; Replay scenario for testbound: exercises the RPZ (Response Policy Zone)
; actions that can be attached to a QNAME trigger, using two policy zones
; and three mock upstream servers. Each STEP n QUERY is followed by a
; CHECK_ANSWER step that pins the rewritten (or untouched) reply.
;
; Behaviour pinned by this file, as far as the expectations below show:
;   - NXDOMAIN, NODATA, local data, wildcard CNAME rewrite, passthru and
;     tcp-only each produce a distinct, checked reply;
;   - a match in the first-listed policy zone takes precedence over the
;     second zone (steps 10-11 and 110-111);
;   - the QNAME trigger is also applied to the target of an upstream CNAME
;     (steps 100-101), so an alias does not bypass the policy;
;   - the drop action has NO active check (steps around 90 are commented out).

; config options
server:
	; respip is listed first in the module chain; RPZ policy is applied there.
	module-config: "respip validator iterator"
	; presumably disables opportunistic nameserver-address fetches so the mock
	; servers only need the entries listed below -- confirm
	target-fetch-policy: "0 0 0 0 0"
	; presumably keeps upstream queries on the full qname so they match the
	; mock entries -- confirm
	qname-minimisation: no

; First policy zone. rpz-log is on, tagged with rpz-log-name; this scenario
; does not check the log output itself.
rpz:
	name: "rpz.example.com."
	rpz-log: yes
	rpz-log-name: "rpz.example.com"
	zonefile:
TEMPFILE_NAME rpz.example.com
TEMPFILE_CONTENTS rpz.example.com
$ORIGIN example.com.
rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
	1379078166 28800 7200 604800 7200 )
	3600 IN NS ns1.rpz.example.com.
	3600 IN NS ns2.rpz.example.com.
$ORIGIN rpz.example.com.
; QNAME triggers: the owner name relative to the zone origin is the name
; being matched; the record data selects the action.
;   CNAME .             -> NXDOMAIN        (checked in step 11)
;   CNAME *.            -> NODATA          (checked in step 31)
;   CNAME rpz-passthru. -> exempt the name (checked in steps 61 and 111)
;   any other data      -> local data      (checked in steps 21, 41, 51)
a CNAME .
a CNAME *. ; duplicate CNAME here on purpose
*.a TXT "wildcard local data"
b.a CNAME *.
c.a CNAME rpz-passthru.
; c.g is also listed in the second zone with an NXDOMAIN action; step 111
; expects the passthru from this zone to win.
c.g CNAME rpz-passthru.
TEMPFILE_END

; Second policy zone, listed after the first one.
rpz:
	name: "rpz2.example.com."
	rpz-log: yes
	rpz-log-name: "rpz2.example.com"
	zonefile:
TEMPFILE_NAME rpz2.example.com
TEMPFILE_CONTENTS rpz2.example.com
$ORIGIN example.com.
rpz2 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
	1379078166 28800 7200 604800 7200 )
	3600 IN NS ns1.rpz.example.com.
	3600 IN NS ns2.rpz.example.com.
$ORIGIN rpz2.example.com.
; "a" is already matched by the first zone; step 11 expects NXDOMAIN, so
; this local data is not expected to be served.
a TXT "local data 2nd zone"
d TXT "local data 2nd zone"
; Wildcard CNAME targets: steps 83 and 85 expect the queried name to be
; substituted for the "*" label (e. -> e.a.example.,
; something.e. -> something.e.b.example.).
e CNAME *.a.example.
*.e CNAME *.b.example.
; NOTE(review): the only steps that would query drop. are commented out
; further down, so the rpz-drop action has no coverage in this scenario.
drop CNAME rpz-drop.
tcp CNAME rpz-tcp-only.
c.g CNAME .
TEMPFILE_END

; Stub zones route each test TLD to one of the mock servers defined in the
; RANGE blocks below (matched by ADDRESS). "a." and "g." share 10.20.30.40.
stub-zone:
	name: "a."
	stub-addr: 10.20.30.40
stub-zone:
	name: "example."
	stub-addr: 10.20.30.50
stub-zone:
	name: "tcp."
	stub-addr: 10.20.30.60
stub-zone:
	name: "g."
	stub-addr: 10.20.30.40
CONFIG_END

SCENARIO_BEGIN Test all support RPZ action for QNAME trigger

; Mock upstream for a. and g. It only holds answers for names that the
; policy is expected to let through (c.a., x.b.a., c.g.); the names that
; the policy answers itself have no upstream entry here.
; a.
RANGE_BEGIN 0 1000
	ADDRESS 10.20.30.40
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a. IN NS
SECTION ANSWER
a. IN NS ns.a.
SECTION ADDITIONAL
ns.a IN A 10.20.30.40
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
c.a. IN TXT
SECTION ANSWER
c.a. IN TXT "answer from upstream ns"
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
x.b.a. IN TXT
SECTION ANSWER
x.b.a. IN TXT "answer from upstream ns"
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
c.g. IN TXT
SECTION ANSWER
c.g. IN TXT "answer from upstream ns"
ENTRY_END

RANGE_END

; Mock upstream for example. It serves the targets of the wildcard CNAME
; rewrites and an upstream CNAME (f.example. -> d.) used by step 100.
; example.
RANGE_BEGIN 0 1000
	ADDRESS 10.20.30.50
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
example. IN NS
SECTION ANSWER
example. IN NS ns.example.
SECTION ADDITIONAL
ns.example IN A 10.20.30.50
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
e.a.example. IN TXT
SECTION ANSWER
e.a.example. IN TXT "e.a.example. answer from upstream ns"
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
something.e.b.example. IN TXT
SECTION ANSWER
something.e.b.example. IN TXT "*.b.example. answer from upstream ns"
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
f.example. IN TXT
SECTION ANSWER
f.example. IN CNAME d.
ENTRY_END

RANGE_END

; Mock upstream for tcp.
; NOTE(review): the NS answer names ns.example. while the glue record is
; for ns.tcp -- looks like a copy/paste mismatch; confirm it is harmless
; given that the stub-addr is configured directly.
; tcp.
RANGE_BEGIN 0 1000
	ADDRESS 10.20.30.60
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
tcp. IN NS
SECTION ANSWER
tcp. IN NS ns.example.
SECTION ADDITIONAL
ns.tcp IN A 10.20.30.60
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
tcp. IN TXT
SECTION ANSWER
tcp. IN TXT "tcp. answer from upstream ns"
ENTRY_END
RANGE_END

; NXDOMAIN action: a. matches "a CNAME ." in the first zone. The expected
; reply is NXDOMAIN with AA set and an empty answer section; neither the
; duplicate "CNAME *." nor the second zone's local data for "a" shows up.
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
a. IN TXT
ENTRY_END

STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NXDOMAIN
SECTION QUESTION
a. IN TXT
SECTION ANSWER
ENTRY_END

; Wildcard local data: a.a. is covered by "*.a" in the first zone.
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
a.a. IN TXT
ENTRY_END

STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
a.a. IN TXT
SECTION ANSWER
a.a. IN TXT "wildcard local data"
ENTRY_END

; NODATA action: b.a. matches "b.a CNAME *." exactly, which is expected to
; take effect instead of the "*.a" wildcard -- NOERROR with an empty answer.
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
b.a. IN TXT
ENTRY_END

STEP 31 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
b.a. IN TXT
SECTION ANSWER
ENTRY_END

; Wildcard local data again, for a name with no exact entry.
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
x.a. IN TXT
ENTRY_END

STEP 41 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
x.a. IN TXT
SECTION ANSWER
x.a. IN TXT "wildcard local data"
ENTRY_END

; The "*.a" wildcard is expected to cover a name two labels below "a" too.
STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
x.a.a. IN TXT
ENTRY_END

STEP 51 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
x.a.a. IN TXT
SECTION ANSWER
x.a.a. IN TXT "wildcard local data"
ENTRY_END

; Passthru action: c.a. is exempted from the "*.a" wildcard, so the reply
; is the upstream answer and, unlike the policy-generated replies above,
; is expected without the AA flag.
STEP 60 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
c.a. IN TXT
ENTRY_END

STEP 61 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
c.a. IN TXT
SECTION ANSWER
c.a. IN TXT "answer from upstream ns"
ENTRY_END

; No policy applies to x.b.a.: the upstream answer is expected unchanged.
; Presumably "*.a" does not reach below b.a because b.a exists as a name
; in the policy zone (compare x.a.a. in step 50) -- confirm.
STEP 70 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
x.b.a. IN TXT
ENTRY_END

STEP 71 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
x.b.a. IN TXT
SECTION ANSWER
x.b.a. IN TXT "answer from upstream ns"
ENTRY_END

; Local data from the second policy zone (no match in the first zone).
STEP 80 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
d. IN TXT
ENTRY_END

STEP 81 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
d. IN TXT
SECTION ANSWER
d. IN TXT "local data 2nd zone"
ENTRY_END

; CNAME rewrite with a wildcard target: "e CNAME *.a.example." is expected
; to yield e. -> e.a.example., followed by the upstream TXT for the target.
STEP 82 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
e. IN TXT
ENTRY_END

STEP 83 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
e. IN TXT
SECTION ANSWER
e. IN CNAME e.a.example.
e.a.example. IN TXT "e.a.example. answer from upstream ns"
ENTRY_END

; Same rewrite with a wildcard on both sides: "*.e CNAME *.b.example."
; is expected to turn something.e. into something.e.b.example.
STEP 84 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
something.e. IN TXT
ENTRY_END

STEP 85 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
something.e. IN TXT
SECTION ANSWER
something.e. IN CNAME something.e.b.example.
something.e.b.example. IN TXT "*.b.example. answer from upstream ns"
ENTRY_END

; NOTE(review): disabled check for the rpz-drop action. Presumably a
; dropped query produces no reply for a CHECK_ANSWER step to match (see the
; closing comment of this file) -- confirm, and consider covering drop some
; other way, since it is the one action here without an assertion.
; deny zone
;STEP 90 QUERY
;ENTRY_BEGIN
;SECTION QUESTION
;drop. IN TXT
;ENTRY_END

; The first query carries no TCP match and is expected to get a truncated
; (TC) reply with an empty answer; the same query marked "MATCH TCP" is
; expected to get the upstream answer, without the AA flag.
; tcp-only action

STEP 95 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
tcp. IN TXT
ENTRY_END

STEP 96 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA TC NOERROR
SECTION QUESTION
tcp. IN TXT
SECTION ANSWER
ENTRY_END

STEP 97 QUERY
ENTRY_BEGIN
MATCH TCP
REPLY RD
SECTION QUESTION
tcp. IN TXT
ENTRY_END

STEP 98 CHECK_ANSWER
ENTRY_BEGIN
MATCH all TCP
REPLY QR RD RA NOERROR
SECTION QUESTION
tcp. IN TXT
SECTION ANSWER
tcp. IN TXT "tcp. answer from upstream ns"
ENTRY_END

; f.example. itself has no policy entry; the upstream returns CNAME d.,
; and the expected reply carries the second zone's local data for d.
; check if the name after the CNAME has the qname trigger applied to it.
STEP 100 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
f.example. IN TXT
ENTRY_END

STEP 101 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
f.example. IN TXT
SECTION ANSWER
f.example. IN CNAME d.
d. IN TXT "local data 2nd zone"
ENTRY_END

; c.g. is passthru in the first zone and NXDOMAIN ("CNAME .") in the second;
; the upstream answer is expected, i.e. an exemption in an earlier zone is
; not overridden by a block in a later one.
; check if passthru ends processing
STEP 110 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
c.g. IN TXT
ENTRY_END

STEP 111 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
c.g. IN TXT
SECTION ANSWER
c.g. IN TXT "answer from upstream ns"
ENTRY_END

; no answer is checked at exit of testbound.
SCENARIO_END