; Check that cached NXDOMAIN replies for nameservers do not count towards the
; MAX_TARGET_NX limit.

server:
	module-config: "iterator"
	trust-anchor-signaling: no
	target-fetch-policy: "0 0 0 0 0"
	verbosity: 3
	access-control: 127.0.0.1 allow_snoop
	do-not-query-localhost: no
	qname-minimisation: no
	minimal-responses: no
	rrset-roundrobin: no
stub-zone:
	name: "example.com"
	stub-addr: 127.0.0.2
stub-zone:
	name: "nameservers.com"
	stub-addr: 127.0.0.3
CONFIG_END

SCENARIO_BEGIN Test that the NXNS countermeasure is not triggered for cached NXDOMAIN

RANGE_BEGIN 0 100
	ADDRESS 127.0.0.1
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	b.a.example.com. IN A
	SECTION ANSWER
	b.a.example.com. IN A 127.0.0.0
	ENTRY_END
RANGE_END

RANGE_BEGIN 31 100
	ADDRESS 127.0.0.3
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns1.nameservers.com. IN A
	SECTION ANSWER
	ns1.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns2.nameservers.com. IN A
	SECTION ANSWER
	ns2.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns3.nameservers.com. IN A
	SECTION ANSWER
	ns3.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns4.nameservers.com. IN A
	SECTION ANSWER
	ns4.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns5.nameservers.com. IN A
	SECTION ANSWER
	ns5.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns6.nameservers.com. IN A
	SECTION ANSWER
	ns6.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns7.nameservers.com. IN A
	SECTION ANSWER
	ns7.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns8.nameservers.com. IN A
	SECTION ANSWER
	ns8.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns9.nameservers.com. IN A
	SECTION ANSWER
	ns9.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns10.nameservers.com. IN A
	SECTION ANSWER
	ns10.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns11.nameservers.com. IN A
	SECTION ANSWER
	ns11.nameservers.com. IN A 127.0.0.1
	ENTRY_END
	ENTRY_BEGIN
	MATCH opcode qtype qname
	ADJUST copy_id
	REPLY QR NOERROR
	SECTION QUESTION
	ns12.nameservers.com. IN A
	SECTION ANSWER
	ns12.nameservers.com. IN A 127.0.0.1
	ENTRY_END

	; Reply no-data to AAAA queries
	ENTRY_BEGIN
	MATCH opcode subdomain
	ADJUST copy_id copy_query
	REPLY QR NOERROR
	SECTION QUESTION
	nameservers.com. IN A
	ENTRY_END
RANGE_END

; Query for a domain
STEP 0 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
a.example.com. IN A
ENTRY_END

; Answer with delegation
STEP 1 REPLY
ENTRY_BEGIN
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.example.com. IN A
SECTION AUTHORITY
a.example.com. IN NS ns1.nameservers.com.
a.example.com. IN NS ns2.nameservers.com.
a.example.com. IN NS ns3.nameservers.com.
a.example.com. IN NS ns4.nameservers.com.
a.example.com. IN NS ns5.nameservers.com.
a.example.com. IN NS ns6.nameservers.com.
a.example.com. IN NS ns7.nameservers.com.
a.example.com. IN NS ns8.nameservers.com.
a.example.com. IN NS ns9.nameservers.com.
a.example.com. IN NS ns10.nameservers.com.
a.example.com. IN NS ns11.nameservers.com.
a.example.com. IN NS ns12.nameservers.com.
ENTRY_END

; Reply NXDOMAIN to MAX_TARGET_NX queries(6) x2 (A+AAAA)
STEP 2 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
SECTION AUTHORITY
example.com. IN SOA ns.example.com email.example.com 1 2 3 4 60
ENTRY_END
STEP 3 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
SECTION AUTHORITY
example.com. IN SOA ns.ns email.email 1 2 3 4 60
ENTRY_END
STEP 4 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 5 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 6 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 7 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 8 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 9 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 10 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 11 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 12 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 13 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END

; We should receive SERVFAIL because MAX_TARGET_NX was reached
STEP 14 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
a.example.com. IN A
ENTRY_END

; Query for another domain in the same delegation
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
b.a.example.com. IN A
ENTRY_END

; We still have 6 NSes that Unbound didn't try to resolve
; Reply with NXDOMAIN for 5 of them
STEP 21 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 22 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 23 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 24 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 25 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 26 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 27 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 28 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 29 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END
STEP 30 REPLY
ENTRY_BEGIN
ADJUST copy_id copy_query
REPLY QR NXDOMAIN
SECTION QUESTION
a.query. IN A
ENTRY_END

; Unbound will reach the upstream and get the answer for the final NS
; which has the answer for the client query.

STEP 40 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
b.a.example.com. IN A
SECTION ANSWER
b.a.example.com. IN A 127.0.0.0
ENTRY_END

; Allow for possible pending NS query (AAAA) to get answered
STEP 41 TRAFFIC

SCENARIO_END