; config options
server:
	harden-referral-path: no
	target-fetch-policy: "0 0 0 0 0"
	qname-minimisation: "no"
	minimal-responses: no

stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test scrub of insecure DNAME in answer section

; root infrastructure
RANGE_BEGIN 0 10000000
	ADDRESS 193.0.14.129
ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
shortloop. IN TXT
SECTION ANSWER
shortloop. IN TXT "shortloop end"
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
K.ROOT-SERVERS.NET. IN A
SECTION ANSWER
K.ROOT-SERVERS.NET. IN A 193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
K.ROOT-SERVERS.NET. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH subdomain opcode
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com. IN A
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH subdomain opcode
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
net. IN A
SECTION AUTHORITY
net. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH subdomain opcode
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
x. IN A
SECTION AUTHORITY
x. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
long. IN NS
SECTION AUTHORITY
long. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS
SECTION AUTHORITY
60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN A
SECTION ANSWER
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END
RANGE_END
; end of root infrastructure

; a.gtld-servers.net. (com. net. x.)
RANGE_BEGIN 0 10000000
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN A
SECTION ANSWER
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
a.gtld-servers.net. IN AAAA
SECTION ANSWER
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com. IN NS
SECTION AUTHORITY
com. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
net. IN NS
SECTION AUTHORITY
net. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com. IN A
SECTION AUTHORITY
example.com. IN NS ns1.example.com.
SECTION ADDITIONAL
ns1.example.com. IN A 168.192.2.2
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.net. IN A
SECTION AUTHORITY
example.net. IN NS ns1.example.net.
SECTION ADDITIONAL
ns1.example.net. IN A 168.192.3.3
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
x. IN NS
SECTION AUTHORITY
x. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
x. IN DNAME
SECTION AUTHORITY
x. IN DNAME .
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH qname opcode
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
shortloop.x.x. IN CNAME
SECTION ANSWER
x. DNAME .
shortloop.x.x. IN CNAME shortloop.x.
shortloop.x. IN CNAME shortloop.
ENTRY_END

ENTRY_BEGIN
MATCH qname opcode
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
shortloop.x. IN CNAME
SECTION ANSWER
x. DNAME .
shortloop.x. IN CNAME shortloop.
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS
SECTION AUTHORITY
60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
long. IN NS
SECTION AUTHORITY
long. IN NS a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net. IN A 192.5.6.30
ENTRY_END

; DNAME at zone apex, allowed by RFC 6672 section 2.3
ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
long. IN DNAME
SECTION ANSWER
long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
x.long. IN A
SECTION ANSWER
long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
x.long. 3600 IN CNAME x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. 3600 IN A 192.0.2.1
ENTRY_END

ENTRY_BEGIN
MATCH qname qtype opcode
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. IN A
SECTION ANSWER
x.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. 3600 IN A 192.0.2.1
ENTRY_END

ENTRY_BEGIN
MATCH qname opcode
ADJUST copy_id copy_query
REPLY QR AA YXDOMAIN
SECTION QUESTION
too.long. IN A
SECTION ANSWER
long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
ENTRY_END
RANGE_END
; end of a.gtld-servers.net.

; result of substitution has too long name
; YXDOMAIN should be propagated to the client
; Unbound SERVFAILs: https://www.ietf.org/mail-archive/web/dnsext/current/msg11282.html
STEP 229003 QUERY
ENTRY_BEGIN
REPLY RD DO
SECTION QUESTION
too.long. IN A
ENTRY_END

STEP 229004 CHECK_ANSWER
ENTRY_BEGIN
MATCH rcode question answer
REPLY QR YXDOMAIN
SECTION QUESTION
too.long. IN A
SECTION ANSWER
long. 3600 IN DNAME 63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.63o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.60o-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
ENTRY_END

SCENARIO_END