; config options stub-addr: 1.2.3.4 feature-list: policy=policy:add(policy.rpz(policy.DENY, '{{INSTALL_DIR}}/sets/resolver/zone.rpz')) query-minimization: off CONFIG_END SCENARIO_BEGIN policy.rpz test RANGE_BEGIN 0 110 ADDRESS 1.2.3.4 ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR RD RA NOERROR SECTION QUESTION example.cz. IN A SECTION ANSWER example.cz. IN A 5.6.7.8 ENTRY_END ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR RD RA NOERROR SECTION QUESTION dummy.example.cz. IN A SECTION ANSWER dummy.example.cz. IN A 9.10.11.12 ENTRY_END ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR RD RA NOERROR SECTION QUESTION nic.cz. IN A SECTION ANSWER nic.cz. IN A 13.14.15.16 ENTRY_END ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR RD RA NOERROR SECTION QUESTION dummy.nic.cz. IN A SECTION ANSWER dummy.nic.cz. IN A 17.18.19.20 ENTRY_END ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id REPLY QR RD RA NOERROR SECTION QUESTION example.com. IN A SECTION ANSWER example.com. IN A 21.22.23.24 ENTRY_END RANGE_END ; blocked by example.cz CNAME . ; NXDOMAIN expected STEP 10 QUERY ENTRY_BEGIN REPLY RD SECTION QUESTION example.cz. IN A ENTRY_END STEP 20 CHECK_ANSWER ENTRY_BEGIN MATCH flags rcode question answer REPLY QR RD RA AA NXDOMAIN SECTION QUESTION example.cz. IN A SECTION ANSWER ENTRY_END ; blocked by *.example.cz CNAME *. ; NXDOMAIN expected STEP 30 QUERY ENTRY_BEGIN REPLY RD SECTION QUESTION dummy.example.cz. IN A ENTRY_END STEP 40 CHECK_ANSWER ENTRY_BEGIN MATCH flags rcode question answer REPLY QR RD RA AA NXDOMAIN SECTION QUESTION dummy.example.cz. IN A SECTION ANSWER ENTRY_END ; blocked nic.cz CNAME rpz-drop. ; SERVFAIL expected STEP 50 QUERY ENTRY_BEGIN REPLY RD SECTION QUESTION nic.cz. IN A ENTRY_END STEP 55 CHECK_ANSWER ENTRY_BEGIN MATCH flags rcode question answer REPLY QR RD RA SERVFAIL SECTION QUESTION nic.cz. IN A SECTION ANSWER ENTRY_END ; matches *.nic.cz CNAME rpz-tcp-only. ; TC flag expected STEP 60 QUERY ENTRY_BEGIN REPLY RD SECTION QUESTION dummy.nic.cz. IN A ENTRY_END STEP 65 CHECK_ANSWER ENTRY_BEGIN MATCH flags rcode question answer REPLY QR TC RD RA NOERROR SECTION QUESTION dummy.nic.cz. IN A SECTION ANSWER ENTRY_END ; matches example.com CNAME rpz-passthru. ; rpz not affected STEP 70 QUERY ENTRY_BEGIN REPLY RD SECTION QUESTION example.com. IN A ENTRY_END STEP 80 CHECK_ANSWER ENTRY_BEGIN MATCH flags rcode question answer REPLY QR RD RA NOERROR SECTION QUESTION example.com. IN A SECTION ANSWER example.com. IN A 21.22.23.24 ENTRY_END SCENARIO_END