head	1.1;
branch	1.1.1;
access;
symbols
	netbsd-11-0-RC4:1.1.1.1
	netbsd-11-0-RC3:1.1.1.1
	netbsd-11-0-RC2:1.1.1.1
	netbsd-11-0-RC1:1.1.1.1
	unbound-1-24-2:1.1.1.1
	unbound-1-23-1:1.1.1.1
	perseant-exfatfs-base-20250801:1.1.1.1
	netbsd-11:1.1.1.1.0.18
	netbsd-11-base:1.1.1.1
	netbsd-10-1-RELEASE:1.1.1.1
	perseant-exfatfs-base-20240630:1.1.1.1
	perseant-exfatfs:1.1.1.1.0.16
	perseant-exfatfs-base:1.1.1.1
	netbsd-9-4-RELEASE:1.1.1.1
	netbsd-10-0-RELEASE:1.1.1.1
	netbsd-10-0-RC6:1.1.1.1
	netbsd-10-0-RC5:1.1.1.1
	unbound-1-19-1:1.1.1.1
	netbsd-10-0-RC4:1.1.1.1
	netbsd-10-0-RC3:1.1.1.1
	netbsd-10-0-RC2:1.1.1.1
	netbsd-10-0-RC1:1.1.1.1
	netbsd-10:1.1.1.1.0.14
	netbsd-10-base:1.1.1.1
	unbound-1-16-3:1.1.1.1
	netbsd-9-3-RELEASE:1.1.1.1
	cjep_sun2x-base1:1.1.1.1
	cjep_sun2x:1.1.1.1.0.12
	cjep_sun2x-base:1.1.1.1
	cjep_staticlib_x-base1:1.1.1.1
	netbsd-9-2-RELEASE:1.1.1.1
	cjep_staticlib_x:1.1.1.1.0.10
	cjep_staticlib_x-base:1.1.1.1
	unbound-1-13-1:1.1.1.1
	netbsd-9-1-RELEASE:1.1.1.1
	phil-wifi-20200421:1.1.1.1
	phil-wifi-20200411:1.1.1.1
	is-mlppp:1.1.1.1.0.8
	is-mlppp-base:1.1.1.1
	phil-wifi-20200406:1.1.1.1
	netbsd-9-0-RELEASE:1.1.1.1
	netbsd-9-0-RC2:1.1.1.1
	unbound-1-9-6:1.1.1.1
	netbsd-9-0-RC1:1.1.1.1
	phil-wifi-20191119:1.1.1.1
	netbsd-9:1.1.1.1.0.6
	netbsd-9-base:1.1.1.1
	phil-wifi:1.1.1.1.0.4
	phil-wifi-20190609:1.1.1.1
	unbound-1-9-1:1.1.1.1
	pgoyette-compat-merge-20190127:1.1.1.1.2.2
	pgoyette-compat-20190127:1.1.1.1
	pgoyette-compat-20190118:1.1.1.1
	pgoyette-compat-1226:1.1.1.1
	pgoyette-compat-1126:1.1.1.1
	pgoyette-compat-1020:1.1.1.1
	pgoyette-compat-0930:1.1.1.1
	pgoyette-compat:1.1.1.1.0.2
	pgoyette-compat-0906:1.1.1.1
	unbound-1-7-3:1.1.1.1
	NLNETLABS:1.1.1;
locks; strict;
comment	@# @;


1.1
date	2018.09.03.14.09.09;	author christos;	state Exp;
branches
	1.1.1.1;
next	;
commitid	o0zwx3bWVehagFQA;

1.1.1.1
date	2018.09.03.14.09.09;	author christos;	state Exp;
branches
	1.1.1.1.2.1
	1.1.1.1.4.1;
next	;
commitid	o0zwx3bWVehagFQA;

1.1.1.1.2.1
date	2018.09.03.14.09.09;	author pgoyette;	state dead;
branches;
next	1.1.1.1.2.2;
commitid	HCi1bXD317XIK0RA;

1.1.1.1.2.2
date	2018.09.06.06.51.52;	author pgoyette;	state Exp;
branches;
next	;
commitid	HCi1bXD317XIK0RA;

1.1.1.1.4.1
date	2018.09.03.14.09.09;	author christos;	state dead;
branches;
next	1.1.1.1.4.2;
commitid	jtc8rnCzWiEEHGqB;

1.1.1.1.4.2
date	2019.06.10.21.51.43;	author christos;	state Exp;
branches;
next	;
commitid	jtc8rnCzWiEEHGqB;


desc
@@


1.1
log
@Initial revision
@
text
@; config options
server:
	target-fetch-policy: "0 0 0 0 0"

auth-zone:
	name: "example.com."
	## zonefile (or none).
	## zonefile: "example.com.zone"
	## master by IP address or hostname
	## can list multiple masters, each on one line.
	## master:
	master: 1.2.3.44
	## url for http fetch
	## url:
	## queries from downstream clients get authoritative answers.
	## for-downstream: yes
	for-downstream: yes
	## queries are used to fetch authoritative answers from this zone,
	## instead of unbound itself sending queries there.
	## for-upstream: yes
	for-upstream: yes
	## on failures with for-upstream, fallback to sending queries to
	## the authority servers
	## fallback-enabled: no

	## this line generates zonefile: \n"/tmp/xxx.example.com"\n
	zonefile:
TEMPFILE_NAME example.com
	## this is the inline file /tmp/xxx.example.com
	## the tempfiles are deleted when the testrun is over.
TEMPFILE_CONTENTS example.com
TEMPFILE_END

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test authority zone with AXFR

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
www.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN SOA
SECTION ANSWER
; serial, refresh, retry, expire, minimum
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN AXFR
SECTION ANSWER
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
example.com. IN NS ns.example.net.
EXTRA_PACKET
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN AXFR
SECTION ANSWER
www.example.com. IN A 1.2.3.4
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
ENTRY_END
RANGE_END

STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END

STEP 30 TIME_PASSES ELAPSE 10
STEP 40 TRAFFIC

STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 60 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 1.2.3.4
ENTRY_END

; the zonefile was updated with new contents
STEP 70 CHECK_TEMPFILE example.com
FILE_BEGIN
example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
example.com. 3600 IN NS ns.example.net.
www.example.com. 3600 IN A 1.2.3.4
FILE_END

SCENARIO_END
@


1.1.1.1
log
@Import unbound-1.7.3

19 June 2018: Wouter
	- Fix for unbound-control on Windows and set TCP socket parameters more closely.
	- Fix windows unbound-control no cert bad file descriptor error.
18 June 2018: Wouter
	- Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
	- Fix unbound-checkconf for control-use-cert.
15 June 2018: Wouter
	- tag for 1.7.3rc1.
14 June 2018: Wouter
	- #4103: Fix that auth-zone does not insist on SOA record first in file for url downloads.
	- Fix that first control-interface determines if TLS is used. Warn when IP address interfaces are used without TLS.
	- Fix nettle compile.
12 June 2018: Ralph
	- Don't count CNAME response types received during qname minimisation as query restart.
12 June 2018: Wouter
	- #4102 for NSD, but for Unbound. Named unix pipes do not use certificate and key files, access can be restricted with file and directory permissions.
	  The option control-use-cert is no longer used, and ignored if found in unbound.conf.
	- Rename tls-additional-ports to tls-additional-port, because every line adds one port.
	- Fix buffer size warning in unit test.
	- remade dependencies in the Makefile.
6 June 2018: Wouter
	- Patch to fix openwrt for mac os build darwin detection in configure.
5 June 2018: Wouter
	- Fix crash if ratelimit taken into use with unbound-control instead of with unbound.conf.
4 June 2018: Wouter
	- Fix deadlock caused by incoming notify for auth-zone.
	- tag for 1.7.2rc1, became 1.7.2 release on 11 June 2018, trunk is 1.7.3 in development from this point.
	- #4100: Fix stub reprime when it becomes useless.
1 June 2018: Wouter
	- Rename additional-tls-port to tls-additional-ports. The older name is accepted for backwards compatibility.
30 May 2018: Wouter
	- Patch from Syzdek: Add ability to ignore RD bit and treat all requests as if the RD bit is set.
29 May 2018: Wouter
	- in compat/arc4random call getentropy_urandom when getentropy fails with ENOSYS.
	- Fix that fallback for windows port.
28 May 2018: Wouter
	- Fix windows tcp and tls spin on events.
	- Add routine from getdns to add windows cert store to the SSL_CTX.
	- tls-win-cert option that adds the system certificate store for authenticating DNS-over-TLS connections. It can be used instead of the tls-cert-bundle option, or with it to add certificates.
25 May 2018: Wouter
	- For TCP and TLS connections that don't establish, perform address update in infra cache, so future selections can exclude them.
	- Fix that tcp sticky events are removed for closed fd on windows.
	- Fix close events for tcp only.
24 May 2018: Wouter
	- Fix that libunbound can do DNS-over-TLS, when configured.
	- Fix that windows unbound service can use DNS-over-TLS.
	- unbound-host initializes ssl (for potential DNS-over-TLS usage inside libunbound), when ssl upstream or a cert-bundle is configured.
23 May 2018: Wouter
	- Use accept4 to speed up incoming TCP (and TLS) connections, available on Linux, FreeBSD and OpenBSD.
17 May 2018: Ralph
	- Qname minimisation default changed to yes.
15 May 2018: Wouter
	- Fix low-rtt-pct to low-rtt-permil, as it is parts in one thousand.
11 May 2018: Wouter
	- Fix contrib/libunbound.pc for libssl libcrypto references, from https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226914
7 May 2018: Wouter
	- Fix windows to not have sticky TLS events for TCP.
	- Fix read of DNS over TLS length and data in one read call.
	- Fix mesh state assertion failure due to callback removal.
3 May 2018: Wouter
	- Fix that configure --with-libhiredis also turns on cachedb.
	- Fix gcc 8 buffer warning in testcode.
	- Fix function type cast warning in libunbound context callback type.
2 May 2018: Wouter
	- Fix fail to reject dead peers in forward-zone, with ssl-upstream.
1 May 2018: Wouter
	- Fix that unbound-control reload frees the rrset keys and returns the memory pages to the system.
30 April 2018: Wouter
	- Fix spelling error in man page and note defaults as no instead of off.
26 April 2018: Wouter
	- Fix for crash in daemon_cleanup with dnstap during reload, from Saksham Manchanda.
	- Also that for dnscrypt.
	- tag for 1.7.1rc1 release. Became 1.7.1 release on 3 May, trunk is from here 1.7.2 in development.
25 April 2018: Ralph
	- Fix memory leak when caching wildcard records for aggressive NSEC use
24 April 2018: Wouter
	- Fix contrib/fastrpz.patch for this release.
	- Fix auth https for libev.
24 April 2018: Ralph
	- Added root-key-sentinel support
23 April 2018: Wouter
	- makedist uses bz2 for expat code, instead of tar.gz.
	- Fix #4092: libunbound: use-caps-for-id lacks colon in config_set_option.
	- auth zone http download stores exact copy of downloaded file, including comments in the file.
	- Fix sldns parse failure for CDS alternate delete syntax empty hex.
	- Attempt for auth zone fix; add of callback in mesh gets from callback does not skip callback of result.
	- Fix cname classification with qname minimisation enabled.
	- list_auth_zones unbound-control command.
20 April 2018: Wouter
	- man page documentation for dns-over-tls forward-addr '#' notation.
	- removed free from failed parse case.
	- Fix #4091: Fix that reload of auth-zone does not merge the zonefile with the previous contents.
	- Delete auth zone when removed from config.
19 April 2018: Wouter
	- Can set tls authentication with forward-addr: IP#tls.auth.name And put the public cert bundle in tls-cert-bundle: "ca-bundle.pem". such as forward-addr: 9.9.9.9@@853#dns.quad9.net or 1.1.1.1@@853#cloudflare-dns.com
	- Fix #658: unbound using TLS in a forwarding configuration does not verify the server's certificate (RFC 8310 support).
	- For addr with #authname and no @@port notation, the default is 853.
18 April 2018: Wouter
	- Fix auth-zone retry timer to be on schedule with retry timeout, with backoff. Also time a refresh at the zone expiry.
17 April 2018: Wouter
	- auth zone notify work.
	- allow-notify: config statement for auth-zones.
	- unit test for allow-notify
16 April 2018: Wouter
	- Fix auth zone target lookup iterator.
	- auth zone notify with prefix
	- auth zone notify work.
13 April 2018: Wouter
	- Fix for max include depth for authzones.
	- Fix memory free on fail for $INCLUDE in authzone.
	- Fix that an internal error to look up the wrong rr type for auth zone gets stopped, before trying to send there.
	- auth zone notify work.
10 April 2018: Ralph
	- num.query.aggressive.NOERROR and num.query.aggressive.NXDOMAIN statistics counters.
10 April 2018: Wouter
	- documentation for low-rtt and low-rtt-pct.
	- auth zone notify work.
9 April 2018: Wouter
	- Fix that flush_zone sets prefetch ttl expired, so that with serve-expired enabled it'll start prefetching those entries.
	- num.query.authzone.up and num.query.authzone.down statistics counters.
	- Fix downstream auth zone, only fallback when auth zone fails to answer and fallback is enabled.
	- Accept both option names with and without colon for get_option and set_option.
	- low-rtt and low-rtt-pct in unbound.conf enable the server selection of fast servers for some percentage of the time.
5 April 2018: Wouter
	- Combine write of tcp length and tcp query for dns over tls.
	- nitpick fixes in example.conf.
	- Fix above stub queries for type NS and useless delegation point.
	- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3 tls_choose_sigalg routine does not allow the ciphers for the pipe, so use TLSv1.2.
	- ED448 support.
3 April 2018: Wouter
	- Fix #4043: make test fails due to v6 presentation issue in macOS.
	- Fix unable to resolve after new WLAN connection, due to auth-zone failing with a forwarder set. Now, auth-zone is only used for answers (not referrals) when a forwarder is set.
29 March 2018: Ralph
	- Check "result" in dup_all(), by Florian Obser.
23 March 2018: Ralph
	- Fix unbound-control get_option aggressive-nsec
21 March 2018: Ralph
	- Do not use cached NSEC records to generate negative answers for domains under DNSSEC Negative Trust Anchors.
19 March 2018: Wouter
	- iana port update.
16 March 2018: Wouter
	- corrected a minor typo in the changelog.
	- move htobe64/be64toh portability code to cachedb.c.
15 March 2018: Wouter
	- Add --with-libhiredis, unbound support for a new cachedb backend that uses a Redis server as the storage. This implementation depends on the hiredis client library (https://redislabs.com/lp/hiredis/). And unbound should be built with both --enable-cachedb and --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h should exist). Patch from Jinmei Tatuya (Infoblox).
	- Fix #3817: core dump happens in libunbound delete, when queued servfail hits deleted message queue.
	- Create additional tls service interfaces by opening them on other portnumbers and listing the portnumbers as additional-tls-port: nr.
13 March 2018: Wouter
	- Fix typo in documentation.
	- Fix #3736: Fix 0 TTL domains stuck on SERVFAIL unless manually flushed with serve-expired on.
12 March 2018: Wouter
	- Added documentation for aggressive-nsec: yes.
	- tag 1.7.0rc3. That became the 1.7.0 release on 15 Mar, trunk now has 1.7.1 in development.
	- Fix #3727: Protocol name is TLS, options have been renamed but documentation is not consistent.
	- Check IXFR start serial.
9 March 2018: Wouter
	- Fix #3598: Fix swig build issue on rhel6 based system. configure --disable-swig-version-check stops the swig version check.
8 March 2018: Wouter
	- tag 1.7.0rc2.
7 March 2018: Wouter
	- Fixed contrib/fastrpz.patch, even though this already applied cleanly for me, now also for others.
	- patch to log creates keytag queries, from A. Schulze.
	- patch suggested by Debian lintian: allow to -> allow one to, from A. Schulze.
	- Attempt to remove warning about trailing whitespace.
6 March 2018: Wouter
	- Reverted fix for #3512, this may not be the best way forward; although it could be changed at a later time, to stay similar to other implementations.
	- svn trunk contains 1.7.0, this is the number for the next release.
	- Fix for windows compile.
	- tag 1.7.0rc1.
5 March 2018: Wouter
	- Fix to check define of DSA for when openssl is without deprecated.
	- iana port update.
	- Fix #3582: Squelch address already in use log when reuseaddr option causes same port to be used twice for tcp connections.
27 February 2018: Wouter
	- Fixup contrib/fastrpz.patch so that it applies.
	- Fix compile without threads, and remove unused variable.
	- Fix compile with staticexe and python module.
	- Fix nettle compile.
22 February 2018: Ralph
	- Save wildcard RRset from answer with original owner for use in aggressive NSEC.
21 February 2018: Wouter
	- Fix #3512: unbound incorrectly reports SERVFAIL for CAA query when there is a CNAME loop.
	- Fix validation for CNAME loops.
	  When it detects a cname loop, by finding the cname, cname in the existing list, it returns the partial result with the validation result up to then.
	- more robust cachedump rrset routine.
19 February 2018: Wouter
	- Fix #3505: Documentation for default local zones references wrong RFC.
	- Fix #3494: local-zone noview can be used to break out of the view to the global local zone contents, for queries for that zone.
	- Fix for more maintainable code in localzone.
16 February 2018: Wouter
	- Fixes for clang static analyzer, the missing ; in edns-subnet/addrtree.c after the assert made clang analyzer produce a failure to analyze it.
13 February 2018: Ralph
	- Aggressive NSEC tests
13 February 2018: Wouter
	- tls-cert-bundle option in unbound.conf enables TLS authentication.
	- iana port update.
12 February 2018: Wouter
	- Unit test for auth zone https url download.
12 February 2018: Ralph
	- Added tests with wildcard expanded NSEC records (CVE-2017-15105 test)
	- Processed aggressive NSEC code review remarks Wouter
8 February 2018: Ralph
	- Aggressive use of NSEC implementation. Use cached NSEC records to generate NXDOMAIN, NODATA and positive wildcard answers.
8 February 2018: Wouter
	- iana port update.
	- auth zone url config.
5 February 2018: Wouter
	- Fix #3451: dnstap not building when you have a separate build dir. And removed protoc warning, set dnstap.proto syntax to proto2.
	- auth-zone provides a way to configure RFC7706 from unbound.conf, eg. with auth-zone: name: "." for-downstream: no for-upstream: yes fallback-enabled: yes and masters or a zonefile with data.
2 February 2018: Wouter
	- Fix unfreed locks in log and arc4random at exit of unbound.
	- unit test with valgrind
	- Fix lock race condition in dns cache dname synthesis.
	- lock subnet new item before insertion to please checklocks, no modification of critical regions outside of lock region.
1 February 2018: Wouter
	- fix unaligned structure making a false positive in checklock uninitialised memory.
29 January 2018: Ralph
	- Use NSEC with longest ce to prove wildcard absence.
	- Only use *.ce to prove wildcard absence, no longer names.
25 January 2018: Wouter
	- ltrace.conf file for libunbound in contrib.
23 January 2018: Wouter
	- Fix that unbound-checkconf -f flag works with auto-trust-anchor-file for startup scripts to get the full pathname(s) of anchor file(s).
	- Print fatal errors about remote control setup before log init, so that it is printed to console.
22 January 2018: Wouter
	- Accept tls-upstream in unbound.conf, the ssl-upstream keyword is also recognized and means the same. Also for tls-port, tls-service-key, tls-service-pem, stub-tls-upstream and forward-tls-upstream.
	- Fix #3397: Fix that cachedb could return a partial CNAME chain.
	- Fix #3397: Fix that when the cache contains an unsigned DNAME in the middle of a cname chain, a result without the DNAME could be returned.
@
text
@@


1.1.1.1.4.1
log
@file auth_xfr.rpl was added on branch phil-wifi on 2019-06-10 21:51:43 +0000
@
text
@d1 232
@


1.1.1.1.4.2
log
@Sync with HEAD
@
text
@a0 232
; config options
server:
	target-fetch-policy: "0 0 0 0 0"

auth-zone:
	name: "example.com."
	## zonefile (or none).
	## zonefile: "example.com.zone"
	## master by IP address or hostname
	## can list multiple masters, each on one line.
	## master:
	master: 1.2.3.44
	## url for http fetch
	## url:
	## queries from downstream clients get authoritative answers.
	## for-downstream: yes
	for-downstream: yes
	## queries are used to fetch authoritative answers from this zone,
	## instead of unbound itself sending queries there.
	## for-upstream: yes
	for-upstream: yes
	## on failures with for-upstream, fallback to sending queries to
	## the authority servers
	## fallback-enabled: no

	## this line generates zonefile: \n"/tmp/xxx.example.com"\n
	zonefile:
TEMPFILE_NAME example.com
	## this is the inline file /tmp/xxx.example.com
	## the tempfiles are deleted when the testrun is over.
TEMPFILE_CONTENTS example.com
TEMPFILE_END

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test authority zone with AXFR

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
www.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN SOA
SECTION ANSWER
; serial, refresh, retry, expire, minimum
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN AXFR
SECTION ANSWER
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
example.com. IN NS ns.example.net.
EXTRA_PACKET
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN AXFR
SECTION ANSWER
www.example.com. IN A 1.2.3.4
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
ENTRY_END
RANGE_END

STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END

STEP 30 TIME_PASSES ELAPSE 10
STEP 40 TRAFFIC

STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 60 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 1.2.3.4
ENTRY_END

; the zonefile was updated with new contents
STEP 70 CHECK_TEMPFILE example.com
FILE_BEGIN
example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
example.com. 3600 IN NS ns.example.net.
www.example.com. 3600 IN A 1.2.3.4
FILE_END

SCENARIO_END
@


1.1.1.1.2.1
log
@file auth_xfr.rpl was added on branch pgoyette-compat on 2018-09-06 06:51:52 +0000
@
text
@d1 232
@


1.1.1.1.2.2
log
@Sync with HEAD

Resolve a couple of conflicts (result of the uimin/uimax changes)
@
text
@a0 232
; config options
server:
	target-fetch-policy: "0 0 0 0 0"

auth-zone:
	name: "example.com."
	## zonefile (or none).
	## zonefile: "example.com.zone"
	## master by IP address or hostname
	## can list multiple masters, each on one line.
	## master:
	master: 1.2.3.44
	## url for http fetch
	## url:
	## queries from downstream clients get authoritative answers.
	## for-downstream: yes
	for-downstream: yes
	## queries are used to fetch authoritative answers from this zone,
	## instead of unbound itself sending queries there.
	## for-upstream: yes
	for-upstream: yes
	## on failures with for-upstream, fallback to sending queries to
	## the authority servers
	## fallback-enabled: no

	## this line generates zonefile: \n"/tmp/xxx.example.com"\n
	zonefile:
TEMPFILE_NAME example.com
	## this is the inline file /tmp/xxx.example.com
	## the tempfiles are deleted when the testrun is over.
TEMPFILE_CONTENTS example.com
TEMPFILE_END

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test authority zone with AXFR

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END
RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION ANSWER
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION AUTHORITY
example.com. IN NS ns.example.com.
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.44
ENTRY_END
RANGE_END

; ns.example.net.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.44
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.net. IN NS
SECTION ANSWER
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
ns.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN A
SECTION ANSWER
ns.example.net. IN A 1.2.3.44
SECTION AUTHORITY
example.net. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
ns.example.net. IN AAAA
SECTION AUTHORITY
example.net. IN NS ns.example.net.
SECTION ADDITIONAL
www.example.net. IN A 1.2.3.44
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com. IN NS ns.example.net.
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 10.20.30.40
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example.com. IN SOA
SECTION ANSWER
; serial, refresh, retry, expire, minimum
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN AXFR
SECTION ANSWER
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
example.com. IN NS ns.example.net.
EXTRA_PACKET
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN AXFR
SECTION ANSWER
www.example.com. IN A 1.2.3.4
example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
ENTRY_END
RANGE_END

STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 20 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA SERVFAIL
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
ENTRY_END

STEP 30 TIME_PASSES ELAPSE 10
STEP 40 TRAFFIC

STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 60 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR AA RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A 1.2.3.4
ENTRY_END

; the zonefile was updated with new contents
STEP 70 CHECK_TEMPFILE example.com
FILE_BEGIN
example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
example.com. 3600 IN NS ns.example.net.
www.example.com. 3600 IN A 1.2.3.4
FILE_END

SCENARIO_END
@