summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch1874
-rw-r--r--meta-networking/recipes-support/unbound/unbound/0002-CVE-2025-11411-2.patch153
-rw-r--r--meta-networking/recipes-support/unbound/unbound/CVE-2025-11411.patch48
-rw-r--r--meta-networking/recipes-support/unbound/unbound_1.19.3.bb3
4 files changed, 2029 insertions, 49 deletions
diff --git a/meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch b/meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch
new file mode 100644
index 0000000000..5cb0b96c66
--- /dev/null
+++ b/meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch
@@ -0,0 +1,1874 @@
1From a33f0638e1dacf2633cf2292078a674576bca852 Mon Sep 17 00:00:00 2001
2From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
3Date: Wed, 22 Oct 2025 10:54:57 +0200
4Subject: [PATCH] - Fix CVE-2025-11411 (possible domain hijacking attack),
5 reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from
6 Tsinghua University.
7
8This fixes CVE-2025-11411 by applying the complete patch
9
10CVE: CVE-2025-11411
11Upstream-Status: Backport [complete backport of https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852]
12
13Comment: Patch refreshed
14
15Signed-off-by: Jackson James <jacksonj2@kpit.com>
16---
17 iterator/iter_scrub.c | 16 ++++++++++++++++
18 testdata/autotrust_init.rpl | 1 +
19 testdata/autotrust_init_ds.rpl | 1 +
20 testdata/autotrust_init_sigs.rpl | 1 +
21 testdata/autotrust_init_zsk.rpl | 1 +
22 testdata/black_data.rpl | 1 +
23 testdata/black_prime.rpl | 1 +
24 testdata/disable_edns_do.rpl | 1 +
25 testdata/dns64_lookup.rpl | 1 +
26 testdata/fetch_glue.rpl | 1 +
27 testdata/fetch_glue_cname.rpl | 1 +
28 testdata/fwd_cached.rpl | 1 +
29 .../fwd_compress_c00c.conf | 1 +
30 testdata/fwd_minimal.rpl | 1 +
31 testdata/ipsecmod_bogus_ipseckey.crpl | 1 +
32 testdata/ipsecmod_enabled.crpl | 1 +
33 testdata/ipsecmod_ignore_bogus_ipseckey.crpl | 1 +
34 testdata/ipsecmod_max_ttl.crpl | 1 +
35 testdata/ipsecmod_strict.crpl | 1 +
36 testdata/ipsecmod_whitelist.crpl | 1 +
37 testdata/iter_class_any.rpl | 1 +
38 testdata/iter_cycle_noh.rpl | 1 +
39 testdata/iter_domain_sale.rpl | 1 +
40 testdata/iter_domain_sale_nschange.rpl | 1 +
41 testdata/iter_emptydp.rpl | 1 +
42 testdata/iter_emptydp_for_glue.rpl | 1 +
43 testdata/iter_fwdfirst.rpl | 1 +
44 testdata/iter_fwdfirstequal.rpl | 1 +
45 testdata/iter_fwdstub.rpl | 1 +
46 testdata/iter_fwdstubroot.rpl | 1 +
47 testdata/iter_ghost_sub.rpl | 1 +
48 testdata/iter_ghost_timewindow.rpl | 1 +
49 testdata/iter_got6only.rpl | 1 +
50 testdata/iter_hint_lame.rpl | 1 +
51 testdata/iter_lame_noaa.rpl | 1 +
52 testdata/iter_lame_nosoa.rpl | 1 +
53 testdata/iter_mod.rpl | 1 +
54 testdata/iter_ns_badip.rpl | 1 +
55 testdata/iter_ns_spoof.rpl | 1 +
56 testdata/iter_nxns_fallback.rpl | 1 +
57 testdata/iter_pc_a.rpl | 1 +
58 testdata/iter_pc_aaaa.rpl | 1 +
59 testdata/iter_pcdiff.rpl | 1 +
60 testdata/iter_pcdirect.rpl | 1 +
61 testdata/iter_pcname.rpl | 1 +
62 testdata/iter_pcnamech.rpl | 1 +
63 testdata/iter_pcnamechrec.rpl | 1 +
64 testdata/iter_pcnamerec.rpl | 1 +
65 testdata/iter_pcttl.rpl | 1 +
66 testdata/iter_prefetch.rpl | 1 +
67 testdata/iter_prefetch_change.rpl | 1 +
68 testdata/iter_prefetch_change2.rpl | 1 +
69 testdata/iter_prefetch_childns.rpl | 1 +
70 testdata/iter_prefetch_fail.rpl | 1 +
71 testdata/iter_prefetch_ns.rpl | 1 +
72 testdata/iter_primenoglue.rpl | 1 +
73 testdata/iter_privaddr.rpl | 1 +
74 testdata/iter_ranoaa_lame.rpl | 1 +
75 testdata/iter_reclame_one.rpl | 1 +
76 testdata/iter_reclame_two.rpl | 1 +
77 testdata/iter_recurse.rpl | 1 +
78 testdata/iter_resolve.rpl | 1 +
79 testdata/iter_resolve_minimised.rpl | 1 +
80 testdata/iter_resolve_minimised_nx.rpl | 1 +
81 testdata/iter_resolve_minimised_refused.rpl | 1 +
82 testdata/iter_resolve_minimised_timeout.rpl | 1 +
83 testdata/iter_scrub_cname_an.rpl | 1 +
84 testdata/iter_scrub_dname_insec.rpl | 1 +
85 testdata/iter_scrub_dname_rev.rpl | 1 +
86 testdata/iter_scrub_dname_sec.rpl | 1 +
87 testdata/iter_scrub_rr_length.rpl | 1 +
88 testdata/iter_soamin.rpl | 1 +
89 testdata/iter_stub_noroot.rpl | 1 +
90 testdata/iter_stubfirst.rpl | 1 +
91 testdata/iter_timeout_ra_aaaa.rpl | 1 +
92 testdata/rrset_rettl.rpl | 1 +
93 testdata/rrset_untrusted.rpl | 1 +
94 testdata/rrset_updated.rpl | 1 +
95 testdata/rrset_use_cached.rpl | 1 +
96 testdata/serve_expired.rpl | 1 +
97 testdata/serve_expired_0ttl_nodata.rpl | 1 +
98 testdata/serve_expired_0ttl_nxdomain.rpl | 1 +
99 testdata/serve_expired_0ttl_servfail.rpl | 1 +
100 testdata/serve_expired_cached_servfail.rpl | 1 +
101 testdata/serve_expired_client_timeout.rpl | 1 +
102 .../serve_expired_client_timeout_no_prefetch.rpl | 1 +
103 .../serve_expired_client_timeout_servfail.rpl | 1 +
104 testdata/serve_expired_reply_ttl.rpl | 1 +
105 testdata/serve_expired_ttl.rpl | 1 +
106 testdata/serve_expired_ttl_client_timeout.rpl | 1 +
107 testdata/serve_expired_zerottl.rpl | 1 +
108 testdata/serve_original_ttl.rpl | 1 +
109 testdata/subnet_cached.crpl | 1 +
110 testdata/subnet_cached_servfail.crpl | 1 +
111 testdata/subnet_global_prefetch.crpl | 1 +
112 .../subnet_global_prefetch_always_forward.crpl | 1 +
113 testdata/subnet_global_prefetch_expired.crpl | 1 +
114 .../subnet_global_prefetch_with_client_ecs.crpl | 1 +
115 testdata/subnet_max_source.crpl | 1 +
116 testdata/subnet_prefetch.crpl | 1 +
117 testdata/subnet_val_positive.crpl | 1 +
118 testdata/subnet_val_positive_client.crpl | 1 +
119 testdata/trust_cname_chain.rpl | 1 +
120 testdata/ttl_max.rpl | 1 +
121 testdata/ttl_min.rpl | 1 +
122 testdata/val_adbit.rpl | 1 +
123 testdata/val_adcopy.rpl | 1 +
124 testdata/val_cnametocnamewctoposwc.rpl | 1 +
125 testdata/val_ds_afterprime.rpl | 1 +
126 testdata/val_faildnskey_ok.rpl | 1 +
127 testdata/val_keyprefetch_verify.rpl | 1 +
128 testdata/val_noadwhennodo.rpl | 1 +
129 testdata/val_nsec3_b3_optout.rpl | 1 +
130 testdata/val_nsec3_b3_optout_negcache.rpl | 1 +
131 testdata/val_nsec3_b4_wild.rpl | 1 +
132 testdata/val_nsec3_cnametocnamewctoposwc.rpl | 1 +
133 testdata/val_positive.rpl | 1 +
134 testdata/val_positive_wc.rpl | 1 +
135 testdata/val_qds_badanc.rpl | 1 +
136 testdata/val_qds_oneanc.rpl | 1 +
137 testdata/val_qds_twoanc.rpl | 1 +
138 testdata/val_refer_unsignadd.rpl | 1 +
139 testdata/val_referd.rpl | 1 +
140 testdata/val_referglue.rpl | 1 +
141 testdata/val_rrsig.rpl | 1 +
142 testdata/val_spurious_ns.rpl | 1 +
143 testdata/val_stub_noroot.rpl | 1 +
144 testdata/val_ta_algo_dnskey.rpl | 1 +
145 testdata/val_ta_algo_dnskey_dp.rpl | 1 +
146 testdata/val_ta_algo_missing_dp.rpl | 1 +
147 testdata/val_twocname.rpl | 1 +
148 testdata/val_unalgo_anchor.rpl | 1 +
149 testdata/val_wild_pos.rpl | 1 +
150 testdata/views.rpl | 1 +
151 util/config_file.c | 3 +++
152 util/config_file.h | 3 +++
153 util/configlexer.lex | 1 +
154 util/configparser.y | 14 +++++++++++++-
155 138 files changed, 169 insertions(+), 1 deletion(-)
156
157diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
158index 48867e5..cc12f97 100644
159--- a/iterator/iter_scrub.c
160+++ b/iterator/iter_scrub.c
161@@ -571,6 +571,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
162 "RRset:", pkt, msg, prev, &rrset);
163 continue;
164 }
165+ /* If the NS set is a promiscuous NS set, scrub that
166+ * to remove potential for poisonous contents that
167+ * affects other names in the same zone. Remove
168+ * promiscuous NS sets in positive answers, that
169+ * thus have records in the answer section. Nodata
170+ * and nxdomain promiscuous NS sets have been removed
171+ * already. Since the NS rrset is scrubbed, its
172+ * address records are also not marked to be allowed
173+ * and are removed later. */
174+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
175+ msg->an_rrsets != 0 &&
176+ env->cfg->iter_scrub_promiscuous) {
177+ remove_rrset("normalize: removing promiscuous "
178+ "RRset:", pkt, msg, prev, &rrset);
179+ continue;
180+ }
181 if(nsset == NULL) {
182 nsset = rrset;
183 } else {
184diff --git a/testdata/autotrust_init.rpl b/testdata/autotrust_init.rpl
185index d722273..d69e70b 100644
186--- a/testdata/autotrust_init.rpl
187+++ b/testdata/autotrust_init.rpl
188@@ -5,6 +5,7 @@ server:
189 fake-sha1: yes
190 trust-anchor-signaling: no
191 minimal-responses: no
192+ iter-scrub-promiscuous: no
193 stub-zone:
194 name: "."
195 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
196diff --git a/testdata/autotrust_init_ds.rpl b/testdata/autotrust_init_ds.rpl
197index ad4019e..9ffb4d4 100644
198--- a/testdata/autotrust_init_ds.rpl
199+++ b/testdata/autotrust_init_ds.rpl
200@@ -5,6 +5,7 @@ server:
201 fake-sha1: yes
202 trust-anchor-signaling: no
203 minimal-responses: no
204+ iter-scrub-promiscuous: no
205 stub-zone:
206 name: "."
207 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
208diff --git a/testdata/autotrust_init_sigs.rpl b/testdata/autotrust_init_sigs.rpl
209index d5d52f4..a7cb796 100644
210--- a/testdata/autotrust_init_sigs.rpl
211+++ b/testdata/autotrust_init_sigs.rpl
212@@ -5,6 +5,7 @@ server:
213 fake-sha1: yes
214 trust-anchor-signaling: no
215 minimal-responses: no
216+ iter-scrub-promiscuous: no
217 stub-zone:
218 name: "."
219 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
220diff --git a/testdata/autotrust_init_zsk.rpl b/testdata/autotrust_init_zsk.rpl
221index 56a5bc0..2d28d43 100644
222--- a/testdata/autotrust_init_zsk.rpl
223+++ b/testdata/autotrust_init_zsk.rpl
224@@ -5,6 +5,7 @@ server:
225 fake-sha1: yes
226 trust-anchor-signaling: no
227 minimal-responses: no
228+ iter-scrub-promiscuous: no
229 stub-zone:
230 name: "."
231 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
232diff --git a/testdata/black_data.rpl b/testdata/black_data.rpl
233index e6ef1b7..e928d63 100644
234--- a/testdata/black_data.rpl
235+++ b/testdata/black_data.rpl
236@@ -8,6 +8,7 @@ server:
237 fake-sha1: yes
238 trust-anchor-signaling: no
239 minimal-responses: no
240+ iter-scrub-promiscuous: no
241 rrset-roundrobin: no
242
243 stub-zone:
244diff --git a/testdata/black_prime.rpl b/testdata/black_prime.rpl
245index fbe92a7..0301c85 100644
246--- a/testdata/black_prime.rpl
247+++ b/testdata/black_prime.rpl
248@@ -8,6 +8,7 @@ server:
249 fake-sha1: yes
250 trust-anchor-signaling: no
251 minimal-responses: no
252+ iter-scrub-promiscuous: no
253 rrset-roundrobin: no
254
255 stub-zone:
256diff --git a/testdata/disable_edns_do.rpl b/testdata/disable_edns_do.rpl
257index 82a16da..45b4ffc 100644
258--- a/testdata/disable_edns_do.rpl
259+++ b/testdata/disable_edns_do.rpl
260@@ -5,6 +5,7 @@ server:
261 qname-minimisation: "no"
262 trust-anchor-signaling: no
263 minimal-responses: no
264+ iter-scrub-promiscuous: no
265 disable-edns-do: yes
266
267 stub-zone:
268diff --git a/testdata/dns64_lookup.rpl b/testdata/dns64_lookup.rpl
269index 327f7df..cec8012 100644
270--- a/testdata/dns64_lookup.rpl
271+++ b/testdata/dns64_lookup.rpl
272@@ -7,6 +7,7 @@ server:
273 dns64-ignore-aaaa: ip6ignore.example.com
274 dns64-ignore-aaaa: ip6only.example.com
275 minimal-responses: no
276+ iter-scrub-promiscuous: no
277
278 stub-zone:
279 name: "."
280diff --git a/testdata/fetch_glue.rpl b/testdata/fetch_glue.rpl
281index 8860d85..daf687a 100644
282--- a/testdata/fetch_glue.rpl
283+++ b/testdata/fetch_glue.rpl
284@@ -3,6 +3,7 @@ server:
285 target-fetch-policy: "0 0 0 0 0"
286 qname-minimisation: "no"
287 minimal-responses: no
288+ iter-scrub-promiscuous: no
289
290 stub-zone:
291 name: "."
292diff --git a/testdata/fetch_glue_cname.rpl b/testdata/fetch_glue_cname.rpl
293index 64f00fb..c786a41 100644
294--- a/testdata/fetch_glue_cname.rpl
295+++ b/testdata/fetch_glue_cname.rpl
296@@ -3,6 +3,7 @@ server:
297 target-fetch-policy: "0 0 0 0 0"
298 qname-minimisation: "no"
299 minimal-responses: no
300+ iter-scrub-promiscuous: no
301
302 stub-zone:
303 name: "."
304diff --git a/testdata/fwd_cached.rpl b/testdata/fwd_cached.rpl
305index 2d6b0c2..4a00f87 100644
306--- a/testdata/fwd_cached.rpl
307+++ b/testdata/fwd_cached.rpl
308@@ -2,6 +2,7 @@
309 ; config options go here.
310 server:
311 minimal-responses: no
312+ iter-scrub-promiscuous: no
313 forward-zone: name: "." forward-addr: 216.0.0.1
314 CONFIG_END
315
316diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf
317index 5b2c804..7bc7408 100644
318--- a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf
319+++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf
320@@ -10,6 +10,7 @@ server:
321 username: ""
322 do-not-query-localhost: no
323 minimal-responses: no
324+ iter-scrub-promiscuous: no
325 rrset-roundrobin: no
326 forward-zone:
327 name: "."
328diff --git a/testdata/fwd_minimal.rpl b/testdata/fwd_minimal.rpl
329index e85d712..ef1d7fc 100644
330--- a/testdata/fwd_minimal.rpl
331+++ b/testdata/fwd_minimal.rpl
332@@ -5,6 +5,7 @@ server:
333 ; is fine for that, not removed by minimal-responses.
334 access-control: 127.0.0.1 allow_snoop
335 minimal-responses: yes
336+ iter-scrub-promiscuous: no
337 forward-zone: name: "." forward-addr: 216.0.0.1
338 CONFIG_END
339
340diff --git a/testdata/ipsecmod_bogus_ipseckey.crpl b/testdata/ipsecmod_bogus_ipseckey.crpl
341index 094710b..98bc454 100644
342--- a/testdata/ipsecmod_bogus_ipseckey.crpl
343+++ b/testdata/ipsecmod_bogus_ipseckey.crpl
344@@ -9,6 +9,7 @@ server:
345 qname-minimisation: "no"
346 # test that default value of harden-dnssec-stripped is still yes.
347 fake-sha1: yes
348+ iter-scrub-promiscuous: no
349 trust-anchor-signaling: no
350 access-control: 127.0.0.1 allow_snoop
351 module-config: "ipsecmod validator iterator"
352diff --git a/testdata/ipsecmod_enabled.crpl b/testdata/ipsecmod_enabled.crpl
353index 4498429..04e8cb1 100644
354--- a/testdata/ipsecmod_enabled.crpl
355+++ b/testdata/ipsecmod_enabled.crpl
356@@ -11,6 +11,7 @@ server:
357 ipsecmod-enabled: no
358 qname-minimisation: "no"
359 minimal-responses: no
360+ iter-scrub-promiscuous: no
361
362 stub-zone:
363 name: "."
364diff --git a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl
365index a605c34..4c4d80c 100644
366--- a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl
367+++ b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl
368@@ -18,6 +18,7 @@ server:
369 ipsecmod-ignore-bogus: yes
370 qname-minimisation: "no"
371 minimal-responses: no
372+ iter-scrub-promiscuous: no
373
374 stub-zone:
375 name: "."
376diff --git a/testdata/ipsecmod_max_ttl.crpl b/testdata/ipsecmod_max_ttl.crpl
377index 592bae0..4dfeddf 100644
378--- a/testdata/ipsecmod_max_ttl.crpl
379+++ b/testdata/ipsecmod_max_ttl.crpl
380@@ -10,6 +10,7 @@ server:
381 ipsecmod-max-ttl: 200
382 qname-minimisation: "no"
383 minimal-responses: no
384+ iter-scrub-promiscuous: no
385
386 stub-zone:
387 name: "."
388diff --git a/testdata/ipsecmod_strict.crpl b/testdata/ipsecmod_strict.crpl
389index f74e308..51cc11b 100644
390--- a/testdata/ipsecmod_strict.crpl
391+++ b/testdata/ipsecmod_strict.crpl
392@@ -10,6 +10,7 @@ server:
393 ipsecmod-max-ttl: 200
394 qname-minimisation: "no"
395 minimal-responses: no
396+ iter-scrub-promiscuous: no
397
398 stub-zone:
399 name: "."
400diff --git a/testdata/ipsecmod_whitelist.crpl b/testdata/ipsecmod_whitelist.crpl
401index 34108f3..350c2ad 100644
402--- a/testdata/ipsecmod_whitelist.crpl
403+++ b/testdata/ipsecmod_whitelist.crpl
404@@ -11,6 +11,7 @@ server:
405 ipsecmod-whitelist: white.example.com
406 qname-minimisation: "no"
407 minimal-responses: no
408+ iter-scrub-promiscuous: no
409
410 stub-zone:
411 name: "."
412diff --git a/testdata/iter_class_any.rpl b/testdata/iter_class_any.rpl
413index 6fb296e..87e0db0 100644
414--- a/testdata/iter_class_any.rpl
415+++ b/testdata/iter_class_any.rpl
416@@ -8,6 +8,7 @@ server:
417 fake-sha1: yes
418 trust-anchor-signaling: no
419 minimal-responses: no
420+ iter-scrub-promiscuous: no
421
422 stub-zone:
423 name: "."
424diff --git a/testdata/iter_cycle_noh.rpl b/testdata/iter_cycle_noh.rpl
425index eee26ca..e551ac6 100644
426--- a/testdata/iter_cycle_noh.rpl
427+++ b/testdata/iter_cycle_noh.rpl
428@@ -4,6 +4,7 @@ server:
429 target-fetch-policy: "0 0 0 0 0"
430 qname-minimisation: "no"
431 minimal-responses: no
432+ iter-scrub-promiscuous: no
433
434 stub-zone:
435 name: "."
436diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl
437index 6110148..7c3cc1f 100644
438--- a/testdata/iter_domain_sale.rpl
439+++ b/testdata/iter_domain_sale.rpl
440@@ -2,6 +2,7 @@
441 server:
442 target-fetch-policy: "0 0 0 0 0"
443 minimal-responses: no
444+ iter-scrub-promiscuous: no
445
446 stub-zone:
447 name: "."
448diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl
449index 5664855..886ed51 100644
450--- a/testdata/iter_domain_sale_nschange.rpl
451+++ b/testdata/iter_domain_sale_nschange.rpl
452@@ -2,6 +2,7 @@
453 server:
454 target-fetch-policy: "0 0 0 0 0"
455 minimal-responses: no
456+ iter-scrub-promiscuous: no
457
458 stub-zone:
459 name: "."
460diff --git a/testdata/iter_emptydp.rpl b/testdata/iter_emptydp.rpl
461index ecb49b6..3879a9b 100644
462--- a/testdata/iter_emptydp.rpl
463+++ b/testdata/iter_emptydp.rpl
464@@ -8,6 +8,7 @@ server:
465 fake-sha1: yes
466 trust-anchor-signaling: no
467 minimal-responses: no
468+ iter-scrub-promiscuous: no
469
470 stub-zone:
471 name: "."
472diff --git a/testdata/iter_emptydp_for_glue.rpl b/testdata/iter_emptydp_for_glue.rpl
473index 94dec2b..fc7933f 100644
474--- a/testdata/iter_emptydp_for_glue.rpl
475+++ b/testdata/iter_emptydp_for_glue.rpl
476@@ -8,6 +8,7 @@ server:
477 fake-sha1: yes
478 trust-anchor-signaling: no
479 minimal-responses: no
480+ iter-scrub-promiscuous: no
481
482 stub-zone:
483 name: "."
484diff --git a/testdata/iter_fwdfirst.rpl b/testdata/iter_fwdfirst.rpl
485index 0f8a85f..509a1cd 100644
486--- a/testdata/iter_fwdfirst.rpl
487+++ b/testdata/iter_fwdfirst.rpl
488@@ -2,6 +2,7 @@
489 server:
490 target-fetch-policy: "0 0 0 0 0"
491 minimal-responses: no
492+ iter-scrub-promiscuous: no
493
494 stub-zone:
495 name: "."
496diff --git a/testdata/iter_fwdfirstequal.rpl b/testdata/iter_fwdfirstequal.rpl
497index dc64814..abd25d1 100644
498--- a/testdata/iter_fwdfirstequal.rpl
499+++ b/testdata/iter_fwdfirstequal.rpl
500@@ -2,6 +2,7 @@
501 server:
502 target-fetch-policy: "0 0 0 0 0"
503 minimal-responses: no
504+ iter-scrub-promiscuous: no
505
506 stub-zone:
507 name: "."
508diff --git a/testdata/iter_fwdstub.rpl b/testdata/iter_fwdstub.rpl
509index ad5b57c..4c741a5 100644
510--- a/testdata/iter_fwdstub.rpl
511+++ b/testdata/iter_fwdstub.rpl
512@@ -2,6 +2,7 @@
513 server:
514 target-fetch-policy: "0 0 0 0 0"
515 minimal-responses: no
516+ iter-scrub-promiscuous: no
517
518 stub-zone:
519 name: "."
520diff --git a/testdata/iter_fwdstubroot.rpl b/testdata/iter_fwdstubroot.rpl
521index fa93043..dd93ecd 100644
522--- a/testdata/iter_fwdstubroot.rpl
523+++ b/testdata/iter_fwdstubroot.rpl
524@@ -2,6 +2,7 @@
525 server:
526 target-fetch-policy: "0 0 0 0 0"
527 minimal-responses: no
528+ iter-scrub-promiscuous: no
529
530 stub-zone:
531 name: "."
532diff --git a/testdata/iter_ghost_sub.rpl b/testdata/iter_ghost_sub.rpl
533index ccb7367..36767bb 100644
534--- a/testdata/iter_ghost_sub.rpl
535+++ b/testdata/iter_ghost_sub.rpl
536@@ -3,6 +3,7 @@ server:
537 target-fetch-policy: "0 0 0 0 0"
538 qname-minimisation: "no"
539 minimal-responses: no
540+ iter-scrub-promiscuous: no
541
542 stub-zone:
543 name: "."
544diff --git a/testdata/iter_ghost_timewindow.rpl b/testdata/iter_ghost_timewindow.rpl
545index 9e30462..24390a0 100644
546--- a/testdata/iter_ghost_timewindow.rpl
547+++ b/testdata/iter_ghost_timewindow.rpl
548@@ -3,6 +3,7 @@ server:
549 target-fetch-policy: "0 0 0 0 0"
550 qname-minimisation: "no"
551 minimal-responses: no
552+ iter-scrub-promiscuous: no
553 discard-timeout: 86400
554
555 stub-zone:
556diff --git a/testdata/iter_got6only.rpl b/testdata/iter_got6only.rpl
557index 1552284..b0d20b3 100644
558--- a/testdata/iter_got6only.rpl
559+++ b/testdata/iter_got6only.rpl
560@@ -4,6 +4,7 @@ server:
561 target-fetch-policy: "0 0 0 0 0 "
562 qname-minimisation: "no"
563 minimal-responses: no
564+ iter-scrub-promiscuous: no
565 stub-zone:
566 name: "."
567 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
568diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl
569index 2fb6dde..26aa5dc 100644
570--- a/testdata/iter_hint_lame.rpl
571+++ b/testdata/iter_hint_lame.rpl
572@@ -3,6 +3,7 @@ server:
573 target-fetch-policy: "0 0 0 0 0"
574 qname-minimisation: "no"
575 minimal-responses: no
576+ iter-scrub-promiscuous: no
577
578 stub-zone:
579 name: "."
580diff --git a/testdata/iter_lame_noaa.rpl b/testdata/iter_lame_noaa.rpl
581index defaa5c..050866c 100644
582--- a/testdata/iter_lame_noaa.rpl
583+++ b/testdata/iter_lame_noaa.rpl
584@@ -4,6 +4,7 @@ server:
585 target-fetch-policy: "0 0 0 0 0"
586 qname-minimisation: "no"
587 minimal-responses: no
588+ iter-scrub-promiscuous: no
589 rrset-roundrobin: no
590
591 stub-zone:
592diff --git a/testdata/iter_lame_nosoa.rpl b/testdata/iter_lame_nosoa.rpl
593index 3bf6ccc..d55ff78 100644
594--- a/testdata/iter_lame_nosoa.rpl
595+++ b/testdata/iter_lame_nosoa.rpl
596@@ -2,6 +2,7 @@
597 server:
598 target-fetch-policy: "0 0 0 0 0"
599 minimal-responses: no
600+ iter-scrub-promiscuous: no
601 rrset-roundrobin: no
602
603 stub-zone:
604diff --git a/testdata/iter_mod.rpl b/testdata/iter_mod.rpl
605index 35b3a5a..3d3d678 100644
606--- a/testdata/iter_mod.rpl
607+++ b/testdata/iter_mod.rpl
608@@ -4,6 +4,7 @@ server:
609 qname-minimisation: "no"
610 module-config: "iterator"
611 minimal-responses: no
612+ iter-scrub-promiscuous: no
613
614 stub-zone:
615 name: "."
616diff --git a/testdata/iter_ns_badip.rpl b/testdata/iter_ns_badip.rpl
617index e0bf966..481f47a 100644
618--- a/testdata/iter_ns_badip.rpl
619+++ b/testdata/iter_ns_badip.rpl
620@@ -3,6 +3,7 @@ server:
621 target-fetch-policy: "3 2 1 0 0"
622 qname-minimisation: "no"
623 minimal-responses: no
624+ iter-scrub-promiscuous: no
625 rrset-roundrobin: no
626
627 stub-zone:
628diff --git a/testdata/iter_ns_spoof.rpl b/testdata/iter_ns_spoof.rpl
629index f674576..999ff05 100644
630--- a/testdata/iter_ns_spoof.rpl
631+++ b/testdata/iter_ns_spoof.rpl
632@@ -4,6 +4,7 @@ server:
633 target-fetch-policy: "0 0 0 0 0"
634 qname-minimisation: "no"
635 minimal-responses: no
636+ iter-scrub-promiscuous: no
637 stub-zone:
638 name: "."
639 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
640diff --git a/testdata/iter_nxns_fallback.rpl b/testdata/iter_nxns_fallback.rpl
641index 2a6a3fd..8c0beb8 100644
642--- a/testdata/iter_nxns_fallback.rpl
643+++ b/testdata/iter_nxns_fallback.rpl
644@@ -8,6 +8,7 @@ server:
645 access-control: 127.0.0.1 allow_snoop
646 qname-minimisation: no
647 minimal-responses: no
648+ iter-scrub-promiscuous: no
649 rrset-roundrobin: no
650
651 stub-zone:
652diff --git a/testdata/iter_pc_a.rpl b/testdata/iter_pc_a.rpl
653index d9add00..be73a79 100644
654--- a/testdata/iter_pc_a.rpl
655+++ b/testdata/iter_pc_a.rpl
656@@ -2,6 +2,7 @@
657 server:
658 target-fetch-policy: "0 0 0 0 0"
659 minimal-responses: no
660+ iter-scrub-promiscuous: no
661
662 stub-zone:
663 name: "."
664diff --git a/testdata/iter_pc_aaaa.rpl b/testdata/iter_pc_aaaa.rpl
665index a283543..a7ce186 100644
666--- a/testdata/iter_pc_aaaa.rpl
667+++ b/testdata/iter_pc_aaaa.rpl
668@@ -2,6 +2,7 @@
669 server:
670 target-fetch-policy: "0 0 0 0 0"
671 minimal-responses: no
672+ iter-scrub-promiscuous: no
673
674 stub-zone:
675 name: "."
676diff --git a/testdata/iter_pcdiff.rpl b/testdata/iter_pcdiff.rpl
677index 57fb109..a462d33 100644
678--- a/testdata/iter_pcdiff.rpl
679+++ b/testdata/iter_pcdiff.rpl
680@@ -2,6 +2,7 @@
681 server:
682 target-fetch-policy: "0 0 0 0 0"
683 minimal-responses: no
684+ iter-scrub-promiscuous: no
685
686 stub-zone:
687 name: "."
688diff --git a/testdata/iter_pcdirect.rpl b/testdata/iter_pcdirect.rpl
689index 0bd5dfe..656ec7a 100644
690--- a/testdata/iter_pcdirect.rpl
691+++ b/testdata/iter_pcdirect.rpl
692@@ -3,6 +3,7 @@ server:
693 target-fetch-policy: "0 0 0 0 0"
694 qname-minimisation: "no"
695 minimal-responses: no
696+ iter-scrub-promiscuous: no
697
698 stub-zone:
699 name: "."
700diff --git a/testdata/iter_pcname.rpl b/testdata/iter_pcname.rpl
701index e17c910..af53c90 100644
702--- a/testdata/iter_pcname.rpl
703+++ b/testdata/iter_pcname.rpl
704@@ -2,6 +2,7 @@
705 server:
706 target-fetch-policy: "0 0 0 0 0"
707 minimal-responses: no
708+ iter-scrub-promiscuous: no
709
710 stub-zone:
711 name: "."
712diff --git a/testdata/iter_pcnamech.rpl b/testdata/iter_pcnamech.rpl
713index 32b3130..805cb18 100644
714--- a/testdata/iter_pcnamech.rpl
715+++ b/testdata/iter_pcnamech.rpl
716@@ -2,6 +2,7 @@
717 server:
718 target-fetch-policy: "0 0 0 0 0"
719 minimal-responses: no
720+ iter-scrub-promiscuous: no
721 rrset-roundrobin: no
722
723 stub-zone:
724diff --git a/testdata/iter_pcnamechrec.rpl b/testdata/iter_pcnamechrec.rpl
725index 8bf7ad8..bbb9c86 100644
726--- a/testdata/iter_pcnamechrec.rpl
727+++ b/testdata/iter_pcnamechrec.rpl
728@@ -2,6 +2,7 @@
729 server:
730 target-fetch-policy: "0 0 0 0 0"
731 minimal-responses: no
732+ iter-scrub-promiscuous: no
733 rrset-roundrobin: no
734
735 stub-zone:
736diff --git a/testdata/iter_pcnamerec.rpl b/testdata/iter_pcnamerec.rpl
737index faee6d0..2ea0dad 100644
738--- a/testdata/iter_pcnamerec.rpl
739+++ b/testdata/iter_pcnamerec.rpl
740@@ -2,6 +2,7 @@
741 server:
742 target-fetch-policy: "0 0 0 0 0"
743 minimal-responses: no
744+ iter-scrub-promiscuous: no
745
746 stub-zone:
747 name: "."
748diff --git a/testdata/iter_pcttl.rpl b/testdata/iter_pcttl.rpl
749index 413f8cb..a702017 100644
750--- a/testdata/iter_pcttl.rpl
751+++ b/testdata/iter_pcttl.rpl
752@@ -3,6 +3,7 @@ server:
753 target-fetch-policy: "0 0 0 0 0"
754 do-ip6: no
755 minimal-responses: no
756+ iter-scrub-promiscuous: no
757
758 stub-zone:
759 name: "."
760diff --git a/testdata/iter_prefetch.rpl b/testdata/iter_prefetch.rpl
761index bad92dc..fdf5955 100644
762--- a/testdata/iter_prefetch.rpl
763+++ b/testdata/iter_prefetch.rpl
764@@ -4,6 +4,7 @@ server:
765 qname-minimisation: "no"
766 prefetch: "yes"
767 minimal-responses: no
768+ iter-scrub-promiscuous: no
769
770 stub-zone:
771 name: "."
772diff --git a/testdata/iter_prefetch_change.rpl b/testdata/iter_prefetch_change.rpl
773index 1be9e6a..c1a1a71 100644
774--- a/testdata/iter_prefetch_change.rpl
775+++ b/testdata/iter_prefetch_change.rpl
776@@ -3,6 +3,7 @@ server:
777 target-fetch-policy: "0 0 0 0 0"
778 prefetch: "yes"
779 minimal-responses: no
780+ iter-scrub-promiscuous: no
781
782 stub-zone:
783 name: "."
784diff --git a/testdata/iter_prefetch_change2.rpl b/testdata/iter_prefetch_change2.rpl
785index 7a8370f..4a966fe 100644
786--- a/testdata/iter_prefetch_change2.rpl
787+++ b/testdata/iter_prefetch_change2.rpl
788@@ -3,6 +3,7 @@ server:
789 target-fetch-policy: "0 0 0 0 0"
790 prefetch: "yes"
791 minimal-responses: no
792+ iter-scrub-promiscuous: no
793
794 stub-zone:
795 name: "."
796diff --git a/testdata/iter_prefetch_childns.rpl b/testdata/iter_prefetch_childns.rpl
797index 00a91fc..f234065 100644
798--- a/testdata/iter_prefetch_childns.rpl
799+++ b/testdata/iter_prefetch_childns.rpl
800@@ -4,6 +4,7 @@ server:
801 qname-minimisation: "no"
802 prefetch: "yes"
803 minimal-responses: no
804+ iter-scrub-promiscuous: no
805
806 stub-zone:
807 name: "."
808diff --git a/testdata/iter_prefetch_fail.rpl b/testdata/iter_prefetch_fail.rpl
809index 1d92a4c..d1e3083 100644
810--- a/testdata/iter_prefetch_fail.rpl
811+++ b/testdata/iter_prefetch_fail.rpl
812@@ -3,6 +3,7 @@ server:
813 target-fetch-policy: "0 0 0 0 0"
814 prefetch: "yes"
815 minimal-responses: no
816+ iter-scrub-promiscuous: no
817
818 stub-zone:
819 name: "."
820diff --git a/testdata/iter_prefetch_ns.rpl b/testdata/iter_prefetch_ns.rpl
821index 93af216..3192d31 100644
822--- a/testdata/iter_prefetch_ns.rpl
823+++ b/testdata/iter_prefetch_ns.rpl
824@@ -4,6 +4,7 @@ server:
825 qname-minimisation: "no"
826 prefetch: "yes"
827 minimal-responses: no
828+ iter-scrub-promiscuous: no
829
830 stub-zone:
831 name: "."
832diff --git a/testdata/iter_primenoglue.rpl b/testdata/iter_primenoglue.rpl
833index b9808dd..f8c9803 100644
834--- a/testdata/iter_primenoglue.rpl
835+++ b/testdata/iter_primenoglue.rpl
836@@ -8,6 +8,7 @@ server:
837 fake-sha1: yes
838 trust-anchor-signaling: no
839 minimal-responses: no
840+ iter-scrub-promiscuous: no
841
842 stub-zone:
843 name: "."
844diff --git a/testdata/iter_privaddr.rpl b/testdata/iter_privaddr.rpl
845index 0c87b4b..b7a6fde 100644
846--- a/testdata/iter_privaddr.rpl
847+++ b/testdata/iter_privaddr.rpl
848@@ -3,6 +3,7 @@ server:
849 target-fetch-policy: "0 0 0 0 0"
850 qname-minimisation: "no"
851 minimal-responses: no
852+ iter-scrub-promiscuous: no
853
854 private-address: 10.0.0.0/8
855 private-address: 172.16.0.0/12
856diff --git a/testdata/iter_ranoaa_lame.rpl b/testdata/iter_ranoaa_lame.rpl
857index 8ee8241..313192f 100644
858--- a/testdata/iter_ranoaa_lame.rpl
859+++ b/testdata/iter_ranoaa_lame.rpl
860@@ -2,6 +2,7 @@
861 server:
862 target-fetch-policy: "0 0 0 0 0"
863 minimal-responses: no
864+ iter-scrub-promiscuous: no
865 rrset-roundrobin: no
866
867 stub-zone:
868diff --git a/testdata/iter_reclame_one.rpl b/testdata/iter_reclame_one.rpl
869index 4a6abfa..d273e60 100644
870--- a/testdata/iter_reclame_one.rpl
871+++ b/testdata/iter_reclame_one.rpl
872@@ -3,6 +3,7 @@ server:
873 target-fetch-policy: "0 0 0 0 0"
874 qname-minimisation: "no"
875 minimal-responses: no
876+ iter-scrub-promiscuous: no
877 rrset-roundrobin: no
878
879 stub-zone:
880diff --git a/testdata/iter_reclame_two.rpl b/testdata/iter_reclame_two.rpl
881index 76c310b..e2b2bc1 100644
882--- a/testdata/iter_reclame_two.rpl
883+++ b/testdata/iter_reclame_two.rpl
884@@ -2,6 +2,7 @@
885 server:
886 target-fetch-policy: "0 0 0 0 0"
887 minimal-responses: no
888+ iter-scrub-promiscuous: no
889 rrset-roundrobin: no
890
891 stub-zone:
892diff --git a/testdata/iter_recurse.rpl b/testdata/iter_recurse.rpl
893index be50b4a..1352876 100644
894--- a/testdata/iter_recurse.rpl
895+++ b/testdata/iter_recurse.rpl
896@@ -3,6 +3,7 @@ server:
897 target-fetch-policy: "0 0 0 0 0"
898 qname-minimisation: "no"
899 minimal-responses: no
900+ iter-scrub-promiscuous: no
901
902 stub-zone:
903 name: "."
904diff --git a/testdata/iter_resolve.rpl b/testdata/iter_resolve.rpl
905index ed051ff..3ea56ab 100644
906--- a/testdata/iter_resolve.rpl
907+++ b/testdata/iter_resolve.rpl
908@@ -3,6 +3,7 @@ server:
909 target-fetch-policy: "0 0 0 0 0"
910 qname-minimisation: "no"
911 minimal-responses: no
912+ iter-scrub-promiscuous: no
913
914 stub-zone:
915 name: "."
916diff --git a/testdata/iter_resolve_minimised.rpl b/testdata/iter_resolve_minimised.rpl
917index 2c6f9cc..13f04d4 100644
918--- a/testdata/iter_resolve_minimised.rpl
919+++ b/testdata/iter_resolve_minimised.rpl
920@@ -2,6 +2,7 @@
921 server:
922 target-fetch-policy: "0 0 0 0 0"
923 minimal-responses: no
924+ iter-scrub-promiscuous: no
925
926 stub-zone:
927 name: "."
928diff --git a/testdata/iter_resolve_minimised_nx.rpl b/testdata/iter_resolve_minimised_nx.rpl
929index 74e612c..c68f20c 100644
930--- a/testdata/iter_resolve_minimised_nx.rpl
931+++ b/testdata/iter_resolve_minimised_nx.rpl
932@@ -3,6 +3,7 @@ server:
933 target-fetch-policy: "0 0 0 0 0"
934 qname-minimisation: yes
935 minimal-responses: no
936+ iter-scrub-promiscuous: no
937
938 stub-zone:
939 name: "."
940diff --git a/testdata/iter_resolve_minimised_refused.rpl b/testdata/iter_resolve_minimised_refused.rpl
941index 66e8e63..8dc76e2 100644
942--- a/testdata/iter_resolve_minimised_refused.rpl
943+++ b/testdata/iter_resolve_minimised_refused.rpl
944@@ -3,6 +3,7 @@ server:
945 target-fetch-policy: "0 0 0 0 0"
946 qname-minimisation: yes
947 minimal-responses: no
948+ iter-scrub-promiscuous: no
949
950 stub-zone:
951 name: "."
952diff --git a/testdata/iter_resolve_minimised_timeout.rpl b/testdata/iter_resolve_minimised_timeout.rpl
953index 86b9321..3740d79 100644
954--- a/testdata/iter_resolve_minimised_timeout.rpl
955+++ b/testdata/iter_resolve_minimised_timeout.rpl
956@@ -3,6 +3,7 @@ server:
957 target-fetch-policy: "0 0 0 0 0"
958 qname-minimisation: yes
959 minimal-responses: no
960+ iter-scrub-promiscuous: no
961
962 stub-zone:
963 name: "."
964diff --git a/testdata/iter_scrub_cname_an.rpl b/testdata/iter_scrub_cname_an.rpl
965index 9c5060a..f81916b 100644
966--- a/testdata/iter_scrub_cname_an.rpl
967+++ b/testdata/iter_scrub_cname_an.rpl
968@@ -4,6 +4,7 @@ server:
969 target-fetch-policy: "0 0 0 0 0"
970 qname-minimisation: "no"
971 minimal-responses: no
972+ iter-scrub-promiscuous: no
973
974 stub-zone:
975 name: "."
976diff --git a/testdata/iter_scrub_dname_insec.rpl b/testdata/iter_scrub_dname_insec.rpl
977index 826d89e..82ff1d3 100644
978--- a/testdata/iter_scrub_dname_insec.rpl
979+++ b/testdata/iter_scrub_dname_insec.rpl
980@@ -4,6 +4,7 @@ server:
981 target-fetch-policy: "0 0 0 0 0"
982 qname-minimisation: "no"
983 minimal-responses: no
984+ iter-scrub-promiscuous: no
985
986 stub-zone:
987 name: "."
988diff --git a/testdata/iter_scrub_dname_rev.rpl b/testdata/iter_scrub_dname_rev.rpl
989index 9caca66..dfb21b8 100644
990--- a/testdata/iter_scrub_dname_rev.rpl
991+++ b/testdata/iter_scrub_dname_rev.rpl
992@@ -8,6 +8,7 @@ server:
993 fake-sha1: yes
994 trust-anchor-signaling: no
995 minimal-responses: no
996+ iter-scrub-promiscuous: no
997
998 stub-zone:
999 name: "."
1000diff --git a/testdata/iter_scrub_dname_sec.rpl b/testdata/iter_scrub_dname_sec.rpl
1001index 34a7b32..943b19f 100644
1002--- a/testdata/iter_scrub_dname_sec.rpl
1003+++ b/testdata/iter_scrub_dname_sec.rpl
1004@@ -8,6 +8,7 @@ server:
1005 fake-sha1: yes
1006 trust-anchor-signaling: no
1007 minimal-responses: no
1008+ iter-scrub-promiscuous: no
1009
1010 stub-zone:
1011 name: "."
1012diff --git a/testdata/iter_scrub_rr_length.rpl b/testdata/iter_scrub_rr_length.rpl
1013index 2ef73c2..5463723 100644
1014--- a/testdata/iter_scrub_rr_length.rpl
1015+++ b/testdata/iter_scrub_rr_length.rpl
1016@@ -3,6 +3,7 @@ server:
1017 target-fetch-policy: "0 0 0 0 0"
1018 qname-minimisation: "no"
1019 minimal-responses: no
1020+ iter-scrub-promiscuous: no
1021 rrset-roundrobin: no
1022 ede: yes
1023 log-servfail: yes
1024diff --git a/testdata/iter_soamin.rpl b/testdata/iter_soamin.rpl
1025index 7e90260..0facc35 100644
1026--- a/testdata/iter_soamin.rpl
1027+++ b/testdata/iter_soamin.rpl
1028@@ -2,6 +2,7 @@
1029 server:
1030 target-fetch-policy: "0 0 0 0 0"
1031 minimal-responses: no
1032+ iter-scrub-promiscuous: no
1033
1034 stub-zone:
1035 name: "."
1036diff --git a/testdata/iter_stub_noroot.rpl b/testdata/iter_stub_noroot.rpl
1037index ef306bd..749462b 100644
1038--- a/testdata/iter_stub_noroot.rpl
1039+++ b/testdata/iter_stub_noroot.rpl
1040@@ -2,6 +2,7 @@
1041 server:
1042 target-fetch-policy: "0 0 0 0 0"
1043 minimal-responses: no
1044+ iter-scrub-promiscuous: no
1045
1046 stub-zone:
1047 name: "."
1048diff --git a/testdata/iter_stubfirst.rpl b/testdata/iter_stubfirst.rpl
1049index 1a7112d..7cd3305 100644
1050--- a/testdata/iter_stubfirst.rpl
1051+++ b/testdata/iter_stubfirst.rpl
1052@@ -2,6 +2,7 @@
1053 server:
1054 target-fetch-policy: "0 0 0 0 0"
1055 minimal-responses: no
1056+ iter-scrub-promiscuous: no
1057
1058 stub-zone:
1059 name: "."
1060diff --git a/testdata/iter_timeout_ra_aaaa.rpl b/testdata/iter_timeout_ra_aaaa.rpl
1061index 126867b..9456f04 100644
1062--- a/testdata/iter_timeout_ra_aaaa.rpl
1063+++ b/testdata/iter_timeout_ra_aaaa.rpl
1064@@ -3,6 +3,7 @@ server:
1065 target-fetch-policy: "0 0 0 0 0"
1066 qname-minimisation: "no"
1067 minimal-responses: no
1068+ iter-scrub-promiscuous: no
1069
1070 stub-zone:
1071 name: "."
1072diff --git a/testdata/rrset_rettl.rpl b/testdata/rrset_rettl.rpl
1073index 55dd623..131a98e 100644
1074--- a/testdata/rrset_rettl.rpl
1075+++ b/testdata/rrset_rettl.rpl
1076@@ -2,6 +2,7 @@
1077 ; config options go here.
1078 server:
1079 minimal-responses: no
1080+ iter-scrub-promiscuous: no
1081 forward-zone: name: "." forward-addr: 216.0.0.1
1082 CONFIG_END
1083
1084diff --git a/testdata/rrset_untrusted.rpl b/testdata/rrset_untrusted.rpl
1085index 6370ebf..207275b 100644
1086--- a/testdata/rrset_untrusted.rpl
1087+++ b/testdata/rrset_untrusted.rpl
1088@@ -2,6 +2,7 @@
1089 ; config options go here.
1090 server:
1091 minimal-responses: no
1092+ iter-scrub-promiscuous: no
1093 forward-zone: name: "." forward-addr: 216.0.0.1
1094 CONFIG_END
1095
1096diff --git a/testdata/rrset_updated.rpl b/testdata/rrset_updated.rpl
1097index 55da56b..ba8e492 100644
1098--- a/testdata/rrset_updated.rpl
1099+++ b/testdata/rrset_updated.rpl
1100@@ -2,6 +2,7 @@
1101 ; config options go here.
1102 server:
1103 minimal-responses: no
1104+ iter-scrub-promiscuous: no
1105 rrset-roundrobin: no
1106 forward-zone: name: "." forward-addr: 216.0.0.1
1107 CONFIG_END
1108diff --git a/testdata/rrset_use_cached.rpl b/testdata/rrset_use_cached.rpl
1109index 8420ae0..17696f6 100644
1110--- a/testdata/rrset_use_cached.rpl
1111+++ b/testdata/rrset_use_cached.rpl
1112@@ -1,5 +1,6 @@
1113 server:
1114 minimal-responses: no
1115+ iter-scrub-promiscuous: no
1116 serve-expired: yes
1117 # The value does not matter, we will not simulate delay.
1118 # We do not want only serve-expired because fetches from that
1119diff --git a/testdata/serve_expired.rpl b/testdata/serve_expired.rpl
1120index 3f61019..2bba0d9 100644
1121--- a/testdata/serve_expired.rpl
1122+++ b/testdata/serve_expired.rpl
1123@@ -3,6 +3,7 @@ server:
1124 module-config: "validator iterator"
1125 qname-minimisation: "no"
1126 minimal-responses: no
1127+ iter-scrub-promiscuous: no
1128 serve-expired: yes
1129 access-control: 127.0.0.1/32 allow_snoop
1130 ede: yes
1131diff --git a/testdata/serve_expired_0ttl_nodata.rpl b/testdata/serve_expired_0ttl_nodata.rpl
1132index 7f1b5a5..d16a115 100644
1133--- a/testdata/serve_expired_0ttl_nodata.rpl
1134+++ b/testdata/serve_expired_0ttl_nodata.rpl
1135@@ -3,6 +3,7 @@ server:
1136 module-config: "validator iterator"
1137 qname-minimisation: "no"
1138 minimal-responses: no
1139+ iter-scrub-promiscuous: no
1140 serve-expired: yes
1141 log-servfail: yes
1142 ede: yes
1143diff --git a/testdata/serve_expired_0ttl_nxdomain.rpl b/testdata/serve_expired_0ttl_nxdomain.rpl
1144index 4adb4b8..a9195b0 100644
1145--- a/testdata/serve_expired_0ttl_nxdomain.rpl
1146+++ b/testdata/serve_expired_0ttl_nxdomain.rpl
1147@@ -3,6 +3,7 @@ server:
1148 module-config: "validator iterator"
1149 qname-minimisation: "no"
1150 minimal-responses: no
1151+ iter-scrub-promiscuous: no
1152 serve-expired: yes
1153 log-servfail: yes
1154 ede: yes
1155diff --git a/testdata/serve_expired_0ttl_servfail.rpl b/testdata/serve_expired_0ttl_servfail.rpl
1156index 6833af1..b0fa484 100644
1157--- a/testdata/serve_expired_0ttl_servfail.rpl
1158+++ b/testdata/serve_expired_0ttl_servfail.rpl
1159@@ -3,6 +3,7 @@ server:
1160 module-config: "validator iterator"
1161 qname-minimisation: "no"
1162 minimal-responses: no
1163+ iter-scrub-promiscuous: no
1164 serve-expired: yes
1165 log-servfail: yes
1166 ede: yes
1167diff --git a/testdata/serve_expired_cached_servfail.rpl b/testdata/serve_expired_cached_servfail.rpl
1168index f5f4c70..0beb8fc 100644
1169--- a/testdata/serve_expired_cached_servfail.rpl
1170+++ b/testdata/serve_expired_cached_servfail.rpl
1171@@ -3,6 +3,7 @@ server:
1172 module-config: "validator iterator"
1173 qname-minimisation: "no"
1174 minimal-responses: no
1175+ iter-scrub-promiscuous: no
1176 serve-expired: yes
1177 serve-expired-reply-ttl: 123
1178 log-servfail: yes
1179diff --git a/testdata/serve_expired_client_timeout.rpl b/testdata/serve_expired_client_timeout.rpl
1180index 5560aa0..e40e1b4 100644
1181--- a/testdata/serve_expired_client_timeout.rpl
1182+++ b/testdata/serve_expired_client_timeout.rpl
1183@@ -3,6 +3,7 @@ server:
1184 module-config: "validator iterator"
1185 qname-minimisation: "no"
1186 minimal-responses: no
1187+ iter-scrub-promiscuous: no
1188 serve-expired: yes
1189 serve-expired-client-timeout: 1
1190 serve-expired-reply-ttl: 123
1191diff --git a/testdata/serve_expired_client_timeout_no_prefetch.rpl b/testdata/serve_expired_client_timeout_no_prefetch.rpl
1192index aed397d..3a35c46 100644
1193--- a/testdata/serve_expired_client_timeout_no_prefetch.rpl
1194+++ b/testdata/serve_expired_client_timeout_no_prefetch.rpl
1195@@ -3,6 +3,7 @@ server:
1196 module-config: "validator iterator"
1197 qname-minimisation: "no"
1198 minimal-responses: no
1199+ iter-scrub-promiscuous: no
1200 serve-expired: yes
1201 serve-expired-client-timeout: 1
1202 serve-expired-reply-ttl: 123
1203diff --git a/testdata/serve_expired_client_timeout_servfail.rpl b/testdata/serve_expired_client_timeout_servfail.rpl
1204index 51aa043..226e4b5 100644
1205--- a/testdata/serve_expired_client_timeout_servfail.rpl
1206+++ b/testdata/serve_expired_client_timeout_servfail.rpl
1207@@ -3,6 +3,7 @@ server:
1208 module-config: "validator iterator"
1209 qname-minimisation: "no"
1210 minimal-responses: no
1211+ iter-scrub-promiscuous: no
1212 serve-expired: yes
1213 serve-expired-client-timeout: 1
1214 serve-expired-reply-ttl: 123
1215diff --git a/testdata/serve_expired_reply_ttl.rpl b/testdata/serve_expired_reply_ttl.rpl
1216index 124fb87..063aad9 100644
1217--- a/testdata/serve_expired_reply_ttl.rpl
1218+++ b/testdata/serve_expired_reply_ttl.rpl
1219@@ -3,6 +3,7 @@ server:
1220 module-config: "validator iterator"
1221 qname-minimisation: "no"
1222 minimal-responses: no
1223+ iter-scrub-promiscuous: no
1224 serve-expired: yes
1225 serve-expired-reply-ttl: 123
1226 ede: yes
1227diff --git a/testdata/serve_expired_ttl.rpl b/testdata/serve_expired_ttl.rpl
1228index df4ecb8..df3cd90 100644
1229--- a/testdata/serve_expired_ttl.rpl
1230+++ b/testdata/serve_expired_ttl.rpl
1231@@ -3,6 +3,7 @@ server:
1232 module-config: "validator iterator"
1233 qname-minimisation: "no"
1234 minimal-responses: no
1235+ iter-scrub-promiscuous: no
1236 serve-expired: yes
1237 serve-expired-ttl: 10
1238
1239diff --git a/testdata/serve_expired_ttl_client_timeout.rpl b/testdata/serve_expired_ttl_client_timeout.rpl
1240index 169d070..f285790 100644
1241--- a/testdata/serve_expired_ttl_client_timeout.rpl
1242+++ b/testdata/serve_expired_ttl_client_timeout.rpl
1243@@ -3,6 +3,7 @@ server:
1244 module-config: "validator iterator"
1245 qname-minimisation: "no"
1246 minimal-responses: no
1247+ iter-scrub-promiscuous: no
1248 serve-expired: yes
1249 serve-expired-ttl: 10
1250 serve-expired-client-timeout: 1
1251diff --git a/testdata/serve_expired_zerottl.rpl b/testdata/serve_expired_zerottl.rpl
1252index 0239b4a..fbb76f9 100644
1253--- a/testdata/serve_expired_zerottl.rpl
1254+++ b/testdata/serve_expired_zerottl.rpl
1255@@ -3,6 +3,7 @@ server:
1256 module-config: "validator iterator"
1257 qname-minimisation: "no"
1258 minimal-responses: no
1259+ iter-scrub-promiscuous: no
1260 serve-expired: yes
1261 serve-expired-reply-ttl: 123
1262 ede: yes
1263diff --git a/testdata/serve_original_ttl.rpl b/testdata/serve_original_ttl.rpl
1264index 24d01b6..ced0672 100644
1265--- a/testdata/serve_original_ttl.rpl
1266+++ b/testdata/serve_original_ttl.rpl
1267@@ -4,6 +4,7 @@ server:
1268 module-config: "validator iterator"
1269 qname-minimisation: "no"
1270 minimal-responses: no
1271+ iter-scrub-promiscuous: no
1272 serve-original-ttl: yes
1273 cache-max-ttl: 1000
1274 cache-min-ttl: 20
1275diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl
1276index 2098313..8f3c3de 100644
1277--- a/testdata/subnet_cached.crpl
1278+++ b/testdata/subnet_cached.crpl
1279@@ -15,6 +15,7 @@ server:
1280 access-control: 127.0.0.1 allow_snoop
1281 qname-minimisation: "no"
1282 minimal-responses: no
1283+ iter-scrub-promiscuous: no
1284
1285 stub-zone:
1286 name: "."
1287diff --git a/testdata/subnet_cached_servfail.crpl b/testdata/subnet_cached_servfail.crpl
1288index 9c746d5..535671b 100644
1289--- a/testdata/subnet_cached_servfail.crpl
1290+++ b/testdata/subnet_cached_servfail.crpl
1291@@ -11,6 +11,7 @@ server:
1292 access-control: 127.0.0.1 allow_snoop
1293 qname-minimisation: no
1294 minimal-responses: no
1295+ iter-scrub-promiscuous: no
1296 serve-expired: yes
1297 prefetch: yes
1298
1299diff --git a/testdata/subnet_global_prefetch.crpl b/testdata/subnet_global_prefetch.crpl
1300index 2f005d4..7665015 100644
1301--- a/testdata/subnet_global_prefetch.crpl
1302+++ b/testdata/subnet_global_prefetch.crpl
1303@@ -12,6 +12,7 @@ server:
1304 access-control: 127.0.0.1 allow_snoop
1305 qname-minimisation: no
1306 minimal-responses: no
1307+ iter-scrub-promiscuous: no
1308 prefetch: yes
1309
1310 stub-zone:
1311diff --git a/testdata/subnet_global_prefetch_always_forward.crpl b/testdata/subnet_global_prefetch_always_forward.crpl
1312index ccfe5df..0713629 100644
1313--- a/testdata/subnet_global_prefetch_always_forward.crpl
1314+++ b/testdata/subnet_global_prefetch_always_forward.crpl
1315@@ -12,6 +12,7 @@ server:
1316 access-control: 127.0.0.1 allow_snoop
1317 qname-minimisation: no
1318 minimal-responses: no
1319+ iter-scrub-promiscuous: no
1320
1321 stub-zone:
1322 name: "."
1323diff --git a/testdata/subnet_global_prefetch_expired.crpl b/testdata/subnet_global_prefetch_expired.crpl
1324index de1b780..7c00d82 100644
1325--- a/testdata/subnet_global_prefetch_expired.crpl
1326+++ b/testdata/subnet_global_prefetch_expired.crpl
1327@@ -13,6 +13,7 @@ server:
1328 access-control: 127.0.0.1 allow_snoop
1329 qname-minimisation: no
1330 minimal-responses: no
1331+ iter-scrub-promiscuous: no
1332 serve-expired: yes
1333 serve-expired-ttl: 1
1334 prefetch: yes
1335diff --git a/testdata/subnet_global_prefetch_with_client_ecs.crpl b/testdata/subnet_global_prefetch_with_client_ecs.crpl
1336index ddc832c..8589db7 100644
1337--- a/testdata/subnet_global_prefetch_with_client_ecs.crpl
1338+++ b/testdata/subnet_global_prefetch_with_client_ecs.crpl
1339@@ -12,6 +12,7 @@ server:
1340 access-control: 127.0.0.1 allow_snoop
1341 qname-minimisation: no
1342 minimal-responses: no
1343+ iter-scrub-promiscuous: no
1344 prefetch: yes
1345
1346 stub-zone:
1347diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl
1348index f5c7464..f3f71e7 100644
1349--- a/testdata/subnet_max_source.crpl
1350+++ b/testdata/subnet_max_source.crpl
1351@@ -11,6 +11,7 @@ server:
1352 verbosity: 3
1353 qname-minimisation: "no"
1354 minimal-responses: no
1355+ iter-scrub-promiscuous: no
1356
1357 stub-zone:
1358 name: "."
1359diff --git a/testdata/subnet_prefetch.crpl b/testdata/subnet_prefetch.crpl
1360index aaa6bf0..243e409 100644
1361--- a/testdata/subnet_prefetch.crpl
1362+++ b/testdata/subnet_prefetch.crpl
1363@@ -12,6 +12,7 @@ server:
1364 access-control: 127.0.0.1 allow_snoop
1365 qname-minimisation: no
1366 minimal-responses: no
1367+ iter-scrub-promiscuous: no
1368 prefetch: yes
1369
1370 stub-zone:
1371diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl
1372index 01456e5..10996ad 100644
1373--- a/testdata/subnet_val_positive.crpl
1374+++ b/testdata/subnet_val_positive.crpl
1375@@ -13,6 +13,7 @@ server:
1376 fake-dsa: yes
1377 qname-minimisation: "no"
1378 minimal-responses: no
1379+ iter-scrub-promiscuous: no
1380
1381 stub-zone:
1382 name: "."
1383diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl
1384index b573742..1b51d52 100644
1385--- a/testdata/subnet_val_positive_client.crpl
1386+++ b/testdata/subnet_val_positive_client.crpl
1387@@ -14,6 +14,7 @@ server:
1388 fake-dsa: yes
1389 qname-minimisation: "no"
1390 minimal-responses: no
1391+ iter-scrub-promiscuous: no
1392
1393 stub-zone:
1394 name: "."
1395diff --git a/testdata/trust_cname_chain.rpl b/testdata/trust_cname_chain.rpl
1396index f8415ba..e24f8c1 100644
1397--- a/testdata/trust_cname_chain.rpl
1398+++ b/testdata/trust_cname_chain.rpl
1399@@ -2,6 +2,7 @@
1400 server:
1401 target-fetch-policy: "0 0 0 0 0"
1402 minimal-responses: no
1403+ iter-scrub-promiscuous: no
1404 stub-zone:
1405 name: "."
1406 stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
1407diff --git a/testdata/ttl_max.rpl b/testdata/ttl_max.rpl
1408index 3256963..b24eea3 100644
1409--- a/testdata/ttl_max.rpl
1410+++ b/testdata/ttl_max.rpl
1411@@ -4,6 +4,7 @@ server:
1412 cache-max-ttl: 10
1413 qname-minimisation: "no"
1414 minimal-responses: no
1415+ iter-scrub-promiscuous: no
1416
1417 stub-zone:
1418 name: "."
1419diff --git a/testdata/ttl_min.rpl b/testdata/ttl_min.rpl
1420index 3c79ff5..94206c7 100644
1421--- a/testdata/ttl_min.rpl
1422+++ b/testdata/ttl_min.rpl
1423@@ -4,6 +4,7 @@ server:
1424 cache-min-ttl: 10
1425 qname-minimisation: "no"
1426 minimal-responses: no
1427+ iter-scrub-promiscuous: no
1428
1429 stub-zone:
1430 name: "."
1431diff --git a/testdata/val_adbit.rpl b/testdata/val_adbit.rpl
1432index 7ce62de..233c58b 100644
1433--- a/testdata/val_adbit.rpl
1434+++ b/testdata/val_adbit.rpl
1435@@ -8,6 +8,7 @@ server:
1436 fake-sha1: yes
1437 trust-anchor-signaling: no
1438 minimal-responses: no
1439+ iter-scrub-promiscuous: no
1440
1441 stub-zone:
1442 name: "."
1443diff --git a/testdata/val_adcopy.rpl b/testdata/val_adcopy.rpl
1444index 604fd57..7bc31df 100644
1445--- a/testdata/val_adcopy.rpl
1446+++ b/testdata/val_adcopy.rpl
1447@@ -7,6 +7,7 @@ server:
1448 qname-minimisation: "no"
1449 fake-sha1: yes
1450 minimal-responses: no
1451+ iter-scrub-promiscuous: no
1452
1453 stub-zone:
1454 name: "."
1455diff --git a/testdata/val_cnametocnamewctoposwc.rpl b/testdata/val_cnametocnamewctoposwc.rpl
1456index 407666e..9ea8b49 100644
1457--- a/testdata/val_cnametocnamewctoposwc.rpl
1458+++ b/testdata/val_cnametocnamewctoposwc.rpl
1459@@ -7,6 +7,7 @@ server:
1460 qname-minimisation: "no"
1461 fake-sha1: yes
1462 trust-anchor-signaling: no
1463+ iter-scrub-promiscuous: no
1464
1465 stub-zone:
1466 name: "."
1467diff --git a/testdata/val_ds_afterprime.rpl b/testdata/val_ds_afterprime.rpl
1468index 3b1c0d6..301a1f6 100644
1469--- a/testdata/val_ds_afterprime.rpl
1470+++ b/testdata/val_ds_afterprime.rpl
1471@@ -8,6 +8,7 @@ server:
1472 fake-sha1: yes
1473 trust-anchor-signaling: no
1474 minimal-responses: no
1475+ iter-scrub-promiscuous: no
1476
1477 stub-zone:
1478 name: "."
1479diff --git a/testdata/val_faildnskey_ok.rpl b/testdata/val_faildnskey_ok.rpl
1480index 50f3184..f9196f3 100644
1481--- a/testdata/val_faildnskey_ok.rpl
1482+++ b/testdata/val_faildnskey_ok.rpl
1483@@ -8,6 +8,7 @@ server:
1484 fake-sha1: yes
1485 trust-anchor-signaling: no
1486 minimal-responses: no
1487+ iter-scrub-promiscuous: no
1488
1489 stub-zone:
1490 name: "."
1491diff --git a/testdata/val_keyprefetch_verify.rpl b/testdata/val_keyprefetch_verify.rpl
1492index 9b901a8..6cf8184 100644
1493--- a/testdata/val_keyprefetch_verify.rpl
1494+++ b/testdata/val_keyprefetch_verify.rpl
1495@@ -10,6 +10,7 @@ server:
1496 fake-sha1: yes
1497 trust-anchor-signaling: no
1498 minimal-responses: no
1499+ iter-scrub-promiscuous: no
1500
1501 stub-zone:
1502 name: "."
1503diff --git a/testdata/val_noadwhennodo.rpl b/testdata/val_noadwhennodo.rpl
1504index 46e1bad..dbdeb78 100644
1505--- a/testdata/val_noadwhennodo.rpl
1506+++ b/testdata/val_noadwhennodo.rpl
1507@@ -8,6 +8,7 @@ server:
1508 fake-sha1: yes
1509 trust-anchor-signaling: no
1510 minimal-responses: no
1511+ iter-scrub-promiscuous: no
1512
1513 stub-zone:
1514 name: "."
1515diff --git a/testdata/val_nsec3_b3_optout.rpl b/testdata/val_nsec3_b3_optout.rpl
1516index 9d84be9..5d8a43a 100644
1517--- a/testdata/val_nsec3_b3_optout.rpl
1518+++ b/testdata/val_nsec3_b3_optout.rpl
1519@@ -7,6 +7,7 @@ server:
1520 fake-sha1: yes
1521 trust-anchor-signaling: no
1522 minimal-responses: no
1523+ iter-scrub-promiscuous: no
1524 rrset-roundrobin: no
1525
1526 stub-zone:
1527diff --git a/testdata/val_nsec3_b3_optout_negcache.rpl b/testdata/val_nsec3_b3_optout_negcache.rpl
1528index 497a859..e7be762 100644
1529--- a/testdata/val_nsec3_b3_optout_negcache.rpl
1530+++ b/testdata/val_nsec3_b3_optout_negcache.rpl
1531@@ -7,6 +7,7 @@ server:
1532 fake-sha1: yes
1533 trust-anchor-signaling: no
1534 minimal-responses: no
1535+ iter-scrub-promiscuous: no
1536 rrset-roundrobin: no
1537
1538 stub-zone:
1539diff --git a/testdata/val_nsec3_b4_wild.rpl b/testdata/val_nsec3_b4_wild.rpl
1540index 8bf3a54..295932f 100644
1541--- a/testdata/val_nsec3_b4_wild.rpl
1542+++ b/testdata/val_nsec3_b4_wild.rpl
1543@@ -6,6 +6,7 @@ server:
1544 qname-minimisation: "no"
1545 fake-sha1: yes
1546 trust-anchor-signaling: no
1547+ iter-scrub-promiscuous: no
1548 rrset-roundrobin: no
1549
1550 stub-zone:
1551diff --git a/testdata/val_nsec3_cnametocnamewctoposwc.rpl b/testdata/val_nsec3_cnametocnamewctoposwc.rpl
1552index 1651ae7..3e4c55a 100644
1553--- a/testdata/val_nsec3_cnametocnamewctoposwc.rpl
1554+++ b/testdata/val_nsec3_cnametocnamewctoposwc.rpl
1555@@ -7,6 +7,7 @@ server:
1556 qname-minimisation: "no"
1557 fake-sha1: yes
1558 trust-anchor-signaling: no
1559+ iter-scrub-promiscuous: no
1560
1561 stub-zone:
1562 name: "."
1563diff --git a/testdata/val_positive.rpl b/testdata/val_positive.rpl
1564index daaf360..c808517 100644
1565--- a/testdata/val_positive.rpl
1566+++ b/testdata/val_positive.rpl
1567@@ -8,6 +8,7 @@ server:
1568 fake-sha1: yes
1569 trust-anchor-signaling: no
1570 minimal-responses: no
1571+ iter-scrub-promiscuous: no
1572
1573 stub-zone:
1574 name: "."
1575diff --git a/testdata/val_positive_wc.rpl b/testdata/val_positive_wc.rpl
1576index 5384acf..591dcc6 100644
1577--- a/testdata/val_positive_wc.rpl
1578+++ b/testdata/val_positive_wc.rpl
1579@@ -7,6 +7,7 @@ server:
1580 qname-minimisation: "no"
1581 fake-sha1: yes
1582 trust-anchor-signaling: no
1583+ iter-scrub-promiscuous: no
1584
1585 stub-zone:
1586 name: "."
1587diff --git a/testdata/val_qds_badanc.rpl b/testdata/val_qds_badanc.rpl
1588index dc68615..cb53136 100644
1589--- a/testdata/val_qds_badanc.rpl
1590+++ b/testdata/val_qds_badanc.rpl
1591@@ -7,6 +7,7 @@ server:
1592 qname-minimisation: "no"
1593 fake-sha1: yes
1594 minimal-responses: no
1595+ iter-scrub-promiscuous: no
1596
1597 stub-zone:
1598 name: "."
1599diff --git a/testdata/val_qds_oneanc.rpl b/testdata/val_qds_oneanc.rpl
1600index f21ab42..bda9f90 100644
1601--- a/testdata/val_qds_oneanc.rpl
1602+++ b/testdata/val_qds_oneanc.rpl
1603@@ -8,6 +8,7 @@ server:
1604 fake-sha1: yes
1605 trust-anchor-signaling: no
1606 minimal-responses: no
1607+ iter-scrub-promiscuous: no
1608
1609 stub-zone:
1610 name: "."
1611diff --git a/testdata/val_qds_twoanc.rpl b/testdata/val_qds_twoanc.rpl
1612index 4e4f2e7..f801c02 100644
1613--- a/testdata/val_qds_twoanc.rpl
1614+++ b/testdata/val_qds_twoanc.rpl
1615@@ -9,6 +9,7 @@ server:
1616 fake-sha1: yes
1617 trust-anchor-signaling: no
1618 minimal-responses: no
1619+ iter-scrub-promiscuous: no
1620
1621 stub-zone:
1622 name: "."
1623diff --git a/testdata/val_refer_unsignadd.rpl b/testdata/val_refer_unsignadd.rpl
1624index 4d07301..22f15d2 100644
1625--- a/testdata/val_refer_unsignadd.rpl
1626+++ b/testdata/val_refer_unsignadd.rpl
1627@@ -9,6 +9,7 @@ server:
1628 qname-minimisation: "no"
1629 fake-sha1: yes
1630 trust-anchor-signaling: no
1631+ iter-scrub-promiscuous: no
1632 rrset-roundrobin: no
1633
1634 stub-zone:
1635diff --git a/testdata/val_referd.rpl b/testdata/val_referd.rpl
1636index d475f83..a25ca7b 100644
1637--- a/testdata/val_referd.rpl
1638+++ b/testdata/val_referd.rpl
1639@@ -10,6 +10,7 @@ server:
1640 fake-sha1: yes
1641 trust-anchor-signaling: no
1642 minimal-responses: no
1643+ iter-scrub-promiscuous: no
1644
1645 stub-zone:
1646 name: "."
1647diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl
1648index 54b7671..3ca0c0e 100644
1649--- a/testdata/val_referglue.rpl
1650+++ b/testdata/val_referglue.rpl
1651@@ -10,6 +10,7 @@ server:
1652 fake-sha1: yes
1653 trust-anchor-signaling: no
1654 minimal-responses: no
1655+ iter-scrub-promiscuous: no
1656 rrset-roundrobin: no
1657
1658 stub-zone:
1659diff --git a/testdata/val_rrsig.rpl b/testdata/val_rrsig.rpl
1660index 0b672e0..69df344 100644
1661--- a/testdata/val_rrsig.rpl
1662+++ b/testdata/val_rrsig.rpl
1663@@ -7,6 +7,7 @@ server:
1664 qname-minimisation: "no"
1665 fake-sha1: yes
1666 minimal-responses: no
1667+ iter-scrub-promiscuous: no
1668
1669 stub-zone:
1670 name: "."
1671diff --git a/testdata/val_spurious_ns.rpl b/testdata/val_spurious_ns.rpl
1672index cb0a6e5..8db94a1 100644
1673--- a/testdata/val_spurious_ns.rpl
1674+++ b/testdata/val_spurious_ns.rpl
1675@@ -8,6 +8,7 @@ server:
1676 fake-sha1: yes
1677 trust-anchor-signaling: no
1678 minimal-responses: no
1679+ iter-scrub-promiscuous: no
1680
1681 stub-zone:
1682 name: "."
1683diff --git a/testdata/val_stub_noroot.rpl b/testdata/val_stub_noroot.rpl
1684index 07113be..66c3d8e 100644
1685--- a/testdata/val_stub_noroot.rpl
1686+++ b/testdata/val_stub_noroot.rpl
1687@@ -6,6 +6,7 @@ server:
1688 fake-sha1: yes
1689 trust-anchor-signaling: no
1690 minimal-responses: no
1691+ iter-scrub-promiscuous: no
1692
1693 stub-zone:
1694 name: "."
1695diff --git a/testdata/val_ta_algo_dnskey.rpl b/testdata/val_ta_algo_dnskey.rpl
1696index 03bac83..5b0b64d 100644
1697--- a/testdata/val_ta_algo_dnskey.rpl
1698+++ b/testdata/val_ta_algo_dnskey.rpl
1699@@ -9,6 +9,7 @@ server:
1700 fake-sha1: yes
1701 trust-anchor-signaling: no
1702 minimal-responses: no
1703+ iter-scrub-promiscuous: no
1704
1705 stub-zone:
1706 name: "."
1707diff --git a/testdata/val_ta_algo_dnskey_dp.rpl b/testdata/val_ta_algo_dnskey_dp.rpl
1708index 2b3609b..ae0c499 100644
1709--- a/testdata/val_ta_algo_dnskey_dp.rpl
1710+++ b/testdata/val_ta_algo_dnskey_dp.rpl
1711@@ -10,6 +10,7 @@ server:
1712 fake-sha1: yes
1713 trust-anchor-signaling: no
1714 minimal-responses: no
1715+ iter-scrub-promiscuous: no
1716
1717 stub-zone:
1718 name: "."
1719diff --git a/testdata/val_ta_algo_missing_dp.rpl b/testdata/val_ta_algo_missing_dp.rpl
1720index dc55a09..14efdec 100644
1721--- a/testdata/val_ta_algo_missing_dp.rpl
1722+++ b/testdata/val_ta_algo_missing_dp.rpl
1723@@ -11,6 +11,7 @@ server:
1724 fake-sha1: yes
1725 trust-anchor-signaling: no
1726 minimal-responses: no
1727+ iter-scrub-promiscuous: no
1728
1729 stub-zone:
1730 name: "."
1731diff --git a/testdata/val_twocname.rpl b/testdata/val_twocname.rpl
1732index bc7c3bc..b432364 100644
1733--- a/testdata/val_twocname.rpl
1734+++ b/testdata/val_twocname.rpl
1735@@ -5,6 +5,7 @@ server:
1736 fake-sha1: yes
1737 trust-anchor-signaling: no
1738 minimal-responses: no
1739+ iter-scrub-promiscuous: no
1740 rrset-roundrobin: no
1741
1742 forward-zone:
1743diff --git a/testdata/val_unalgo_anchor.rpl b/testdata/val_unalgo_anchor.rpl
1744index fbbf288..a935201 100644
1745--- a/testdata/val_unalgo_anchor.rpl
1746+++ b/testdata/val_unalgo_anchor.rpl
1747@@ -7,6 +7,7 @@ server:
1748 qname-minimisation: "no"
1749 fake-sha1: yes
1750 minimal-responses: no
1751+ iter-scrub-promiscuous: no
1752
1753 stub-zone:
1754 name: "."
1755diff --git a/testdata/val_wild_pos.rpl b/testdata/val_wild_pos.rpl
1756index 624d8e0..9fafa65 100644
1757--- a/testdata/val_wild_pos.rpl
1758+++ b/testdata/val_wild_pos.rpl
1759@@ -8,6 +8,7 @@ server:
1760 fake-sha1: yes
1761 trust-anchor-signaling: no
1762 minimal-responses: no
1763+ iter-scrub-promiscuous: no
1764
1765 stub-zone:
1766 name: "."
1767diff --git a/testdata/views.rpl b/testdata/views.rpl
1768index 6a9052f..a602624 100644
1769--- a/testdata/views.rpl
1770+++ b/testdata/views.rpl
1771@@ -3,6 +3,7 @@ server:
1772 target-fetch-policy: "0 0 0 0 0"
1773 qname-minimisation: "no"
1774 minimal-responses: no
1775+ iter-scrub-promiscuous: no
1776
1777 access-control: 10.10.10.0/24 allow
1778 access-control-view: 10.10.10.10/32 "view1"
1779diff --git a/util/config_file.c b/util/config_file.c
1780index c403d74..a2fefde 100644
1781--- a/util/config_file.c
1782+++ b/util/config_file.c
1783@@ -404,6 +404,7 @@ config_create(void)
1784 cfg->ipset_name_v6 = NULL;
1785 #endif
1786 cfg->ede = 0;
1787+ cfg->iter_scrub_promiscuous = 1;
1788 return cfg;
1789 error_exit:
1790 config_delete(cfg);
1791@@ -712,6 +713,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
1792 else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout)
1793 else S_YNO("ede:", ede)
1794 else S_YNO("ede-serve-expired:", ede_serve_expired)
1795+ else S_YNO("iter-scrub-promiscuous:", iter_scrub_promiscuous)
1796 else S_YNO("serve-original-ttl:", serve_original_ttl)
1797 else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
1798 else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode)
1799@@ -1175,6 +1177,7 @@ config_get_option(struct config_file* cfg, const char* opt,
1800 else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout)
1801 else O_YNO(opt, "ede", ede)
1802 else O_YNO(opt, "ede-serve-expired", ede_serve_expired)
1803+ else O_YNO(opt, "iter-scrub-promiscuous", iter_scrub_promiscuous)
1804 else O_YNO(opt, "serve-original-ttl", serve_original_ttl)
1805 else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
1806 else O_YNO(opt, "zonemd-permissive-mode", zonemd_permissive_mode)
1807diff --git a/util/config_file.h b/util/config_file.h
1808index 7ded3c2..b037261 100644
1809--- a/util/config_file.h
1810+++ b/util/config_file.h
1811@@ -752,6 +752,9 @@ struct config_file {
1812 #endif
1813 /** respond with Extended DNS Errors (RFC8914) */
1814 int ede;
1815+ /** Should the iterator scrub promiscuous NS rrsets, from positive
1816+ * answers. */
1817+ int iter_scrub_promiscuous;
1818 };
1819
1820 /** from cfg username, after daemonize setup performed */
1821diff --git a/util/configlexer.lex b/util/configlexer.lex
1822index 7455f50..5e9a355 100644
1823--- a/util/configlexer.lex
1824+++ b/util/configlexer.lex
1825@@ -584,6 +584,7 @@ edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) }
1826 nsid{COLON} { YDVAR(1, VAR_NSID ) }
1827 ede{COLON} { YDVAR(1, VAR_EDE ) }
1828 proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) }
1829+iter-scrub-promiscuous{COLON} { YDVAR(1, VAR_ITER_SCRUB_PROMISCUOUS) }
1830 <INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
1831
1832 /* Quoted strings. Strip leading and ending quotes */
1833diff --git a/util/configparser.y b/util/configparser.y
1834index 7d95690..ab99aa0 100644
1835--- a/util/configparser.y
1836+++ b/util/configparser.y
1837@@ -203,6 +203,7 @@ extern struct config_parser_state* cfg_parser;
1838 %token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO
1839 %token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE
1840 %token VAR_LOG_DESTADDR
1841+%token VAR_ITER_SCRUB_PROMISCUOUS
1842
1843 %%
1844 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
1845@@ -339,7 +340,8 @@ content_server: server_num_threads | server_verbosity | server_port |
1846 server_interface_automatic_ports | server_ede |
1847 server_proxy_protocol_port | server_statistics_inhibit_zero |
1848 server_harden_unknown_additional | server_disable_edns_do |
1849- server_log_destaddr
1850+ server_log_destaddr |
1851+ server_iter_scrub_promiscuous
1852 ;
1853 stubstart: VAR_STUB_ZONE
1854 {
1855@@ -3945,6 +3947,16 @@ server_cookie_secret: VAR_COOKIE_SECRET STRING_ARG
1856 free($2);
1857 }
1858 ;
1859+server_iter_scrub_promiscuous: VAR_ITER_SCRUB_PROMISCUOUS STRING_ARG
1860+ {
1861+ OUTYY(("P(server_iter_scrub_promiscuous:%s)\n", $2));
1862+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
1863+ yyerror("expected yes or no.");
1864+ else cfg_parser->cfg->iter_scrub_promiscuous =
1865+ (strcmp($2, "yes")==0);
1866+ free($2);
1867+ }
1868+ ;
1869 ipsetstart: VAR_IPSET
1870 {
1871 OUTYY(("\nP(ipset:)\n"));
1872--
18732.34.1
1874
diff --git a/meta-networking/recipes-support/unbound/unbound/0002-CVE-2025-11411-2.patch b/meta-networking/recipes-support/unbound/unbound/0002-CVE-2025-11411-2.patch
new file mode 100644
index 0000000000..382c9f7c64
--- /dev/null
+++ b/meta-networking/recipes-support/unbound/unbound/0002-CVE-2025-11411-2.patch
@@ -0,0 +1,153 @@
1From f6269baa605d31859f28770e01a24e3677e5f82c Mon Sep 17 00:00:00 2001
2From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
3Date: Wed, 26 Nov 2025 11:09:40 +0100
4Subject: [PATCH] - Additional fix for CVE-2025-11411 (possible domain
5 hijacking attack), to include YXDOMAIN and non-referral nodata answers in
6 the mitigation as well, reported by TaoFei Guo from Peking University, Yang
7 Luo and JianJun Chen from Tsinghua University.
8
9CVE: CVE-2025-11411
10Upstream-Status: Backport [https://github.com/NLnetLabs/unbound/commit/f6269baa605d31859f28770e01a24e3677e5f82c]
11
12Comment: Patch refreshed
13
14Signed-off-by: Jackson James <jacksonj2@kpit.com>
15---
16 iterator/iter_scrub.c | 39 +++++++++++++++++++++---
17 testdata/ratelimit.tdir/ratelimit.testns | 30 ++++++++++++++----
18 2 files changed, 59 insertions(+), 10 deletions(-)
19
20diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
21index cc12f97..02f1b48 100644
22--- a/iterator/iter_scrub.c
23+++ b/iterator/iter_scrub.c
24@@ -377,19 +377,21 @@ type_allowed_in_additional_section(uint16_t tp)
25 * @param qinfo: original query.
26 * @param region: where to allocate synthesized CNAMEs.
27 * @param env: module env with config options.
28+ * @param zonename: name of server zone.
29 * @return 0 on error.
30 */
31 static int
32 scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
33 struct query_info* qinfo, struct regional* region,
34- struct module_env* env)
35+ struct module_env* env, uint8_t* zonename)
36 {
37 uint8_t* sname = qinfo->qname;
38 size_t snamelen = qinfo->qname_len;
39 struct rrset_parse* rrset, *prev, *nsset=NULL;
40
41 if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR &&
42- FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN)
43+ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN &&
44+ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_YXDOMAIN)
45 return 1;
46
47 /* For the ANSWER section, remove all "irrelevant" records and add
48@@ -418,6 +420,11 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
49 &aliaslen, pkt)) {
50 verbose(VERB_ALGO, "synthesized CNAME "
51 "too long");
52+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) {
53+ prev = rrset;
54+ rrset = rrset->rrset_all_next;
55+ continue;
56+ }
57 return 0;
58 }
59 if(nx && nx->type == LDNS_RR_TYPE_CNAME &&
60@@ -587,6 +594,29 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
61 "RRset:", pkt, msg, prev, &rrset);
62 continue;
63 }
64+ /* Also delete promiscuous NS for other RCODEs */
65+ if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR
66+ && env->cfg->iter_scrub_promiscuous) {
67+ remove_rrset("normalize: removing promiscuous "
68+ "RRset:", pkt, msg, prev, &rrset);
69+ continue;
70+ }
71+ /* Also delete promiscuous NS for NOERROR with nodata
72+ * for authoritative answers, not for delegations.
73+ * NOERROR with an_rrsets!=0 already handled.
74+ * Also NOERROR and soa_in_auth already handled.
75+ * NOERROR with an_rrsets==0, and not a referral.
76+ * referral is (NS not the zonename, noSOA).
77+ */
78+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR
79+ && msg->an_rrsets == 0
80+ && !(dname_pkt_compare(pkt, rrset->dname,
81+ zonename) != 0 && !soa_in_auth(msg))
82+ && env->cfg->iter_scrub_promiscuous) {
83+ remove_rrset("normalize: removing promiscuous "
84+ "RRset:", pkt, msg, prev, &rrset);
85+ continue;
86+ }
87 if(nsset == NULL) {
88 nsset = rrset;
89 } else {
90@@ -947,7 +977,8 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
91 /* this is not required for basic operation but is a forgery
92 * resistance (security) feature */
93 if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR ||
94- FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) &&
95+ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN ||
96+ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) &&
97 msg->qdcount == 0)
98 return 0;
99
100@@ -961,7 +992,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
101 }
102
103 /* normalize the response, this cleans up the additional. */
104- if(!scrub_normalize(pkt, msg, qinfo, region, env))
105+ if(!scrub_normalize(pkt, msg, qinfo, region, env, zonename))
106 return 0;
107 /* delete all out-of-zone information */
108 if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate))
109diff --git a/testdata/ratelimit.tdir/ratelimit.testns b/testdata/ratelimit.tdir/ratelimit.testns
110index 563c1db..5c22c29 100644
111--- a/testdata/ratelimit.tdir/ratelimit.testns
112+++ b/testdata/ratelimit.tdir/ratelimit.testns
113@@ -3,13 +3,31 @@ $ORIGIN example.com.
114 $TTL 3600
115
116 ENTRY_BEGIN
117-MATCH opcode qtype
118+MATCH opcode qname qtype
119 REPLY QR AA NOERROR
120-ADJUST copy_id copy_query
121+ADJUST copy_id
122 SECTION QUESTION
123-wild IN A
124+www1 IN A
125 SECTION ANSWER
126-wild IN A 10.20.30.40
127-SECTION AUTHORITY
128-example.com. IN NS ns.example.com.
129+www1 IN A 1.1.1.1
130+ENTRY_END
131+
132+ENTRY_BEGIN
133+MATCH opcode qname qtype
134+REPLY QR AA NOERROR
135+ADJUST copy_id
136+SECTION QUESTION
137+www2 IN A
138+SECTION ANSWER
139+www2 IN A 2.2.2.2
140+ENTRY_END
141+
142+ENTRY_BEGIN
143+MATCH opcode qname qtype
144+REPLY QR AA NOERROR
145+ADJUST copy_id
146+SECTION QUESTION
147+www3 IN A
148+SECTION ANSWER
149+www3 IN A 3.3.3.3
150 ENTRY_END
151--
1522.34.1
153
diff --git a/meta-networking/recipes-support/unbound/unbound/CVE-2025-11411.patch b/meta-networking/recipes-support/unbound/unbound/CVE-2025-11411.patch
deleted file mode 100644
index a653090770..0000000000
--- a/meta-networking/recipes-support/unbound/unbound/CVE-2025-11411.patch
+++ /dev/null
@@ -1,48 +0,0 @@
1From 98fac0b396e1e85a6345baa59fc178b1f51759b8 Mon Sep 17 00:00:00 2001
2From: Patrick Vogelaar <patrick.vogelaar@belden.com>
3Date: Wed, 29 Oct 2025 13:33:23 +0100
4Subject: [PATCH] Fix CVE-2025-11411 (possible domain hijacking attack)
5
6This fixes CVE-2025-11411 by applying the minimal patch [1] listed in [2]
7
8[1] https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411.diff
9[2] https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
10
11CVE: CVE-2025-11411
12Upstream-Status: Backport [minimal backport of https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852]
13
14Signed-off-by: Patrick Vogelaar <patrick.vogelaar@belden.com>
15---
16 iterator/iter_scrub.c | 16 ++++++++++++++++
17 1 file changed, 16 insertions(+)
18
19diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
20index 48867e50..5beaa048 100644
21--- a/iterator/iter_scrub.c
22+++ b/iterator/iter_scrub.c
23@@ -571,6 +571,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
24 "RRset:", pkt, msg, prev, &rrset);
25 continue;
26 }
27+ /* If the NS set is a promiscuous NS set, scrub that
28+ * to remove potential for poisonous contents that
29+ * affects other names in the same zone. Remove
30+ * promiscuous NS sets in positive answers, that
31+ * thus have records in the answer section. Nodata
32+ * and nxdomain promiscuous NS sets have been removed
33+ * already. Since the NS rrset is scrubbed, its
34+ * address records are also not marked to be allowed
35+ * and are removed later. */
36+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
37+ msg->an_rrsets != 0 &&
38+ 1 /* env->cfg->iter_scrub_promiscuous */) {
39+ remove_rrset("normalize: removing promiscuous "
40+ "RRset:", pkt, msg, prev, &rrset);
41+ continue;
42+ }
43 if(nsset == NULL) {
44 nsset = rrset;
45 } else {
46--
472.34.1
48
diff --git a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb
index 7e3e37406f..6841049ac5 100644
--- a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb
+++ b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb
@@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5308494bc0590c0cb036afd781d78f06"
12SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=https;nobranch=1 \ 12SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=https;nobranch=1 \
13 file://CVE-2024-8508.patch \ 13 file://CVE-2024-8508.patch \
14 file://CVE-2024-33655.patch \ 14 file://CVE-2024-33655.patch \
15 file://CVE-2025-11411.patch \ 15 file://0001-CVE-2025-11411-1.patch \
16 file://0002-CVE-2025-11411-2.patch \
16 file://CVE-2024-43167.patch \ 17 file://CVE-2024-43167.patch \
17 file://CVE-2024-43168_1.patch \ 18 file://CVE-2024-43168_1.patch \
18 file://CVE-2024-43168_2.patch \ 19 file://CVE-2024-43168_2.patch \