; subnet unit test server: trust-anchor-signaling: no send-client-subnet: 1.2.3.4 send-client-subnet: 1.2.3.5 target-fetch-policy: "0 0 0 0 0" module-config: "subnetcache validator iterator" qname-minimisation: no minimal-responses: no stub-zone: name: "example.com" stub-addr: 1.2.3.4 CONFIG_END SCENARIO_BEGIN Test subnetcache source prefix zero from client. ; In RFC7871 section-7.1.2 (para. 2). ; It says that the recursor must send no EDNS subnet or its own address ; in the EDNS subnet to the upstream server. And use that answer for the ; source prefix length zero query. That type of query is for privacy. ; The authority server is then going to use the resolver's IP, if any, to ; tailor the answer to the query source address. ; ns.example.com RANGE_BEGIN 0 100 ADDRESS 1.2.3.4 ; reply with 0.0.0.0/0 in reply ; For the test the answers for 0.0.0.0/0 queries are SERVFAIL, the normal ; answers are NOERROR. ENTRY_BEGIN MATCH opcode qtype qname ednsdata ADJUST copy_id REPLY QR AA DO SERVFAIL SECTION QUESTION www.example.com. IN A SECTION ANSWER www.example.com. IN CNAME star.c10r.example.com. SECTION ADDITIONAL HEX_EDNSDATA_BEGIN 00 08 00 04 ; OPCODE=subnet, optlen 00 01 00 00 ; ip4, scope 0, source 0 ; 0.0.0.0/0 HEX_EDNSDATA_END ENTRY_END ; reply without subnet ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR AA DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER www.example.com. IN CNAME star.c10r.example.com. ENTRY_END ; delegation answer for c10r.example.com, with subnet /0 ENTRY_BEGIN MATCH opcode subdomain ednsdata ADJUST copy_id copy_query REPLY QR DO SERVFAIL SECTION QUESTION c10r.example.com. IN NS SECTION AUTHORITY c10r.example.com. IN NS ns.c10r.example.com. SECTION ADDITIONAL ns.c10r.example.com. IN A 1.2.3.5 HEX_EDNSDATA_BEGIN 00 08 00 04 ; OPCODE=subnet, optlen 00 01 00 00 ; ip4, scope 0, source 0 ; 0.0.0.0/0 HEX_EDNSDATA_END ENTRY_END ; delegation answer for c10r.example.com, without subnet ENTRY_BEGIN MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR DO NOERROR SECTION QUESTION c10r.example.com. IN NS SECTION AUTHORITY c10r.example.com. IN NS ns.c10r.example.com. SECTION ADDITIONAL ns.c10r.example.com. IN A 1.2.3.5 ENTRY_END RANGE_END ; ns.c10r.example.com RANGE_BEGIN 0 100 ADDRESS 1.2.3.5 ; reply with 0.0.0.0/0 in reply ENTRY_BEGIN MATCH opcode qtype qname ednsdata ADJUST copy_id REPLY QR AA DO SERVFAIL SECTION QUESTION star.c10r.example.com. IN A SECTION ANSWER star.c10r.example.com. IN A 1.2.3.6 SECTION ADDITIONAL HEX_EDNSDATA_BEGIN 00 08 00 04 ; OPCODE=subnet, optlen 00 01 00 00 ; ip4, scope 0, source 0 ; 0.0.0.0/0 HEX_EDNSDATA_END ENTRY_END ; reply without subnet ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR AA DO NOERROR SECTION QUESTION star.c10r.example.com. IN A SECTION ANSWER star.c10r.example.com. IN A 1.2.3.6 ENTRY_END RANGE_END ; ask for www.example.com ; server answers with CNAME to a delegation, that then ; returns a /24 answer. STEP 1 QUERY ENTRY_BEGIN REPLY RD DO SECTION QUESTION www.example.com. IN A SECTION ADDITIONAL HEX_EDNSDATA_BEGIN 00 08 00 04 ; OPCODE=subnet, optlen 00 01 00 00 ; ip4, scope 0, source 0 ; 0.0.0.0/0 HEX_EDNSDATA_END ENTRY_END STEP 10 CHECK_ANSWER ENTRY_BEGIN MATCH all ednsdata REPLY QR RD RA DO NOERROR SECTION QUESTION www.example.com. IN A SECTION ANSWER www.example.com. IN CNAME star.c10r.example.com. star.c10r.example.com. IN A 1.2.3.6 SECTION ADDITIONAL HEX_EDNSDATA_BEGIN 00 08 00 04 ; OPCODE=subnet, optlen 00 01 00 00 ; ip4, scope 0, source 0 ; 0.0.0.0/0 HEX_EDNSDATA_END ENTRY_END SCENARIO_END