--- /dev/null
+This test will test the fix made for issue #2600. When we receive a CNAME chain
+in the ANSWER-section from an authoritative server, we should discard any record
+in a zone that we (as a recursor) are authoritative for (by e.g. using auth-zones)
+
+The issue here was that an auth returns the following CNAME chain (where the
+auth server is indeed authoritative for all these zones):
+service.box.answer-cname-in-local.example.net -->
+ pfs.global.box.answer-cname-in-local.example.net -->
+ vip-metropole.pfsbox.answer-cname-in-local.example.net
+
+However, the resolver has the zone 'global.box.answer-cname-in-local.example.net'
+loaded whereby the CNAME chain becomes:
+service.box.answer-cname-in-local.example.net -->
+ pfs.global.box.answer-cname-in-local.example.net -->
+ vip-reunion.pfsbox.answer-cname-in-local.example.net
+
+Hence, it should reject the last CNAME sent from the authoritative server.
--- /dev/null
+0 pfs.global.box.answer-cname-in-local.example.net. IN CNAME 3600 vip-reunion.pfsbox.answer-cname-in-local.example.net.
+0 service.box.answer-cname-in-local.example.net. IN CNAME 3600 pfs.global.box.answer-cname-in-local.example.net.
+0 vip-reunion.pfsbox.answer-cname-in-local.example.net. IN A 3600 10.1.1.1
+Rcode: 0, RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='service.box.answer-cname-in-local.example.net.', qtype=A
ns.hijackme.example.net. 3600 IN A $PREFIX.20
hijacker.example.net. 3600 IN NS ns.hijacker.example.net.
ns.hijacker.example.net. 3600 IN A $PREFIX.21
+answer-cname-in-local.example.net. 3600 IN NS ns.answer-cname-in-local.example.net.
+pfsbox.answer-cname-in-local.example.net. 3600 IN NS ns.answer-cname-in-local.example.net.
+box.answer-cname-in-local.example.net. 3600 IN NS ns.answer-cname-in-local.example.net.
+ns.answer-cname-in-local.example.net. 3600 IN A $PREFIX.22
EOF
mkdir $PREFIX.11
EOF
+## Several domains where one gets overwritten as a local auth zone
+mkdir $PREFIX.22
+cat > $PREFIX.22/box.answer-cname-in-local.example.net.zone <<EOF
+box.answer-cname-in-local.example.net. 3600 IN SOA $SOA
+box.answer-cname-in-local.example.net. 20 IN NS ns.answer-cname-in-local.example.net.
+
+global.box.answer-cname-in-local.example.net. 20 IN NS ns.answer-cname-in-local.example.net.
+service.box.answer-cname-in-local.example.net. 20 IN CNAME pfs.global.box.answer-cname-in-local.example.net.
+
+EOF
+
+cat > $PREFIX.22/global.box.answer-cname-in-local.example.net.zone <<EOF
+global.box.answer-cname-in-local.example.net. 3600 IN SOA $SOA
+global.box.answer-cname-in-local.example.net. 20 IN NS ns.answer-cname-in-local.example.net.
+
+pfs.global.box.answer-cname-in-local.example.net. 20 IN CNAME vip-metropole.pfsbox.answer-cname-in-local.example.net.
+
+EOF
+
+cat > $PREFIX.22/pfsbox.answer-cname-in-local.example.net.zone <<EOF
+pfsbox.answer-cname-in-local.example.net. 3600 IN SOA $SOA
+pfsbox.answer-cname-in-local.example.net. 20 IN NS ns.answer-cname-in-local.example.net.
+
+vip-metropole.pfsbox.answer-cname-in-local.example.net. 20 IN A 10.0.0.1
+vip-reunion.pfsbox.answer-cname-in-local.example.net. 20 IN A 10.1.1.1
+
+EOF
+
+# And for the recursor
+cat > recursor-service/global.box.answer-cname-in-local.example.net.zone <<EOF
+global.box.answer-cname-in-local.example.net. 3600 IN SOA $SOA
+global.box.answer-cname-in-local.example.net. 20 IN NS ns.answer-cname-in-local.example.net.
+
+pfs.global.box.answer-cname-in-local.example.net. 20 IN CNAME vip-reunion.pfsbox.answer-cname-in-local.example.net.
+
+EOF
+
for dir in $PREFIX.*
do
cat > $dir/pdns.conf <<EOF
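Review bot: The comment `# And for the recursor` does not say that the recursor's copy of `global.box.answer-cname-in-local.example.net` is deliberately different from the one served by the auth at `$PREFIX.22`. That difference is what the whole test rests on: the auth's `pfs.global.box…` CNAME points at `vip-metropole` (10.0.0.1), the recursor's at `vip-reunion` (10.1.1.1). The expected result only shows the locally authoritative data won because the two A records differ. I would expand the comment to something like `# Recursor's auth-zone copy: pfs.global.box points at vip-reunion, NOT vip-metropole as on the auth, so the answer shows whether the CNAME received from the auth was discarded`. Without it, a later cleanup that "syncs" the two zone files would leave the test passing while no longer checking anything.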
ln -s ../run-auth $dir/run
done
-cat > recursor-service/recursor.conf << EOF
-socket-dir=$(pwd)/recursor-service
-EOF
\ No newline at end of file
+cat > recursor-service/recursor.conf <<EOF
+socket-dir=$(pwd)/recursor-serviceS
+auth-zones=global.box.answer-cname-in-local.example.net=$(pwd)/recursor-service/global.box.answer-cname-in-local.example.net.zone
+
+EOF
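Review bot: The new `socket-dir=$(pwd)/recursor-serviceS` line ends in a capital `S` that the removed line did not have, which looks like a stray keystroke. Everything else in this script writes to `recursor-service/`, including the `auth-zones=` path on the next line. The recursor would therefore be told to put its control socket in a directory that nothing visible here creates; how the recursor is started and controlled is outside the hunk, so the exact failure mode is inferred. The line should read `socket-dir=$(pwd)/recursor-service`.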