Version in base suite: 1.22.0-2 Base version: unbound_1.22.0-2 Target version: unbound_1.22.0-2+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/u/unbound/unbound_1.22.0-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/u/unbound/unbound_1.22.0-2+deb13u1.dsc changelog | 13 gbp.conf | 3 patches/CVE-2025-11411-additional-nodata.patch | 264 ++ patches/CVE-2025-11411.patch | 2371 +++++++++++++++++++++++++ patches/series | 2 salsa-ci.yml | 3 6 files changed, 2656 insertions(+) diff -Nru unbound-1.22.0/debian/changelog unbound-1.22.0/debian/changelog --- unbound-1.22.0/debian/changelog 2025-07-17 16:05:22.000000000 +0000 +++ unbound-1.22.0/debian/changelog 2025-11-26 20:12:47.000000000 +0000 @@ -1,3 +1,16 @@ +unbound (1.22.0-2+deb13u1) trixie-security; urgency=high + + [ Guilhem Moulin ] + * Fix CVE-2025-11411: Cache poisoning vulnerability via NS RRSet injection + * debian/salsa-ci.yml: Disable reprotest and lintian jobs, set RELEASE=trixie + + [ Michael Tokarev ] + * CVE-2025-11411-additional-nodata.patch -- additional fixes + for CVE-2025-11411 (Closes: #1121446, CVE-2025-11411) + * d/gbp.conf: set default branch to debian/trixie + + -- Michael Tokarev Wed, 26 Nov 2025 23:12:47 +0300 + unbound (1.22.0-2) unstable; urgency=medium * add Fix-RebirthDay-Attack-CVE-2025-5994.patch from upstream diff -Nru unbound-1.22.0/debian/gbp.conf unbound-1.22.0/debian/gbp.conf --- unbound-1.22.0/debian/gbp.conf 2025-07-15 11:01:49.000000000 +0000 +++ unbound-1.22.0/debian/gbp.conf 2025-11-26 20:12:47.000000000 +0000 
@@ -1,3 +1,6 @@ +[DEFAULT] +debian-branch = debian/trixie + [buildpackage] pristine-tar = True diff -Nru unbound-1.22.0/debian/patches/CVE-2025-11411-additional-nodata.patch unbound-1.22.0/debian/patches/CVE-2025-11411-additional-nodata.patch --- unbound-1.22.0/debian/patches/CVE-2025-11411-additional-nodata.patch 1970-01-01 00:00:00.000000000 +0000 +++ unbound-1.22.0/debian/patches/CVE-2025-11411-additional-nodata.patch 2025-11-26 20:12:47.000000000 +0000 
@@ -0,0 +1,264 @@ +From: Yorgos Thessalonikefs +Date: Wed, 26 Nov 2025 11:09:40 +0100 +Subject: Additional fix for CVE-2025-11411 (possible domain + hijacking attack), to include YXDOMAIN and non-referral nodata answers in + the mitigation as well, reported by TaoFei Guo from Peking University, Yang + Luo and JianJun Chen from Tsinghua University. +Origin: upstream, https://github.com/NLnetLabs/unbound/commit/f6269baa605d31859f28770e01a24e3677e5f82c +Forwarded: not-needed + +--- + iterator/iter_scrub.c | 39 +++++++++-- + testdata/iter_scrub_promiscuous.rpl | 84 ++++++++++++++++++++++++ + testdata/ratelimit.tdir/ratelimit.testns | 30 +++++++-- + 3 files changed, 143 insertions(+), 10 deletions(-) + +diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c +index 553d3655f..8507a3fb6 100644 +--- a/iterator/iter_scrub.c ++++ b/iterator/iter_scrub.c +@@ -418,12 +418,13 @@ shorten_rrset(sldns_buffer* pkt, struct rrset_parse* rrset, int count) + * @param qinfo: original query. + * @param region: where to allocate synthesized CNAMEs. + * @param env: module env with config options. ++ * @param zonename: name of server zone. + * @return 0 on error. 
+ */ + static int + scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + struct query_info* qinfo, struct regional* region, +- struct module_env* env) ++ struct module_env* env, uint8_t* zonename) + { + uint8_t* sname = qinfo->qname; + size_t snamelen = qinfo->qname_len; +@@ -431,7 +432,8 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + int cname_length = 0; /* number of CNAMEs, or DNAMEs */ + + if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR && +- FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN) ++ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN && ++ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_YXDOMAIN) + return 1; + + /* For the ANSWER section, remove all "irrelevant" records and add +@@ -470,6 +472,11 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + &aliaslen, pkt)) { + verbose(VERB_ALGO, "synthesized CNAME " + "too long"); ++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) { ++ prev = rrset; ++ rrset = rrset->rrset_all_next; ++ continue; ++ } + return 0; + } + cname_length++; +@@ -650,6 +657,29 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + "RRset:", pkt, msg, prev, &rrset); + continue; + } ++ /* Also delete promiscuous NS for other RCODEs */ ++ if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR ++ && env->cfg->iter_scrub_promiscuous) { ++ remove_rrset("normalize: removing promiscuous " ++ "RRset:", pkt, msg, prev, &rrset); ++ continue; ++ } ++ /* Also delete promiscuous NS for NOERROR with nodata ++ * for authoritative answers, not for delegations. ++ * NOERROR with an_rrsets!=0 already handled. ++ * Also NOERROR and soa_in_auth already handled. ++ * NOERROR with an_rrsets==0, and not a referral. ++ * referral is (NS not the zonename, noSOA). 
++ */ ++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR ++ && msg->an_rrsets == 0 ++ && !(dname_pkt_compare(pkt, rrset->dname, ++ zonename) != 0 && !soa_in_auth(msg)) ++ && env->cfg->iter_scrub_promiscuous) { ++ remove_rrset("normalize: removing promiscuous " ++ "RRset:", pkt, msg, prev, &rrset); ++ continue; ++ } + if(nsset == NULL) { + nsset = rrset; + } else { +@@ -1060,7 +1090,8 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg, + /* this is not required for basic operation but is a forgery + * resistance (security) feature */ + if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR || +- FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) && ++ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN || ++ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) && + msg->qdcount == 0) + return 0; + +@@ -1074,7 +1105,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg, + } + + /* normalize the response, this cleans up the additional. */ +- if(!scrub_normalize(pkt, msg, qinfo, region, env)) ++ if(!scrub_normalize(pkt, msg, qinfo, region, env, zonename)) + return 0; + /* delete all out-of-zone information */ + if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate)) +diff --git a/testdata/iter_scrub_promiscuous.rpl b/testdata/iter_scrub_promiscuous.rpl +index 61fca0d28..febbee81c 100644 +--- a/testdata/iter_scrub_promiscuous.rpl ++++ b/testdata/iter_scrub_promiscuous.rpl +@@ -16,6 +16,7 @@ SCENARIO_BEGIN Test iterator with scrub of promiscuous records + ; The spoofed contents are ns.attacker.mesa and its IPs 5.6.7.8 and 5.6.7.9. + ; The pollute1.mesa NS, ns.pollute2.mesa A, and test3.atkr.pollute3.mesa NS + ; with ns.pollute3.mesa A records are tested for cache placement. ++; pollute4.mesa uses YXDOMAIN. + + ; ns.root + RANGE_BEGIN 0 400 +@@ -84,6 +85,18 @@ SECTION ADDITIONAL + ns.pollute3.mesa. IN A 1.2.4.3 + ENTRY_END + ++ENTRY_BEGIN ++MATCH opcode subdomain ++ADJUST copy_id copy_query ++REPLY QR NOERROR ++SECTION QUESTION ++pollute4.mesa. 
IN NS ++SECTION AUTHORITY ++pollute4.mesa. IN NS ns.pollute4.mesa. ++SECTION ADDITIONAL ++ns.pollute4.mesa. IN A 1.2.4.4 ++ENTRY_END ++ + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query +@@ -188,6 +201,35 @@ check.pollute3.mesa. IN A 1.8.9.3 + ENTRY_END + RANGE_END + ++; ns.pollute4.mesa ++RANGE_BEGIN 0 400 ++ ADDRESS 1.2.4.4 ++ ++; This is the spoofed answer that is returned. ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA YXDOMAIN ++SECTION QUESTION ++test4.atkr.pollute4.mesa. IN A ++SECTION ANSWER ++test4.atkr.pollute4.mesa. 86400 IN A 1.2.3.4 ++SECTION AUTHORITY ++pollute4.mesa. 86400 IN NS ns.attacker.mesa. ++ENTRY_END ++ ++; correct answer for the check query. ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++check.pollute4.mesa. IN A ++SECTION ANSWER ++check.pollute4.mesa. IN A 1.8.9.4 ++ENTRY_END ++RANGE_END ++ + ; ns.attacker.mesa + RANGE_BEGIN 0 400 + ADDRESS 5.6.7.8 +@@ -370,4 +412,46 @@ check.pollute3.mesa. IN A 1.8.9.3 + ;check.pollute3.mesa. IN A 5.6.7.9 + ENTRY_END + ++; Test query 4 ++STEP 120 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++test4.atkr.pollute4.mesa. IN A ++ENTRY_END ++ ++STEP 130 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA YXDOMAIN ++SECTION QUESTION ++test4.atkr.pollute4.mesa. IN A ++SECTION ANSWER ++test4.atkr.pollute4.mesa. 86400 IN A 1.2.3.4 ++SECTION AUTHORITY ++; removed record ++;pollute4.mesa. 0 IN NS ns.attacker.mesa. ++ENTRY_END ++ ++; Check the cache contents, for query 4. ++STEP 140 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++check.pollute4.mesa. IN A ++ENTRY_END ++ ++STEP 150 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++check.pollute4.mesa. IN A ++SECTION ANSWER ++; good answer ++check.pollute4.mesa. IN A 1.8.9.4 ++; bad answer ++;check.pollute4.mesa. 
IN A 5.6.7.9 ++ENTRY_END ++ + SCENARIO_END +diff --git a/testdata/ratelimit.tdir/ratelimit.testns b/testdata/ratelimit.tdir/ratelimit.testns +index 563c1db6a..5c22c292d 100644 +--- a/testdata/ratelimit.tdir/ratelimit.testns ++++ b/testdata/ratelimit.tdir/ratelimit.testns +@@ -3,13 +3,31 @@ $ORIGIN example.com. + $TTL 3600 + + ENTRY_BEGIN +-MATCH opcode qtype ++MATCH opcode qname qtype + REPLY QR AA NOERROR +-ADJUST copy_id copy_query ++ADJUST copy_id + SECTION QUESTION +-wild IN A ++www1 IN A + SECTION ANSWER +-wild IN A 10.20.30.40 +-SECTION AUTHORITY +-example.com. IN NS ns.example.com. ++www1 IN A 1.1.1.1 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qname qtype ++REPLY QR AA NOERROR ++ADJUST copy_id ++SECTION QUESTION ++www2 IN A ++SECTION ANSWER ++www2 IN A 2.2.2.2 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qname qtype ++REPLY QR AA NOERROR ++ADJUST copy_id ++SECTION QUESTION ++www3 IN A ++SECTION ANSWER ++www3 IN A 3.3.3.3 + ENTRY_END +-- +2.47.3 + diff -Nru unbound-1.22.0/debian/patches/CVE-2025-11411.patch unbound-1.22.0/debian/patches/CVE-2025-11411.patch --- unbound-1.22.0/debian/patches/CVE-2025-11411.patch 1970-01-01 00:00:00.000000000 +0000 +++ unbound-1.22.0/debian/patches/CVE-2025-11411.patch 2025-11-26 20:12:47.000000000 +0000 
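Review bot: The NOERROR/nodata condition added to scrub_normalize in iterator/iter_scrub.c is written as a double negation, `!(dname_pkt_compare(pkt, rrset->dname, zonename) != 0 && !soa_in_auth(msg))`, which is hard to audit for a check whose purpose is to keep spoofed NS sets out of the cache; the equivalent positive form `(dname_pkt_compare(pkt, rrset->dname, zonename) == 0 || soa_in_auth(msg))` states the intent (NS at the zone name, or a SOA present, i.e. not a referral) directly. soa_in_auth(msg) is also re-evaluated for every NS rrset in the loop, and the preceding comment says the NOERROR-with-SOA case is already handled earlier, so if that holds the term is redundant here and a short comment explaining why it is kept would help the next reader. The new `zonename` parameter is passed straight into dname_pkt_compare without a NULL check; scrub_sanitize already receives the same pointer so it is presumably never NULL, but the new `@param zonename` line could say so explicitly. In the YXDOMAIN branch a synthesized CNAME that is too long now skips the rrset instead of rejecting the whole message, which looks deliberate (YXDOMAIN signals a DNAME expansion that overflowed), but a one-line comment there would make the intentional difference from the NOERROR/NXDOMAIN path clear. scrub_normalize's body begins and ends outside the nested hunks shown in this patch.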
@@ -0,0 +1,2371 @@ +From: Yorgos Thessalonikefs +Date: Wed, 22 Oct 2025 10:54:57 +0200 +Subject: Fix CVE-2025-11411 (possible domain hijacking attack) + +Reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from +Tsinghua University. + +Origin: https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852 +Bug: https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-11411 +--- + doc/example.conf.in | 4 + + doc/unbound.conf.5.in | 6 + + iterator/iter_scrub.c | 16 + + testdata/autotrust_init.rpl | 1 + + testdata/autotrust_init_ds.rpl | 1 + + testdata/autotrust_init_sigs.rpl | 1 + + testdata/autotrust_init_zsk.rpl | 1 + + testdata/black_data.rpl | 1 + + testdata/black_prime.rpl | 1 + + testdata/disable_edns_do.rpl | 1 + + testdata/dns64_lookup.rpl | 1 + + testdata/dns64_prefetch_cache.rpl | 1 + + testdata/fetch_glue.rpl | 1 + + testdata/fetch_glue_cname.rpl | 1 + + testdata/fwd_cached.rpl | 1 + + .../fwd_compress_c00c.tdir/fwd_compress_c00c.conf | 1 + + testdata/fwd_minimal.rpl | 1 + + testdata/ipsecmod_bogus_ipseckey.crpl | 1 + + testdata/ipsecmod_enabled.crpl | 1 + + testdata/ipsecmod_ignore_bogus_ipseckey.crpl | 1 + + testdata/ipsecmod_max_ttl.crpl | 1 + + testdata/ipsecmod_strict.crpl | 1 + + testdata/ipsecmod_whitelist.crpl | 1 + + testdata/iter_class_any.rpl | 1 + + testdata/iter_cycle_noh.rpl | 1 + + testdata/iter_domain_sale.rpl | 1 + + testdata/iter_domain_sale_nschange.rpl | 1 + + testdata/iter_emptydp.rpl | 1 + + testdata/iter_emptydp_for_glue.rpl | 1 + + testdata/iter_fwdfirst.rpl | 1 + + testdata/iter_fwdfirstequal.rpl | 1 + + testdata/iter_fwdstub.rpl | 1 + + testdata/iter_fwdstubroot.rpl | 1 + + testdata/iter_ghost_grandchild_delegation.rpl | 1 + + testdata/iter_ghost_sub.rpl | 1 + + testdata/iter_ghost_timewindow.rpl | 1 + + testdata/iter_got6only.rpl | 1 + + testdata/iter_hint_lame.rpl | 1 + + testdata/iter_lame_noaa.rpl | 1 + + 
testdata/iter_lame_nosoa.rpl | 1 + + testdata/iter_mod.rpl | 1 + + testdata/iter_ns_badip.rpl | 1 + + testdata/iter_ns_spoof.rpl | 1 + + testdata/iter_nxns_fallback.rpl | 1 + + testdata/iter_pc_a.rpl | 1 + + testdata/iter_pc_aaaa.rpl | 1 + + testdata/iter_pcdiff.rpl | 1 + + testdata/iter_pcdirect.rpl | 1 + + testdata/iter_pcname.rpl | 1 + + testdata/iter_pcnamech.rpl | 1 + + testdata/iter_pcnamechrec.rpl | 1 + + testdata/iter_pcnamerec.rpl | 1 + + testdata/iter_pcttl.rpl | 1 + + testdata/iter_prefetch.rpl | 1 + + testdata/iter_prefetch_change.rpl | 1 + + testdata/iter_prefetch_change2.rpl | 1 + + testdata/iter_prefetch_childns.rpl | 1 + + testdata/iter_prefetch_fail.rpl | 1 + + testdata/iter_prefetch_ns.rpl | 1 + + testdata/iter_primenoglue.rpl | 1 + + testdata/iter_privaddr.rpl | 1 + + testdata/iter_ranoaa_lame.rpl | 1 + + testdata/iter_reclame_one.rpl | 1 + + testdata/iter_reclame_two.rpl | 1 + + testdata/iter_recurse.rpl | 1 + + testdata/iter_resolve.rpl | 1 + + testdata/iter_resolve_minimised.rpl | 1 + + testdata/iter_resolve_minimised_nx.rpl | 1 + + testdata/iter_resolve_minimised_refused.rpl | 1 + + testdata/iter_resolve_minimised_timeout.rpl | 1 + + testdata/iter_scrub_cname_an.rpl | 1 + + testdata/iter_scrub_dname_insec.rpl | 1 + + testdata/iter_scrub_dname_rev.rpl | 1 + + testdata/iter_scrub_dname_sec.rpl | 1 + + testdata/iter_scrub_promiscuous.rpl | 373 +++++++++++++++++++++ + testdata/iter_scrub_rr_length.rpl | 1 + + testdata/iter_soamin.rpl | 1 + + testdata/iter_stub_noroot.rpl | 1 + + testdata/iter_stubfirst.rpl | 1 + + testdata/iter_timeout_ra_aaaa.rpl | 1 + + testdata/iter_unverified_glue.rpl | 1 + + testdata/rrset_rettl.rpl | 1 + + testdata/rrset_untrusted.rpl | 1 + + testdata/rrset_updated.rpl | 1 + + testdata/rrset_use_cached.rpl | 1 + + testdata/serve_expired.rpl | 1 + + testdata/serve_expired_0ttl_nodata.rpl | 1 + + testdata/serve_expired_0ttl_nxdomain.rpl | 1 + + testdata/serve_expired_0ttl_servfail.rpl | 1 + + 
testdata/serve_expired_cached_servfail.rpl | 1 + + testdata/serve_expired_client_timeout.rpl | 1 + + .../serve_expired_client_timeout_no_prefetch.rpl | 1 + + testdata/serve_expired_client_timeout_servfail.rpl | 1 + + .../serve_expired_client_timeout_val_bogus.rpl | 1 + + ...ired_client_timeout_val_insecure_delegation.rpl | 1 + + testdata/serve_expired_reply_ttl.rpl | 1 + + testdata/serve_expired_ttl.rpl | 1 + + testdata/serve_expired_ttl_client_timeout.rpl | 1 + + testdata/serve_expired_val_bogus.rpl | 1 + + testdata/serve_expired_zerottl.rpl | 1 + + testdata/serve_original_ttl.rpl | 1 + + testdata/subnet_cached.crpl | 1 + + testdata/subnet_cached_servfail.crpl | 1 + + testdata/subnet_cached_size.crpl | 1 + + testdata/subnet_global_prefetch.crpl | 1 + + .../subnet_global_prefetch_always_forward.crpl | 1 + + testdata/subnet_global_prefetch_expired.crpl | 1 + + .../subnet_global_prefetch_with_client_ecs.crpl | 1 + + testdata/subnet_max_source.crpl | 1 + + testdata/subnet_prefetch.crpl | 1 + + testdata/subnet_val_positive.crpl | 1 + + testdata/subnet_val_positive_client.crpl | 1 + + testdata/trust_cname_chain.rpl | 1 + + testdata/ttl_max.rpl | 1 + + testdata/ttl_min.rpl | 1 + + testdata/val_adbit.rpl | 1 + + testdata/val_adcopy.rpl | 1 + + testdata/val_cnametocnamewctoposwc.rpl | 1 + + testdata/val_ds_afterprime.rpl | 1 + + testdata/val_faildnskey_ok.rpl | 1 + + testdata/val_keyprefetch_verify.rpl | 1 + + testdata/val_noadwhennodo.rpl | 1 + + testdata/val_nsec3_b3_optout.rpl | 1 + + testdata/val_nsec3_b3_optout_negcache.rpl | 1 + + testdata/val_nsec3_b4_wild.rpl | 1 + + testdata/val_nsec3_cnametocnamewctoposwc.rpl | 1 + + testdata/val_positive.rpl | 1 + + testdata/val_positive_wc.rpl | 1 + + testdata/val_qds_badanc.rpl | 1 + + testdata/val_qds_oneanc.rpl | 1 + + testdata/val_qds_twoanc.rpl | 1 + + testdata/val_refer_unsignadd.rpl | 1 + + testdata/val_referd.rpl | 1 + + testdata/val_referglue.rpl | 1 + + testdata/val_rrsig.rpl | 1 + + testdata/val_spurious_ns.rpl | 1 + 
+ testdata/val_stub_noroot.rpl | 1 + + testdata/val_ta_algo_dnskey.rpl | 1 + + testdata/val_ta_algo_dnskey_dp.rpl | 1 + + testdata/val_ta_algo_missing_dp.rpl | 1 + + testdata/val_twocname.rpl | 1 + + testdata/val_unalgo_anchor.rpl | 1 + + testdata/val_wild_pos.rpl | 1 + + testdata/views.rpl | 1 + + util/config_file.c | 3 + + util/config_file.h | 3 + + util/configlexer.lex | 1 + + util/configparser.y | 13 +- + 148 files changed, 558 insertions(+), 1 deletion(-) + create mode 100644 testdata/iter_scrub_promiscuous.rpl + +diff --git a/doc/example.conf.in b/doc/example.conf.in +index 59090c6..1a46436 100644 +--- a/doc/example.conf.in ++++ b/doc/example.conf.in +@@ -196,6 +196,10 @@ server: + # Limit on upstream queries for an incoming query and its recursion. + # max-global-quota: 128 + ++ # Should the scrubber remove promiscuous NS from positive answers, ++ # protects against poison attempts. ++ # iter-scrub-promiscuous: yes ++ + # msec for waiting for an unknown server to reply. Increase if you + # are behind a slow satellite link, to eg. 1128. + # unknown-server-time-limit: 376 +diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in +index 5364743..375447c 100644 +--- a/doc/unbound.conf.5.in ++++ b/doc/unbound.conf.5.in +@@ -2000,6 +2000,12 @@ its subqueries from recursion. It is not reset during the resolution. When + it is exceeded the query is failed and the lookup process stops. + Default is 128. + .TP 5 ++.B iter\-scrub\-promiscuous: \fI ++Should the iterator scrubber remove promiscuous NS from positive answers. ++This protects against poisonous contents, that could affect names in the ++same zone as a spoofed packet. ++Default is yes. ++.TP 5 + .B fast\-server\-permil: \fI + Specify how many times out of 1000 to pick from the set of fastest servers. + 0 turns the feature off. 
A value of 900 would pick from the fastest +diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c +index 49a5f5d..553d365 100644 +--- a/iterator/iter_scrub.c ++++ b/iterator/iter_scrub.c +@@ -634,6 +634,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + "RRset:", pkt, msg, prev, &rrset); + continue; + } ++ /* If the NS set is a promiscuous NS set, scrub that ++ * to remove potential for poisonous contents that ++ * affects other names in the same zone. Remove ++ * promiscuous NS sets in positive answers, that ++ * thus have records in the answer section. Nodata ++ * and nxdomain promiscuous NS sets have been removed ++ * already. Since the NS rrset is scrubbed, its ++ * address records are also not marked to be allowed ++ * and are removed later. */ ++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR && ++ msg->an_rrsets != 0 && ++ env->cfg->iter_scrub_promiscuous) { ++ remove_rrset("normalize: removing promiscuous " ++ "RRset:", pkt, msg, prev, &rrset); ++ continue; ++ } + if(nsset == NULL) { + nsset = rrset; + } else { +diff --git a/testdata/autotrust_init.rpl b/testdata/autotrust_init.rpl +index d722273..d69e70b 100644 +--- a/testdata/autotrust_init.rpl ++++ b/testdata/autotrust_init.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/autotrust_init_ds.rpl b/testdata/autotrust_init_ds.rpl +index ad4019e..9ffb4d4 100644 +--- a/testdata/autotrust_init_ds.rpl ++++ b/testdata/autotrust_init_ds.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 
+diff --git a/testdata/autotrust_init_sigs.rpl b/testdata/autotrust_init_sigs.rpl +index d5d52f4..a7cb796 100644 +--- a/testdata/autotrust_init_sigs.rpl ++++ b/testdata/autotrust_init_sigs.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/autotrust_init_zsk.rpl b/testdata/autotrust_init_zsk.rpl +index 56a5bc0..2d28d43 100644 +--- a/testdata/autotrust_init_zsk.rpl ++++ b/testdata/autotrust_init_zsk.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/black_data.rpl b/testdata/black_data.rpl +index e6ef1b7..e928d63 100644 +--- a/testdata/black_data.rpl ++++ b/testdata/black_data.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/black_prime.rpl b/testdata/black_prime.rpl +index fbe92a7..0301c85 100644 +--- a/testdata/black_prime.rpl ++++ b/testdata/black_prime.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/disable_edns_do.rpl b/testdata/disable_edns_do.rpl +index 82a16da..45b4ffc 100644 +--- a/testdata/disable_edns_do.rpl ++++ b/testdata/disable_edns_do.rpl +@@ -5,6 +5,7 @@ server: + qname-minimisation: "no" + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + disable-edns-do: yes + + stub-zone: +diff --git a/testdata/dns64_lookup.rpl b/testdata/dns64_lookup.rpl +index 327f7df..cec8012 100644 +--- a/testdata/dns64_lookup.rpl ++++ b/testdata/dns64_lookup.rpl +@@ -7,6 +7,7 @@ server: + dns64-ignore-aaaa: 
ip6ignore.example.com + dns64-ignore-aaaa: ip6only.example.com + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/dns64_prefetch_cache.rpl b/testdata/dns64_prefetch_cache.rpl +index a23b92f..b28839c 100644 +--- a/testdata/dns64_prefetch_cache.rpl ++++ b/testdata/dns64_prefetch_cache.rpl +@@ -5,6 +5,7 @@ server: + module-config: "dns64 iterator" + dns64-prefix: 64:ff9b::0/96 + minimal-responses: no ++ iter-scrub-promiscuous: no + prefetch: yes + + stub-zone: +diff --git a/testdata/fetch_glue.rpl b/testdata/fetch_glue.rpl +index 8860d85..daf687a 100644 +--- a/testdata/fetch_glue.rpl ++++ b/testdata/fetch_glue.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/fetch_glue_cname.rpl b/testdata/fetch_glue_cname.rpl +index 64f00fb..c786a41 100644 +--- a/testdata/fetch_glue_cname.rpl ++++ b/testdata/fetch_glue_cname.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/fwd_cached.rpl b/testdata/fwd_cached.rpl +index 2d6b0c2..4a00f87 100644 +--- a/testdata/fwd_cached.rpl ++++ b/testdata/fwd_cached.rpl +@@ -2,6 +2,7 @@ + ; config options go here. + server: + minimal-responses: no ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf +index 5b2c804..7bc7408 100644 +--- a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf ++++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf +@@ -10,6 +10,7 @@ server: + username: "" + do-not-query-localhost: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + forward-zone: + name: "." 
+diff --git a/testdata/fwd_minimal.rpl b/testdata/fwd_minimal.rpl +index e85d712..ef1d7fc 100644 +--- a/testdata/fwd_minimal.rpl ++++ b/testdata/fwd_minimal.rpl +@@ -5,6 +5,7 @@ server: + ; is fine for that, not removed by minimal-responses. + access-control: 127.0.0.1 allow_snoop + minimal-responses: yes ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/ipsecmod_bogus_ipseckey.crpl b/testdata/ipsecmod_bogus_ipseckey.crpl +index 094710b..98bc454 100644 +--- a/testdata/ipsecmod_bogus_ipseckey.crpl ++++ b/testdata/ipsecmod_bogus_ipseckey.crpl +@@ -9,6 +9,7 @@ server: + qname-minimisation: "no" + # test that default value of harden-dnssec-stripped is still yes. + fake-sha1: yes ++ iter-scrub-promiscuous: no + trust-anchor-signaling: no + access-control: 127.0.0.1 allow_snoop + module-config: "ipsecmod validator iterator" +diff --git a/testdata/ipsecmod_enabled.crpl b/testdata/ipsecmod_enabled.crpl +index 4498429..04e8cb1 100644 +--- a/testdata/ipsecmod_enabled.crpl ++++ b/testdata/ipsecmod_enabled.crpl +@@ -11,6 +11,7 @@ server: + ipsecmod-enabled: no + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl +index a605c34..4c4d80c 100644 +--- a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl ++++ b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl +@@ -18,6 +18,7 @@ server: + ipsecmod-ignore-bogus: yes + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_max_ttl.crpl b/testdata/ipsecmod_max_ttl.crpl +index 592bae0..4dfeddf 100644 +--- a/testdata/ipsecmod_max_ttl.crpl ++++ b/testdata/ipsecmod_max_ttl.crpl +@@ -10,6 +10,7 @@ server: + ipsecmod-max-ttl: 200 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/ipsecmod_strict.crpl b/testdata/ipsecmod_strict.crpl +index f74e308..51cc11b 100644 +--- a/testdata/ipsecmod_strict.crpl ++++ b/testdata/ipsecmod_strict.crpl +@@ -10,6 +10,7 @@ server: + ipsecmod-max-ttl: 200 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_whitelist.crpl b/testdata/ipsecmod_whitelist.crpl +index 34108f3..350c2ad 100644 +--- a/testdata/ipsecmod_whitelist.crpl ++++ b/testdata/ipsecmod_whitelist.crpl +@@ -11,6 +11,7 @@ server: + ipsecmod-whitelist: white.example.com + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_class_any.rpl b/testdata/iter_class_any.rpl +index 6fb296e..87e0db0 100644 +--- a/testdata/iter_class_any.rpl ++++ b/testdata/iter_class_any.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_cycle_noh.rpl b/testdata/iter_cycle_noh.rpl +index eee26ca..e551ac6 100644 +--- a/testdata/iter_cycle_noh.rpl ++++ b/testdata/iter_cycle_noh.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl +index 6110148..7c3cc1f 100644 +--- a/testdata/iter_domain_sale.rpl ++++ b/testdata/iter_domain_sale.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl +index 5664855..886ed51 100644 +--- a/testdata/iter_domain_sale_nschange.rpl ++++ b/testdata/iter_domain_sale_nschange.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_emptydp.rpl b/testdata/iter_emptydp.rpl +index ecb49b6..3879a9b 100644 +--- a/testdata/iter_emptydp.rpl ++++ b/testdata/iter_emptydp.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_emptydp_for_glue.rpl b/testdata/iter_emptydp_for_glue.rpl +index 94dec2b..fc7933f 100644 +--- a/testdata/iter_emptydp_for_glue.rpl ++++ b/testdata/iter_emptydp_for_glue.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdfirst.rpl b/testdata/iter_fwdfirst.rpl +index 0f8a85f..509a1cd 100644 +--- a/testdata/iter_fwdfirst.rpl ++++ b/testdata/iter_fwdfirst.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdfirstequal.rpl b/testdata/iter_fwdfirstequal.rpl +index dc64814..abd25d1 100644 +--- a/testdata/iter_fwdfirstequal.rpl ++++ b/testdata/iter_fwdfirstequal.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdstub.rpl b/testdata/iter_fwdstub.rpl +index ad5b57c..4c741a5 100644 +--- a/testdata/iter_fwdstub.rpl ++++ b/testdata/iter_fwdstub.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_fwdstubroot.rpl b/testdata/iter_fwdstubroot.rpl +index fa93043..dd93ecd 100644 +--- a/testdata/iter_fwdstubroot.rpl ++++ b/testdata/iter_fwdstubroot.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_ghost_grandchild_delegation.rpl b/testdata/iter_ghost_grandchild_delegation.rpl +index d1e521b..af6a570 100644 +--- a/testdata/iter_ghost_grandchild_delegation.rpl ++++ b/testdata/iter_ghost_grandchild_delegation.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_ghost_sub.rpl b/testdata/iter_ghost_sub.rpl +index ccb7367..36767bb 100644 +--- a/testdata/iter_ghost_sub.rpl ++++ b/testdata/iter_ghost_sub.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_ghost_timewindow.rpl b/testdata/iter_ghost_timewindow.rpl +index 9e30462..24390a0 100644 +--- a/testdata/iter_ghost_timewindow.rpl ++++ b/testdata/iter_ghost_timewindow.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + discard-timeout: 86400 + + stub-zone: +diff --git a/testdata/iter_got6only.rpl b/testdata/iter_got6only.rpl +index 1552284..b0d20b3 100644 +--- a/testdata/iter_got6only.rpl ++++ b/testdata/iter_got6only.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0 " + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. 
+diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl +index 2fb6dde..26aa5dc 100644 +--- a/testdata/iter_hint_lame.rpl ++++ b/testdata/iter_hint_lame.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_lame_noaa.rpl b/testdata/iter_lame_noaa.rpl +index defaa5c..050866c 100644 +--- a/testdata/iter_lame_noaa.rpl ++++ b/testdata/iter_lame_noaa.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_lame_nosoa.rpl b/testdata/iter_lame_nosoa.rpl +index 3bf6ccc..d55ff78 100644 +--- a/testdata/iter_lame_nosoa.rpl ++++ b/testdata/iter_lame_nosoa.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_mod.rpl b/testdata/iter_mod.rpl +index 35b3a5a..3d3d678 100644 +--- a/testdata/iter_mod.rpl ++++ b/testdata/iter_mod.rpl +@@ -4,6 +4,7 @@ server: + qname-minimisation: "no" + module-config: "iterator" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_ns_badip.rpl b/testdata/iter_ns_badip.rpl
+index e0bf966..481f47a 100644
+--- a/testdata/iter_ns_badip.rpl
++++ b/testdata/iter_ns_badip.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "3 2 1 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/iter_ns_spoof.rpl b/testdata/iter_ns_spoof.rpl
+index f674576..999ff05 100644
+--- a/testdata/iter_ns_spoof.rpl
++++ b/testdata/iter_ns_spoof.rpl
+@@ -4,6 +4,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+diff --git a/testdata/iter_nxns_fallback.rpl b/testdata/iter_nxns_fallback.rpl
+index 2a6a3fd..8c0beb8 100644
+--- a/testdata/iter_nxns_fallback.rpl
++++ b/testdata/iter_nxns_fallback.rpl
+@@ -8,6 +8,7 @@ server:
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/iter_pc_a.rpl b/testdata/iter_pc_a.rpl
+index d9add00..be73a79 100644
+--- a/testdata/iter_pc_a.rpl
++++ b/testdata/iter_pc_a.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_pc_aaaa.rpl b/testdata/iter_pc_aaaa.rpl
+index a283543..a7ce186 100644
+--- a/testdata/iter_pc_aaaa.rpl
++++ b/testdata/iter_pc_aaaa.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_pcdiff.rpl b/testdata/iter_pcdiff.rpl
+index 57fb109..a462d33 100644
+--- a/testdata/iter_pcdiff.rpl
++++ b/testdata/iter_pcdiff.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_pcdirect.rpl b/testdata/iter_pcdirect.rpl
+index 0bd5dfe..656ec7a 100644
+--- a/testdata/iter_pcdirect.rpl
++++ b/testdata/iter_pcdirect.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_pcname.rpl b/testdata/iter_pcname.rpl
+index e17c910..af53c90 100644
+--- a/testdata/iter_pcname.rpl
++++ b/testdata/iter_pcname.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_pcnamech.rpl b/testdata/iter_pcnamech.rpl
+index 32b3130..805cb18 100644
+--- a/testdata/iter_pcnamech.rpl
++++ b/testdata/iter_pcnamech.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/iter_pcnamechrec.rpl b/testdata/iter_pcnamechrec.rpl
+index 8bf7ad8..bbb9c86 100644
+--- a/testdata/iter_pcnamechrec.rpl
++++ b/testdata/iter_pcnamechrec.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/iter_pcnamerec.rpl b/testdata/iter_pcnamerec.rpl
+index faee6d0..2ea0dad 100644
+--- a/testdata/iter_pcnamerec.rpl
++++ b/testdata/iter_pcnamerec.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_pcttl.rpl b/testdata/iter_pcttl.rpl
+index 413f8cb..a702017 100644
+--- a/testdata/iter_pcttl.rpl
++++ b/testdata/iter_pcttl.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ do-ip6: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_prefetch.rpl b/testdata/iter_prefetch.rpl
+index bad92dc..fdf5955 100644
+--- a/testdata/iter_prefetch.rpl
++++ b/testdata/iter_prefetch.rpl
+@@ -4,6 +4,7 @@ server:
+ qname-minimisation: "no"
+ prefetch: "yes"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_prefetch_change.rpl b/testdata/iter_prefetch_change.rpl
+index 1be9e6a..c1a1a71 100644
+--- a/testdata/iter_prefetch_change.rpl
++++ b/testdata/iter_prefetch_change.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ prefetch: "yes"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_prefetch_change2.rpl b/testdata/iter_prefetch_change2.rpl
+index 7a8370f..4a966fe 100644
+--- a/testdata/iter_prefetch_change2.rpl
++++ b/testdata/iter_prefetch_change2.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ prefetch: "yes"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_prefetch_childns.rpl b/testdata/iter_prefetch_childns.rpl
+index 00a91fc..f234065 100644
+--- a/testdata/iter_prefetch_childns.rpl
++++ b/testdata/iter_prefetch_childns.rpl
+@@ -4,6 +4,7 @@ server:
+ qname-minimisation: "no"
+ prefetch: "yes"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_prefetch_fail.rpl b/testdata/iter_prefetch_fail.rpl
+index 1d92a4c..d1e3083 100644
+--- a/testdata/iter_prefetch_fail.rpl
++++ b/testdata/iter_prefetch_fail.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ prefetch: "yes"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_prefetch_ns.rpl b/testdata/iter_prefetch_ns.rpl
+index 93af216..3192d31 100644
+--- a/testdata/iter_prefetch_ns.rpl
++++ b/testdata/iter_prefetch_ns.rpl
+@@ -4,6 +4,7 @@ server:
+ qname-minimisation: "no"
+ prefetch: "yes"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_primenoglue.rpl b/testdata/iter_primenoglue.rpl
+index b9808dd..f8c9803 100644
+--- a/testdata/iter_primenoglue.rpl
++++ b/testdata/iter_primenoglue.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_privaddr.rpl b/testdata/iter_privaddr.rpl
+index 0c87b4b..b7a6fde 100644
+--- a/testdata/iter_privaddr.rpl
++++ b/testdata/iter_privaddr.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ private-address: 10.0.0.0/8
+ private-address: 172.16.0.0/12
+diff --git a/testdata/iter_ranoaa_lame.rpl b/testdata/iter_ranoaa_lame.rpl
+index 8ee8241..313192f 100644
+--- a/testdata/iter_ranoaa_lame.rpl
++++ b/testdata/iter_ranoaa_lame.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/iter_reclame_one.rpl b/testdata/iter_reclame_one.rpl
+index 4a6abfa..d273e60 100644
+--- a/testdata/iter_reclame_one.rpl
++++ b/testdata/iter_reclame_one.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/iter_reclame_two.rpl b/testdata/iter_reclame_two.rpl
+index 76c310b..e2b2bc1 100644
+--- a/testdata/iter_reclame_two.rpl
++++ b/testdata/iter_reclame_two.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/iter_recurse.rpl b/testdata/iter_recurse.rpl
+index be50b4a..1352876 100644
+--- a/testdata/iter_recurse.rpl
++++ b/testdata/iter_recurse.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_resolve.rpl b/testdata/iter_resolve.rpl
+index ed051ff..3ea56ab 100644
+--- a/testdata/iter_resolve.rpl
++++ b/testdata/iter_resolve.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_resolve_minimised.rpl b/testdata/iter_resolve_minimised.rpl
+index 2c6f9cc..13f04d4 100644
+--- a/testdata/iter_resolve_minimised.rpl
++++ b/testdata/iter_resolve_minimised.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_resolve_minimised_nx.rpl b/testdata/iter_resolve_minimised_nx.rpl
+index 74e612c..c68f20c 100644
+--- a/testdata/iter_resolve_minimised_nx.rpl
++++ b/testdata/iter_resolve_minimised_nx.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: yes
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_resolve_minimised_refused.rpl b/testdata/iter_resolve_minimised_refused.rpl
+index 66e8e63..8dc76e2 100644
+--- a/testdata/iter_resolve_minimised_refused.rpl
++++ b/testdata/iter_resolve_minimised_refused.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: yes
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_resolve_minimised_timeout.rpl b/testdata/iter_resolve_minimised_timeout.rpl
+index 86b9321..3740d79 100644
+--- a/testdata/iter_resolve_minimised_timeout.rpl
++++ b/testdata/iter_resolve_minimised_timeout.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: yes
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_scrub_cname_an.rpl b/testdata/iter_scrub_cname_an.rpl
+index 9c5060a..f81916b 100644
+--- a/testdata/iter_scrub_cname_an.rpl
++++ b/testdata/iter_scrub_cname_an.rpl
+@@ -4,6 +4,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_scrub_dname_insec.rpl b/testdata/iter_scrub_dname_insec.rpl
+index 826d89e..82ff1d3 100644
+--- a/testdata/iter_scrub_dname_insec.rpl
++++ b/testdata/iter_scrub_dname_insec.rpl
+@@ -4,6 +4,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_scrub_dname_rev.rpl b/testdata/iter_scrub_dname_rev.rpl
+index 9caca66..dfb21b8 100644
+--- a/testdata/iter_scrub_dname_rev.rpl
++++ b/testdata/iter_scrub_dname_rev.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_scrub_dname_sec.rpl b/testdata/iter_scrub_dname_sec.rpl
+index 34a7b32..943b19f 100644
+--- a/testdata/iter_scrub_dname_sec.rpl
++++ b/testdata/iter_scrub_dname_sec.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_scrub_promiscuous.rpl b/testdata/iter_scrub_promiscuous.rpl
+new file mode 100644
+index 0000000..61fca0d
+--- /dev/null
++++ b/testdata/iter_scrub_promiscuous.rpl
+@@ -0,0 +1,373 @@
++; config options
++server:
++ target-fetch-policy: "0 0 0 0 0"
++ qname-minimisation: no
++ iter-scrub-promiscuous: yes
++
++stub-zone:
++ name: "."
++ stub-addr: 1.2.3.0 # ns.root
++CONFIG_END
++
++SCENARIO_BEGIN Test iterator with scrub of promiscuous records
++; The test queries receive spoofed answers.
The check queries see if
++; the record is returned by the original server or by a spoofed source.
++; The test domains are pollute1.mesa, pollute2.mesa and pollute3.mesa.
++; The spoofed contents are ns.attacker.mesa and its IPs 5.6.7.8 and 5.6.7.9.
++; The pollute1.mesa NS, ns.pollute2.mesa A, and test3.atkr.pollute3.mesa NS
++; with ns.pollute3.mesa A records are tested for cache placement.
++
++; ns.root
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.3.0
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++. IN NS
++SECTION ANSWER
++. IN NS NS.ROOT.
++SECTION ADDITIONAL
++NS.ROOT. IN A 1.2.3.0
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++mesa. IN NS
++SECTION AUTHORITY
++mesa. IN NS ns.mesa.
++SECTION ADDITIONAL
++ns.mesa. IN A 1.2.7.7
++ENTRY_END
++RANGE_END
++
++; ns.mesa
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.7.7
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++pollute1.mesa. IN NS
++SECTION AUTHORITY
++pollute1.mesa. IN NS ns.pollute1.mesa.
++SECTION ADDITIONAL
++ns.pollute1.mesa. IN A 1.2.4.1
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++pollute2.mesa. IN NS
++SECTION AUTHORITY
++pollute2.mesa. IN NS ns.pollute2.mesa.
++SECTION ADDITIONAL
++ns.pollute2.mesa. IN A 1.2.4.2
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++pollute3.mesa. IN NS
++SECTION AUTHORITY
++pollute3.mesa. IN NS ns.pollute3.mesa.
++SECTION ADDITIONAL
++ns.pollute3.mesa. IN A 1.2.4.3
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++attacker.mesa. IN NS
++SECTION AUTHORITY
++attacker.mesa. IN NS ns.attacker.mesa.
++SECTION ADDITIONAL
++ns.attacker.mesa.
IN A 5.6.7.8
++ENTRY_END
++RANGE_END
++
++; ns.pollute1.mesa
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.4.1
++
++; This is the spoofed answer that is returned.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++test1.atkr.pollute1.mesa. IN A
++SECTION ANSWER
++test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4
++SECTION AUTHORITY
++pollute1.mesa. 86400 IN NS ns.attacker.mesa.
++ENTRY_END
++
++; correct answer for the check query.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++check.pollute1.mesa. IN A
++SECTION ANSWER
++check.pollute1.mesa. IN A 1.8.9.1
++ENTRY_END
++RANGE_END
++
++; ns.pollute2.mesa
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.4.2
++
++; This is the spoofed answer that is returned.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++test2.atkr.pollute2.mesa. IN A
++SECTION ANSWER
++test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4
++SECTION AUTHORITY
++pollute2.mesa. 86400 IN NS ns.pollute2.mesa.
++SECTION ADDITIONAL
++ns.pollute2.mesa. 86400 IN A 5.6.7.8
++ENTRY_END
++
++; correct answer for the check query.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++check.pollute2.mesa. IN A
++SECTION ANSWER
++check.pollute2.mesa. IN A 1.8.9.2
++ENTRY_END
++RANGE_END
++
++; ns.pollute3.mesa
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.4.3
++
++; This is the spoofed answer that is returned.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++test3.atkr.pollute3.mesa. IN A
++SECTION ANSWER
++test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
++SECTION AUTHORITY
++test3.atkr.pollute3.mesa. 86400 IN NS ns.pollute3.mesa.
++SECTION ADDITIONAL
++ns.pollute3.mesa. 86400 IN A 5.6.7.8
++ENTRY_END
++
++; correct answer for the check query.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++check.pollute3.mesa.
IN A
++SECTION ANSWER
++check.pollute3.mesa. IN A 1.8.9.3
++ENTRY_END
++RANGE_END
++
++; ns.attacker.mesa
++RANGE_BEGIN 0 400
++ ADDRESS 5.6.7.8
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++ns.attacker.mesa. IN A
++SECTION ANSWER
++ns.attacker.mesa. 86400 IN A 5.6.7.8
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++ns.attacker.mesa. IN AAAA
++SECTION AUTHORITY
++attacker.mesa. 3600 IN SOA ns.attacker.mesa. root.attacker.mesa. 4 7200 3600 604800 3600
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++ns.attacker.mesa. IN A
++SECTION ANSWER
++ns.attacker.mesa. 86400 IN A 5.6.7.8
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++check.pollute1.mesa. IN A
++SECTION ANSWER
++check.pollute1.mesa. 86400 IN A 5.6.7.9
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++check.pollute2.mesa. IN A
++SECTION ANSWER
++check.pollute2.mesa. 86400 IN A 5.6.7.9
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++check.pollute3.mesa. IN A
++SECTION ANSWER
++check.pollute3.mesa. 86400 IN A 5.6.7.9
++ENTRY_END
++RANGE_END
++
++; Test query 1
++STEP 1 QUERY
++ENTRY_BEGIN
++REPLY RD
++SECTION QUESTION
++test1.atkr.pollute1.mesa. IN A
++ENTRY_END
++
++STEP 10 CHECK_ANSWER
++ENTRY_BEGIN
++MATCH all
++REPLY QR RD RA NOERROR
++SECTION QUESTION
++test1.atkr.pollute1.mesa. IN A
++SECTION ANSWER
++test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4
++ENTRY_END
++
++; Test query 2
++STEP 20 QUERY
++ENTRY_BEGIN
++REPLY RD
++SECTION QUESTION
++test2.atkr.pollute2.mesa. IN A
++ENTRY_END
++
++STEP 30 CHECK_ANSWER
++ENTRY_BEGIN
++MATCH all
++REPLY QR RD RA NOERROR
++SECTION QUESTION
++test2.atkr.pollute2.mesa.
IN A
++SECTION ANSWER
++test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4
++ENTRY_END
++
++; Test query 3
++STEP 40 QUERY
++ENTRY_BEGIN
++REPLY RD
++SECTION QUESTION
++test3.atkr.pollute3.mesa. IN A
++ENTRY_END
++
++STEP 50 CHECK_ANSWER
++ENTRY_BEGIN
++MATCH all
++REPLY QR RD RA NOERROR
++SECTION QUESTION
++test3.atkr.pollute3.mesa. IN A
++SECTION ANSWER
++test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
++ENTRY_END
++
++; Check the cache contents, for query 1.
++STEP 60 QUERY
++ENTRY_BEGIN
++REPLY RD
++SECTION QUESTION
++check.pollute1.mesa. IN A
++ENTRY_END
++
++STEP 70 CHECK_ANSWER
++ENTRY_BEGIN
++MATCH all
++REPLY QR RD RA NOERROR
++SECTION QUESTION
++check.pollute1.mesa. IN A
++SECTION ANSWER
++; good answer
++check.pollute1.mesa. IN A 1.8.9.1
++; bad answer
++;check.pollute1.mesa. IN A 5.6.7.9
++ENTRY_END
++
++; Check the cache contents, for query 2.
++STEP 80 QUERY
++ENTRY_BEGIN
++REPLY RD
++SECTION QUESTION
++check.pollute2.mesa. IN A
++ENTRY_END
++
++STEP 90 CHECK_ANSWER
++ENTRY_BEGIN
++MATCH all
++REPLY QR RD RA NOERROR
++SECTION QUESTION
++check.pollute2.mesa. IN A
++SECTION ANSWER
++; good answer
++check.pollute2.mesa. IN A 1.8.9.2
++; bad answer
++;check.pollute2.mesa. IN A 5.6.7.9
++ENTRY_END
++
++; Check the cache contents, for query 3.
++STEP 100 QUERY
++ENTRY_BEGIN
++REPLY RD
++SECTION QUESTION
++check.pollute3.mesa. IN A
++ENTRY_END
++
++STEP 110 CHECK_ANSWER
++ENTRY_BEGIN
++MATCH all
++REPLY QR RD RA NOERROR
++SECTION QUESTION
++check.pollute3.mesa. IN A
++SECTION ANSWER
++; good answer
++check.pollute3.mesa. IN A 1.8.9.3
++; bad answer
++;check.pollute3.mesa.
IN A 5.6.7.9
++ENTRY_END
++
++SCENARIO_END
+diff --git a/testdata/iter_scrub_rr_length.rpl b/testdata/iter_scrub_rr_length.rpl
+index 2ef73c2..5463723 100644
+--- a/testdata/iter_scrub_rr_length.rpl
++++ b/testdata/iter_scrub_rr_length.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ ede: yes
+ log-servfail: yes
+diff --git a/testdata/iter_soamin.rpl b/testdata/iter_soamin.rpl
+index 7e90260..0facc35 100644
+--- a/testdata/iter_soamin.rpl
++++ b/testdata/iter_soamin.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_stub_noroot.rpl b/testdata/iter_stub_noroot.rpl
+index ef306bd..749462b 100644
+--- a/testdata/iter_stub_noroot.rpl
++++ b/testdata/iter_stub_noroot.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_stubfirst.rpl b/testdata/iter_stubfirst.rpl
+index 1a7112d..7cd3305 100644
+--- a/testdata/iter_stubfirst.rpl
++++ b/testdata/iter_stubfirst.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_timeout_ra_aaaa.rpl b/testdata/iter_timeout_ra_aaaa.rpl
+index 126867b..9456f04 100644
+--- a/testdata/iter_timeout_ra_aaaa.rpl
++++ b/testdata/iter_timeout_ra_aaaa.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
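Review bot: In the new iter_scrub_promiscuous.rpl the ns.attacker.mesa range (ADDRESS 5.6.7.8) declares the `ns.attacker.mesa. IN A` entry twice with identical MATCH, REPLY and ANSWER content; if the replay harness matches entries in declaration order, as the layout suggests, the second copy is never reached and reads like a paste error, so either drop it or add a `; ...` comment stating why it is repeated. The `; bad answer` lines under STEP 70/90/110 are commented out, which is fine as documentation, but it is the `MATCH all` on each CHECK_ANSWER that actually rejects a 5.6.7.9 answer; a one-line comment near the first check such as `; MATCH all fails the step if the cache served the spoofed 5.6.7.9 record` would make that explicit. The scenario only exercises `iter-scrub-promiscuous: yes`; a companion scenario with the option set to no, sharing the same ranges, would confirm that the observed behaviour is gated by this option rather than by unrelated scrubbing.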
+diff --git a/testdata/iter_unverified_glue.rpl b/testdata/iter_unverified_glue.rpl
+index 017f220..bc96bb1 100644
+--- a/testdata/iter_unverified_glue.rpl
++++ b/testdata/iter_unverified_glue.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ do-ip6: no
+ harden-unverified-glue: yes
+ stub-zone:
+diff --git a/testdata/rrset_rettl.rpl b/testdata/rrset_rettl.rpl
+index 55dd623..131a98e 100644
+--- a/testdata/rrset_rettl.rpl
++++ b/testdata/rrset_rettl.rpl
+@@ -2,6 +2,7 @@
+ ; config options go here.
+ server:
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ forward-zone: name: "." forward-addr: 216.0.0.1
+ CONFIG_END
+ 
+diff --git a/testdata/rrset_untrusted.rpl b/testdata/rrset_untrusted.rpl
+index 6370ebf..207275b 100644
+--- a/testdata/rrset_untrusted.rpl
++++ b/testdata/rrset_untrusted.rpl
+@@ -2,6 +2,7 @@
+ ; config options go here.
+ server:
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ forward-zone: name: "." forward-addr: 216.0.0.1
+ CONFIG_END
+ 
+diff --git a/testdata/rrset_updated.rpl b/testdata/rrset_updated.rpl
+index 55da56b..ba8e492 100644
+--- a/testdata/rrset_updated.rpl
++++ b/testdata/rrset_updated.rpl
+@@ -2,6 +2,7 @@
+ ; config options go here.
+ server:
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ forward-zone: name: "." forward-addr: 216.0.0.1
+ CONFIG_END
+diff --git a/testdata/rrset_use_cached.rpl b/testdata/rrset_use_cached.rpl
+index 8420ae0..17696f6 100644
+--- a/testdata/rrset_use_cached.rpl
++++ b/testdata/rrset_use_cached.rpl
+@@ -1,5 +1,6 @@
+ server:
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ # The value does not matter, we will not simulate delay.
+ # We do not want only serve-expired because fetches from that
+diff --git a/testdata/serve_expired.rpl b/testdata/serve_expired.rpl
+index 3f61019..2bba0d9 100644
+--- a/testdata/serve_expired.rpl
++++ b/testdata/serve_expired.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ access-control: 127.0.0.1/32 allow_snoop
+ ede: yes
+diff --git a/testdata/serve_expired_0ttl_nodata.rpl b/testdata/serve_expired_0ttl_nodata.rpl
+index 7f1b5a5..d16a115 100644
+--- a/testdata/serve_expired_0ttl_nodata.rpl
++++ b/testdata/serve_expired_0ttl_nodata.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ log-servfail: yes
+ ede: yes
+diff --git a/testdata/serve_expired_0ttl_nxdomain.rpl b/testdata/serve_expired_0ttl_nxdomain.rpl
+index 4adb4b8..a9195b0 100644
+--- a/testdata/serve_expired_0ttl_nxdomain.rpl
++++ b/testdata/serve_expired_0ttl_nxdomain.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ log-servfail: yes
+ ede: yes
+diff --git a/testdata/serve_expired_0ttl_servfail.rpl b/testdata/serve_expired_0ttl_servfail.rpl
+index 6833af1..b0fa484 100644
+--- a/testdata/serve_expired_0ttl_servfail.rpl
++++ b/testdata/serve_expired_0ttl_servfail.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ log-servfail: yes
+ ede: yes
+diff --git a/testdata/serve_expired_cached_servfail.rpl b/testdata/serve_expired_cached_servfail.rpl
+index edec744..259fd99 100644
+--- a/testdata/serve_expired_cached_servfail.rpl
++++ b/testdata/serve_expired_cached_servfail.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator
iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ serve-expired-reply-ttl: 123
+ log-servfail: yes
+diff --git a/testdata/serve_expired_client_timeout.rpl b/testdata/serve_expired_client_timeout.rpl
+index 5560aa0..e40e1b4 100644
+--- a/testdata/serve_expired_client_timeout.rpl
++++ b/testdata/serve_expired_client_timeout.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ serve-expired-client-timeout: 1
+ serve-expired-reply-ttl: 123
+diff --git a/testdata/serve_expired_client_timeout_no_prefetch.rpl b/testdata/serve_expired_client_timeout_no_prefetch.rpl
+index aed397d..3a35c46 100644
+--- a/testdata/serve_expired_client_timeout_no_prefetch.rpl
++++ b/testdata/serve_expired_client_timeout_no_prefetch.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ serve-expired-client-timeout: 1
+ serve-expired-reply-ttl: 123
+diff --git a/testdata/serve_expired_client_timeout_servfail.rpl b/testdata/serve_expired_client_timeout_servfail.rpl
+index cea216d..8ac491f 100644
+--- a/testdata/serve_expired_client_timeout_servfail.rpl
++++ b/testdata/serve_expired_client_timeout_servfail.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ serve-expired-client-timeout: 1
+ serve-expired-reply-ttl: 123
+diff --git a/testdata/serve_expired_client_timeout_val_bogus.rpl b/testdata/serve_expired_client_timeout_val_bogus.rpl
+index f4937a1..226e922 100644
+--- a/testdata/serve_expired_client_timeout_val_bogus.rpl
++++ b/testdata/serve_expired_client_timeout_val_bogus.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ 
iter-scrub-promiscuous: no
+ 
+ serve-expired: yes
+ serve-expired-client-timeout: 1
+diff --git a/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl b/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl
+index 6654a2c..08fc071 100644
+--- a/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl
++++ b/testdata/serve_expired_client_timeout_val_insecure_delegation.rpl
+@@ -9,6 +9,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ serve-expired: yes
+diff --git a/testdata/serve_expired_reply_ttl.rpl b/testdata/serve_expired_reply_ttl.rpl
+index 124fb87..063aad9 100644
+--- a/testdata/serve_expired_reply_ttl.rpl
++++ b/testdata/serve_expired_reply_ttl.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ serve-expired-reply-ttl: 123
+ ede: yes
+diff --git a/testdata/serve_expired_ttl.rpl b/testdata/serve_expired_ttl.rpl
+index df4ecb8..df3cd90 100644
+--- a/testdata/serve_expired_ttl.rpl
++++ b/testdata/serve_expired_ttl.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ serve-expired-ttl: 10
+ 
+diff --git a/testdata/serve_expired_ttl_client_timeout.rpl b/testdata/serve_expired_ttl_client_timeout.rpl
+index 169d070..f285790 100644
+--- a/testdata/serve_expired_ttl_client_timeout.rpl
++++ b/testdata/serve_expired_ttl_client_timeout.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ serve-expired-ttl: 10
+ serve-expired-client-timeout: 1
+diff --git a/testdata/serve_expired_val_bogus.rpl b/testdata/serve_expired_val_bogus.rpl
+index 35365be..e8b4bbd 100644
+--- 
a/testdata/serve_expired_val_bogus.rpl
++++ b/testdata/serve_expired_val_bogus.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ serve-expired: yes
+ serve-expired-reply-ttl: 123
+diff --git a/testdata/serve_expired_zerottl.rpl b/testdata/serve_expired_zerottl.rpl
+index 0239b4a..fbb76f9 100644
+--- a/testdata/serve_expired_zerottl.rpl
++++ b/testdata/serve_expired_zerottl.rpl
+@@ -3,6 +3,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ serve-expired-reply-ttl: 123
+ ede: yes
+diff --git a/testdata/serve_original_ttl.rpl b/testdata/serve_original_ttl.rpl
+index 24d01b6..ced0672 100644
+--- a/testdata/serve_original_ttl.rpl
++++ b/testdata/serve_original_ttl.rpl
+@@ -4,6 +4,7 @@ server:
+ module-config: "validator iterator"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-original-ttl: yes
+ cache-max-ttl: 1000
+ cache-min-ttl: 20
+diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl
+index 3cee6e9..c97bfbb 100644
+--- a/testdata/subnet_cached.crpl
++++ b/testdata/subnet_cached.crpl
+@@ -15,6 +15,7 @@ server:
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/subnet_cached_servfail.crpl b/testdata/subnet_cached_servfail.crpl
+index 9c746d5..535671b 100644
+--- a/testdata/subnet_cached_servfail.crpl
++++ b/testdata/subnet_cached_servfail.crpl
+@@ -11,6 +11,7 @@ server:
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ prefetch: yes
+ 
+diff --git a/testdata/subnet_cached_size.crpl b/testdata/subnet_cached_size.crpl
+index d221d0d..4a8c464 100644
+--- a/testdata/subnet_cached_size.crpl
++++ b/testdata/subnet_cached_size.crpl
+@@ -15,6 +15,7 @@ server:
+ access-control: 127.0.0.0/8 allow_snoop
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ ; the size for the edns subnet cache
+ msg-cache-size: 1500
+ 
+diff --git a/testdata/subnet_global_prefetch.crpl b/testdata/subnet_global_prefetch.crpl
+index 2f005d4..7665015 100644
+--- a/testdata/subnet_global_prefetch.crpl
++++ b/testdata/subnet_global_prefetch.crpl
+@@ -12,6 +12,7 @@ server:
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ prefetch: yes
+ 
+ stub-zone:
+diff --git a/testdata/subnet_global_prefetch_always_forward.crpl b/testdata/subnet_global_prefetch_always_forward.crpl
+index ccfe5df..0713629 100644
+--- a/testdata/subnet_global_prefetch_always_forward.crpl
++++ b/testdata/subnet_global_prefetch_always_forward.crpl
+@@ -12,6 +12,7 @@ server:
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/subnet_global_prefetch_expired.crpl b/testdata/subnet_global_prefetch_expired.crpl
+index de1b780..7c00d82 100644
+--- a/testdata/subnet_global_prefetch_expired.crpl
++++ b/testdata/subnet_global_prefetch_expired.crpl
+@@ -13,6 +13,7 @@ server:
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ serve-expired: yes
+ serve-expired-ttl: 1
+ prefetch: yes
+diff --git a/testdata/subnet_global_prefetch_with_client_ecs.crpl b/testdata/subnet_global_prefetch_with_client_ecs.crpl
+index ddc832c..8589db7 100644
+--- a/testdata/subnet_global_prefetch_with_client_ecs.crpl
++++ b/testdata/subnet_global_prefetch_with_client_ecs.crpl
+@@ -12,6 +12,7 @@ server:
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ prefetch: yes
+ 
+ stub-zone:
+diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl
+index f5c7464..f3f71e7 100644
+--- a/testdata/subnet_max_source.crpl
++++ b/testdata/subnet_max_source.crpl
+@@ -11,6 +11,7 @@ server:
+ verbosity: 3
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/subnet_prefetch.crpl b/testdata/subnet_prefetch.crpl
+index aaa6bf0..243e409 100644
+--- a/testdata/subnet_prefetch.crpl
++++ b/testdata/subnet_prefetch.crpl
+@@ -12,6 +12,7 @@ server:
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ prefetch: yes
+ 
+ stub-zone:
+diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl
+index 01456e5..10996ad 100644
+--- a/testdata/subnet_val_positive.crpl
++++ b/testdata/subnet_val_positive.crpl
+@@ -13,6 +13,7 @@ server:
+ fake-dsa: yes
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl
+index b573742..1b51d52 100644
+--- a/testdata/subnet_val_positive_client.crpl
++++ b/testdata/subnet_val_positive_client.crpl
+@@ -14,6 +14,7 @@ server:
+ fake-dsa: yes
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/trust_cname_chain.rpl b/testdata/trust_cname_chain.rpl
+index f8415ba..e24f8c1 100644
+--- a/testdata/trust_cname_chain.rpl
++++ b/testdata/trust_cname_chain.rpl
+@@ -2,6 +2,7 @@
+ server:
+ target-fetch-policy: "0 0 0 0 0"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+diff --git a/testdata/ttl_max.rpl b/testdata/ttl_max.rpl
+index 3256963..b24eea3 100644
+--- a/testdata/ttl_max.rpl
++++ b/testdata/ttl_max.rpl
+@@ -4,6 +4,7 @@ server:
+ cache-max-ttl: 10
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/ttl_min.rpl b/testdata/ttl_min.rpl
+index 3c79ff5..94206c7 100644
+--- a/testdata/ttl_min.rpl
++++ b/testdata/ttl_min.rpl
+@@ -4,6 +4,7 @@ server:
+ cache-min-ttl: 10
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_adbit.rpl b/testdata/val_adbit.rpl
+index 7ce62de..233c58b 100644
+--- a/testdata/val_adbit.rpl
++++ b/testdata/val_adbit.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_adcopy.rpl b/testdata/val_adcopy.rpl
+index 604fd57..7bc31df 100644
+--- a/testdata/val_adcopy.rpl
++++ b/testdata/val_adcopy.rpl
+@@ -7,6 +7,7 @@ server:
+ qname-minimisation: "no"
+ fake-sha1: yes
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_cnametocnamewctoposwc.rpl b/testdata/val_cnametocnamewctoposwc.rpl
+index 407666e..9ea8b49 100644
+--- a/testdata/val_cnametocnamewctoposwc.rpl
++++ b/testdata/val_cnametocnamewctoposwc.rpl
+@@ -7,6 +7,7 @@ server:
+ qname-minimisation: "no"
+ fake-sha1: yes
+ trust-anchor-signaling: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_ds_afterprime.rpl b/testdata/val_ds_afterprime.rpl
+index 3b1c0d6..301a1f6 100644
+--- a/testdata/val_ds_afterprime.rpl
++++ b/testdata/val_ds_afterprime.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_faildnskey_ok.rpl b/testdata/val_faildnskey_ok.rpl
+index 50f3184..f9196f3 100644
+--- a/testdata/val_faildnskey_ok.rpl
++++ b/testdata/val_faildnskey_ok.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_keyprefetch_verify.rpl b/testdata/val_keyprefetch_verify.rpl
+index 9b901a8..6cf8184 100644
+--- a/testdata/val_keyprefetch_verify.rpl
++++ b/testdata/val_keyprefetch_verify.rpl
+@@ -10,6 +10,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_noadwhennodo.rpl b/testdata/val_noadwhennodo.rpl
+index 46e1bad..dbdeb78 100644
+--- a/testdata/val_noadwhennodo.rpl
++++ b/testdata/val_noadwhennodo.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_nsec3_b3_optout.rpl b/testdata/val_nsec3_b3_optout.rpl
+index 9d84be9..5d8a43a 100644
+--- a/testdata/val_nsec3_b3_optout.rpl
++++ b/testdata/val_nsec3_b3_optout.rpl
+@@ -7,6 +7,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/val_nsec3_b3_optout_negcache.rpl b/testdata/val_nsec3_b3_optout_negcache.rpl
+index 497a859..e7be762 100644
+--- a/testdata/val_nsec3_b3_optout_negcache.rpl
++++ b/testdata/val_nsec3_b3_optout_negcache.rpl
+@@ -7,6 +7,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/val_nsec3_b4_wild.rpl b/testdata/val_nsec3_b4_wild.rpl
+index 8bf3a54..295932f 100644
+--- a/testdata/val_nsec3_b4_wild.rpl
++++ b/testdata/val_nsec3_b4_wild.rpl
+@@ -6,6 +6,7 @@ server:
+ qname-minimisation: "no"
+ fake-sha1: yes
+ trust-anchor-signaling: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/val_nsec3_cnametocnamewctoposwc.rpl b/testdata/val_nsec3_cnametocnamewctoposwc.rpl
+index 1651ae7..3e4c55a 100644
+--- a/testdata/val_nsec3_cnametocnamewctoposwc.rpl
++++ b/testdata/val_nsec3_cnametocnamewctoposwc.rpl
+@@ -7,6 +7,7 @@ server:
+ qname-minimisation: "no"
+ fake-sha1: yes
+ trust-anchor-signaling: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_positive.rpl b/testdata/val_positive.rpl
+index daaf360..c808517 100644
+--- a/testdata/val_positive.rpl
++++ b/testdata/val_positive.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_positive_wc.rpl b/testdata/val_positive_wc.rpl
+index 5384acf..591dcc6 100644
+--- a/testdata/val_positive_wc.rpl
++++ b/testdata/val_positive_wc.rpl
+@@ -7,6 +7,7 @@ server:
+ qname-minimisation: "no"
+ fake-sha1: yes
+ trust-anchor-signaling: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_qds_badanc.rpl b/testdata/val_qds_badanc.rpl
+index dc68615..cb53136 100644
+--- a/testdata/val_qds_badanc.rpl
++++ b/testdata/val_qds_badanc.rpl
+@@ -7,6 +7,7 @@ server:
+ qname-minimisation: "no"
+ fake-sha1: yes
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_qds_oneanc.rpl b/testdata/val_qds_oneanc.rpl
+index f21ab42..bda9f90 100644
+--- a/testdata/val_qds_oneanc.rpl
++++ b/testdata/val_qds_oneanc.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_qds_twoanc.rpl b/testdata/val_qds_twoanc.rpl
+index 4e4f2e7..f801c02 100644
+--- a/testdata/val_qds_twoanc.rpl
++++ b/testdata/val_qds_twoanc.rpl
+@@ -9,6 +9,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_refer_unsignadd.rpl b/testdata/val_refer_unsignadd.rpl
+index 4d07301..22f15d2 100644
+--- a/testdata/val_refer_unsignadd.rpl
++++ b/testdata/val_refer_unsignadd.rpl
+@@ -9,6 +9,7 @@ server:
+ qname-minimisation: "no"
+ fake-sha1: yes
+ trust-anchor-signaling: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/val_referd.rpl b/testdata/val_referd.rpl
+index d475f83..a25ca7b 100644
+--- a/testdata/val_referd.rpl
++++ b/testdata/val_referd.rpl
+@@ -10,6 +10,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl
+index 54b7671..3ca0c0e 100644
+--- a/testdata/val_referglue.rpl
++++ b/testdata/val_referglue.rpl
+@@ -10,6 +10,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ stub-zone:
+diff --git a/testdata/val_rrsig.rpl b/testdata/val_rrsig.rpl
+index 0b672e0..69df344 100644
+--- a/testdata/val_rrsig.rpl
++++ b/testdata/val_rrsig.rpl
+@@ -7,6 +7,7 @@ server:
+ qname-minimisation: "no"
+ fake-sha1: yes
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_spurious_ns.rpl b/testdata/val_spurious_ns.rpl
+index cb0a6e5..8db94a1 100644
+--- a/testdata/val_spurious_ns.rpl
++++ b/testdata/val_spurious_ns.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_stub_noroot.rpl b/testdata/val_stub_noroot.rpl
+index 07113be..66c3d8e 100644
+--- a/testdata/val_stub_noroot.rpl
++++ b/testdata/val_stub_noroot.rpl
+@@ -6,6 +6,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_ta_algo_dnskey.rpl b/testdata/val_ta_algo_dnskey.rpl
+index 03bac83..5b0b64d 100644
+--- a/testdata/val_ta_algo_dnskey.rpl
++++ b/testdata/val_ta_algo_dnskey.rpl
+@@ -9,6 +9,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_ta_algo_dnskey_dp.rpl b/testdata/val_ta_algo_dnskey_dp.rpl
+index 2b3609b..ae0c499 100644
+--- a/testdata/val_ta_algo_dnskey_dp.rpl
++++ b/testdata/val_ta_algo_dnskey_dp.rpl
+@@ -10,6 +10,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_ta_algo_missing_dp.rpl b/testdata/val_ta_algo_missing_dp.rpl
+index dc55a09..14efdec 100644
+--- a/testdata/val_ta_algo_missing_dp.rpl
++++ b/testdata/val_ta_algo_missing_dp.rpl
+@@ -11,6 +11,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_twocname.rpl b/testdata/val_twocname.rpl
+index bc7c3bc..b432364 100644
+--- a/testdata/val_twocname.rpl
++++ b/testdata/val_twocname.rpl
+@@ -5,6 +5,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ rrset-roundrobin: no
+ 
+ forward-zone:
+diff --git a/testdata/val_unalgo_anchor.rpl b/testdata/val_unalgo_anchor.rpl
+index fbbf288..a935201 100644
+--- a/testdata/val_unalgo_anchor.rpl
++++ b/testdata/val_unalgo_anchor.rpl
+@@ -7,6 +7,7 @@ server:
+ qname-minimisation: "no"
+ fake-sha1: yes
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/val_wild_pos.rpl b/testdata/val_wild_pos.rpl
+index 624d8e0..9fafa65 100644
+--- a/testdata/val_wild_pos.rpl
++++ b/testdata/val_wild_pos.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ stub-zone:
+ name: "."
+diff --git a/testdata/views.rpl b/testdata/views.rpl
+index 6a9052f..a602624 100644
+--- a/testdata/views.rpl
++++ b/testdata/views.rpl
+@@ -3,6 +3,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ 
+ access-control: 10.10.10.0/24 allow
+ access-control-view: 10.10.10.10/32 "view1"
+diff --git a/util/config_file.c b/util/config_file.c
+index aca0039..9aebf7c 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -416,6 +416,7 @@ config_create(void)
+ cfg->ede = 0;
+ cfg->iter_scrub_ns = 20;
+ cfg->iter_scrub_cname = 11;
++ cfg->iter_scrub_promiscuous = 1;
+ cfg->max_global_quota = 128;
+ return cfg;
+ error_exit:
+@@ -737,6 +738,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
+ else S_YNO("ede-serve-expired:", ede_serve_expired)
+ else S_NUMBER_OR_ZERO("iter-scrub-ns:", iter_scrub_ns)
+ else S_NUMBER_OR_ZERO("iter-scrub-cname:", iter_scrub_cname)
++ else S_YNO("iter-scrub-promiscuous:", iter_scrub_promiscuous)
+ else S_NUMBER_OR_ZERO("max-global-quota:", max_global_quota)
+ else S_YNO("serve-original-ttl:", serve_original_ttl)
+ else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations)
+@@ -1212,6 +1214,7 @@ config_get_option(struct config_file* cfg, const char* opt,
+ else O_YNO(opt, "ede-serve-expired", ede_serve_expired)
+ else O_DEC(opt, "iter-scrub-ns", iter_scrub_ns)
+ else O_DEC(opt, "iter-scrub-cname", iter_scrub_cname)
++ else O_YNO(opt, "iter-scrub-promiscuous", iter_scrub_promiscuous)
+ else O_DEC(opt, "max-global-quota", max_global_quota)
+ else O_YNO(opt, "serve-original-ttl", serve_original_ttl)
+ else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations)
+diff --git a/util/config_file.h b/util/config_file.h
+index 2969f84..5ed95d0 100644
+--- a/util/config_file.h
++++ b/util/config_file.h
+@@ -779,6 +779,9 @@ struct config_file {
+ int iter_scrub_cname;
+ /** limit on upstream queries for an incoming query and
subqueries. */
+ int max_global_quota;
++ /** Should the iterator scrub promiscuous NS rrsets, from positive
++ * answers. */
++ int iter_scrub_promiscuous;
+ };
+ 
+ /** from cfg username, after daemonize setup performed */
+diff --git a/util/configlexer.lex b/util/configlexer.lex
+index 4c0416f..93c4fff 100644
+--- a/util/configlexer.lex
++++ b/util/configlexer.lex
+@@ -597,6 +597,7 @@ proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) }
+ iter-scrub-ns{COLON} { YDVAR(1, VAR_ITER_SCRUB_NS) }
+ iter-scrub-cname{COLON} { YDVAR(1, VAR_ITER_SCRUB_CNAME) }
+ max-global-quota{COLON} { YDVAR(1, VAR_MAX_GLOBAL_QUOTA) }
++iter-scrub-promiscuous{COLON} { YDVAR(1, VAR_ITER_SCRUB_PROMISCUOUS) }
+ {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
+ 
+ /* Quoted strings. Strip leading and ending quotes */
+diff --git a/util/configparser.y b/util/configparser.y
+index c10a5f4..a102fee 100644
+--- a/util/configparser.y
++++ b/util/configparser.y
+@@ -209,6 +209,7 @@ extern struct config_parser_state* cfg_parser;
+ %token VAR_LOG_DESTADDR VAR_CACHEDB_CHECK_WHEN_SERVE_EXPIRED
+ %token VAR_COOKIE_SECRET_FILE VAR_ITER_SCRUB_NS VAR_ITER_SCRUB_CNAME
+ %token VAR_MAX_GLOBAL_QUOTA VAR_HARDEN_UNVERIFIED_GLUE VAR_LOG_TIME_ISO
++%token VAR_ITER_SCRUB_PROMISCUOUS
+ 
+ %%
+ toplevelvars: /* empty */ | toplevelvars toplevelvar ;
+@@ -349,7 +350,7 @@ content_server: server_num_threads | server_verbosity | server_port |
+ server_harden_unknown_additional | server_disable_edns_do |
+ server_log_destaddr | server_cookie_secret_file |
+ server_iter_scrub_ns | server_iter_scrub_cname | server_max_global_quota |
+- server_harden_unverified_glue | server_log_time_iso
++ server_harden_unverified_glue | server_log_time_iso | server_iter_scrub_promiscuous
+ ;
+ stub_clause: stubstart contents_stub
+ {
+@@ -4111,6 +4112,16 @@ server_max_global_quota: VAR_MAX_GLOBAL_QUOTA STRING_ARG
+ free($2);
+ }
+ ;
++server_iter_scrub_promiscuous: VAR_ITER_SCRUB_PROMISCUOUS STRING_ARG
++ {
++ 
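Review bot: The new `iter_scrub_promiscuous` member in struct config_file is documented with a comment that neither states the default nor says what makes an NS RRset "promiscuous", so an operator or maintainer reading the header has to find `cfg->iter_scrub_promiscuous = 1;` in config_create to learn that scrubbing is on unless configured off. I would extend the comment to `/** Should the iterator scrub promiscuous NS rrsets from positive answers (config option iter-scrub-promiscuous, default yes). */`, and, if the part of the patch outside this view does not already do it, add the option to doc/unbound.conf.5.in with the same wording so the default is visible where users look for it. Appending the member at the end of the struct rather than next to iter_scrub_cname is reasonable for a stable-branch update, but a short `/* appended to keep struct layout stable in the backport */` comment would stop a later cleanup from moving it.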
OUTYY(("P(server_iter_scrub_promiscuous:%s)\n", $2));
++ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
++ yyerror("expected yes or no.");
++ else cfg_parser->cfg->iter_scrub_promiscuous =
++ (strcmp($2, "yes")==0);
++ free($2);
++ }
++ ;
+ ipsetstart: VAR_IPSET
+ {
+ OUTYY(("\nP(ipset:)\n"));
diff -Nru unbound-1.22.0/debian/patches/series unbound-1.22.0/debian/patches/series
--- unbound-1.22.0/debian/patches/series 2025-07-17 16:02:37.000000000 +0000
+++ unbound-1.22.0/debian/patches/series 2025-11-26 20:12:47.000000000 +0000
@@ -1,2 +1,4 @@
 do-not-chown-control-socket.patch
 Fix-RebirthDay-Attack-CVE-2025-5994.patch
+CVE-2025-11411.patch
+CVE-2025-11411-additional-nodata.patch
diff -Nru unbound-1.22.0/debian/salsa-ci.yml unbound-1.22.0/debian/salsa-ci.yml
--- unbound-1.22.0/debian/salsa-ci.yml 2025-07-15 11:01:49.000000000 +0000
+++ unbound-1.22.0/debian/salsa-ci.yml 2025-11-26 20:12:47.000000000 +0000
@@ -4,7 +4,10 @@
 - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
 
 variables:
+ RELEASE: 'trixie'
 # autopkgtest fails autodep8 for python
 SALSA_CI_DISABLE_AUTOPKGTEST: 1
 SALSA_CI_DISABLE_BUILD_PACKAGE_ALL: 1
 SALSA_CI_DISABLE_BUILD_PACKAGE_ANY: 1
+ SALSA_CI_DISABLE_LINTIAN: 1
+ SALSA_CI_DISABLE_REPROTEST: 1
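Review bot: The two new `SALSA_CI_DISABLE_LINTIAN: 1` and `SALSA_CI_DISABLE_REPROTEST: 1` lines in debian/salsa-ci.yml carry no justification, while the neighbouring `SALSA_CI_DISABLE_AUTOPKGTEST: 1` does (`# autopkgtest fails autodep8 for python`), and the changelog entry only records that the jobs were disabled. Switching off two quality gates on a security branch is the kind of decision the next uploader will want to re-evaluate, so a one-line comment above the pair, `# lintian/reprotest disabled: <reason for this branch>`, with the real reason filled in, would keep the file self-explaining the way the existing entry is.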