4 files changed, 2029 insertions, 49 deletions
diff --git a/meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch b/meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch
new file mode 100644
index 0000000000..5cb0b96c66
--- /dev/null
+++ b/meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch | |||
| @@ -0,0 +1,1874 @@ | |||
| 1 | From a33f0638e1dacf2633cf2292078a674576bca852 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> | ||
| 3 | Date: Wed, 22 Oct 2025 10:54:57 +0200 | ||
| 4 | Subject: [PATCH] - Fix CVE-2025-11411 (possible domain hijacking attack), | ||
| 5 | reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from | ||
| 6 | Tsinghua University. | ||
| 7 | |||
| 8 | This fixes CVE-2025-11411 by applying the complete patch | ||
| 9 | |||
| 10 | CVE: CVE-2025-11411 | ||
| 11 | Upstream-Status: Backport [complete backport of https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852] | ||
| 12 | |||
| 13 | Comment: Patch refreshed | ||
| 14 | |||
| 15 | Signed-off-by: Jackson James <jacksonj2@kpit.com> | ||
| 16 | --- | ||
| 17 | iterator/iter_scrub.c | 16 ++++++++++++++++ | ||
| 18 | testdata/autotrust_init.rpl | 1 + | ||
| 19 | testdata/autotrust_init_ds.rpl | 1 + | ||
| 20 | testdata/autotrust_init_sigs.rpl | 1 + | ||
| 21 | testdata/autotrust_init_zsk.rpl | 1 + | ||
| 22 | testdata/black_data.rpl | 1 + | ||
| 23 | testdata/black_prime.rpl | 1 + | ||
| 24 | testdata/disable_edns_do.rpl | 1 + | ||
| 25 | testdata/dns64_lookup.rpl | 1 + | ||
| 26 | testdata/fetch_glue.rpl | 1 + | ||
| 27 | testdata/fetch_glue_cname.rpl | 1 + | ||
| 28 | testdata/fwd_cached.rpl | 1 + | ||
| 29 | .../fwd_compress_c00c.conf | 1 + | ||
| 30 | testdata/fwd_minimal.rpl | 1 + | ||
| 31 | testdata/ipsecmod_bogus_ipseckey.crpl | 1 + | ||
| 32 | testdata/ipsecmod_enabled.crpl | 1 + | ||
| 33 | testdata/ipsecmod_ignore_bogus_ipseckey.crpl | 1 + | ||
| 34 | testdata/ipsecmod_max_ttl.crpl | 1 + | ||
| 35 | testdata/ipsecmod_strict.crpl | 1 + | ||
| 36 | testdata/ipsecmod_whitelist.crpl | 1 + | ||
| 37 | testdata/iter_class_any.rpl | 1 + | ||
| 38 | testdata/iter_cycle_noh.rpl | 1 + | ||
| 39 | testdata/iter_domain_sale.rpl | 1 + | ||
| 40 | testdata/iter_domain_sale_nschange.rpl | 1 + | ||
| 41 | testdata/iter_emptydp.rpl | 1 + | ||
| 42 | testdata/iter_emptydp_for_glue.rpl | 1 + | ||
| 43 | testdata/iter_fwdfirst.rpl | 1 + | ||
| 44 | testdata/iter_fwdfirstequal.rpl | 1 + | ||
| 45 | testdata/iter_fwdstub.rpl | 1 + | ||
| 46 | testdata/iter_fwdstubroot.rpl | 1 + | ||
| 47 | testdata/iter_ghost_sub.rpl | 1 + | ||
| 48 | testdata/iter_ghost_timewindow.rpl | 1 + | ||
| 49 | testdata/iter_got6only.rpl | 1 + | ||
| 50 | testdata/iter_hint_lame.rpl | 1 + | ||
| 51 | testdata/iter_lame_noaa.rpl | 1 + | ||
| 52 | testdata/iter_lame_nosoa.rpl | 1 + | ||
| 53 | testdata/iter_mod.rpl | 1 + | ||
| 54 | testdata/iter_ns_badip.rpl | 1 + | ||
| 55 | testdata/iter_ns_spoof.rpl | 1 + | ||
| 56 | testdata/iter_nxns_fallback.rpl | 1 + | ||
| 57 | testdata/iter_pc_a.rpl | 1 + | ||
| 58 | testdata/iter_pc_aaaa.rpl | 1 + | ||
| 59 | testdata/iter_pcdiff.rpl | 1 + | ||
| 60 | testdata/iter_pcdirect.rpl | 1 + | ||
| 61 | testdata/iter_pcname.rpl | 1 + | ||
| 62 | testdata/iter_pcnamech.rpl | 1 + | ||
| 63 | testdata/iter_pcnamechrec.rpl | 1 + | ||
| 64 | testdata/iter_pcnamerec.rpl | 1 + | ||
| 65 | testdata/iter_pcttl.rpl | 1 + | ||
| 66 | testdata/iter_prefetch.rpl | 1 + | ||
| 67 | testdata/iter_prefetch_change.rpl | 1 + | ||
| 68 | testdata/iter_prefetch_change2.rpl | 1 + | ||
| 69 | testdata/iter_prefetch_childns.rpl | 1 + | ||
| 70 | testdata/iter_prefetch_fail.rpl | 1 + | ||
| 71 | testdata/iter_prefetch_ns.rpl | 1 + | ||
| 72 | testdata/iter_primenoglue.rpl | 1 + | ||
| 73 | testdata/iter_privaddr.rpl | 1 + | ||
| 74 | testdata/iter_ranoaa_lame.rpl | 1 + | ||
| 75 | testdata/iter_reclame_one.rpl | 1 + | ||
| 76 | testdata/iter_reclame_two.rpl | 1 + | ||
| 77 | testdata/iter_recurse.rpl | 1 + | ||
| 78 | testdata/iter_resolve.rpl | 1 + | ||
| 79 | testdata/iter_resolve_minimised.rpl | 1 + | ||
| 80 | testdata/iter_resolve_minimised_nx.rpl | 1 + | ||
| 81 | testdata/iter_resolve_minimised_refused.rpl | 1 + | ||
| 82 | testdata/iter_resolve_minimised_timeout.rpl | 1 + | ||
| 83 | testdata/iter_scrub_cname_an.rpl | 1 + | ||
| 84 | testdata/iter_scrub_dname_insec.rpl | 1 + | ||
| 85 | testdata/iter_scrub_dname_rev.rpl | 1 + | ||
| 86 | testdata/iter_scrub_dname_sec.rpl | 1 + | ||
| 87 | testdata/iter_scrub_rr_length.rpl | 1 + | ||
| 88 | testdata/iter_soamin.rpl | 1 + | ||
| 89 | testdata/iter_stub_noroot.rpl | 1 + | ||
| 90 | testdata/iter_stubfirst.rpl | 1 + | ||
| 91 | testdata/iter_timeout_ra_aaaa.rpl | 1 + | ||
| 92 | testdata/rrset_rettl.rpl | 1 + | ||
| 93 | testdata/rrset_untrusted.rpl | 1 + | ||
| 94 | testdata/rrset_updated.rpl | 1 + | ||
| 95 | testdata/rrset_use_cached.rpl | 1 + | ||
| 96 | testdata/serve_expired.rpl | 1 + | ||
| 97 | testdata/serve_expired_0ttl_nodata.rpl | 1 + | ||
| 98 | testdata/serve_expired_0ttl_nxdomain.rpl | 1 + | ||
| 99 | testdata/serve_expired_0ttl_servfail.rpl | 1 + | ||
| 100 | testdata/serve_expired_cached_servfail.rpl | 1 + | ||
| 101 | testdata/serve_expired_client_timeout.rpl | 1 + | ||
| 102 | .../serve_expired_client_timeout_no_prefetch.rpl | 1 + | ||
| 103 | .../serve_expired_client_timeout_servfail.rpl | 1 + | ||
| 104 | testdata/serve_expired_reply_ttl.rpl | 1 + | ||
| 105 | testdata/serve_expired_ttl.rpl | 1 + | ||
| 106 | testdata/serve_expired_ttl_client_timeout.rpl | 1 + | ||
| 107 | testdata/serve_expired_zerottl.rpl | 1 + | ||
| 108 | testdata/serve_original_ttl.rpl | 1 + | ||
| 109 | testdata/subnet_cached.crpl | 1 + | ||
| 110 | testdata/subnet_cached_servfail.crpl | 1 + | ||
| 111 | testdata/subnet_global_prefetch.crpl | 1 + | ||
| 112 | .../subnet_global_prefetch_always_forward.crpl | 1 + | ||
| 113 | testdata/subnet_global_prefetch_expired.crpl | 1 + | ||
| 114 | .../subnet_global_prefetch_with_client_ecs.crpl | 1 + | ||
| 115 | testdata/subnet_max_source.crpl | 1 + | ||
| 116 | testdata/subnet_prefetch.crpl | 1 + | ||
| 117 | testdata/subnet_val_positive.crpl | 1 + | ||
| 118 | testdata/subnet_val_positive_client.crpl | 1 + | ||
| 119 | testdata/trust_cname_chain.rpl | 1 + | ||
| 120 | testdata/ttl_max.rpl | 1 + | ||
| 121 | testdata/ttl_min.rpl | 1 + | ||
| 122 | testdata/val_adbit.rpl | 1 + | ||
| 123 | testdata/val_adcopy.rpl | 1 + | ||
| 124 | testdata/val_cnametocnamewctoposwc.rpl | 1 + | ||
| 125 | testdata/val_ds_afterprime.rpl | 1 + | ||
| 126 | testdata/val_faildnskey_ok.rpl | 1 + | ||
| 127 | testdata/val_keyprefetch_verify.rpl | 1 + | ||
| 128 | testdata/val_noadwhennodo.rpl | 1 + | ||
| 129 | testdata/val_nsec3_b3_optout.rpl | 1 + | ||
| 130 | testdata/val_nsec3_b3_optout_negcache.rpl | 1 + | ||
| 131 | testdata/val_nsec3_b4_wild.rpl | 1 + | ||
| 132 | testdata/val_nsec3_cnametocnamewctoposwc.rpl | 1 + | ||
| 133 | testdata/val_positive.rpl | 1 + | ||
| 134 | testdata/val_positive_wc.rpl | 1 + | ||
| 135 | testdata/val_qds_badanc.rpl | 1 + | ||
| 136 | testdata/val_qds_oneanc.rpl | 1 + | ||
| 137 | testdata/val_qds_twoanc.rpl | 1 + | ||
| 138 | testdata/val_refer_unsignadd.rpl | 1 + | ||
| 139 | testdata/val_referd.rpl | 1 + | ||
| 140 | testdata/val_referglue.rpl | 1 + | ||
| 141 | testdata/val_rrsig.rpl | 1 + | ||
| 142 | testdata/val_spurious_ns.rpl | 1 + | ||
| 143 | testdata/val_stub_noroot.rpl | 1 + | ||
| 144 | testdata/val_ta_algo_dnskey.rpl | 1 + | ||
| 145 | testdata/val_ta_algo_dnskey_dp.rpl | 1 + | ||
| 146 | testdata/val_ta_algo_missing_dp.rpl | 1 + | ||
| 147 | testdata/val_twocname.rpl | 1 + | ||
| 148 | testdata/val_unalgo_anchor.rpl | 1 + | ||
| 149 | testdata/val_wild_pos.rpl | 1 + | ||
| 150 | testdata/views.rpl | 1 + | ||
| 151 | util/config_file.c | 3 +++ | ||
| 152 | util/config_file.h | 3 +++ | ||
| 153 | util/configlexer.lex | 1 + | ||
| 154 | util/configparser.y | 14 +++++++++++++- | ||
| 155 | 138 files changed, 169 insertions(+), 1 deletion(-) | ||
| 156 | |||
| 157 | diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c | ||
| 158 | index 48867e5..cc12f97 100644 | ||
| 159 | --- a/iterator/iter_scrub.c | ||
| 160 | +++ b/iterator/iter_scrub.c | ||
| 161 | @@ -571,6 +571,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, | ||
| 162 | "RRset:", pkt, msg, prev, &rrset); | ||
| 163 | continue; | ||
| 164 | } | ||
| 165 | + /* If the NS set is a promiscuous NS set, scrub that | ||
| 166 | + * to remove potential for poisonous contents that | ||
| 167 | + * affects other names in the same zone. Remove | ||
| 168 | + * promiscuous NS sets in positive answers, that | ||
| 169 | + * thus have records in the answer section. Nodata | ||
| 170 | + * and nxdomain promiscuous NS sets have been removed | ||
| 171 | + * already. Since the NS rrset is scrubbed, its | ||
| 172 | + * address records are also not marked to be allowed | ||
| 173 | + * and are removed later. */ | ||
| 174 | + if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR && | ||
| 175 | + msg->an_rrsets != 0 && | ||
| 176 | + env->cfg->iter_scrub_promiscuous) { | ||
| 177 | + remove_rrset("normalize: removing promiscuous " | ||
| 178 | + "RRset:", pkt, msg, prev, &rrset); | ||
| 179 | + continue; | ||
| 180 | + } | ||
| 181 | if(nsset == NULL) { | ||
| 182 | nsset = rrset; | ||
| 183 | } else { | ||
| 184 | diff --git a/testdata/autotrust_init.rpl b/testdata/autotrust_init.rpl | ||
| 185 | index d722273..d69e70b 100644 | ||
| 186 | --- a/testdata/autotrust_init.rpl | ||
| 187 | +++ b/testdata/autotrust_init.rpl | ||
| 188 | @@ -5,6 +5,7 @@ server: | ||
| 189 | fake-sha1: yes | ||
| 190 | trust-anchor-signaling: no | ||
| 191 | minimal-responses: no | ||
| 192 | + iter-scrub-promiscuous: no | ||
| 193 | stub-zone: | ||
| 194 | name: "." | ||
| 195 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. | ||
| 196 | diff --git a/testdata/autotrust_init_ds.rpl b/testdata/autotrust_init_ds.rpl | ||
| 197 | index ad4019e..9ffb4d4 100644 | ||
| 198 | --- a/testdata/autotrust_init_ds.rpl | ||
| 199 | +++ b/testdata/autotrust_init_ds.rpl | ||
| 200 | @@ -5,6 +5,7 @@ server: | ||
| 201 | fake-sha1: yes | ||
| 202 | trust-anchor-signaling: no | ||
| 203 | minimal-responses: no | ||
| 204 | + iter-scrub-promiscuous: no | ||
| 205 | stub-zone: | ||
| 206 | name: "." | ||
| 207 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. | ||
| 208 | diff --git a/testdata/autotrust_init_sigs.rpl b/testdata/autotrust_init_sigs.rpl | ||
| 209 | index d5d52f4..a7cb796 100644 | ||
| 210 | --- a/testdata/autotrust_init_sigs.rpl | ||
| 211 | +++ b/testdata/autotrust_init_sigs.rpl | ||
| 212 | @@ -5,6 +5,7 @@ server: | ||
| 213 | fake-sha1: yes | ||
| 214 | trust-anchor-signaling: no | ||
| 215 | minimal-responses: no | ||
| 216 | + iter-scrub-promiscuous: no | ||
| 217 | stub-zone: | ||
| 218 | name: "." | ||
| 219 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. | ||
| 220 | diff --git a/testdata/autotrust_init_zsk.rpl b/testdata/autotrust_init_zsk.rpl | ||
| 221 | index 56a5bc0..2d28d43 100644 | ||
| 222 | --- a/testdata/autotrust_init_zsk.rpl | ||
| 223 | +++ b/testdata/autotrust_init_zsk.rpl | ||
| 224 | @@ -5,6 +5,7 @@ server: | ||
| 225 | fake-sha1: yes | ||
| 226 | trust-anchor-signaling: no | ||
| 227 | minimal-responses: no | ||
| 228 | + iter-scrub-promiscuous: no | ||
| 229 | stub-zone: | ||
| 230 | name: "." | ||
| 231 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. | ||
| 232 | diff --git a/testdata/black_data.rpl b/testdata/black_data.rpl | ||
| 233 | index e6ef1b7..e928d63 100644 | ||
| 234 | --- a/testdata/black_data.rpl | ||
| 235 | +++ b/testdata/black_data.rpl | ||
| 236 | @@ -8,6 +8,7 @@ server: | ||
| 237 | fake-sha1: yes | ||
| 238 | trust-anchor-signaling: no | ||
| 239 | minimal-responses: no | ||
| 240 | + iter-scrub-promiscuous: no | ||
| 241 | rrset-roundrobin: no | ||
| 242 | |||
| 243 | stub-zone: | ||
| 244 | diff --git a/testdata/black_prime.rpl b/testdata/black_prime.rpl | ||
| 245 | index fbe92a7..0301c85 100644 | ||
| 246 | --- a/testdata/black_prime.rpl | ||
| 247 | +++ b/testdata/black_prime.rpl | ||
| 248 | @@ -8,6 +8,7 @@ server: | ||
| 249 | fake-sha1: yes | ||
| 250 | trust-anchor-signaling: no | ||
| 251 | minimal-responses: no | ||
| 252 | + iter-scrub-promiscuous: no | ||
| 253 | rrset-roundrobin: no | ||
| 254 | |||
| 255 | stub-zone: | ||
| 256 | diff --git a/testdata/disable_edns_do.rpl b/testdata/disable_edns_do.rpl | ||
| 257 | index 82a16da..45b4ffc 100644 | ||
| 258 | --- a/testdata/disable_edns_do.rpl | ||
| 259 | +++ b/testdata/disable_edns_do.rpl | ||
| 260 | @@ -5,6 +5,7 @@ server: | ||
| 261 | qname-minimisation: "no" | ||
| 262 | trust-anchor-signaling: no | ||
| 263 | minimal-responses: no | ||
| 264 | + iter-scrub-promiscuous: no | ||
| 265 | disable-edns-do: yes | ||
| 266 | |||
| 267 | stub-zone: | ||
| 268 | diff --git a/testdata/dns64_lookup.rpl b/testdata/dns64_lookup.rpl | ||
| 269 | index 327f7df..cec8012 100644 | ||
| 270 | --- a/testdata/dns64_lookup.rpl | ||
| 271 | +++ b/testdata/dns64_lookup.rpl | ||
| 272 | @@ -7,6 +7,7 @@ server: | ||
| 273 | dns64-ignore-aaaa: ip6ignore.example.com | ||
| 274 | dns64-ignore-aaaa: ip6only.example.com | ||
| 275 | minimal-responses: no | ||
| 276 | + iter-scrub-promiscuous: no | ||
| 277 | |||
| 278 | stub-zone: | ||
| 279 | name: "." | ||
| 280 | diff --git a/testdata/fetch_glue.rpl b/testdata/fetch_glue.rpl | ||
| 281 | index 8860d85..daf687a 100644 | ||
| 282 | --- a/testdata/fetch_glue.rpl | ||
| 283 | +++ b/testdata/fetch_glue.rpl | ||
| 284 | @@ -3,6 +3,7 @@ server: | ||
| 285 | target-fetch-policy: "0 0 0 0 0" | ||
| 286 | qname-minimisation: "no" | ||
| 287 | minimal-responses: no | ||
| 288 | + iter-scrub-promiscuous: no | ||
| 289 | |||
| 290 | stub-zone: | ||
| 291 | name: "." | ||
| 292 | diff --git a/testdata/fetch_glue_cname.rpl b/testdata/fetch_glue_cname.rpl | ||
| 293 | index 64f00fb..c786a41 100644 | ||
| 294 | --- a/testdata/fetch_glue_cname.rpl | ||
| 295 | +++ b/testdata/fetch_glue_cname.rpl | ||
| 296 | @@ -3,6 +3,7 @@ server: | ||
| 297 | target-fetch-policy: "0 0 0 0 0" | ||
| 298 | qname-minimisation: "no" | ||
| 299 | minimal-responses: no | ||
| 300 | + iter-scrub-promiscuous: no | ||
| 301 | |||
| 302 | stub-zone: | ||
| 303 | name: "." | ||
| 304 | diff --git a/testdata/fwd_cached.rpl b/testdata/fwd_cached.rpl | ||
| 305 | index 2d6b0c2..4a00f87 100644 | ||
| 306 | --- a/testdata/fwd_cached.rpl | ||
| 307 | +++ b/testdata/fwd_cached.rpl | ||
| 308 | @@ -2,6 +2,7 @@ | ||
| 309 | ; config options go here. | ||
| 310 | server: | ||
| 311 | minimal-responses: no | ||
| 312 | + iter-scrub-promiscuous: no | ||
| 313 | forward-zone: name: "." forward-addr: 216.0.0.1 | ||
| 314 | CONFIG_END | ||
| 315 | |||
| 316 | diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf | ||
| 317 | index 5b2c804..7bc7408 100644 | ||
| 318 | --- a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf | ||
| 319 | +++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf | ||
| 320 | @@ -10,6 +10,7 @@ server: | ||
| 321 | username: "" | ||
| 322 | do-not-query-localhost: no | ||
| 323 | minimal-responses: no | ||
| 324 | + iter-scrub-promiscuous: no | ||
| 325 | rrset-roundrobin: no | ||
| 326 | forward-zone: | ||
| 327 | name: "." | ||
| 328 | diff --git a/testdata/fwd_minimal.rpl b/testdata/fwd_minimal.rpl | ||
| 329 | index e85d712..ef1d7fc 100644 | ||
| 330 | --- a/testdata/fwd_minimal.rpl | ||
| 331 | +++ b/testdata/fwd_minimal.rpl | ||
| 332 | @@ -5,6 +5,7 @@ server: | ||
| 333 | ; is fine for that, not removed by minimal-responses. | ||
| 334 | access-control: 127.0.0.1 allow_snoop | ||
| 335 | minimal-responses: yes | ||
| 336 | + iter-scrub-promiscuous: no | ||
| 337 | forward-zone: name: "." forward-addr: 216.0.0.1 | ||
| 338 | CONFIG_END | ||
| 339 | |||
| 340 | diff --git a/testdata/ipsecmod_bogus_ipseckey.crpl b/testdata/ipsecmod_bogus_ipseckey.crpl | ||
| 341 | index 094710b..98bc454 100644 | ||
| 342 | --- a/testdata/ipsecmod_bogus_ipseckey.crpl | ||
| 343 | +++ b/testdata/ipsecmod_bogus_ipseckey.crpl | ||
| 344 | @@ -9,6 +9,7 @@ server: | ||
| 345 | qname-minimisation: "no" | ||
| 346 | # test that default value of harden-dnssec-stripped is still yes. | ||
| 347 | fake-sha1: yes | ||
| 348 | + iter-scrub-promiscuous: no | ||
| 349 | trust-anchor-signaling: no | ||
| 350 | access-control: 127.0.0.1 allow_snoop | ||
| 351 | module-config: "ipsecmod validator iterator" | ||
| 352 | diff --git a/testdata/ipsecmod_enabled.crpl b/testdata/ipsecmod_enabled.crpl | ||
| 353 | index 4498429..04e8cb1 100644 | ||
| 354 | --- a/testdata/ipsecmod_enabled.crpl | ||
| 355 | +++ b/testdata/ipsecmod_enabled.crpl | ||
| 356 | @@ -11,6 +11,7 @@ server: | ||
| 357 | ipsecmod-enabled: no | ||
| 358 | qname-minimisation: "no" | ||
| 359 | minimal-responses: no | ||
| 360 | + iter-scrub-promiscuous: no | ||
| 361 | |||
| 362 | stub-zone: | ||
| 363 | name: "." | ||
| 364 | diff --git a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl | ||
| 365 | index a605c34..4c4d80c 100644 | ||
| 366 | --- a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl | ||
| 367 | +++ b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl | ||
| 368 | @@ -18,6 +18,7 @@ server: | ||
| 369 | ipsecmod-ignore-bogus: yes | ||
| 370 | qname-minimisation: "no" | ||
| 371 | minimal-responses: no | ||
| 372 | + iter-scrub-promiscuous: no | ||
| 373 | |||
| 374 | stub-zone: | ||
| 375 | name: "." | ||
| 376 | diff --git a/testdata/ipsecmod_max_ttl.crpl b/testdata/ipsecmod_max_ttl.crpl | ||
| 377 | index 592bae0..4dfeddf 100644 | ||
| 378 | --- a/testdata/ipsecmod_max_ttl.crpl | ||
| 379 | +++ b/testdata/ipsecmod_max_ttl.crpl | ||
| 380 | @@ -10,6 +10,7 @@ server: | ||
| 381 | ipsecmod-max-ttl: 200 | ||
| 382 | qname-minimisation: "no" | ||
| 383 | minimal-responses: no | ||
| 384 | + iter-scrub-promiscuous: no | ||
| 385 | |||
| 386 | stub-zone: | ||
| 387 | name: "." | ||
| 388 | diff --git a/testdata/ipsecmod_strict.crpl b/testdata/ipsecmod_strict.crpl | ||
| 389 | index f74e308..51cc11b 100644 | ||
| 390 | --- a/testdata/ipsecmod_strict.crpl | ||
| 391 | +++ b/testdata/ipsecmod_strict.crpl | ||
| 392 | @@ -10,6 +10,7 @@ server: | ||
| 393 | ipsecmod-max-ttl: 200 | ||
| 394 | qname-minimisation: "no" | ||
| 395 | minimal-responses: no | ||
| 396 | + iter-scrub-promiscuous: no | ||
| 397 | |||
| 398 | stub-zone: | ||
| 399 | name: "." | ||
| 400 | diff --git a/testdata/ipsecmod_whitelist.crpl b/testdata/ipsecmod_whitelist.crpl | ||
| 401 | index 34108f3..350c2ad 100644 | ||
| 402 | --- a/testdata/ipsecmod_whitelist.crpl | ||
| 403 | +++ b/testdata/ipsecmod_whitelist.crpl | ||
| 404 | @@ -11,6 +11,7 @@ server: | ||
| 405 | ipsecmod-whitelist: white.example.com | ||
| 406 | qname-minimisation: "no" | ||
| 407 | minimal-responses: no | ||
| 408 | + iter-scrub-promiscuous: no | ||
| 409 | |||
| 410 | stub-zone: | ||
| 411 | name: "." | ||
| 412 | diff --git a/testdata/iter_class_any.rpl b/testdata/iter_class_any.rpl | ||
| 413 | index 6fb296e..87e0db0 100644 | ||
| 414 | --- a/testdata/iter_class_any.rpl | ||
| 415 | +++ b/testdata/iter_class_any.rpl | ||
| 416 | @@ -8,6 +8,7 @@ server: | ||
| 417 | fake-sha1: yes | ||
| 418 | trust-anchor-signaling: no | ||
| 419 | minimal-responses: no | ||
| 420 | + iter-scrub-promiscuous: no | ||
| 421 | |||
| 422 | stub-zone: | ||
| 423 | name: "." | ||
| 424 | diff --git a/testdata/iter_cycle_noh.rpl b/testdata/iter_cycle_noh.rpl | ||
| 425 | index eee26ca..e551ac6 100644 | ||
| 426 | --- a/testdata/iter_cycle_noh.rpl | ||
| 427 | +++ b/testdata/iter_cycle_noh.rpl | ||
| 428 | @@ -4,6 +4,7 @@ server: | ||
| 429 | target-fetch-policy: "0 0 0 0 0" | ||
| 430 | qname-minimisation: "no" | ||
| 431 | minimal-responses: no | ||
| 432 | + iter-scrub-promiscuous: no | ||
| 433 | |||
| 434 | stub-zone: | ||
| 435 | name: "." | ||
| 436 | diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl | ||
| 437 | index 6110148..7c3cc1f 100644 | ||
| 438 | --- a/testdata/iter_domain_sale.rpl | ||
| 439 | +++ b/testdata/iter_domain_sale.rpl | ||
| 440 | @@ -2,6 +2,7 @@ | ||
| 441 | server: | ||
| 442 | target-fetch-policy: "0 0 0 0 0" | ||
| 443 | minimal-responses: no | ||
| 444 | + iter-scrub-promiscuous: no | ||
| 445 | |||
| 446 | stub-zone: | ||
| 447 | name: "." | ||
| 448 | diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl | ||
| 449 | index 5664855..886ed51 100644 | ||
| 450 | --- a/testdata/iter_domain_sale_nschange.rpl | ||
| 451 | +++ b/testdata/iter_domain_sale_nschange.rpl | ||
| 452 | @@ -2,6 +2,7 @@ | ||
| 453 | server: | ||
| 454 | target-fetch-policy: "0 0 0 0 0" | ||
| 455 | minimal-responses: no | ||
| 456 | + iter-scrub-promiscuous: no | ||
| 457 | |||
| 458 | stub-zone: | ||
| 459 | name: "." | ||
| 460 | diff --git a/testdata/iter_emptydp.rpl b/testdata/iter_emptydp.rpl | ||
| 461 | index ecb49b6..3879a9b 100644 | ||
| 462 | --- a/testdata/iter_emptydp.rpl | ||
| 463 | +++ b/testdata/iter_emptydp.rpl | ||
| 464 | @@ -8,6 +8,7 @@ server: | ||
| 465 | fake-sha1: yes | ||
| 466 | trust-anchor-signaling: no | ||
| 467 | minimal-responses: no | ||
| 468 | + iter-scrub-promiscuous: no | ||
| 469 | |||
| 470 | stub-zone: | ||
| 471 | name: "." | ||
| 472 | diff --git a/testdata/iter_emptydp_for_glue.rpl b/testdata/iter_emptydp_for_glue.rpl | ||
| 473 | index 94dec2b..fc7933f 100644 | ||
| 474 | --- a/testdata/iter_emptydp_for_glue.rpl | ||
| 475 | +++ b/testdata/iter_emptydp_for_glue.rpl | ||
| 476 | @@ -8,6 +8,7 @@ server: | ||
| 477 | fake-sha1: yes | ||
| 478 | trust-anchor-signaling: no | ||
| 479 | minimal-responses: no | ||
| 480 | + iter-scrub-promiscuous: no | ||
| 481 | |||
| 482 | stub-zone: | ||
| 483 | name: "." | ||
| 484 | diff --git a/testdata/iter_fwdfirst.rpl b/testdata/iter_fwdfirst.rpl | ||
| 485 | index 0f8a85f..509a1cd 100644 | ||
| 486 | --- a/testdata/iter_fwdfirst.rpl | ||
| 487 | +++ b/testdata/iter_fwdfirst.rpl | ||
| 488 | @@ -2,6 +2,7 @@ | ||
| 489 | server: | ||
| 490 | target-fetch-policy: "0 0 0 0 0" | ||
| 491 | minimal-responses: no | ||
| 492 | + iter-scrub-promiscuous: no | ||
| 493 | |||
| 494 | stub-zone: | ||
| 495 | name: "." | ||
| 496 | diff --git a/testdata/iter_fwdfirstequal.rpl b/testdata/iter_fwdfirstequal.rpl | ||
| 497 | index dc64814..abd25d1 100644 | ||
| 498 | --- a/testdata/iter_fwdfirstequal.rpl | ||
| 499 | +++ b/testdata/iter_fwdfirstequal.rpl | ||
| 500 | @@ -2,6 +2,7 @@ | ||
| 501 | server: | ||
| 502 | target-fetch-policy: "0 0 0 0 0" | ||
| 503 | minimal-responses: no | ||
| 504 | + iter-scrub-promiscuous: no | ||
| 505 | |||
| 506 | stub-zone: | ||
| 507 | name: "." | ||
| 508 | diff --git a/testdata/iter_fwdstub.rpl b/testdata/iter_fwdstub.rpl | ||
| 509 | index ad5b57c..4c741a5 100644 | ||
| 510 | --- a/testdata/iter_fwdstub.rpl | ||
| 511 | +++ b/testdata/iter_fwdstub.rpl | ||
| 512 | @@ -2,6 +2,7 @@ | ||
| 513 | server: | ||
| 514 | target-fetch-policy: "0 0 0 0 0" | ||
| 515 | minimal-responses: no | ||
| 516 | + iter-scrub-promiscuous: no | ||
| 517 | |||
| 518 | stub-zone: | ||
| 519 | name: "." | ||
| 520 | diff --git a/testdata/iter_fwdstubroot.rpl b/testdata/iter_fwdstubroot.rpl | ||
| 521 | index fa93043..dd93ecd 100644 | ||
| 522 | --- a/testdata/iter_fwdstubroot.rpl | ||
| 523 | +++ b/testdata/iter_fwdstubroot.rpl | ||
| 524 | @@ -2,6 +2,7 @@ | ||
| 525 | server: | ||
| 526 | target-fetch-policy: "0 0 0 0 0" | ||
| 527 | minimal-responses: no | ||
| 528 | + iter-scrub-promiscuous: no | ||
| 529 | |||
| 530 | stub-zone: | ||
| 531 | name: "." | ||
| 532 | diff --git a/testdata/iter_ghost_sub.rpl b/testdata/iter_ghost_sub.rpl | ||
| 533 | index ccb7367..36767bb 100644 | ||
| 534 | --- a/testdata/iter_ghost_sub.rpl | ||
| 535 | +++ b/testdata/iter_ghost_sub.rpl | ||
| 536 | @@ -3,6 +3,7 @@ server: | ||
| 537 | target-fetch-policy: "0 0 0 0 0" | ||
| 538 | qname-minimisation: "no" | ||
| 539 | minimal-responses: no | ||
| 540 | + iter-scrub-promiscuous: no | ||
| 541 | |||
| 542 | stub-zone: | ||
| 543 | name: "." | ||
| 544 | diff --git a/testdata/iter_ghost_timewindow.rpl b/testdata/iter_ghost_timewindow.rpl | ||
| 545 | index 9e30462..24390a0 100644 | ||
| 546 | --- a/testdata/iter_ghost_timewindow.rpl | ||
| 547 | +++ b/testdata/iter_ghost_timewindow.rpl | ||
| 548 | @@ -3,6 +3,7 @@ server: | ||
| 549 | target-fetch-policy: "0 0 0 0 0" | ||
| 550 | qname-minimisation: "no" | ||
| 551 | minimal-responses: no | ||
| 552 | + iter-scrub-promiscuous: no | ||
| 553 | discard-timeout: 86400 | ||
| 554 | |||
| 555 | stub-zone: | ||
| 556 | diff --git a/testdata/iter_got6only.rpl b/testdata/iter_got6only.rpl | ||
| 557 | index 1552284..b0d20b3 100644 | ||
| 558 | --- a/testdata/iter_got6only.rpl | ||
| 559 | +++ b/testdata/iter_got6only.rpl | ||
| 560 | @@ -4,6 +4,7 @@ server: | ||
| 561 | target-fetch-policy: "0 0 0 0 0 " | ||
| 562 | qname-minimisation: "no" | ||
| 563 | minimal-responses: no | ||
| 564 | + iter-scrub-promiscuous: no | ||
| 565 | stub-zone: | ||
| 566 | name: "." | ||
| 567 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. | ||
| 568 | diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl | ||
| 569 | index 2fb6dde..26aa5dc 100644 | ||
| 570 | --- a/testdata/iter_hint_lame.rpl | ||
| 571 | +++ b/testdata/iter_hint_lame.rpl | ||
| 572 | @@ -3,6 +3,7 @@ server: | ||
| 573 | target-fetch-policy: "0 0 0 0 0" | ||
| 574 | qname-minimisation: "no" | ||
| 575 | minimal-responses: no | ||
| 576 | + iter-scrub-promiscuous: no | ||
| 577 | |||
| 578 | stub-zone: | ||
| 579 | name: "." | ||
| 580 | diff --git a/testdata/iter_lame_noaa.rpl b/testdata/iter_lame_noaa.rpl | ||
| 581 | index defaa5c..050866c 100644 | ||
| 582 | --- a/testdata/iter_lame_noaa.rpl | ||
| 583 | +++ b/testdata/iter_lame_noaa.rpl | ||
| 584 | @@ -4,6 +4,7 @@ server: | ||
| 585 | target-fetch-policy: "0 0 0 0 0" | ||
| 586 | qname-minimisation: "no" | ||
| 587 | minimal-responses: no | ||
| 588 | + iter-scrub-promiscuous: no | ||
| 589 | rrset-roundrobin: no | ||
| 590 | |||
| 591 | stub-zone: | ||
| 592 | diff --git a/testdata/iter_lame_nosoa.rpl b/testdata/iter_lame_nosoa.rpl | ||
| 593 | index 3bf6ccc..d55ff78 100644 | ||
| 594 | --- a/testdata/iter_lame_nosoa.rpl | ||
| 595 | +++ b/testdata/iter_lame_nosoa.rpl | ||
| 596 | @@ -2,6 +2,7 @@ | ||
| 597 | server: | ||
| 598 | target-fetch-policy: "0 0 0 0 0" | ||
| 599 | minimal-responses: no | ||
| 600 | + iter-scrub-promiscuous: no | ||
| 601 | rrset-roundrobin: no | ||
| 602 | |||
| 603 | stub-zone: | ||
| 604 | diff --git a/testdata/iter_mod.rpl b/testdata/iter_mod.rpl | ||
| 605 | index 35b3a5a..3d3d678 100644 | ||
| 606 | --- a/testdata/iter_mod.rpl | ||
| 607 | +++ b/testdata/iter_mod.rpl | ||
| 608 | @@ -4,6 +4,7 @@ server: | ||
| 609 | qname-minimisation: "no" | ||
| 610 | module-config: "iterator" | ||
| 611 | minimal-responses: no | ||
| 612 | + iter-scrub-promiscuous: no | ||
| 613 | |||
| 614 | stub-zone: | ||
| 615 | name: "." | ||
| 616 | diff --git a/testdata/iter_ns_badip.rpl b/testdata/iter_ns_badip.rpl | ||
| 617 | index e0bf966..481f47a 100644 | ||
| 618 | --- a/testdata/iter_ns_badip.rpl | ||
| 619 | +++ b/testdata/iter_ns_badip.rpl | ||
| 620 | @@ -3,6 +3,7 @@ server: | ||
| 621 | target-fetch-policy: "3 2 1 0 0" | ||
| 622 | qname-minimisation: "no" | ||
| 623 | minimal-responses: no | ||
| 624 | + iter-scrub-promiscuous: no | ||
| 625 | rrset-roundrobin: no | ||
| 626 | |||
| 627 | stub-zone: | ||
| 628 | diff --git a/testdata/iter_ns_spoof.rpl b/testdata/iter_ns_spoof.rpl | ||
| 629 | index f674576..999ff05 100644 | ||
| 630 | --- a/testdata/iter_ns_spoof.rpl | ||
| 631 | +++ b/testdata/iter_ns_spoof.rpl | ||
| 632 | @@ -4,6 +4,7 @@ server: | ||
| 633 | target-fetch-policy: "0 0 0 0 0" | ||
| 634 | qname-minimisation: "no" | ||
| 635 | minimal-responses: no | ||
| 636 | + iter-scrub-promiscuous: no | ||
| 637 | stub-zone: | ||
| 638 | name: "." | ||
| 639 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. | ||
| 640 | diff --git a/testdata/iter_nxns_fallback.rpl b/testdata/iter_nxns_fallback.rpl | ||
| 641 | index 2a6a3fd..8c0beb8 100644 | ||
| 642 | --- a/testdata/iter_nxns_fallback.rpl | ||
| 643 | +++ b/testdata/iter_nxns_fallback.rpl | ||
| 644 | @@ -8,6 +8,7 @@ server: | ||
| 645 | access-control: 127.0.0.1 allow_snoop | ||
| 646 | qname-minimisation: no | ||
| 647 | minimal-responses: no | ||
| 648 | + iter-scrub-promiscuous: no | ||
| 649 | rrset-roundrobin: no | ||
| 650 | |||
| 651 | stub-zone: | ||
| 652 | diff --git a/testdata/iter_pc_a.rpl b/testdata/iter_pc_a.rpl | ||
| 653 | index d9add00..be73a79 100644 | ||
| 654 | --- a/testdata/iter_pc_a.rpl | ||
| 655 | +++ b/testdata/iter_pc_a.rpl | ||
| 656 | @@ -2,6 +2,7 @@ | ||
| 657 | server: | ||
| 658 | target-fetch-policy: "0 0 0 0 0" | ||
| 659 | minimal-responses: no | ||
| 660 | + iter-scrub-promiscuous: no | ||
| 661 | |||
| 662 | stub-zone: | ||
| 663 | name: "." | ||
| 664 | diff --git a/testdata/iter_pc_aaaa.rpl b/testdata/iter_pc_aaaa.rpl | ||
| 665 | index a283543..a7ce186 100644 | ||
| 666 | --- a/testdata/iter_pc_aaaa.rpl | ||
| 667 | +++ b/testdata/iter_pc_aaaa.rpl | ||
| 668 | @@ -2,6 +2,7 @@ | ||
| 669 | server: | ||
| 670 | target-fetch-policy: "0 0 0 0 0" | ||
| 671 | minimal-responses: no | ||
| 672 | + iter-scrub-promiscuous: no | ||
| 673 | |||
| 674 | stub-zone: | ||
| 675 | name: "." | ||
| 676 | diff --git a/testdata/iter_pcdiff.rpl b/testdata/iter_pcdiff.rpl | ||
| 677 | index 57fb109..a462d33 100644 | ||
| 678 | --- a/testdata/iter_pcdiff.rpl | ||
| 679 | +++ b/testdata/iter_pcdiff.rpl | ||
| 680 | @@ -2,6 +2,7 @@ | ||
| 681 | server: | ||
| 682 | target-fetch-policy: "0 0 0 0 0" | ||
| 683 | minimal-responses: no | ||
| 684 | + iter-scrub-promiscuous: no | ||
| 685 | |||
| 686 | stub-zone: | ||
| 687 | name: "." | ||
| 688 | diff --git a/testdata/iter_pcdirect.rpl b/testdata/iter_pcdirect.rpl | ||
| 689 | index 0bd5dfe..656ec7a 100644 | ||
| 690 | --- a/testdata/iter_pcdirect.rpl | ||
| 691 | +++ b/testdata/iter_pcdirect.rpl | ||
| 692 | @@ -3,6 +3,7 @@ server: | ||
| 693 | target-fetch-policy: "0 0 0 0 0" | ||
| 694 | qname-minimisation: "no" | ||
| 695 | minimal-responses: no | ||
| 696 | + iter-scrub-promiscuous: no | ||
| 697 | |||
| 698 | stub-zone: | ||
| 699 | name: "." | ||
| 700 | diff --git a/testdata/iter_pcname.rpl b/testdata/iter_pcname.rpl | ||
| 701 | index e17c910..af53c90 100644 | ||
| 702 | --- a/testdata/iter_pcname.rpl | ||
| 703 | +++ b/testdata/iter_pcname.rpl | ||
| 704 | @@ -2,6 +2,7 @@ | ||
| 705 | server: | ||
| 706 | target-fetch-policy: "0 0 0 0 0" | ||
| 707 | minimal-responses: no | ||
| 708 | + iter-scrub-promiscuous: no | ||
| 709 | |||
| 710 | stub-zone: | ||
| 711 | name: "." | ||
| 712 | diff --git a/testdata/iter_pcnamech.rpl b/testdata/iter_pcnamech.rpl | ||
| 713 | index 32b3130..805cb18 100644 | ||
| 714 | --- a/testdata/iter_pcnamech.rpl | ||
| 715 | +++ b/testdata/iter_pcnamech.rpl | ||
| 716 | @@ -2,6 +2,7 @@ | ||
| 717 | server: | ||
| 718 | target-fetch-policy: "0 0 0 0 0" | ||
| 719 | minimal-responses: no | ||
| 720 | + iter-scrub-promiscuous: no | ||
| 721 | rrset-roundrobin: no | ||
| 722 | |||
| 723 | stub-zone: | ||
| 724 | diff --git a/testdata/iter_pcnamechrec.rpl b/testdata/iter_pcnamechrec.rpl | ||
| 725 | index 8bf7ad8..bbb9c86 100644 | ||
| 726 | --- a/testdata/iter_pcnamechrec.rpl | ||
| 727 | +++ b/testdata/iter_pcnamechrec.rpl | ||
| 728 | @@ -2,6 +2,7 @@ | ||
| 729 | server: | ||
| 730 | target-fetch-policy: "0 0 0 0 0" | ||
| 731 | minimal-responses: no | ||
| 732 | + iter-scrub-promiscuous: no | ||
| 733 | rrset-roundrobin: no | ||
| 734 | |||
| 735 | stub-zone: | ||
| 736 | diff --git a/testdata/iter_pcnamerec.rpl b/testdata/iter_pcnamerec.rpl | ||
| 737 | index faee6d0..2ea0dad 100644 | ||
| 738 | --- a/testdata/iter_pcnamerec.rpl | ||
| 739 | +++ b/testdata/iter_pcnamerec.rpl | ||
| 740 | @@ -2,6 +2,7 @@ | ||
| 741 | server: | ||
| 742 | target-fetch-policy: "0 0 0 0 0" | ||
| 743 | minimal-responses: no | ||
| 744 | + iter-scrub-promiscuous: no | ||
| 745 | |||
| 746 | stub-zone: | ||
| 747 | name: "." | ||
| 748 | diff --git a/testdata/iter_pcttl.rpl b/testdata/iter_pcttl.rpl | ||
| 749 | index 413f8cb..a702017 100644 | ||
| 750 | --- a/testdata/iter_pcttl.rpl | ||
| 751 | +++ b/testdata/iter_pcttl.rpl | ||
| 752 | @@ -3,6 +3,7 @@ server: | ||
| 753 | target-fetch-policy: "0 0 0 0 0" | ||
| 754 | do-ip6: no | ||
| 755 | minimal-responses: no | ||
| 756 | + iter-scrub-promiscuous: no | ||
| 757 | |||
| 758 | stub-zone: | ||
| 759 | name: "." | ||
| 760 | diff --git a/testdata/iter_prefetch.rpl b/testdata/iter_prefetch.rpl | ||
| 761 | index bad92dc..fdf5955 100644 | ||
| 762 | --- a/testdata/iter_prefetch.rpl | ||
| 763 | +++ b/testdata/iter_prefetch.rpl | ||
| 764 | @@ -4,6 +4,7 @@ server: | ||
| 765 | qname-minimisation: "no" | ||
| 766 | prefetch: "yes" | ||
| 767 | minimal-responses: no | ||
| 768 | + iter-scrub-promiscuous: no | ||
| 769 | |||
| 770 | stub-zone: | ||
| 771 | name: "." | ||
| 772 | diff --git a/testdata/iter_prefetch_change.rpl b/testdata/iter_prefetch_change.rpl | ||
| 773 | index 1be9e6a..c1a1a71 100644 | ||
| 774 | --- a/testdata/iter_prefetch_change.rpl | ||
| 775 | +++ b/testdata/iter_prefetch_change.rpl | ||
| 776 | @@ -3,6 +3,7 @@ server: | ||
| 777 | target-fetch-policy: "0 0 0 0 0" | ||
| 778 | prefetch: "yes" | ||
| 779 | minimal-responses: no | ||
| 780 | + iter-scrub-promiscuous: no | ||
| 781 | |||
| 782 | stub-zone: | ||
| 783 | name: "." | ||
| 784 | diff --git a/testdata/iter_prefetch_change2.rpl b/testdata/iter_prefetch_change2.rpl | ||
| 785 | index 7a8370f..4a966fe 100644 | ||
| 786 | --- a/testdata/iter_prefetch_change2.rpl | ||
| 787 | +++ b/testdata/iter_prefetch_change2.rpl | ||
| 788 | @@ -3,6 +3,7 @@ server: | ||
| 789 | target-fetch-policy: "0 0 0 0 0" | ||
| 790 | prefetch: "yes" | ||
| 791 | minimal-responses: no | ||
| 792 | + iter-scrub-promiscuous: no | ||
| 793 | |||
| 794 | stub-zone: | ||
| 795 | name: "." | ||
| 796 | diff --git a/testdata/iter_prefetch_childns.rpl b/testdata/iter_prefetch_childns.rpl | ||
| 797 | index 00a91fc..f234065 100644 | ||
| 798 | --- a/testdata/iter_prefetch_childns.rpl | ||
| 799 | +++ b/testdata/iter_prefetch_childns.rpl | ||
| 800 | @@ -4,6 +4,7 @@ server: | ||
| 801 | qname-minimisation: "no" | ||
| 802 | prefetch: "yes" | ||
| 803 | minimal-responses: no | ||
| 804 | + iter-scrub-promiscuous: no | ||
| 805 | |||
| 806 | stub-zone: | ||
| 807 | name: "." | ||
| 808 | diff --git a/testdata/iter_prefetch_fail.rpl b/testdata/iter_prefetch_fail.rpl | ||
| 809 | index 1d92a4c..d1e3083 100644 | ||
| 810 | --- a/testdata/iter_prefetch_fail.rpl | ||
| 811 | +++ b/testdata/iter_prefetch_fail.rpl | ||
| 812 | @@ -3,6 +3,7 @@ server: | ||
| 813 | target-fetch-policy: "0 0 0 0 0" | ||
| 814 | prefetch: "yes" | ||
| 815 | minimal-responses: no | ||
| 816 | + iter-scrub-promiscuous: no | ||
| 817 | |||
| 818 | stub-zone: | ||
| 819 | name: "." | ||
| 820 | diff --git a/testdata/iter_prefetch_ns.rpl b/testdata/iter_prefetch_ns.rpl | ||
| 821 | index 93af216..3192d31 100644 | ||
| 822 | --- a/testdata/iter_prefetch_ns.rpl | ||
| 823 | +++ b/testdata/iter_prefetch_ns.rpl | ||
| 824 | @@ -4,6 +4,7 @@ server: | ||
| 825 | qname-minimisation: "no" | ||
| 826 | prefetch: "yes" | ||
| 827 | minimal-responses: no | ||
| 828 | + iter-scrub-promiscuous: no | ||
| 829 | |||
| 830 | stub-zone: | ||
| 831 | name: "." | ||
| 832 | diff --git a/testdata/iter_primenoglue.rpl b/testdata/iter_primenoglue.rpl | ||
| 833 | index b9808dd..f8c9803 100644 | ||
| 834 | --- a/testdata/iter_primenoglue.rpl | ||
| 835 | +++ b/testdata/iter_primenoglue.rpl | ||
| 836 | @@ -8,6 +8,7 @@ server: | ||
| 837 | fake-sha1: yes | ||
| 838 | trust-anchor-signaling: no | ||
| 839 | minimal-responses: no | ||
| 840 | + iter-scrub-promiscuous: no | ||
| 841 | |||
| 842 | stub-zone: | ||
| 843 | name: "." | ||
| 844 | diff --git a/testdata/iter_privaddr.rpl b/testdata/iter_privaddr.rpl | ||
| 845 | index 0c87b4b..b7a6fde 100644 | ||
| 846 | --- a/testdata/iter_privaddr.rpl | ||
| 847 | +++ b/testdata/iter_privaddr.rpl | ||
| 848 | @@ -3,6 +3,7 @@ server: | ||
| 849 | target-fetch-policy: "0 0 0 0 0" | ||
| 850 | qname-minimisation: "no" | ||
| 851 | minimal-responses: no | ||
| 852 | + iter-scrub-promiscuous: no | ||
| 853 | |||
| 854 | private-address: 10.0.0.0/8 | ||
| 855 | private-address: 172.16.0.0/12 | ||
| 856 | diff --git a/testdata/iter_ranoaa_lame.rpl b/testdata/iter_ranoaa_lame.rpl | ||
| 857 | index 8ee8241..313192f 100644 | ||
| 858 | --- a/testdata/iter_ranoaa_lame.rpl | ||
| 859 | +++ b/testdata/iter_ranoaa_lame.rpl | ||
| 860 | @@ -2,6 +2,7 @@ | ||
| 861 | server: | ||
| 862 | target-fetch-policy: "0 0 0 0 0" | ||
| 863 | minimal-responses: no | ||
| 864 | + iter-scrub-promiscuous: no | ||
| 865 | rrset-roundrobin: no | ||
| 866 | |||
| 867 | stub-zone: | ||
| 868 | diff --git a/testdata/iter_reclame_one.rpl b/testdata/iter_reclame_one.rpl | ||
| 869 | index 4a6abfa..d273e60 100644 | ||
| 870 | --- a/testdata/iter_reclame_one.rpl | ||
| 871 | +++ b/testdata/iter_reclame_one.rpl | ||
| 872 | @@ -3,6 +3,7 @@ server: | ||
| 873 | target-fetch-policy: "0 0 0 0 0" | ||
| 874 | qname-minimisation: "no" | ||
| 875 | minimal-responses: no | ||
| 876 | + iter-scrub-promiscuous: no | ||
| 877 | rrset-roundrobin: no | ||
| 878 | |||
| 879 | stub-zone: | ||
| 880 | diff --git a/testdata/iter_reclame_two.rpl b/testdata/iter_reclame_two.rpl | ||
| 881 | index 76c310b..e2b2bc1 100644 | ||
| 882 | --- a/testdata/iter_reclame_two.rpl | ||
| 883 | +++ b/testdata/iter_reclame_two.rpl | ||
| 884 | @@ -2,6 +2,7 @@ | ||
| 885 | server: | ||
| 886 | target-fetch-policy: "0 0 0 0 0" | ||
| 887 | minimal-responses: no | ||
| 888 | + iter-scrub-promiscuous: no | ||
| 889 | rrset-roundrobin: no | ||
| 890 | |||
| 891 | stub-zone: | ||
| 892 | diff --git a/testdata/iter_recurse.rpl b/testdata/iter_recurse.rpl | ||
| 893 | index be50b4a..1352876 100644 | ||
| 894 | --- a/testdata/iter_recurse.rpl | ||
| 895 | +++ b/testdata/iter_recurse.rpl | ||
| 896 | @@ -3,6 +3,7 @@ server: | ||
| 897 | target-fetch-policy: "0 0 0 0 0" | ||
| 898 | qname-minimisation: "no" | ||
| 899 | minimal-responses: no | ||
| 900 | + iter-scrub-promiscuous: no | ||
| 901 | |||
| 902 | stub-zone: | ||
| 903 | name: "." | ||
| 904 | diff --git a/testdata/iter_resolve.rpl b/testdata/iter_resolve.rpl | ||
| 905 | index ed051ff..3ea56ab 100644 | ||
| 906 | --- a/testdata/iter_resolve.rpl | ||
| 907 | +++ b/testdata/iter_resolve.rpl | ||
| 908 | @@ -3,6 +3,7 @@ server: | ||
| 909 | target-fetch-policy: "0 0 0 0 0" | ||
| 910 | qname-minimisation: "no" | ||
| 911 | minimal-responses: no | ||
| 912 | + iter-scrub-promiscuous: no | ||
| 913 | |||
| 914 | stub-zone: | ||
| 915 | name: "." | ||
| 916 | diff --git a/testdata/iter_resolve_minimised.rpl b/testdata/iter_resolve_minimised.rpl | ||
| 917 | index 2c6f9cc..13f04d4 100644 | ||
| 918 | --- a/testdata/iter_resolve_minimised.rpl | ||
| 919 | +++ b/testdata/iter_resolve_minimised.rpl | ||
| 920 | @@ -2,6 +2,7 @@ | ||
| 921 | server: | ||
| 922 | target-fetch-policy: "0 0 0 0 0" | ||
| 923 | minimal-responses: no | ||
| 924 | + iter-scrub-promiscuous: no | ||
| 925 | |||
| 926 | stub-zone: | ||
| 927 | name: "." | ||
| 928 | diff --git a/testdata/iter_resolve_minimised_nx.rpl b/testdata/iter_resolve_minimised_nx.rpl | ||
| 929 | index 74e612c..c68f20c 100644 | ||
| 930 | --- a/testdata/iter_resolve_minimised_nx.rpl | ||
| 931 | +++ b/testdata/iter_resolve_minimised_nx.rpl | ||
| 932 | @@ -3,6 +3,7 @@ server: | ||
| 933 | target-fetch-policy: "0 0 0 0 0" | ||
| 934 | qname-minimisation: yes | ||
| 935 | minimal-responses: no | ||
| 936 | + iter-scrub-promiscuous: no | ||
| 937 | |||
| 938 | stub-zone: | ||
| 939 | name: "." | ||
| 940 | diff --git a/testdata/iter_resolve_minimised_refused.rpl b/testdata/iter_resolve_minimised_refused.rpl | ||
| 941 | index 66e8e63..8dc76e2 100644 | ||
| 942 | --- a/testdata/iter_resolve_minimised_refused.rpl | ||
| 943 | +++ b/testdata/iter_resolve_minimised_refused.rpl | ||
| 944 | @@ -3,6 +3,7 @@ server: | ||
| 945 | target-fetch-policy: "0 0 0 0 0" | ||
| 946 | qname-minimisation: yes | ||
| 947 | minimal-responses: no | ||
| 948 | + iter-scrub-promiscuous: no | ||
| 949 | |||
| 950 | stub-zone: | ||
| 951 | name: "." | ||
| 952 | diff --git a/testdata/iter_resolve_minimised_timeout.rpl b/testdata/iter_resolve_minimised_timeout.rpl | ||
| 953 | index 86b9321..3740d79 100644 | ||
| 954 | --- a/testdata/iter_resolve_minimised_timeout.rpl | ||
| 955 | +++ b/testdata/iter_resolve_minimised_timeout.rpl | ||
| 956 | @@ -3,6 +3,7 @@ server: | ||
| 957 | target-fetch-policy: "0 0 0 0 0" | ||
| 958 | qname-minimisation: yes | ||
| 959 | minimal-responses: no | ||
| 960 | + iter-scrub-promiscuous: no | ||
| 961 | |||
| 962 | stub-zone: | ||
| 963 | name: "." | ||
| 964 | diff --git a/testdata/iter_scrub_cname_an.rpl b/testdata/iter_scrub_cname_an.rpl | ||
| 965 | index 9c5060a..f81916b 100644 | ||
| 966 | --- a/testdata/iter_scrub_cname_an.rpl | ||
| 967 | +++ b/testdata/iter_scrub_cname_an.rpl | ||
| 968 | @@ -4,6 +4,7 @@ server: | ||
| 969 | target-fetch-policy: "0 0 0 0 0" | ||
| 970 | qname-minimisation: "no" | ||
| 971 | minimal-responses: no | ||
| 972 | + iter-scrub-promiscuous: no | ||
| 973 | |||
| 974 | stub-zone: | ||
| 975 | name: "." | ||
| 976 | diff --git a/testdata/iter_scrub_dname_insec.rpl b/testdata/iter_scrub_dname_insec.rpl | ||
| 977 | index 826d89e..82ff1d3 100644 | ||
| 978 | --- a/testdata/iter_scrub_dname_insec.rpl | ||
| 979 | +++ b/testdata/iter_scrub_dname_insec.rpl | ||
| 980 | @@ -4,6 +4,7 @@ server: | ||
| 981 | target-fetch-policy: "0 0 0 0 0" | ||
| 982 | qname-minimisation: "no" | ||
| 983 | minimal-responses: no | ||
| 984 | + iter-scrub-promiscuous: no | ||
| 985 | |||
| 986 | stub-zone: | ||
| 987 | name: "." | ||
| 988 | diff --git a/testdata/iter_scrub_dname_rev.rpl b/testdata/iter_scrub_dname_rev.rpl | ||
| 989 | index 9caca66..dfb21b8 100644 | ||
| 990 | --- a/testdata/iter_scrub_dname_rev.rpl | ||
| 991 | +++ b/testdata/iter_scrub_dname_rev.rpl | ||
| 992 | @@ -8,6 +8,7 @@ server: | ||
| 993 | fake-sha1: yes | ||
| 994 | trust-anchor-signaling: no | ||
| 995 | minimal-responses: no | ||
| 996 | + iter-scrub-promiscuous: no | ||
| 997 | |||
| 998 | stub-zone: | ||
| 999 | name: "." | ||
| 1000 | diff --git a/testdata/iter_scrub_dname_sec.rpl b/testdata/iter_scrub_dname_sec.rpl | ||
| 1001 | index 34a7b32..943b19f 100644 | ||
| 1002 | --- a/testdata/iter_scrub_dname_sec.rpl | ||
| 1003 | +++ b/testdata/iter_scrub_dname_sec.rpl | ||
| 1004 | @@ -8,6 +8,7 @@ server: | ||
| 1005 | fake-sha1: yes | ||
| 1006 | trust-anchor-signaling: no | ||
| 1007 | minimal-responses: no | ||
| 1008 | + iter-scrub-promiscuous: no | ||
| 1009 | |||
| 1010 | stub-zone: | ||
| 1011 | name: "." | ||
| 1012 | diff --git a/testdata/iter_scrub_rr_length.rpl b/testdata/iter_scrub_rr_length.rpl | ||
| 1013 | index 2ef73c2..5463723 100644 | ||
| 1014 | --- a/testdata/iter_scrub_rr_length.rpl | ||
| 1015 | +++ b/testdata/iter_scrub_rr_length.rpl | ||
| 1016 | @@ -3,6 +3,7 @@ server: | ||
| 1017 | target-fetch-policy: "0 0 0 0 0" | ||
| 1018 | qname-minimisation: "no" | ||
| 1019 | minimal-responses: no | ||
| 1020 | + iter-scrub-promiscuous: no | ||
| 1021 | rrset-roundrobin: no | ||
| 1022 | ede: yes | ||
| 1023 | log-servfail: yes | ||
| 1024 | diff --git a/testdata/iter_soamin.rpl b/testdata/iter_soamin.rpl | ||
| 1025 | index 7e90260..0facc35 100644 | ||
| 1026 | --- a/testdata/iter_soamin.rpl | ||
| 1027 | +++ b/testdata/iter_soamin.rpl | ||
| 1028 | @@ -2,6 +2,7 @@ | ||
| 1029 | server: | ||
| 1030 | target-fetch-policy: "0 0 0 0 0" | ||
| 1031 | minimal-responses: no | ||
| 1032 | + iter-scrub-promiscuous: no | ||
| 1033 | |||
| 1034 | stub-zone: | ||
| 1035 | name: "." | ||
| 1036 | diff --git a/testdata/iter_stub_noroot.rpl b/testdata/iter_stub_noroot.rpl | ||
| 1037 | index ef306bd..749462b 100644 | ||
| 1038 | --- a/testdata/iter_stub_noroot.rpl | ||
| 1039 | +++ b/testdata/iter_stub_noroot.rpl | ||
| 1040 | @@ -2,6 +2,7 @@ | ||
| 1041 | server: | ||
| 1042 | target-fetch-policy: "0 0 0 0 0" | ||
| 1043 | minimal-responses: no | ||
| 1044 | + iter-scrub-promiscuous: no | ||
| 1045 | |||
| 1046 | stub-zone: | ||
| 1047 | name: "." | ||
| 1048 | diff --git a/testdata/iter_stubfirst.rpl b/testdata/iter_stubfirst.rpl | ||
| 1049 | index 1a7112d..7cd3305 100644 | ||
| 1050 | --- a/testdata/iter_stubfirst.rpl | ||
| 1051 | +++ b/testdata/iter_stubfirst.rpl | ||
| 1052 | @@ -2,6 +2,7 @@ | ||
| 1053 | server: | ||
| 1054 | target-fetch-policy: "0 0 0 0 0" | ||
| 1055 | minimal-responses: no | ||
| 1056 | + iter-scrub-promiscuous: no | ||
| 1057 | |||
| 1058 | stub-zone: | ||
| 1059 | name: "." | ||
| 1060 | diff --git a/testdata/iter_timeout_ra_aaaa.rpl b/testdata/iter_timeout_ra_aaaa.rpl | ||
| 1061 | index 126867b..9456f04 100644 | ||
| 1062 | --- a/testdata/iter_timeout_ra_aaaa.rpl | ||
| 1063 | +++ b/testdata/iter_timeout_ra_aaaa.rpl | ||
| 1064 | @@ -3,6 +3,7 @@ server: | ||
| 1065 | target-fetch-policy: "0 0 0 0 0" | ||
| 1066 | qname-minimisation: "no" | ||
| 1067 | minimal-responses: no | ||
| 1068 | + iter-scrub-promiscuous: no | ||
| 1069 | |||
| 1070 | stub-zone: | ||
| 1071 | name: "." | ||
| 1072 | diff --git a/testdata/rrset_rettl.rpl b/testdata/rrset_rettl.rpl | ||
| 1073 | index 55dd623..131a98e 100644 | ||
| 1074 | --- a/testdata/rrset_rettl.rpl | ||
| 1075 | +++ b/testdata/rrset_rettl.rpl | ||
| 1076 | @@ -2,6 +2,7 @@ | ||
| 1077 | ; config options go here. | ||
| 1078 | server: | ||
| 1079 | minimal-responses: no | ||
| 1080 | + iter-scrub-promiscuous: no | ||
| 1081 | forward-zone: name: "." forward-addr: 216.0.0.1 | ||
| 1082 | CONFIG_END | ||
| 1083 | |||
| 1084 | diff --git a/testdata/rrset_untrusted.rpl b/testdata/rrset_untrusted.rpl | ||
| 1085 | index 6370ebf..207275b 100644 | ||
| 1086 | --- a/testdata/rrset_untrusted.rpl | ||
| 1087 | +++ b/testdata/rrset_untrusted.rpl | ||
| 1088 | @@ -2,6 +2,7 @@ | ||
| 1089 | ; config options go here. | ||
| 1090 | server: | ||
| 1091 | minimal-responses: no | ||
| 1092 | + iter-scrub-promiscuous: no | ||
| 1093 | forward-zone: name: "." forward-addr: 216.0.0.1 | ||
| 1094 | CONFIG_END | ||
| 1095 | |||
| 1096 | diff --git a/testdata/rrset_updated.rpl b/testdata/rrset_updated.rpl | ||
| 1097 | index 55da56b..ba8e492 100644 | ||
| 1098 | --- a/testdata/rrset_updated.rpl | ||
| 1099 | +++ b/testdata/rrset_updated.rpl | ||
| 1100 | @@ -2,6 +2,7 @@ | ||
| 1101 | ; config options go here. | ||
| 1102 | server: | ||
| 1103 | minimal-responses: no | ||
| 1104 | + iter-scrub-promiscuous: no | ||
| 1105 | rrset-roundrobin: no | ||
| 1106 | forward-zone: name: "." forward-addr: 216.0.0.1 | ||
| 1107 | CONFIG_END | ||
| 1108 | diff --git a/testdata/rrset_use_cached.rpl b/testdata/rrset_use_cached.rpl | ||
| 1109 | index 8420ae0..17696f6 100644 | ||
| 1110 | --- a/testdata/rrset_use_cached.rpl | ||
| 1111 | +++ b/testdata/rrset_use_cached.rpl | ||
| 1112 | @@ -1,5 +1,6 @@ | ||
| 1113 | server: | ||
| 1114 | minimal-responses: no | ||
| 1115 | + iter-scrub-promiscuous: no | ||
| 1116 | serve-expired: yes | ||
| 1117 | # The value does not matter, we will not simulate delay. | ||
| 1118 | # We do not want only serve-expired because fetches from that | ||
| 1119 | diff --git a/testdata/serve_expired.rpl b/testdata/serve_expired.rpl | ||
| 1120 | index 3f61019..2bba0d9 100644 | ||
| 1121 | --- a/testdata/serve_expired.rpl | ||
| 1122 | +++ b/testdata/serve_expired.rpl | ||
| 1123 | @@ -3,6 +3,7 @@ server: | ||
| 1124 | module-config: "validator iterator" | ||
| 1125 | qname-minimisation: "no" | ||
| 1126 | minimal-responses: no | ||
| 1127 | + iter-scrub-promiscuous: no | ||
| 1128 | serve-expired: yes | ||
| 1129 | access-control: 127.0.0.1/32 allow_snoop | ||
| 1130 | ede: yes | ||
| 1131 | diff --git a/testdata/serve_expired_0ttl_nodata.rpl b/testdata/serve_expired_0ttl_nodata.rpl | ||
| 1132 | index 7f1b5a5..d16a115 100644 | ||
| 1133 | --- a/testdata/serve_expired_0ttl_nodata.rpl | ||
| 1134 | +++ b/testdata/serve_expired_0ttl_nodata.rpl | ||
| 1135 | @@ -3,6 +3,7 @@ server: | ||
| 1136 | module-config: "validator iterator" | ||
| 1137 | qname-minimisation: "no" | ||
| 1138 | minimal-responses: no | ||
| 1139 | + iter-scrub-promiscuous: no | ||
| 1140 | serve-expired: yes | ||
| 1141 | log-servfail: yes | ||
| 1142 | ede: yes | ||
| 1143 | diff --git a/testdata/serve_expired_0ttl_nxdomain.rpl b/testdata/serve_expired_0ttl_nxdomain.rpl | ||
| 1144 | index 4adb4b8..a9195b0 100644 | ||
| 1145 | --- a/testdata/serve_expired_0ttl_nxdomain.rpl | ||
| 1146 | +++ b/testdata/serve_expired_0ttl_nxdomain.rpl | ||
| 1147 | @@ -3,6 +3,7 @@ server: | ||
| 1148 | module-config: "validator iterator" | ||
| 1149 | qname-minimisation: "no" | ||
| 1150 | minimal-responses: no | ||
| 1151 | + iter-scrub-promiscuous: no | ||
| 1152 | serve-expired: yes | ||
| 1153 | log-servfail: yes | ||
| 1154 | ede: yes | ||
| 1155 | diff --git a/testdata/serve_expired_0ttl_servfail.rpl b/testdata/serve_expired_0ttl_servfail.rpl | ||
| 1156 | index 6833af1..b0fa484 100644 | ||
| 1157 | --- a/testdata/serve_expired_0ttl_servfail.rpl | ||
| 1158 | +++ b/testdata/serve_expired_0ttl_servfail.rpl | ||
| 1159 | @@ -3,6 +3,7 @@ server: | ||
| 1160 | module-config: "validator iterator" | ||
| 1161 | qname-minimisation: "no" | ||
| 1162 | minimal-responses: no | ||
| 1163 | + iter-scrub-promiscuous: no | ||
| 1164 | serve-expired: yes | ||
| 1165 | log-servfail: yes | ||
| 1166 | ede: yes | ||
| 1167 | diff --git a/testdata/serve_expired_cached_servfail.rpl b/testdata/serve_expired_cached_servfail.rpl | ||
| 1168 | index f5f4c70..0beb8fc 100644 | ||
| 1169 | --- a/testdata/serve_expired_cached_servfail.rpl | ||
| 1170 | +++ b/testdata/serve_expired_cached_servfail.rpl | ||
| 1171 | @@ -3,6 +3,7 @@ server: | ||
| 1172 | module-config: "validator iterator" | ||
| 1173 | qname-minimisation: "no" | ||
| 1174 | minimal-responses: no | ||
| 1175 | + iter-scrub-promiscuous: no | ||
| 1176 | serve-expired: yes | ||
| 1177 | serve-expired-reply-ttl: 123 | ||
| 1178 | log-servfail: yes | ||
| 1179 | diff --git a/testdata/serve_expired_client_timeout.rpl b/testdata/serve_expired_client_timeout.rpl | ||
| 1180 | index 5560aa0..e40e1b4 100644 | ||
| 1181 | --- a/testdata/serve_expired_client_timeout.rpl | ||
| 1182 | +++ b/testdata/serve_expired_client_timeout.rpl | ||
| 1183 | @@ -3,6 +3,7 @@ server: | ||
| 1184 | module-config: "validator iterator" | ||
| 1185 | qname-minimisation: "no" | ||
| 1186 | minimal-responses: no | ||
| 1187 | + iter-scrub-promiscuous: no | ||
| 1188 | serve-expired: yes | ||
| 1189 | serve-expired-client-timeout: 1 | ||
| 1190 | serve-expired-reply-ttl: 123 | ||
| 1191 | diff --git a/testdata/serve_expired_client_timeout_no_prefetch.rpl b/testdata/serve_expired_client_timeout_no_prefetch.rpl | ||
| 1192 | index aed397d..3a35c46 100644 | ||
| 1193 | --- a/testdata/serve_expired_client_timeout_no_prefetch.rpl | ||
| 1194 | +++ b/testdata/serve_expired_client_timeout_no_prefetch.rpl | ||
| 1195 | @@ -3,6 +3,7 @@ server: | ||
| 1196 | module-config: "validator iterator" | ||
| 1197 | qname-minimisation: "no" | ||
| 1198 | minimal-responses: no | ||
| 1199 | + iter-scrub-promiscuous: no | ||
| 1200 | serve-expired: yes | ||
| 1201 | serve-expired-client-timeout: 1 | ||
| 1202 | serve-expired-reply-ttl: 123 | ||
| 1203 | diff --git a/testdata/serve_expired_client_timeout_servfail.rpl b/testdata/serve_expired_client_timeout_servfail.rpl | ||
| 1204 | index 51aa043..226e4b5 100644 | ||
| 1205 | --- a/testdata/serve_expired_client_timeout_servfail.rpl | ||
| 1206 | +++ b/testdata/serve_expired_client_timeout_servfail.rpl | ||
| 1207 | @@ -3,6 +3,7 @@ server: | ||
| 1208 | module-config: "validator iterator" | ||
| 1209 | qname-minimisation: "no" | ||
| 1210 | minimal-responses: no | ||
| 1211 | + iter-scrub-promiscuous: no | ||
| 1212 | serve-expired: yes | ||
| 1213 | serve-expired-client-timeout: 1 | ||
| 1214 | serve-expired-reply-ttl: 123 | ||
| 1215 | diff --git a/testdata/serve_expired_reply_ttl.rpl b/testdata/serve_expired_reply_ttl.rpl | ||
| 1216 | index 124fb87..063aad9 100644 | ||
| 1217 | --- a/testdata/serve_expired_reply_ttl.rpl | ||
| 1218 | +++ b/testdata/serve_expired_reply_ttl.rpl | ||
| 1219 | @@ -3,6 +3,7 @@ server: | ||
| 1220 | module-config: "validator iterator" | ||
| 1221 | qname-minimisation: "no" | ||
| 1222 | minimal-responses: no | ||
| 1223 | + iter-scrub-promiscuous: no | ||
| 1224 | serve-expired: yes | ||
| 1225 | serve-expired-reply-ttl: 123 | ||
| 1226 | ede: yes | ||
| 1227 | diff --git a/testdata/serve_expired_ttl.rpl b/testdata/serve_expired_ttl.rpl | ||
| 1228 | index df4ecb8..df3cd90 100644 | ||
| 1229 | --- a/testdata/serve_expired_ttl.rpl | ||
| 1230 | +++ b/testdata/serve_expired_ttl.rpl | ||
| 1231 | @@ -3,6 +3,7 @@ server: | ||
| 1232 | module-config: "validator iterator" | ||
| 1233 | qname-minimisation: "no" | ||
| 1234 | minimal-responses: no | ||
| 1235 | + iter-scrub-promiscuous: no | ||
| 1236 | serve-expired: yes | ||
| 1237 | serve-expired-ttl: 10 | ||
| 1238 | |||
| 1239 | diff --git a/testdata/serve_expired_ttl_client_timeout.rpl b/testdata/serve_expired_ttl_client_timeout.rpl | ||
| 1240 | index 169d070..f285790 100644 | ||
| 1241 | --- a/testdata/serve_expired_ttl_client_timeout.rpl | ||
| 1242 | +++ b/testdata/serve_expired_ttl_client_timeout.rpl | ||
| 1243 | @@ -3,6 +3,7 @@ server: | ||
| 1244 | module-config: "validator iterator" | ||
| 1245 | qname-minimisation: "no" | ||
| 1246 | minimal-responses: no | ||
| 1247 | + iter-scrub-promiscuous: no | ||
| 1248 | serve-expired: yes | ||
| 1249 | serve-expired-ttl: 10 | ||
| 1250 | serve-expired-client-timeout: 1 | ||
| 1251 | diff --git a/testdata/serve_expired_zerottl.rpl b/testdata/serve_expired_zerottl.rpl | ||
| 1252 | index 0239b4a..fbb76f9 100644 | ||
| 1253 | --- a/testdata/serve_expired_zerottl.rpl | ||
| 1254 | +++ b/testdata/serve_expired_zerottl.rpl | ||
| 1255 | @@ -3,6 +3,7 @@ server: | ||
| 1256 | module-config: "validator iterator" | ||
| 1257 | qname-minimisation: "no" | ||
| 1258 | minimal-responses: no | ||
| 1259 | + iter-scrub-promiscuous: no | ||
| 1260 | serve-expired: yes | ||
| 1261 | serve-expired-reply-ttl: 123 | ||
| 1262 | ede: yes | ||
| 1263 | diff --git a/testdata/serve_original_ttl.rpl b/testdata/serve_original_ttl.rpl | ||
| 1264 | index 24d01b6..ced0672 100644 | ||
| 1265 | --- a/testdata/serve_original_ttl.rpl | ||
| 1266 | +++ b/testdata/serve_original_ttl.rpl | ||
| 1267 | @@ -4,6 +4,7 @@ server: | ||
| 1268 | module-config: "validator iterator" | ||
| 1269 | qname-minimisation: "no" | ||
| 1270 | minimal-responses: no | ||
| 1271 | + iter-scrub-promiscuous: no | ||
| 1272 | serve-original-ttl: yes | ||
| 1273 | cache-max-ttl: 1000 | ||
| 1274 | cache-min-ttl: 20 | ||
| 1275 | diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl | ||
| 1276 | index 2098313..8f3c3de 100644 | ||
| 1277 | --- a/testdata/subnet_cached.crpl | ||
| 1278 | +++ b/testdata/subnet_cached.crpl | ||
| 1279 | @@ -15,6 +15,7 @@ server: | ||
| 1280 | access-control: 127.0.0.1 allow_snoop | ||
| 1281 | qname-minimisation: "no" | ||
| 1282 | minimal-responses: no | ||
| 1283 | + iter-scrub-promiscuous: no | ||
| 1284 | |||
| 1285 | stub-zone: | ||
| 1286 | name: "." | ||
| 1287 | diff --git a/testdata/subnet_cached_servfail.crpl b/testdata/subnet_cached_servfail.crpl | ||
| 1288 | index 9c746d5..535671b 100644 | ||
| 1289 | --- a/testdata/subnet_cached_servfail.crpl | ||
| 1290 | +++ b/testdata/subnet_cached_servfail.crpl | ||
| 1291 | @@ -11,6 +11,7 @@ server: | ||
| 1292 | access-control: 127.0.0.1 allow_snoop | ||
| 1293 | qname-minimisation: no | ||
| 1294 | minimal-responses: no | ||
| 1295 | + iter-scrub-promiscuous: no | ||
| 1296 | serve-expired: yes | ||
| 1297 | prefetch: yes | ||
| 1298 | |||
| 1299 | diff --git a/testdata/subnet_global_prefetch.crpl b/testdata/subnet_global_prefetch.crpl | ||
| 1300 | index 2f005d4..7665015 100644 | ||
| 1301 | --- a/testdata/subnet_global_prefetch.crpl | ||
| 1302 | +++ b/testdata/subnet_global_prefetch.crpl | ||
| 1303 | @@ -12,6 +12,7 @@ server: | ||
| 1304 | access-control: 127.0.0.1 allow_snoop | ||
| 1305 | qname-minimisation: no | ||
| 1306 | minimal-responses: no | ||
| 1307 | + iter-scrub-promiscuous: no | ||
| 1308 | prefetch: yes | ||
| 1309 | |||
| 1310 | stub-zone: | ||
| 1311 | diff --git a/testdata/subnet_global_prefetch_always_forward.crpl b/testdata/subnet_global_prefetch_always_forward.crpl | ||
| 1312 | index ccfe5df..0713629 100644 | ||
| 1313 | --- a/testdata/subnet_global_prefetch_always_forward.crpl | ||
| 1314 | +++ b/testdata/subnet_global_prefetch_always_forward.crpl | ||
| 1315 | @@ -12,6 +12,7 @@ server: | ||
| 1316 | access-control: 127.0.0.1 allow_snoop | ||
| 1317 | qname-minimisation: no | ||
| 1318 | minimal-responses: no | ||
| 1319 | + iter-scrub-promiscuous: no | ||
| 1320 | |||
| 1321 | stub-zone: | ||
| 1322 | name: "." | ||
| 1323 | diff --git a/testdata/subnet_global_prefetch_expired.crpl b/testdata/subnet_global_prefetch_expired.crpl | ||
| 1324 | index de1b780..7c00d82 100644 | ||
| 1325 | --- a/testdata/subnet_global_prefetch_expired.crpl | ||
| 1326 | +++ b/testdata/subnet_global_prefetch_expired.crpl | ||
| 1327 | @@ -13,6 +13,7 @@ server: | ||
| 1328 | access-control: 127.0.0.1 allow_snoop | ||
| 1329 | qname-minimisation: no | ||
| 1330 | minimal-responses: no | ||
| 1331 | + iter-scrub-promiscuous: no | ||
| 1332 | serve-expired: yes | ||
| 1333 | serve-expired-ttl: 1 | ||
| 1334 | prefetch: yes | ||
| 1335 | diff --git a/testdata/subnet_global_prefetch_with_client_ecs.crpl b/testdata/subnet_global_prefetch_with_client_ecs.crpl | ||
| 1336 | index ddc832c..8589db7 100644 | ||
| 1337 | --- a/testdata/subnet_global_prefetch_with_client_ecs.crpl | ||
| 1338 | +++ b/testdata/subnet_global_prefetch_with_client_ecs.crpl | ||
| 1339 | @@ -12,6 +12,7 @@ server: | ||
| 1340 | access-control: 127.0.0.1 allow_snoop | ||
| 1341 | qname-minimisation: no | ||
| 1342 | minimal-responses: no | ||
| 1343 | + iter-scrub-promiscuous: no | ||
| 1344 | prefetch: yes | ||
| 1345 | |||
| 1346 | stub-zone: | ||
| 1347 | diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl | ||
| 1348 | index f5c7464..f3f71e7 100644 | ||
| 1349 | --- a/testdata/subnet_max_source.crpl | ||
| 1350 | +++ b/testdata/subnet_max_source.crpl | ||
| 1351 | @@ -11,6 +11,7 @@ server: | ||
| 1352 | verbosity: 3 | ||
| 1353 | qname-minimisation: "no" | ||
| 1354 | minimal-responses: no | ||
| 1355 | + iter-scrub-promiscuous: no | ||
| 1356 | |||
| 1357 | stub-zone: | ||
| 1358 | name: "." | ||
| 1359 | diff --git a/testdata/subnet_prefetch.crpl b/testdata/subnet_prefetch.crpl | ||
| 1360 | index aaa6bf0..243e409 100644 | ||
| 1361 | --- a/testdata/subnet_prefetch.crpl | ||
| 1362 | +++ b/testdata/subnet_prefetch.crpl | ||
| 1363 | @@ -12,6 +12,7 @@ server: | ||
| 1364 | access-control: 127.0.0.1 allow_snoop | ||
| 1365 | qname-minimisation: no | ||
| 1366 | minimal-responses: no | ||
| 1367 | + iter-scrub-promiscuous: no | ||
| 1368 | prefetch: yes | ||
| 1369 | |||
| 1370 | stub-zone: | ||
| 1371 | diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl | ||
| 1372 | index 01456e5..10996ad 100644 | ||
| 1373 | --- a/testdata/subnet_val_positive.crpl | ||
| 1374 | +++ b/testdata/subnet_val_positive.crpl | ||
| 1375 | @@ -13,6 +13,7 @@ server: | ||
| 1376 | fake-dsa: yes | ||
| 1377 | qname-minimisation: "no" | ||
| 1378 | minimal-responses: no | ||
| 1379 | + iter-scrub-promiscuous: no | ||
| 1380 | |||
| 1381 | stub-zone: | ||
| 1382 | name: "." | ||
| 1383 | diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl | ||
| 1384 | index b573742..1b51d52 100644 | ||
| 1385 | --- a/testdata/subnet_val_positive_client.crpl | ||
| 1386 | +++ b/testdata/subnet_val_positive_client.crpl | ||
| 1387 | @@ -14,6 +14,7 @@ server: | ||
| 1388 | fake-dsa: yes | ||
| 1389 | qname-minimisation: "no" | ||
| 1390 | minimal-responses: no | ||
| 1391 | + iter-scrub-promiscuous: no | ||
| 1392 | |||
| 1393 | stub-zone: | ||
| 1394 | name: "." | ||
| 1395 | diff --git a/testdata/trust_cname_chain.rpl b/testdata/trust_cname_chain.rpl | ||
| 1396 | index f8415ba..e24f8c1 100644 | ||
| 1397 | --- a/testdata/trust_cname_chain.rpl | ||
| 1398 | +++ b/testdata/trust_cname_chain.rpl | ||
| 1399 | @@ -2,6 +2,7 @@ | ||
| 1400 | server: | ||
| 1401 | target-fetch-policy: "0 0 0 0 0" | ||
| 1402 | minimal-responses: no | ||
| 1403 | + iter-scrub-promiscuous: no | ||
| 1404 | stub-zone: | ||
| 1405 | name: "." | ||
| 1406 | stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. | ||
| 1407 | diff --git a/testdata/ttl_max.rpl b/testdata/ttl_max.rpl | ||
| 1408 | index 3256963..b24eea3 100644 | ||
| 1409 | --- a/testdata/ttl_max.rpl | ||
| 1410 | +++ b/testdata/ttl_max.rpl | ||
| 1411 | @@ -4,6 +4,7 @@ server: | ||
| 1412 | cache-max-ttl: 10 | ||
| 1413 | qname-minimisation: "no" | ||
| 1414 | minimal-responses: no | ||
| 1415 | + iter-scrub-promiscuous: no | ||
| 1416 | |||
| 1417 | stub-zone: | ||
| 1418 | name: "." | ||
| 1419 | diff --git a/testdata/ttl_min.rpl b/testdata/ttl_min.rpl | ||
| 1420 | index 3c79ff5..94206c7 100644 | ||
| 1421 | --- a/testdata/ttl_min.rpl | ||
| 1422 | +++ b/testdata/ttl_min.rpl | ||
| 1423 | @@ -4,6 +4,7 @@ server: | ||
| 1424 | cache-min-ttl: 10 | ||
| 1425 | qname-minimisation: "no" | ||
| 1426 | minimal-responses: no | ||
| 1427 | + iter-scrub-promiscuous: no | ||
| 1428 | |||
| 1429 | stub-zone: | ||
| 1430 | name: "." | ||
| 1431 | diff --git a/testdata/val_adbit.rpl b/testdata/val_adbit.rpl | ||
| 1432 | index 7ce62de..233c58b 100644 | ||
| 1433 | --- a/testdata/val_adbit.rpl | ||
| 1434 | +++ b/testdata/val_adbit.rpl | ||
| 1435 | @@ -8,6 +8,7 @@ server: | ||
| 1436 | fake-sha1: yes | ||
| 1437 | trust-anchor-signaling: no | ||
| 1438 | minimal-responses: no | ||
| 1439 | + iter-scrub-promiscuous: no | ||
| 1440 | |||
| 1441 | stub-zone: | ||
| 1442 | name: "." | ||
| 1443 | diff --git a/testdata/val_adcopy.rpl b/testdata/val_adcopy.rpl | ||
| 1444 | index 604fd57..7bc31df 100644 | ||
| 1445 | --- a/testdata/val_adcopy.rpl | ||
| 1446 | +++ b/testdata/val_adcopy.rpl | ||
| 1447 | @@ -7,6 +7,7 @@ server: | ||
| 1448 | qname-minimisation: "no" | ||
| 1449 | fake-sha1: yes | ||
| 1450 | minimal-responses: no | ||
| 1451 | + iter-scrub-promiscuous: no | ||
| 1452 | |||
| 1453 | stub-zone: | ||
| 1454 | name: "." | ||
| 1455 | diff --git a/testdata/val_cnametocnamewctoposwc.rpl b/testdata/val_cnametocnamewctoposwc.rpl | ||
| 1456 | index 407666e..9ea8b49 100644 | ||
| 1457 | --- a/testdata/val_cnametocnamewctoposwc.rpl | ||
| 1458 | +++ b/testdata/val_cnametocnamewctoposwc.rpl | ||
| 1459 | @@ -7,6 +7,7 @@ server: | ||
| 1460 | qname-minimisation: "no" | ||
| 1461 | fake-sha1: yes | ||
| 1462 | trust-anchor-signaling: no | ||
| 1463 | + iter-scrub-promiscuous: no | ||
| 1464 | |||
| 1465 | stub-zone: | ||
| 1466 | name: "." | ||
| 1467 | diff --git a/testdata/val_ds_afterprime.rpl b/testdata/val_ds_afterprime.rpl | ||
| 1468 | index 3b1c0d6..301a1f6 100644 | ||
| 1469 | --- a/testdata/val_ds_afterprime.rpl | ||
| 1470 | +++ b/testdata/val_ds_afterprime.rpl | ||
| 1471 | @@ -8,6 +8,7 @@ server: | ||
| 1472 | fake-sha1: yes | ||
| 1473 | trust-anchor-signaling: no | ||
| 1474 | minimal-responses: no | ||
| 1475 | + iter-scrub-promiscuous: no | ||
| 1476 | |||
| 1477 | stub-zone: | ||
| 1478 | name: "." | ||
| 1479 | diff --git a/testdata/val_faildnskey_ok.rpl b/testdata/val_faildnskey_ok.rpl | ||
| 1480 | index 50f3184..f9196f3 100644 | ||
| 1481 | --- a/testdata/val_faildnskey_ok.rpl | ||
| 1482 | +++ b/testdata/val_faildnskey_ok.rpl | ||
| 1483 | @@ -8,6 +8,7 @@ server: | ||
| 1484 | fake-sha1: yes | ||
| 1485 | trust-anchor-signaling: no | ||
| 1486 | minimal-responses: no | ||
| 1487 | + iter-scrub-promiscuous: no | ||
| 1488 | |||
| 1489 | stub-zone: | ||
| 1490 | name: "." | ||
| 1491 | diff --git a/testdata/val_keyprefetch_verify.rpl b/testdata/val_keyprefetch_verify.rpl | ||
| 1492 | index 9b901a8..6cf8184 100644 | ||
| 1493 | --- a/testdata/val_keyprefetch_verify.rpl | ||
| 1494 | +++ b/testdata/val_keyprefetch_verify.rpl | ||
| 1495 | @@ -10,6 +10,7 @@ server: | ||
| 1496 | fake-sha1: yes | ||
| 1497 | trust-anchor-signaling: no | ||
| 1498 | minimal-responses: no | ||
| 1499 | + iter-scrub-promiscuous: no | ||
| 1500 | |||
| 1501 | stub-zone: | ||
| 1502 | name: "." | ||
| 1503 | diff --git a/testdata/val_noadwhennodo.rpl b/testdata/val_noadwhennodo.rpl | ||
| 1504 | index 46e1bad..dbdeb78 100644 | ||
| 1505 | --- a/testdata/val_noadwhennodo.rpl | ||
| 1506 | +++ b/testdata/val_noadwhennodo.rpl | ||
| 1507 | @@ -8,6 +8,7 @@ server: | ||
| 1508 | fake-sha1: yes | ||
| 1509 | trust-anchor-signaling: no | ||
| 1510 | minimal-responses: no | ||
| 1511 | + iter-scrub-promiscuous: no | ||
| 1512 | |||
| 1513 | stub-zone: | ||
| 1514 | name: "." | ||
| 1515 | diff --git a/testdata/val_nsec3_b3_optout.rpl b/testdata/val_nsec3_b3_optout.rpl | ||
| 1516 | index 9d84be9..5d8a43a 100644 | ||
| 1517 | --- a/testdata/val_nsec3_b3_optout.rpl | ||
| 1518 | +++ b/testdata/val_nsec3_b3_optout.rpl | ||
| 1519 | @@ -7,6 +7,7 @@ server: | ||
| 1520 | fake-sha1: yes | ||
| 1521 | trust-anchor-signaling: no | ||
| 1522 | minimal-responses: no | ||
| 1523 | + iter-scrub-promiscuous: no | ||
| 1524 | rrset-roundrobin: no | ||
| 1525 | |||
| 1526 | stub-zone: | ||
| 1527 | diff --git a/testdata/val_nsec3_b3_optout_negcache.rpl b/testdata/val_nsec3_b3_optout_negcache.rpl | ||
| 1528 | index 497a859..e7be762 100644 | ||
| 1529 | --- a/testdata/val_nsec3_b3_optout_negcache.rpl | ||
| 1530 | +++ b/testdata/val_nsec3_b3_optout_negcache.rpl | ||
| 1531 | @@ -7,6 +7,7 @@ server: | ||
| 1532 | fake-sha1: yes | ||
| 1533 | trust-anchor-signaling: no | ||
| 1534 | minimal-responses: no | ||
| 1535 | + iter-scrub-promiscuous: no | ||
| 1536 | rrset-roundrobin: no | ||
| 1537 | |||
| 1538 | stub-zone: | ||
| 1539 | diff --git a/testdata/val_nsec3_b4_wild.rpl b/testdata/val_nsec3_b4_wild.rpl | ||
| 1540 | index 8bf3a54..295932f 100644 | ||
| 1541 | --- a/testdata/val_nsec3_b4_wild.rpl | ||
| 1542 | +++ b/testdata/val_nsec3_b4_wild.rpl | ||
| 1543 | @@ -6,6 +6,7 @@ server: | ||
| 1544 | qname-minimisation: "no" | ||
| 1545 | fake-sha1: yes | ||
| 1546 | trust-anchor-signaling: no | ||
| 1547 | + iter-scrub-promiscuous: no | ||
| 1548 | rrset-roundrobin: no | ||
| 1549 | |||
| 1550 | stub-zone: | ||
| 1551 | diff --git a/testdata/val_nsec3_cnametocnamewctoposwc.rpl b/testdata/val_nsec3_cnametocnamewctoposwc.rpl | ||
| 1552 | index 1651ae7..3e4c55a 100644 | ||
| 1553 | --- a/testdata/val_nsec3_cnametocnamewctoposwc.rpl | ||
| 1554 | +++ b/testdata/val_nsec3_cnametocnamewctoposwc.rpl | ||
| 1555 | @@ -7,6 +7,7 @@ server: | ||
| 1556 | qname-minimisation: "no" | ||
| 1557 | fake-sha1: yes | ||
| 1558 | trust-anchor-signaling: no | ||
| 1559 | + iter-scrub-promiscuous: no | ||
| 1560 | |||
| 1561 | stub-zone: | ||
| 1562 | name: "." | ||
| 1563 | diff --git a/testdata/val_positive.rpl b/testdata/val_positive.rpl | ||
| 1564 | index daaf360..c808517 100644 | ||
| 1565 | --- a/testdata/val_positive.rpl | ||
| 1566 | +++ b/testdata/val_positive.rpl | ||
| 1567 | @@ -8,6 +8,7 @@ server: | ||
| 1568 | fake-sha1: yes | ||
| 1569 | trust-anchor-signaling: no | ||
| 1570 | minimal-responses: no | ||
| 1571 | + iter-scrub-promiscuous: no | ||
| 1572 | |||
| 1573 | stub-zone: | ||
| 1574 | name: "." | ||
| 1575 | diff --git a/testdata/val_positive_wc.rpl b/testdata/val_positive_wc.rpl | ||
| 1576 | index 5384acf..591dcc6 100644 | ||
| 1577 | --- a/testdata/val_positive_wc.rpl | ||
| 1578 | +++ b/testdata/val_positive_wc.rpl | ||
| 1579 | @@ -7,6 +7,7 @@ server: | ||
| 1580 | qname-minimisation: "no" | ||
| 1581 | fake-sha1: yes | ||
| 1582 | trust-anchor-signaling: no | ||
| 1583 | + iter-scrub-promiscuous: no | ||
| 1584 | |||
| 1585 | stub-zone: | ||
| 1586 | name: "." | ||
| 1587 | diff --git a/testdata/val_qds_badanc.rpl b/testdata/val_qds_badanc.rpl | ||
| 1588 | index dc68615..cb53136 100644 | ||
| 1589 | --- a/testdata/val_qds_badanc.rpl | ||
| 1590 | +++ b/testdata/val_qds_badanc.rpl | ||
| 1591 | @@ -7,6 +7,7 @@ server: | ||
| 1592 | qname-minimisation: "no" | ||
| 1593 | fake-sha1: yes | ||
| 1594 | minimal-responses: no | ||
| 1595 | + iter-scrub-promiscuous: no | ||
| 1596 | |||
| 1597 | stub-zone: | ||
| 1598 | name: "." | ||
| 1599 | diff --git a/testdata/val_qds_oneanc.rpl b/testdata/val_qds_oneanc.rpl | ||
| 1600 | index f21ab42..bda9f90 100644 | ||
| 1601 | --- a/testdata/val_qds_oneanc.rpl | ||
| 1602 | +++ b/testdata/val_qds_oneanc.rpl | ||
| 1603 | @@ -8,6 +8,7 @@ server: | ||
| 1604 | fake-sha1: yes | ||
| 1605 | trust-anchor-signaling: no | ||
| 1606 | minimal-responses: no | ||
| 1607 | + iter-scrub-promiscuous: no | ||
| 1608 | |||
| 1609 | stub-zone: | ||
| 1610 | name: "." | ||
| 1611 | diff --git a/testdata/val_qds_twoanc.rpl b/testdata/val_qds_twoanc.rpl | ||
| 1612 | index 4e4f2e7..f801c02 100644 | ||
| 1613 | --- a/testdata/val_qds_twoanc.rpl | ||
| 1614 | +++ b/testdata/val_qds_twoanc.rpl | ||
| 1615 | @@ -9,6 +9,7 @@ server: | ||
| 1616 | fake-sha1: yes | ||
| 1617 | trust-anchor-signaling: no | ||
| 1618 | minimal-responses: no | ||
| 1619 | + iter-scrub-promiscuous: no | ||
| 1620 | |||
| 1621 | stub-zone: | ||
| 1622 | name: "." | ||
| 1623 | diff --git a/testdata/val_refer_unsignadd.rpl b/testdata/val_refer_unsignadd.rpl | ||
| 1624 | index 4d07301..22f15d2 100644 | ||
| 1625 | --- a/testdata/val_refer_unsignadd.rpl | ||
| 1626 | +++ b/testdata/val_refer_unsignadd.rpl | ||
| 1627 | @@ -9,6 +9,7 @@ server: | ||
| 1628 | qname-minimisation: "no" | ||
| 1629 | fake-sha1: yes | ||
| 1630 | trust-anchor-signaling: no | ||
| 1631 | + iter-scrub-promiscuous: no | ||
| 1632 | rrset-roundrobin: no | ||
| 1633 | |||
| 1634 | stub-zone: | ||
| 1635 | diff --git a/testdata/val_referd.rpl b/testdata/val_referd.rpl | ||
| 1636 | index d475f83..a25ca7b 100644 | ||
| 1637 | --- a/testdata/val_referd.rpl | ||
| 1638 | +++ b/testdata/val_referd.rpl | ||
| 1639 | @@ -10,6 +10,7 @@ server: | ||
| 1640 | fake-sha1: yes | ||
| 1641 | trust-anchor-signaling: no | ||
| 1642 | minimal-responses: no | ||
| 1643 | + iter-scrub-promiscuous: no | ||
| 1644 | |||
| 1645 | stub-zone: | ||
| 1646 | name: "." | ||
| 1647 | diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl | ||
| 1648 | index 54b7671..3ca0c0e 100644 | ||
| 1649 | --- a/testdata/val_referglue.rpl | ||
| 1650 | +++ b/testdata/val_referglue.rpl | ||
| 1651 | @@ -10,6 +10,7 @@ server: | ||
| 1652 | fake-sha1: yes | ||
| 1653 | trust-anchor-signaling: no | ||
| 1654 | minimal-responses: no | ||
| 1655 | + iter-scrub-promiscuous: no | ||
| 1656 | rrset-roundrobin: no | ||
| 1657 | |||
| 1658 | stub-zone: | ||
| 1659 | diff --git a/testdata/val_rrsig.rpl b/testdata/val_rrsig.rpl | ||
| 1660 | index 0b672e0..69df344 100644 | ||
| 1661 | --- a/testdata/val_rrsig.rpl | ||
| 1662 | +++ b/testdata/val_rrsig.rpl | ||
| 1663 | @@ -7,6 +7,7 @@ server: | ||
| 1664 | qname-minimisation: "no" | ||
| 1665 | fake-sha1: yes | ||
| 1666 | minimal-responses: no | ||
| 1667 | + iter-scrub-promiscuous: no | ||
| 1668 | |||
| 1669 | stub-zone: | ||
| 1670 | name: "." | ||
| 1671 | diff --git a/testdata/val_spurious_ns.rpl b/testdata/val_spurious_ns.rpl | ||
| 1672 | index cb0a6e5..8db94a1 100644 | ||
| 1673 | --- a/testdata/val_spurious_ns.rpl | ||
| 1674 | +++ b/testdata/val_spurious_ns.rpl | ||
| 1675 | @@ -8,6 +8,7 @@ server: | ||
| 1676 | fake-sha1: yes | ||
| 1677 | trust-anchor-signaling: no | ||
| 1678 | minimal-responses: no | ||
| 1679 | + iter-scrub-promiscuous: no | ||
| 1680 | |||
| 1681 | stub-zone: | ||
| 1682 | name: "." | ||
| 1683 | diff --git a/testdata/val_stub_noroot.rpl b/testdata/val_stub_noroot.rpl | ||
| 1684 | index 07113be..66c3d8e 100644 | ||
| 1685 | --- a/testdata/val_stub_noroot.rpl | ||
| 1686 | +++ b/testdata/val_stub_noroot.rpl | ||
| 1687 | @@ -6,6 +6,7 @@ server: | ||
| 1688 | fake-sha1: yes | ||
| 1689 | trust-anchor-signaling: no | ||
| 1690 | minimal-responses: no | ||
| 1691 | + iter-scrub-promiscuous: no | ||
| 1692 | |||
| 1693 | stub-zone: | ||
| 1694 | name: "." | ||
| 1695 | diff --git a/testdata/val_ta_algo_dnskey.rpl b/testdata/val_ta_algo_dnskey.rpl | ||
| 1696 | index 03bac83..5b0b64d 100644 | ||
| 1697 | --- a/testdata/val_ta_algo_dnskey.rpl | ||
| 1698 | +++ b/testdata/val_ta_algo_dnskey.rpl | ||
| 1699 | @@ -9,6 +9,7 @@ server: | ||
| 1700 | fake-sha1: yes | ||
| 1701 | trust-anchor-signaling: no | ||
| 1702 | minimal-responses: no | ||
| 1703 | + iter-scrub-promiscuous: no | ||
| 1704 | |||
| 1705 | stub-zone: | ||
| 1706 | name: "." | ||
| 1707 | diff --git a/testdata/val_ta_algo_dnskey_dp.rpl b/testdata/val_ta_algo_dnskey_dp.rpl | ||
| 1708 | index 2b3609b..ae0c499 100644 | ||
| 1709 | --- a/testdata/val_ta_algo_dnskey_dp.rpl | ||
| 1710 | +++ b/testdata/val_ta_algo_dnskey_dp.rpl | ||
| 1711 | @@ -10,6 +10,7 @@ server: | ||
| 1712 | fake-sha1: yes | ||
| 1713 | trust-anchor-signaling: no | ||
| 1714 | minimal-responses: no | ||
| 1715 | + iter-scrub-promiscuous: no | ||
| 1716 | |||
| 1717 | stub-zone: | ||
| 1718 | name: "." | ||
| 1719 | diff --git a/testdata/val_ta_algo_missing_dp.rpl b/testdata/val_ta_algo_missing_dp.rpl | ||
| 1720 | index dc55a09..14efdec 100644 | ||
| 1721 | --- a/testdata/val_ta_algo_missing_dp.rpl | ||
| 1722 | +++ b/testdata/val_ta_algo_missing_dp.rpl | ||
| 1723 | @@ -11,6 +11,7 @@ server: | ||
| 1724 | fake-sha1: yes | ||
| 1725 | trust-anchor-signaling: no | ||
| 1726 | minimal-responses: no | ||
| 1727 | + iter-scrub-promiscuous: no | ||
| 1728 | |||
| 1729 | stub-zone: | ||
| 1730 | name: "." | ||
| 1731 | diff --git a/testdata/val_twocname.rpl b/testdata/val_twocname.rpl | ||
| 1732 | index bc7c3bc..b432364 100644 | ||
| 1733 | --- a/testdata/val_twocname.rpl | ||
| 1734 | +++ b/testdata/val_twocname.rpl | ||
| 1735 | @@ -5,6 +5,7 @@ server: | ||
| 1736 | fake-sha1: yes | ||
| 1737 | trust-anchor-signaling: no | ||
| 1738 | minimal-responses: no | ||
| 1739 | + iter-scrub-promiscuous: no | ||
| 1740 | rrset-roundrobin: no | ||
| 1741 | |||
| 1742 | forward-zone: | ||
| 1743 | diff --git a/testdata/val_unalgo_anchor.rpl b/testdata/val_unalgo_anchor.rpl | ||
| 1744 | index fbbf288..a935201 100644 | ||
| 1745 | --- a/testdata/val_unalgo_anchor.rpl | ||
| 1746 | +++ b/testdata/val_unalgo_anchor.rpl | ||
| 1747 | @@ -7,6 +7,7 @@ server: | ||
| 1748 | qname-minimisation: "no" | ||
| 1749 | fake-sha1: yes | ||
| 1750 | minimal-responses: no | ||
| 1751 | + iter-scrub-promiscuous: no | ||
| 1752 | |||
| 1753 | stub-zone: | ||
| 1754 | name: "." | ||
| 1755 | diff --git a/testdata/val_wild_pos.rpl b/testdata/val_wild_pos.rpl | ||
| 1756 | index 624d8e0..9fafa65 100644 | ||
| 1757 | --- a/testdata/val_wild_pos.rpl | ||
| 1758 | +++ b/testdata/val_wild_pos.rpl | ||
| 1759 | @@ -8,6 +8,7 @@ server: | ||
| 1760 | fake-sha1: yes | ||
| 1761 | trust-anchor-signaling: no | ||
| 1762 | minimal-responses: no | ||
| 1763 | + iter-scrub-promiscuous: no | ||
| 1764 | |||
| 1765 | stub-zone: | ||
| 1766 | name: "." | ||
| 1767 | diff --git a/testdata/views.rpl b/testdata/views.rpl | ||
| 1768 | index 6a9052f..a602624 100644 | ||
| 1769 | --- a/testdata/views.rpl | ||
| 1770 | +++ b/testdata/views.rpl | ||
| 1771 | @@ -3,6 +3,7 @@ server: | ||
| 1772 | target-fetch-policy: "0 0 0 0 0" | ||
| 1773 | qname-minimisation: "no" | ||
| 1774 | minimal-responses: no | ||
| 1775 | + iter-scrub-promiscuous: no | ||
| 1776 | |||
| 1777 | access-control: 10.10.10.0/24 allow | ||
| 1778 | access-control-view: 10.10.10.10/32 "view1" | ||
| 1779 | diff --git a/util/config_file.c b/util/config_file.c | ||
| 1780 | index c403d74..a2fefde 100644 | ||
| 1781 | --- a/util/config_file.c | ||
| 1782 | +++ b/util/config_file.c | ||
| 1783 | @@ -404,6 +404,7 @@ config_create(void) | ||
| 1784 | cfg->ipset_name_v6 = NULL; | ||
| 1785 | #endif | ||
| 1786 | cfg->ede = 0; | ||
| 1787 | + cfg->iter_scrub_promiscuous = 1; | ||
| 1788 | return cfg; | ||
| 1789 | error_exit: | ||
| 1790 | config_delete(cfg); | ||
| 1791 | @@ -712,6 +713,7 @@ int config_set_option(struct config_file* cfg, const char* opt, | ||
| 1792 | else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout) | ||
| 1793 | else S_YNO("ede:", ede) | ||
| 1794 | else S_YNO("ede-serve-expired:", ede_serve_expired) | ||
| 1795 | + else S_YNO("iter-scrub-promiscuous:", iter_scrub_promiscuous) | ||
| 1796 | else S_YNO("serve-original-ttl:", serve_original_ttl) | ||
| 1797 | else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations) | ||
| 1798 | else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode) | ||
| 1799 | @@ -1175,6 +1177,7 @@ config_get_option(struct config_file* cfg, const char* opt, | ||
| 1800 | else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout) | ||
| 1801 | else O_YNO(opt, "ede", ede) | ||
| 1802 | else O_YNO(opt, "ede-serve-expired", ede_serve_expired) | ||
| 1803 | + else O_YNO(opt, "iter-scrub-promiscuous", iter_scrub_promiscuous) | ||
| 1804 | else O_YNO(opt, "serve-original-ttl", serve_original_ttl) | ||
| 1805 | else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations) | ||
| 1806 | else O_YNO(opt, "zonemd-permissive-mode", zonemd_permissive_mode) | ||
| 1807 | diff --git a/util/config_file.h b/util/config_file.h | ||
| 1808 | index 7ded3c2..b037261 100644 | ||
| 1809 | --- a/util/config_file.h | ||
| 1810 | +++ b/util/config_file.h | ||
| 1811 | @@ -752,6 +752,9 @@ struct config_file { | ||
| 1812 | #endif | ||
| 1813 | /** respond with Extended DNS Errors (RFC8914) */ | ||
| 1814 | int ede; | ||
| 1815 | + /** Should the iterator scrub promiscuous NS rrsets, from positive | ||
| 1816 | + * answers. */ | ||
| 1817 | + int iter_scrub_promiscuous; | ||
| 1818 | }; | ||
| 1819 | |||
| 1820 | /** from cfg username, after daemonize setup performed */ | ||
| 1821 | diff --git a/util/configlexer.lex b/util/configlexer.lex | ||
| 1822 | index 7455f50..5e9a355 100644 | ||
| 1823 | --- a/util/configlexer.lex | ||
| 1824 | +++ b/util/configlexer.lex | ||
| 1825 | @@ -584,6 +584,7 @@ edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) } | ||
| 1826 | nsid{COLON} { YDVAR(1, VAR_NSID ) } | ||
| 1827 | ede{COLON} { YDVAR(1, VAR_EDE ) } | ||
| 1828 | proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) } | ||
| 1829 | +iter-scrub-promiscuous{COLON} { YDVAR(1, VAR_ITER_SCRUB_PROMISCUOUS) } | ||
| 1830 | <INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } | ||
| 1831 | |||
| 1832 | /* Quoted strings. Strip leading and ending quotes */ | ||
| 1833 | diff --git a/util/configparser.y b/util/configparser.y | ||
| 1834 | index 7d95690..ab99aa0 100644 | ||
| 1835 | --- a/util/configparser.y | ||
| 1836 | +++ b/util/configparser.y | ||
| 1837 | @@ -203,6 +203,7 @@ extern struct config_parser_state* cfg_parser; | ||
| 1838 | %token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO | ||
| 1839 | %token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE | ||
| 1840 | %token VAR_LOG_DESTADDR | ||
| 1841 | +%token VAR_ITER_SCRUB_PROMISCUOUS | ||
| 1842 | |||
| 1843 | %% | ||
| 1844 | toplevelvars: /* empty */ | toplevelvars toplevelvar ; | ||
| 1845 | @@ -339,7 +340,8 @@ content_server: server_num_threads | server_verbosity | server_port | | ||
| 1846 | server_interface_automatic_ports | server_ede | | ||
| 1847 | server_proxy_protocol_port | server_statistics_inhibit_zero | | ||
| 1848 | server_harden_unknown_additional | server_disable_edns_do | | ||
| 1849 | - server_log_destaddr | ||
| 1850 | + server_log_destaddr | | ||
| 1851 | + server_iter_scrub_promiscuous | ||
| 1852 | ; | ||
| 1853 | stubstart: VAR_STUB_ZONE | ||
| 1854 | { | ||
| 1855 | @@ -3945,6 +3947,16 @@ server_cookie_secret: VAR_COOKIE_SECRET STRING_ARG | ||
| 1856 | free($2); | ||
| 1857 | } | ||
| 1858 | ; | ||
| 1859 | +server_iter_scrub_promiscuous: VAR_ITER_SCRUB_PROMISCUOUS STRING_ARG | ||
| 1860 | + { | ||
| 1861 | + OUTYY(("P(server_iter_scrub_promiscuous:%s)\n", $2)); | ||
| 1862 | + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) | ||
| 1863 | + yyerror("expected yes or no."); | ||
| 1864 | + else cfg_parser->cfg->iter_scrub_promiscuous = | ||
| 1865 | + (strcmp($2, "yes")==0); | ||
| 1866 | + free($2); | ||
| 1867 | + } | ||
| 1868 | + ; | ||
| 1869 | ipsetstart: VAR_IPSET | ||
| 1870 | { | ||
| 1871 | OUTYY(("\nP(ipset:)\n")); | ||
| 1872 | -- | ||
| 1873 | 2.34.1 | ||
| 1874 | |||
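--- /dev/null
+++ b/meta-networking/recipes-support/unbound/unbound/0002-CVE-2025-11411-2.patch
@@ -0,0 +1,153 @@
+From f6269baa605d31859f28770e01a24e3677e5f82c Mon Sep 17 00:00:00 2001
+From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
+Date: Wed, 26 Nov 2025 11:09:40 +0100
+Subject: [PATCH] - Additional fix for CVE-2025-11411 (possible domain
+hijacking attack), to include YXDOMAIN and non-referral nodata answers in
+the mitigation as well, reported by TaoFei Guo from Peking University, Yang
+Luo and JianJun Chen from Tsinghua University.
+
+CVE: CVE-2025-11411
+Upstream-Status: Backport [https://github.com/NLnetLabs/unbound/commit/f6269baa605d31859f28770e01a24e3677e5f82c]
+
+Comment: Patch refreshed
+
+Signed-off-by: Jackson James <jacksonj2@kpit.com>
+---
+iterator/iter_scrub.c | 39 +++++++++++++++++++++---
+testdata/ratelimit.tdir/ratelimit.testns | 30 ++++++++++++++----
+2 files changed, 59 insertions(+), 10 deletions(-)
+
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
+index cc12f97..02f1b48 100644
+--- a/iterator/iter_scrub.c
++++ b/iterator/iter_scrub.c
+@@ -377,19 +377,21 @@ type_allowed_in_additional_section(uint16_t tp)
+* @param qinfo: original query.
+* @param region: where to allocate synthesized CNAMEs.
+* @param env: module env with config options.
++ * @param zonename: name of server zone.
+* @return 0 on error.
+*/
+static int
+scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+struct query_info* qinfo, struct regional* region,
+- struct module_env* env)
++ struct module_env* env, uint8_t* zonename)
+{
+uint8_t* sname = qinfo->qname;
+size_t snamelen = qinfo->qname_len;
+struct rrset_parse* rrset, *prev, *nsset=NULL;
+
+if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR &&
+- FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN)
++ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN &&
++ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_YXDOMAIN)
+return 1;
+
+/* For the ANSWER section, remove all "irrelevant" records and add
+@@ -418,6 +420,11 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+&aliaslen, pkt)) {
+verbose(VERB_ALGO, "synthesized CNAME "
+"too long");
++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) {
++ prev = rrset;
++ rrset = rrset->rrset_all_next;
++ continue;
++ }
+return 0;
+}
+if(nx && nx->type == LDNS_RR_TYPE_CNAME &&
+@@ -587,6 +594,29 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+"RRset:", pkt, msg, prev, &rrset);
+continue;
+}
++ /* Also delete promiscuous NS for other RCODEs */
++ if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR
++ && env->cfg->iter_scrub_promiscuous) {
++ remove_rrset("normalize: removing promiscuous "
++ "RRset:", pkt, msg, prev, &rrset);
++ continue;
++ }
++ /* Also delete promiscuous NS for NOERROR with nodata
++ * for authoritative answers, not for delegations.
++ * NOERROR with an_rrsets!=0 already handled.
++ * Also NOERROR and soa_in_auth already handled.
++ * NOERROR with an_rrsets==0, and not a referral.
++ * referral is (NS not the zonename, noSOA).
++ */
++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR
++ && msg->an_rrsets == 0
++ && !(dname_pkt_compare(pkt, rrset->dname,
++ zonename) != 0 && !soa_in_auth(msg))
++ && env->cfg->iter_scrub_promiscuous) {
++ remove_rrset("normalize: removing promiscuous "
++ "RRset:", pkt, msg, prev, &rrset);
++ continue;
++ }
+if(nsset == NULL) {
+nsset = rrset;
+} else {
+@@ -947,7 +977,8 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
+/* this is not required for basic operation but is a forgery
+* resistance (security) feature */
+if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR ||
+- FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) &&
++ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN ||
++ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) &&
+msg->qdcount == 0)
+return 0;
+
+@@ -961,7 +992,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
+}
+
+/* normalize the response, this cleans up the additional. */
+- if(!scrub_normalize(pkt, msg, qinfo, region, env))
++ if(!scrub_normalize(pkt, msg, qinfo, region, env, zonename))
+return 0;
+/* delete all out-of-zone information */
+if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate))
+diff --git a/testdata/ratelimit.tdir/ratelimit.testns b/testdata/ratelimit.tdir/ratelimit.testns
+index 563c1db..5c22c29 100644
+--- a/testdata/ratelimit.tdir/ratelimit.testns
++++ b/testdata/ratelimit.tdir/ratelimit.testns
+@@ -3,13 +3,31 @@ $ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+-MATCH opcode qtype
++MATCH opcode qname qtype
+REPLY QR AA NOERROR
+-ADJUST copy_id copy_query
++ADJUST copy_id
+SECTION QUESTION
+-wild IN A
++www1 IN A
+SECTION ANSWER
+-wild IN A 10.20.30.40
+-SECTION AUTHORITY
+-example.com. IN NS ns.example.com.
++www1 IN A 1.1.1.1
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qname qtype
++REPLY QR AA NOERROR
++ADJUST copy_id
++SECTION QUESTION
++www2 IN A
++SECTION ANSWER
++www2 IN A 2.2.2.2
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qname qtype
++REPLY QR AA NOERROR
++ADJUST copy_id
++SECTION QUESTION
++www3 IN A
++SECTION ANSWER
++www3 IN A 3.3.3.3
+ENTRY_END
+--
+2.34.1
+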
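Review bot: The two removal branches added to scrub_normalize (patch lines 64-86) have no regression test in this backport: its diffstat lists only iterator/iter_scrub.c and testdata/ratelimit.tdir/ratelimit.testns, and that test change only drops the AUTHORITY NS records from the replies. The .rpl files touched by the first patch all set `iter-scrub-promiscuous: no`, so they run with the mitigation switched off; a replay test with `iter-scrub-promiscuous: yes` that feeds a YXDOMAIN reply and an authoritative NOERROR/nodata reply carrying an NS set would pin the new behaviour (upstream may ship one that is not visible here). The nodata condition `!(dname_pkt_compare(pkt, rrset->dname, zonename) != 0 && !soa_in_auth(msg))` is also hard to read; a one-line comment on it such as `/* not a referral: NS owner is the zonename, or a SOA is present */` would match the block comment above. scrub_normalize starts and ends outside these hunks.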
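--- a/meta-networking/recipes-support/unbound/unbound/CVE-2025-11411.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 98fac0b396e1e85a6345baa59fc178b1f51759b8 Mon Sep 17 00:00:00 2001
-From: Patrick Vogelaar <patrick.vogelaar@belden.com>
-Date: Wed, 29 Oct 2025 13:33:23 +0100
-Subject: [PATCH] Fix CVE-2025-11411 (possible domain hijacking attack)
-
-This fixes CVE-2025-11411 by applying the minimal patch [1] listed in [2]
-
-[1] https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411.diff
-[2] https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
-
-CVE: CVE-2025-11411
-Upstream-Status: Backport [minimal backport of https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852]
-
-Signed-off-by: Patrick Vogelaar <patrick.vogelaar@belden.com>
----
-iterator/iter_scrub.c | 16 ++++++++++++++++
-1 file changed, 16 insertions(+)
-
-diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
-index 48867e50..5beaa048 100644
---- a/iterator/iter_scrub.c
-+++ b/iterator/iter_scrub.c
-@@ -571,6 +571,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
-"RRset:", pkt, msg, prev, &rrset);
-continue;
-}
-+ /* If the NS set is a promiscuous NS set, scrub that
-+ * to remove potential for poisonous contents that
-+ * affects other names in the same zone. Remove
-+ * promiscuous NS sets in positive answers, that
-+ * thus have records in the answer section. Nodata
-+ * and nxdomain promiscuous NS sets have been removed
-+ * already. Since the NS rrset is scrubbed, its
-+ * address records are also not marked to be allowed
-+ * and are removed later. */
-+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
-+ msg->an_rrsets != 0 &&
-+ 1 /* env->cfg->iter_scrub_promiscuous */) {
-+ remove_rrset("normalize: removing promiscuous "
-+ "RRset:", pkt, msg, prev, &rrset);
-+ continue;
-+ }
-if(nsset == NULL) {
-nsset = rrset;
-} else {
---
-2.34.1
-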
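--- a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb
+++ b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb
@@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5308494bc0590c0cb036afd781d78f06"
 SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=https;nobranch=1 \
 file://CVE-2024-8508.patch \
 file://CVE-2024-33655.patch \
-file://CVE-2025-11411.patch \
+file://0001-CVE-2025-11411-1.patch \
+file://0002-CVE-2025-11411-2.patch \
 file://CVE-2024-43167.patch \
 file://CVE-2024-43168_1.patch \
 file://CVE-2024-43168_2.patch \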
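Review bot: Swapping `file://CVE-2025-11411.patch` for the two complete backports turns the CVE-2025-11411 scrubbing from always-on into a runtime setting, and nothing in the recipe or the patch headers records that. The removed patch hard-coded `1 /* env->cfg->iter_scrub_promiscuous */`, whereas the new patches add the `iter-scrub-promiscuous:` option (set to 1 in config_create) and the second patch's new branches test `env->cfg->iter_scrub_promiscuous`. An image whose unbound.conf carries `iter-scrub-promiscuous: no` would therefore run without the mitigation; a comment above SRC_URI such as `# CVE-2025-11411: scrubbing is on by default; "iter-scrub-promiscuous: no" disables it` would make that visible to integrators. As a smaller point, the new file names depart from the `CVE-2024-43168_1.patch` pattern of the neighbouring entries; `file://CVE-2025-11411_1.patch \` and `file://CVE-2025-11411_2.patch \` would keep the list uniform.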
