authorCy Schubert <cy@FreeBSD.org>2022-06-08 14:43:13 +0000
committerCy Schubert <cy@FreeBSD.org>2022-06-08 14:43:13 +0000
commit5f9f82264b91e041df7cba2406625146e7268ce4 (patch)
treeba7309ee547bf22115420277f45a3478aafb6397 /testdata
parent3574dc0bd83e731bba79edc130c0569bf05f7af5 (diff)
Diffstat (limited to 'testdata')
-rw-r--r--testdata/auth_zonemd_file_unknown.rpl184
-rw-r--r--testdata/autotrust_init_fail.rpl4
-rw-r--r--testdata/autotrust_init_failsig.rpl4
-rw-r--r--testdata/autotrust_probefail.rpl4
-rw-r--r--testdata/autotrust_probefailsig.rpl4
-rw-r--r--testdata/black_ds_entry.rpl5
-rw-r--r--testdata/black_key_entry.rpl5
-rw-r--r--testdata/black_prime_entry.rpl5
-rwxr-xr-xtestdata/ede.tdir/bogus/clean.sh1
-rw-r--r--testdata/ede.tdir/bogus/dnskey-failures.test10
-rw-r--r--testdata/ede.tdir/bogus/dnssec-failures.test15
-rwxr-xr-xtestdata/ede.tdir/bogus/make-broken-zone.sh67
-rw-r--r--testdata/ede.tdir/bogus/nsec-failures.test10
-rw-r--r--testdata/ede.tdir/bogus/rrsig-failures.test10
-rw-r--r--testdata/ede.tdir/ede-auth.conf27
-rw-r--r--testdata/ede.tdir/ede.conf49
-rw-r--r--testdata/ede.tdir/ede.dsc16
-rw-r--r--testdata/ede.tdir/ede.post10
-rw-r--r--testdata/ede.tdir/ede.pre37
-rw-r--r--testdata/ede.tdir/ede.test72
-rw-r--r--testdata/ede_acl_refused.rpl35
-rw-r--r--testdata/ede_cache_snoop_noth_auth.rpl33
-rw-r--r--testdata/ede_localzone_dname_expansion.rpl37
-rw-r--r--testdata/edns_keepalive.rpl6
-rw-r--r--testdata/ipset.tdir/ipset.conf23
-rw-r--r--testdata/ipset.tdir/ipset.dsc16
-rw-r--r--testdata/ipset.tdir/ipset.post14
-rw-r--r--testdata/ipset.tdir/ipset.pre33
-rw-r--r--testdata/ipset.tdir/ipset.test155
-rw-r--r--testdata/ipset.tdir/ipset.testns103
-rw-r--r--testdata/iter_cname_minimise.rpl179
-rw-r--r--testdata/iter_dp_ip6useless.rpl168
-rw-r--r--testdata/nsid_bogus.rpl3
-rw-r--r--testdata/root_key_sentinel.rpl5
-rw-r--r--testdata/rpz_passthru.rpl154
-rw-r--r--testdata/rpz_qname.rpl37
-rw-r--r--testdata/serve_expired.rpl7
-rw-r--r--testdata/serve_expired_client_timeout.rpl8
-rw-r--r--testdata/serve_expired_reply_ttl.rpl8
-rw-r--r--testdata/serve_expired_servfail.rpl8
-rw-r--r--testdata/serve_expired_zerottl.rpl8
-rw-r--r--testdata/serve_original_ttl.rpl8
-rw-r--r--testdata/subnet_prefetch.crpl215
-rw-r--r--testdata/subnet_prefetch_with_client_ecs.crpl221
-rw-r--r--testdata/val_cnametocloser_nosig.rpl3
-rw-r--r--testdata/val_cnametonodata_nonsec.rpl4
-rw-r--r--testdata/val_cnametoposnowc.rpl5
-rw-r--r--testdata/val_deleg_nons.rpl3
-rw-r--r--testdata/val_dnamewc.rpl5
-rw-r--r--testdata/val_ds_cname.rpl4
-rw-r--r--testdata/val_faildnskey.rpl3
-rw-r--r--testdata/val_nodata_failsig.rpl5
-rw-r--r--testdata/val_nodata_failwc.rpl6
-rw-r--r--testdata/val_nokeyprime.rpl3
-rw-r--r--testdata/val_nsec3_b1_nameerror_nowc.rpl4
-rw-r--r--testdata/val_nsec3_b2_nodata_nons.rpl5
-rw-r--r--testdata/val_nsec3_entnodata_optout_badopt.rpl5
-rw-r--r--testdata/val_nsec3_nods_badsig.rpl5
-rw-r--r--testdata/val_nx_failwc.rpl6
-rw-r--r--testdata/val_nx_overreach.rpl5
-rw-r--r--testdata/val_secds_nosig.rpl3
-rw-r--r--testdata/val_ta_algo_missing.rpl3
62 files changed, 2026 insertions, 74 deletions
diff --git a/testdata/auth_zonemd_file_unknown.rpl b/testdata/auth_zonemd_file_unknown.rpl
new file mode 100644
index 000000000000..f5c5f276e882
--- /dev/null
+++ b/testdata/auth_zonemd_file_unknown.rpl
@@ -0,0 +1,184 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+
+auth-zone:
+ name: "example.com."
+ ## zonefile (or none).
+ ## zonefile: "example.com.zone"
+ ## master by IP address or hostname
+ ## can list multiple masters, each on one line.
+ ## master:
+ ## url for http fetch
+ ## url:
+ ## queries from downstream clients get authoritative answers.
+ ## for-downstream: yes
+ for-downstream: no
+ ## queries are used to fetch authoritative answers from this zone,
+ ## instead of unbound itself sending queries there.
+ ## for-upstream: yes
+ for-upstream: yes
+ ## on failures with for-upstream, fallback to sending queries to
+ ## the authority servers
+ ## fallback-enabled: no
+ zonemd-check: yes
+
+ ## this line generates zonefile: \n"/tmp/xxx.example.com"\n
+ zonefile:
+TEMPFILE_NAME example.com
+ ## this is the inline file /tmp/xxx.example.com
+ ## the tempfiles are deleted when the testrun is over.
+TEMPFILE_CONTENTS example.com
+example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600
+example.com. IN NS ns.example.com.
+example.com. IN ZONEMD 200154054 1 22 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
+example.com. IN ZONEMD 200154054 21 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22
+www.example.com. IN A 127.0.0.1
+ns.example.com. IN A 127.0.0.1
+bar.example.com. IN A 1.2.3.4
+ding.example.com. IN A 1.2.3.4
+foo.example.com. IN A 1.2.3.4
+TEMPFILE_END
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test authority zone with ZONEMD with unknown algo from zonefile
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ENTRY_END
+RANGE_END
+
+; ns.example.net.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.44
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.net. IN NS
+SECTION ANSWER
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+ns.example.net. IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.net. IN A
+SECTION ANSWER
+ns.example.net. IN A 1.2.3.44
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.net. IN AAAA
+SECTION AUTHORITY
+example.net. IN NS ns.example.net.
+SECTION ADDITIONAL
+www.example.net. IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 127.0.0.1
+ENTRY_END
+
+SCENARIO_END
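Review bot: STEP 20 expects `www.example.com. IN A 127.0.0.1`, which is the zonefile value rather than the 10.20.30.40 served by the 1.2.3.44 range, but nothing in the scenario says why that is the desired outcome with `zonemd-check: yes`. Both ZONEMD records use scheme/hash pairs (`1 22` and `21 2`) that appear to be the "unknown algo" of the title, so the zone seems to be accepted without any digest being verified. A comment above STEP 20 such as `; ZONEMD with unknown scheme/hash is skipped, zone is served from the file` would make that integrity trade-off explicit for the next reader. The `; ns.example.net.` label on the 1.2.3.44 range also does not match the `ns.example.com.` glue that points at that address.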
diff --git a/testdata/autotrust_init_fail.rpl b/testdata/autotrust_init_fail.rpl
index 497dfcf5731c..1f3fed9570a2 100644
--- a/testdata/autotrust_init_fail.rpl
+++ b/testdata/autotrust_init_fail.rpl
@@ -4,6 +4,8 @@ server:
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
+
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
@@ -150,7 +152,7 @@ ENTRY_END
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
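Review bot: `MATCH all ede=9` pins a bare number, so a reader has to look up RFC 8914 to learn which validation failure the scenario is asserting. A one-line comment above the step, e.g. `; EDE 9 = DNSKEY Missing`, would document the intent. The same applies to the `ede=6` and `ede=7` matches added in autotrust_init_failsig.rpl, autotrust_probefail.rpl, autotrust_probefailsig.rpl and the three black_*_entry.rpl files. The entries themselves continue outside these hunks.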
diff --git a/testdata/autotrust_init_failsig.rpl b/testdata/autotrust_init_failsig.rpl
index 2bf5014e4683..7f6a14d833e5 100644
--- a/testdata/autotrust_init_failsig.rpl
+++ b/testdata/autotrust_init_failsig.rpl
@@ -5,6 +5,8 @@ server:
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
+
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
@@ -138,7 +140,7 @@ ENTRY_END
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
diff --git a/testdata/autotrust_probefail.rpl b/testdata/autotrust_probefail.rpl
index d3ac6aedf7f2..e22cbf71ff96 100644
--- a/testdata/autotrust_probefail.rpl
+++ b/testdata/autotrust_probefail.rpl
@@ -4,6 +4,8 @@ server:
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
+
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
@@ -155,7 +157,7 @@ ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
diff --git a/testdata/autotrust_probefailsig.rpl b/testdata/autotrust_probefailsig.rpl
index 48230050239e..7d486ffbc397 100644
--- a/testdata/autotrust_probefailsig.rpl
+++ b/testdata/autotrust_probefailsig.rpl
@@ -4,6 +4,8 @@ server:
log-time-ascii: yes
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
+
stub-zone:
name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
@@ -155,7 +157,7 @@ ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
diff --git a/testdata/black_ds_entry.rpl b/testdata/black_ds_entry.rpl
index e2367a980d31..168dc236d203 100644
--- a/testdata/black_ds_entry.rpl
+++ b/testdata/black_ds_entry.rpl
@@ -6,6 +6,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -578,7 +579,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=7
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
@@ -595,7 +596,7 @@ ENTRY_END
STEP 120 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=7
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
ftp.sub.example.com. IN A
diff --git a/testdata/black_key_entry.rpl b/testdata/black_key_entry.rpl
index 37946c008cfd..cd2b0bfbe557 100644
--- a/testdata/black_key_entry.rpl
+++ b/testdata/black_key_entry.rpl
@@ -6,6 +6,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -560,7 +561,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=7
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
@@ -577,7 +578,7 @@ ENTRY_END
STEP 120 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=7
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
ftp.sub.example.com. IN A
diff --git a/testdata/black_prime_entry.rpl b/testdata/black_prime_entry.rpl
index 8221d2db6b58..e635ed9cc10b 100644
--- a/testdata/black_prime_entry.rpl
+++ b/testdata/black_prime_entry.rpl
@@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -285,7 +286,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=7
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
@@ -304,7 +305,7 @@ ENTRY_END
; recursion happens here.
STEP 120 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=7
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
ftp.example.com. IN A
diff --git a/testdata/ede.tdir/bogus/clean.sh b/testdata/ede.tdir/bogus/clean.sh
new file mode 100755
index 000000000000..54128f807217
--- /dev/null
+++ b/testdata/ede.tdir/bogus/clean.sh
@@ -0,0 +1 @@
+rm -f K* piece1 base expired notyetincepted trust-anchors dnssec-failures.test.signed dnskey-failures.test.signed nsec-failures.test.signed rrsig-failures.test.signed
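Review bot: The paths removed here do not line up with where make-broken-zone.sh writes its output: that script leaves `K*`, `base`, `expired` and `notyetincepted` in its working directory but writes `trust-anchors` and the `*.signed` zones under `bogus/`, so no single working directory lets this one `rm` remove all of them. The file is mode 100755 but has no shebang, and the unanchored `K*` glob removes any file beginning with K in whatever directory the script is started from. Consider adding `#!/bin/sh`, then `cd "$(dirname "$0")/.." || exit 1`, and giving the generated outputs their `bogus/` prefix.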
diff --git a/testdata/ede.tdir/bogus/dnskey-failures.test b/testdata/ede.tdir/bogus/dnskey-failures.test
new file mode 100644
index 000000000000..49d6ad5a384d
--- /dev/null
+++ b/testdata/ede.tdir/bogus/dnskey-failures.test
@@ -0,0 +1,10 @@
+$ORIGIN dnskey-failures.test.
+
+@ SOA ns hostmaster (
+ 1 ; serial
+ 14400 ; refresh (4 hours)
+ 1800 ; retry (30 minutes)
+ 2419200 ; expire (4 weeks)
+ 300 ; minimum (5 minutes)
+)
+ A 192.0.2.1
diff --git a/testdata/ede.tdir/bogus/dnssec-failures.test b/testdata/ede.tdir/bogus/dnssec-failures.test
new file mode 100644
index 000000000000..5af5941c0959
--- /dev/null
+++ b/testdata/ede.tdir/bogus/dnssec-failures.test
@@ -0,0 +1,15 @@
+$ORIGIN dnssec-failures.test.
+
+@ SOA ns hostmaster (
+ 1 ; serial
+ 14400 ; refresh (4 hours)
+ 1800 ; retry (30 minutes)
+ 2419200 ; expire (4 weeks)
+ 300 ; minimum (5 minutes)
+)
+ NS ns
+ns A 192.0.2.1
+notyetincepted TXT "Not yet incepted"
+expired TXT "Expired"
+sigsinvalid TXT "Signatures invalid"
+missingrrsigs TXT "Signatures missing" \ No newline at end of file
diff --git a/testdata/ede.tdir/bogus/make-broken-zone.sh b/testdata/ede.tdir/bogus/make-broken-zone.sh
new file mode 100755
index 000000000000..67b4fcfb2d84
--- /dev/null
+++ b/testdata/ede.tdir/bogus/make-broken-zone.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+
+# create oudated zones
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test`
+echo $CSK
+
+echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" | \
+ cat $CSK.ds - > bogus/trust-anchors
+
+# differentiate for MacOS with "gdate"
+DATE=date
+which gdate > /dev/null 2>&1 && DATE=gdate
+
+ONEMONTHAGO=`$DATE -d 'now - 1 month' +%Y%m%d`
+YESTERDAY=`$DATE -d 'now - 2 days' +%Y%m%d`
+TOMORROW=`$DATE -d 'now + 2 days' +%Y%m%d`
+
+ldns-signzone -i $YESTERDAY -f - bogus/dnssec-failures.test $CSK | \
+ grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
+ sed 's/Signatures invalid/Signatures INVALID/g' | \
+ grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \
+ grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \
+ grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \
+ grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base
+ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY -f - bogus/dnssec-failures.test $CSK | \
+ grep -v '[ ]NSEC[ ]' | \
+ grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired
+ldns-signzone -i $TOMORROW -f - bogus/dnssec-failures.test $CSK | \
+ grep -v '[ ]NSEC[ ]' | \
+ grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted
+
+cat base expired notyetincepted > bogus/dnssec-failures.test.signed
+
+# cleanup old zone keys
+rm -f $CSK.*
+# create zone with DNSKEY missing
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnskey-failures.test`
+echo $CSK
+cat $CSK.ds >> bogus/trust-anchors
+
+ldns-signzone -f tmp.signed bogus/dnskey-failures.test $CSK
+grep -v ' DNSKEY ' tmp.signed > bogus/dnskey-failures.test.signed
+
+
+# cleanup old zone keys
+rm -f $CSK.*
+# create zone with NSEC missing
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom nsec-failures.test`
+echo $CSK
+cat $CSK.ds >> bogus/trust-anchors
+
+ldns-signzone -f tmp.signed bogus/nsec-failures.test $CSK
+grep -v ' NSEC ' tmp.signed > bogus/nsec-failures.test.signed
+
+
+# cleanup old zone keys
+rm -f $CSK.*
+# create zone with RRSIGs missing
+CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom rrsig-failures.test`
+echo $CSK
+cat $CSK.ds >> bogus/trust-anchors
+
+ldns-signzone -f tmp.signed bogus/rrsig-failures.test $CSK
+grep -v ' RRSIG ' tmp.signed > bogus/rrsig-failures.test.signed
+
+# cleanup
+rm -f base expired notyetincepted tmp.signed $CSK.*
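Review bot: None of the four `ldns-keygen` command substitutions is checked and `$CSK` is always used unquoted, so if ldns-keygen is missing or fails, `rm -f $CSK.*` expands to `rm -f .*` and deletes dotfiles in the test directory, including `.tpkg.var.test`. In the same case `cat $CSK.ds -` still succeeds far enough to write a `bogus/trust-anchors` that holds only the root DS, and the script exits 0. Adding `set -e` after the shebang, a guard such as `[ -n "$CSK" ] || exit 1` after each keygen, and quoting `"$CSK"` would make the failure visible at its cause. The comment `# create oudated zones` has a typo, and `YESTERDAY`/`TOMORROW` are computed as two days away, which deserves a short comment on why one day is not enough.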
diff --git a/testdata/ede.tdir/bogus/nsec-failures.test b/testdata/ede.tdir/bogus/nsec-failures.test
new file mode 100644
index 000000000000..529298df686b
--- /dev/null
+++ b/testdata/ede.tdir/bogus/nsec-failures.test
@@ -0,0 +1,10 @@
+$ORIGIN nsec-failures.test.
+
+@ SOA ns hostmaster (
+ 1 ; serial
+ 14400 ; refresh (4 hours)
+ 1800 ; retry (30 minutes)
+ 2419200 ; expire (4 weeks)
+ 300 ; minimum (5 minutes)
+)
+ A 192.0.2.1
diff --git a/testdata/ede.tdir/bogus/rrsig-failures.test b/testdata/ede.tdir/bogus/rrsig-failures.test
new file mode 100644
index 000000000000..cab0b7f48d04
--- /dev/null
+++ b/testdata/ede.tdir/bogus/rrsig-failures.test
@@ -0,0 +1,10 @@
+$ORIGIN rrsig-failures.test.
+
+@ SOA ns hostmaster (
+ 1 ; serial
+ 14400 ; refresh (4 hours)
+ 1800 ; retry (30 minutes)
+ 2419200 ; expire (4 weeks)
+ 300 ; minimum (5 minutes)
+)
+ A 192.0.2.1
diff --git a/testdata/ede.tdir/ede-auth.conf b/testdata/ede.tdir/ede-auth.conf
new file mode 100644
index 000000000000..d78da0382ad4
--- /dev/null
+++ b/testdata/ede.tdir/ede-auth.conf
@@ -0,0 +1,27 @@
+server:
+ verbosity: 1
+ use-syslog: no
+ chroot: ""
+ username: ""
+ directory: ""
+ pidfile: "unbound2.pid"
+ local-zone: test nodefault
+ interface: 127.0.0.1
+ port: @PORT2@
+
+auth-zone:
+ name: "dnssec-failures.test"
+ zonefile: "bogus/dnssec-failures.test.signed"
+
+auth-zone:
+ name: "dnskey-failures.test"
+ zonefile: "bogus/dnskey-failures.test.signed"
+
+auth-zone:
+ name: "nsec-failures.test"
+ zonefile: "bogus/nsec-failures.test.signed"
+
+auth-zone:
+ name: "rrsig-failures.test"
+ zonefile: "bogus/rrsig-failures.test.signed"
+
diff --git a/testdata/ede.tdir/ede.conf b/testdata/ede.tdir/ede.conf
new file mode 100644
index 000000000000..13730d42f2c5
--- /dev/null
+++ b/testdata/ede.tdir/ede.conf
@@ -0,0 +1,49 @@
+server:
+ verbosity: 2
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: .
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ directory: ""
+ val-log-level: 2
+
+ trust-anchor-file: "bogus/trust-anchors"
+
+ module-config: "respip validator iterator"
+
+ ede: yes
+ access-control: 127.0.0.2/32 refuse
+ access-control: 127.0.0.3/32 allow
+
+ local-zone: hopsa.kidee. always_refuse
+ local-data: "hopsa.kidee. TXT hela hola"
+
+ local-zone: nlnetlabs.nl transparent
+ local-data: "hopsa.nlnetlabs.nl. TXT hela hola"
+
+ local-zone: uva.nl. always_null
+
+ local-zone: example.com redirect
+ local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
+
+ local-zone: test nodefault
+ do-not-query-localhost: no
+
+forward-zone:
+ name: "dnssec-failures.test"
+ forward-addr: 127.0.0.1@@PORT2@
+
+forward-zone:
+ name: "dnskey-failures.test"
+ forward-addr: 127.0.0.1@@PORT2@
+
+forward-zone:
+ name: "nsec-failures.test"
+ forward-addr: 127.0.0.1@@PORT2@
+
+forward-zone:
+ name: "rrsig-failures.test"
+ forward-addr: 127.0.0.1@@PORT2@
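Review bot: `directory:` is set twice in the `server:` clause, first as `directory: .` and later as `directory: ""`, so the effective value depends on the parser keeping the last one; only one of them should remain. The `access-control` refuse/allow entries and the `hopsa.kidee.`, `nlnetlabs.nl`, `uva.nl.` and `example.com` local zones are not queried anywhere in ede.test as added by this commit. Either add checks for the EDE codes those settings are meant to produce or mark them with a comment as reserved for later tests.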
diff --git a/testdata/ede.tdir/ede.dsc b/testdata/ede.tdir/ede.dsc
new file mode 100644
index 000000000000..c397ded693f2
--- /dev/null
+++ b/testdata/ede.tdir/ede.dsc
@@ -0,0 +1,16 @@
+BaseName: ede
+Version: 1.0
+Description: Test Extended DNS Errors (rfc8914)
+CreationDate: Fri Aug 20 15:42:11 UTC 2021
+Maintainer: Tom Carpay
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: ede.pre
+Post: ede.post
+Test: ede.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/ede.tdir/ede.post b/testdata/ede.tdir/ede.post
new file mode 100644
index 000000000000..88b26f3132a1
--- /dev/null
+++ b/testdata/ede.tdir/ede.post
@@ -0,0 +1,10 @@
+# #-- ede.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+# teardown
+. ../common.sh
+kill_pid $UNBOUND_PID
+kill_pid $UNBOUND_PID2 \ No newline at end of file
diff --git a/testdata/ede.tdir/ede.pre b/testdata/ede.tdir/ede.pre
new file mode 100644
index 000000000000..e5a0667b0e02
--- /dev/null
+++ b/testdata/ede.tdir/ede.pre
@@ -0,0 +1,37 @@
+# #-- ede.pre --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+UNBOUND_PORT2=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "UNBOUND_PORT2=$UNBOUND_PORT2" >> .tpkg.var.test
+
+# rewrite config file with created ports
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' < ede.conf > temp.conf
+sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < temp.conf > ub.conf
+sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < ede-auth.conf > ub2.conf
+
+# create broken dnssec zone
+bogus/make-broken-zone.sh
+
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf > unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+# start authoritative unbound in the background
+$PRE/unbound -d -c ub2.conf > unbound2.log 2>&1 &
+UNBOUND_PID2=$!
+echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test
+
+
+cat .tpkg.var.test
+wait_unbound_up unbound.log
+wait_unbound_up unbound2.log
+
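Review bot: The exit status of `bogus/make-broken-zone.sh` is not checked, so when the ldns tools are absent both unbound instances are still started against a missing or incomplete `bogus/trust-anchors` and missing `bogus/*.signed` zonefiles. The failure then surfaces later as a startup timeout or an unexplained EDE mismatch instead of at the real cause. `bogus/make-broken-zone.sh || { echo "could not generate test zones"; exit 1; }` would stop the setup there.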
diff --git a/testdata/ede.tdir/ede.test b/testdata/ede.tdir/ede.test
new file mode 100644
index 000000000000..5d478bd49cb2
--- /dev/null
+++ b/testdata/ede.tdir/ede.test
@@ -0,0 +1,72 @@
+# #-- ede.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+
+# DNSSEC failure: Signature Expired or DNSKEY Missing (depending on the servfail configuration)
+dig @127.0.0.1 -p $UNBOUND_PORT servfail.nl > servfail.txt
+
+# DNSSEC failure: key not incepted
+dig @127.0.0.1 -p $UNBOUND_PORT notyetincepted.dnssec-failures.test. TXT +dnssec > sig_notyetincepted.txt
+
+if ! grep -q -e "OPT=15: 00 08" -e "EDE: 8" sig_notyetincepted.txt
+then
+ echo "Signature not yet valid does not return EDE Signature Not Yet Valid"
+ cat sig_notyetincepted.txt
+ exit 1
+fi
+
+# DNSSEC failure: key expired
+dig @127.0.0.1 -p $UNBOUND_PORT expired.dnssec-failures.test. TXT +dnssec > sig_expired.txt
+
+if ! grep -q -e "OPT=15: 00 07" -e "EDE: 7" sig_expired.txt
+then
+ echo "Expired signature does not return EDE Signature expired"
+ cat sig_expired.txt
+ exit 1
+fi
+
+# DNSSEC failure: missing rrsigs
+dig @127.0.0.1 -p $UNBOUND_PORT missingrrsigs.dnssec-failures.test. TXT +dnssec > missingrrsigs.txt
+
+if ! grep -q -e "OPT=15: 00 0a" -e "EDE: 10" missingrrsigs.txt
+then
+ echo "Expired signature does not return EDE RRSIGs missing"
+ cat missingrrsigs.txt
+ exit 1
+fi
+
+# signed zone with DNSKEY missing
+dig @127.0.0.1 -p $UNBOUND_PORT dnskey-failures.test > dnskey-failure.txt
+
+if ! grep -q -e "OPT=15: 00 09" -e "EDE: 9" dnskey-failure.txt
+then
+ echo "Expired signature does not return EDE DNSKEY missing"
+ cat dnskey-failure.txt
+ exit 1
+fi
+
+# signed zone with RRSIGs missing
+dig @127.0.0.1 -p $UNBOUND_PORT rrsig-failures.test > rrsig-failure.txt
+
+if ! grep -q -e "OPT=15: 00 0a" -e "EDE: 10" rrsig-failure.txt
+then
+ echo "Expired signature does not return EDE RRSIGs missing"
+ cat rrsig-failure.txt
+ exit 1
+fi
+
+# signed zone with NSEC missing
+dig @127.0.0.1 -p $UNBOUND_PORT abc.nsec-failures.test > nsec-failure.txt
+
+if ! grep -q -e "OPT=15: 00 0c" -e "EDE: 12" nsec-failure.txt
+then
+ echo "Expired signature does not return EDE NSEC missing"
+ cat nsec-failure.txt
+ exit 1
+fi
+
+
+# @TODO DNSSEC indeterminate when implemented
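Review bot: The first query, `dig @127.0.0.1 -p $UNBOUND_PORT servfail.nl > servfail.txt`, targets a name outside the zones this test sets up, so it depends on outbound resolution, and servfail.txt is never inspected afterwards; it should either be asserted on or removed. The failure messages for the RRSIGs-missing, DNSKEY-missing and NSEC-missing checks are all copy-pasted as "Expired signature does not return EDE ...", which will mislead whoever reads a failing log. Each should name its own case, e.g. `echo "Zone without DNSKEY does not return EDE DNSKEY missing"`. The script also has no final `exit 0`, unlike ipset.post in this commit, so its status is that of the last `grep`.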
diff --git a/testdata/ede_acl_refused.rpl b/testdata/ede_acl_refused.rpl
new file mode 100644
index 000000000000..81c9cd0a071d
--- /dev/null
+++ b/testdata/ede_acl_refused.rpl
@@ -0,0 +1,35 @@
+; config options
+server:
+ access-control: 127.0.0.0/8 refuse
+ ede: yes
+CONFIG_END
+
+SCENARIO_BEGIN Test ede-acl-refused
+; Scenario overview:
+; - query for example.com. A record with EDNS
+; - check that we get a refused answer with EDE (RFC8914) code 18 - Prohibited
+
+; Query without RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; Check that we got ede 18
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ede=18
+ REPLY QR RD REFUSED
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END
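Review bot: The comment `; Query without RD flag` above STEP 1 contradicts the entry below it, which sets `REPLY RD`; it looks copied from the cache-snoop scenario and should read `; Query with RD flag`. In ede_localzone_dname_expansion.rpl the STEP 10 comment `(should be cached)` is similarly stale, since nothing in that scenario populates a cache and the answer appears to come from the `local-data` CNAME. Stale comments in replay files matter because the comment is often the only statement of what the step is meant to prove.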
diff --git a/testdata/ede_cache_snoop_noth_auth.rpl b/testdata/ede_cache_snoop_noth_auth.rpl
new file mode 100644
index 000000000000..d243fdde00ac
--- /dev/null
+++ b/testdata/ede_cache_snoop_noth_auth.rpl
@@ -0,0 +1,33 @@
+; config options
+server:
+ ede: yes
+CONFIG_END
+
+SCENARIO_BEGIN Test ede-cache-snoop-not-authoritative
+; Scenario overview:
+; - query for example.com. A record with EDNS without the RD bit
+; - check that we get a refused answer with EDE (RFC8914) code 20 - Not Authoritative
+
+; Query without RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; Check that we got ede 20
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ede=20
+ REPLY QR RA REFUSED
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/ede_localzone_dname_expansion.rpl b/testdata/ede_localzone_dname_expansion.rpl
new file mode 100644
index 000000000000..e0540e4fbf1d
--- /dev/null
+++ b/testdata/ede_localzone_dname_expansion.rpl
@@ -0,0 +1,37 @@
+; config options
+server:
+ local-zone: example.com redirect
+ local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa."
+ ede: yes
+
+CONFIG_END
+
+SCENARIO_BEGIN Test ede-localzone-dname-expansion
+; Scenario overview:
+; - query for www.qhqwer.qwer.qwer.h.example.com. (a large Qname) A record with EDNS
+; - check that we get a YXDOMAIN answer with EDE (RFC8914) code 0 - Other (which adds a DNAME expansion message)
+
+; Query with RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ www.qhqwer.qwer.qwer.h.example.com A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; Check that we got the correct answer (should be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ede=0
+ REPLY QR AA RD RA YXDOMAIN
+ SECTION QUESTION
+ www.qhqwer.qwer.qwer.h.example.com A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END
diff --git a/testdata/edns_keepalive.rpl b/testdata/edns_keepalive.rpl
index 9d00b6cf762a..97c8f2ccaa46 100644
--- a/testdata/edns_keepalive.rpl
+++ b/testdata/edns_keepalive.rpl
@@ -47,14 +47,10 @@ STEP 1 QUERY
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
- MATCH TCP ednsdata
+ MATCH TCP
REPLY RD FORMERR
SECTION QUESTION
www.example.com. IN A
- SECTION ADDITIONAL
- HEX_EDNSDATA_BEGIN
- ; Empty
- HEX_EDNSDATA_END
ENTRY_END
STEP 20 QUERY
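Review bot: Dropping `ednsdata` from `MATCH TCP ednsdata` and removing the empty `HEX_EDNSDATA` block means STEP 10 no longer asserts anything about the EDNS options on the FORMERR reply, and nothing visible in the hunk or the commit record explains why the check was relaxed. If the reply may now legitimately carry an option, a comment such as `; EDNS options not matched here: reply may carry an EDE option` would record that; if not, the original match should stay so the keepalive behaviour remains covered. The scenario around this entry lies outside the hunk.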
diff --git a/testdata/ipset.tdir/ipset.conf b/testdata/ipset.tdir/ipset.conf
new file mode 100644
index 000000000000..7cc34912dd2f
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.conf
@@ -0,0 +1,23 @@
+server:
+ verbosity: 3
+ num-threads: 1
+ module-config: "ipset iterator"
+ outgoing-range: 16
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ local-zone: "example.net." ipset
+stub-zone:
+ name: "example.net."
+ stub-addr: "127.0.0.1@@TOPORT@"
+stub-zone:
+ name: "example.com."
+ stub-addr: "127.0.0.1@@TOPORT@"
+ipset:
+ name-v4: atotallymadeupnamefor4
+ name-v6: atotallymadeupnamefor6
diff --git a/testdata/ipset.tdir/ipset.dsc b/testdata/ipset.tdir/ipset.dsc
new file mode 100644
index 000000000000..b7792b7e0188
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.dsc
@@ -0,0 +1,16 @@
+BaseName: ipset
+Version: 1.0
+Description: mock test ipset module
+CreationDate: Wed Mar 2 13:00:38 CET 2022
+Maintainer: George Thessalonikefs
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: ipset.pre
+Post: ipset.post
+Test: ipset.test
+AuxFiles:
+Passed:
+Failure:
diff --git a/testdata/ipset.tdir/ipset.post b/testdata/ipset.tdir/ipset.post
new file mode 100644
index 000000000000..7af512a4d374
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.post
@@ -0,0 +1,14 @@
+# #-- ipset.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+PRE="../.."
+if grep "define USE_IPSET 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+cat unbound.log
+exit 0
diff --git a/testdata/ipset.tdir/ipset.pre b/testdata/ipset.tdir/ipset.pre
new file mode 100644
index 000000000000..ee1aedc70937
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.pre
@@ -0,0 +1,33 @@
+# #-- ipset.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+
+PRE="../.."
+if grep "define USE_IPSET 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT ipset.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < ipset.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
diff --git a/testdata/ipset.tdir/ipset.test b/testdata/ipset.tdir/ipset.test
new file mode 100644
index 000000000000..9150e5e3f0bf
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.test
@@ -0,0 +1,155 @@
+# #-- ipset.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+. ../common.sh
+PRE="../.."
+if grep "define USE_IPSET 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi
+
+# Make all the queries. They need to succeed by the way.
+echo "> dig www.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile
+echo "> check answer"
+if grep "1.1.1.1" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+echo "> check ipset"
+if grep "ipset: add 1.1.1.1 to atotallymadeupnamefor4 for www.example.net." unbound.log; then
+ echo "ipset OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> dig www.example.net. AAAA"
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. AAAA | tee outfile
+echo "> check answer"
+if grep "::1" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+echo "> check ipset"
+if grep "ipset: add ::1 to atotallymadeupnamefor6 for www.example.net." unbound.log; then
+ echo "ipset OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> dig cname.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT cname.example.net. | tee outfile
+echo "> check answer"
+if grep "2.2.2.2" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+echo "> check ipset"
+if grep "ipset: add 2.2.2.2 to atotallymadeupnamefor4 for target.example.net." unbound.log; then
+ echo "ipset OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> dig cname.example.net. AAAA"
+dig @127.0.0.1 -p $UNBOUND_PORT cname.example.net. AAAA | tee outfile
+echo "> check answer"
+if grep "::2" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+echo "> check ipset"
+if grep "ipset: add ::2 to atotallymadeupnamefor6 for target.example.net." unbound.log; then
+ echo "ipset OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> dig outsidecname.example.net."
+dig @127.0.0.1 -p $UNBOUND_PORT outsidecname.example.net. | tee outfile
+echo "> check answer"
+if grep "3.3.3.3" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+echo "> check ipset"
+if grep "ipset: add 3.3.3.3 to atotallymadeupnamefor4 for target.example.com." unbound.log; then
+ echo "ipset OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> dig outsidecname.example.net. AAAA"
+dig @127.0.0.1 -p $UNBOUND_PORT outsidecname.example.net. AAAA | tee outfile
+echo "> check answer"
+if grep "::3" outfile; then
+ echo "OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+echo "> check ipset"
+if grep "ipset: add ::3 to atotallymadeupnamefor6 for target.example.com." unbound.log; then
+ echo "ipset OK"
+else
+ echo "> cat logfiles"
+ cat fwd.log
+ cat unbound.log
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> cat logfiles"
+cat tap.log
+cat tap.errlog
+cat fwd.log
+echo "> OK"
+exit 0
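Review bot: The answer and log checks use plain regex `grep`, so in `grep "1.1.1.1" outfile` every dot matches any character, and `grep "::1" outfile` passes on any line that merely contains that substring. `grep -F` would pin the literal text, e.g. `grep -F "ipset: add 1.1.1.1 to atotallymadeupnamefor4 for www.example.net." unbound.log`, so a wrong address cannot satisfy the assertion. The closing block also cats `tap.log` and `tap.errlog`, which neither ipset.pre nor this script creates; that looks carried over from another test and was probably meant to be `cat unbound.log`. The six identical failure branches could share one small helper that dumps fwd.log and unbound.log and exits 1.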
diff --git a/testdata/ipset.tdir/ipset.testns b/testdata/ipset.tdir/ipset.testns
new file mode 100644
index 000000000000..2b626e915ea7
--- /dev/null
+++ b/testdata/ipset.tdir/ipset.testns
@@ -0,0 +1,103 @@
+; nameserver test file
+$ORIGIN example.net.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 1.1.1.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN AAAA
+SECTION ANSWER
+www IN AAAA ::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+cname IN A
+SECTION ANSWER
+cname IN CNAME target.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+cname IN AAAA
+SECTION ANSWER
+cname IN CNAME target.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+outsidecname IN A
+SECTION ANSWER
+outsidecname IN CNAME target.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+outsidecname IN AAAA
+SECTION ANSWER
+outsidecname IN CNAME target.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+target IN A
+SECTION ANSWER
+target IN A 2.2.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+target IN AAAA
+SECTION ANSWER
+target IN AAAA ::2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+target.example.com. IN A
+SECTION ANSWER
+target.example.com. IN A 3.3.3.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+target.example.com. IN AAAA
+SECTION ANSWER
+target.example.com. IN AAAA ::3
+ENTRY_END
diff --git a/testdata/iter_cname_minimise.rpl b/testdata/iter_cname_minimise.rpl
new file mode 100644
index 000000000000..b61c3e344684
--- /dev/null
+++ b/testdata/iter_cname_minimise.rpl
@@ -0,0 +1,179 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: yes
+ module-config: "iterator"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test cname chain resolution with qname minimisation.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.44
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.44
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+www.example.com. IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 300 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com IN A 1.2.3.44
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c.example.com. IN A
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c.example.com. IN CNAME
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+c.example.com. IN CNAME
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+c.example.com. IN CNAME
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+c.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+c.example.com. IN A
+SECTION ANSWER
+c.example.com. 10 IN CNAME www.example.com.
+www.example.com. 300 IN A 10.20.30.40
+ENTRY_END
+
+SCENARIO_END
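Review bot: In the `www.example.com. IN A` entry of the ns.example.com range, the additional-section record `ns.example.com IN A 1.2.3.44` has no trailing dot, unlike every other owner name in the file. Whether the replay parser treats it as absolute depends on its origin handling, which this hunk does not show, so the glue may end up under a different name than intended. I would write it as `ns.example.com. IN A 1.2.3.44`.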
diff --git a/testdata/iter_dp_ip6useless.rpl b/testdata/iter_dp_ip6useless.rpl
new file mode 100644
index 000000000000..9a7746e118ed
--- /dev/null
+++ b/testdata/iter_dp_ip6useless.rpl
@@ -0,0 +1,168 @@
+; config options
+server:
+ do-ip6: no
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator when doip6 is no and dp is useless with only ip6
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+; short TTL here, so it can expire
+ns.example.com. 1 IN A 1.2.3.4
+ns.example.com. 100 IN AAAA ::53
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+; short TTL here, so it can expire
+ns.example.com. 1 IN A 1.2.3.4
+ns.example.com. 100 IN AAAA ::53
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+; short TTL
+ns.example.com. 1 IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION ANSWER
+ns.example.com. IN AAAA ::53
+ENTRY_END
+
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+mail.example.com. IN A
+SECTION ANSWER
+mail.example.com. IN A 10.20.30.50
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+ENTRY_END
+
+STEP 20 TIME_PASSES ELAPSE 5.0
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+mail.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+mail.example.com. IN A
+SECTION ANSWER
+mail.example.com. IN A 10.20.30.50
+ENTRY_END
+
+SCENARIO_END
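Review bot: `STEP 20 TIME_PASSES ELAPSE 5.0` has no comment, yet it is the mechanism of the whole scenario. By then the glue `ns.example.com. 1 IN A 1.2.3.4` has expired while `ns.example.com. 100 IN AAAA ::53` is still cached, which with `do-ip6: no` leaves the delegation with only an unusable address. I would add above it `; A glue (TTL 1) has expired; only the AAAA (TTL 100) remains, unusable with do-ip6: no`. Presumably STEP 40 then asserts that the resolver recovers by re-fetching the A record; a one-line comment before it saying so would make the expected behaviour explicit.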
diff --git a/testdata/nsid_bogus.rpl b/testdata/nsid_bogus.rpl
index 1414163f8a6a..7e92266cfa49 100644
--- a/testdata/nsid_bogus.rpl
+++ b/testdata/nsid_bogus.rpl
@@ -9,6 +9,7 @@ server:
trust-anchor-signaling: no
minimal-responses: no
nsid: "ascii_hopsa kidee"
+ ede: yes
stub-zone:
name: "."
@@ -157,7 +158,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
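Review bot: The bare number in `MATCH all ede=9` does not tell a reader which Extended DNS Error the test expects; a comment above the step such as `; EDE 9 = DNSKEY Missing (RFC 8914)` would make the assertion self-explanatory. The same applies to the other codes this commit adds. These are `ede=6` (DNSSEC Bogus) in root_key_sentinel.rpl and val_cnametoposnowc.rpl, `ede=3` (Stale Answer) in the serve_expired*.rpl and serve_original_ttl.rpl hunks, `ede=9` in val_cnametocloser_nosig.rpl, and `ede=10` (RRSIGs Missing) in val_cnametonodata_nonsec.rpl and val_deleg_nons.rpl. The CHECK_ANSWER entry continues past the end of this hunk.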
diff --git a/testdata/root_key_sentinel.rpl b/testdata/root_key_sentinel.rpl
index 2310953adf0f..39bd9685c293 100644
--- a/testdata/root_key_sentinel.rpl
+++ b/testdata/root_key_sentinel.rpl
@@ -4,6 +4,7 @@ server:
val-override-date: "20180423171826"
target-fetch-policy: "0 0 0 0 0"
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -138,7 +139,7 @@ ENTRY_END
; recursion happens here.
STEP 22 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
root-key-sentinel-not-ta-19036. IN A
@@ -154,7 +155,7 @@ ENTRY_END
; recursion happens here.
STEP 33 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
root-key-sentinel-is-ta-20326. IN A
diff --git a/testdata/rpz_passthru.rpl b/testdata/rpz_passthru.rpl
new file mode 100644
index 000000000000..5c8557547692
--- /dev/null
+++ b/testdata/rpz_passthru.rpl
@@ -0,0 +1,154 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ access-control: 192.0.0.0/8 allow
+
+rpz:
+ name: "rpz.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
+ rpz-action-override: passthru
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+c.a TXT "local data 1st zone"
+d.a A 127.0.0.1
+TEMPFILE_END
+
+rpz:
+ name: "wl.example.com."
+ rpz-log: yes
+ rpz-log-name: "wl.example.com"
+ zonefile:
+TEMPFILE_NAME wl.example.com
+TEMPFILE_CONTENTS wl.example.com
+$ORIGIN example.com.
+wl 3600 IN SOA ns1.wl.example.com. hostmaster.wl.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.wl.example.com.
+ 3600 IN NS ns2.wl.example.com.
+$ORIGIN wl.example.com.
+e.a CNAME rpz-passthru.
+TEMPFILE_END
+
+rpz:
+ name: "rpz2.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz2.example.com"
+ rpz-action-override: nxdomain
+ zonefile:
+TEMPFILE_NAME rpz2.example.com
+TEMPFILE_CONTENTS rpz2.example.com
+$ORIGIN example.com.
+rpz2 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz2.example.com.
+c.a TXT "local data 2nd zone"
+24.0.5.0.192.rpz-client-ip A 127.0.0.1
+24.0.5.0.192.rpz-client-ip TXT "clientip 2nd zone"
+24.0.3.2.1.rpz-ip A 127.0.0.2
+TEMPFILE_END
+
+stub-zone:
+ name: "a."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ passthru ends processing for later triggers.
+
+; a.
+RANGE_BEGIN 0 1000
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c.a. IN TXT
+SECTION ANSWER
+c.a. IN TXT "answer from upstream ns"
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+e.a. IN A
+SECTION ANSWER
+e.a. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+c.a. IN TXT
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+c.a. IN TXT
+SECTION ANSWER
+c.a. IN TXT "answer from upstream ns"
+ENTRY_END
+
+STEP 20 QUERY ADDRESS 192.0.2.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+
+STEP 30 QUERY ADDRESS 192.0.2.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+e.a. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+e.a. IN A
+SECTION ANSWER
+e.a. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
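Review bot: Nothing in the scenario shows that the later triggers in rpz2.example.com would fire on their own, so STEP 11, 21 and 31 would also pass if that zone failed to load or its `rpz-client-ip` and `rpz-ip` records never matched. A negative-control step would tie the upstream answers to passthru actually ending processing: for example a query from 192.0.5.1 for a name that neither rpz.example.com nor wl.example.com lists, expected to receive the `nxdomain` override (the exact reply flags cannot be derived from this hunk). A one-line comment before each QUERY naming the trigger being bypassed would also help. Presumably that is the client-ip trigger for STEP 10 and `24.0.3.2.1.rpz-ip` for the 1.2.3.4 answers in STEP 20 and 30.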
diff --git a/testdata/rpz_qname.rpl b/testdata/rpz_qname.rpl
index ede6972331d0..aae55b57310b 100644
--- a/testdata/rpz_qname.rpl
+++ b/testdata/rpz_qname.rpl
@@ -6,6 +6,8 @@ server:
rpz:
name: "rpz.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
zonefile:
TEMPFILE_NAME rpz.example.com
TEMPFILE_CONTENTS rpz.example.com
@@ -20,10 +22,13 @@ a CNAME *. ; duplicate CNAME here on purpose
*.a TXT "wildcard local data"
b.a CNAME *.
c.a CNAME rpz-passthru.
+c.g CNAME rpz-passthru.
TEMPFILE_END
rpz:
name: "rpz2.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz2.example.com"
zonefile:
TEMPFILE_NAME rpz2.example.com
TEMPFILE_CONTENTS rpz2.example.com
@@ -39,6 +44,7 @@ e CNAME *.a.example.
*.e CNAME *.b.example.
drop CNAME rpz-drop.
tcp CNAME rpz-tcp-only.
+c.g CNAME .
TEMPFILE_END
stub-zone:
@@ -50,6 +56,9 @@ stub-zone:
stub-zone:
name: "tcp."
stub-addr: 10.20.30.60
+stub-zone:
+ name: "g."
+ stub-addr: 10.20.30.40
CONFIG_END
SCENARIO_BEGIN Test all support RPZ action for QNAME trigger
@@ -89,6 +98,16 @@ SECTION ANSWER
x.b.a. IN TXT "answer from upstream ns"
ENTRY_END
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c.g. IN TXT
+SECTION ANSWER
+c.g. IN TXT "answer from upstream ns"
+ENTRY_END
+
RANGE_END
; example.
@@ -396,5 +415,23 @@ f.example. IN CNAME d.
d. IN TXT "local data 2nd zone"
ENTRY_END
+; check if passthru ends processing
+STEP 110 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+c.g. IN TXT
+ENTRY_END
+
+STEP 111 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+c.g. IN TXT
+SECTION ANSWER
+c.g. IN TXT "answer from upstream ns"
+ENTRY_END
+
; no answer is checked at exit of testbound.
SCENARIO_END
diff --git a/testdata/serve_expired.rpl b/testdata/serve_expired.rpl
index 167470335212..3f61019fa89f 100644
--- a/testdata/serve_expired.rpl
+++ b/testdata/serve_expired.rpl
@@ -5,6 +5,8 @@ server:
minimal-responses: no
serve-expired: yes
access-control: 127.0.0.1/32 allow_snoop
+ ede: yes
+ ede-serve-expired: yes
stub-zone:
name: "example.com"
@@ -78,6 +80,7 @@ STEP 11 TIME_PASSES ELAPSE 3601
; Query again without RD bit
STEP 30 QUERY
ENTRY_BEGIN
+ REPLY DO
SECTION QUESTION
example.com. IN A
ENTRY_END
@@ -85,8 +88,8 @@ ENTRY_END
; Check that we got a stale answer
STEP 40 CHECK_ANSWER
ENTRY_BEGIN
- MATCH all ttl
- REPLY QR RA NOERROR
+ MATCH all ttl ede=3
+ REPLY QR RA DO NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
diff --git a/testdata/serve_expired_client_timeout.rpl b/testdata/serve_expired_client_timeout.rpl
index 3f3163afb823..5560aa05a8dd 100644
--- a/testdata/serve_expired_client_timeout.rpl
+++ b/testdata/serve_expired_client_timeout.rpl
@@ -6,6 +6,8 @@ server:
serve-expired: yes
serve-expired-client-timeout: 1
serve-expired-reply-ttl: 123
+ ede: yes
+ ede-serve-expired: yes
stub-zone:
name: "example.com"
@@ -83,7 +85,7 @@ STEP 11 TIME_PASSES ELAPSE 3600
; Query again
STEP 30 QUERY
ENTRY_BEGIN
- REPLY RD
+ REPLY RD DO
SECTION QUESTION
example.com. IN A
ENTRY_END
@@ -94,8 +96,8 @@ STEP 31 TIME_PASSES ELAPSE 1
; Check that we got a stale answer
STEP 40 CHECK_ANSWER
ENTRY_BEGIN
- MATCH all ttl
- REPLY QR RD RA NOERROR
+ MATCH all ttl ede=3
+ REPLY QR RD RA DO NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
diff --git a/testdata/serve_expired_reply_ttl.rpl b/testdata/serve_expired_reply_ttl.rpl
index c45b8383e390..124fb874df0e 100644
--- a/testdata/serve_expired_reply_ttl.rpl
+++ b/testdata/serve_expired_reply_ttl.rpl
@@ -5,6 +5,8 @@ server:
minimal-responses: no
serve-expired: yes
serve-expired-reply-ttl: 123
+ ede: yes
+ ede-serve-expired: yes
stub-zone:
name: "example.com"
@@ -77,7 +79,7 @@ STEP 11 TIME_PASSES ELAPSE 3601
; Query again
STEP 30 QUERY
ENTRY_BEGIN
- REPLY RD
+ REPLY RD DO
SECTION QUESTION
example.com. IN A
ENTRY_END
@@ -85,8 +87,8 @@ ENTRY_END
; Check that we got a stale answer
STEP 40 CHECK_ANSWER
ENTRY_BEGIN
- MATCH all ttl
- REPLY QR RD RA NOERROR
+ MATCH all ttl ede=3
+ REPLY QR RD RA DO NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
diff --git a/testdata/serve_expired_servfail.rpl b/testdata/serve_expired_servfail.rpl
index 80ffcde74666..6e3192ef081c 100644
--- a/testdata/serve_expired_servfail.rpl
+++ b/testdata/serve_expired_servfail.rpl
@@ -7,6 +7,8 @@ server:
serve-expired-client-timeout: 1800
serve-expired-reply-ttl: 123
log-servfail: yes
+ ede: yes
+ ede-serve-expired: yes
stub-zone:
@@ -94,7 +96,7 @@ STEP 11 TIME_PASSES ELAPSE 3601
; Query again
STEP 30 QUERY
ENTRY_BEGIN
- REPLY RD
+ REPLY RD DO
SECTION QUESTION
example.com. IN A
ENTRY_END
@@ -102,8 +104,8 @@ ENTRY_END
; Check that we got a stale answer
STEP 40 CHECK_ANSWER
ENTRY_BEGIN
- MATCH all ttl
- REPLY QR RD RA NOERROR
+ MATCH all ttl ede=3
+ REPLY QR RD RA DO NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
diff --git a/testdata/serve_expired_zerottl.rpl b/testdata/serve_expired_zerottl.rpl
index 846435f3841c..0239b4a19440 100644
--- a/testdata/serve_expired_zerottl.rpl
+++ b/testdata/serve_expired_zerottl.rpl
@@ -5,6 +5,8 @@ server:
minimal-responses: no
serve-expired: yes
serve-expired-reply-ttl: 123
+ ede: yes
+ ede-serve-expired: yes
stub-zone:
name: "example.com"
@@ -128,7 +130,7 @@ STEP 30 TIME_PASSES ELAPSE 11
; Query with RD flag
STEP 40 QUERY
ENTRY_BEGIN
- REPLY RD
+ REPLY RD DO
SECTION QUESTION
example.com. IN A
ENTRY_END
@@ -136,8 +138,8 @@ ENTRY_END
; Check that we got the correct answer
STEP 49 CHECK_ANSWER
ENTRY_BEGIN
- MATCH all ttl
- REPLY QR RD RA NOERROR
+ MATCH all ttl ede=3
+ REPLY QR RD RA DO NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
diff --git a/testdata/serve_original_ttl.rpl b/testdata/serve_original_ttl.rpl
index 630fb39a4ef0..24d01b6fee1e 100644
--- a/testdata/serve_original_ttl.rpl
+++ b/testdata/serve_original_ttl.rpl
@@ -9,6 +9,8 @@ server:
cache-min-ttl: 20
serve-expired: yes
serve-expired-reply-ttl: 123
+ ede: yes
+ ede-serve-expired: yes
stub-zone:
name: "example.com"
@@ -110,7 +112,7 @@ STEP 31 TIME_PASSES ELAPSE 3601
; Query again
STEP 40 QUERY
ENTRY_BEGIN
- REPLY
+ REPLY DO
SECTION QUESTION
example.com. IN A
ENTRY_END
@@ -118,8 +120,8 @@ ENTRY_END
; Check that we got a stale answer with the original TTL
STEP 50 CHECK_ANSWER
ENTRY_BEGIN
- MATCH all ttl
- REPLY QR RA NOERROR
+ MATCH all ttl ede=3
+ REPLY QR RA DO NOERROR
SECTION QUESTION
example.com. IN A
SECTION ANSWER
diff --git a/testdata/subnet_prefetch.crpl b/testdata/subnet_prefetch.crpl
new file mode 100644
index 000000000000..7083aba6a563
--- /dev/null
+++ b/testdata/subnet_prefetch.crpl
@@ -0,0 +1,215 @@
+; Check if the prefetch option works properly for messages stored in the global
+; cache for non-ECS clients. The prefetch query needs to result in an ECS
+; outgoing query based on the client's IP.
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 21
+ module-config: "subnetcache iterator"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+ serve-expired: yes
+ prefetch: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test prefetch option for global cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 11 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 07 ; option length
+ 00 01 ; Family
+ 15 00 ; source mask, scopemask
+ 7f 00 00 ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This answer should be in the global cache
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Try to trigger a prefetch
+STEP 3 TIME_PASSES ELAPSE 11
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This expired record came from the cache and a prefetch is triggered
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 30 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3589 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3589 IN A 1.2.3.4
+ENTRY_END
+
+; Allow upstream to reply to the prefetch query.
+; It can only be answered if correct ECS was derived from the client's IP.
+; Otherwise the test will fail with "messages pending".
+STEP 13 TRAFFIC
+
+SCENARIO_END
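Review bot: In both ns.example.com ranges the `example.com. IN NS` entry carries a `HEX_EDNSDATA_BEGIN`/`HEX_EDNSDATA_END` block commented "we expect to receive empty", but its `MATCH opcode qtype qname` line lacks `ednsdata`, unlike the root and gtld entries. As far as the hunk shows, that expectation is therefore never enforced. Because `send-client-subnet: 1.2.3.4` names this very server, queries to it would presumably carry ECS, which makes the comment misleading. Either drop the block from those two entries or replace the comment with what is really expected, e.g. `;; ECS is sent to this server; EDNS data is not matched here`. The same block appears in subnet_prefetch_with_client_ecs.crpl.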
diff --git a/testdata/subnet_prefetch_with_client_ecs.crpl b/testdata/subnet_prefetch_with_client_ecs.crpl
new file mode 100644
index 000000000000..b0410255e85d
--- /dev/null
+++ b/testdata/subnet_prefetch_with_client_ecs.crpl
@@ -0,0 +1,221 @@
+; Check if the prefetch option works properly for messages stored in the global
+; cache for ECS clients. The prefetch query needs to result in an ECS
+; outgoing query using the client's ECS data.
+
+server:
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ send-client-subnet: 1.2.3.4
+ max-client-subnet-ipv4: 21
+ module-config: "subnetcache iterator"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+ serve-expired: yes
+ prefetch: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test prefetch option for global cache
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 10
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. 10 IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 11 100
+ ADDRESS 1.2.3.4
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN NS
+ SECTION ANSWER
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ;; we expect to receive empty
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+
+ ; response to query of interest
+ ENTRY_BEGIN
+ MATCH opcode qtype qname ednsdata
+ ADJUST copy_id copy_ednsdata_assume_clientsubnet
+ REPLY QR NOERROR
+ SECTION QUESTION
+ www.example.com. IN A
+ SECTION ANSWER
+ www.example.com. IN A 10.20.30.40
+ SECTION AUTHORITY
+ example.com. IN NS ns.example.com.
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ ; client is 127.0.0.1
+ 00 08 ; OPC
+ 00 05 ; option length
+ 00 01 ; Family
+ 08 00 ; source mask, scopemask
+ 7f ; address
+ HEX_EDNSDATA_END
+ ns.example.com. IN A 1.2.3.4
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; This answer should be in the global cache
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+; Try to trigger a prefetch
+STEP 3 TIME_PASSES ELAPSE 11
+
+STEP 11 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+www.example.com. IN A
+SECTION ADDITIONAL
+HEX_EDNSDATA_BEGIN
+ 00 08 00 05 ; OPC, optlen
+ 00 01 08 00 ; ip4, source 8, scope 0
+ 7f ; 127.0.0.0/8
+HEX_EDNSDATA_END
+ENTRY_END
+
+; This expired record came from the cache and a prefetch is triggered
+STEP 12 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all ttl
+REPLY QR RD RA DO NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 30 IN A 10.20.30.40
+SECTION AUTHORITY
+example.com. 3589 IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. 3589 IN A 1.2.3.4
+ENTRY_END
+
+; Allow upstream to reply to the prefetch query.
+; It can only be answered if correct ECS was derived from the client's IP.
+; Otherwise the test will fail with "messages pending".
+STEP 13 TRAFFIC
+
+SCENARIO_END
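Review bot: Two comments in this file still describe the non-ECS variant and contradict the header, which says the outgoing query must use the client's ECS data. The expected option is source mask `08` with address `7f`, so `; client is 127.0.0.1` would read better as `; client ECS is 127.0.0.0/8`. The closing comment before STEP 13 should say `; It can only be answered if the client's ECS option was used for the prefetch.` rather than "derived from the client's IP". The `SCENARIO_BEGIN` title is also identical to the one in subnet_prefetch.crpl; something like `Test prefetch option for global cache with client ECS` would keep the two apart in test output.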
diff --git a/testdata/val_cnametocloser_nosig.rpl b/testdata/val_cnametocloser_nosig.rpl
index cfd0d72c8f46..6a0552ec5404 100644
--- a/testdata/val_cnametocloser_nosig.rpl
+++ b/testdata/val_cnametocloser_nosig.rpl
@@ -5,6 +5,7 @@ server:
val-override-date: "20091113091234"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
forward-zone:
name: "."
@@ -88,7 +89,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN AAAA
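Review bot: The expected code in `MATCH all ede=9` at STEP 10 is a bare number with nothing saying which failure it stands for, so a reader cannot check that the resolver reports the right DNSSEC reason without looking up RFC 8914. A comment above the matcher such as `; expect EDE 9 (DNSKEY Missing, RFC 8914)` would make the intent reviewable. The same applies to the other `MATCH all ede=N` lines in the val_*.rpl hunks of this diff, which use 6 (DNSSEC Bogus), 7 (Signature Expired), 10 (RRSIGs Missing) and 12 (NSEC Missing). The scenario that produces the failure lies outside this hunk, so whether 9 is the right code for a test named for a missing signature cannot be confirmed from here.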
diff --git a/testdata/val_cnametonodata_nonsec.rpl b/testdata/val_cnametonodata_nonsec.rpl
index c1346ceb491d..48158162cba6 100644
--- a/testdata/val_cnametonodata_nonsec.rpl
+++ b/testdata/val_cnametonodata_nonsec.rpl
@@ -8,6 +8,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -254,12 +255,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=10
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
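Review bot: The empty `SECTION ADDITIONAL` header is dropped from the STEP 10 expectation in the same edit that adds `ede=10`, and nothing in the hunk says why. If the `ede=` matcher requires the expected packet to have no additional section, a one-line `;` comment above `ENTRY_END` saying so would stop someone from restoring the header later. If the removal is only cleanup, it would read more clearly as a separate change. The same removal of empty section headers recurs in the later val_*.rpl hunks (`SECTION AUTHORITY` and `SECTION ADDITIONAL` in most, `SECTION ANSWER` in val_ds_cname.rpl).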
diff --git a/testdata/val_cnametoposnowc.rpl b/testdata/val_cnametoposnowc.rpl
index 343c3e2bbed8..2975bd8d2a03 100644
--- a/testdata/val_cnametoposnowc.rpl
+++ b/testdata/val_cnametoposnowc.rpl
@@ -8,6 +8,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -253,13 +254,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
-SECTION AUTHORITY
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_deleg_nons.rpl b/testdata/val_deleg_nons.rpl
index 6e8f1bd83791..82348d95b7f9 100644
--- a/testdata/val_deleg_nons.rpl
+++ b/testdata/val_deleg_nons.rpl
@@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -261,7 +262,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=10
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
foo.www.example.com. IN A
diff --git a/testdata/val_dnamewc.rpl b/testdata/val_dnamewc.rpl
index b011af88a4de..1a0e41ecff0b 100644
--- a/testdata/val_dnamewc.rpl
+++ b/testdata/val_dnamewc.rpl
@@ -8,6 +8,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -256,13 +257,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
-SECTION AUTHORITY
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_ds_cname.rpl b/testdata/val_ds_cname.rpl
index 7c3e41be3560..3b88fb5a25a6 100644
--- a/testdata/val_ds_cname.rpl
+++ b/testdata/val_ds_cname.rpl
@@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -195,11 +196,10 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=10
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
-SECTION ANSWER
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_faildnskey.rpl b/testdata/val_faildnskey.rpl
index 4c3139ac5e01..528082120968 100644
--- a/testdata/val_faildnskey.rpl
+++ b/testdata/val_faildnskey.rpl
@@ -7,6 +7,7 @@ server:
# test that default value of harden-dnssec-stripped is still yes.
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -160,7 +161,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
diff --git a/testdata/val_nodata_failsig.rpl b/testdata/val_nodata_failsig.rpl
index f1be6636c1e9..0c4426bc1054 100644
--- a/testdata/val_nodata_failsig.rpl
+++ b/testdata/val_nodata_failsig.rpl
@@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -154,13 +155,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
-SECTION AUTHORITY
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_nodata_failwc.rpl b/testdata/val_nodata_failwc.rpl
index f9c810951afe..3aa8212c8932 100644
--- a/testdata/val_nodata_failwc.rpl
+++ b/testdata/val_nodata_failwc.rpl
@@ -7,6 +7,8 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
+
stub-zone:
name: "nsecwc.nlnetlabs.nl"
stub-addr: "185.49.140.60"
@@ -60,13 +62,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
_25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA
SECTION ANSWER
-SECTION AUTHORITY
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_nokeyprime.rpl b/testdata/val_nokeyprime.rpl
index 4675a382bc99..5d3727420799 100644
--- a/testdata/val_nokeyprime.rpl
+++ b/testdata/val_nokeyprime.rpl
@@ -6,6 +6,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -153,7 +154,7 @@ ENTRY_END
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
diff --git a/testdata/val_nsec3_b1_nameerror_nowc.rpl b/testdata/val_nsec3_b1_nameerror_nowc.rpl
index 6c77421a2603..0ff135af6bba 100644
--- a/testdata/val_nsec3_b1_nameerror_nowc.rpl
+++ b/testdata/val_nsec3_b1_nameerror_nowc.rpl
@@ -6,6 +6,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -133,7 +134,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
a.c.x.w.example. IN A
@@ -145,7 +146,6 @@ SECTION AUTHORITY
; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== )
; b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG )
; b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3 pOv0TSTyiTxIZg== )
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_nsec3_b2_nodata_nons.rpl b/testdata/val_nsec3_b2_nodata_nons.rpl
index 43d815e76e83..b47643b25564 100644
--- a/testdata/val_nsec3_b2_nodata_nons.rpl
+++ b/testdata/val_nsec3_b2_nodata_nons.rpl
@@ -5,6 +5,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -127,13 +128,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=12
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
ns1.example. IN MX
SECTION ANSWER
-SECTION AUTHORITY
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_nsec3_entnodata_optout_badopt.rpl b/testdata/val_nsec3_entnodata_optout_badopt.rpl
index 7bf202e3abbb..b672bd6e6cc2 100644
--- a/testdata/val_nsec3_entnodata_optout_badopt.rpl
+++ b/testdata/val_nsec3_entnodata_optout_badopt.rpl
@@ -6,6 +6,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -186,13 +187,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
ent.example.com. IN A
SECTION ANSWER
-SECTION AUTHORITY
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_nsec3_nods_badsig.rpl b/testdata/val_nsec3_nods_badsig.rpl
index 1c37d21e12f5..79290d659ae7 100644
--- a/testdata/val_nsec3_nods_badsig.rpl
+++ b/testdata/val_nsec3_nods_badsig.rpl
@@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -226,13 +227,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=7
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
SECTION ANSWER
-SECTION AUTHORITY
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
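Review bot: `MATCH all ede=7` at STEP 10 expects Signature Expired (RFC 8914 code 7), which presumably depends on how the RRSIG validity window in the scenario compares with the configured `val-override-date`; both are outside this hunk. For a file named for a bad signature, that dependency is worth stating next to the matcher, along the lines of `; EDE 7: RRSIG is outside its validity window at val-override-date` (wording to be confirmed against the scenario data). Without it, anyone regenerating the signatures or changing the override date has no hint that the expected code will change too.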
diff --git a/testdata/val_nx_failwc.rpl b/testdata/val_nx_failwc.rpl
index eb2f5ba7e421..645a6b4c9728 100644
--- a/testdata/val_nx_failwc.rpl
+++ b/testdata/val_nx_failwc.rpl
@@ -7,6 +7,8 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
+
stub-zone:
name: "nsecwc.nlnetlabs.nl"
stub-addr: "185.49.140.60"
@@ -58,13 +60,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
a.nsecwc.nlnetlabs.nl. IN TXT
SECTION ANSWER
-SECTION AUTHORITY
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_nx_overreach.rpl b/testdata/val_nx_overreach.rpl
index c63d4da5c3d8..e5046bc1a445 100644
--- a/testdata/val_nx_overreach.rpl
+++ b/testdata/val_nx_overreach.rpl
@@ -7,6 +7,7 @@ server:
qname-minimisation: "no"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -154,13 +155,11 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=6
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
-SECTION AUTHORITY
-SECTION ADDITIONAL
ENTRY_END
SCENARIO_END
diff --git a/testdata/val_secds_nosig.rpl b/testdata/val_secds_nosig.rpl
index 453cfa6ad496..69f83a393c10 100644
--- a/testdata/val_secds_nosig.rpl
+++ b/testdata/val_secds_nosig.rpl
@@ -6,6 +6,7 @@ server:
target-fetch-policy: "0 0 0 0 0"
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -223,7 +224,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=10
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.sub.example.com. IN A
diff --git a/testdata/val_ta_algo_missing.rpl b/testdata/val_ta_algo_missing.rpl
index a905c223bb20..9efb24266c05 100644
--- a/testdata/val_ta_algo_missing.rpl
+++ b/testdata/val_ta_algo_missing.rpl
@@ -10,6 +10,7 @@ server:
harden-algo-downgrade: yes
fake-sha1: yes
trust-anchor-signaling: no
+ ede: yes
stub-zone:
name: "."
@@ -165,7 +166,7 @@ ENTRY_END
; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
-MATCH all
+MATCH all ede=9
REPLY QR RD RA DO SERVFAIL
SECTION QUESTION
www.example.com. IN A