?dns}"
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn=h2 dohpath=/dns-query{?abcd}{!abcd}{?dns}
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn=h2 dohpath=/dns-query{?abcdabcd?dns?defedf}
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn=h2 dohpath=/dns-queryéè{?dns}
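Review bot: The new comment says dohpath MUST contain "?dns", yet the first four records added below it (`dohpath`, `dohpath=`, `dohpath=""`, `dohpath="/"`) carry no dns variable and are still listed as success cases. Since the comment itself says Unbound does no validation today, mark those lines as known non-conforming input, for example `; the next four lines violate the MUST and load only because no semantic check exists yet`, so whoever enables SVCB_SEMANTIC_CHECKS knows to move them to the failure cases. The comment could also state that consumers of these records cannot assume Unbound has checked the template. The expected output in svcb.success-cases.zone.cmp appears to print the three empty-value forms in the generic `\# 26` form, which is worth mentioning next to those lines.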
diff --git a/testdata/svcb.tdir/svcb.success-cases.zone.cmp b/testdata/svcb.tdir/svcb.success-cases.zone.cmp
index e504e7b18ad5..3a42393baa17 100644
--- a/testdata/svcb.tdir/svcb.success-cases.zone.cmp
+++ b/testdata/svcb.tdir/svcb.success-cases.zone.cmp
@@ -8,3 +8,11 @@ s06.success-cases. 3600 IN HTTPS 0 . ech="aGVsbG93b3JsZCE="
s07.success-cases. 3600 IN HTTPS 0 . ech="aGVsbG93b3JsZCE="
s08.success-cases. 3600 IN HTTPS 0 . key11="a" key12="a" key13="a" key14="a" key15="a" key16="a" key17="a" key18="a" key19="a" key110="a" key111="a" key112="a" key113="a" key114="a" key115="a" key116="a" key117="a" key118="a" key119="a" key120="a" key121="a" key122="a" key123="a" key124="a" key125="a" key126="a" key127="a" key128="a" key129="a" key130="a" key131="a" key132="a" key133="a" key134="a" key135="a" key136="a" key137="a" key138="a" key139="a" key140="a" key141="a" key142="a" key143="a" key144="a" key145="a" key146="a" key147="a" key148="a" key149="a" key150="a" key151="a" key152="a" key153="a" key154="a" key155="a" key156="a" key157="a" key158="a" key159="a" key160="a" key161="a" key162="a" key163="a"
s09.success-cases. 3600 IN HTTPS 0 . alpn="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+_dns.doh.example. 7200 IN SVCB \# 26 000103646F68076578616D706C65000001000302683200070000
+_dns.doh.example. 7200 IN SVCB \# 26 000103646F68076578616D706C65000001000302683200070000
+_dns.doh.example. 7200 IN SVCB \# 26 000103646F68076578616D706C65000001000302683200070000
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn="h2" dohpath="/"
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn="h2" dohpath="/dns-query{?dns}"
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn="h2" dohpath="/dns-query{?abcd}{!abcd}{?dns}"
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn="h2" dohpath="/dns-query{?abcdabcd?dns?defedf}"
+_dns.doh.example. 7200 IN SVCB 1 doh.example. alpn="h2" dohpath="/dns-query\195\169\195\168{?dns}"
diff --git a/testdata/svcb.tdir/svcb.test b/testdata/svcb.tdir/svcb.test
index 17330e08fde6..280c58fc81c4 100644
--- a/testdata/svcb.tdir/svcb.test
+++ b/testdata/svcb.tdir/svcb.test
@@ -66,7 +66,7 @@ then
elif $PRE/readzone svcb.failure-cases-03
then
- echo "Failure case 02: 65 SvcParams is too many SvcParams; the limit is 64"
+ echo "Failure case 03: 65 SvcParams is too many SvcParams; the limit is 64"
echo "Incorrectly succeeded"
exit 1
@@ -75,6 +75,7 @@ then
echo "Failure case 04: 256 is too many characters for an alpn; maximum is 255"
echo "Incorrectly succeeded"
exit 1
+
else
echo "All failure cases test successfully"
fi
diff --git a/testdata/val_any.rpl b/testdata/val_any.rpl
index 4ce195134926..ee249ffb6843 100644
--- a/testdata/val_any.rpl
+++ b/testdata/val_any.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
rrset-roundrobin: no
+ harden-unknown-additional: yes
stub-zone:
name: "."
@@ -195,10 +196,8 @@ SECTION ADDITIONAL
open.example.com. 600 IN A 213.154.224.1
open.example.com. 600 IN AAAA 2001:7b8:206:1::53
open.example.com. 600 IN AAAA 2001:7b8:206:1::1
-_sip._udp.example.com. 600 IN SRV 0 0 5060 johnny.example.com.
open.example.com. 600 IN RRSIG A 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCh8bja923UJmg1+sYXMK8WIE4dpgIUQe9sZa0GOcUYSgb2rXoogF8af+Y= ;{id = 2854}
open.example.com. 600 IN RRSIG AAAA 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCRGJgIS6kEVG7aJfovuG/q3cgOWwIUYEIFCnfRQlMIYWF7BKMQoMbdkE0= ;{id = 2854}
-_sip._udp.example.com. 600 IN RRSIG SRV 3 4 600 20070926134150 20070829134150 2854 example.com. MCwCFFSRVgOcq1ihVuO6MhCuzWs6SxpVAhRPHHCKy0JxymVkYeFOxTkbVSWMMw== ;{id = 2854}
ENTRY_END
SCENARIO_END
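Review bot: The expected ADDITIONAL section loses the `_sip._udp.example.com.` SRV record and its RRSIG without any comment saying why. This presumably follows from `harden-unknown-additional: yes`, which the first hunk of this file adds to the config, but the link is only visible by reading both hunks together. A line above the expected ADDITIONAL section such as `; the _sip._udp SRV is dropped from the additional section by harden-unknown-additional` would keep the expectation from looking like an accidental trim; the same applies to the STEP 30 answer in val_any_negcache.rpl. The enclosing CHECK_ANSWER entry starts outside the hunk.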
diff --git a/testdata/val_any_dname.rpl b/testdata/val_any_dname.rpl
index 6ab3cded7d5a..005d29606980 100644
--- a/testdata/val_any_dname.rpl
+++ b/testdata/val_any_dname.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
rrset-roundrobin: no
+ harden-unknown-additional: no
stub-zone:
name: "."
diff --git a/testdata/val_any_negcache.rpl b/testdata/val_any_negcache.rpl
new file mode 100644
index 000000000000..77aacba8cc13
--- /dev/null
+++ b/testdata/val_any_negcache.rpl
@@ -0,0 +1,240 @@
+; config options
+; The island of trust is at example.com
+server:
+ trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
+ val-override-date: "20070916134226"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ rrset-roundrobin: no
+ aggressive-nsec: yes
+ harden-unknown-additional: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test validator with response to qtype ANY and negative cache.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response to DNSKEY priming query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN DNSKEY
+SECTION ANSWER
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854}
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
+ENTRY_END
+
+; response with NODATA
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN LOC
+SECTION AUTHORITY
+example.com. 86400 IN SOA open.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com. 86400 IN RRSIG SOA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCSs8KJepwaIp5vu++/0hk04lkXvgIUdphJSAE/MYob30WcRei9/nL49tE= ;{id = 2854}
+example.com. 18000 IN NSEC _sip._udp.example.com. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY
+example.com. 18000 IN RRSIG NSEC 3 2 18000 20070926134150 20070829134150 2854 example.com. MCwCFBzOGtpgq4uJ2jeuLPYl2HowIRzDAhQVXNz1haQ1mI7z9lt5gcvWW+lFhA== ;{id = 2854}
+ENTRY_END
+
+; response to query of interest
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN ANY
+SECTION ANSWER
+example.com. 86400 IN SOA open.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com. 86400 IN RRSIG SOA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCSs8KJepwaIp5vu++/0hk04lkXvgIUdphJSAE/MYob30WcRei9/nL49tE= ;{id = 2854}
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFHq7BNVAeLW+Uw/rkjVS08lrMDk/AhR+bvChHfiE4jLb6uoyE54/irCuqA== ;{id = 2854}
+example.com. 600 IN NAPTR 20 0 "s" "SIP+D2U" "" _sip._udp.example.com.
+example.com. 600 IN RRSIG NAPTR 3 2 600 20070926134150 20070829134150 2854 example.com. MC0CFE8qs66bzuOyKmTIacamrmqabMRzAhUAn0MujX1LB0UpTHuLMgdgMgJJlq4= ;{id = 2854}
+example.com. 86400 IN AAAA 2001:7b8:206:1::1
+example.com. 86400 IN RRSIG AAAA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFEqS4WHyqhUkv7t42TsBZJk/Q9paAhUAtTZ8GaXGpot0PmsM0oGzQU+2iw4= ;{id = 2854}
+example.com. 86400 IN TXT "Stichting NLnet Labs"
+example.com. 86400 IN RRSIG TXT 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFH3otn2u8zXczBS8L0VKpyAYZGSkAhQLGaQclkzMAzlB5j73opFjdkh8TA== ;{id = 2854}
+example.com. 86400 IN MX 100 v.net.example.
+example.com. 86400 IN MX 50 open.example.com.
+example.com. 86400 IN RRSIG MX 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFEKh3jeqh69zcOqWWv3GNKlMECPyAhR9HJkcPLqlyVWUccWDFJfGGcQfdg== ;{id = 2854}
+example.com. 86400 IN NS v.net.example.
+example.com. 86400 IN NS open.example.com.
+example.com. 86400 IN NS ns7.domain-registry.example.
+example.com. 86400 IN RRSIG NS 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCaRn30X4neKW7KYoTa2kcsoOLgfgIURvKEyDczLypWlx99KpxzMxRYhEc= ;{id = 2854}
+example.com. 86400 IN A 213.154.224.1
+example.com. 86400 IN RRSIG A 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFH8kSLxmRTwzlGDxvF1e4y/gM+5dAhQkzyQ2a6Gf+CMaHzVScaUvTt9HhQ== ;{id = 2854}
+example.com. 18000 IN NSEC _sip._udp.example.com. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY
+example.com. 18000 IN RRSIG NSEC 3 2 18000 20070926134150 20070829134150 2854 example.com. MCwCFBzOGtpgq4uJ2jeuLPYl2HowIRzDAhQVXNz1haQ1mI7z9lt5gcvWW+lFhA== ;{id = 2854}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ns7.domain-registry.example. 80173 IN A 62.4.86.230
+open.example.com. 600 IN A 213.154.224.1
+open.example.com. 600 IN AAAA 2001:7b8:206:1::53
+open.example.com. 600 IN AAAA 2001:7b8:206:1::1
+v.net.example. 28800 IN A 213.154.224.17
+v.net.example. 28800 IN AAAA 2001:7b8:206:1:200:39ff:fe59:b187
+johnny.example.com. 600 IN A 213.154.224.44
+open.example.com. 600 IN RRSIG A 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCh8bja923UJmg1+sYXMK8WIE4dpgIUQe9sZa0GOcUYSgb2rXoogF8af+Y= ;{id = 2854}
+open.example.com. 600 IN RRSIG AAAA 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCRGJgIS6kEVG7aJfovuG/q3cgOWwIUYEIFCnfRQlMIYWF7BKMQoMbdkE0= ;{id = 2854}
+johnny.example.com. 600 IN RRSIG A 3 3 600 20070926134150 20070829134150 2854 example.com. MCwCFAh0/zSpCd/9eMNz7AyfnuGQFD1ZAhQEpNFNw4XByNEcbi/vsVeii9kp7g== ;{id = 2854}
+_sip._udp.example.com. 600 IN RRSIG SRV 3 4 600 20070926134150 20070829134150 2854 example.com. MCwCFFSRVgOcq1ihVuO6MhCuzWs6SxpVAhRPHHCKy0JxymVkYeFOxTkbVSWMMw== ;{id = 2854}
+_sip._udp.example.com. 600 IN SRV 0 0 5060 johnny.example.com.
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD DO
+SECTION QUESTION
+example.com. IN LOC
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+example.com. IN LOC
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. 86400 IN SOA open.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com. 86400 IN RRSIG SOA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCSs8KJepwaIp5vu++/0hk04lkXvgIUdphJSAE/MYob30WcRei9/nL49tE= ;{id = 2854}
+example.com. 18000 IN NSEC _sip._udp.example.com. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY
+example.com. 18000 IN RRSIG NSEC 3 2 18000 20070926134150 20070829134150 2854 example.com. MCwCFBzOGtpgq4uJ2jeuLPYl2HowIRzDAhQVXNz1haQ1mI7z9lt5gcvWW+lFhA== ;{id = 2854}
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD DO
+SECTION QUESTION
+example.com. IN ANY
+ENTRY_END
+
+; recursion happens here.
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AD DO NOERROR
+SECTION QUESTION
+example.com. IN ANY
+SECTION ANSWER
+example.com. 86400 IN SOA open.example.com. hostmaster.example.com. 2007090400 28800 7200 604800 18000
+example.com. 86400 IN RRSIG SOA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCSs8KJepwaIp5vu++/0hk04lkXvgIUdphJSAE/MYob30WcRei9/nL49tE= ;{id = 2854}
+example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJIIs70j+sDS/UT2QRp61SE7S3EEXopNXoFE73JLRmvpi/UrOO/Vz4Se6wXv/CYCKjGw06U4WRgRYXcpEhJROyNapmdIKSxhOzfLVE1gqA0PweZR8dtY3aNQSRn3sPpwJr6Mi/PqQKAMMrZ9ckJpf1+bQMOOvxgzz2U1GS18b3yZKcgTMEaJzd/GZYzi/BN2DzQ0MsrSwYXfsNLFOBbs8PJMW4LYIxeeOe6rUgkWOF7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b}
+example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134150 20070829134150 2854 example.com. MCwCFHq7BNVAeLW+Uw/rkjVS08lrMDk/AhR+bvChHfiE4jLb6uoyE54/irCuqA== ;{id = 2854}
+example.com. 600 IN NAPTR 20 0 "s" "SIP+D2U" "" _sip._udp.example.com.
+example.com. 600 IN RRSIG NAPTR 3 2 600 20070926134150 20070829134150 2854 example.com. MC0CFE8qs66bzuOyKmTIacamrmqabMRzAhUAn0MujX1LB0UpTHuLMgdgMgJJlq4= ;{id = 2854}
+example.com. 86400 IN AAAA 2001:7b8:206:1::1
+example.com. 86400 IN RRSIG AAAA 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFEqS4WHyqhUkv7t42TsBZJk/Q9paAhUAtTZ8GaXGpot0PmsM0oGzQU+2iw4= ;{id = 2854}
+example.com. 86400 IN TXT "Stichting NLnet Labs"
+example.com. 86400 IN RRSIG TXT 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFH3otn2u8zXczBS8L0VKpyAYZGSkAhQLGaQclkzMAzlB5j73opFjdkh8TA== ;{id = 2854}
+example.com. 86400 IN MX 100 v.net.example.
+example.com. 86400 IN MX 50 open.example.com.
+example.com. 86400 IN RRSIG MX 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFEKh3jeqh69zcOqWWv3GNKlMECPyAhR9HJkcPLqlyVWUccWDFJfGGcQfdg== ;{id = 2854}
+example.com. 86400 IN NS v.net.example.
+example.com. 86400 IN NS open.example.com.
+example.com. 86400 IN NS ns7.domain-registry.example.
+example.com. 86400 IN RRSIG NS 3 2 86400 20070926134150 20070829134150 2854 example.com. MC0CFQCaRn30X4neKW7KYoTa2kcsoOLgfgIURvKEyDczLypWlx99KpxzMxRYhEc= ;{id = 2854}
+example.com. 86400 IN A 213.154.224.1
+example.com. 86400 IN RRSIG A 3 2 86400 20070926134150 20070829134150 2854 example.com. MCwCFH8kSLxmRTwzlGDxvF1e4y/gM+5dAhQkzyQ2a6Gf+CMaHzVScaUvTt9HhQ== ;{id = 2854}
+example.com. 18000 IN NSEC _sip._udp.example.com. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY
+example.com. 18000 IN RRSIG NSEC 3 2 18000 20070926134150 20070829134150 2854 example.com. MCwCFBzOGtpgq4uJ2jeuLPYl2HowIRzDAhQVXNz1haQ1mI7z9lt5gcvWW+lFhA== ;{id = 2854}
+SECTION AUTHORITY
+SECTION ADDITIONAL
+open.example.com. 600 IN A 213.154.224.1
+open.example.com. 600 IN AAAA 2001:7b8:206:1::53
+open.example.com. 600 IN AAAA 2001:7b8:206:1::1
+open.example.com. 600 IN RRSIG A 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCh8bja923UJmg1+sYXMK8WIE4dpgIUQe9sZa0GOcUYSgb2rXoogF8af+Y= ;{id = 2854}
+open.example.com. 600 IN RRSIG AAAA 3 3 600 20070926134150 20070829134150 2854 example.com. MC0CFQCRGJgIS6kEVG7aJfovuG/q3cgOWwIUYEIFCnfRQlMIYWF7BKMQoMbdkE0= ;{id = 2854}
+ENTRY_END
+
+SCENARIO_END
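Review bot: Nothing in the scenario states what the negative cache is supposed to do to the ANY query, so the property being protected is left for the reader to reconstruct. From the steps it appears that STEP 1 (LOC) stores a validated NODATA with the `example.com.` NSEC while `aggressive-nsec: yes` is set, and STEP 20 then checks that the ANY lookup still recurses instead of being answered from that NSEC. If so, say it above STEP 20, e.g. `; the cached NSEC from the LOC NODATA must not be used to synthesize a reply for qtype ANY`. Separately, the DNSKEY in the priming response has its base64 split by spaces at irregular points, unlike the same key in the ANY responses; it should parse the same, but joining it into one token would make the two copies comparable by eye.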
diff --git a/testdata/val_cnametocloser_nosig.rpl b/testdata/val_cnametocloser_nosig.rpl
index 6a0552ec5404..eca05b1aaf90 100644
--- a/testdata/val_cnametocloser_nosig.rpl
+++ b/testdata/val_cnametocloser_nosig.rpl
@@ -6,6 +6,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
forward-zone:
name: "."
@@ -89,11 +90,27 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all ede=9
+MATCH all ede=10
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN AAAA
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN AAAA
+ENTRY_END
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_cnametoinsecure.rpl b/testdata/val_cnametoinsecure.rpl
index 78d04de972cc..372a61f21da6 100644
--- a/testdata/val_cnametoinsecure.rpl
+++ b/testdata/val_cnametoinsecure.rpl
@@ -50,9 +50,11 @@ SECTION QUESTION
unsafe.example.com. IN AAAA
SECTION ANSWER
; empty response
+SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com. 3600 IN RRSIG SOA 5 2 3600 20091012000000 20091010000000 30899 example.com. gJkF06xR3FoD/d+rxcLOwGpT8+DV+nbxED8C6T1qZyhWfKlfpYzISNooKBWD+JQbaGKV/nfm+rT3M0fnIXPpQQ==
ENTRY_END
-
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
@@ -88,6 +90,9 @@ SECTION QUESTION
unsafe.example.org. IN AAAA
SECTION ANSWER
; empty response
+SECTION AUTHORITY
+example.org. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.org. 3600 IN RRSIG SOA 5 2 3600 20091012000000 20091010000000 30899 example.org. lYlSk7saPytwcu6Dp3HKYdyCOIlpTm+T8kjf0hnrLgPDZuksUjw/GLB+d6onTDpWLlasHfi0eoAkNvTeuR0+1w==
ENTRY_END
RANGE_END
@@ -112,6 +117,8 @@ www.example.com. 3600 IN RRSIG CNAME 5 3 3600 20091012000000 20
SECTION AUTHORITY
unsafe.example.com. 3600 IN NSEC v.example.com. NS RRSIG NSEC
unsafe.example.com. 3600 IN RRSIG NSEC 5 3 3600 20091012000000 20091010000000 30899 example.com. Le9EsRd2MxkOGRCvGtQkXRDAob5ZJOFQlZbDvcWAh5OXVpmcwZmCHctxw/Zyi4LkNYoYCSCc8PiVRrJM3IsGrQ== ;{id = 30899}
+example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com. 3600 IN RRSIG SOA 5 2 3600 20091012000000 20091010000000 30899 example.com. gJkF06xR3FoD/d+rxcLOwGpT8+DV+nbxED8C6T1qZyhWfKlfpYzISNooKBWD+JQbaGKV/nfm+rT3M0fnIXPpQQ==
ENTRY_END
; NSEC3
@@ -134,6 +141,8 @@ www.example.org. 3600 IN RRSIG CNAME 5 3 3600 20091012000000 20
SECTION AUTHORITY
ltchu0548v0cof8f25u2pj4mjf4shcms.example.org. 3600 IN NSEC3 1 0 1 - ltchu0548v0cof8f25u2pj4mjf4shcmt NS
ltchu0548v0cof8f25u2pj4mjf4shcms.example.org. 3600 IN RRSIG NSEC3 5 3 3600 20091012000000 20091010000000 30899 example.org. yxuYgfkg8QTdB5yBMN9Up9GyKu7xjKDScqq95/tsy3lx22tLsdLD9Fojdrq7eB+K7Tr72AejmVJs44v6TmWkZw== ;{id = 30899}
+example.org. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.org. 3600 IN RRSIG SOA 5 2 3600 20091012000000 20091010000000 30899 example.org. lYlSk7saPytwcu6Dp3HKYdyCOIlpTm+T8kjf0hnrLgPDZuksUjw/GLB+d6onTDpWLlasHfi0eoAkNvTeuR0+1w==
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_cnametonodata_nonsec.rpl b/testdata/val_cnametonodata_nonsec.rpl
index 48158162cba6..8f3927575ecb 100644
--- a/testdata/val_cnametonodata_nonsec.rpl
+++ b/testdata/val_cnametonodata_nonsec.rpl
@@ -9,6 +9,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
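Review bot: The added `access-control: 127.0.0.0/8 allow_snoop` line has no comment explaining why a validator test now permits non-recursive (cache-snooping) queries. It appears to be needed only so that the RD=0 query added as STEP 11 later in this file is answered from the cache, and it is limited to loopback. A one-line comment such as `; allow_snoop: lets the RD=0 re-query in STEP 11 read the cached SERVFAIL and its EDE` would make that intent explicit and discourage copying the setting into a production configuration. The same line is added without explanation in the config hunks of val_cnametoposnowc.rpl, val_deleg_nons.rpl, val_dnamewc.rpl, val_ds_cname.rpl, val_faildnskey.rpl and the later val_*.rpl files in this diff. The `server:` block starts outside the hunk.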
@@ -146,11 +147,13 @@ ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
+example.com. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. AI+pFL3opyI/Mx3pCwnULbwc99bqXrJjRp4ds1lIBPN9X/Pia3wQdkM=
; NSEC here ...
SECTION ADDITIONAL
ENTRY_END
@@ -208,11 +211,13 @@ ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION ANSWER
SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+example.net. 3600 IN RRSIG NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
; NSEC here
SECTION ADDITIONAL
ENTRY_END
@@ -226,6 +231,8 @@ SECTION QUESTION
www.example.net. IN A
SECTION ANSWER
SECTION AUTHORITY
+example.net. 3600 IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
+;example.net. 3600 IN RRSIG SOA 3 2 3600 20070926135752 20070829135752 2854 example.net. ADNbj4XoTESBEkbFri3OG7SujbOUAoyrxPNHbULhxbvbB48Y0YAwvNY=
;www.example.net. IN NSEC example.net. MX NSEC RRSIG
;www.example.net. 3600 IN RRSIG NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. Z+3/WKJEqhWoMOQLC7Yb1dTVGaqzmU0bZ2cH9jSfNQZiT0O37yzCNNUmMsW4gsJOh3o61iZ+hxpze3aO3aedqQ== ;{id = 30899}
SECTION ADDITIONAL
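Review bot: The SOA added to the AUTHORITY section is unsigned, and its RRSIG is added already commented out with no note saying whether that is deliberate. The commented signature names algorithm 3 and key tag 2854, while the other example.net signatures visible in this file (the `RRSIG NS` in the previous hunk and the commented `RRSIG NSEC` below) use key tag 30899, so it would probably not validate if re-enabled. Either drop the dead line or put a comment above it, for example `; SOA deliberately left unsigned: this nodata reply must stay non-secure`, if that is the intent. The entry starts and ends outside the hunk.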
@@ -262,4 +269,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_cnametooptout.rpl b/testdata/val_cnametooptout.rpl
index c9e982253632..2ec4889f9d4e 100644
--- a/testdata/val_cnametooptout.rpl
+++ b/testdata/val_cnametooptout.rpl
@@ -4,6 +4,7 @@ server:
val-override-date: "20091113091234"
fake-sha1: yes
trust-anchor-signaling: no
+ rrset-roundrobin: no
forward-zone:
name: "."
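Review bot: The new `rrset-roundrobin: no` line has no comment saying why this scenario needs it. It is presumably there to keep the order of the two `content.hud.gov. NS` records added later in this file deterministic for the answer comparison, but that is not stated anywhere. A short comment such as `; fixed RRset order so the two NS records compare reliably` would keep the option from being removed later as unrelated. The `server:` block starts outside the hunk.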
@@ -44,6 +45,9 @@ REPLY QR NOERROR
SECTION QUESTION
www.content.hud.gov. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+content.hud.gov. 86400 IN NS drfswitch.hud.gov.
+content.hud.gov. 86400 IN NS lanswitch.hud.gov.
ENTRY_END
ENTRY_BEGIN
@@ -107,6 +111,8 @@ SECTION AUTHORITY
3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov. 86400 IN RRSIG NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. APf75Nx4eY9eHov3T9hduDLuG4TJfVfEUEhSgm7HIZRvSPFgajHz2q+Wy6888G3C0T1Zft1qL2PdHMonK6H1OEE+NiOxroDsZaH+aWZjAsbIO86qQ2xcC+/Z9DsddQtONk0zAqpuYxHSn879rAk/BIKeDukNoBChHCSTy8olUFiYt7XEmjz5AOoc8R5VQhMQi/vmbmC0BoFOemDxxowG2MX27Hj2MbVBEJiT8xioFEk41jsdDI0WQtpnory2NT/UM4kWZdmDdxbpwu2F8oixe3oi4AOI9j3EukoOZT9f0Sx+tCg/I9zLNZJi+VuI5oUlpZkSH5EoUyRgK33eO+KJhQ== ;{id = 64775}
GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov. 86400 IN NSEC3 1 1 5 abcd gvfjd9enpjtet8a14uhb8hlrfeon2b72 A RRSIG ; flags: optout
GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov. 86400 IN RRSIG NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. eQFg/RvJ640k+Fa5yIUZwkx8FvsYSivykYFjc6dOiGt7r3VprfxwGWeYpyjYr/+mzu0ugE5ePDjZWtr5naK3dvqmt7qKk4/nEvVDoUmrg7joIUmeTzami9RB9lzCq2O/ddempQ6jpwfjiIDuEKUxHMpBFpw8QQZnZSZHKKQCDB4pOj8U8J/wNJXCS+SP7plU1hEVroC+QXCOYS8NHY2wFyeuW7A+xvg9tyYp9PH6c5MoNMkRQt36Kdvfk1nk3osktwalJNLmMhDr/vtErFieGGD6E9Ud9Pg70bPF2G5nqwwLDRevy7hIFjaMDHfYrcWc4B5hrUSpGtLJkYog9vsd2w== ;{id = 64775}
+content.hud.gov. 86400 IN NS drfswitch.hud.gov.
+content.hud.gov. 86400 IN NS lanswitch.hud.gov.
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_cnametoposnowc.rpl b/testdata/val_cnametoposnowc.rpl
index 2975bd8d2a03..1ba57633c146 100644
--- a/testdata/val_cnametoposnowc.rpl
+++ b/testdata/val_cnametoposnowc.rpl
@@ -9,6 +9,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -261,4 +262,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_deleg_nons.rpl b/testdata/val_deleg_nons.rpl
index 82348d95b7f9..aac87eab7316 100644
--- a/testdata/val_deleg_nons.rpl
+++ b/testdata/val_deleg_nons.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -269,4 +270,21 @@ foo.www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+foo.www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+foo.www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_dnamewc.rpl b/testdata/val_dnamewc.rpl
index 1a0e41ecff0b..ee72f6a1fa1b 100644
--- a/testdata/val_dnamewc.rpl
+++ b/testdata/val_dnamewc.rpl
@@ -9,6 +9,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -264,4 +265,21 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_ds_cname.rpl b/testdata/val_ds_cname.rpl
index 3b88fb5a25a6..a49c53538ebe 100644
--- a/testdata/val_ds_cname.rpl
+++ b/testdata/val_ds_cname.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -78,6 +79,8 @@ REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
ENTRY_END
RANGE_END
@@ -202,4 +205,20 @@ SECTION QUESTION
www.example.com. IN A
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_faildnskey.rpl b/testdata/val_faildnskey.rpl
index 528082120968..cc1cc9eeed0f 100644
--- a/testdata/val_faildnskey.rpl
+++ b/testdata/val_faildnskey.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -143,10 +144,13 @@ ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
ENTRY_END
RANGE_END
@@ -168,4 +172,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_faildnskey_ok.rpl b/testdata/val_faildnskey_ok.rpl
index d3ac00c47d15..50f3184b48f1 100644
--- a/testdata/val_faildnskey_ok.rpl
+++ b/testdata/val_faildnskey_ok.rpl
@@ -144,10 +144,13 @@ ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN AAAA
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
ENTRY_END
RANGE_END
diff --git a/testdata/val_nodata_failsig.rpl b/testdata/val_nodata_failsig.rpl
index 0c4426bc1054..16b46d4fd33b 100644
--- a/testdata/val_nodata_failsig.rpl
+++ b/testdata/val_nodata_failsig.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -162,4 +163,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_nodata_failwc.rpl b/testdata/val_nodata_failwc.rpl
index 3aa8212c8932..7ac61fa2bddb 100644
--- a/testdata/val_nodata_failwc.rpl
+++ b/testdata/val_nodata_failwc.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "nsecwc.nlnetlabs.nl"
@@ -17,8 +18,8 @@ CONFIG_END
SCENARIO_BEGIN Test validator with nodata response with wildcard expanded NSEC record, original NSEC owner does not provide proof for QNAME. CVE-2017-15105 test.
- ; ns.example.com.
-RANGE_BEGIN 0 100
+ ; ns.example.com.
+RANGE_BEGIN 0 100
ADDRESS 185.49.140.60
; response to DNSKEY priming query
@@ -69,4 +70,21 @@ _25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_nokeyprime.rpl b/testdata/val_nokeyprime.rpl
index 5d3727420799..b7646d34ca8b 100644
--- a/testdata/val_nokeyprime.rpl
+++ b/testdata/val_nokeyprime.rpl
@@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -161,4 +162,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=9
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_nsec3_b1_nameerror_nowc.rpl b/testdata/val_nsec3_b1_nameerror_nowc.rpl
index 0ff135af6bba..9445fec08907 100644
--- a/testdata/val_nsec3_b1_nameerror_nowc.rpl
+++ b/testdata/val_nsec3_b1_nameerror_nowc.rpl
@@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -140,12 +141,24 @@ SECTION QUESTION
a.c.x.w.example. IN A
SECTION ANSWER
SECTION AUTHORITY
-; example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
-; example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== )
-; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd ( 2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG )
-; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
-; b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
-; b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3 pOv0TSTyiTxIZg== )
+ENTRY_END
+
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+a.c.x.w.example. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+a.c.x.w.example. IN A
+SECTION ANSWER
+SECTION AUTHORITY
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_nsec3_b2_nodata_nons.rpl b/testdata/val_nsec3_b2_nodata_nons.rpl
index b47643b25564..7dd06a392fa1 100644
--- a/testdata/val_nsec3_b2_nodata_nons.rpl
+++ b/testdata/val_nsec3_b2_nodata_nons.rpl
@@ -6,6 +6,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -97,6 +98,9 @@ ADJUST copy_id
REPLY QR AA DO NOERROR
SECTION QUESTION
ns1.example. IN DS
+SECTION AUTHORITY
+example. SOA ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
+example. RRSIG SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example. Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== )
ENTRY_END
ENTRY_BEGIN
@@ -135,4 +139,21 @@ ns1.example. IN MX
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ns1.example. IN MX
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=12
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ns1.example. IN MX
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_nsec3_b4_wild_wr.rpl b/testdata/val_nsec3_b4_wild_wr.rpl
index 50daf3809e9b..5ca165628607 100644
--- a/testdata/val_nsec3_b4_wild_wr.rpl
+++ b/testdata/val_nsec3_b4_wild_wr.rpl
@@ -129,6 +129,10 @@ SECTION QUESTION
ns2.example. IN A
SECTION ANSWER
; nothing to make sure the ns1 server is used for queries.
+SECTION AUTHORITY
+example. NS ns1.example.
+example. NS ns2.example.
+example. RRSIG NS 7 1 3600 20150420235959 20051021000000 ( 40430 example. PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJ qOtdEVgg+MA+ai4fWDEhu3qHJyLcQ9tbD2vv CnMXjtz6SyObxA== )
ENTRY_END
ENTRY_BEGIN
@@ -139,6 +143,10 @@ SECTION QUESTION
ns2.example. IN AAAA
SECTION ANSWER
; nothing to make sure the ns1 server is used for queries.
+SECTION AUTHORITY
+example. NS ns1.example.
+example. NS ns2.example.
+example. RRSIG NS 7 1 3600 20150420235959 20051021000000 ( 40430 example. PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJ qOtdEVgg+MA+ai4fWDEhu3qHJyLcQ9tbD2vv CnMXjtz6SyObxA== )
ENTRY_END
diff --git a/testdata/val_nsec3_entnodata_optout_badopt.rpl b/testdata/val_nsec3_entnodata_optout_badopt.rpl
index b672bd6e6cc2..c7e5a50068be 100644
--- a/testdata/val_nsec3_entnodata_optout_badopt.rpl
+++ b/testdata/val_nsec3_entnodata_optout_badopt.rpl
@@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -194,4 +195,21 @@ ent.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+ent.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+ent.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_nsec3_nods_badsig.rpl b/testdata/val_nsec3_nods_badsig.rpl
index 79290d659ae7..d99470f344fc 100644
--- a/testdata/val_nsec3_nods_badsig.rpl
+++ b/testdata/val_nsec3_nods_badsig.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -234,4 +235,20 @@ www.sub.example.com. IN A
SECTION ANSWER
ENTRY_END
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=7
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
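Review bot: The STEP 11/12 pair added here lacks the `; Redo the query without RD to check EDE caching.` comment that the same addition carries in the other scenario files of this commit. Without it the bare `REPLY DO` in STEP 11 reads like an accidental omission of RD rather than a deliberate cache lookup. Add that comment line above `STEP 11 QUERY`. The same comment is missing from the STEP 11 additions in val_secds_nosig.rpl and val_ta_algo_missing.rpl.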
diff --git a/testdata/val_nx_failwc.rpl b/testdata/val_nx_failwc.rpl
index 645a6b4c9728..765b34456d96 100644
--- a/testdata/val_nx_failwc.rpl
+++ b/testdata/val_nx_failwc.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "nsecwc.nlnetlabs.nl"
@@ -67,4 +68,21 @@ a.nsecwc.nlnetlabs.nl. IN TXT
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+a.nsecwc.nlnetlabs.nl. IN TXT
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+a.nsecwc.nlnetlabs.nl. IN TXT
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_nx_overreach.rpl b/testdata/val_nx_overreach.rpl
index e5046bc1a445..28089e5f361c 100644
--- a/testdata/val_nx_overreach.rpl
+++ b/testdata/val_nx_overreach.rpl
@@ -8,6 +8,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -162,4 +163,21 @@ www.example.com. IN A
SECTION ANSWER
ENTRY_END
+; Redo the query without RD to check EDE caching.
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_positive_nosigs.rpl b/testdata/val_positive_nosigs.rpl
index e57836f90d02..c48b39e6f0d3 100644
--- a/testdata/val_positive_nosigs.rpl
+++ b/testdata/val_positive_nosigs.rpl
@@ -137,10 +137,13 @@ ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
SECTION QUESTION
www.example.com. IN DS
SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
ENTRY_END
; response to query of interest
diff --git a/testdata/val_secds_nosig.rpl b/testdata/val_secds_nosig.rpl
index 69f83a393c10..ec768799d7f9 100644
--- a/testdata/val_secds_nosig.rpl
+++ b/testdata/val_secds_nosig.rpl
@@ -7,6 +7,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -230,4 +231,19 @@ SECTION QUESTION
www.sub.example.com. IN A
ENTRY_END
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=10
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.sub.example.com. IN A
+ENTRY_END
+
SCENARIO_END
diff --git a/testdata/val_ta_algo_missing.rpl b/testdata/val_ta_algo_missing.rpl
index 9efb24266c05..537af2cb3e6b 100644
--- a/testdata/val_ta_algo_missing.rpl
+++ b/testdata/val_ta_algo_missing.rpl
@@ -11,6 +11,7 @@ server:
fake-sha1: yes
trust-anchor-signaling: no
ede: yes
+ access-control: 127.0.0.0/8 allow_snoop
stub-zone:
name: "."
@@ -166,11 +167,27 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all ede=9
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY DO
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ede=6
+REPLY QR RA DO SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
SCENARIO_END
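Review bot: The expectation in the existing STEP 10 check changes from `MATCH all ede=9` to `MATCH all ede=6` with nothing in the file explaining why. By the RFC 8914 numbering this replaces DNSKEY Missing with the more generic DNSSEC Bogus, for a scenario whose name suggests a missing trust-anchor algorithm. That makes the failure less specific for operators, so the reason should be recorded. Put a comment above the changed line, for example `; ede=6 (DNSSEC Bogus) expected here; was ede=9 (DNSKEY Missing)`, followed by the cause. The new STEP 12 then asserts the same code for the cached answer, so a wrong value in STEP 10 would be locked in twice.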