1; config options 2server: 3 # put unbound.conf config options here. 4 5 access-control: 127.0.0.1/32 allow_snoop #allow queries with or without the RD bit (the non-recursive steps below need this) 6 trust-anchor-signaling: no 7 8 # DNSSEC trust anchor taken from a real world example. Used for 9 # DNSSEC-signed CNAME target. 10 trust-anchor: "infoblox.com. 172800 IN DNSKEY 257 3 5 AwEAAerW6xQkJIb5wxm48RoHD/LE8r/GzmdIGOam0lQczIth+I9ctltV dDJXz5BH8j4TOaOH1gBRCXhsPDyPom/eLEkdUuXNuhV6QnWGHOtz1fuY EO+kBqaI79jR0K31OmevR/H/F3C8gi4T6//6G9qsftvcl6m7+V1vI2+c cgxiiOlMrZZb4YAhue1+tRw57f3aVOSNtcrONO/Jffgb9jbDTKRi33oT fDznyPa1lCWMbuybr/LaCU0LP6fG4BII/FDWFi5rQxMHygWfscdYX06c eGUzHqiuNNGL8Jze6johni71T/hJGtLMozkY7qxOLfWBXOu9kr1MBQh5 6hfibOZMZJM=" 11 # Use a fixed and faked date for DNSSEC validation to avoid run-time 12 # re-signing test signatures. 13 val-override-date: "20161001003725" 14 15 define-tag: "cname cname2 nx servfail sec ambiguous" 16 access-control-tag: 127.0.0.1/32 "cname cname2 nx servfail sec" 17 18 # Basic case: one CNAME whose target exists. 19 local-zone: example.com static 20 local-zone-tag: example.com "cname" 21 access-control-tag: 127.0.0.1/32 "cname" 22 access-control-tag-action: 127.0.0.1/32 "cname" redirect 23 access-control-tag-data: 127.0.0.1/32 "cname" "CNAME example.org." 24 25 # Similar to the above, but different original query name. 26 local-zone: another.example.com static 27 local-zone-tag: another.example.com "cname2" 28 access-control-tag: 127.0.0.1/32 "cname2" 29 access-control-tag-action: 127.0.0.1/32 "cname2" redirect 30 access-control-tag-data: 127.0.0.1/32 "cname2" "CNAME example.org." 31 32 # CNAME target is expected to be nonexistent. 33 local-zone: nx.example.com static 34 local-zone-tag: nx.example.com "nx" 35 access-control-tag: 127.0.0.1/32 "nx" 36 access-control-tag-action: 127.0.0.1/32 "nx" redirect 37 access-control-tag-data: 127.0.0.1/32 "nx" "CNAME nx.example.org." 38 39 # Resolution of this CNAME target will result in SERVFAIL. 
40 local-zone: servfail.example.com static 41 local-zone-tag: servfail.example.com "servfail" 42 access-control-tag-action: 127.0.0.1/32 "servfail" redirect 43 access-control-tag-data: 127.0.0.1/32 "servfail" "CNAME servfail.example.org." 44 45 # CNAME target is supposed to be DNSSEC-signed. 46 local-zone: sec.example.com static 47 local-zone-tag: sec.example.com "sec" 48 access-control-tag-action: 127.0.0.1/32 "sec" redirect 49 access-control-tag-data: 127.0.0.1/32 "sec" "CNAME www.infoblox.com." 50 51 # Test setup for non-tag based redirect 52 local-zone: example.net redirect 53 local-data: "example.net. IN CNAME cname.example.org." 54 55 ### template zone and tag intended to be used for tests with CNAME and 56 ### other data. 57 ##local-zone: ambiguous.example.com redirect 58 ##@LOCALDATA1@ 59 ##@LOCALDATA2@ 60 ##local-zone-tag: ambiguous.example.com "ambiguous" 61 ##access-control-tag-action: 127.0.0.1/32 "ambiguous" redirect 62 ##@TAGDATA1@ 63 ##@TAGDATA2@ 64 65 66 67 target-fetch-policy: "0 0 0 0 0" 68 69# send the queries to the test server (see the 10.0.10.3 entries below) 70forward-zone: 71 name: "." 72 forward-addr: 10.0.10.3 73CONFIG_END 74 75; short one-line description of scenario: 76SCENARIO_BEGIN Test local-data CNAME aliases 77 78; Specification of the answers that the upstream server provides to unbound 79RANGE_BEGIN 0 1000 80 ADDRESS 10.0.10.3 81; put entries here with answers to specific qname, qtype 82 83; infoblox.com 84ENTRY_BEGIN 85MATCH opcode qtype qname 86ADJUST copy_id 87REPLY QR NOERROR 88SECTION QUESTION 89infoblox.com. IN DNSKEY 90SECTION ANSWER 91infoblox.com. 172800 IN DNSKEY 256 3 5 AwEAAbi2VnVHFm5rO2EiawNWhTTRPPzaA+VEdpGOc+CtwIZq86C4Ndbp 0M7XTi0wru0Pgh54oGZ3ty9WllYEnVfoA1rcGwFJmAln7KKAuQP+dlGE yHPJYduAjG/JFA6Qq0zj18AmWgks+qvethASMm3PtihQkNytjmQWjiL6 6h8cQwFP 92infoblox.com. 
172800 IN DNSKEY 257 3 5 AwEAAerW6xQkJIb5wxm48RoHD/LE8r/GzmdIGOam0lQczIth+I9ctltV dDJXz5BH8j4TOaOH1gBRCXhsPDyPom/eLEkdUuXNuhV6QnWGHOtz1fuY EO+kBqaI79jR0K31OmevR/H/F3C8gi4T6//6G9qsftvcl6m7+V1vI2+c cgxiiOlMrZZb4YAhue1+tRw57f3aVOSNtcrONO/Jffgb9jbDTKRi33oT fDznyPa1lCWMbuybr/LaCU0LP6fG4BII/FDWFi5rQxMHygWfscdYX06c eGUzHqiuNNGL8Jze6johni71T/hJGtLMozkY7qxOLfWBXOu9kr1MBQh5 6hfibOZMZJM= 93infoblox.com. 172800 IN RRSIG DNSKEY 5 2 172800 20161004003725 20160930000830 31651 infoblox.com. Ds7LZY2W59fq9cWgqi3W6so1NGFa7JdjO8zlhK3hGu2a2WG1W/rVftom rCf0gdI5q4BZJnq2o0SdLd/U7he1uWz8ATntEETiNs9/8G7myNK17wQu AN/+3gol+qT4DX0CA3Boz7Z+xFQbTwnnJJvGASa/1jPMIYU8DiyNx3Pe SSh9lbyU/4YI0mshn5ZC2HCFChxr+aVJxk4UHjaPfHhWwVu9oM4IbEfn KD9x4ltKjjy0pXMYqVlNs9+tG2nXdwr/6Q4G+yfRBAcW+cWeW5w4igxf xYFq4Y5gkZetGOReoNODZ9YC9WvcxBo+qY/iUN2k+lEFq+oL8+DthAGH uA1krw== 94SECTION AUTHORITY 95SECTION ADDITIONAL 96ENTRY_END 97 98ENTRY_BEGIN 99MATCH opcode qtype qname 100ADJUST copy_id 101REPLY QR NOERROR 102SECTION QUESTION 103www.infoblox.com. IN A 104SECTION ANSWER 105www.infoblox.com. 3600 IN A 161.47.10.70 106www.infoblox.com. 3600 IN RRSIG A 5 3 3600 20161003223322 20160929221122 14916 infoblox.com. WbO9ydRAoRTPvdK18atTdLEkkMGoOjuwbcb6vVI0d6Sea3xkcBMNmtst Wdzr+pKEJqO2bfm167X6uhcOHanHZRnirlTnEbuTdsP0HCiIEGQD5iHg UNH2FJSKGNYBmgZKJpuLhDca7oqtkl8EyGA+UEt6Rtq6aW8V0wpkhPHi Pug=' 107SECTION AUTHORITY 108SECTION ADDITIONAL 109ENTRY_END 110 111; example.org 112ENTRY_BEGIN 113MATCH opcode qtype qname 114ADJUST copy_id 115REPLY QR NOERROR 116SECTION QUESTION 117example.org. IN A 118SECTION ANSWER 119example.org. IN A 192.0.2.1 120SECTION AUTHORITY 121SECTION ADDITIONAL 122ENTRY_END 123 124ENTRY_BEGIN 125MATCH opcode qtype qname 126ADJUST copy_id 127REPLY QR NOERROR 128SECTION QUESTION 129cname.example.org. IN A 130SECTION ANSWER 131cname.example.org. 
IN A 192.0.2.2 132SECTION AUTHORITY 133SECTION ADDITIONAL 134ENTRY_END 135 136ENTRY_BEGIN 137MATCH opcode qtype qname 138ADJUST copy_id 139REPLY QR NOERROR 140SECTION QUESTION 141example.org. IN AAAA 142SECTION ANSWER 143SECTION AUTHORITY 144example.org. IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600 145SECTION ADDITIONAL 146ENTRY_END 147 148ENTRY_BEGIN 149MATCH opcode qtype qname 150ADJUST copy_id 151REPLY QR NXDOMAIN 152SECTION QUESTION 153nx.example.org. IN A 154SECTION ANSWER 155SECTION AUTHORITY 156example.org. IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600 157SECTION ADDITIONAL 158ENTRY_END 159 160; for norec query 161ENTRY_BEGIN 162MATCH opcode qtype qname 163ADJUST copy_id 164REPLY QR NOERROR 165SECTION QUESTION 166example.org. IN NS 167SECTION ANSWER 168example.org. IN NS ns.example. 169SECTION AUTHORITY 170SECTION ADDITIONAL 171ENTRY_END 172 173ENTRY_BEGIN 174MATCH opcode qtype qname 175ADJUST copy_id 176REPLY QR SERVFAIL 177SECTION QUESTION 178servfail.example.org. IN A 179SECTION ANSWER 180SECTION AUTHORITY 181SECTION ADDITIONAL 182ENTRY_END 183 184; end of entries with answers from upstream server 185RANGE_END 186; Steps where queries are sent, one at a time, to unbound. 187; QUERY is what the downstream client sends to unbound. 188; CHECK_ANSWER contains the response from unbound. 189 190 191; Basic case: both exact and subdomain matches result in the same CNAME 192STEP 10 QUERY 193ENTRY_BEGIN 194REPLY RD 195SECTION QUESTION 196example.com. IN CNAME 197ENTRY_END 198 199; For type-CNAME queries, the CNAME itself will be returned 200STEP 20 CHECK_ANSWER 201ENTRY_BEGIN 202MATCH all 203REPLY QR RD RA AA NOERROR 204SECTION QUESTION 205example.com. IN CNAME 206SECTION ANSWER 207example.com. IN CNAME example.org. 208SECTION AUTHORITY 209SECTION ADDITIONAL 210ENTRY_END 211 212STEP 30 QUERY 213ENTRY_BEGIN 214REPLY RD 215SECTION QUESTION 216alias.example.com. 
IN CNAME 217ENTRY_END 218 219; For type-CNAME queries, the CNAME itself will be returned 220STEP 40 CHECK_ANSWER 221ENTRY_BEGIN 222MATCH all 223REPLY QR RD RA AA NOERROR 224SECTION QUESTION 225alias.example.com. IN CNAME 226SECTION ANSWER 227alias.example.com. IN CNAME example.org. 228SECTION AUTHORITY 229SECTION ADDITIONAL 230ENTRY_END 231 232; Basic case: both exact and subdomain matches result in the same CNAME 233; For other types, a complete CNAME chain will have to be returned 234STEP 50 QUERY 235ENTRY_BEGIN 236REPLY RD 237SECTION QUESTION 238example.com. IN A 239ENTRY_END 240 241STEP 60 CHECK_ANSWER 242ENTRY_BEGIN 243MATCH all 244REPLY QR RD RA AA NOERROR 245SECTION QUESTION 246example.com. IN A 247SECTION ANSWER 248example.com. IN CNAME example.org. 249example.org. IN A 192.0.2.1 250SECTION AUTHORITY 251SECTION ADDITIONAL 252ENTRY_END 253 254STEP 70 QUERY 255ENTRY_BEGIN 256REPLY RD 257SECTION QUESTION 258alias.example.com. IN A 259ENTRY_END 260 261STEP 80 CHECK_ANSWER 262ENTRY_BEGIN 263MATCH all 264REPLY QR RD RA AA NOERROR 265SECTION QUESTION 266alias.example.com. IN A 267SECTION ANSWER 268alias.example.com. IN CNAME example.org. 269example.org. IN A 192.0.2.1 270SECTION AUTHORITY 271SECTION ADDITIONAL 272ENTRY_END 273 274; Basic case: both exact and subdomain matches result in the same CNAME. 275; The result is the same for non-recursive query as long as a 276; complete chain is cached. 277STEP 90 QUERY 278ENTRY_BEGIN 279REPLY 280SECTION QUESTION 281example.com. IN A 282ENTRY_END 283 284STEP 100 CHECK_ANSWER 285ENTRY_BEGIN 286MATCH all 287REPLY QR RA AA NOERROR 288SECTION QUESTION 289example.com. IN A 290SECTION ANSWER 291example.com. IN CNAME example.org. 292example.org. IN A 192.0.2.1 293SECTION AUTHORITY 294SECTION ADDITIONAL 295ENTRY_END 296 297STEP 110 QUERY 298ENTRY_BEGIN 299REPLY 300SECTION QUESTION 301alias.example.com. 
IN A 302ENTRY_END 303 304STEP 120 CHECK_ANSWER 305ENTRY_BEGIN 306MATCH all 307REPLY QR RA AA NOERROR 308SECTION QUESTION 309alias.example.com. IN A 310SECTION ANSWER 311alias.example.com. IN CNAME example.org. 312example.org. IN A 192.0.2.1 313SECTION AUTHORITY 314SECTION ADDITIONAL 315ENTRY_END 316 317; Similar to the above, but these are local-zone redirect, instead of 318; tag-based policies. 319STEP 130 QUERY 320ENTRY_BEGIN 321REPLY RD 322SECTION QUESTION 323example.net. IN CNAME 324ENTRY_END 325 326; For type-CNAME queries, the CNAME itself will be returned 327STEP 140 CHECK_ANSWER 328ENTRY_BEGIN 329MATCH all 330REPLY QR RD RA AA NOERROR 331SECTION QUESTION 332example.net. IN CNAME 333SECTION ANSWER 334example.net. IN CNAME cname.example.org. 335SECTION AUTHORITY 336SECTION ADDITIONAL 337ENTRY_END 338 339STEP 150 QUERY 340ENTRY_BEGIN 341REPLY RD 342SECTION QUESTION 343alias.example.net. IN CNAME 344ENTRY_END 345 346; For type-CNAME queries, the CNAME itself will be returned 347STEP 160 CHECK_ANSWER 348ENTRY_BEGIN 349MATCH all 350REPLY QR RD RA AA NOERROR 351SECTION QUESTION 352alias.example.net. IN CNAME 353SECTION ANSWER 354alias.example.net. IN CNAME cname.example.org. 355SECTION AUTHORITY 356SECTION ADDITIONAL 357ENTRY_END 358 359STEP 170 QUERY 360ENTRY_BEGIN 361REPLY RD 362SECTION QUESTION 363example.net. IN A 364ENTRY_END 365 366STEP 180 CHECK_ANSWER 367ENTRY_BEGIN 368MATCH all 369REPLY QR RD RA AA NOERROR 370SECTION QUESTION 371example.net. IN A 372SECTION ANSWER 373example.net. IN CNAME cname.example.org. 374cname.example.org. IN A 192.0.2.2 375SECTION AUTHORITY 376SECTION ADDITIONAL 377ENTRY_END 378 379STEP 190 QUERY 380ENTRY_BEGIN 381REPLY RD 382SECTION QUESTION 383alias.example.net. IN A 384ENTRY_END 385 386STEP 200 CHECK_ANSWER 387ENTRY_BEGIN 388MATCH all 389REPLY QR RD RA AA NOERROR 390SECTION QUESTION 391alias.example.net. IN A 392SECTION ANSWER 393alias.example.net. IN CNAME cname.example.org. 394cname.example.org. 
IN A 192.0.2.2 395SECTION AUTHORITY 396SECTION ADDITIONAL 397ENTRY_END 398 399 400; Relatively minor cases follow 401 402; query type doesn't exist for the CNAME target. The original query 403; succeeds with an "incomplete" chain only containing the CNAME. 404STEP 210 QUERY 405ENTRY_BEGIN 406REPLY RD 407SECTION QUESTION 408example.com. IN AAAA 409ENTRY_END 410 411STEP 220 CHECK_ANSWER 412ENTRY_BEGIN 413MATCH all 414REPLY QR RD RA AA NOERROR 415SECTION QUESTION 416example.com. IN AAAA 417SECTION ANSWER 418example.com. IN CNAME example.org. 419SECTION AUTHORITY 420example.org. 3600 IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600 421SECTION ADDITIONAL 422ENTRY_END 423 424; The CNAME target name doesn't exist. NXDOMAIN with the CNAME will 425; be returned. 426STEP 230 QUERY 427ENTRY_BEGIN 428REPLY RD 429SECTION QUESTION 430nx.example.com. IN A 431ENTRY_END 432 433STEP 240 CHECK_ANSWER 434ENTRY_BEGIN 435MATCH all 436REPLY QR RD RA AA NXDOMAIN 437SECTION QUESTION 438nx.example.com. IN A 439SECTION ANSWER 440nx.example.com. IN CNAME nx.example.org. 441SECTION AUTHORITY 442example.org. 3600 IN SOA ns.example.org. hostmaster.example.org. 2016101900 28800 7200 604800 3600 443SECTION ADDITIONAL 444ENTRY_END 445 446; Resolution for the CNAME target will result in SERVFAIL. It will 447; be forwarded to the original query. The answer section should be 448; empty. 449STEP 250 QUERY 450ENTRY_BEGIN 451REPLY RD 452SECTION QUESTION 453servfail.example.com. IN A 454ENTRY_END 455 456STEP 260 CHECK_ANSWER 457ENTRY_BEGIN 458MATCH all 459REPLY QR RD RA SERVFAIL 460SECTION QUESTION 461servfail.example.com. IN A 462SECTION ANSWER 463SECTION AUTHORITY 464SECTION ADDITIONAL 465ENTRY_END 466 467; The CNAME target is DNSSEC-signed and it's validated. 
If the original 468; query set the DO bit, the RRSIGs will be included in the answer, 469; but the response should have the AD bit off, since the locally generated CNAME itself is unsigned and the chain as a whole cannot be marked authenticated 470STEP 270 QUERY 471ENTRY_BEGIN 472REPLY RD DO 473SECTION QUESTION 474sec.example.com. IN A 475ENTRY_END 476 477STEP 280 CHECK_ANSWER 478ENTRY_BEGIN 479MATCH all 480REPLY QR RD DO RA AA NOERROR 481SECTION QUESTION 482sec.example.com. IN A 483SECTION ANSWER 484sec.example.com. IN CNAME www.infoblox.com. 485www.infoblox.com. 3600 IN A 161.47.10.70 486www.infoblox.com. 3600 IN RRSIG A 5 3 3600 20161003223322 20160929221122 14916 infoblox.com. WbO9ydRAoRTPvdK18atTdLEkkMGoOjuwbcb6vVI0d6Sea3xkcBMNmtst Wdzr+pKEJqO2bfm167X6uhcOHanHZRnirlTnEbuTdsP0HCiIEGQD5iHg UNH2FJSKGNYBmgZKJpuLhDca7oqtkl8EyGA+UEt6Rtq6aW8V0wpkhPHi Pug=' 487SECTION AUTHORITY 488SECTION ADDITIONAL 489ENTRY_END 490 491 492SCENARIO_END 493