; config options
server:
	target-fetch-policy: "0 0 0 0 0"
	minimal-responses: no

stub-zone:
	name: "."
	stub-addr: 193.0.14.129
stub-zone:
	name: "example.com"
	stub-addr: 10.0.1.1
stub-zone:
	name: "example.net"
	stub-addr: 10.0.5.1
CONFIG_END

SCENARIO_BEGIN Test stub zone leaking to the internet on last resort fallback

; root server
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129

; root prime
ENTRY_BEGIN
MATCH qname qtype
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS k.root-servers.net.
SECTION ADDITIONAL
k.root-servers.net. IN A 193.0.14.129
ENTRY_END

RANGE_END

; stub server for example.com
RANGE_BEGIN 0 100
	ADDRESS 10.0.1.1

; subzone is delegated
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
subzone.example.com. IN A
SECTION AUTHORITY
subzone.example.com. IN NS sub-ns1.example.com.
subzone.example.com. IN NS sub-ns2.example.com.
subzone.example.com. IN NS example.net.
SECTION ADDITIONAL
sub-ns1.example.com. IN A 10.0.2.3
sub-ns2.example.com. IN A 10.0.2.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode question
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
sub-ns1.example.com. IN A
SECTION ANSWER
sub-ns1.example.com. IN A 10.0.2.3
ENTRY_END

ENTRY_BEGIN
MATCH opcode question
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
sub-ns2.example.com. IN A
SECTION ANSWER
sub-ns2.example.com. IN A 10.0.2.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode question
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
sub-ns1.example.com. IN AAAA
SECTION AUTHORITY
example.com. 300 SOA master.example.com etc 1 2 3 4 300
ENTRY_END

ENTRY_BEGIN
MATCH opcode question
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
sub-ns2.example.com. IN AAAA
SECTION AUTHORITY
example.com. 300 SOA master.example.com etc 1 2 3 4 300
ENTRY_END

RANGE_END

; stub server for example.net
RANGE_BEGIN 0 100
	ADDRESS 10.0.5.1

ENTRY_BEGIN
MATCH opcode question
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 10.0.5.1
ENTRY_END

ENTRY_BEGIN
MATCH opcode question
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
example.net. IN A
SECTION ANSWER
example.net. IN A 10.0.5.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode question
ADJUST copy_id copy_query
REPLY QR AA NOERROR
SECTION QUESTION
example.net. IN AAAA
SECTION AUTHORITY
example.net. 300 SOA master.example.net etc 1 2 3 4 300
ENTRY_END

RANGE_END

; stub server for subzone.example.com
RANGE_BEGIN 0 100
	ADDRESS 10.0.2.3
; match anything, servfail
ENTRY_BEGIN
MATCH opcode
ADJUST copy_id copy_query
REPLY QR SERVFAIL
SECTION QUESTION
subzone.example.com. IN A
SECTION ANSWER
ENTRY_END
RANGE_END

; stub server for subzone.example.com
RANGE_BEGIN 0 100
	ADDRESS 10.0.2.4
; match anything, servfail
ENTRY_BEGIN
MATCH opcode
ADJUST copy_id copy_query
REPLY QR SERVFAIL
SECTION QUESTION
subzone.example.com. IN A
SECTION ANSWER
ENTRY_END
RANGE_END

; stub server for subzone.example.com
RANGE_BEGIN 0 100
	ADDRESS 10.0.5.4
; match anything, servfail
ENTRY_BEGIN
MATCH opcode
ADJUST copy_id copy_query
REPLY QR SERVFAIL
SECTION QUESTION
subzone.example.com. IN A
SECTION ANSWER
ENTRY_END
RANGE_END


; fetch the delegation point for example.net in cache.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
example.net. IN NS
ENTRY_END

; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 10.0.5.1
ENTRY_END

STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
whatever.subzone.example.com. IN A
ENTRY_END

; recursion happens here.
; the query should not leak subzone ns queries to the internet
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA SERVFAIL
SECTION QUESTION
whatever.subzone.example.com. IN A
SECTION ANSWER
SECTION AUTHORITY
ENTRY_END

SCENARIO_END