- Added test for leak of stub information.

git-svn-id: file:///svn/unbound/trunk@4141 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -1,3 +1,6 @@
+2 May 2017: Wouter
+	- Added test for leak of stub information.
+
 1 May 2017: Wouter
 	- Fix #1259: "--disable-ecdsa" argument overwritten 
 	  by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c".

testcode/replay.c

@@ -488,6 +488,7 @@ replay_scenario_read(FILE* in, const char* name, int* lineno)
 			return scen;
 		}
 	}
+	log_err("scenario read failed at line %d (no SCENARIO_END?)", *lineno);
 	replay_scenario_delete(scen);
 	return NULL;
 }

testdata/iter_stub_leak.rpl

@@ -0,0 +1,142 @@
+; config options
+server:
+        target-fetch-policy: "0 0 0 0 0"
+
+stub-zone:
+        name: "."
+	stub-addr: 193.0.14.129
+stub-zone:
+	name: "example.com"
+	stub-addr: 10.0.1.1
+CONFIG_END
+
+SCENARIO_BEGIN Test stub zone leaking to the internet on last resort fallback
+
+; root server
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129
+
+; root prime
+ENTRY_BEGIN
+MATCH
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS k.root-servers.net.
+SECTION ADDITIONAL
+k.root-servers.net. IN A 193.0.14.129
+ENTRY_END
+
+RANGE_END
+
+; stub server for example.com
+RANGE_BEGIN 0 100
+	ADDRESS 10.0.1.1
+
+; subzone is delegated
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION AUTHORITY
+subzone.example.com. IN NS sub-ns1.example.com.
+subzone.example.com. IN NS sub-ns2.example.com.
+SECTION ADDITIONAL
+sub-ns1.example.com. IN A 10.0.2.3
+sub-ns2.example.com. IN A 10.0.2.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns1.example.com. IN A
+SECTION ANSWER
+sub-ns1.example.com. IN A 10.0.2.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns2.example.com. IN A
+SECTION ANSWER
+sub-ns2.example.com. IN A 10.0.2.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns1.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. 300 SOA master.example.com etc 1 2 3 4 300
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode question
+ADJUST copy_id copy_query
+REPLY QR AA NOERROR
+SECTION QUESTION
+sub-ns2.example.com. IN AAAA
+SECTION AUTHORITY
+example.com. 300 SOA master.example.com etc 1 2 3 4 300
+ENTRY_END
+
+RANGE_END
+
+; stub server for subzone.example.com
+RANGE_BEGIN 0 100
+	ADDRESS 10.0.2.3
+; match anything, servfail
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+; stub server for subzone.example.com
+RANGE_BEGIN 0 100
+	ADDRESS 10.0.2.4
+; match anything, servfail
+ENTRY_BEGIN
+MATCH opcode
+ADJUST copy_id copy_query
+REPLY QR SERVFAIL
+SECTION QUESTION
+subzone.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+whatever.subzone.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+; the query should not leak subzone ns queries to the internet
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+whatever.subzone.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+ENTRY_END
+
+SCENARIO_END