Merge branch 'master' into ecs-serve-expired-bug

.gitignore

@@ -10,6 +10,7 @@
 /config.status
 /dnstap/dnstap_config.h
 /dnscrypt/dnscrypt_config.h
+/clubsyms.def
 /doc/example.conf
 /doc/libunbound.3
 /doc/unbound-anchor.8

contrib/aaaa-filter-iterator.patch

@@ -105,9 +105,9 @@ index 2482a1f4..bd5ba243 100644
 --- a/iterator/iter_utils.c
 +++ b/iterator/iter_utils.c
 @@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg)
- 	iter_env->supports_ipv6 = cfg->do_ip6;
- 	iter_env->supports_ipv4 = cfg->do_ip4;
  	iter_env->outbound_msg_retry = cfg->outbound_msg_retry;
+ 	iter_env->max_sent_count = cfg->max_sent_count;
+ 	iter_env->max_query_restarts = cfg->max_query_restarts;
 +	iter_env->aaaa_filter = cfg->aaaa_filter;
  	return 1;
  }

doc/Changelog

@@ -1,3 +1,25 @@
+10 February 2023: George
+	- Clean up iterator/iterator.c::error_response_cache() and allow for
+	  better interaction with serve-expired, prefetch and cached error
+	  responses.
+
+9 February 2023: George
+	- Allow TTL refresh of expired error responses.
+	- Add testcase for refreshing expired error responses.
+
+9 February 2023: Wouter
+	- Fix to ignore entirely empty responses, and try at another authority.
+	  This turns completely empty responses, a type of noerror/nodata into
+	  a servfail, but they do not conform to RFC2308, and the retry can
+	  fetch improved content.
+	- Fix unit tests for spurious empty messages.
+	- Fix consistency of unit test without roundrobin answers for the
+	  cnametooptout unit test.
+	- Fix to git ignore the library symbol file that configure can create.
+
+8 February 2023: Wouter
+	- Fix #841: Unbound won't build with aaaa-filter-iterator.patch.
+
 30 January 2023: George
 	- Add duration variable for speed_local.test.
 

iterator/iter_resptype.c

@@ -284,6 +284,13 @@ response_type_from_server(int rdset,
 
 	/* If we've gotten this far, this is NOERROR/NODATA (which could 
 	 * be an entirely empty message) */
+	/* but ignore entirely empty messages, noerror/nodata has a soa
+	 * negative ttl value in the authority section, this makes it try
+	 * again at another authority. And turns it from a 5 second empty
+	 * message into a 5 second servfail response. */
+	if(msg->rep->an_numrrsets == 0 && msg->rep->ns_numrrsets == 0 &&
+		msg->rep->ar_numrrsets == 0)
+		return RESPONSE_TYPE_THROWAWAY;
 	/* check if recursive answer; saying it has empty cache */
 	if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset)
 		return RESPONSE_TYPE_REC_LAME;

iterator/iterator.c

@@ -302,81 +302,65 @@ error_response(struct module_qstate* qstate, int id, int rcode)
 static int
 error_response_cache(struct module_qstate* qstate, int id, int rcode)
 {
-	if(!qstate->no_cache_store) {
-		/* store in cache */
-		struct reply_info err;
-		if(qstate->prefetch_leeway > NORR_TTL) {
-			verbose(VERB_ALGO, "error response for prefetch in cache");
-			/* attempt to adjust the cache entry prefetch */
-			if(dns_cache_prefetch_adjust(qstate->env, &qstate->qinfo,
-				NORR_TTL, qstate->query_flags))
-				return error_response(qstate, id, rcode);
-			/* if that fails (not in cache), fall through to store err */
-		}
-		if(qstate->env->cfg->serve_expired) {
-			/* if serving expired contents, and such content is
-			 * already available, don't overwrite this servfail */
-			struct msgreply_entry* msg;
-			if((msg=msg_cache_lookup(qstate->env,
-				qstate->qinfo.qname, qstate->qinfo.qname_len,
-				qstate->qinfo.qtype, qstate->qinfo.qclass,
-				qstate->query_flags, 0,
-				qstate->env->cfg->serve_expired_ttl_reset))
-				!= NULL) {
-				if(qstate->env->cfg->serve_expired_ttl_reset) {
-					struct reply_info* rep =
-						(struct reply_info*)msg->entry.data;
-					if(rep && *qstate->env->now +
-						qstate->env->cfg->serve_expired_ttl  >
-						rep->serve_expired_ttl) {
-						rep->serve_expired_ttl =
-							*qstate->env->now +
-							qstate->env->cfg->serve_expired_ttl;
-					}
-				}
-				lock_rw_unlock(&msg->entry.lock);
-				return error_response(qstate, id, rcode);
-			}
-			/* serving expired contents, but nothing is cached
-			 * at all, so the servfail cache entry is useful
-			 * (stops waste of time on this servfail NORR_TTL) */
-		} else {
-			/* don't overwrite existing (non-expired) data in
-			 * cache with a servfail */
-			struct msgreply_entry* msg;
-			if((msg=msg_cache_lookup(qstate->env,
-				qstate->qinfo.qname, qstate->qinfo.qname_len,
-				qstate->qinfo.qtype, qstate->qinfo.qclass,
-				qstate->query_flags, *qstate->env->now, 0))
-				!= NULL) {
-				struct reply_info* rep = (struct reply_info*)
-					msg->entry.data;
-				if(FLAGS_GET_RCODE(rep->flags) ==
-					LDNS_RCODE_NOERROR ||
-					FLAGS_GET_RCODE(rep->flags) ==
-					LDNS_RCODE_NXDOMAIN) {
-					/* we have a good entry,
-					 * don't overwrite */
-					lock_rw_unlock(&msg->entry.lock);
-					return error_response(qstate, id, rcode);
-				}
-				lock_rw_unlock(&msg->entry.lock);
-			}
-			
-		}
-		memset(&err, 0, sizeof(err));
-		err.flags = (uint16_t)(BIT_QR | BIT_RA);
-		FLAGS_SET_RCODE(err.flags, rcode);
-		err.qdcount = 1;
-		err.ttl = NORR_TTL;
-		err.prefetch_ttl = PREFETCH_TTL_CALC(err.ttl);
-		err.serve_expired_ttl = NORR_TTL;
-		/* do not waste time trying to validate this servfail */
-		err.security = sec_status_indeterminate;
-		verbose(VERB_ALGO, "store error response in message cache");
-		iter_dns_store(qstate->env, &qstate->qinfo, &err, 0, 0, 0, NULL,
-			qstate->query_flags, qstate->qstarttime);
+	struct reply_info err;
+	struct msgreply_entry* msg;
+	if(qstate->no_cache_store) {
+		return error_response(qstate, id, rcode);
 	}
+	if(qstate->prefetch_leeway > NORR_TTL) {
+		verbose(VERB_ALGO, "error response for prefetch in cache");
+		/* attempt to adjust the cache entry prefetch */
+		if(dns_cache_prefetch_adjust(qstate->env, &qstate->qinfo,
+			NORR_TTL, qstate->query_flags))
+			return error_response(qstate, id, rcode);
+		/* if that fails (not in cache), fall through to store err */
+	}
+	if((msg=msg_cache_lookup(qstate->env,
+		qstate->qinfo.qname, qstate->qinfo.qname_len,
+		qstate->qinfo.qtype, qstate->qinfo.qclass,
+		qstate->query_flags, 0,
+		qstate->env->cfg->serve_expired_ttl_reset)) != NULL) {
+		struct reply_info* rep = (struct reply_info*)msg->entry.data;
+		if(qstate->env->cfg->serve_expired &&
+			qstate->env->cfg->serve_expired_ttl_reset && rep &&
+			*qstate->env->now + qstate->env->cfg->serve_expired_ttl
+			> rep->serve_expired_ttl) {
+			verbose(VERB_ALGO, "reset serve-expired-ttl for "
+				"response in cache");
+			rep->serve_expired_ttl = *qstate->env->now +
+				qstate->env->cfg->serve_expired_ttl;
+		}
+		if(rep && (FLAGS_GET_RCODE(rep->flags) ==
+			LDNS_RCODE_NOERROR ||
+			FLAGS_GET_RCODE(rep->flags) ==
+			LDNS_RCODE_NXDOMAIN ||
+			FLAGS_GET_RCODE(rep->flags) ==
+			LDNS_RCODE_YXDOMAIN) &&
+			(qstate->env->cfg->serve_expired ||
+			*qstate->env->now <= rep->ttl)) {
+			/* we have a good entry, don't overwrite */
+			lock_rw_unlock(&msg->entry.lock);
+			return error_response(qstate, id, rcode);
+		}
+		lock_rw_unlock(&msg->entry.lock);
+		/* nothing interesting is cached (already error response or
+		 * expired good record when we don't serve expired), so this
+		 * servfail cache entry is useful (stops waste of time on this
+		 * servfail NORR_TTL) */
+	}
+	/* store in cache */
+	memset(&err, 0, sizeof(err));
+	err.flags = (uint16_t)(BIT_QR | BIT_RA);
+	FLAGS_SET_RCODE(err.flags, rcode);
+	err.qdcount = 1;
+	err.ttl = NORR_TTL;
+	err.prefetch_ttl = PREFETCH_TTL_CALC(err.ttl);
+	err.serve_expired_ttl = NORR_TTL;
+	/* do not waste time trying to validate this servfail */
+	err.security = sec_status_indeterminate;
+	verbose(VERB_ALGO, "store error response in message cache");
+	iter_dns_store(qstate->env, &qstate->qinfo, &err, 0, 0, 0, NULL,
+		qstate->query_flags, qstate->qstarttime);
 	return error_response(qstate, id, rcode);
 }
 

testdata/auth_xfr_host.rpl

@@ -84,6 +84,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 RANGE_END
 

testdata/autotrust_revtp_use.rpl

@@ -109,6 +109,8 @@ SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
 ; no AAAA
+SECTION AUTHORITY
+example.com.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 RANGE_END
 

testdata/iter_dnsseclame_bug.rpl

@@ -117,6 +117,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 e.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -126,6 +128,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 a.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; no example.net delegation answers yet.
@@ -156,6 +160,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 e.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -165,6 +171,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 a.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -287,6 +295,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.sub.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+sub.example.com.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 RANGE_END
 
@@ -321,6 +331,8 @@ ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; fine DNSKEY response.
@@ -417,6 +429,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.sub.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+sub.example.com.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; response to query of interest

testdata/iter_dnsseclame_ds.rpl

@@ -116,6 +116,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 e.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -125,6 +127,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 a.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -245,6 +249,9 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.sub.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+sub.example.com.	3600	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
+sub.example.com.	3600	IN	RRSIG	SOA 5 3 3600 20070926134150 20070829134150 30899 sub.example.com. o6B6mzZ2pzXRE9qBagNw+U5kZOCViyuYRObCJTMsEQn8kNzSIxOhuqjBoo0ifKmxvUmCxaNtsWaG4eDC+vCBdQ==
 ENTRY_END
 RANGE_END
 
@@ -279,6 +286,8 @@ ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; fine DNSKEY response.
@@ -375,6 +384,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.sub.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+sub.example.com.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; response to query of interest

testdata/iter_dnsseclame_ta.rpl

@@ -119,6 +119,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 a.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -128,6 +130,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 e.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -239,6 +243,9 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com.	3600	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AC23LvSspto6Zqctz05urK/2OKTnB+7nppMKInYkyjZbZotq2wjJA9s=
 ENTRY_END
 RANGE_END
 
@@ -261,6 +268,8 @@ ADJUST copy_id
 REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; lame DNSKEY response.

testdata/iter_donotq127.rpl

@@ -35,6 +35,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 a.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN

testdata/iter_emptydp.rpl

@@ -108,6 +108,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 a.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -156,6 +158,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; example.com. zone
@@ -180,7 +184,9 @@ REPLY QR NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
-; bogus
+SECTION AUTHORITY
+example.com.   3600    IN      SOA     ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com.   3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AC23LvSspto6Zqctz05urK/2OKTnB+7nppMKInYkyjZbZotq2wjJA9s=
 ENTRY_END
 
 ; response to DNSKEY priming query
@@ -261,6 +267,7 @@ SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
 SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 SECTION ADDITIONAL
 ENTRY_END
 

testdata/iter_emptydp_for_glue.rpl

@@ -135,6 +135,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 a.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -211,6 +213,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.org. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.org.    IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; example.net. zone
@@ -244,6 +248,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; example.com. zone
@@ -268,7 +274,9 @@ REPLY QR NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
-; bogus message.
+SECTION AUTHORITY
+example.com.   3600    IN      SOA     ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com.   3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AC23LvSspto6Zqctz05urK/2OKTnB+7nppMKInYkyjZbZotq2wjJA9s=
 ENTRY_END
 
 ; response to DNSKEY priming query
@@ -343,6 +351,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.org. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.org. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; example.net. zone
@@ -376,6 +386,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; example.com. zone
@@ -471,6 +483,7 @@ SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
 SECTION AUTHORITY
+example.net.	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
 SECTION ADDITIONAL
 ENTRY_END
 
@@ -490,6 +503,7 @@ SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
 SECTION AUTHORITY
+example.net.	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
 SECTION ADDITIONAL
 ENTRY_END
 

testdata/iter_ignore_empty.rpl

@@ -0,0 +1,198 @@
+; config options
+server:
+	target-fetch-policy: "0 0 0 0 0"
+	qname-minimisation: "no"
+	minimal-responses: no
+
+stub-zone:
+	name: "."
+	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test ignore of an empty response.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+	ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS	K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.	IN	A	193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+	ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.	IN NS	a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.	IN 	A	192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.	IN NS	ns2.example2.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example2.com. IN NS
+SECTION AUTHORITY
+example2.com.	IN NS	ns2.example2.com.
+SECTION ADDITIONAL
+ns2.example2.com.		IN 	A	1.2.3.5
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.	IN NS	ns.example.com.
+example.com.	IN NS	ns2.example.net.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION AUTHORITY
+example.com.	IN SOA ns root 4 14400 3600 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+SECTION AUTHORITY
+SECTION ADDITIONAL
+ENTRY_END
+RANGE_END
+
+; ns2.example2.com.
+RANGE_BEGIN 0 100
+	ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+example2.com. IN NS
+SECTION ANSWER
+example2.com.	IN NS	ns2.example2.com.
+SECTION ADDITIONAL
+ns2.example2.com.		IN 	A	1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example2.com. IN A
+SECTION ANSWER
+ns2.example2.com.		IN 	A	1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns2.example2.com. IN AAAA
+SECTION AUTHORITY
+example2.com.	IN SOA ns2 root 4 14400 3600 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	10.20.30.40
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. IN A	10.20.30.40
+ENTRY_END
+
+; wait for pending nameserver lookups.
+STEP 20 TRAFFIC
+
+SCENARIO_END

testdata/iter_lame_aaaa.rpl

@@ -76,6 +76,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -85,6 +87,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 ns.example.com. IN A
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN

testdata/iter_lamescrub.rpl

@@ -42,6 +42,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 a.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 ENTRY_BEGIN
 

testdata/iter_nxns_cached.rpl

@@ -152,6 +152,8 @@ RANGE_BEGIN 31 100
 		REPLY QR NOERROR
 		SECTION QUESTION
 			nameservers.com. IN A
+		SECTION AUTHORITY
+			nameservers.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 	ENTRY_END
 RANGE_END
 

testdata/iter_nxns_fallback.rpl

@@ -137,6 +137,8 @@ RANGE_BEGIN 0 100
 		REPLY QR NOERROR
 		SECTION QUESTION
 			ns.example.com. IN AAAA
+		SECTION AUTHORITY
+			example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 	ENTRY_END
 
 	ENTRY_BEGIN

testdata/iter_primenoglue.rpl

@@ -114,15 +114,6 @@ SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-A.ROOT-SERVERS.NET.    IN      AAAA
-SECTION ANSWER
-ENTRY_END
-
 ENTRY_BEGIN
 MATCH opcode qname
 ADJUST copy_id copy_query
@@ -130,29 +121,22 @@ REPLY QR NOERROR
 SECTION QUESTION
 a.gtld-servers.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
-MATCH opcode qname
+MATCH opcode subdomain
 ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-K.ROOT-SERVERS.NET.    IN      A
+ROOT-SERVERS.NET.    IN      A
 SECTION AUTHORITY
 ROOT-SERVERS.NET.	IN	NS A.ROOT-SERVERS.NET.
 SECTION ADDITIONAL
 A.ROOT-SERVERS.NET.	IN	A	198.41.0.4
 ENTRY_END
 
-ENTRY_BEGIN
-MATCH opcode qname
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-K.ROOT-SERVERS.NET.    IN      AAAA
-SECTION ANSWER
-ENTRY_END
-
 ENTRY_BEGIN
 MATCH opcode qname
 ADJUST copy_id copy_query
@@ -213,6 +197,7 @@ K.ROOT-SERVERS.NET.    IN      A
 SECTION ANSWER
 K.ROOT-SERVERS.NET.    IN      A	193.0.14.129
 ENTRY_END
+
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@@ -222,6 +207,8 @@ K.ROOT-SERVERS.NET.    IN      AAAA
 SECTION ANSWER
 ; no ip6 address: we want to use only one address for K. to avoid having
 ; to duplicate the entries in this file for both addresses.
+SECTION AUTHORITY
+root-servers.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 RANGE_END
 
@@ -258,6 +245,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; example.com. zone
@@ -282,6 +271,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 
@@ -363,6 +354,7 @@ SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
 SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 SECTION ADDITIONAL
 ENTRY_END
 
@@ -381,6 +373,7 @@ SECTION QUESTION
 K.ROOT-SERVERS.NET.  IN      AAAA
 SECTION ANSWER
 SECTION AUTHORITY
+root-servers.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 SECTION ADDITIONAL
 ENTRY_END
 

testdata/iter_privaddr.rpl

@@ -122,6 +122,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN

testdata/iter_ranoaa_lame.rpl

@@ -198,6 +198,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 RANGE_END
@@ -235,6 +237,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -243,6 +247,8 @@ ADJUST copy_id
 REPLY QR NOERROR
 SECTION QUESTION
 ns.example.net. IN AAAA
+SECTION AUTHORITY
+example.net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ; the lame response.

testdata/iter_reclame_two.rpl

@@ -95,6 +95,8 @@ REPLY QR RA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -104,6 +106,8 @@ REPLY QR RA NOERROR
 SECTION QUESTION
 lame.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN

testdata/iter_scrub_ns.rpl

@@ -39,6 +39,7 @@ REPLY QR NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
+www.example.com. IN A 1.2.3.4
 ; must be scrubbed
 www.burritolovers.com. IN A	10.20.30.40
 SECTION AUTHORITY
@@ -78,6 +79,7 @@ REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
+www.example.com. IN A 1.2.3.4
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END

testdata/iter_scrub_ns_fwd.rpl

@@ -39,6 +39,7 @@ REPLY RD RA QR NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
+www.example.com. IN A 1.2.3.4
 ; must be scrubbed
 www.burritolovers.com. IN A	10.20.30.40
 SECTION AUTHORITY
@@ -78,6 +79,7 @@ REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
+www.example.com. IN A 1.2.3.4
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END

testdata/iter_scrub_ns_side.rpl

@@ -39,6 +39,7 @@ REPLY QR NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
+www.example.com. IN A 1.2.3.4
 ; must be scrubbed
 www.burritolovers.com. IN A	10.20.30.40
 SECTION AUTHORITY
@@ -54,6 +55,7 @@ REPLY QR NOERROR
 SECTION QUESTION
 mail.example.com. IN A
 SECTION ANSWER
+mail.example.com. IN A 1.2.3.11
 SECTION AUTHORITY
 ; not pertinent to the query
 www.example.com.	IN NS	ns.example.com.
@@ -78,6 +80,7 @@ REPLY QR RD RA NOERROR
 SECTION QUESTION
 www.example.com. IN A
 SECTION ANSWER
+www.example.com. IN A 1.2.3.4
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END
@@ -96,6 +99,7 @@ REPLY QR RD RA NOERROR
 SECTION QUESTION
 mail.example.com. IN A
 SECTION ANSWER
+mail.example.com. IN A 1.2.3.11
 SECTION AUTHORITY
 SECTION ADDITIONAL
 ENTRY_END

testdata/iter_stublastresort.rpl

@@ -105,6 +105,8 @@ REPLY QR NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -156,6 +158,8 @@ REPLY QR AA SERVFAIL
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN
@@ -204,6 +208,8 @@ REPLY QR AA
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 
 ENTRY_BEGIN

testdata/nsid_bogus.rpl

@@ -117,6 +117,9 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com.   3600    IN      SOA     ns.example.com. root.example.com. 4 1440 0 3600 604800 3600
+example.com.   3600    IN      RRSIG   SOA 3 2 3600 20070926134150 20070829134150 2854 example.com. AC23LvSspto6Zqctz05urK/2OKTnB+7nppMKInYkyjZbZotq2wjJA9s=
 SECTION ADDITIONAL
 ENTRY_END
 

testdata/ratelimit.tdir/ratelimit.testns

@@ -10,4 +10,6 @@ SECTION QUESTION
 wild	IN	A
 SECTION ANSWER
 wild	IN	A	10.20.30.40
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
 ENTRY_END

testdata/serve_expired_cached_servfail_refresh.rpl

@@ -0,0 +1,145 @@
+; config options
+server:
+	module-config: "validator iterator"
+	qname-minimisation: "no"
+	minimal-responses: no
+	serve-expired: yes
+	serve-expired-reply-ttl: 123
+	log-servfail: yes
+	ede: yes
+	ede-serve-expired: yes
+
+
+stub-zone:
+	name: "example.com"
+	stub-addr: 1.2.3.4
+CONFIG_END
+
+SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply
+; Scenario overview:
+; - query for example.com. IN A
+; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5)
+; - check that the client gets the SERVFAIL; also cached
+; - query again right after the TTL expired
+; - cached SERVFAIL should be ignored and upstream queried
+; - answer from upstream is still SERVFAIL; the cached error response will be
+;   refreshed for another NORR_TTL(5)
+; - check that the client gets the SERVFAIL
+; - query again; the upstream now has the answer available
+; - check that we get the refreshed cached response instead
+
+; ns.example.com.
+RANGE_BEGIN 0 50
+	ADDRESS 1.2.3.4
+	; response to A query
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR AA SERVFAIL
+		SECTION QUESTION
+			example.com. IN A
+	ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 60 100
+	ADDRESS 1.2.3.4
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. 10 IN NS
+		SECTION ANSWER
+			example.com. 10 IN NS ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com. 10 IN A 1.2.3.4
+	ENTRY_END
+
+	ENTRY_BEGIN
+		MATCH opcode qtype qname
+		ADJUST copy_id
+		REPLY QR NOERROR
+		SECTION QUESTION
+			example.com. IN A
+		SECTION ANSWER
+			example.com. 10 IN A 5.6.7.8
+		SECTION AUTHORITY
+			example.com. 10 IN NS ns.example.com.
+		SECTION ADDITIONAL
+			ns.example.com. 10 IN A 1.2.3.4
+	ENTRY_END
+RANGE_END
+
+; Query with RD flag
+STEP 0 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be cached)
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RD RA SERVFAIL
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Query again
+STEP 20 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Check that we get the cached SERVFAIL
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RD RA SERVFAIL
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Wait for the SERVFAIL to expire
+STEP 31 TIME_PASSES ELAPSE 6
+
+; Query again
+STEP 40 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Check that we get the SERVFAIL (will be refreshed)
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RD RA SERVFAIL
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Query again, upstream has the real answer available
+STEP 60 QUERY
+ENTRY_BEGIN
+	REPLY RD
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+; Check that we get the refreshed cached SERVFAIL
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+	MATCH all
+	REPLY QR RD RA SERVFAIL
+	SECTION QUESTION
+		example.com. IN A
+ENTRY_END
+
+SCENARIO_END

testdata/stream_ssl.tdir/stream_ssl.serv.conf

@@ -9,9 +9,15 @@ server:
 	chroot: ""
 	username: ""
 	do-not-query-localhost: yes
+	local-zone: "example.com" static
+	local-zone: "server" static
+	local-zone: "host" static
 	local-data: "www.example.com. IN A 10.20.30.40"
 	local-data: "unbound.server. IN A 127.0.0.1"
 	local-data: "test.host. IN A 1.2.3.4"
+	local-data: "example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600"
+	local-data: "server. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600"
+	local-data: "host. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600"
 	ssl-port: @SERVPORT@
 	ssl-service-key: "unbound_server.key"
 	ssl-service-pem: "unbound_server.pem"

testdata/subnet_derived.crpl

@@ -39,6 +39,7 @@ RANGE_BEGIN 0 100
 		SECTION QUESTION
 			a.gtld-servers.net. IN AAAA
 		SECTION AUTHORITY
+			net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 		SECTION ADDITIONAL
 			HEX_EDNSDATA_BEGIN
 				;; we expect to receive empty
@@ -111,6 +112,8 @@ RANGE_BEGIN 0 100
 		SECTION QUESTION
 			ns.example.com. IN AAAA
 		SECTION ANSWER
+		SECTION AUTHORITY
+			example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 		SECTION ADDITIONAL
 			HEX_EDNSDATA_BEGIN
 				;; we expect to receive empty

testdata/subnet_format_ip4.crpl

@@ -38,6 +38,7 @@ RANGE_BEGIN 0 100
 		SECTION QUESTION
 			a.gtld-servers.net. IN AAAA
 		SECTION AUTHORITY
+			net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 		SECTION ADDITIONAL
 			HEX_EDNSDATA_BEGIN
 				;; we expect to receive empty
@@ -108,6 +109,8 @@ RANGE_BEGIN 0 100
 		SECTION QUESTION
 			ns.example.com. IN AAAA
 		SECTION ANSWER
+		SECTION AUTHORITY
+			example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 		SECTION ADDITIONAL
 			HEX_EDNSDATA_BEGIN
 				;; we expect to receive empty

testdata/subnet_not_whitelisted.crpl

@@ -39,6 +39,7 @@ RANGE_BEGIN 0 100
 		SECTION QUESTION
 			a.gtld-servers.net. IN AAAA
 		SECTION AUTHORITY
+			net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 		SECTION ADDITIONAL
 			HEX_EDNSDATA_BEGIN
 				;; we expect to receive empty
@@ -109,6 +110,8 @@ RANGE_BEGIN 0 100
 		SECTION QUESTION
 			ns.example.com. IN AAAA
 		SECTION ANSWER
+		SECTION AUTHORITY
+			example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 		SECTION ADDITIONAL
 			HEX_EDNSDATA_BEGIN
 				;; we expect to receive empty

testdata/subnet_without_validator.crpl

@@ -38,6 +38,7 @@ RANGE_BEGIN 0 100
 		SECTION QUESTION
 			a.gtld-servers.net. IN AAAA
 		SECTION AUTHORITY
+			net. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 		SECTION ADDITIONAL
 			HEX_EDNSDATA_BEGIN
 				;; we expect to receive empty
@@ -108,6 +109,8 @@ RANGE_BEGIN 0 100
 		SECTION QUESTION
 			ns.example.com. IN AAAA
 		SECTION ANSWER
+		SECTION AUTHORITY
+			example.com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 		SECTION ADDITIONAL
 			HEX_EDNSDATA_BEGIN
 				;; we expect to receive empty

testdata/val_cnametoinsecure.rpl

@@ -50,9 +50,11 @@ SECTION QUESTION
 unsafe.example.com. IN AAAA
 SECTION ANSWER
 ; empty response
+SECTION AUTHORITY
+example.com.	3600	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com.	3600	IN	RRSIG	SOA 5 2 3600 20091012000000 20091010000000 30899 example.com. gJkF06xR3FoD/d+rxcLOwGpT8+DV+nbxED8C6T1qZyhWfKlfpYzISNooKBWD+JQbaGKV/nfm+rT3M0fnIXPpQQ==
 ENTRY_END
 
-
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@@ -88,6 +90,9 @@ SECTION QUESTION
 unsafe.example.org. IN AAAA
 SECTION ANSWER
 ; empty response
+SECTION AUTHORITY
+example.org.	3600	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.org.	3600	IN	RRSIG	SOA 5 2 3600 20091012000000 20091010000000 30899 example.org. lYlSk7saPytwcu6Dp3HKYdyCOIlpTm+T8kjf0hnrLgPDZuksUjw/GLB+d6onTDpWLlasHfi0eoAkNvTeuR0+1w==
 ENTRY_END
 
 RANGE_END
@@ -112,6 +117,8 @@ www.example.com.        3600    IN      RRSIG   CNAME 5 3 3600 20091012000000 20
 SECTION AUTHORITY
 unsafe.example.com.     3600    IN      NSEC    v.example.com. NS RRSIG NSEC 
 unsafe.example.com.     3600    IN      RRSIG   NSEC 5 3 3600 20091012000000 20091010000000 30899 example.com. Le9EsRd2MxkOGRCvGtQkXRDAob5ZJOFQlZbDvcWAh5OXVpmcwZmCHctxw/Zyi4LkNYoYCSCc8PiVRrJM3IsGrQ== ;{id = 30899}
+example.com.	3600	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com.	3600	IN	RRSIG	SOA 5 2 3600 20091012000000 20091010000000 30899 example.com. gJkF06xR3FoD/d+rxcLOwGpT8+DV+nbxED8C6T1qZyhWfKlfpYzISNooKBWD+JQbaGKV/nfm+rT3M0fnIXPpQQ==
 ENTRY_END
 
 ; NSEC3
@@ -134,6 +141,8 @@ www.example.org.        3600    IN      RRSIG   CNAME 5 3 3600 20091012000000 20
 SECTION AUTHORITY
 ltchu0548v0cof8f25u2pj4mjf4shcms.example.org.   3600    IN      NSEC3   1 0 1 -  ltchu0548v0cof8f25u2pj4mjf4shcmt NS 
 ltchu0548v0cof8f25u2pj4mjf4shcms.example.org.   3600    IN      RRSIG   NSEC3 5 3 3600 20091012000000 20091010000000 30899 example.org. yxuYgfkg8QTdB5yBMN9Up9GyKu7xjKDScqq95/tsy3lx22tLsdLD9Fojdrq7eB+K7Tr72AejmVJs44v6TmWkZw== ;{id = 30899}
+example.org.	3600	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.org.	3600	IN	RRSIG	SOA 5 2 3600 20091012000000 20091010000000 30899 example.org. lYlSk7saPytwcu6Dp3HKYdyCOIlpTm+T8kjf0hnrLgPDZuksUjw/GLB+d6onTDpWLlasHfi0eoAkNvTeuR0+1w==
 ENTRY_END
 
 SCENARIO_END

testdata/val_cnametonodata_nonsec.rpl

@@ -146,11 +146,13 @@ ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
 SECTION AUTHORITY
+example.com.	3600	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
+example.com.	3600	IN	RRSIG	SOA 3 2 3600 20070926135752 20070829135752 2854 example.com. AI+pFL3opyI/Mx3pCwnULbwc99bqXrJjRp4ds1lIBPN9X/Pia3wQdkM=
 ; NSEC here ...
 SECTION ADDITIONAL
 ENTRY_END
@@ -208,11 +210,13 @@ ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.net. IN AAAA
 SECTION ANSWER
 SECTION AUTHORITY
+example.net.	IN NS	ns.example.net.
+example.net.    3600    IN      RRSIG   NS RSASHA1 2 3600 20070926134150 20070829134150 30899 example.net. E8JX0l4B+cSR5bkHQwOJy1pBmlLMTYCJ8EwfNMU/eCv0YhKwo26rHhn52FGisgv+Nwp7/NbhHqQ+kJgoZC94XA== ;{id = 30899}
 ; NSEC here
 SECTION ADDITIONAL
 ENTRY_END
@@ -226,6 +230,8 @@ SECTION QUESTION
 www.example.net. IN A
 SECTION ANSWER
 SECTION AUTHORITY
+example.net.	3600	IN	SOA	ns.example.com. root.example.com. 4 14400 3600 604800 3600
+;example.net.	3600	IN	RRSIG	SOA 3 2 3600 20070926135752 20070829135752 2854 example.net. ADNbj4XoTESBEkbFri3OG7SujbOUAoyrxPNHbULhxbvbB48Y0YAwvNY=
 ;www.example.net. IN NSEC	example.net. MX NSEC RRSIG
 ;www.example.net.        3600    IN      RRSIG   NSEC 5 3 3600 20070926134150 20070829134150 30899 example.net. Z+3/WKJEqhWoMOQLC7Yb1dTVGaqzmU0bZ2cH9jSfNQZiT0O37yzCNNUmMsW4gsJOh3o61iZ+hxpze3aO3aedqQ== ;{id = 30899}
 SECTION ADDITIONAL

testdata/val_cnametooptout.rpl

@@ -4,6 +4,7 @@ server:
 	val-override-date: "20091113091234"
 	fake-sha1: yes
 	trust-anchor-signaling: no
+	rrset-roundrobin: no
 
 forward-zone:
 	name: "."
@@ -44,6 +45,9 @@ REPLY QR NOERROR
 SECTION QUESTION
 www.content.hud.gov. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+content.hud.gov.        86400   IN      NS      drfswitch.hud.gov.
+content.hud.gov.        86400   IN      NS      lanswitch.hud.gov.
 ENTRY_END
 
 ENTRY_BEGIN
@@ -107,6 +111,8 @@ SECTION AUTHORITY
 3RUD2HK5O5KA0IC6BF22C1T4R1BJGJ3R.hud.gov.       86400   IN      RRSIG   NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. APf75Nx4eY9eHov3T9hduDLuG4TJfVfEUEhSgm7HIZRvSPFgajHz2q+Wy6888G3C0T1Zft1qL2PdHMonK6H1OEE+NiOxroDsZaH+aWZjAsbIO86qQ2xcC+/Z9DsddQtONk0zAqpuYxHSn879rAk/BIKeDukNoBChHCSTy8olUFiYt7XEmjz5AOoc8R5VQhMQi/vmbmC0BoFOemDxxowG2MX27Hj2MbVBEJiT8xioFEk41jsdDI0WQtpnory2NT/UM4kWZdmDdxbpwu2F8oixe3oi4AOI9j3EukoOZT9f0Sx+tCg/I9zLNZJi+VuI5oUlpZkSH5EoUyRgK33eO+KJhQ== ;{id = 64775}
 GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov.       86400   IN      NSEC3   1 1 5 abcd  gvfjd9enpjtet8a14uhb8hlrfeon2b72 A RRSIG  ; flags: optout
 GO8CPDSLPULIOURE31GBK5JJKA0BKIVN.hud.gov.       86400   IN      RRSIG   NSEC3 7 3 86400 20091204150200 20091104150200 64775 hud.gov. eQFg/RvJ640k+Fa5yIUZwkx8FvsYSivykYFjc6dOiGt7r3VprfxwGWeYpyjYr/+mzu0ugE5ePDjZWtr5naK3dvqmt7qKk4/nEvVDoUmrg7joIUmeTzami9RB9lzCq2O/ddempQ6jpwfjiIDuEKUxHMpBFpw8QQZnZSZHKKQCDB4pOj8U8J/wNJXCS+SP7plU1hEVroC+QXCOYS8NHY2wFyeuW7A+xvg9tyYp9PH6c5MoNMkRQt36Kdvfk1nk3osktwalJNLmMhDr/vtErFieGGD6E9Ud9Pg70bPF2G5nqwwLDRevy7hIFjaMDHfYrcWc4B5hrUSpGtLJkYog9vsd2w== ;{id = 64775}
+content.hud.gov.        86400   IN      NS      drfswitch.hud.gov.
+content.hud.gov.        86400   IN      NS      lanswitch.hud.gov.
 ENTRY_END
 
 SCENARIO_END

testdata/val_ds_cname.rpl

@@ -78,6 +78,8 @@ REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+com. IN SOA ns.example.com. root.example.com. 4 14400 3600 604800 3600
 ENTRY_END
 RANGE_END
 

testdata/val_faildnskey.rpl

@@ -143,10 +143,13 @@ ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 ENTRY_END
 
 RANGE_END

testdata/val_faildnskey_ok.rpl

@@ -144,10 +144,13 @@ ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
 SECTION QUESTION
 ns.example.com. IN AAAA
 SECTION ANSWER
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 ENTRY_END
 
 RANGE_END

testdata/val_nsec3_b2_nodata_nons.rpl

@@ -97,6 +97,9 @@ ADJUST copy_id
 REPLY QR AA DO NOERROR
 SECTION QUESTION
 ns1.example.        IN DS
+SECTION AUTHORITY
+example.       SOA     ns1.example. bugs.x.w.example. 1 3600 300 ( 3600000 3600 )
+example.        RRSIG   SOA 7 1 3600 20150420235959 20051021000000 ( 40430 example.  Hu25UIyNPmvPIVBrldN+9Mlp9Zql39qaUd8i q4ZLlYWfUUbbAS41pG+68z81q1xhkYAcEyHd VI2LmKusbZsT0Q== )
 ENTRY_END
 
 ENTRY_BEGIN

testdata/val_nsec3_b4_wild_wr.rpl

@@ -129,6 +129,10 @@ SECTION QUESTION
 ns2.example. IN      A
 SECTION ANSWER
 ; nothing to make sure the ns1 server is used for queries.
+SECTION AUTHORITY
+example.       NS      ns1.example.
+example.       NS      ns2.example.
+example. RRSIG   NS 7 1 3600 20150420235959 20051021000000 ( 40430 example.  PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJ qOtdEVgg+MA+ai4fWDEhu3qHJyLcQ9tbD2vv CnMXjtz6SyObxA== )
 ENTRY_END
 
 ENTRY_BEGIN
@@ -139,6 +143,10 @@ SECTION QUESTION
 ns2.example. IN      AAAA
 SECTION ANSWER
 ; nothing to make sure the ns1 server is used for queries.
+SECTION AUTHORITY
+example.       NS      ns1.example.
+example.       NS      ns2.example.
+example. RRSIG   NS 7 1 3600 20150420235959 20051021000000 ( 40430 example.  PVOgtMK1HHeSTau+HwDWC8Ts+6C8qtqd4pQJ qOtdEVgg+MA+ai4fWDEhu3qHJyLcQ9tbD2vv CnMXjtz6SyObxA== )
 ENTRY_END
 
 

testdata/val_positive_nosigs.rpl

@@ -137,10 +137,13 @@ ENTRY_END
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
-REPLY QR NOERROR
+REPLY QR AA NOERROR
 SECTION QUESTION
 www.example.com. IN DS
 SECTION ANSWER
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+example.com.    3600    IN      RRSIG   NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854}
 ENTRY_END
 
 ; response to query of interest