1; config options 2server: 3 module-config: "respip validator iterator" 4 target-fetch-policy: "0 0 0 0 0" 5 qname-minimisation: no 6 rrset-roundrobin: no 7 access-control: 192.0.0.0/8 allow 8 9rpz: 10 name: "rpz.example.com." 11 master: 10.20.30.40 12 zonefile: 13TEMPFILE_NAME rpz.example.com 14TEMPFILE_CONTENTS rpz.example.com 15rpz.example.com. 3600 IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600 16rpz.example.com. 3600 IN NS ns.rpz.example.net. 17a.rpz.example.com. IN CNAME *. 18c.rpz.example.com. IN TXT "hello from initial RPZ" 19c.rpz.example.com. IN TXT "another hello from initial RPZ" 20c.rpz.example.com. IN TXT "yet another hello from initial RPZ" 21d.rpz.example.com. IN CNAME . 2232.1.123.0.10.rpz-ip.rpz.example.com. CNAME *. 2332.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.3 2432.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.4 2532.4.123.0.10.rpz-ip.rpz.example.com. CNAME . 26; also test client-ip, and remove it later with an IXFR. 2724.0.5.0.192.rpz-client-ip A 127.0.0.5 2824.0.6.0.192.rpz-client-ip CNAME *. 2932.41.30.20.10.rpz-nsip A 127.0.0.1 30ns.gotham.com.rpz-nsdname A 127.0.0.1 31TEMPFILE_END 32 33stub-zone: 34 name: "." 35 stub-addr: 10.20.30.40 36 37CONFIG_END 38 39SCENARIO_BEGIN Test RPZ QNAME trigger, loaded using IXFR 40 41RANGE_BEGIN 0 100 42 ADDRESS 10.20.30.40 43 44ENTRY_BEGIN 45MATCH opcode qname qtype 46ADJUST copy_id 47REPLY QR NOERROR AA 48SECTION QUESTION 49. IN NS 50SECTION ANSWER 51. IN NS ns. 52SECTION ADDITIONAL 53ns. IN NS 10.20.30.40 54ENTRY_END 55 56ENTRY_BEGIN 57MATCH opcode qname qtype 58ADJUST copy_id 59REPLY QR NOERROR AA 60SECTION QUESTION 61b. IN TXT 62SECTION ANSWER 63b. TXT "hello from upstream" 64ENTRY_END 65 66ENTRY_BEGIN 67MATCH opcode qname qtype 68ADJUST copy_id 69REPLY QR NOERROR AA 70SECTION QUESTION 71d. IN TXT 72SECTION ANSWER 73d. TXT "hello from upstream" 74ENTRY_END 75 76ENTRY_BEGIN 77MATCH opcode qname qtype 78ADJUST copy_id 79REPLY QR NOERROR AA 80SECTION QUESTION 81a.rpz-ip. IN A 82SECTION ANSWER 83a.rpz-ip. IN A 10.0.123.1 84ENTRY_END 85 86ENTRY_BEGIN 87MATCH opcode qname qtype 88ADJUST copy_id 89REPLY QR NOERROR AA 90SECTION QUESTION 91c.rpz-ip. IN A 92SECTION ANSWER 93c.rpz-ip. IN A 10.0.123.3 94ENTRY_END 95 96ENTRY_BEGIN 97MATCH opcode qname qtype 98ADJUST copy_id 99REPLY QR NOERROR AA 100SECTION QUESTION 101d.rpz-ip. IN A 102SECTION ANSWER 103d.rpz-ip. IN A 10.0.123.4 104ENTRY_END 105 106ENTRY_BEGIN 107MATCH opcode qname qtype 108ADJUST copy_id 109REPLY QR NOERROR AA 110SECTION QUESTION 111a.a. IN A 112SECTION ANSWER 113a.a. IN A 10.0.123.5 114ENTRY_END 115 116ENTRY_BEGIN 117MATCH opcode subdomain 118ADJUST copy_id copy_query 119REPLY QR NOERROR 120SECTION QUESTION 121foo.com. IN NS 122SECTION ANSWER 123SECTION AUTHORITY 124foo.com. 10 IN NS ns.foo.com. 125SECTION ADDITIONAL 126ns.foo.com. 10 IN A 10.20.30.41 127ENTRY_END 128 129ENTRY_BEGIN 130MATCH opcode subdomain 131ADJUST copy_id copy_query 132REPLY QR NOERROR 133SECTION QUESTION 134gotham.com. IN NS 135SECTION ANSWER 136SECTION AUTHORITY 137gotham.com. 10 IN NS ns.gotham.com. 138SECTION ADDITIONAL 139ns.gotham.com. 10 IN A 10.20.30.42 140ENTRY_END 141 142ENTRY_BEGIN 143MATCH opcode qname qtype 144ADJUST copy_id 145REPLY QR AA NOERROR 146SECTION QUESTION 147rpz.example.com. IN SOA 148SECTION ANSWER 149rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600 150ENTRY_END 151 152ENTRY_BEGIN 153MATCH opcode qname qtype 154ADJUST copy_id 155REPLY QR AA NOERROR 156SECTION QUESTION 157rpz.example.com. IN IXFR 158SECTION ANSWER 159rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600 160rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600 161a.rpz.example.com. IN CNAME *. 162c.rpz.example.com. IN TXT "hello from initial RPZ" 163c.rpz.example.com. IN TXT "another hello from initial RPZ" 164d.rpz.example.com. IN CNAME . 16532.1.123.0.10.rpz-ip.rpz.example.com. CNAME *. 16632.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.3 16732.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.4 16832.4.123.0.10.rpz-ip.rpz.example.com. CNAME . 16924.0.5.0.192.rpz-client-ip.rpz.example.com. A 127.0.0.5 17024.0.6.0.192.rpz-client-ip.rpz.example.com. CNAME *. 17132.41.30.20.10.rpz-nsip.rpz.example.com. A 127.0.0.1 172ns.gotham.com.rpz-nsdname.rpz.example.com. A 127.0.0.1 173rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600 174b.rpz.example.com. TXT "hello from RPZ" 175c.rpz.example.com. TXT "hello from RPZ" 176a.rpz.example.com. CNAME . 17732.1.123.0.10.rpz-ip.rpz.example.com. CNAME . 17832.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.5 17932.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.6 180rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 2 3600 900 86400 3600 181ENTRY_END 182 183RANGE_END 184 185; ns.foo.com 186RANGE_BEGIN 0 100 187 ADDRESS 10.20.30.41 188ENTRY_BEGIN 189MATCH opcode qname qtype 190ADJUST copy_id 191REPLY QR NOERROR AA 192SECTION QUESTION 193ns.foo.com. IN A 194SECTION ANSWER 195ns.foo.com. 10 IN A 10.20.30.41 196ENTRY_END 197 198ENTRY_BEGIN 199MATCH opcode qname qtype 200ADJUST copy_id 201REPLY QR NOERROR AA 202SECTION QUESTION 203ns.foo.com. IN AAAA 204SECTION ANSWER 205SECTION AUTHORITY 206foo.com. 10 IN SOA ns.foo.com. root.foo.com. 1 2 3 4 10 207ENTRY_END 208 209ENTRY_BEGIN 210MATCH opcode qname qtype 211ADJUST copy_id 212REPLY QR NOERROR AA 213SECTION QUESTION 214www.foo.com. IN A 215SECTION ANSWER 216www.foo.com. 10 IN A 10.20.30.42 217ENTRY_END 218 219RANGE_END 220 221; ns.gotham.com 222RANGE_BEGIN 0 100 223 ADDRESS 10.20.30.42 224ENTRY_BEGIN 225MATCH opcode qname qtype 226ADJUST copy_id 227REPLY QR NOERROR AA 228SECTION QUESTION 229ns.gotham.com. IN A 230SECTION ANSWER 231ns.gotham.com. 10 IN A 10.20.30.42 232ENTRY_END 233 234ENTRY_BEGIN 235MATCH opcode qname qtype 236ADJUST copy_id 237REPLY QR NOERROR AA 238SECTION QUESTION 239ns.gotham.com. IN AAAA 240SECTION ANSWER 241SECTION AUTHORITY 242gotham.com. 10 IN SOA ns.gotham.com. root.gotham.com. 1 2 3 4 10 243ENTRY_END 244 245ENTRY_BEGIN 246MATCH opcode qname qtype 247ADJUST copy_id 248REPLY QR NOERROR AA 249SECTION QUESTION 250www.gotham.com. IN A 251SECTION ANSWER 252www.gotham.com. 10 IN A 10.20.30.43 253ENTRY_END 254 255RANGE_END 256 257STEP 1 QUERY 258ENTRY_BEGIN 259REPLY RD 260SECTION QUESTION 261b. IN TXT 262ENTRY_END 263 264STEP 2 CHECK_ANSWER 265ENTRY_BEGIN 266MATCH all 267REPLY QR RD RA NOERROR 268SECTION QUESTION 269b. IN TXT 270SECTION ANSWER 271b. IN TXT "hello from upstream" 272ENTRY_END 273 274STEP 3 QUERY 275ENTRY_BEGIN 276REPLY RD 277SECTION QUESTION 278a. IN TXT 279ENTRY_END 280 281STEP 4 CHECK_ANSWER 282ENTRY_BEGIN 283MATCH all 284REPLY QR RD RA AA NOERROR 285SECTION QUESTION 286a. IN TXT 287SECTION ANSWER 288ENTRY_END 289 290STEP 5 QUERY 291ENTRY_BEGIN 292REPLY RD 293SECTION QUESTION 294a.rpz-ip. IN A 295ENTRY_END 296 297STEP 6 CHECK_ANSWER 298ENTRY_BEGIN 299MATCH all 300REPLY QR RD RA NOERROR 301SECTION QUESTION 302a.rpz-ip. IN A 303SECTION ANSWER 304ENTRY_END 305 306STEP 7 QUERY 307ENTRY_BEGIN 308REPLY RD 309SECTION QUESTION 310c. IN TXT 311ENTRY_END 312 313STEP 8 CHECK_ANSWER 314ENTRY_BEGIN 315MATCH all 316REPLY QR RD RA AA NOERROR 317SECTION QUESTION 318c. IN TXT 319SECTION ANSWER 320c. IN TXT "yet another hello from initial RPZ" 321c. IN TXT "another hello from initial RPZ" 322c. IN TXT "hello from initial RPZ" 323ENTRY_END 324 325STEP 9 QUERY 326ENTRY_BEGIN 327REPLY RD 328SECTION QUESTION 329c.rpz-ip. IN A 330ENTRY_END 331 332STEP 10 CHECK_ANSWER 333ENTRY_BEGIN 334MATCH all 335REPLY QR RD RA NOERROR 336SECTION QUESTION 337c.rpz-ip. IN A 338SECTION ANSWER 339c.rpz-ip. IN A 10.66.0.4 340c.rpz-ip. IN A 10.66.0.3 341ENTRY_END 342 343STEP 11 QUERY 344ENTRY_BEGIN 345REPLY RD 346SECTION QUESTION 347d. IN TXT 348ENTRY_END 349 350STEP 12 CHECK_ANSWER 351ENTRY_BEGIN 352MATCH all 353REPLY QR RD RA AA NXDOMAIN 354SECTION QUESTION 355d. IN TXT 356ENTRY_END 357 358STEP 13 QUERY 359ENTRY_BEGIN 360REPLY RD 361SECTION QUESTION 362d.rpz-ip. IN A 363ENTRY_END 364 365STEP 15 CHECK_ANSWER 366ENTRY_BEGIN 367MATCH all 368REPLY QR RD RA NXDOMAIN 369SECTION QUESTION 370d.rpz-ip. IN A 371ENTRY_END 372 373STEP 16 QUERY ADDRESS 192.0.5.1 374ENTRY_BEGIN 375REPLY RD 376SECTION QUESTION 377a.a. IN A 378ENTRY_END 379 380STEP 17 CHECK_ANSWER 381ENTRY_BEGIN 382MATCH all 383REPLY QR RD RA AA NOERROR 384SECTION QUESTION 385a.a. IN A 386SECTION ANSWER 387a.a. IN A 127.0.0.5 388ENTRY_END 389 390STEP 18 QUERY ADDRESS 192.0.6.1 391ENTRY_BEGIN 392REPLY RD 393SECTION QUESTION 394a.a. IN A 395ENTRY_END 396 397STEP 19 CHECK_ANSWER 398ENTRY_BEGIN 399MATCH all 400REPLY QR RD RA AA NOERROR 401SECTION QUESTION 402a.a. IN A 403SECTION ANSWER 404ENTRY_END 405 406STEP 20 QUERY 407ENTRY_BEGIN 408REPLY RD 409SECTION QUESTION 410www.foo.com. IN A 411ENTRY_END 412 413STEP 21 CHECK_ANSWER 414ENTRY_BEGIN 415MATCH all 416REPLY QR RD RA AA NOERROR 417SECTION QUESTION 418www.foo.com. IN A 419SECTION ANSWER 420www.foo.com. IN A 127.0.0.1 421ENTRY_END 422 423STEP 22 QUERY 424ENTRY_BEGIN 425REPLY RD 426SECTION QUESTION 427www.gotham.com. IN A 428ENTRY_END 429 430STEP 23 CHECK_ANSWER 431ENTRY_BEGIN 432MATCH all 433REPLY QR RD RA AA NOERROR 434SECTION QUESTION 435www.gotham.com. IN A 436SECTION ANSWER 437www.gotham.com. IN A 127.0.0.1 438ENTRY_END 439 440STEP 24 TIME_PASSES ELAPSE 1 441STEP 30 TIME_PASSES ELAPSE 3600 442STEP 40 TRAFFIC 443 444STEP 50 QUERY 445ENTRY_BEGIN 446REPLY RD 447SECTION QUESTION 448b. IN TXT 449ENTRY_END 450 451STEP 51 CHECK_ANSWER 452ENTRY_BEGIN 453MATCH all 454REPLY QR RD RA AA NOERROR 455SECTION QUESTION 456b. IN TXT 457SECTION ANSWER 458b. IN TXT "hello from RPZ" 459ENTRY_END 460 461STEP 52 QUERY 462ENTRY_BEGIN 463REPLY RD 464SECTION QUESTION 465a. IN TXT 466ENTRY_END 467 468STEP 53 CHECK_ANSWER 469ENTRY_BEGIN 470MATCH all 471REPLY QR RD RA AA NXDOMAIN 472SECTION QUESTION 473a. IN TXT 474SECTION ANSWER 475ENTRY_END 476 477STEP 54 QUERY 478ENTRY_BEGIN 479REPLY RD 480SECTION QUESTION 481a.rpz-ip. IN A 482ENTRY_END 483 484STEP 55 CHECK_ANSWER 485ENTRY_BEGIN 486MATCH all 487REPLY QR RD RA NXDOMAIN 488SECTION QUESTION 489a.rpz-ip. IN A 490SECTION ANSWER 491ENTRY_END 492 493STEP 56 QUERY 494ENTRY_BEGIN 495REPLY RD 496SECTION QUESTION 497c. IN TXT 498ENTRY_END 499 500STEP 57 CHECK_ANSWER 501ENTRY_BEGIN 502MATCH all 503REPLY QR RD RA AA NOERROR 504SECTION QUESTION 505c. IN TXT 506SECTION ANSWER 507c. IN TXT "hello from RPZ" 508c. IN TXT "yet another hello from initial RPZ" 509ENTRY_END 510 511STEP 58 QUERY 512ENTRY_BEGIN 513REPLY RD 514SECTION QUESTION 515c.rpz-ip. IN A 516ENTRY_END 517 518STEP 59 CHECK_ANSWER 519ENTRY_BEGIN 520MATCH all 521REPLY QR RD RA NOERROR 522SECTION QUESTION 523c.rpz-ip. IN A 524SECTION ANSWER 525c.rpz-ip. IN A 10.66.0.6 526c.rpz-ip. IN A 10.66.0.5 527ENTRY_END 528 529STEP 60 QUERY 530ENTRY_BEGIN 531REPLY RD 532SECTION QUESTION 533d. IN TXT 534ENTRY_END 535 536STEP 61 CHECK_ANSWER 537ENTRY_BEGIN 538MATCH all 539REPLY QR RD RA NOERROR 540SECTION QUESTION 541d. IN TXT 542SECTION ANSWER 543d. IN TXT "hello from upstream" 544ENTRY_END 545 546STEP 62 QUERY 547ENTRY_BEGIN 548REPLY RD 549SECTION QUESTION 550d.rpz-ip. IN A 551ENTRY_END 552 553STEP 63 CHECK_ANSWER 554ENTRY_BEGIN 555MATCH all 556REPLY QR RD RA NOERROR 557SECTION QUESTION 558d.rpz-ip. IN A 559SECTION ANSWER 560d.rpz-ip. IN A 10.0.123.4 561ENTRY_END 562 563STEP 64 QUERY ADDRESS 192.0.5.1 564ENTRY_BEGIN 565REPLY RD 566SECTION QUESTION 567a.a. IN A 568ENTRY_END 569 570STEP 65 CHECK_ANSWER 571ENTRY_BEGIN 572MATCH all 573REPLY QR RD RA NOERROR 574SECTION QUESTION 575a.a. IN A 576SECTION ANSWER 577a.a. IN A 10.0.123.5 578ENTRY_END 579 580STEP 66 QUERY ADDRESS 192.0.6.1 581ENTRY_BEGIN 582REPLY RD 583SECTION QUESTION 584a.a. IN A 585ENTRY_END 586 587STEP 67 CHECK_ANSWER 588ENTRY_BEGIN 589MATCH all 590REPLY QR RD RA NOERROR 591SECTION QUESTION 592a.a. IN A 593SECTION ANSWER 594a.a. IN A 10.0.123.5 595ENTRY_END 596 597STEP 68 QUERY 598ENTRY_BEGIN 599REPLY RD 600SECTION QUESTION 601www.foo.com. IN A 602ENTRY_END 603 604STEP 69 CHECK_ANSWER 605ENTRY_BEGIN 606MATCH all 607REPLY QR RD RA NOERROR 608SECTION QUESTION 609www.foo.com. IN A 610SECTION ANSWER 611www.foo.com. 10 IN A 10.20.30.42 612ENTRY_END 613 614STEP 70 QUERY 615ENTRY_BEGIN 616REPLY RD 617SECTION QUESTION 618www.gotham.com. IN A 619ENTRY_END 620 621STEP 71 CHECK_ANSWER 622ENTRY_BEGIN 623MATCH all 624REPLY QR RD RA NOERROR 625SECTION QUESTION 626www.gotham.com. IN A 627SECTION ANSWER 628www.gotham.com. 10 IN A 10.20.30.43 629ENTRY_END 630 631SCENARIO_END 632