unbound/testdata/iter_ns_spoof.rpl

; config options
server:
	harden-referral-path: yes
	target-fetch-policy: "0 0 0 0 0"
	qname-minimisation: "no"
stub-zone:
	name: "."
	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
CONFIG_END

SCENARIO_BEGIN Test NS record spoof protection.

; K.ROOT-SERVERS.NET.
RANGE_BEGIN 0 100
	ADDRESS 193.0.14.129 
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
. IN NS
SECTION ANSWER
. IN NS	K.ROOT-SERVERS.NET.
SECTION ADDITIONAL
K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
com.	IN NS
SECTION AUTHORITY
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END

; for simplicity the root server is authoritative for root-servers.net
; and also for gtld-servers.net
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
K.ROOT-SERVERS.NET.	IN	A
SECTION ANSWER
K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
a.gtld-servers.net.	IN 	A
SECTION ANSWER
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END

RANGE_END

; a.gtld-servers.net.
RANGE_BEGIN 0 100
	ADDRESS 192.5.6.30
ENTRY_BEGIN
MATCH opcode subdomain
ADJUST copy_id copy_query
REPLY QR NOERROR
SECTION QUESTION
example.com.	IN NS
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
com.	IN NS
SECTION ANSWER
com.	IN NS	a.gtld-servers.net.
SECTION ADDITIONAL
a.gtld-servers.net.	IN 	A	192.5.6.30
ENTRY_END
RANGE_END

; ns.example.com.
RANGE_BEGIN 0 100
	ADDRESS 1.2.3.4
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A	10.20.30.40
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
mail.example.com. IN A	10.20.30.50
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
example.com. IN NS
SECTION ANSWER
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR AA NOERROR
SECTION QUESTION
ns.example.com. IN A
SECTION ANSWER
ns.example.com.		IN 	A	1.2.3.4
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
ENTRY_END

;; answer to the spoofed query ; spoofed reply answer.
; here we put it in the nameserver for ease.
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
bad123.example.com. IN A
SECTION ANSWER
bad123.example.com. IN A	6.6.6.6
SECTION AUTHORITY
; evil NS set.
example.com.	IN NS	bad123.example.com.
ENTRY_END

RANGE_END

; evil server
RANGE_BEGIN 0 100
	ADDRESS 6.6.6.6
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A	6.6.6.6
SECTION AUTHORITY
example.com.	IN NS	bad123.example.com.
SECTION ADDITIONAL
bad123.example.com. IN A	6.6.6.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
mail.example.com. IN A	6.6.6.6
SECTION AUTHORITY
example.com.	IN NS	bad123.example.com.
SECTION ADDITIONAL
bad123.example.com. IN A	6.6.6.6
ENTRY_END

ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
bad123.example.com. IN A
SECTION ANSWER
bad123.example.com. IN A	6.6.6.6
SECTION AUTHORITY
; evil NS set.
example.com.	IN NS	bad123.example.com.
ENTRY_END
RANGE_END

STEP 1 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
www.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 10 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
www.example.com. IN A
SECTION ANSWER
www.example.com. IN A	10.20.30.40
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

; spoofed query
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
bad123.example.com. IN A
ENTRY_END

; recursion happens here.
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
; no matching here, just accept the answer to the spoofed query.
; it is wrong, but only one query ...
; this test is to check further on, that we still have the right nameserver.
;MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
bad123.example.com. IN A
SECTION ANSWER
bad123.example.com. IN A	6.6.6.6
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

; a new query 
STEP 40 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
mail.example.com. IN A
ENTRY_END

STEP 50 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
mail.example.com. IN A
SECTION ANSWER
mail.example.com. IN A 	10.20.30.50
SECTION AUTHORITY
example.com.	IN NS	ns.example.com.
SECTION ADDITIONAL
ns.example.com.		IN 	A	1.2.3.4
ENTRY_END

SCENARIO_END
- Fixup rrset security updates overwriting 2181 trust status. This makes validated to be insecure data just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them. - Fix assertion fail on bogus key handling. - dnssec lameness detection works on first query at trust apex. - NS queries get proper cache and dnssec lameness treatment. - fixup compilation without pthreads on linux. - NS queries are done after every referral. validator is used on those NS records (if anchors enabled). git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-12 10:13:57 +00:00			`; config options`
new NS queries is not an option (off by default). git-svn-id: file:///svn/unbound/trunk@1219 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-29 14:46:08 +00:00			`server:`
			`harden-referral-path: yes`
Fixup for problems with do-ip6: no and only ipv6 addresses. git-svn-id: file:///svn/unbound/trunk@1353 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-11-17 12:47:34 +00:00			`target-fetch-policy: "0 0 0 0 0"`
- Qname minimisation default changed to yes. git-svn-id: file:///svn/unbound/trunk@4685 be551aaa-1e26-0410-a405-d3ace91eadb9 2018-05-17 10:33:19 +00:00			`qname-minimisation: "no"`
- Fixup rrset security updates overwriting 2181 trust status. This makes validated to be insecure data just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them. - Fix assertion fail on bogus key handling. - dnssec lameness detection works on first query at trust apex. - NS queries get proper cache and dnssec lameness treatment. - fixup compilation without pthreads on linux. - NS queries are done after every referral. validator is used on those NS records (if anchors enabled). git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-12 10:13:57 +00:00			`stub-zone:`
			`name: "."`
			`stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.`
			`CONFIG_END`

			`SCENARIO_BEGIN Test NS record spoof protection.`

			`; K.ROOT-SERVERS.NET.`
			`RANGE_BEGIN 0 100`
			`ADDRESS 193.0.14.129`
			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR NOERROR`
			`SECTION QUESTION`
			`. IN NS`
			`SECTION ANSWER`
			`. IN NS K.ROOT-SERVERS.NET.`
			`SECTION ADDITIONAL`
			`K.ROOT-SERVERS.NET. IN A 193.0.14.129`
			`ENTRY_END`

			`ENTRY_BEGIN`
Referral path checking, for spoof mitigation, improved. git-svn-id: file:///svn/unbound/trunk@1305 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-10-15 13:32:49 +00:00			`MATCH opcode subdomain`
			`ADJUST copy_id copy_query`
- Fixup rrset security updates overwriting 2181 trust status. This makes validated to be insecure data just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them. - Fix assertion fail on bogus key handling. - dnssec lameness detection works on first query at trust apex. - NS queries get proper cache and dnssec lameness treatment. - fixup compilation without pthreads on linux. - NS queries are done after every referral. validator is used on those NS records (if anchors enabled). git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-12 10:13:57 +00:00			`REPLY QR NOERROR`
			`SECTION QUESTION`
Referral path checking, for spoof mitigation, improved. git-svn-id: file:///svn/unbound/trunk@1305 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-10-15 13:32:49 +00:00			`com. IN NS`
- Fixup rrset security updates overwriting 2181 trust status. This makes validated to be insecure data just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them. - Fix assertion fail on bogus key handling. - dnssec lameness detection works on first query at trust apex. - NS queries get proper cache and dnssec lameness treatment. - fixup compilation without pthreads on linux. - NS queries are done after every referral. validator is used on those NS records (if anchors enabled). git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-12 10:13:57 +00:00			`SECTION AUTHORITY`
			`com. IN NS a.gtld-servers.net.`
			`SECTION ADDITIONAL`
			`a.gtld-servers.net. IN A 192.5.6.30`
			`ENTRY_END`
Referral path checking, for spoof mitigation, improved. git-svn-id: file:///svn/unbound/trunk@1305 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-10-15 13:32:49 +00:00
			`; for simplicity the root server is authoritative for root-servers.net`
			`; and also for gtld-servers.net`
			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR AA NOERROR`
			`SECTION QUESTION`
			`K.ROOT-SERVERS.NET. IN A`
			`SECTION ANSWER`
			`K.ROOT-SERVERS.NET. IN A 193.0.14.129`
			`ENTRY_END`

			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR AA NOERROR`
			`SECTION QUESTION`
			`a.gtld-servers.net. IN A`
			`SECTION ANSWER`
			`a.gtld-servers.net. IN A 192.5.6.30`
			`ENTRY_END`

- Fixup rrset security updates overwriting 2181 trust status. This makes validated to be insecure data just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them. - Fix assertion fail on bogus key handling. - dnssec lameness detection works on first query at trust apex. - NS queries get proper cache and dnssec lameness treatment. - fixup compilation without pthreads on linux. - NS queries are done after every referral. validator is used on those NS records (if anchors enabled). git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-12 10:13:57 +00:00			`RANGE_END`

			`; a.gtld-servers.net.`
			`RANGE_BEGIN 0 100`
			`ADDRESS 192.5.6.30`
			`ENTRY_BEGIN`
Referral path checking, for spoof mitigation, improved. git-svn-id: file:///svn/unbound/trunk@1305 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-10-15 13:32:49 +00:00			`MATCH opcode subdomain`
			`ADJUST copy_id copy_query`
- Fixup rrset security updates overwriting 2181 trust status. This makes validated to be insecure data just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them. - Fix assertion fail on bogus key handling. - dnssec lameness detection works on first query at trust apex. - NS queries get proper cache and dnssec lameness treatment. - fixup compilation without pthreads on linux. - NS queries are done after every referral. validator is used on those NS records (if anchors enabled). git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-12 10:13:57 +00:00			`REPLY QR NOERROR`
			`SECTION QUESTION`
Referral path checking, for spoof mitigation, improved. git-svn-id: file:///svn/unbound/trunk@1305 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-10-15 13:32:49 +00:00			`example.com. IN NS`
- Fixup rrset security updates overwriting 2181 trust status. This makes validated to be insecure data just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them. - Fix assertion fail on bogus key handling. - dnssec lameness detection works on first query at trust apex. - NS queries get proper cache and dnssec lameness treatment. - fixup compilation without pthreads on linux. - NS queries are done after every referral. validator is used on those NS records (if anchors enabled). git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-12 10:13:57 +00:00			`SECTION AUTHORITY`
			`example.com. IN NS ns.example.com.`
			`SECTION ADDITIONAL`
			`ns.example.com. IN A 1.2.3.4`
			`ENTRY_END`

			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR NOERROR`
			`SECTION QUESTION`
Referral path checking, for spoof mitigation, improved. git-svn-id: file:///svn/unbound/trunk@1305 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-10-15 13:32:49 +00:00			`com. IN NS`
- Fixup rrset security updates overwriting 2181 trust status. This makes validated to be insecure data just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them. - Fix assertion fail on bogus key handling. - dnssec lameness detection works on first query at trust apex. - NS queries get proper cache and dnssec lameness treatment. - fixup compilation without pthreads on linux. - NS queries are done after every referral. validator is used on those NS records (if anchors enabled). git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-12 10:13:57 +00:00			`SECTION ANSWER`
			`com. IN NS a.gtld-servers.net.`
			`SECTION ADDITIONAL`
			`a.gtld-servers.net. IN A 192.5.6.30`
			`ENTRY_END`
			`RANGE_END`

			`; ns.example.com.`
			`RANGE_BEGIN 0 100`
			`ADDRESS 1.2.3.4`
			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR NOERROR`
			`SECTION QUESTION`
			`www.example.com. IN A`
			`SECTION ANSWER`
			`www.example.com. IN A 10.20.30.40`
			`SECTION AUTHORITY`
			`example.com. IN NS ns.example.com.`
			`SECTION ADDITIONAL`
			`ns.example.com. IN A 1.2.3.4`
			`ENTRY_END`

			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR NOERROR`
			`SECTION QUESTION`
			`mail.example.com. IN A`
			`SECTION ANSWER`
			`mail.example.com. IN A 10.20.30.50`
			`SECTION AUTHORITY`
			`example.com. IN NS ns.example.com.`
			`SECTION ADDITIONAL`
			`ns.example.com. IN A 1.2.3.4`
			`ENTRY_END`

			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR AA NOERROR`
			`SECTION QUESTION`
			`example.com. IN NS`
			`SECTION ANSWER`
			`example.com. IN NS ns.example.com.`
			`SECTION ADDITIONAL`
			`ns.example.com. IN A 1.2.3.4`
			`ENTRY_END`

Referral path checking, for spoof mitigation, improved. git-svn-id: file:///svn/unbound/trunk@1305 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-10-15 13:32:49 +00:00			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR AA NOERROR`
			`SECTION QUESTION`
			`ns.example.com. IN A`
			`SECTION ANSWER`
			`ns.example.com. IN A 1.2.3.4`
			`SECTION AUTHORITY`
			`example.com. IN NS ns.example.com.`
			`ENTRY_END`

- Fixup rrset security updates overwriting 2181 trust status. This makes validated to be insecure data just as worthless as nonvalidated data, and 2181 rules prevent cache overwrites to them. - Fix assertion fail on bogus key handling. - dnssec lameness detection works on first query at trust apex. - NS queries get proper cache and dnssec lameness treatment. - fixup compilation without pthreads on linux. - NS queries are done after every referral. validator is used on those NS records (if anchors enabled). git-svn-id: file:///svn/unbound/trunk@1185 be551aaa-1e26-0410-a405-d3ace91eadb9 2008-08-12 10:13:57 +00:00			`;; answer to the spoofed query ; spoofed reply answer.`
			`; here we put it in the nameserver for ease.`
			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR NOERROR`
			`SECTION QUESTION`
			`bad123.example.com. IN A`
			`SECTION ANSWER`
			`bad123.example.com. IN A 6.6.6.6`
			`SECTION AUTHORITY`
			`; evil NS set.`
			`example.com. IN NS bad123.example.com.`
			`ENTRY_END`

			`RANGE_END`

			`; evil server`
			`RANGE_BEGIN 0 100`
			`ADDRESS 6.6.6.6`
			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR NOERROR`
			`SECTION QUESTION`
			`www.example.com. IN A`
			`SECTION ANSWER`
			`www.example.com. IN A 6.6.6.6`
			`SECTION AUTHORITY`
			`example.com. IN NS bad123.example.com.`
			`SECTION ADDITIONAL`
			`bad123.example.com. IN A 6.6.6.6`
			`ENTRY_END`

			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR NOERROR`
			`SECTION QUESTION`
			`mail.example.com. IN A`
			`SECTION ANSWER`
			`mail.example.com. IN A 6.6.6.6`
			`SECTION AUTHORITY`
			`example.com. IN NS bad123.example.com.`
			`SECTION ADDITIONAL`
			`bad123.example.com. IN A 6.6.6.6`
			`ENTRY_END`

			`ENTRY_BEGIN`
			`MATCH opcode qtype qname`
			`ADJUST copy_id`
			`REPLY QR NOERROR`
			`SECTION QUESTION`
			`bad123.example.com. IN A`
			`SECTION ANSWER`
			`bad123.example.com. IN A 6.6.6.6`
			`SECTION AUTHORITY`
			`; evil NS set.`
			`example.com. IN NS bad123.example.com.`
			`ENTRY_END`
			`RANGE_END`

			`STEP 1 QUERY`
			`ENTRY_BEGIN`
			`REPLY RD`
			`SECTION QUESTION`
			`www.example.com. IN A`
			`ENTRY_END`

			`; recursion happens here.`
			`STEP 10 CHECK_ANSWER`
			`ENTRY_BEGIN`
			`MATCH all`
			`REPLY QR RD RA NOERROR`
			`SECTION QUESTION`
			`www.example.com. IN A`
			`SECTION ANSWER`
			`www.example.com. IN A 10.20.30.40`
			`SECTION AUTHORITY`
			`example.com. IN NS ns.example.com.`
			`SECTION ADDITIONAL`
			`ns.example.com. IN A 1.2.3.4`
			`ENTRY_END`

			`; spoofed query`
			`STEP 20 QUERY`
			`ENTRY_BEGIN`
			`REPLY RD`
			`SECTION QUESTION`
			`bad123.example.com. IN A`
			`ENTRY_END`

			`; recursion happens here.`
			`STEP 30 CHECK_ANSWER`
			`ENTRY_BEGIN`
			`; no matching here, just accept the answer to the spoofed query.`
			`; it is wrong, but only one query ...`
			`; this test is to check further on, that we still have the right nameserver.`
			`;MATCH all`
			`REPLY QR RD RA NOERROR`
			`SECTION QUESTION`
			`bad123.example.com. IN A`
			`SECTION ANSWER`
			`bad123.example.com. IN A 6.6.6.6`
			`SECTION AUTHORITY`
			`example.com. IN NS ns.example.com.`
			`SECTION ADDITIONAL`
			`ns.example.com. IN A 1.2.3.4`
			`ENTRY_END`

			`; a new query`
			`STEP 40 QUERY`
			`ENTRY_BEGIN`
			`REPLY RD`
			`SECTION QUESTION`
			`mail.example.com. IN A`
			`ENTRY_END`

			`STEP 50 CHECK_ANSWER`
			`ENTRY_BEGIN`
			`MATCH all`
			`REPLY QR RD RA NOERROR`
			`SECTION QUESTION`
			`mail.example.com. IN A`
			`SECTION ANSWER`
			`mail.example.com. IN A 10.20.30.50`
			`SECTION AUTHORITY`
			`example.com. IN NS ns.example.com.`
			`SECTION ADDITIONAL`
			`ns.example.com. IN A 1.2.3.4`
			`ENTRY_END`

			`SCENARIO_END`