authorDag-Erling Smørgrav <des@FreeBSD.org>2017-02-03 13:06:34 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2017-02-03 13:06:34 +0000
commitbd51c20871bac7a49ea0adc443050f2894cfd5f3 (patch)
treec551994131aa8f3315a21aeaf4f9bc2a8b757e89 /testdata
parent27c2fff0f2fef695b0599fc3931cacfc16376e88 (diff)
Notes
Diffstat (limited to 'testdata')
-rw-r--r--testdata/04-checkconf.tpkgbin5127 -> 5169 bytes
-rw-r--r--testdata/09-unbound-control.tpkgbin7028 -> 7433 bytes
-rw-r--r--testdata/local_cname.rpl491
-rw-r--r--testdata/stop_nxdomain_minimised.rpl110
-rw-r--r--testdata/val_cnamewctonodata.rpl2
-rw-r--r--testdata/val_ds_sha2.crpl1
-rw-r--r--testdata/val_ds_sha2_downgrade.crpl1
-rw-r--r--testdata/val_nodata_failsig.rpl4
-rw-r--r--testdata/val_nsec3_wcany.rpl2
-rw-r--r--testdata/val_nsec3_wcany_nodeny.rpl2
-rw-r--r--testdata/views.rpl210
11 files changed, 819 insertions, 4 deletions
diff --git a/testdata/04-checkconf.tpkg b/testdata/04-checkconf.tpkg
index f2ffe3535ff7..c100355de7ba 100644
--- a/testdata/04-checkconf.tpkg
+++ b/testdata/04-checkconf.tpkg
Binary files differ
diff --git a/testdata/09-unbound-control.tpkg b/testdata/09-unbound-control.tpkg
index 62b2097bde5c..d5b11b77f044 100644
--- a/testdata/09-unbound-control.tpkg
+++ b/testdata/09-unbound-control.tpkg
Binary files differ
diff --git a/testdata/local_cname.rpl b/testdata/local_cname.rpl
new file mode 100644
index 000000000000..9f7c4f101ead
--- /dev/null
+++ b/testdata/local_cname.rpl
@@ -0,0 +1,491 @@
+; config options
+server:
+ # put unbound.conf config options here.
+
+ access-control: 127.0.0.1/32 allow_snoop #allow queries with RD bit
+
+ # DNSSEC trust anchor taken from a real world example. Used for
+ # DNSSEC-signed CNAME target.
+ trust-anchor: "infoblox.com. 172800 IN DNSKEY 257 3 5 AwEAAerW6xQkJIb5wxm48RoHD/LE8r/GzmdIGOam0lQczIth+I9ctltV dDJXz5BH8j4TOaOH1gBRCXhsPDyPom/eLEkdUuXNuhV6QnWGHOtz1fuY EO+kBqaI79jR0K31OmevR/H/F3C8gi4T6//6G9qsftvcl6m7+V1vI2+c cgxiiOlMrZZb4YAhue1+tRw57f3aVOSNtcrONO/Jffgb9jbDTKRi33oT fDznyPa1lCWMbuybr/LaCU0LP6fG4BII/FDWFi5rQxMHygWfscdYX06c eGUzHqiuNNGL8Jze6johni71T/hJGtLMozkY7qxOLfWBXOu9kr1MBQh5 6hfibOZMZJM="
+ # Use a fixed and faked date for DNSSEC validation to avoid run-time
+ # re-signing test signatures.
+ val-override-date: "20161001003725"
+
+ define-tag: "cname cname2 nx servfail sec ambiguous"
+ access-control-tag: 127.0.0.1/32 "cname cname2 nx servfail sec"
+
+ # Basic case: one CNAME whose target exists.
+ local-zone: example.com static
+ local-zone-tag: example.com "cname"
+ access-control-tag: 127.0.0.1/32 "cname"
+ access-control-tag-action: 127.0.0.1/32 "cname" redirect
+ access-control-tag-data: 127.0.0.1/32 "cname" "CNAME example.org."
+
+ # Similar to the above, but different original query name.
+ local-zone: another.example.com static
+ local-zone-tag: another.example.com "cname2"
+ access-control-tag: 127.0.0.1/32 "cname2"
+ access-control-tag-action: 127.0.0.1/32 "cname2" redirect
+ access-control-tag-data: 127.0.0.1/32 "cname2" "CNAME example.org."
+
+ # CNAME target is expected to be nonexistent.
+ local-zone: nx.example.com static
+ local-zone-tag: nx.example.com "nx"
+ access-control-tag: 127.0.0.1/32 "nx"
+ access-control-tag-action: 127.0.0.1/32 "nx" redirect
+ access-control-tag-data: 127.0.0.1/32 "nx" "CNAME nx.example.org."
+
+ # Resolution of this CNAME target will result in SERVFAIL.
+ local-zone: servfail.example.com static
+ local-zone-tag: servfail.example.com "servfail"
+ access-control-tag-action: 127.0.0.1/32 "servfail" redirect
+ access-control-tag-data: 127.0.0.1/32 "servfail" "CNAME servfail.example.org."
+
+ # CNAME target is supposed to be DNSSEC-signed.
+ local-zone: sec.example.com static
+ local-zone-tag: sec.example.com "sec"
+ access-control-tag-action: 127.0.0.1/32 "sec" redirect
+ access-control-tag-data: 127.0.0.1/32 "sec" "CNAME www.infoblox.com."
+
+ # Test setup for non-tag based redirect
+ local-zone: example.net redirect
+ local-data: "example.net. IN CNAME cname.example.org."
+
+ ### template zone and tag intended to be used for tests with CNAME and
+ ### other data.
+ ##local-zone: ambiguous.example.com redirect
+ ##@LOCALDATA1@
+ ##@LOCALDATA2@
+ ##local-zone-tag: ambiguous.example.com "ambiguous"
+ ##access-control-tag-action: 127.0.0.1/32 "ambiguous" redirect
+ ##@TAGDATA1@
+ ##@TAGDATA2@
+
+
+
+ target-fetch-policy: "0 0 0 0 0"
+
+# send the queries to the test server (see the 10.0.10.3 entries below)
+forward-zone:
+ name: "."
+ forward-addr: 10.0.10.3
+CONFIG_END
+
+; short one-line description of scenario:
+SCENARIO_BEGIN Test local-data CNAME aliases
+
+; Specification of the answers that the upstream server provides to unbound
+RANGE_BEGIN 0 1000
+ ADDRESS 10.0.10.3
+; put entries here with answers to specific qname, qtype
+
+; infoblox.com
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+infoblox.com. IN DNSKEY
+SECTION ANSWER
+infoblox.com. 172800 IN DNSKEY 256 3 5 AwEAAbi2VnVHFm5rO2EiawNWhTTRPPzaA+VEdpGOc+CtwIZq86C4Ndbp 0M7XTi0wru0Pgh54oGZ3ty9WllYEnVfoA1rcGwFJmAln7KKAuQP+dlGE yHPJYduAjG/JFA6Qq0zj18AmWgks+qvethASMm3PtihQkNytjmQWjiL6 6h8cQwFP
+infoblox.com. 172800 IN DNSKEY 257 3 5 AwEAAerW6xQkJIb5wxm48RoHD/LE8r/GzmdIGOam0lQczIth+I9ctltV dDJXz5BH8j4TOaOH1gBRCXhsPDyPom/eLEkdUuXNuhV6QnWGHOtz1fuY EO+kBqaI79jR0K31OmevR/H/F3C8gi4T6//6G9qsftvcl6m7+V1vI2+c cgxiiOlMrZZb4YAhue1+tRw57f3aVOSNtcrONO/Jffgb9jbDTKRi33oT fDznyPa1lCWMbuybr/LaCU0LP6fG4BII/FDWFi5rQxMHygWfscdYX06c eGUzHqiuNNGL8Jze6johni71T/hJGtLMozkY7qxOLfWBXOu9kr1MBQh5 6hfibOZMZJM=
+infoblox.com. 172800 IN RRSIG DNSKEY 5 2 172800 20161004003725 20160930000830 31651 infoblox.com. Ds7LZY2W59fq9cWgqi3W6so1NGFa7JdjO8zlhK3hGu2a2WG1W/rVftom rCf0gdI5q4BZJnq2o0SdLd/U7he1uWz8ATntEETiNs9/8G7myNK17wQu AN/+3gol+qT4DX0CA3Boz7Z+xFQbTwnnJJvGASa/1jPMIYU8DiyNx3Pe SSh9lbyU/4YI0mshn5ZC2HCFChxr+aVJxk4UHjaPfHhWwVu9oM4IbEfn KD9x4ltKjjy0pXMYqVlNs9+tG2nXdwr/6Q4G+yfRBAcW+cWeW5w4igxf xYFq4Y5gkZetGOReoNODZ9YC9WvcxBo+qY/iUN2k+lEFq+oL8+DthAGH uA1krw==
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.infoblox.com. IN A
+SECTION ANSWER
+www.infoblox.com. 3600 IN A 161.47.10.70
+www.infoblox.com. 3600 IN RRSIG A 5 3 3600 20161003223322 20160929221122 14916 infoblox.com. WbO9ydRAoRTPvdK18atTdLEkkMGoOjuwbcb6vVI0d6Sea3xkcBMNmtst Wdzr+pKEJqO2bfm167X6uhcOHanHZRnirlTnEbuTdsP0HCiIEGQD5iHg UNH2FJSKGNYBmgZKJpuLhDca7oqtkl8EyGA+UEt6Rtq6aW8V0wpkhPHi Pug='
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; example.org
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.org. IN A
+SECTION ANSWER
+example.org. IN A 192.0.2.1
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+cname.example.org. IN A
+SECTION ANSWER
+cname.example.org. IN A 192.0.2.2
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.org. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+example.org. IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NXDOMAIN
+SECTION QUESTION
+nx.example.org. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+example.org. IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
+SECTION ADDITIONAL
+ENTRY_END
+
+; for norec query
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.org. IN NS
+SECTION ANSWER
+example.org. IN NS ns.example.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR SERVFAIL
+SECTION QUESTION
+servfail.example.org. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; end of entries with answers from upstream server
+RANGE_END
+; Steps where queries are sent, one at a time, to unbound.
+; QUERY is what the downstream client sends to unbound.
+; CHECK_ANSWER contains the response from unbound.
+
+
+; Basic case: both exact and subdomain matches result in the same CNAME
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.com. IN CNAME
+ENTRY_END
+
+; For type-CNAME queries, the CNAME itself will be returned
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+example.com. IN CNAME
+SECTION ANSWER
+example.com. IN CNAME example.org.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+alias.example.com. IN CNAME
+ENTRY_END
+
+; For type-CNAME queries, the CNAME itself will be returned
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+alias.example.com. IN CNAME
+SECTION ANSWER
+alias.example.com. IN CNAME example.org.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; Basic case: both exact and subdomain matches result in the same CNAME
+; For other types, a complete CNAME chain will have to be returned
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.com. IN A
+ENTRY_END
+
+STEP 60 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION ANSWER
+example.com. IN CNAME example.org.
+example.org. IN A 192.0.2.1
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 70 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+alias.example.com. IN A
+ENTRY_END
+
+STEP 80 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+alias.example.com. IN A
+SECTION ANSWER
+alias.example.com. IN CNAME example.org.
+example.org. IN A 192.0.2.1
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; Basic case: both exact and subdomain matches result in the same CNAME.
+; The result is the same for non-recursive query as long as a
+; complete chain is cached.
+STEP 90 QUERY
+ENTRY_BEGIN
+REPLY
+SECTION QUESTION
+example.com. IN A
+ENTRY_END
+
+STEP 100 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+example.com. IN A
+SECTION ANSWER
+example.com. IN CNAME example.org.
+example.org. IN A 192.0.2.1
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 110 QUERY
+ENTRY_BEGIN
+REPLY
+SECTION QUESTION
+alias.example.com. IN A
+ENTRY_END
+
+STEP 120 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA NOERROR
+SECTION QUESTION
+alias.example.com. IN A
+SECTION ANSWER
+alias.example.com. IN CNAME example.org.
+example.org. IN A 192.0.2.1
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; Similar to the above, but these are local-zone redirect, instead of
+; tag-based policies.
+STEP 130 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.net. IN CNAME
+ENTRY_END
+
+; For type-CNAME queries, the CNAME itself will be returned
+STEP 140 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+example.net. IN CNAME
+SECTION ANSWER
+example.net. IN CNAME cname.example.org.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 150 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+alias.example.net. IN CNAME
+ENTRY_END
+
+; For type-CNAME queries, the CNAME itself will be returned
+STEP 160 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+alias.example.net. IN CNAME
+SECTION ANSWER
+alias.example.net. IN CNAME cname.example.org.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 170 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.net. IN A
+ENTRY_END
+
+STEP 180 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+example.net. IN A
+SECTION ANSWER
+example.net. IN CNAME cname.example.org.
+cname.example.org. IN A 192.0.2.2
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+STEP 190 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+alias.example.net. IN A
+ENTRY_END
+
+STEP 200 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+alias.example.net. IN A
+SECTION ANSWER
+alias.example.net. IN CNAME cname.example.org.
+cname.example.org. IN A 192.0.2.2
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+
+; Relatively minor cases follow
+
+; query type doesn't exist for the CNAME target. The original query
+; succeeds with an "incomplete" chain only containing the CNAME.
+STEP 210 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.com. IN AAAA
+ENTRY_END
+
+STEP 220 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NOERROR
+SECTION QUESTION
+example.com. IN AAAA
+SECTION ANSWER
+example.com. IN CNAME example.org.
+SECTION AUTHORITY
+example.org. 3600 IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
+SECTION ADDITIONAL
+ENTRY_END
+
+; The CNAME target name doesn't exist. NXDOMAIN with the CNAME will
+; be returned.
+STEP 230 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+nx.example.com. IN A
+ENTRY_END
+
+STEP 240 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA AA NXDOMAIN
+SECTION QUESTION
+nx.example.com. IN A
+SECTION ANSWER
+nx.example.com. IN CNAME nx.example.org.
+SECTION AUTHORITY
+example.org. 3600 IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600
+SECTION ADDITIONAL
+ENTRY_END
+
+; Resolution for the CNAME target will result in SERVFAIL. It will
+; be forwarded to the original query. The answer section should be
+; empty.
+STEP 250 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+servfail.example.com. IN A
+ENTRY_END
+
+STEP 260 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+servfail.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+; The CNAME target is DNSSEC-signed and it's validated. If the original
+; query enabled the DNSSEC, the RRSIGs will be included in the answer,
+; but the response should have the AD bit off
+STEP 270 QUERY
+ENTRY_BEGIN
+REPLY RD DO
+SECTION QUESTION
+sec.example.com. IN A
+ENTRY_END
+
+STEP 280 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD DO RA AA NOERROR
+SECTION QUESTION
+sec.example.com. IN A
+SECTION ANSWER
+sec.example.com. IN CNAME www.infoblox.com.
+www.infoblox.com. 3600 IN A 161.47.10.70
+www.infoblox.com. 3600 IN RRSIG A 5 3 3600 20161003223322 20160929221122 14916 infoblox.com. WbO9ydRAoRTPvdK18atTdLEkkMGoOjuwbcb6vVI0d6Sea3xkcBMNmtst Wdzr+pKEJqO2bfm167X6uhcOHanHZRnirlTnEbuTdsP0HCiIEGQD5iHg UNH2FJSKGNYBmgZKJpuLhDca7oqtkl8EyGA+UEt6Rtq6aW8V0wpkhPHi Pug='
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+
+
+SCENARIO_END
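Review bot: The `www.infoblox.com. 3600 IN RRSIG A` record ends in `Pug='`, both in the upstream answer and in the STEP 280 expected answer; the trailing apostrophe is not base64 and looks like a leftover from a quoted string, so the signature should end in `Pug=`. If the record parser drops or rejects the stray character, STEP 270/280 may not be exercising the validated-signature path its comment describes, so it is worth confirming the step still passes with a well-formed RRSIG. Separately, the per-case `access-control-tag: 127.0.0.1/32 "cname"`, `"cname2"` and `"nx"` lines repeat a netblock that the earlier line already tags with all five names, while the servfail and sec cases have no such line. Dropping the three repeats would avoid depending on how repeated entries for one netblock combine, which is not visible in this file.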
diff --git a/testdata/stop_nxdomain_minimised.rpl b/testdata/stop_nxdomain_minimised.rpl
new file mode 100644
index 000000000000..8882b7bd9080
--- /dev/null
+++ b/testdata/stop_nxdomain_minimised.rpl
@@ -0,0 +1,110 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ harden-below-nxdomain: yes
+ qname-minimisation: yes
+ trust-anchor: ". IN DNSKEY 257 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3"
+ val-override-date: "20070916134226"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+stub-zone:
+ name: "anotherexample.local."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test stop cache search on nxdomain for QNAME minimised query
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN DNSKEY
+SECTION ANSWER
+. 3600 IN DNSKEY 257 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30900 (ksk), size = 512b}
+. 3600 IN RRSIG DNSKEY 5 0 3600 20070926134150 20070829134150 30900 . BlVcSh8xSgm7ne+XVCJwNHQKjk5kTJgG4Fa3sOSfp3YUjb2YclmVWyIw7XEHl0/C6CN5gdy18idnM6vT6Hy42A== ;{id = 30900}
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NXDOMAIN
+SECTION QUESTION
+local. IN A
+SECTION AUTHORITY
+. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010111601 1800 900 604800 86400
+. 86400 IN RRSIG SOA 5 0 86400 20070926134150 20070829134150 30900 . bOYbFZZp7vWWC2oxV+kph+YXjoQj2f6QJktlgmzRI7oReFX9jy/LibTPQi/sW0SGHpLaj3G5p4IfIlBibne4DA== ;{id = 30900}
+. 86400 IN NSEC ac. NS SOA RRSIG NSEC DNSKEY
+. 86400 IN RRSIG NSEC 5 0 86400 20070926134150 20070829134150 30900 . U+/m5+FmczzkosEx1aTP7MK/F3PpcKWct8CzM1jhjwNe2RlnW7qFe0IH8SLzD/elvxDTQMpJSMlKOhUUdapB8g== ;{id = 30900}
+lk. 86400 IN NSEC lr. NS DS RRSIG NSEC
+lk. 86400 IN RRSIG NSEC 5 1 86400 20070926134150 20070829134150 30900 . j6Pw5Eu9vGHDJcckTSWa8YD1b7FV7c/Z8aVkLfJCH+iPcaa40/LSp784+t2PnAAXL8fgriNL6jF/ve1rti3ANQ== ;{id = 30900}
+ENTRY_END
+RANGE_END
+
+RANGE_BEGIN 0 100
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+anotherexample.local. IN TXT
+SECTION ANSWER
+anotherexample.local. 86400 IN TXT "should not resolve this"
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.local. IN TXT
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+example.local. IN TXT
+SECTION AUTHORITY
+. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010111601 1800 900 604800 86400
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+anotherexample.local. IN TXT
+ENTRY_END
+
+; query should be answered using NXDOMAIN for local in cache
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NXDOMAIN
+SECTION QUESTION
+anotherexample.local. IN TXT
+SECTION AUTHORITY
+. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2010111601 1800 900 604800 86400
+ENTRY_END
+
+SCENARIO_END
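Review bot: Nothing in the scenario says why the `anotherexample.local.` stub and its 10.20.30.40 range exist, yet they are what makes STEP 30 meaningful: the TXT answer "should not resolve this" would come back if the cached NXDOMAIN for `local.` failed to stop the lookup. A comment above the second `RANGE_BEGIN`, for example `; trap server: must never be queried once NXDOMAIN for local. is cached`, would make that explicit. A short note next to `trust-anchor` would also help, since harden-below-nxdomain is, as far as I know, meant to act only on DNSSEC-secure NXDOMAIN answers; whether this test relies on the signed NSEC records for that reason cannot be told from the hunk.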
diff --git a/testdata/val_cnamewctonodata.rpl b/testdata/val_cnamewctonodata.rpl
index 9c3928a19317..83aec7a025e8 100644
--- a/testdata/val_cnamewctonodata.rpl
+++ b/testdata/val_cnamewctonodata.rpl
@@ -11,7 +11,7 @@ stub-zone:
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
-SCENARIO_BEGIN Test validator with wilcard cname to nodata
+SCENARIO_BEGIN Test validator with wildcard cname to nodata
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
diff --git a/testdata/val_ds_sha2.crpl b/testdata/val_ds_sha2.crpl
index bbf18118597b..6b92e230f486 100644
--- a/testdata/val_ds_sha2.crpl
+++ b/testdata/val_ds_sha2.crpl
@@ -4,6 +4,7 @@ server:
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
+ fake-dsa: yes
stub-zone:
name: "."
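Review bot: The added `fake-dsa: yes` carries no comment, and it may change what this validator test proves. The option appears to be a test-only switch that lets DSA-signed data pass without real DSA verification, in which case the scenario still checks DS digest handling but no longer the signatures themselves. A line above it such as `# test-only: fakes DSA support so this DSA-signed data validates; not for real configs` (assuming that is what the option does) would stop the setting being copied into a production unbound.conf. The same uncommented line is added in testdata/val_ds_sha2_downgrade.crpl. The `server:` clause starts outside the hunk.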
diff --git a/testdata/val_ds_sha2_downgrade.crpl b/testdata/val_ds_sha2_downgrade.crpl
index ee9a171233d5..ea4a48105cd4 100644
--- a/testdata/val_ds_sha2_downgrade.crpl
+++ b/testdata/val_ds_sha2_downgrade.crpl
@@ -4,6 +4,7 @@ server:
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
val-override-date: "20070916134226"
target-fetch-policy: "0 0 0 0 0"
+ fake-dsa: yes
stub-zone:
name: "."
diff --git a/testdata/val_nodata_failsig.rpl b/testdata/val_nodata_failsig.rpl
index df3b75e019e4..27d5d30c8314 100644
--- a/testdata/val_nodata_failsig.rpl
+++ b/testdata/val_nodata_failsig.rpl
@@ -130,8 +130,10 @@ SECTION ANSWER
SECTION AUTHORITY
; SOA record is missing in reply.
; Denies A, note this is the end of the NSEC chain.
+; this RRSIG is failed, we set to 0 base64 data to make this easy to detect
www.example.com. IN NSEC example.com. RRSIG NSEC
-www.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDA8yqBITvLruoQjn/eqjYjwCwySAhUAk5/f3H1HKMsvM+spmmswwFtndyY= ;{id = 2854}
+;www.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFDA8yqBITvLruoQjn/eqjYjwCwySAhUAk5/f3H1HKMsvM+spmmswwFtndyY= ;{id = 2854}
+www.example.com. 3600 IN RRSIG NSEC 3 3 3600 20070926135752 20070829135752 2854 example.com.
; Denies wildcard
example.com. IN NSEC ns.example.com. NS SOA RRSIG NSEC DNSKEY
example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. MCwCFGlz/gvGdVxEo3Kpr+MijEGCZgwaAhRU7qbF13vmCVgR8dFw7LQFKopV6w== ;{id = 2854}
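Review bot: The new comment `; this RRSIG is failed, we set to 0 base64 data to make this easy to detect` is hard to read and does not say why the original signature no longer serves as the failing one. Something like `; RRSIG deliberately broken: signature field left empty so it cannot verify on any build` would be clearer, assuming that is the intent. With an empty signature the step checks rejection of a missing signature rather than of a well-formed but wrong one, which may be a narrower case than the file name suggests. The replacement line also drops the `;{id = 2854}` trailer that the neighbouring RRSIG lines keep. The enclosing ENTRY block starts and ends outside the hunk.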
diff --git a/testdata/val_nsec3_wcany.rpl b/testdata/val_nsec3_wcany.rpl
index fff0aa7cd4d0..37074a6a6e0f 100644
--- a/testdata/val_nsec3_wcany.rpl
+++ b/testdata/val_nsec3_wcany.rpl
@@ -10,7 +10,7 @@ stub-zone:
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
-SCENARIO_BEGIN Test validator with NSEC3 wilcard qtype ANY response.
+SCENARIO_BEGIN Test validator with NSEC3 wildcard qtype ANY response.
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
diff --git a/testdata/val_nsec3_wcany_nodeny.rpl b/testdata/val_nsec3_wcany_nodeny.rpl
index 9215ccc04a4d..080f086c8ea5 100644
--- a/testdata/val_nsec3_wcany_nodeny.rpl
+++ b/testdata/val_nsec3_wcany_nodeny.rpl
@@ -10,7 +10,7 @@ stub-zone:
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END
-SCENARIO_BEGIN Test validator with NSEC3 wilcard qtype ANY without denial.
+SCENARIO_BEGIN Test validator with NSEC3 wildcard qtype ANY without denial.
; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
diff --git a/testdata/views.rpl b/testdata/views.rpl
new file mode 100644
index 000000000000..d4031363b9ef
--- /dev/null
+++ b/testdata/views.rpl
@@ -0,0 +1,210 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+
+ access-control: 10.10.10.0/24 allow
+ access-control-view: 10.10.10.10/32 "view1"
+ access-control-view: 10.10.10.20/32 "view2"
+ access-control-view: 10.10.10.30/32 "view3"
+ access-control-view: 10.10.10.40/32 "view4"
+
+ local-zone: "example.com." redirect
+ local-data: 'example.com. IN TXT "global"'
+
+view:
+ name: "view1"
+ local-zone: "nomatch.example.com." redirect
+ local-data: 'nomatch.example.com. IN TXT "view 1"'
+ view-first: no
+
+view:
+ name: "view2"
+ local-zone: "example.com." redirect
+ local-data: 'example.com. IN TXT "view 2"'
+ ; view-first default = no
+
+view:
+ name: "view3"
+ local-zone: "nomatch.example.com." redirect
+ local-data: 'nomatch.example.com. IN TXT "view 3"'
+ view-first: yes
+
+view:
+ name: "view4"
+ local-zone: "example.com." redirect
+ local-data: 'example.com. IN TXT "view 4"'
+ view-first: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+SCENARIO_BEGIN Test view specific local-zone and local-data elements
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN TXT
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN TXT
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN TXT
+SECTION ANSWER
+example.com. IN TXT "auth data"
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY ADDRESS 10.10.10.10
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+example.com. IN TXT
+ENTRY_END
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA
+SECTION QUESTION
+example.com. IN TXT
+SECTION ANSWER
+example.com. IN TXT "auth data"
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+STEP 3 QUERY ADDRESS 10.10.10.20
+ENTRY_BEGIN
+SECTION QUESTION
+example.com. IN TXT
+ENTRY_END
+STEP 4 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA
+SECTION QUESTION
+example.com. IN TXT
+SECTION ANSWER
+example.com. IN TXT "view 2"
+ENTRY_END
+
+STEP 5 QUERY ADDRESS 10.10.10.30
+ENTRY_BEGIN
+SECTION QUESTION
+example.com. IN TXT
+ENTRY_END
+STEP 6 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA
+SECTION QUESTION
+example.com. IN TXT
+SECTION ANSWER
+example.com. IN TXT "global"
+ENTRY_END
+
+STEP 7 QUERY ADDRESS 10.10.10.40
+ENTRY_BEGIN
+SECTION QUESTION
+example.com. IN TXT
+ENTRY_END
+STEP 8 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA
+SECTION QUESTION
+example.com. IN TXT
+SECTION ANSWER
+example.com. IN TXT "view 4"
+ENTRY_END
+
+STEP 9 QUERY ADDRESS 10.10.10.50
+ENTRY_BEGIN
+SECTION QUESTION
+example.com. IN TXT
+ENTRY_END
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RA AA
+SECTION QUESTION
+example.com. IN TXT
+SECTION ANSWER
+example.com. IN TXT "global"
+ENTRY_END
+
+SCENARIO_END
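Review bot: The `nomatch.example.com.` local-data configured in view1 and view3 is never queried, so no step shows that view-specific data is actually served, or that it stays invisible to clients mapped to another view or to none. Every step asks for `example.com. IN TXT`. Adding a query for `nomatch.example.com. IN TXT` from 10.10.10.10 that expects `nomatch.example.com. IN TXT "view 1"`, plus the same query from 10.10.10.50 whose answer must not contain the view 1 text, would cover isolation between views. There is also no step from a source outside `10.10.10.0/24`, so the `access-control` line itself is not exercised.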