; config options
; Downstream DNS Cookie setup exercised by the scenario below:
;  - answer-cookie turns on server cookies in replies.
;  - cookie-secret is a fixed 16-byte (128-bit) value so that the hashes
;    hard-coded in the steps stay reproducible. It is a test fixture only;
;    never reuse this published value as a production secret.
;  - 127.0.0.1 is under allow_cookie (cookie enforced, see STEP 0-31);
;    1.2.3.4 is under plain allow (no cookie enforcement, see STEP 40-41).
;    Steps without an explicit ADDRESS presumably query from 127.0.0.1.
;  - local-data provides the TXT record the successful steps expect back.
server:
	answer-cookie: yes
	cookie-secret: "000102030405060708090a0b0c0d0e0f"
	access-control: 127.0.0.1 allow_cookie
	access-control: 1.2.3.4 allow
	local-data: "test. TXT test"

CONFIG_END

SCENARIO_BEGIN Test downstream DNS Cookies

; Note: Where a step needs a valid server-cookie hash, the value was obtained
; by running this test with an invalid hash and copying the valid one from the
; output. The hashes are therefore tied to the cookie-secret, client cookie and
; timestamps used in this file (per RFC 9018 the client address is hashed as
; well); changing any of them means regenerating the hashes.
; Actual hash generation is tested with unit tests.

; Query without any EDNS cookie option (no MATCH TCP on the query, unlike
; STEP 10) ...
STEP 0 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
ENTRY_END
; ... get TC and REFUSED: the source is under allow_cookie, so a cookie-less
; query gets no answer data, and the TC flag points the client at TCP.
STEP 1 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA TC REFUSED
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query without a client cookie on TCP (MATCH TCP on the query entry) ...
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
MATCH TCP
SECTION QUESTION
test. IN TXT
ENTRY_END
; ... get a normal answer: over TCP no cookie is required. The expected reply
; uses plain "MATCH all" without server_cookie, so this step does not ask for
; a server cookie in the reply.
STEP 11 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA AA NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with only a client cookie (8-byte COOKIE option, no server part) ...
STEP 20 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a			; EDNS option code 10 (COOKIE)
	00 08			; Option length 8: client cookie only
	31 32 33 34 35 36 37 38	; Client cookie (8 bytes, ASCII "12345678")
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie: no answer data is returned until the
; client retries with the server cookie it is handed here.
; (server_cookie presumably only checks that a server cookie is present; no
; expected cookie value is given in this entry.)
STEP 21 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET	; BADCOOKIE (23) is an extended rcode; its low 4 bits are 7 = YXRRSET
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query with an invalid cookie (full 24-byte option, but unsupported version
; and a hash that does not verify) ...
STEP 30 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a			; EDNS option code 10 (COOKIE)
	00 18			; Option length 24: 8 client + 16 server cookie bytes
	31 32 33 34 35 36 37 38	; Client cookie (8 bytes, ASCII "12345678")
	02 00 00 00		; Wrong version (2) + 3 reserved bytes; valid steps use 1
	00 00 00 00		; Timestamp 0
	31 32 33 34 35 36 37 38	; Wrong hash (filler bytes, not a computed value)
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie, the same outcome as a missing server
; cookie (STEP 21).
STEP 31 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET	; BADCOOKIE (23) is an extended rcode; its low 4 bits are 7 = YXRRSET
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query with the same invalid cookie as STEP 30, but from 1.2.3.4, which is
; configured with plain "allow" rather than "allow_cookie" ...
STEP 40 QUERY ADDRESS 1.2.3.4
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a			; EDNS option code 10 (COOKIE)
	00 18			; Option length 24: 8 client + 16 server cookie bytes
	31 32 33 34 35 36 37 38	; Client cookie (8 bytes, ASCII "12345678")
	02 00 00 00		; Wrong version (2) + 3 reserved bytes; valid steps use 1
	00 00 00 00		; Timestamp 0
	31 32 33 34 35 36 37 38	; Wrong hash (filler bytes, not a computed value)
HEX_EDNSDATA_END
ENTRY_END
; ... get the answer and a cookie: an invalid cookie does not block a source
; that is not cookie-protected, and the reply still carries a server cookie.
STEP 41 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with a valid cookie (version 1, timestamp 0, matching hash; no
; TIME_PASSES step has run before this point) ...
STEP 50 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a			; EDNS option code 10 (COOKIE)
	00 18			; Option length 24: 8 client + 16 server cookie bytes
	31 32 33 34 35 36 37 38	; Client cookie (8 bytes, ASCII "12345678")
	01 00 00 00		; Version 1 + 3 reserved bytes
	00 00 00 00		; Timestamp 0
	38 52 7b a8 c6 a4 ea 96	; Hash (valid for this secret, client cookie and timestamp)
HEX_EDNSDATA_END
ENTRY_END
; ... get the answer and the cookie
STEP 51 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with a valid >30 minutes old cookie: the clock advances 1801 s
; (30 min + 1 s) and the cookie from STEP 50 (timestamp 0) is sent again ...
STEP 59 TIME_PASSES ELAPSE 1801
STEP 60 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a			; EDNS option code 10 (COOKIE)
	00 18			; Option length 24: 8 client + 16 server cookie bytes
	31 32 33 34 35 36 37 38	; Client cookie (8 bytes, ASCII "12345678")
	01 00 00 00		; Version 1 + 3 reserved bytes
	00 00 00 00		; Timestamp 0, i.e. 1801 s old at this point
	38 52 7b a8 c6 a4 ea 96	; Hash (same valid hash as STEP 50)
HEX_EDNSDATA_END
ENTRY_END
; ... get the answer and a refreshed cookie: the old cookie is still accepted.
;     (The refresh itself is not checked here; it has its own unit test.)
STEP 61 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

; Query with a hash-valid >60 minutes old cookie: the clock advances another
; 3601 s (5402 s since the start) and the cookie carries timestamp 1801, so it
; is 3601 s old. The hash verifies; only the age makes it unacceptable ...
STEP 69 TIME_PASSES ELAPSE 3601
STEP 70 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a			; EDNS option code 10 (COOKIE)
	00 18			; Option length 24: 8 client + 16 server cookie bytes
	31 32 33 34 35 36 37 38	; Client cookie (8 bytes, ASCII "12345678")
	01 00 00 00		; Version 1 + 3 reserved bytes
	00 00 07 09		; Timestamp 0x0709 = 1801
	77 81 38 e3 8f aa 72 86	; Hash (valid for timestamp 1801)
HEX_EDNSDATA_END
ENTRY_END
; ... get BADCOOKIE and a new cookie: expiry bounds how long a captured cookie
; stays usable, even though its hash is correct.
STEP 71 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA DO YXRRSET	; BADCOOKIE (23) is an extended rcode; its low 4 bits are 7 = YXRRSET
SECTION QUESTION
test. IN TXT
ENTRY_END

; Query with a valid future (<5 minutes) cookie: the clock is 5402 s since the
; start (1801 + 3601) and the cookie timestamp is 5701, i.e. 299 s ahead ...
; NOTE(review): no step here sends a cookie dated more than 5 minutes ahead, so
; the rejection side of this limit is not exercised in this scenario; confirm
; it is covered by the unit tests.
STEP 80 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
test. IN TXT
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
	00 0a			; EDNS option code 10 (COOKIE)
	00 18			; Option length 24: 8 client + 16 server cookie bytes
	31 32 33 34 35 36 37 38	; Client cookie (8 bytes, ASCII "12345678")
	01 00 00 00		; Version 1 + 3 reserved bytes
	00 00 16 45		; Timestamp 0x1645 = 5701 (1801 + 3601 + 299)
	4a f5 0f df f0 e8 c7 09	; Hash (valid for timestamp 5701)
HEX_EDNSDATA_END
ENTRY_END
; ... get an answer: a small amount of clock skew into the future is tolerated
STEP 81 CHECK_ANSWER
ENTRY_BEGIN
MATCH all server_cookie
REPLY QR RD RA AA DO NOERROR
SECTION QUESTION
test. IN TXT
SECTION ANSWER
test. IN TXT "test"
ENTRY_END

SCENARIO_END