mirror of
https://github.com/freebsd/freebsd-src
synced 2024-07-22 10:48:02 +00:00
335c7cda12
Release notes at https://www.nlnetlabs.nl/news/2024/May/08/unbound-1.20.0-released/ Security: The DNSBomb vulnerability CVE-2024-33655 Merge commit 'c2a80056864d6eda0398fd127dc0ae515b39752b' into main
260 lines
4.4 KiB
Plaintext
260 lines
4.4 KiB
Plaintext
; config options
|
|
server:
|
|
target-fetch-policy: "0 0 0 0 0"
|
|
qname-minimisation: no
|
|
minimal-responses: no
|
|
serve-expired: yes
|
|
serve-expired-reply-ttl: 30
|
|
module-config: "cachedb iterator"
|
|
|
|
cachedb:
|
|
backend: "testframe"
|
|
secret-seed: "testvalue"
|
|
cachedb-check-when-serve-expired: yes
|
|
|
|
stub-zone:
|
|
name: "."
|
|
stub-addr: 193.0.14.129
|
|
CONFIG_END
|
|
|
|
SCENARIO_BEGIN Test cachedb and serve-expired-reply-ttl.
|
|
|
|
; K.ROOT-SERVERS.NET.
|
|
RANGE_BEGIN 0 400
|
|
ADDRESS 193.0.14.129
|
|
ENTRY_BEGIN
|
|
MATCH opcode qtype qname
|
|
ADJUST copy_id
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
. IN NS
|
|
SECTION ANSWER
|
|
. IN NS K.ROOT-SERVERS.NET.
|
|
SECTION ADDITIONAL
|
|
K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode subdomain
|
|
ADJUST copy_id copy_query
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
com. IN NS
|
|
SECTION AUTHORITY
|
|
com. IN NS a.gtld-servers.net.
|
|
SECTION ADDITIONAL
|
|
a.gtld-servers.net. IN A 192.5.6.30
|
|
ENTRY_END
|
|
RANGE_END
|
|
|
|
; a.gtld-servers.net.
|
|
RANGE_BEGIN 0 400
|
|
ADDRESS 192.5.6.30
|
|
ENTRY_BEGIN
|
|
MATCH opcode subdomain
|
|
ADJUST copy_id copy_query
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
example.com. IN NS
|
|
SECTION AUTHORITY
|
|
example.com. IN NS ns2.example.com.
|
|
SECTION ADDITIONAL
|
|
ns2.example.com. IN A 1.2.3.5
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode subdomain
|
|
ADJUST copy_id copy_query
|
|
REPLY QR NOERROR
|
|
SECTION QUESTION
|
|
foo.com. IN NS
|
|
SECTION AUTHORITY
|
|
foo.com. IN NS ns.example.com.
|
|
ENTRY_END
|
|
RANGE_END
|
|
|
|
; ns2.example.com.
|
|
RANGE_BEGIN 0 400
|
|
ADDRESS 1.2.3.5
|
|
ENTRY_BEGIN
|
|
MATCH opcode qname qtype
|
|
REPLY QR AA NOERROR
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
SECTION ANSWER
|
|
www.example.com. 10 IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
ENTRY_BEGIN
|
|
MATCH opcode qname qtype
|
|
REPLY QR AA NOERROR
|
|
SECTION QUESTION
|
|
www2.example.com. IN A
|
|
SECTION ANSWER
|
|
www2.example.com. 10 IN A 1.2.3.5
|
|
ENTRY_END
|
|
RANGE_END
|
|
|
|
; make time not 0
|
|
STEP 2 TIME_PASSES ELAPSE 212
|
|
|
|
; Get an entry in cache, to make it expired.
|
|
STEP 4 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
ENTRY_END
|
|
|
|
; get the answer for it
|
|
STEP 10 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
SECTION ANSWER
|
|
www.example.com. 10 IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
; Get another query in cache to make it expired.
|
|
STEP 20 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
www2.example.com. IN A
|
|
ENTRY_END
|
|
|
|
; get the answer for it
|
|
STEP 30 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
www2.example.com. IN A
|
|
SECTION ANSWER
|
|
www2.example.com. 10 IN A 1.2.3.5
|
|
ENTRY_END
|
|
|
|
; it is now expired
|
|
STEP 40 TIME_PASSES ELAPSE 20
|
|
|
|
; cache is expired, and cachedb is expired.
|
|
STEP 50 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
www2.example.com. IN A
|
|
ENTRY_END
|
|
|
|
STEP 60 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all ttl
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
www2.example.com. IN A
|
|
SECTION ANSWER
|
|
www2.example.com. 30 IN A 1.2.3.5
|
|
ENTRY_END
|
|
|
|
; got an answer from upstream
|
|
STEP 61 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
www2.example.com. IN A
|
|
ENTRY_END
|
|
|
|
STEP 62 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all ttl
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
www2.example.com. IN A
|
|
SECTION ANSWER
|
|
www2.example.com. 10 IN A 1.2.3.5
|
|
ENTRY_END
|
|
|
|
; cache is expired, cachedb has no answer
|
|
STEP 70 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
ENTRY_END
|
|
|
|
STEP 80 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all ttl
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
SECTION ANSWER
|
|
www.example.com. 30 IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
STEP 90 TRAFFIC
|
|
; the entry should be refreshed in cache now.
|
|
; cache is valid and cachedb is valid.
|
|
STEP 100 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
ENTRY_END
|
|
|
|
STEP 110 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all ttl
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
SECTION ANSWER
|
|
www.example.com. 10 IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
; make both cache and cachedb expired.
|
|
STEP 120 TIME_PASSES ELAPSE 20
|
|
STEP 130 FLUSH_MESSAGE www.example.com. IN A
|
|
|
|
; cache has no entry and cachedb is expired.
|
|
STEP 140 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
ENTRY_END
|
|
|
|
STEP 150 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all ttl
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
SECTION ANSWER
|
|
www.example.com. 30 IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
; the name is resolved
|
|
STEP 160 TRAFFIC
|
|
|
|
; the resolve name has been updated.
|
|
STEP 170 QUERY
|
|
ENTRY_BEGIN
|
|
REPLY RD
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
ENTRY_END
|
|
|
|
STEP 180 CHECK_ANSWER
|
|
ENTRY_BEGIN
|
|
MATCH all ttl
|
|
REPLY QR RD RA NOERROR
|
|
SECTION QUESTION
|
|
www.example.com. IN A
|
|
SECTION ANSWER
|
|
www.example.com. 10 IN A 1.2.3.4
|
|
ENTRY_END
|
|
|
|
SCENARIO_END
|