From 710778dfddec7cbf0fb61db8e8d237cffb666569 Mon Sep 17 00:00:00 2001
From: Ralph Dolmans <ralph@nlnetlabs.nl>
Date: Thu, 13 Apr 2017 08:49:32 +0000
Subject: [PATCH] - Added ECS unit test (from Manu Bretelle). - ECS
 documentation fix (from Manu Bretelle).

git-svn-id: file:///svn/unbound/trunk@4116 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog                   |   4 +
 doc/unbound.conf.5.in           |   5 +-
 testdata/subnet_max_source.crpl | 231 ++++++++++++++++++++++++++++++++
 3 files changed, 238 insertions(+), 2 deletions(-)
 create mode 100644 testdata/subnet_max_source.crpl

diff --git a/doc/Changelog b/doc/Changelog
index 2a90abe3e..98aa4dabf 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+13 April 2017: Ralph
+	- Added ECS unit test (from Manu Bretelle).
+	- ECS documentation fix (from Manu Bretelle).
+
 13 April 2017: Wouter
 	- Fix #1250: inconsistent indentation in services/listen_dnsport.c.
 	- tag for 1.6.2rc1
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 431d59f21..d9a7060e3 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1490,8 +1490,9 @@ specialized cache. If the authority indicated no support, the response is stored
 in the regular cache.
 .LP
 Additionally, when a client includes the option in its queries, Unbound will
-forward the option to the authority regardless of the authorities presence in
-the whitelist. In this case the lookup in the regular cache is skipped.
+forward the option to the authority if prensent in the whitelist, or
+\fBclient\-subnet\-always\-forward\fR is set to yes. In this case the lookup in
+the regular cache is skipped.
 .LP
 The maximum size of the ECS cache is controlled by 'msg-cache-size' in the
 configuration file. On top of that, for each query only 100 different subnets
diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl
new file mode 100644
index 000000000..dc4b54217
--- /dev/null
+++ b/testdata/subnet_max_source.crpl
@@ -0,0 +1,231 @@
+; When the triggering query includes ECS option, source prefix-length should
+; be set to the shorter of the incoming query or server maximum cacheable prefix
+; length
+
+server:
+	val-override-date: "20070916134226"
+	target-fetch-policy: "0 0 0 0 0"
+	send-client-subnet: 1.2.3.4
+	max-client-subnet-ipv4: 17
+	module-config: "subnetcache validator iterator"
+	verbosity: 3
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test shortest source prefix-length
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			. IN NS
+		SECTION ANSWER
+			. IN NS	K.ROOT-SERVERS.NET.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			com.	IN NS	a.gtld-servers.net.
+		SECTION ADDITIONAL
+			a.gtld-servers.net.	IN 	A	192.5.6.30
+	ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			com. IN NS
+		SECTION ANSWER
+			com.    IN NS   a.gtld-servers.net.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			a.gtld-servers.net.     IN      A       192.5.6.30
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id copy_ednsdata_assume_clientsubnet
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN NS
+		SECTION ANSWER
+			example.com.    IN NS   ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+				;; we expect to receive empty
+			HEX_EDNSDATA_END
+			ns.example.com.         IN      A       1.2.3.4
+	ENTRY_END
+
+	; response to query of interest
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id copy_ednsdata_assume_clientsubnet
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com. IN A	10.20.30.40
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.0.0.1
+				00 08 		; OPC
+				00 06 		; option length
+				00 01 		; Family
+				10 00 		; source mask, scopemask
+				7f 00    	; address
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+	; client send /18, we expect /17
+	ENTRY_BEGIN
+		MATCH opcode qtype qname ednsdata
+		ADJUST copy_id copy_ednsdata_assume_clientsubnet
+		REPLY QR NOERROR
+		SECTION QUESTION
+			www.example.com. IN A
+		SECTION ANSWER
+			www.example.com. IN A	10.20.30.50
+		SECTION AUTHORITY
+			example.com.	IN NS	ns.example.com.
+		SECTION ADDITIONAL
+			HEX_EDNSDATA_BEGIN
+							; client is 127.1.0.1
+				00 08 		; OPC
+				00 07 		; option length
+				00 01 		; Family
+				11 00 		; source mask, scopemask
+				7f 01 00   	; address
+			HEX_EDNSDATA_END
+			ns.example.com.		IN 	A	1.2.3.4
+	ENTRY_END
+
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+	HEX_ANSWER_BEGIN;
+		00 00 01 00 00 01 00 00		;ID 0
+		00 00 00 01 03 77 77 77		; www.example.com A? (DO)
+		07 65 78 61 6d 70 6c 65 
+		03 63 6f 6d 00 00 01 00
+		01 00 00 29 10 00 00 00 
+		80 00 00 0a
+		
+		00 08 00 06			; OPC, optlen
+		00 01 10 00			; ip4, scope 16, source 0
+		7f 00   			;127.0.0.0/16
+	HEX_ANSWER_END
+ENTRY_END
+
+
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ednsdata
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		www.example.com. IN A
+	SECTION ANSWER
+		www.example.com. IN A	10.20.30.40
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+						; client is 127.0.0.1
+			00 08 		; OPC
+			00 06 		; option length
+			00 01 		; Family
+			10 10 		; source mask, scopemask
+			7f 00 	; address
+		HEX_EDNSDATA_END
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+STEP 11 QUERY
+ENTRY_BEGIN
+	HEX_ANSWER_BEGIN;
+		00 00 01 00 00 01 00 00		;ID 0
+		00 00 00 01 03 77 77 77		; www.example.com A? (DO)
+		07 65 78 61 6d 70 6c 65 
+		03 63 6f 6d 00 00 01 00
+		01 00 00 29 10 00 00 00 
+		80 00 00 0b
+		
+		00 08 00 07			; OPC, optlen
+		00 01 12 00			; ip4, scope 18, source 0
+		7f 01 00  			;127.1.0.0/18
+	HEX_ANSWER_END
+ENTRY_END
+
+
+
+; recursion happens here.
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all ednsdata
+	REPLY QR RD RA NOERROR
+	SECTION QUESTION
+		www.example.com. IN A
+	SECTION ANSWER
+		www.example.com. IN A	10.20.30.50
+	SECTION AUTHORITY
+		example.com.	IN NS	ns.example.com.
+	SECTION ADDITIONAL
+		HEX_EDNSDATA_BEGIN
+						; client is 127.1.0.1
+			00 08 		; OPC
+			00 07 		; option length
+			00 01 		; Family
+			12 11 		; source mask, scopemask
+			7f 01 00 	; address
+		HEX_EDNSDATA_END
+		ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+
+SCENARIO_END