Referral path checking, for spoof mitigation, improved.

git-svn-id: file:///svn/unbound/trunk@1305 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2008-10-15 13:32:49 +00:00
parent 3dc4715109
commit bf659c8362
9 changed files with 281 additions and 167 deletions


@ -1,5 +1,8 @@
15 October 2008: Wouter 15 October 2008: Wouter
- better documentation for 0x20; remove fallback TODO, it is done. - better documentation for 0x20; remove fallback TODO, it is done.
- harden-referral-path feature includes A, AAAA queries for glue,
as well as very careful NS caching (only when doing NS query).
A, AAAA use the delegation from the NS-query.
14 October 2008: Wouter 14 October 2008: Wouter
- fwd_three.tpkg test was flaky. If the three requests hit the - fwd_three.tpkg test was flaky. If the three requests hit the


@ -75,11 +75,11 @@ not stats on SIGUSR1. perhaps also see which slow auth servers cause >1sec value
*** from draft resolver-mitigation *** from draft resolver-mitigation
+ option harden-referral-path + option harden-referral-path
+ direct queries for NS records + direct queries for NS records
* careful caching, only NS query causes referral caching. + careful caching, only NS query causes referral caching.
* direct queries for A, AAAA in-bailiwick from a referral. + direct queries for A, AAAA in-bailiwick from a referral.
* trouble counter, cache wipe threshold. * trouble counter, cache wipe threshold.
* off-path validation? + off-path validation
* root NS, root glue validation after prime * root NS, root glue validation after prime
* ignore bogus nameservers, pretend they always return a servfail. * ignore bogus nameservers, pretend they always return a servfail.


@ -630,6 +630,57 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq,
return 1; return 1;
} }
/**
* Generate A and AAAA checks for glue that is in-zone for the referral
* we just got to obtain authoritative information on the adresses.
*
* @param qstate: the qtstate that triggered the need to prime.
* @param iq: iterator query state.
* @param id: module id.
*/
static void
generate_a_aaaa_check(struct module_qstate* qstate, struct iter_qstate* iq,
int id)
{
struct module_qstate* subq;
size_t i;
struct reply_info* rep = iq->response->rep;
struct ub_packed_rrset_key* s;
log_assert(iq->dp);
/* walk through additional, and check if in-zone,
* only relevant A, AAAA are left after scrub anyway */
for(i=rep->an_numrrsets+rep->ns_numrrsets; i<rep->rrset_count; i++) {
s = rep->rrsets[i];
/* check *ALL* addresses that are transmitted in additional*/
/* is it an address ? */
if( !(ntohs(s->rk.type)==LDNS_RR_TYPE_A ||
ntohs(s->rk.type)==LDNS_RR_TYPE_AAAA)) {
continue;
}
/* is this query the same as the A/AAAA check for it */
if(qstate->qinfo.qtype == ntohs(s->rk.type) &&
qstate->qinfo.qclass == ntohs(s->rk.rrset_class) &&
query_dname_compare(qstate->qinfo.qname,
s->rk.dname)==0 &&
(qstate->query_flags&BIT_RD) &&
!(qstate->query_flags&BIT_CD))
continue;
/* generate subrequest for it */
log_nametypeclass(VERB_ALGO, "must fetch addr", s->rk.dname,
ntohs(s->rk.type), ntohs(s->rk.rrset_class));
if(!generate_sub_request(s->rk.dname, s->rk.dname_len,
ntohs(s->rk.type), ntohs(s->rk.rrset_class),
qstate, id, iq,
INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
log_err("out of memory generating ns check");
return;
}
/* ignore subq - not need for more init */
}
}
/** /**
* Generate a NS check request to obtain authoritative information * Generate a NS check request to obtain authoritative information
* on an NS rrset. * on an NS rrset.
@ -637,18 +688,26 @@ prime_stub(struct module_qstate* qstate, struct iter_qstate* iq,
* @param qstate: the qtstate that triggered the need to prime. * @param qstate: the qtstate that triggered the need to prime.
* @param iq: iterator query state. * @param iq: iterator query state.
* @param id: module id. * @param id: module id.
* @param qclass: the class.
*/ */
static void static void
generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
int id, uint16_t qclass)
{ {
struct module_qstate* subq; struct module_qstate* subq;
log_assert(iq->dp); log_assert(iq->dp);
/* avoid the redundant INIT state processing. */ /* is this query the same as the nscheck? */
if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
(qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){
/* spawn off A, AAAA queries for in-zone glue to check */
generate_a_aaaa_check(qstate, iq, id);
return;
}
log_nametypeclass(VERB_ALGO, "must fetch ns",
iq->dp->name, LDNS_RR_TYPE_NS, iq->qchase.qclass);
if(!generate_sub_request(iq->dp->name, iq->dp->namelen, if(!generate_sub_request(iq->dp->name, iq->dp->namelen,
LDNS_RR_TYPE_NS, qclass, qstate, id, iq, LDNS_RR_TYPE_NS, iq->qchase.qclass, qstate, id, iq,
INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) { INIT_REQUEST_STATE, FINISHED_STATE, &subq, 1)) {
log_err("out of memory generating ns check"); log_err("out of memory generating ns check");
return; return;
@ -657,9 +716,9 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq,
struct iter_qstate* subiq = struct iter_qstate* subiq =
(struct iter_qstate*)subq->minfo[id]; (struct iter_qstate*)subq->minfo[id];
/* Set the initial delegation point to mine. */
/* this means it queries the referral we just got */
/* make copy to avoid use of stub dp by different qs/threads */ /* make copy to avoid use of stub dp by different qs/threads */
/* refetch glue to start higher up the tree */
subiq->refetch_glue = 1;
subiq->dp = delegpt_copy(iq->dp, subq->region); subiq->dp = delegpt_copy(iq->dp, subq->region);
if(!subiq->dp) { if(!subiq->dp) {
log_err("out of memory generating ns check, copydp"); log_err("out of memory generating ns check, copydp");
@ -669,9 +728,6 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq,
return; return;
} }
} }
/* this module stops, our submodule starts, and does the query. */
qstate->ext_state[id] = module_wait_subquery;
} }
/** /**
@ -1365,13 +1421,27 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
* delegation point, and back to the QUERYTARGETS_STATE. */ * delegation point, and back to the QUERYTARGETS_STATE. */
verbose(VERB_DETAIL, "query response was REFERRAL"); verbose(VERB_DETAIL, "query response was REFERRAL");
/* Store the referral under the current query */ /* if hardened, only store referral if we asked for it */
if(!iter_dns_store(qstate->env, &iq->response->qinfo, if(!qstate->env->cfg->harden_referral_path ||
iq->response->rep, 1)) ( qstate->qinfo.qtype == LDNS_RR_TYPE_NS
return error_response(qstate, id, LDNS_RCODE_SERVFAIL); && (qstate->query_flags&BIT_RD)
if(qstate->env->neg_cache) && !(qstate->query_flags&BIT_CD)
val_neg_addreferral(qstate->env->neg_cache, /* we know that all other NS rrsets are scrubbed
iq->response->rep, iq->dp->name); * away, thus on referral only one is left.
* see if that equals the query name... */
&& reply_find_rrset_section_ns(iq->response->rep,
qstate->qinfo.qname, qstate->qinfo.qname_len,
LDNS_RR_TYPE_NS, qstate->qinfo.qclass)
)) {
/* Store the referral under the current query */
if(!iter_dns_store(qstate->env, &iq->response->qinfo,
iq->response->rep, 1))
return error_response(qstate, id,
LDNS_RCODE_SERVFAIL);
if(qstate->env->neg_cache)
val_neg_addreferral(qstate->env->neg_cache,
iq->response->rep, iq->dp->name);
}
/* Reset the event state, setting the current delegation /* Reset the event state, setting the current delegation
* point to the referral. */ * point to the referral. */
@ -1390,12 +1460,12 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
iq->dnssec_expected = iter_indicates_dnssec(qstate->env, iq->dnssec_expected = iter_indicates_dnssec(qstate->env,
iq->dp, iq->response, iq->qchase.qclass); iq->dp, iq->response, iq->qchase.qclass);
/* spawn off a NS query to auth servers for the NS we just /* spawn off NS and addr to auth servers for the NS we just
* got in the referral. This gets authoritative answer * got in the referral. This gets authoritative answer
* (answer section trust level) rrset. * (answer section trust level) rrset.
* right after, we detach subs, we don't want the answer */ * right after, we detach the subs, answer goes to cache. */
if(qstate->env->cfg->harden_referral_path) if(qstate->env->cfg->harden_referral_path)
generate_ns_check(qstate, iq, id, iq->qchase.qclass); generate_ns_check(qstate, iq, id);
/* stop current outstanding queries. /* stop current outstanding queries.
* FIXME: should the outstanding queries be waited for and * FIXME: should the outstanding queries be waited for and
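Review bot: In generate_a_aaaa_check the loop over the additional section calls generate_sub_request once for every A or AAAA rrset left in the referral, and nothing visible in the hunk caps that count or compares the owner name with iq->dp->name; the only bound is whatever the scrubber kept from a response whose contents the remote server chose. I would count the spawned subrequests and stop at a limit, e.g. `if(++spawned > MAX_GLUE_CHECKS) break;` (MAX_GLUE_CHECKS is a placeholder name, not an existing constant), and say in the function comment that in-zone filtering is delegated to the scrubber. The failure path there logs `"out of memory generating ns check"`, the same text generate_ns_check uses; `"out of memory generating a/aaaa check"` would keep the two apart when reading logs. The NS-type, RD-set, CD-clear test is also written out separately in generate_ns_check and in processQueryResponse, and generate_ns_check compares no class while the A/AAAA variant does; one static helper would stop the cache-store condition and the spawn condition from drifting apart.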


@ -3,7 +3,7 @@
server: server:
dlv-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" dlv-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
val-override-date: "20070916134226" val-override-date: "20070916134226"
harden-referral-path: yes harden-referral-path: no
stub-zone: stub-zone:
name: "." name: "."
@ -140,23 +140,25 @@ ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752
ENTRY_END ENTRY_END
; DLV query ; DLV query
; picked out of the negative cache due to NS queries in between. ; could be picked out of the negative cache due to NS queries in between.
; ENTRY_BEGIN ENTRY_BEGIN
; MATCH opcode qtype qname MATCH opcode qtype qname
; ADJUST copy_id ADJUST copy_id
; REPLY QR NXDOMAIN REPLY QR NXDOMAIN
; SECTION QUESTION SECTION QUESTION
; example.net.example.com. IN DLV www.example.net.example.com. IN DLV
; SECTION ANSWER SECTION ANSWER
; SECTION AUTHORITY SECTION AUTHORITY
; example.com. IN NS ns.example.com. example.com. IN SOA open.nlnetlabs.nl. hostmaster.nlnetlabs.nl. 2008081300 28800 7200 604800 3600
; example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} example.com. 3600 IN RRSIG SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AKPJnPBqfJKxE4P2iVYkSRJno9HmiXJZtjdqE8oBeq9Lk9FytcMdcig= ;{id = 2854}
; example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC example.com. IN NS ns.example.com.
; example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854} example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
; SECTION ADDITIONAL example.com IN NSEC zazz.example.com. SOA NS RRSIG NSEC
; ns.example.com. IN A 1.2.3.4 example.com. 3600 IN RRSIG NSEC 3 2 3600 20070926135752 20070829135752 2854 example.com. AAi21jQpno6gXnrPrtK0NvNgX9B8E9U5RvTd47QiCWLF7KdtKxB7Xz0= ;{id = 2854}
; ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} SECTION ADDITIONAL
; ENTRY_END ns.example.com. IN A 1.2.3.4
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854}
ENTRY_END
ENTRY_BEGIN ENTRY_BEGIN
MATCH opcode qtype qname MATCH opcode qtype qname
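Review bot: Coverage of the hardened referral path shrinks with this change: `harden-referral-path` goes from yes to no in this scenario and in four other scenario files further down the page, and three of those comment out their scripted NS-check steps instead of extending them with the new A/AAAA lookups. As far as this page shows, only the one scenario that gained `copy_query` referral entries and authoritative address answers still runs with the option on. Each disabled scenario should carry a comment next to the option, e.g. `; harden-referral-path off: this scenario does not script the extra NS/A/AAAA lookups`, so the setting is not mistaken for the recommended value. It would also help to keep at least one validator scenario and one iterator scenario with the option enabled, so regressions in the caching condition are caught.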


@ -1,6 +1,6 @@
; config options ; config options
server: server:
harden-referral-path: yes harden-referral-path: no
stub-zone: stub-zone:
name: "." name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
@ -70,25 +70,25 @@ www.example.com. IN A
ENTRY_END ENTRY_END
; answer the NS queries that have been generated ; answer the NS queries that have been generated
STEP 62 CHECK_OUT_QUERY ; STEP 62 CHECK_OUT_QUERY
ENTRY_BEGIN ; ENTRY_BEGIN
MATCH qname qtype opcode ; MATCH qname qtype opcode
SECTION QUESTION ; SECTION QUESTION
com. IN NS ; com. IN NS
ENTRY_END ; ENTRY_END
;
STEP 63 REPLY ; STEP 63 REPLY
ENTRY_BEGIN ; ; ENTRY_BEGIN
MATCH opcode qtype qname ; MATCH opcode qtype qname
ADJUST copy_id ; ADJUST copy_id
REPLY QR AA NOERROR ; REPLY QR AA NOERROR
SECTION QUESTION ; SECTION QUESTION
com. IN NS ; com. IN NS
SECTION ANSWER ; SECTION ANSWER
com. IN NS a.gtld-servers.net. ; com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL ; SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30 ; a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END ; ENTRY_END
STEP 70 REPLY STEP 70 REPLY
ENTRY_BEGIN ENTRY_BEGIN
@ -114,28 +114,28 @@ SECTION QUESTION
www.example.com. IN A www.example.com. IN A
ENTRY_END ENTRY_END
STEP 82 CHECK_OUT_QUERY ; STEP 82 CHECK_OUT_QUERY
ENTRY_BEGIN ; ENTRY_BEGIN
MATCH qname qtype opcode ; MATCH qname qtype opcode
SECTION QUESTION ; SECTION QUESTION
example.com. IN NS ; example.com. IN NS
ENTRY_END ; ENTRY_END
;
STEP 83 REPLY ; STEP 83 REPLY
ENTRY_BEGIN ; ENTRY_BEGIN
MATCH opcode qtype qname ; MATCH opcode qtype qname
ADJUST copy_id ; ADJUST copy_id
REPLY QR AA NOERROR ; REPLY QR AA NOERROR
SECTION QUESTION ; SECTION QUESTION
example.com. IN NS ; example.com. IN NS
SECTION ANSWER ; SECTION ANSWER
example.com. IN NS ns1.example.com. ; example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com. ; example.com. IN NS ns2.example.com.
SECTION ADDITIONAL ; SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2 ; ns1.example.com. IN A 168.192.2.2
ns2.example.com. IN A 168.192.3.3 ; ns2.example.com. IN A 168.192.3.3
ENTRY_END ; ENTRY_END
;
STEP 90 REPLY STEP 90 REPLY
ENTRY_BEGIN ENTRY_BEGIN
MATCH opcode qtype qname MATCH opcode qtype qname


@ -24,27 +24,50 @@ K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END ENTRY_END
ENTRY_BEGIN ENTRY_BEGIN
MATCH opcode qtype qname MATCH opcode subdomain
ADJUST copy_id ADJUST copy_id copy_query
REPLY QR NOERROR REPLY QR NOERROR
SECTION QUESTION SECTION QUESTION
www.example.com. IN A com. IN NS
SECTION AUTHORITY SECTION AUTHORITY
com. IN NS a.gtld-servers.net. com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30 a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END ENTRY_END
; for simplicity the root server is authoritative for root-servers.net
; and also for gtld-servers.net
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
K.ROOT-SERVERS.NET. IN A
SECTION ANSWER
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net. IN A
SECTION ANSWER
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END RANGE_END
; a.gtld-servers.net. ; a.gtld-servers.net.
RANGE_BEGIN 0 100 RANGE_BEGIN 0 100
ADDRESS 192.5.6.30 ADDRESS 192.5.6.30
ENTRY_BEGIN ENTRY_BEGIN
MATCH opcode qtype qname MATCH opcode subdomain
ADJUST copy_id ADJUST copy_id copy_query
REPLY QR NOERROR REPLY QR NOERROR
SECTION QUESTION SECTION QUESTION
www.example.com. IN A example.com. IN NS
SECTION AUTHORITY SECTION AUTHORITY
example.com. IN NS ns.example.com. example.com. IN NS ns.example.com.
SECTION ADDITIONAL SECTION ADDITIONAL
@ -56,7 +79,7 @@ MATCH opcode qtype qname
ADJUST copy_id ADJUST copy_id
REPLY QR NOERROR REPLY QR NOERROR
SECTION QUESTION SECTION QUESTION
com. IN NS com. IN NS
SECTION ANSWER SECTION ANSWER
com. IN NS a.gtld-servers.net. com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL SECTION ADDITIONAL
@ -107,6 +130,18 @@ SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4 ns.example.com. IN A 1.2.3.4
ENTRY_END ENTRY_END
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com. IN A 1.2.3.4
SECTION AUTHORITY
example.com. IN NS ns.example.com.
ENTRY_END
;; answer to the spoofed query ; spoofed reply answer. ;; answer to the spoofed query ; spoofed reply answer.
; here we put it in the nameserver for ease. ; here we put it in the nameserver for ease.
ENTRY_BEGIN ENTRY_BEGIN


@ -1,6 +1,6 @@
; config options ; config options
server: server:
harden-referral-path: yes harden-referral-path: no
stub-zone: stub-zone:
name: "." name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
@ -63,24 +63,24 @@ SECTION QUESTION
www.example.com. IN A www.example.com. IN A
ENTRY_END ENTRY_END
STEP 62 CHECK_OUT_QUERY ; STEP 62 CHECK_OUT_QUERY
ENTRY_BEGIN ; ENTRY_BEGIN
MATCH qname qtype opcode ; MATCH qname qtype opcode
SECTION QUESTION ; SECTION QUESTION
com. IN NS ; com. IN NS
ENTRY_END ; ENTRY_END
STEP 63 REPLY ; STEP 63 REPLY
ENTRY_BEGIN ; ENTRY_BEGIN
MATCH opcode qtype qname ; MATCH opcode qtype qname
ADJUST copy_id ; ADJUST copy_id
REPLY QR NOERROR ; REPLY QR NOERROR
SECTION QUESTION ; SECTION QUESTION
com. IN NS ; com. IN NS
SECTION ANSWER ; SECTION ANSWER
com. IN NS a.gtld-servers.net. ; com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL ; SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30 ; a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END ; ENTRY_END
STEP 70 REPLY STEP 70 REPLY
ENTRY_BEGIN ENTRY_BEGIN
@ -103,24 +103,24 @@ SECTION QUESTION
www.example.com. IN A www.example.com. IN A
ENTRY_END ENTRY_END
STEP 82 CHECK_OUT_QUERY ; STEP 82 CHECK_OUT_QUERY
ENTRY_BEGIN ; ENTRY_BEGIN
MATCH qname qtype opcode ; MATCH qname qtype opcode
SECTION QUESTION ; SECTION QUESTION
example.com. IN NS ; example.com. IN NS
ENTRY_END ; ENTRY_END
STEP 83 REPLY ; STEP 83 REPLY
ENTRY_BEGIN ; ENTRY_BEGIN
MATCH opcode qtype qname ; MATCH opcode qtype qname
ADJUST copy_id ; ADJUST copy_id
REPLY QR NOERROR ; REPLY QR NOERROR
SECTION QUESTION ; SECTION QUESTION
example.com. IN NS ; example.com. IN NS
SECTION ANSWER ; SECTION ANSWER
example.com. IN NS ns1.example.com. ; example.com. IN NS ns1.example.com.
SECTION ADDITIONAL ; SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2 ; ns1.example.com. IN A 168.192.2.2
ENTRY_END ; ENTRY_END
STEP 90 REPLY STEP 90 REPLY
ENTRY_BEGIN ENTRY_BEGIN


@ -1,6 +1,6 @@
; config options ; config options
server: server:
harden-referral-path: yes harden-referral-path: no
stub-zone: stub-zone:
name: "." name: "."
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
@ -62,24 +62,26 @@ MATCH qname qtype opcode
SECTION QUESTION SECTION QUESTION
x.y.example.com. IN A x.y.example.com. IN A
ENTRY_END ENTRY_END
STEP 62 CHECK_OUT_QUERY
ENTRY_BEGIN ; STEP 62 CHECK_OUT_QUERY
MATCH qname qtype opcode ; ENTRY_BEGIN
SECTION QUESTION ; MATCH qname qtype opcode
com. IN NS ; SECTION QUESTION
ENTRY_END ; com. IN NS
STEP 63 REPLY ; ENTRY_END
ENTRY_BEGIN ; STEP 63 REPLY
MATCH opcode qtype qname ; ENTRY_BEGIN
ADJUST copy_id ; MATCH opcode qtype qname
REPLY QR NOERROR ; ADJUST copy_id
SECTION QUESTION ; REPLY QR NOERROR
com. IN NS ; SECTION QUESTION
SECTION ANSWER ; com. IN NS
com. IN NS a.gtld-servers.net. ; SECTION ANSWER
SECTION ADDITIONAL ; com. IN NS a.gtld-servers.net.
a.gtld-servers.net. IN A 192.5.6.30 ; SECTION ADDITIONAL
ENTRY_END ; a.gtld-servers.net. IN A 192.5.6.30
; ENTRY_END
STEP 70 REPLY STEP 70 REPLY
ENTRY_BEGIN ENTRY_BEGIN
MATCH opcode qtype qname MATCH opcode qtype qname
@ -99,24 +101,26 @@ MATCH qname qtype opcode
SECTION QUESTION SECTION QUESTION
x.y.example.com. IN A x.y.example.com. IN A
ENTRY_END ENTRY_END
STEP 82 CHECK_OUT_QUERY
ENTRY_BEGIN ; STEP 82 CHECK_OUT_QUERY
MATCH qname qtype opcode ; ENTRY_BEGIN
SECTION QUESTION ; MATCH qname qtype opcode
example.com. IN NS ; SECTION QUESTION
ENTRY_END ; example.com. IN NS
STEP 83 REPLY ; ENTRY_END
ENTRY_BEGIN ; STEP 83 REPLY
MATCH opcode qtype qname ; ENTRY_BEGIN
ADJUST copy_id ; MATCH opcode qtype qname
REPLY QR NOERROR ; ADJUST copy_id
SECTION QUESTION ; REPLY QR NOERROR
example.com. IN NS ; SECTION QUESTION
SECTION ANSWER ; example.com. IN NS
example.com. IN NS ns1.example.com. ; SECTION ANSWER
SECTION ADDITIONAL ; example.com. IN NS ns1.example.com.
ns1.example.com. IN A 168.192.2.2 ; SECTION ADDITIONAL
ENTRY_END ; ns1.example.com. IN A 168.192.2.2
; ENTRY_END
STEP 90 REPLY STEP 90 REPLY
ENTRY_BEGIN ENTRY_BEGIN
MATCH opcode qtype qname MATCH opcode qtype qname


@ -3,7 +3,7 @@
server: server:
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
val-override-date: "20070916134226" val-override-date: "20070916134226"
harden-referral-path: yes harden-referral-path: no
access-control: 127.0.0.1 allow_snoop access-control: 127.0.0.1 allow_snoop
stub-zone: stub-zone:
@ -112,7 +112,7 @@ SECTION QUESTION
www.example.com. IN A www.example.com. IN A
SECTION ANSWER SECTION ANSWER
www.example.com. IN A 10.20.30.40 www.example.com. IN A 10.20.30.40
ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854} www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. AD8qRJvXxOtmSuy8Ogyo0roA294qOtNT2E1m05kSU0jbxN4qLYn0OmU= ;{id = 2854}
SECTION AUTHORITY SECTION AUTHORITY
example.com. IN NS ns.example.com. example.com. IN NS ns.example.com.
example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}