1; Test ipsecmod-whitelist option.
2
3; config options
4server:
5	access-control: 127.0.0.1 allow_snoop
6	module-config: "ipsecmod validator iterator"
7	; ipsecmod-hook names an external program that the resolver executes; the path is relative, and ../../ is there because the test runs from testdata/03-testbound.dir
8	ipsecmod-hook: "../../testdata/ipsecmod_hook.sh"
9	ipsecmod-strict: no
10	ipsecmod-max-ttl: 200
11	ipsecmod-whitelist: white.example.com
12	qname-minimisation: "no"
13	minimal-responses: no
14
15stub-zone:
16	name: "."
17	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
18CONFIG_END
19
20SCENARIO_BEGIN Test ipsecmod-whitelist option
21; Scenario overview:
22; - query for black.example.com. IN A (not listed in ipsecmod-whitelist)
23; - check that we get an answer for black.example.com. IN A with the original TTL (3600), i.e. not capped by ipsecmod-max-ttl
24; - check that an answer for black.example.com. IN IPSECKEY is not cached (not given)
25; - query for white.example.com. IN A (listed in ipsecmod-whitelist)
26; - check that a query for white.example.com. IN IPSECKEY is generated
27; - check that we get an answer for white.example.com. IN A with the TTL capped at ipsecmod-max-ttl (200)
28; - check that we get the same answer from cache
29; - check that we get the IPSECKEY answer from cache
30
31; K.ROOT-SERVERS.NET.
32RANGE_BEGIN 0 100
33	ADDRESS 193.0.14.129
34	ENTRY_BEGIN
35		MATCH opcode qtype qname
36		ADJUST copy_id
37		REPLY QR NOERROR
38		SECTION QUESTION
39			. IN NS
40		SECTION ANSWER
41			. IN NS	K.ROOT-SERVERS.NET.
42		SECTION ADDITIONAL
43			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
44	ENTRY_END
45
46	ENTRY_BEGIN
47		MATCH opcode qtype qname
48		ADJUST copy_id
49		REPLY QR AA NOERROR
50		SECTION QUESTION
51			a.gtld-servers.net.	IN AAAA
52		SECTION AUTHORITY
53			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
54	ENTRY_END
55
56	ENTRY_BEGIN
57		MATCH opcode qtype qname
58		ADJUST copy_id
59		REPLY QR AA NOERROR
60		SECTION QUESTION
61			K.ROOT-SERVERS.NET.	IN	AAAA
62		SECTION AUTHORITY
63			. 86400 IN SOA . . 20070304 28800 7200 604800 86400
64	ENTRY_END
65
66	ENTRY_BEGIN
67		MATCH opcode subdomain
68		ADJUST copy_id copy_query
69		REPLY QR NOERROR
70		SECTION QUESTION
71			com. IN A
72		SECTION AUTHORITY
73			com. IN NS	a.gtld-servers.net.
74		SECTION ADDITIONAL
75			a.gtld-servers.net.	IN 	A	192.5.6.30
76	ENTRY_END
77RANGE_END
78
79; a.gtld-servers.net.
80RANGE_BEGIN 0 100
81	ADDRESS 192.5.6.30
82	ENTRY_BEGIN
83		MATCH opcode qtype qname
84		ADJUST copy_id
85		REPLY QR NOERROR
86		SECTION QUESTION
87			com. IN NS
88		SECTION ANSWER
89			com.    IN NS   a.gtld-servers.net.
90		SECTION ADDITIONAL
91			a.gtld-servers.net.     IN      A       192.5.6.30
92	ENTRY_END
93
94	ENTRY_BEGIN
95		MATCH opcode subdomain
96		ADJUST copy_id copy_query
97		REPLY QR NOERROR
98		SECTION QUESTION
99			example.com. IN A
100		SECTION AUTHORITY
101			example.com.	IN NS	ns.example.com.
102		SECTION ADDITIONAL
103			ns.example.com.		IN 	A	1.2.3.4
104	ENTRY_END
105RANGE_END
106
107; ns.example.com.
108RANGE_BEGIN 0 100
109	ADDRESS 1.2.3.4
110	ENTRY_BEGIN
111		MATCH opcode qtype qname
112		ADJUST copy_id
113		REPLY QR NOERROR
114		SECTION QUESTION
115			example.com. IN NS
116		SECTION ANSWER
117			example.com.    IN NS   ns.example.com.
118		SECTION ADDITIONAL
119			ns.example.com.         IN      A       1.2.3.4
120	ENTRY_END
121
122	ENTRY_BEGIN
123		MATCH opcode qtype qname
124		ADJUST copy_id
125		REPLY QR AA NOERROR
126		SECTION QUESTION
127			ns.example.com. IN AAAA
128		SECTION AUTHORITY
129			example.com. 10 IN SOA . . 15 28800 7200 604800 10
130	ENTRY_END
131
132	ENTRY_BEGIN
133		MATCH opcode qtype qname
134		ADJUST copy_id
135		REPLY QR NOERROR
136		SECTION QUESTION
137			white.example.com. IN A
138		SECTION ANSWER
139			white.example.com.    3600 IN      A       5.6.7.8
140		SECTION AUTHORITY
141			example.com.	IN NS	ns.example.com.
142		SECTION ADDITIONAL
143			ns.example.com.		IN 	A	1.2.3.4
144	ENTRY_END
145
146	ENTRY_BEGIN
147		MATCH opcode qtype qname
148		ADJUST copy_id
149		REPLY QR NOERROR
150		SECTION QUESTION
151			white.example.com. IN IPSECKEY
152		SECTION ANSWER
153			white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
154		SECTION AUTHORITY
155			example.com.	IN NS	ns.example.com.
156		SECTION ADDITIONAL
157			ns.example.com.		IN 	A	1.2.3.4
158	ENTRY_END
159
160	ENTRY_BEGIN
161		MATCH opcode qtype qname
162		ADJUST copy_id
163		REPLY QR NOERROR
164		SECTION QUESTION
165			black.example.com. IN A
166		SECTION ANSWER
167			black.example.com.    3600 IN      A       5.6.7.8
168		SECTION AUTHORITY
169			example.com.	IN NS	ns.example.com.
170		SECTION ADDITIONAL
171			ns.example.com.		IN 	A	1.2.3.4
172	ENTRY_END
173
174	ENTRY_BEGIN
175		MATCH opcode qtype qname
176		ADJUST copy_id
177		REPLY QR NOERROR
178		SECTION QUESTION
179			black.example.com. IN IPSECKEY
180		SECTION ANSWER
181			black.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
182		SECTION AUTHORITY
183			example.com.	IN NS	ns.example.com.
184		SECTION ADDITIONAL
185			ns.example.com.		IN 	A	1.2.3.4
186	ENTRY_END
187RANGE_END
188
189STEP 1 QUERY
190ENTRY_BEGIN
191	REPLY RD
192	SECTION QUESTION
193		black.example.com. IN A
194ENTRY_END
195
196STEP 10 CHECK_ANSWER
197ENTRY_BEGIN
198	MATCH all ttl
199	REPLY QR RD RA NOERROR
200	SECTION QUESTION
201		black.example.com. IN A
202	SECTION ANSWER
203		black.example.com.  3600 IN A 5.6.7.8
204	SECTION AUTHORITY
205		example.com.	IN NS	ns.example.com.
206	SECTION ADDITIONAL
207		ns.example.com.		IN 	A	1.2.3.4
208ENTRY_END
209
210STEP 11 QUERY
211ENTRY_BEGIN
212	SECTION QUESTION
213		black.example.com. IN IPSECKEY
214ENTRY_END
215
216STEP 12 CHECK_ANSWER
217ENTRY_BEGIN
218	MATCH all
219	REPLY QR RA NOERROR
220	SECTION QUESTION
221		black.example.com. IN IPSECKEY
222	SECTION AUTHORITY
223		example.com.	IN NS	ns.example.com.
224	SECTION ADDITIONAL
225		ns.example.com.		IN 	A	1.2.3.4
226ENTRY_END
227
228STEP 20 QUERY
229ENTRY_BEGIN
230	REPLY RD
231	SECTION QUESTION
232		white.example.com. IN A
233ENTRY_END
234
235STEP 21 CHECK_OUT_QUERY
236ENTRY_BEGIN
237	MATCH qname qtype opcode
238	SECTION QUESTION
239		white.example.com. IN IPSECKEY
240ENTRY_END
241
242STEP 30 CHECK_ANSWER
243ENTRY_BEGIN
244	MATCH all ttl
245	REPLY QR RD RA NOERROR
246	SECTION QUESTION
247		white.example.com. IN A
248	SECTION ANSWER
249		white.example.com.  200 IN A 5.6.7.8
250	SECTION AUTHORITY
251		example.com.	IN NS	ns.example.com.
252	SECTION ADDITIONAL
253		ns.example.com.		IN 	A	1.2.3.4
254ENTRY_END
255
256STEP 31 QUERY
257ENTRY_BEGIN
258	SECTION QUESTION
259		white.example.com. IN A
260ENTRY_END
261
262STEP 40 CHECK_ANSWER
263ENTRY_BEGIN
264	MATCH all ttl
265	REPLY QR RA NOERROR
266	SECTION QUESTION
267		white.example.com. IN A
268	SECTION ANSWER
269		white.example.com.  200 IN A 5.6.7.8
270	SECTION AUTHORITY
271		example.com.	IN NS	ns.example.com.
272	SECTION ADDITIONAL
273		ns.example.com.		IN 	A	1.2.3.4
274ENTRY_END
275
276STEP 41 QUERY
277ENTRY_BEGIN
278	SECTION QUESTION
279		white.example.com. IN IPSECKEY
280ENTRY_END
281
282STEP 50 CHECK_ANSWER
283ENTRY_BEGIN
284	MATCH all
285	REPLY QR RA NOERROR
286	SECTION QUESTION
287		white.example.com. IN IPSECKEY
288	SECTION ANSWER
289		white.example.com. 3600 IN IPSECKEY 10 0 2 . AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ==
290	SECTION AUTHORITY
291		example.com.	IN NS	ns.example.com.
292	SECTION ADDITIONAL
293		ns.example.com.		IN 	A	1.2.3.4
294ENTRY_END
295
296SCENARIO_END
297