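; Replay scenario for Response Policy Zone (RPZ) rules keyed on the NAME of a
; nameserver (the rpz-nsdname trigger). Each test domain gotham.<tld> is
; delegated to ns1.gotham.<tld>, and the policy zone below attaches a
; different action to each of those nameserver names.
; config options
server:
    module-config: "respip validator iterator"
    target-fetch-policy: "0 0 0 0 0"
    qname-minimisation: no
    access-control: 192.0.0.0/8 allow

; Policy zone under test. Owner names in the zone file have the form
; <nameserver-name>.rpz-nsdname; the record data selects the action:
;   ns1.gotham.aa   CNAME .              -> NXDOMAIN             (STEP 10-11)
;   ns1.gotham.bb   CNAME *.             -> NODATA               (STEP 20-21)
;   ns1.gotham.cc   CNAME rpz-drop.      -> drop the query       (no STEP below)
;   ns1.gotham.com  CNAME rpz-passthru.  -> answer unmodified    (STEP 1-2)
;   ns1.gotham.dd   CNAME rpz-tcp-only.  -> truncate over UDP    (STEP 40-43)
;   ns1.gotham.ff   A / TXT              -> local data           (STEP 30-31)
; NOTE(review): the rpz-drop rule for ns1.gotham.cc is loaded but never
; queried, and no RANGE below answers for 8.8.2.8, so the drop action has no
; coverage in this scenario.
; NOTE(review): rpz-log is enabled, but nothing visible in this file checks
; the log output.
rpz:
    name: "rpz.example.com."
    rpz-log: yes
    rpz-log-name: "rpz.example.com"
    zonefile:
TEMPFILE_NAME rpz.example.com
TEMPFILE_CONTENTS rpz.example.com
$ORIGIN example.com.
rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
        1379078166 28800 7200 604800 7200 )
    3600 IN NS ns1.rpz.example.com.
    3600 IN NS ns2.rpz.example.com.
$ORIGIN rpz.example.com.
ns1.gotham.aa.rpz-nsdname CNAME .
ns1.gotham.bb.rpz-nsdname CNAME *.
ns1.gotham.cc.rpz-nsdname CNAME rpz-drop.
ns1.gotham.com.rpz-nsdname CNAME rpz-passthru.
ns1.gotham.dd.rpz-nsdname CNAME rpz-tcp-only.
ns1.gotham.ff.rpz-nsdname A 127.0.0.1
ns1.gotham.ff.rpz-nsdname TXT "42"
TEMPFILE_END

stub-zone:
    name: "."
    stub-addr: 1.1.1.1
CONFIG_END

; Title corrected: every rule in the policy zone uses the rpz-nsdname trigger,
; not rpz-nsip.
SCENARIO_BEGIN Test RPZ nsdname triggers

; Mock root server: delegates com, aa, bb, cc, dd, ee and ff to per-TLD servers.
; NOTE(review): ee. is delegated here but has no RPZ rule, no RANGE for
; 8.8.5.8 and no STEP, so it is unused in this scenario.
; . --------------------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 1.1.1.1
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS ns.root.
SECTION ADDITIONAL
ns.root IN A 1.1.1.1
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS ns1.com.
SECTION ADDITIONAL
ns1.com. IN A 8.8.8.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
aa. IN A
SECTION AUTHORITY
aa. IN NS ns1.aa.
SECTION ADDITIONAL
ns1.aa. IN A 8.8.0.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
bb. IN A
SECTION AUTHORITY
bb. IN NS ns1.bb.
SECTION ADDITIONAL
ns1.bb. IN A 8.8.1.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
cc. IN A
SECTION AUTHORITY
cc. IN NS ns1.cc.
SECTION ADDITIONAL
ns1.cc. IN A 8.8.2.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
dd. IN A
SECTION AUTHORITY
dd. IN NS ns1.dd.
SECTION ADDITIONAL
ns1.dd. IN A 8.8.3.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
ee. IN A
SECTION AUTHORITY
ee. IN NS ns1.ee.
SECTION ADDITIONAL
ns1.ee. IN A 8.8.5.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
ff. IN A
SECTION AUTHORITY
ff. IN NS ns1.ff.
SECTION ADDITIONAL
ns1.ff. IN A 8.8.6.8
ENTRY_END

RANGE_END

; Mock TLD servers. Each one refers gotham.<tld> to ns1.gotham.<tld>; that NS
; name is what the rpz-nsdname rules in the policy zone are written against.
; com. -----------------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 8.8.8.8

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS ns1.com.
SECTION ADDITIONAL
ns1.com. IN A 8.8.8.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
gotham.com. IN A
SECTION AUTHORITY
gotham.com. IN NS ns1.gotham.com.
SECTION ADDITIONAL
ns1.gotham.com. IN A 192.0.6.1
ENTRY_END

RANGE_END

; aa. ------------------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 8.8.0.8

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
aa. IN NS
SECTION ANSWER
aa. IN NS ns1.aa.
SECTION ADDITIONAL
ns1.aa. IN A 8.8.0.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
gotham.aa. IN A
SECTION AUTHORITY
gotham.aa. IN NS ns1.gotham.aa.
SECTION ADDITIONAL
ns1.gotham.aa. IN A 192.0.0.1
ENTRY_END

RANGE_END

; bb. ------------------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 8.8.1.8

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
bb. IN NS
SECTION ANSWER
bb. IN NS ns1.bb.
SECTION ADDITIONAL
ns1.bb. IN A 8.8.1.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
gotham.bb. IN A
SECTION AUTHORITY
gotham.bb. IN NS ns1.gotham.bb.
SECTION ADDITIONAL
ns1.gotham.bb. IN A 192.0.1.1
ENTRY_END

RANGE_END

; dd. ------------------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 8.8.3.8

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
dd. IN NS
SECTION ANSWER
dd. IN NS ns1.dd.
SECTION ADDITIONAL
ns1.dd. IN A 8.8.3.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
gotham.dd. IN A
SECTION AUTHORITY
gotham.dd. IN NS ns1.gotham.dd.
SECTION ADDITIONAL
ns1.gotham.dd. IN A 192.0.3.1
ENTRY_END

RANGE_END

; ff. ------------------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 8.8.6.8

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ff. IN NS
SECTION ANSWER
ff. IN NS ns1.ff.
SECTION ADDITIONAL
ns1.ff. IN A 8.8.6.8
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
gotham.ff. IN A
SECTION AUTHORITY
gotham.ff. IN NS ns1.gotham.ff.
SECTION ADDITIONAL
ns1.gotham.ff. IN A 192.0.5.1
ENTRY_END

RANGE_END

; Mock authoritative servers for gotham.<tld>. They hold the unfiltered
; answers (192.0.N.2); comparing these with the CHECK_ANSWER steps shows
; whether the policy rewrote the response.
; ns1.gotham.com. ------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 192.0.6.1

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
gotham.com. IN A
SECTION ANSWER
gotham.com. IN A 192.0.6.2
ENTRY_END

RANGE_END

; ns1.gotham.aa. -------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 192.0.0.1

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
gotham.aa. IN A
SECTION ANSWER
gotham.aa. IN A 192.0.0.2
ENTRY_END

RANGE_END

; ns1.gotham.bb. -------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 192.0.1.1

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
gotham.bb. IN A
SECTION ANSWER
gotham.bb. IN A 192.0.1.2
ENTRY_END

RANGE_END

; ns1.gotham.dd. -------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 192.0.3.1

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
gotham.dd. IN A
SECTION ANSWER
gotham.dd. IN A 192.0.3.2
ENTRY_END

RANGE_END

; ns1.gotham.ff. -------------------------------------------------------------
RANGE_BEGIN 0 100
    ADDRESS 192.0.5.1

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
gotham.ff. IN A
SECTION ANSWER
gotham.ff. IN A 192.0.5.2
ENTRY_END

RANGE_END

; ----------------------------------------------------------------------------

; rpz-passthru: ns1.gotham.com is listed with the passthru action, so the
; client must receive the unmodified upstream answer 192.0.6.2.
STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
gotham.com. IN A
ENTRY_END

STEP 2 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
gotham.com. IN A
SECTION ANSWER
gotham.com. IN A 192.0.6.2
ENTRY_END

; "CNAME ." rule: the expected reply is NXDOMAIN with an empty answer section,
; and the upstream record 192.0.0.2 must not reach the client.
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
gotham.aa. IN A
ENTRY_END

STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA NXDOMAIN
SECTION QUESTION
gotham.aa. IN A
SECTION ANSWER
ENTRY_END

; "CNAME *." rule: the expected reply is NOERROR with an empty answer section
; (NODATA); the upstream record 192.0.1.2 must not reach the client.
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
gotham.bb. IN A
ENTRY_END

STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
gotham.bb. IN A
SECTION ANSWER
ENTRY_END

; Local-data rule: the A record from the policy zone (127.0.0.1) is expected
; in place of the upstream answer 192.0.5.2.
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
gotham.ff. IN A
ENTRY_END

STEP 31 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
gotham.ff. IN A
SECTION ANSWER
gotham.ff. IN A 127.0.0.1
ENTRY_END

; rpz-tcp-only rule, first over UDP.
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
gotham.dd. IN A
ENTRY_END

; should come back truncated because TCP is required.
STEP 41 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA TC NOERROR
SECTION QUESTION
gotham.dd. IN A
SECTION ANSWER
ENTRY_END

; Same question repeated over TCP: the unmodified upstream answer 192.0.3.2
; is expected, so the rule forces a transport change and does not rewrite data.
STEP 42 QUERY
ENTRY_BEGIN
MATCH TCP
REPLY RD
SECTION QUESTION
gotham.dd. IN A
ENTRY_END

STEP 43 CHECK_ANSWER
ENTRY_BEGIN
MATCH all TCP
REPLY QR RD RA NOERROR
SECTION QUESTION
gotham.dd. IN A
SECTION ANSWER
gotham.dd. IN A 192.0.3.2
ENTRY_END

SCENARIO_END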