- Fix CVE-2025-11411 (possible domain hijacking attack), reported by Yuxiao Wu,

Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University.

daemon/remote.c

@@ -6176,6 +6176,7 @@ fr_atomic_copy_cfg(struct config_file* oldcfg, struct config_file* cfg,
 	COPY_VAR_ptr(ipset_name_v6);
 #endif
 	COPY_VAR_int(ede);
+	COPY_VAR_int(iter_scrub_promiscuous);
 }
 #endif /* ATOMIC_POINTER_LOCK_FREE && HAVE_LINK_ATOMIC_STORE */
 

doc/example.conf.in

@@ -196,6 +196,10 @@ server:
 	# Limit on upstream queries for an incoming query and its recursion.
 	# max-global-quota: 200
 
+	# Should the scrubber remove promiscuous NS from positive answers,
+	# protects against poison attempts.
+	# iter-scrub-promiscuous: yes
+
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376

doc/unbound-control.8.in

@@ -167,6 +167,7 @@ ipset,
 \fI\%tcp\-reuse\-timeout\fP,
 \fI\%tcp\-auth\-query\-timeout\fP,
 \fI\%delay\-close\fP\&.
+\fI\%iter\-scrub\-promiscuous\fP\&.
 .sp
 It does not work with
 \fI\%interface\fP and

doc/unbound-control.rst

@@ -169,6 +169,7 @@ There are several commands that the server understands.
     :ref:`tcp-reuse-timeout<unbound.conf.tcp-reuse-timeout>`,
     :ref:`tcp-auth-query-timeout<unbound.conf.tcp-auth-query-timeout>`,
     :ref:`delay-close<unbound.conf.delay-close>`.
+    :ref:`iter-scrub-promiscuous<unbound.conf.iter-scrub-promiscuous>`.
 
     It does not work with
     :ref:`interface<unbound.conf.interface>` and

doc/unbound.conf.5.in

@@ -3656,6 +3656,15 @@ Default: 200
 .UNINDENT
 .INDENT 0.0
 .TP
+.B iter\-scrub\-promiscuous: \fI<yes or no>\fP 
+Should the iterator scrubber remove promiscuous NS from positive answers.
+This protects against poisonous contents, that could affect names in the
+same zone as a spoofed packet.
+.sp
+Default: yes
+.UNINDENT
+.INDENT 0.0
+.TP
 .B fast\-server\-permil: \fI<number>\fP 
 Specify how many times out of 1000 to pick from the set of fastest servers.
 0 turns the feature off.

doc/unbound.conf.rst

@@ -3156,6 +3156,14 @@ These options are part of the **server:** clause.
     Default: 200
 
 
+@@UAHL@unbound.conf@iter-scrub-promiscuous@@: *<yes or no>*
+    Should the iterator scrubber remove promiscuous NS from positive answers.
+    This protects against poisonous contents, that could affect names in the
+    same zone as a spoofed packet.
+
+    Default: yes
+
+
 @@UAHL@unbound.conf@fast-server-permil@@: *<number>*
     Specify how many times out of 1000 to pick from the set of fastest servers.
     0 turns the feature off.

iterator/iter_scrub.c

@@ -634,6 +634,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
 					"RRset:", pkt, msg, prev, &rrset);
 				continue;
 			}
+			/* If the NS set is a promiscuous NS set, scrub that
+			 * to remove potential for poisonous contents that
+			 * affects other names in the same zone. Remove
+			 * promiscuous NS sets in positive answers, that
+			 * thus have records in the answer section. Nodata
+			 * and nxdomain promiscuous NS sets have been removed
+			 * already. Since the NS rrset is scrubbed, its
+			 * address records are also not marked to be allowed
+			 * and are removed later. */
+			if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
+				msg->an_rrsets != 0 &&
+				env->cfg->iter_scrub_promiscuous) {
+				remove_rrset("normalize: removing promiscuous "
+					"RRset:", pkt, msg, prev, &rrset);
+				continue;
+			}
 			if(nsset == NULL) {
 				nsset = rrset;
 			} else {

testdata/autotrust_init.rpl

@@ -5,6 +5,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.

testdata/autotrust_init_ds.rpl

@@ -5,6 +5,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.

testdata/autotrust_init_sigs.rpl

@@ -5,6 +5,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.

testdata/autotrust_init_zsk.rpl

@@ -5,6 +5,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.

testdata/black_data.rpl

@@ -8,6 +8,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/black_prime.rpl

@@ -8,6 +8,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/disable_edns_do.rpl

@@ -5,6 +5,7 @@ server:
 	qname-minimisation: "no"
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	disable-edns-do: yes
 
 stub-zone:

testdata/dns64_lookup.rpl

@@ -7,6 +7,7 @@ server:
 	dns64-ignore-aaaa: ip6ignore.example.com
 	dns64-ignore-aaaa: ip6only.example.com
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/dns64_prefetch_cache.rpl

@@ -5,6 +5,7 @@ server:
 	module-config: "dns64 iterator"
 	dns64-prefix: 64:ff9b::0/96
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	prefetch: yes
 
 stub-zone:

testdata/fetch_glue.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/fetch_glue_cname.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/fwd_cached.rpl

@@ -2,6 +2,7 @@
 ; config options go here.
 server:
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 forward-zone: name: "." forward-addr: 216.0.0.1
 CONFIG_END
 

testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf

@@ -10,6 +10,7 @@ server:
 	username: ""
 	do-not-query-localhost: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 forward-zone:
 	name: "."

testdata/fwd_minimal.rpl

@@ -5,6 +5,7 @@ server:
 	; is fine for that, not removed by minimal-responses.
 	access-control: 127.0.0.1 allow_snoop
 	minimal-responses: yes
+	iter-scrub-promiscuous: no
 forward-zone: name: "." forward-addr: 216.0.0.1
 CONFIG_END
 

testdata/ipsecmod_bogus_ipseckey.crpl

@@ -9,6 +9,7 @@ server:
 	qname-minimisation: "no"
 	# test that default value of harden-dnssec-stripped is still yes.
 	fake-sha1: yes
+	iter-scrub-promiscuous: no
 	trust-anchor-signaling: no
 	access-control: 127.0.0.1 allow_snoop
 	module-config: "ipsecmod validator iterator"

testdata/ipsecmod_enabled.crpl

@@ -11,6 +11,7 @@ server:
 	ipsecmod-enabled: no
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/ipsecmod_ignore_bogus_ipseckey.crpl

@@ -18,6 +18,7 @@ server:
 	ipsecmod-ignore-bogus: yes
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/ipsecmod_max_ttl.crpl

@@ -10,6 +10,7 @@ server:
 	ipsecmod-max-ttl: 200
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/ipsecmod_strict.crpl

@@ -10,6 +10,7 @@ server:
 	ipsecmod-max-ttl: 200
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/ipsecmod_whitelist.crpl

@@ -11,6 +11,7 @@ server:
 	ipsecmod-whitelist: white.example.com
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_class_any.rpl

@@ -8,6 +8,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_cycle_noh.rpl

@@ -4,6 +4,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_domain_sale.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_domain_sale_nschange.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_emptydp.rpl

@@ -8,6 +8,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_emptydp_for_glue.rpl

@@ -8,6 +8,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_fwdfirst.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_fwdfirstequal.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_fwdfirstequaltcp.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
         tcp-upstream: no
         #tls-upstream:no  # same case but not testable in rpl.
 

testdata/iter_fwdstub.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_fwdstubroot.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_ghost_grandchild_delegation.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_ghost_sub.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_ghost_timewindow.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	discard-timeout: 86400
 
 stub-zone:

testdata/iter_got6only.rpl

@@ -4,6 +4,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0 "
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.

testdata/iter_hint_lame.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_lame_noaa.rpl

@@ -4,6 +4,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/iter_lame_nosoa.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/iter_mod.rpl

@@ -4,6 +4,7 @@ server:
 	qname-minimisation: "no"
 	module-config: "iterator"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_ns_badip.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "3 2 1 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/iter_ns_spoof.rpl

@@ -4,6 +4,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 stub-zone:
 	name: "."
 	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.

testdata/iter_nxns_fallback.rpl

@@ -8,6 +8,7 @@ server:
 	access-control: 127.0.0.1 allow_snoop
 	qname-minimisation: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/iter_pc_a.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_pc_aaaa.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_pcdiff.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_pcdirect.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_pcname.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_pcnamech.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/iter_pcnamechrec.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/iter_pcnamerec.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_pcttl.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	do-ip6: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_prefetch.rpl

@@ -4,6 +4,7 @@ server:
 	qname-minimisation: "no"
 	prefetch: "yes"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_prefetch_change.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	prefetch: "yes"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_prefetch_change2.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	prefetch: "yes"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_prefetch_childns.rpl

@@ -4,6 +4,7 @@ server:
 	qname-minimisation: "no"
 	prefetch: "yes"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_prefetch_fail.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	prefetch: "yes"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_prefetch_ns.rpl

@@ -4,6 +4,7 @@ server:
 	qname-minimisation: "no"
 	prefetch: "yes"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_primenoglue.rpl

@@ -8,6 +8,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_privaddr.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 	private-address: 10.0.0.0/8
 	private-address: 172.16.0.0/12

testdata/iter_ranoaa_lame.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/iter_reclame_one.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/iter_reclame_two.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 stub-zone:

testdata/iter_recurse.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_resolve.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_resolve_minimised.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_resolve_minimised_nx.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: yes
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_resolve_minimised_refused.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: yes
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_resolve_minimised_timeout.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: yes
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_scrub_cname_an.rpl

@@ -4,6 +4,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
         name: "."

testdata/iter_scrub_dname_insec.rpl

@@ -4,6 +4,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
         name: "."

testdata/iter_scrub_dname_rev.rpl

@@ -8,6 +8,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
         name: "."

testdata/iter_scrub_dname_sec.rpl

@@ -8,6 +8,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
         name: "."

testdata/iter_scrub_promiscuous.rpl

@@ -0,0 +1,373 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: no
+	iter-scrub-promiscuous: yes
+
+stub-zone:
+	name: "."
+	stub-addr: 1.2.3.0 # ns.root
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator with scrub of promiscuous records
+; The test queries receive spoofed answers. The check queries see if
+; the record is returned by the original server or by a spoofed source.
+; The test domains are pollute1.mesa, pollute2.mesa and pollute3.mesa.
+; The spoofed contents are ns.attacker.mesa and its IPs 5.6.7.8 and 5.6.7.9.
+; The pollute1.mesa NS, ns.pollute2.mesa A, and test3.atkr.pollute3.mesa NS
+; with ns.pollute3.mesa A records are tested for cache placement.
+
+; ns.root
+RANGE_BEGIN 0 400
+	ADDRESS 1.2.3.0
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS NS.ROOT.
+SECTION ADDITIONAL
+NS.ROOT. IN A 1.2.3.0
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+mesa. IN NS
+SECTION AUTHORITY
+mesa. IN NS ns.mesa.
+SECTION ADDITIONAL
+ns.mesa. IN A 1.2.7.7
+ENTRY_END
+RANGE_END
+
+; ns.mesa
+RANGE_BEGIN 0 400
+	ADDRESS 1.2.7.7
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+pollute1.mesa. IN NS
+SECTION AUTHORITY
+pollute1.mesa. IN NS ns.pollute1.mesa.
+SECTION ADDITIONAL
+ns.pollute1.mesa. IN A 1.2.4.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+pollute2.mesa. IN NS
+SECTION AUTHORITY
+pollute2.mesa. IN NS ns.pollute2.mesa.
+SECTION ADDITIONAL
+ns.pollute2.mesa. IN A 1.2.4.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+pollute3.mesa. IN NS
+SECTION AUTHORITY
+pollute3.mesa. IN NS ns.pollute3.mesa.
+SECTION ADDITIONAL
+ns.pollute3.mesa. IN A 1.2.4.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+attacker.mesa. IN NS
+SECTION AUTHORITY
+attacker.mesa. IN NS ns.attacker.mesa.
+SECTION ADDITIONAL
+ns.attacker.mesa. IN A 5.6.7.8
+ENTRY_END
+RANGE_END
+
+; ns.pollute1.mesa
+RANGE_BEGIN 0 400
+	ADDRESS 1.2.4.1
+
+; This is the spoofed answer that is returned.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+test1.atkr.pollute1.mesa. IN A
+SECTION ANSWER
+test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4
+SECTION AUTHORITY
+pollute1.mesa. 86400 IN NS ns.attacker.mesa.
+ENTRY_END
+
+; correct answer for the check query.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute1.mesa. IN A
+SECTION ANSWER
+check.pollute1.mesa. IN A 1.8.9.1
+ENTRY_END
+RANGE_END
+
+; ns.pollute2.mesa
+RANGE_BEGIN 0 400
+	ADDRESS 1.2.4.2
+
+; This is the spoofed answer that is returned.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+test2.atkr.pollute2.mesa. IN A
+SECTION ANSWER
+test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4
+SECTION AUTHORITY
+pollute2.mesa. 86400 IN NS ns.pollute2.mesa.
+SECTION ADDITIONAL
+ns.pollute2.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+; correct answer for the check query.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute2.mesa. IN A
+SECTION ANSWER
+check.pollute2.mesa. IN A 1.8.9.2
+ENTRY_END
+RANGE_END
+
+; ns.pollute3.mesa
+RANGE_BEGIN 0 400
+	ADDRESS 1.2.4.3
+
+; This is the spoofed answer that is returned.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+test3.atkr.pollute3.mesa. IN A
+SECTION ANSWER
+test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
+SECTION AUTHORITY
+test3.atkr.pollute3.mesa. 86400 IN NS ns.pollute3.mesa.
+SECTION ADDITIONAL
+ns.pollute3.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+; correct answer for the check query.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute3.mesa. IN A
+SECTION ANSWER
+check.pollute3.mesa. IN A 1.8.9.3
+ENTRY_END
+RANGE_END
+
+; ns.attacker.mesa
+RANGE_BEGIN 0 400
+	ADDRESS 5.6.7.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.attacker.mesa. IN A
+SECTION ANSWER
+ns.attacker.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.attacker.mesa. IN AAAA
+SECTION AUTHORITY
+attacker.mesa. 3600 IN SOA ns.attacker.mesa. root.attacker.mesa. 4 7200 3600 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.attacker.mesa. IN A
+SECTION ANSWER
+ns.attacker.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute1.mesa. IN A
+SECTION ANSWER
+check.pollute1.mesa. 86400 IN A 5.6.7.9
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute2.mesa. IN A
+SECTION ANSWER
+check.pollute2.mesa. 86400 IN A 5.6.7.9
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute3.mesa. IN A
+SECTION ANSWER
+check.pollute3.mesa. 86400 IN A 5.6.7.9
+ENTRY_END
+RANGE_END
+
+; Test query 1
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test1.atkr.pollute1.mesa. IN A
+ENTRY_END
+
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test1.atkr.pollute1.mesa. IN A
+SECTION ANSWER
+test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4
+ENTRY_END
+
+; Test query 2
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test2.atkr.pollute2.mesa. IN A
+ENTRY_END
+
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test2.atkr.pollute2.mesa. IN A
+SECTION ANSWER
+test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4
+ENTRY_END
+
+; Test query 3
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test3.atkr.pollute3.mesa. IN A
+ENTRY_END
+
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test3.atkr.pollute3.mesa. IN A
+SECTION ANSWER
+test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
+ENTRY_END
+
+; Check the cache contents, for query 1.
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+check.pollute1.mesa. IN A
+ENTRY_END
+
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+check.pollute1.mesa. IN A
+SECTION ANSWER
+; good answer
+check.pollute1.mesa. IN A 1.8.9.1
+; bad answer
+;check.pollute1.mesa. IN A 5.6.7.9
+ENTRY_END
+
+; Check the cache contents, for query 2.
+STEP 80 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+check.pollute2.mesa. IN A
+ENTRY_END
+
+STEP 90 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+check.pollute2.mesa. IN A
+SECTION ANSWER
+; good answer
+check.pollute2.mesa. IN A 1.8.9.2
+; bad answer
+;check.pollute2.mesa. IN A 5.6.7.9
+ENTRY_END
+
+; Check the cache contents, for query 3.
+STEP 100 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+check.pollute3.mesa. IN A
+ENTRY_END
+
+STEP 110 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+check.pollute3.mesa. IN A
+SECTION ANSWER
+; good answer
+check.pollute3.mesa. IN A 1.8.9.3
+; bad answer
+;check.pollute3.mesa. IN A 5.6.7.9
+ENTRY_END
+
+SCENARIO_END

testdata/iter_scrub_rr_length.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 	ede: yes
 

testdata/iter_soamin.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_stub_noroot.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_stubfirst.rpl

@@ -2,6 +2,7 @@
 server:
 	target-fetch-policy: "0 0 0 0 0"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_timeout_ra_aaaa.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 
 stub-zone:
 	name: "."

testdata/iter_unverified_glue.rpl

@@ -3,6 +3,7 @@ server:
 	target-fetch-policy: "0 0 0 0 0"
 	qname-minimisation: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	do-ip6: no
 	harden-unverified-glue: yes
 stub-zone:

testdata/rrset_rettl.rpl

@@ -2,6 +2,7 @@
 ; config options go here.
 server:
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 forward-zone: name: "." forward-addr: 216.0.0.1
 CONFIG_END
 

testdata/rrset_untrusted.rpl

@@ -2,6 +2,7 @@
 ; config options go here.
 server:
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 forward-zone: name: "." forward-addr: 216.0.0.1
 CONFIG_END
 

testdata/rrset_updated.rpl

@@ -2,6 +2,7 @@
 ; config options go here.
 server:
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 forward-zone: name: "." forward-addr: 216.0.0.1
 CONFIG_END

testdata/rrset_use_cached.rpl

@@ -1,5 +1,6 @@
 server:
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	# The value does not matter, we will not simulate delay.
 	# We do not want only serve-expired because fetches from that

testdata/serve_expired.rpl

@@ -3,6 +3,7 @@ server:
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	serve-expired-client-timeout: 0
 	access-control: 127.0.0.1/32 allow_snoop

testdata/serve_expired_0ttl_nodata.rpl

@@ -3,6 +3,7 @@ server:
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	serve-expired-client-timeout: 0
 	ede: yes

testdata/serve_expired_0ttl_nxdomain.rpl

@@ -3,6 +3,7 @@ server:
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	serve-expired-client-timeout: 0
 	ede: yes

testdata/serve_expired_0ttl_servfail.rpl

@@ -3,6 +3,7 @@ server:
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	serve-expired-client-timeout: 0
 	ede: yes

testdata/serve_expired_cached_servfail.rpl

@@ -3,6 +3,7 @@ server:
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	serve-expired-client-timeout: 0
 	serve-expired-reply-ttl: 123

testdata/serve_expired_client_timeout.rpl

@@ -3,6 +3,7 @@ server:
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	serve-expired-client-timeout: 1
 	serve-expired-reply-ttl: 123

testdata/serve_expired_client_timeout_no_prefetch.rpl

@@ -3,6 +3,7 @@ server:
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	serve-expired-client-timeout: 1
 	serve-expired-reply-ttl: 123

testdata/serve_expired_client_timeout_servfail.rpl

@@ -3,6 +3,7 @@ server:
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	serve-expired-client-timeout: 1
 	serve-expired-reply-ttl: 123

testdata/serve_expired_client_timeout_val_insecure_delegation.rpl

@@ -9,6 +9,7 @@ server:
 	fake-sha1: yes
 	trust-anchor-signaling: no
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	rrset-roundrobin: no
 
 	serve-expired: yes

testdata/serve_expired_reply_ttl.rpl

@@ -3,6 +3,7 @@ server:
 	module-config: "validator iterator"
 	qname-minimisation: "no"
 	minimal-responses: no
+	iter-scrub-promiscuous: no
 	serve-expired: yes
 	serve-expired-reply-ttl: 123
 	serve-expired-client-timeout: 0