; Check that cached NXDOMAIN replies for nameservers do not count towards the
; MAX_TARGET_NX limit.

server:
	module-config: "iterator"
	trust-anchor-signaling: no
	target-fetch-policy: "0 0 0 0 0"
	verbosity: 3
	access-control: 127.0.0.1 allow_snoop
	do-not-query-localhost: no
	qname-minimisation: no
	minimal-responses: no
	rrset-roundrobin: no
stub-zone:
	name: "example.com"
	stub-addr: 127.0.0.2
stub-zone:
	name: "nameservers.com"
	stub-addr: 127.0.0.3
CONFIG_END

SCENARIO_BEGIN Test that the NXNS countermeasure is not triggered for cached NXDOMAIN

RANGE_BEGIN 0 100
	ADDRESS 127.0.0.1
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		b.a.example.com. IN A
		SECTION ANSWER
		b.a.example.com. IN A 127.0.0.0
	ENTRY_END
RANGE_END

RANGE_BEGIN 31 100
	ADDRESS 127.0.0.3
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns1.nameservers.com. IN A
		SECTION ANSWER
		ns1.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns2.nameservers.com. IN A
		SECTION ANSWER
		ns2.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns3.nameservers.com. IN A
		SECTION ANSWER
		ns3.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns4.nameservers.com. IN A
		SECTION ANSWER
		ns4.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns5.nameservers.com. IN A
		SECTION ANSWER
		ns5.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns6.nameservers.com. IN A
		SECTION ANSWER
		ns6.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns7.nameservers.com. IN A
		SECTION ANSWER
		ns7.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns8.nameservers.com. IN A
		SECTION ANSWER
		ns8.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns9.nameservers.com. IN A
		SECTION ANSWER
		ns9.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns10.nameservers.com. IN A
		SECTION ANSWER
		ns10.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns11.nameservers.com. IN A
		SECTION ANSWER
		ns11.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
		MATCH opcode qtype qname
		ADJUST copy_id
		REPLY QR NOERROR
		SECTION QUESTION
		ns12.nameservers.com. IN A
		SECTION ANSWER
		ns12.nameservers.com. IN A 127.0.0.1
	ENTRY_END

	; Reply no-data to AAAA queries
	ENTRY_BEGIN
		MATCH opcode subdomain
		ADJUST copy_id copy_query
		REPLY QR NOERROR
		SECTION QUESTION
		nameservers.com. IN A
		SECTION AUTHORITY
		nameservers.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
	ENTRY_END
RANGE_END

; Query for a domain
STEP 0 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
a.example.com. IN A
ENTRY_END

; Answer with delegation
STEP 1 REPLY
ENTRY_BEGIN
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.example.com. IN A
SECTION AUTHORITY
a.example.com. IN NS ns1.nameservers.com.
a.example.com. IN NS ns2.nameservers.com.
a.example.com. IN NS ns3.nameservers.com.
a.example.com. IN NS ns4.nameservers.com.
a.example.com. IN NS ns5.nameservers.com.
a.example.com. IN NS ns6.nameservers.com.
a.example.com. IN NS ns7.nameservers.com.
a.example.com. IN NS ns8.nameservers.com.
a.example.com. IN NS ns9.nameservers.com.
a.example.com. IN NS ns10.nameservers.com.
a.example.com. IN NS ns11.nameservers.com.
a.example.com. IN NS ns12.nameservers.com.
ENTRY_END

; Reply NXDOMAIN to MAX_TARGET_NX queries(6) x2 (A+AAAA)
STEP 2 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
SECTION AUTHORITY
example.com. IN SOA ns.example.com email.example.com 1 2 3 4 60
ENTRY_END
STEP 3 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
SECTION AUTHORITY
example.com. IN SOA ns.ns email.email 1 2 3 4 60
ENTRY_END
STEP 4 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 5 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 6 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 7 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 8 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 9 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 10 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 11 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 12 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 13 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END

; We should receive SERVFAIL because MAX_TARGET_NX was reached
STEP 14 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
a.example.com. IN A
ENTRY_END

; Query for another domain in the same delegation
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
b.a.example.com. IN A
ENTRY_END

; We still have 6 NSes that Unbound didn't try to resolve
; Reply with NXDOMAIN for 5 of them
STEP 21 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 22 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 23 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 24 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 25 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 26 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 27 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 28 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 29 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 30 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END

; Unbound will reach the upstream and get the answer for the final NS
; which has the answer for the client query.

STEP 40 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
b.a.example.com. IN A
SECTION ANSWER
b.a.example.com. IN A 127.0.0.0
ENTRY_END

; Allow for possible pending NS query (AAAA) to get answered
STEP 41 TRAFFIC

SCENARIO_END