diff --git a/meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch b/meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch new file mode 100644 index 0000000000..5cb0b96c66 --- /dev/null +++ b/meta-networking/recipes-support/unbound/unbound/0001-CVE-2025-11411-1.patch @@ -0,0 +1,1874 @@ +From a33f0638e1dacf2633cf2292078a674576bca852 Mon Sep 17 00:00:00 2001 +From: Yorgos Thessalonikefs +Date: Wed, 22 Oct 2025 10:54:57 +0200 +Subject: [PATCH] - Fix CVE-2025-11411 (possible domain hijacking attack), + reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from + Tsinghua University. + +This fixes CVE-2025-11411 by applying the complete patch + +CVE: CVE-2025-11411 +Upstream-Status: Backport [complete backport of https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852] + +Comment: Patch refreshed + +Signed-off-by: Jackson James +--- + iterator/iter_scrub.c | 16 ++++++++++++++++ + testdata/autotrust_init.rpl | 1 + + testdata/autotrust_init_ds.rpl | 1 + + testdata/autotrust_init_sigs.rpl | 1 + + testdata/autotrust_init_zsk.rpl | 1 + + testdata/black_data.rpl | 1 + + testdata/black_prime.rpl | 1 + + testdata/disable_edns_do.rpl | 1 + + testdata/dns64_lookup.rpl | 1 + + testdata/fetch_glue.rpl | 1 + + testdata/fetch_glue_cname.rpl | 1 + + testdata/fwd_cached.rpl | 1 + + .../fwd_compress_c00c.conf | 1 + + testdata/fwd_minimal.rpl | 1 + + testdata/ipsecmod_bogus_ipseckey.crpl | 1 + + testdata/ipsecmod_enabled.crpl | 1 + + testdata/ipsecmod_ignore_bogus_ipseckey.crpl | 1 + + testdata/ipsecmod_max_ttl.crpl | 1 + + testdata/ipsecmod_strict.crpl | 1 + + testdata/ipsecmod_whitelist.crpl | 1 + + testdata/iter_class_any.rpl | 1 + + testdata/iter_cycle_noh.rpl | 1 + + testdata/iter_domain_sale.rpl | 1 + + testdata/iter_domain_sale_nschange.rpl | 1 + + testdata/iter_emptydp.rpl | 1 + + testdata/iter_emptydp_for_glue.rpl | 1 + + testdata/iter_fwdfirst.rpl | 1 + + testdata/iter_fwdfirstequal.rpl | 1 + + testdata/iter_fwdstub.rpl | 1 + + testdata/iter_fwdstubroot.rpl | 1 + + testdata/iter_ghost_sub.rpl | 1 + + testdata/iter_ghost_timewindow.rpl | 1 + + testdata/iter_got6only.rpl | 1 + + testdata/iter_hint_lame.rpl | 1 + + testdata/iter_lame_noaa.rpl | 1 + + testdata/iter_lame_nosoa.rpl | 1 + + testdata/iter_mod.rpl | 1 + + testdata/iter_ns_badip.rpl | 1 + + testdata/iter_ns_spoof.rpl | 1 + + testdata/iter_nxns_fallback.rpl | 1 + + testdata/iter_pc_a.rpl | 1 + + testdata/iter_pc_aaaa.rpl | 1 + + testdata/iter_pcdiff.rpl | 1 + + testdata/iter_pcdirect.rpl | 1 + + testdata/iter_pcname.rpl | 1 + + testdata/iter_pcnamech.rpl | 1 + + testdata/iter_pcnamechrec.rpl | 1 + + testdata/iter_pcnamerec.rpl | 1 + + testdata/iter_pcttl.rpl | 1 + + testdata/iter_prefetch.rpl | 1 + + testdata/iter_prefetch_change.rpl | 1 + + testdata/iter_prefetch_change2.rpl | 1 + + testdata/iter_prefetch_childns.rpl | 1 + + testdata/iter_prefetch_fail.rpl | 1 + + testdata/iter_prefetch_ns.rpl | 1 + + testdata/iter_primenoglue.rpl | 1 + + testdata/iter_privaddr.rpl | 1 + + testdata/iter_ranoaa_lame.rpl | 1 + + testdata/iter_reclame_one.rpl | 1 + + testdata/iter_reclame_two.rpl | 1 + + testdata/iter_recurse.rpl | 1 + + testdata/iter_resolve.rpl | 1 + + testdata/iter_resolve_minimised.rpl | 1 + + testdata/iter_resolve_minimised_nx.rpl | 1 + + testdata/iter_resolve_minimised_refused.rpl | 1 + + testdata/iter_resolve_minimised_timeout.rpl | 1 + + testdata/iter_scrub_cname_an.rpl | 1 + + testdata/iter_scrub_dname_insec.rpl | 1 + + testdata/iter_scrub_dname_rev.rpl | 1 + + testdata/iter_scrub_dname_sec.rpl | 1 + + testdata/iter_scrub_rr_length.rpl | 1 + + testdata/iter_soamin.rpl | 1 + + testdata/iter_stub_noroot.rpl | 1 + + testdata/iter_stubfirst.rpl | 1 + + testdata/iter_timeout_ra_aaaa.rpl | 1 + + testdata/rrset_rettl.rpl | 1 + + testdata/rrset_untrusted.rpl | 1 + + testdata/rrset_updated.rpl | 1 + + testdata/rrset_use_cached.rpl | 1 + + testdata/serve_expired.rpl | 1 + + testdata/serve_expired_0ttl_nodata.rpl | 1 + + testdata/serve_expired_0ttl_nxdomain.rpl | 1 + + testdata/serve_expired_0ttl_servfail.rpl | 1 + + testdata/serve_expired_cached_servfail.rpl | 1 + + testdata/serve_expired_client_timeout.rpl | 1 + + .../serve_expired_client_timeout_no_prefetch.rpl | 1 + + .../serve_expired_client_timeout_servfail.rpl | 1 + + testdata/serve_expired_reply_ttl.rpl | 1 + + testdata/serve_expired_ttl.rpl | 1 + + testdata/serve_expired_ttl_client_timeout.rpl | 1 + + testdata/serve_expired_zerottl.rpl | 1 + + testdata/serve_original_ttl.rpl | 1 + + testdata/subnet_cached.crpl | 1 + + testdata/subnet_cached_servfail.crpl | 1 + + testdata/subnet_global_prefetch.crpl | 1 + + .../subnet_global_prefetch_always_forward.crpl | 1 + + testdata/subnet_global_prefetch_expired.crpl | 1 + + .../subnet_global_prefetch_with_client_ecs.crpl | 1 + + testdata/subnet_max_source.crpl | 1 + + testdata/subnet_prefetch.crpl | 1 + + testdata/subnet_val_positive.crpl | 1 + + testdata/subnet_val_positive_client.crpl | 1 + + testdata/trust_cname_chain.rpl | 1 + + testdata/ttl_max.rpl | 1 + + testdata/ttl_min.rpl | 1 + + testdata/val_adbit.rpl | 1 + + testdata/val_adcopy.rpl | 1 + + testdata/val_cnametocnamewctoposwc.rpl | 1 + + testdata/val_ds_afterprime.rpl | 1 + + testdata/val_faildnskey_ok.rpl | 1 + + testdata/val_keyprefetch_verify.rpl | 1 + + testdata/val_noadwhennodo.rpl | 1 + + testdata/val_nsec3_b3_optout.rpl | 1 + + testdata/val_nsec3_b3_optout_negcache.rpl | 1 + + testdata/val_nsec3_b4_wild.rpl | 1 + + testdata/val_nsec3_cnametocnamewctoposwc.rpl | 1 + + testdata/val_positive.rpl | 1 + + testdata/val_positive_wc.rpl | 1 + + testdata/val_qds_badanc.rpl | 1 + + testdata/val_qds_oneanc.rpl | 1 + + testdata/val_qds_twoanc.rpl | 1 + + testdata/val_refer_unsignadd.rpl | 1 + + testdata/val_referd.rpl | 1 + + testdata/val_referglue.rpl | 1 + + testdata/val_rrsig.rpl | 1 + + testdata/val_spurious_ns.rpl | 1 + + testdata/val_stub_noroot.rpl | 1 + + testdata/val_ta_algo_dnskey.rpl | 1 + + testdata/val_ta_algo_dnskey_dp.rpl | 1 + + testdata/val_ta_algo_missing_dp.rpl | 1 + + testdata/val_twocname.rpl | 1 + + testdata/val_unalgo_anchor.rpl | 1 + + testdata/val_wild_pos.rpl | 1 + + testdata/views.rpl | 1 + + util/config_file.c | 3 +++ + util/config_file.h | 3 +++ + util/configlexer.lex | 1 + + util/configparser.y | 14 +++++++++++++- + 138 files changed, 169 insertions(+), 1 deletion(-) + +diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c +index 48867e5..cc12f97 100644 +--- a/iterator/iter_scrub.c ++++ b/iterator/iter_scrub.c +@@ -571,6 +571,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + "RRset:", pkt, msg, prev, &rrset); + continue; + } ++ /* If the NS set is a promiscuous NS set, scrub that ++ * to remove potential for poisonous contents that ++ * affects other names in the same zone. Remove ++ * promiscuous NS sets in positive answers, that ++ * thus have records in the answer section. Nodata ++ * and nxdomain promiscuous NS sets have been removed ++ * already. Since the NS rrset is scrubbed, its ++ * address records are also not marked to be allowed ++ * and are removed later. */ ++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR && ++ msg->an_rrsets != 0 && ++ env->cfg->iter_scrub_promiscuous) { ++ remove_rrset("normalize: removing promiscuous " ++ "RRset:", pkt, msg, prev, &rrset); ++ continue; ++ } + if(nsset == NULL) { + nsset = rrset; + } else { +diff --git a/testdata/autotrust_init.rpl b/testdata/autotrust_init.rpl +index d722273..d69e70b 100644 +--- a/testdata/autotrust_init.rpl ++++ b/testdata/autotrust_init.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/autotrust_init_ds.rpl b/testdata/autotrust_init_ds.rpl +index ad4019e..9ffb4d4 100644 +--- a/testdata/autotrust_init_ds.rpl ++++ b/testdata/autotrust_init_ds.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/autotrust_init_sigs.rpl b/testdata/autotrust_init_sigs.rpl +index d5d52f4..a7cb796 100644 +--- a/testdata/autotrust_init_sigs.rpl ++++ b/testdata/autotrust_init_sigs.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/autotrust_init_zsk.rpl b/testdata/autotrust_init_zsk.rpl +index 56a5bc0..2d28d43 100644 +--- a/testdata/autotrust_init_zsk.rpl ++++ b/testdata/autotrust_init_zsk.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/black_data.rpl b/testdata/black_data.rpl +index e6ef1b7..e928d63 100644 +--- a/testdata/black_data.rpl ++++ b/testdata/black_data.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/black_prime.rpl b/testdata/black_prime.rpl +index fbe92a7..0301c85 100644 +--- a/testdata/black_prime.rpl ++++ b/testdata/black_prime.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/disable_edns_do.rpl b/testdata/disable_edns_do.rpl +index 82a16da..45b4ffc 100644 +--- a/testdata/disable_edns_do.rpl ++++ b/testdata/disable_edns_do.rpl +@@ -5,6 +5,7 @@ server: + qname-minimisation: "no" + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + disable-edns-do: yes + + stub-zone: +diff --git a/testdata/dns64_lookup.rpl b/testdata/dns64_lookup.rpl +index 327f7df..cec8012 100644 +--- a/testdata/dns64_lookup.rpl ++++ b/testdata/dns64_lookup.rpl +@@ -7,6 +7,7 @@ server: + dns64-ignore-aaaa: ip6ignore.example.com + dns64-ignore-aaaa: ip6only.example.com + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/fetch_glue.rpl b/testdata/fetch_glue.rpl +index 8860d85..daf687a 100644 +--- a/testdata/fetch_glue.rpl ++++ b/testdata/fetch_glue.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/fetch_glue_cname.rpl b/testdata/fetch_glue_cname.rpl +index 64f00fb..c786a41 100644 +--- a/testdata/fetch_glue_cname.rpl ++++ b/testdata/fetch_glue_cname.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/fwd_cached.rpl b/testdata/fwd_cached.rpl +index 2d6b0c2..4a00f87 100644 +--- a/testdata/fwd_cached.rpl ++++ b/testdata/fwd_cached.rpl +@@ -2,6 +2,7 @@ + ; config options go here. + server: + minimal-responses: no ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf +index 5b2c804..7bc7408 100644 +--- a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf ++++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf +@@ -10,6 +10,7 @@ server: + username: "" + do-not-query-localhost: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + forward-zone: + name: "." +diff --git a/testdata/fwd_minimal.rpl b/testdata/fwd_minimal.rpl +index e85d712..ef1d7fc 100644 +--- a/testdata/fwd_minimal.rpl ++++ b/testdata/fwd_minimal.rpl +@@ -5,6 +5,7 @@ server: + ; is fine for that, not removed by minimal-responses. + access-control: 127.0.0.1 allow_snoop + minimal-responses: yes ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/ipsecmod_bogus_ipseckey.crpl b/testdata/ipsecmod_bogus_ipseckey.crpl +index 094710b..98bc454 100644 +--- a/testdata/ipsecmod_bogus_ipseckey.crpl ++++ b/testdata/ipsecmod_bogus_ipseckey.crpl +@@ -9,6 +9,7 @@ server: + qname-minimisation: "no" + # test that default value of harden-dnssec-stripped is still yes. + fake-sha1: yes ++ iter-scrub-promiscuous: no + trust-anchor-signaling: no + access-control: 127.0.0.1 allow_snoop + module-config: "ipsecmod validator iterator" +diff --git a/testdata/ipsecmod_enabled.crpl b/testdata/ipsecmod_enabled.crpl +index 4498429..04e8cb1 100644 +--- a/testdata/ipsecmod_enabled.crpl ++++ b/testdata/ipsecmod_enabled.crpl +@@ -11,6 +11,7 @@ server: + ipsecmod-enabled: no + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl +index a605c34..4c4d80c 100644 +--- a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl ++++ b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl +@@ -18,6 +18,7 @@ server: + ipsecmod-ignore-bogus: yes + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_max_ttl.crpl b/testdata/ipsecmod_max_ttl.crpl +index 592bae0..4dfeddf 100644 +--- a/testdata/ipsecmod_max_ttl.crpl ++++ b/testdata/ipsecmod_max_ttl.crpl +@@ -10,6 +10,7 @@ server: + ipsecmod-max-ttl: 200 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_strict.crpl b/testdata/ipsecmod_strict.crpl +index f74e308..51cc11b 100644 +--- a/testdata/ipsecmod_strict.crpl ++++ b/testdata/ipsecmod_strict.crpl +@@ -10,6 +10,7 @@ server: + ipsecmod-max-ttl: 200 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_whitelist.crpl b/testdata/ipsecmod_whitelist.crpl +index 34108f3..350c2ad 100644 +--- a/testdata/ipsecmod_whitelist.crpl ++++ b/testdata/ipsecmod_whitelist.crpl +@@ -11,6 +11,7 @@ server: + ipsecmod-whitelist: white.example.com + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_class_any.rpl b/testdata/iter_class_any.rpl +index 6fb296e..87e0db0 100644 +--- a/testdata/iter_class_any.rpl ++++ b/testdata/iter_class_any.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_cycle_noh.rpl b/testdata/iter_cycle_noh.rpl +index eee26ca..e551ac6 100644 +--- a/testdata/iter_cycle_noh.rpl ++++ b/testdata/iter_cycle_noh.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl +index 6110148..7c3cc1f 100644 +--- a/testdata/iter_domain_sale.rpl ++++ b/testdata/iter_domain_sale.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl +index 5664855..886ed51 100644 +--- a/testdata/iter_domain_sale_nschange.rpl ++++ b/testdata/iter_domain_sale_nschange.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_emptydp.rpl b/testdata/iter_emptydp.rpl +index ecb49b6..3879a9b 100644 +--- a/testdata/iter_emptydp.rpl ++++ b/testdata/iter_emptydp.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_emptydp_for_glue.rpl b/testdata/iter_emptydp_for_glue.rpl +index 94dec2b..fc7933f 100644 +--- a/testdata/iter_emptydp_for_glue.rpl ++++ b/testdata/iter_emptydp_for_glue.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdfirst.rpl b/testdata/iter_fwdfirst.rpl +index 0f8a85f..509a1cd 100644 +--- a/testdata/iter_fwdfirst.rpl ++++ b/testdata/iter_fwdfirst.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdfirstequal.rpl b/testdata/iter_fwdfirstequal.rpl +index dc64814..abd25d1 100644 +--- a/testdata/iter_fwdfirstequal.rpl ++++ b/testdata/iter_fwdfirstequal.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdstub.rpl b/testdata/iter_fwdstub.rpl +index ad5b57c..4c741a5 100644 +--- a/testdata/iter_fwdstub.rpl ++++ b/testdata/iter_fwdstub.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdstubroot.rpl b/testdata/iter_fwdstubroot.rpl +index fa93043..dd93ecd 100644 +--- a/testdata/iter_fwdstubroot.rpl ++++ b/testdata/iter_fwdstubroot.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_ghost_sub.rpl b/testdata/iter_ghost_sub.rpl +index ccb7367..36767bb 100644 +--- a/testdata/iter_ghost_sub.rpl ++++ b/testdata/iter_ghost_sub.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_ghost_timewindow.rpl b/testdata/iter_ghost_timewindow.rpl +index 9e30462..24390a0 100644 +--- a/testdata/iter_ghost_timewindow.rpl ++++ b/testdata/iter_ghost_timewindow.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + discard-timeout: 86400 + + stub-zone: +diff --git a/testdata/iter_got6only.rpl b/testdata/iter_got6only.rpl +index 1552284..b0d20b3 100644 +--- a/testdata/iter_got6only.rpl ++++ b/testdata/iter_got6only.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0 " + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl +index 2fb6dde..26aa5dc 100644 +--- a/testdata/iter_hint_lame.rpl ++++ b/testdata/iter_hint_lame.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_lame_noaa.rpl b/testdata/iter_lame_noaa.rpl +index defaa5c..050866c 100644 +--- a/testdata/iter_lame_noaa.rpl ++++ b/testdata/iter_lame_noaa.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_lame_nosoa.rpl b/testdata/iter_lame_nosoa.rpl +index 3bf6ccc..d55ff78 100644 +--- a/testdata/iter_lame_nosoa.rpl ++++ b/testdata/iter_lame_nosoa.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_mod.rpl b/testdata/iter_mod.rpl +index 35b3a5a..3d3d678 100644 +--- a/testdata/iter_mod.rpl ++++ b/testdata/iter_mod.rpl +@@ -4,6 +4,7 @@ server: + qname-minimisation: "no" + module-config: "iterator" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_ns_badip.rpl b/testdata/iter_ns_badip.rpl +index e0bf966..481f47a 100644 +--- a/testdata/iter_ns_badip.rpl ++++ b/testdata/iter_ns_badip.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "3 2 1 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_ns_spoof.rpl b/testdata/iter_ns_spoof.rpl +index f674576..999ff05 100644 +--- a/testdata/iter_ns_spoof.rpl ++++ b/testdata/iter_ns_spoof.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/iter_nxns_fallback.rpl b/testdata/iter_nxns_fallback.rpl +index 2a6a3fd..8c0beb8 100644 +--- a/testdata/iter_nxns_fallback.rpl ++++ b/testdata/iter_nxns_fallback.rpl +@@ -8,6 +8,7 @@ server: + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_pc_a.rpl b/testdata/iter_pc_a.rpl +index d9add00..be73a79 100644 +--- a/testdata/iter_pc_a.rpl ++++ b/testdata/iter_pc_a.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pc_aaaa.rpl b/testdata/iter_pc_aaaa.rpl +index a283543..a7ce186 100644 +--- a/testdata/iter_pc_aaaa.rpl ++++ b/testdata/iter_pc_aaaa.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pcdiff.rpl b/testdata/iter_pcdiff.rpl +index 57fb109..a462d33 100644 +--- a/testdata/iter_pcdiff.rpl ++++ b/testdata/iter_pcdiff.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pcdirect.rpl b/testdata/iter_pcdirect.rpl +index 0bd5dfe..656ec7a 100644 +--- a/testdata/iter_pcdirect.rpl ++++ b/testdata/iter_pcdirect.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pcname.rpl b/testdata/iter_pcname.rpl +index e17c910..af53c90 100644 +--- a/testdata/iter_pcname.rpl ++++ b/testdata/iter_pcname.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pcnamech.rpl b/testdata/iter_pcnamech.rpl +index 32b3130..805cb18 100644 +--- a/testdata/iter_pcnamech.rpl ++++ b/testdata/iter_pcnamech.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_pcnamechrec.rpl b/testdata/iter_pcnamechrec.rpl +index 8bf7ad8..bbb9c86 100644 +--- a/testdata/iter_pcnamechrec.rpl ++++ b/testdata/iter_pcnamechrec.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_pcnamerec.rpl b/testdata/iter_pcnamerec.rpl +index faee6d0..2ea0dad 100644 +--- a/testdata/iter_pcnamerec.rpl ++++ b/testdata/iter_pcnamerec.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pcttl.rpl b/testdata/iter_pcttl.rpl +index 413f8cb..a702017 100644 +--- a/testdata/iter_pcttl.rpl ++++ b/testdata/iter_pcttl.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + do-ip6: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch.rpl b/testdata/iter_prefetch.rpl +index bad92dc..fdf5955 100644 +--- a/testdata/iter_prefetch.rpl ++++ b/testdata/iter_prefetch.rpl +@@ -4,6 +4,7 @@ server: + qname-minimisation: "no" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch_change.rpl b/testdata/iter_prefetch_change.rpl +index 1be9e6a..c1a1a71 100644 +--- a/testdata/iter_prefetch_change.rpl ++++ b/testdata/iter_prefetch_change.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch_change2.rpl b/testdata/iter_prefetch_change2.rpl +index 7a8370f..4a966fe 100644 +--- a/testdata/iter_prefetch_change2.rpl ++++ b/testdata/iter_prefetch_change2.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch_childns.rpl b/testdata/iter_prefetch_childns.rpl +index 00a91fc..f234065 100644 +--- a/testdata/iter_prefetch_childns.rpl ++++ b/testdata/iter_prefetch_childns.rpl +@@ -4,6 +4,7 @@ server: + qname-minimisation: "no" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch_fail.rpl b/testdata/iter_prefetch_fail.rpl +index 1d92a4c..d1e3083 100644 +--- a/testdata/iter_prefetch_fail.rpl ++++ b/testdata/iter_prefetch_fail.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch_ns.rpl b/testdata/iter_prefetch_ns.rpl +index 93af216..3192d31 100644 +--- a/testdata/iter_prefetch_ns.rpl ++++ b/testdata/iter_prefetch_ns.rpl +@@ -4,6 +4,7 @@ server: + qname-minimisation: "no" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_primenoglue.rpl b/testdata/iter_primenoglue.rpl +index b9808dd..f8c9803 100644 +--- a/testdata/iter_primenoglue.rpl ++++ b/testdata/iter_primenoglue.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_privaddr.rpl b/testdata/iter_privaddr.rpl +index 0c87b4b..b7a6fde 100644 +--- a/testdata/iter_privaddr.rpl ++++ b/testdata/iter_privaddr.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + private-address: 10.0.0.0/8 + private-address: 172.16.0.0/12 +diff --git a/testdata/iter_ranoaa_lame.rpl b/testdata/iter_ranoaa_lame.rpl +index 8ee8241..313192f 100644 +--- a/testdata/iter_ranoaa_lame.rpl ++++ b/testdata/iter_ranoaa_lame.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_reclame_one.rpl b/testdata/iter_reclame_one.rpl +index 4a6abfa..d273e60 100644 +--- a/testdata/iter_reclame_one.rpl ++++ b/testdata/iter_reclame_one.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_reclame_two.rpl b/testdata/iter_reclame_two.rpl +index 76c310b..e2b2bc1 100644 +--- a/testdata/iter_reclame_two.rpl ++++ b/testdata/iter_reclame_two.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_recurse.rpl b/testdata/iter_recurse.rpl +index be50b4a..1352876 100644 +--- a/testdata/iter_recurse.rpl ++++ b/testdata/iter_recurse.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve.rpl b/testdata/iter_resolve.rpl +index ed051ff..3ea56ab 100644 +--- a/testdata/iter_resolve.rpl ++++ b/testdata/iter_resolve.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve_minimised.rpl b/testdata/iter_resolve_minimised.rpl +index 2c6f9cc..13f04d4 100644 +--- a/testdata/iter_resolve_minimised.rpl ++++ b/testdata/iter_resolve_minimised.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve_minimised_nx.rpl b/testdata/iter_resolve_minimised_nx.rpl +index 74e612c..c68f20c 100644 +--- a/testdata/iter_resolve_minimised_nx.rpl ++++ b/testdata/iter_resolve_minimised_nx.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve_minimised_refused.rpl b/testdata/iter_resolve_minimised_refused.rpl +index 66e8e63..8dc76e2 100644 +--- a/testdata/iter_resolve_minimised_refused.rpl ++++ b/testdata/iter_resolve_minimised_refused.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve_minimised_timeout.rpl b/testdata/iter_resolve_minimised_timeout.rpl +index 86b9321..3740d79 100644 +--- a/testdata/iter_resolve_minimised_timeout.rpl ++++ b/testdata/iter_resolve_minimised_timeout.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_scrub_cname_an.rpl b/testdata/iter_scrub_cname_an.rpl +index 9c5060a..f81916b 100644 +--- a/testdata/iter_scrub_cname_an.rpl ++++ b/testdata/iter_scrub_cname_an.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_scrub_dname_insec.rpl b/testdata/iter_scrub_dname_insec.rpl +index 826d89e..82ff1d3 100644 +--- a/testdata/iter_scrub_dname_insec.rpl ++++ b/testdata/iter_scrub_dname_insec.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_scrub_dname_rev.rpl b/testdata/iter_scrub_dname_rev.rpl +index 9caca66..dfb21b8 100644 +--- a/testdata/iter_scrub_dname_rev.rpl ++++ b/testdata/iter_scrub_dname_rev.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_scrub_dname_sec.rpl b/testdata/iter_scrub_dname_sec.rpl +index 34a7b32..943b19f 100644 +--- a/testdata/iter_scrub_dname_sec.rpl ++++ b/testdata/iter_scrub_dname_sec.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_scrub_rr_length.rpl b/testdata/iter_scrub_rr_length.rpl +index 2ef73c2..5463723 100644 +--- a/testdata/iter_scrub_rr_length.rpl ++++ b/testdata/iter_scrub_rr_length.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + ede: yes + log-servfail: yes +diff --git a/testdata/iter_soamin.rpl b/testdata/iter_soamin.rpl +index 7e90260..0facc35 100644 +--- a/testdata/iter_soamin.rpl ++++ b/testdata/iter_soamin.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_stub_noroot.rpl b/testdata/iter_stub_noroot.rpl +index ef306bd..749462b 100644 +--- a/testdata/iter_stub_noroot.rpl ++++ b/testdata/iter_stub_noroot.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_stubfirst.rpl b/testdata/iter_stubfirst.rpl +index 1a7112d..7cd3305 100644 +--- a/testdata/iter_stubfirst.rpl ++++ b/testdata/iter_stubfirst.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_timeout_ra_aaaa.rpl b/testdata/iter_timeout_ra_aaaa.rpl +index 126867b..9456f04 100644 +--- a/testdata/iter_timeout_ra_aaaa.rpl ++++ b/testdata/iter_timeout_ra_aaaa.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/rrset_rettl.rpl b/testdata/rrset_rettl.rpl +index 55dd623..131a98e 100644 +--- a/testdata/rrset_rettl.rpl ++++ b/testdata/rrset_rettl.rpl +@@ -2,6 +2,7 @@ + ; config options go here. + server: + minimal-responses: no ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/rrset_untrusted.rpl b/testdata/rrset_untrusted.rpl +index 6370ebf..207275b 100644 +--- a/testdata/rrset_untrusted.rpl ++++ b/testdata/rrset_untrusted.rpl +@@ -2,6 +2,7 @@ + ; config options go here. + server: + minimal-responses: no ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/rrset_updated.rpl b/testdata/rrset_updated.rpl +index 55da56b..ba8e492 100644 +--- a/testdata/rrset_updated.rpl ++++ b/testdata/rrset_updated.rpl +@@ -2,6 +2,7 @@ + ; config options go here. + server: + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END +diff --git a/testdata/rrset_use_cached.rpl b/testdata/rrset_use_cached.rpl +index 8420ae0..17696f6 100644 +--- a/testdata/rrset_use_cached.rpl ++++ b/testdata/rrset_use_cached.rpl +@@ -1,5 +1,6 @@ + server: + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + # The value does not matter, we will not simulate delay. + # We do not want only serve-expired because fetches from that +diff --git a/testdata/serve_expired.rpl b/testdata/serve_expired.rpl +index 3f61019..2bba0d9 100644 +--- a/testdata/serve_expired.rpl ++++ b/testdata/serve_expired.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + access-control: 127.0.0.1/32 allow_snoop + ede: yes +diff --git a/testdata/serve_expired_0ttl_nodata.rpl b/testdata/serve_expired_0ttl_nodata.rpl +index 7f1b5a5..d16a115 100644 +--- a/testdata/serve_expired_0ttl_nodata.rpl ++++ b/testdata/serve_expired_0ttl_nodata.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + log-servfail: yes + ede: yes +diff --git a/testdata/serve_expired_0ttl_nxdomain.rpl b/testdata/serve_expired_0ttl_nxdomain.rpl +index 4adb4b8..a9195b0 100644 +--- a/testdata/serve_expired_0ttl_nxdomain.rpl ++++ b/testdata/serve_expired_0ttl_nxdomain.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + log-servfail: yes + ede: yes +diff --git a/testdata/serve_expired_0ttl_servfail.rpl b/testdata/serve_expired_0ttl_servfail.rpl +index 6833af1..b0fa484 100644 +--- a/testdata/serve_expired_0ttl_servfail.rpl ++++ b/testdata/serve_expired_0ttl_servfail.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + log-servfail: yes + ede: yes +diff --git a/testdata/serve_expired_cached_servfail.rpl b/testdata/serve_expired_cached_servfail.rpl +index f5f4c70..0beb8fc 100644 +--- a/testdata/serve_expired_cached_servfail.rpl ++++ b/testdata/serve_expired_cached_servfail.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-reply-ttl: 123 + log-servfail: yes +diff --git a/testdata/serve_expired_client_timeout.rpl b/testdata/serve_expired_client_timeout.rpl +index 5560aa0..e40e1b4 100644 +--- a/testdata/serve_expired_client_timeout.rpl ++++ b/testdata/serve_expired_client_timeout.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-client-timeout: 1 + serve-expired-reply-ttl: 123 +diff --git a/testdata/serve_expired_client_timeout_no_prefetch.rpl b/testdata/serve_expired_client_timeout_no_prefetch.rpl +index aed397d..3a35c46 100644 +--- a/testdata/serve_expired_client_timeout_no_prefetch.rpl ++++ b/testdata/serve_expired_client_timeout_no_prefetch.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-client-timeout: 1 + serve-expired-reply-ttl: 123 +diff --git a/testdata/serve_expired_client_timeout_servfail.rpl b/testdata/serve_expired_client_timeout_servfail.rpl +index 51aa043..226e4b5 100644 +--- a/testdata/serve_expired_client_timeout_servfail.rpl ++++ b/testdata/serve_expired_client_timeout_servfail.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-client-timeout: 1 + serve-expired-reply-ttl: 123 +diff --git a/testdata/serve_expired_reply_ttl.rpl b/testdata/serve_expired_reply_ttl.rpl +index 124fb87..063aad9 100644 +--- a/testdata/serve_expired_reply_ttl.rpl ++++ b/testdata/serve_expired_reply_ttl.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-reply-ttl: 123 + ede: yes +diff --git a/testdata/serve_expired_ttl.rpl b/testdata/serve_expired_ttl.rpl +index df4ecb8..df3cd90 100644 +--- a/testdata/serve_expired_ttl.rpl ++++ b/testdata/serve_expired_ttl.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-ttl: 10 + +diff --git a/testdata/serve_expired_ttl_client_timeout.rpl b/testdata/serve_expired_ttl_client_timeout.rpl +index 169d070..f285790 100644 +--- a/testdata/serve_expired_ttl_client_timeout.rpl ++++ b/testdata/serve_expired_ttl_client_timeout.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-ttl: 10 + serve-expired-client-timeout: 1 +diff --git a/testdata/serve_expired_zerottl.rpl b/testdata/serve_expired_zerottl.rpl +index 0239b4a..fbb76f9 100644 +--- a/testdata/serve_expired_zerottl.rpl ++++ b/testdata/serve_expired_zerottl.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-reply-ttl: 123 + ede: yes +diff --git a/testdata/serve_original_ttl.rpl b/testdata/serve_original_ttl.rpl +index 24d01b6..ced0672 100644 +--- a/testdata/serve_original_ttl.rpl ++++ b/testdata/serve_original_ttl.rpl +@@ -4,6 +4,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-original-ttl: yes + cache-max-ttl: 1000 + cache-min-ttl: 20 +diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl +index 2098313..8f3c3de 100644 +--- a/testdata/subnet_cached.crpl ++++ b/testdata/subnet_cached.crpl +@@ -15,6 +15,7 @@ server: + access-control: 127.0.0.1 allow_snoop + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/subnet_cached_servfail.crpl b/testdata/subnet_cached_servfail.crpl +index 9c746d5..535671b 100644 +--- a/testdata/subnet_cached_servfail.crpl ++++ b/testdata/subnet_cached_servfail.crpl +@@ -11,6 +11,7 @@ server: + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + prefetch: yes + +diff --git a/testdata/subnet_global_prefetch.crpl b/testdata/subnet_global_prefetch.crpl +index 2f005d4..7665015 100644 +--- a/testdata/subnet_global_prefetch.crpl ++++ b/testdata/subnet_global_prefetch.crpl +@@ -12,6 +12,7 @@ server: + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no ++ iter-scrub-promiscuous: no + prefetch: yes + + stub-zone: +diff --git a/testdata/subnet_global_prefetch_always_forward.crpl b/testdata/subnet_global_prefetch_always_forward.crpl +index ccfe5df..0713629 100644 +--- a/testdata/subnet_global_prefetch_always_forward.crpl ++++ b/testdata/subnet_global_prefetch_always_forward.crpl +@@ -12,6 +12,7 @@ server: + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/subnet_global_prefetch_expired.crpl b/testdata/subnet_global_prefetch_expired.crpl +index de1b780..7c00d82 100644 +--- a/testdata/subnet_global_prefetch_expired.crpl ++++ b/testdata/subnet_global_prefetch_expired.crpl +@@ -13,6 +13,7 @@ server: + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-ttl: 1 + prefetch: yes +diff --git a/testdata/subnet_global_prefetch_with_client_ecs.crpl b/testdata/subnet_global_prefetch_with_client_ecs.crpl +index ddc832c..8589db7 100644 +--- a/testdata/subnet_global_prefetch_with_client_ecs.crpl ++++ b/testdata/subnet_global_prefetch_with_client_ecs.crpl +@@ -12,6 +12,7 @@ server: + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no ++ iter-scrub-promiscuous: no + prefetch: yes + + stub-zone: +diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl +index f5c7464..f3f71e7 100644 +--- a/testdata/subnet_max_source.crpl ++++ b/testdata/subnet_max_source.crpl +@@ -11,6 +11,7 @@ server: + verbosity: 3 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/subnet_prefetch.crpl b/testdata/subnet_prefetch.crpl +index aaa6bf0..243e409 100644 +--- a/testdata/subnet_prefetch.crpl ++++ b/testdata/subnet_prefetch.crpl +@@ -12,6 +12,7 @@ server: + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no ++ iter-scrub-promiscuous: no + prefetch: yes + + stub-zone: +diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl +index 01456e5..10996ad 100644 +--- a/testdata/subnet_val_positive.crpl ++++ b/testdata/subnet_val_positive.crpl +@@ -13,6 +13,7 @@ server: + fake-dsa: yes + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl +index b573742..1b51d52 100644 +--- a/testdata/subnet_val_positive_client.crpl ++++ b/testdata/subnet_val_positive_client.crpl +@@ -14,6 +14,7 @@ server: + fake-dsa: yes + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/trust_cname_chain.rpl b/testdata/trust_cname_chain.rpl +index f8415ba..e24f8c1 100644 +--- a/testdata/trust_cname_chain.rpl ++++ b/testdata/trust_cname_chain.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/ttl_max.rpl b/testdata/ttl_max.rpl +index 3256963..b24eea3 100644 +--- a/testdata/ttl_max.rpl ++++ b/testdata/ttl_max.rpl +@@ -4,6 +4,7 @@ server: + cache-max-ttl: 10 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ttl_min.rpl b/testdata/ttl_min.rpl +index 3c79ff5..94206c7 100644 +--- a/testdata/ttl_min.rpl ++++ b/testdata/ttl_min.rpl +@@ -4,6 +4,7 @@ server: + cache-min-ttl: 10 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_adbit.rpl b/testdata/val_adbit.rpl +index 7ce62de..233c58b 100644 +--- a/testdata/val_adbit.rpl ++++ b/testdata/val_adbit.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_adcopy.rpl b/testdata/val_adcopy.rpl +index 604fd57..7bc31df 100644 +--- a/testdata/val_adcopy.rpl ++++ b/testdata/val_adcopy.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_cnametocnamewctoposwc.rpl b/testdata/val_cnametocnamewctoposwc.rpl +index 407666e..9ea8b49 100644 +--- a/testdata/val_cnametocnamewctoposwc.rpl ++++ b/testdata/val_cnametocnamewctoposwc.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_ds_afterprime.rpl b/testdata/val_ds_afterprime.rpl +index 3b1c0d6..301a1f6 100644 +--- a/testdata/val_ds_afterprime.rpl ++++ b/testdata/val_ds_afterprime.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_faildnskey_ok.rpl b/testdata/val_faildnskey_ok.rpl +index 50f3184..f9196f3 100644 +--- a/testdata/val_faildnskey_ok.rpl ++++ b/testdata/val_faildnskey_ok.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_keyprefetch_verify.rpl b/testdata/val_keyprefetch_verify.rpl +index 9b901a8..6cf8184 100644 +--- a/testdata/val_keyprefetch_verify.rpl ++++ b/testdata/val_keyprefetch_verify.rpl +@@ -10,6 +10,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_noadwhennodo.rpl b/testdata/val_noadwhennodo.rpl +index 46e1bad..dbdeb78 100644 +--- a/testdata/val_noadwhennodo.rpl ++++ b/testdata/val_noadwhennodo.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_nsec3_b3_optout.rpl b/testdata/val_nsec3_b3_optout.rpl +index 9d84be9..5d8a43a 100644 +--- a/testdata/val_nsec3_b3_optout.rpl ++++ b/testdata/val_nsec3_b3_optout.rpl +@@ -7,6 +7,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_nsec3_b3_optout_negcache.rpl b/testdata/val_nsec3_b3_optout_negcache.rpl +index 497a859..e7be762 100644 +--- a/testdata/val_nsec3_b3_optout_negcache.rpl ++++ b/testdata/val_nsec3_b3_optout_negcache.rpl +@@ -7,6 +7,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_nsec3_b4_wild.rpl b/testdata/val_nsec3_b4_wild.rpl +index 8bf3a54..295932f 100644 +--- a/testdata/val_nsec3_b4_wild.rpl ++++ b/testdata/val_nsec3_b4_wild.rpl +@@ -6,6 +6,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_nsec3_cnametocnamewctoposwc.rpl b/testdata/val_nsec3_cnametocnamewctoposwc.rpl +index 1651ae7..3e4c55a 100644 +--- a/testdata/val_nsec3_cnametocnamewctoposwc.rpl ++++ b/testdata/val_nsec3_cnametocnamewctoposwc.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_positive.rpl b/testdata/val_positive.rpl +index daaf360..c808517 100644 +--- a/testdata/val_positive.rpl ++++ b/testdata/val_positive.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_positive_wc.rpl b/testdata/val_positive_wc.rpl +index 5384acf..591dcc6 100644 +--- a/testdata/val_positive_wc.rpl ++++ b/testdata/val_positive_wc.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_qds_badanc.rpl b/testdata/val_qds_badanc.rpl +index dc68615..cb53136 100644 +--- a/testdata/val_qds_badanc.rpl ++++ b/testdata/val_qds_badanc.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_qds_oneanc.rpl b/testdata/val_qds_oneanc.rpl +index f21ab42..bda9f90 100644 +--- a/testdata/val_qds_oneanc.rpl ++++ b/testdata/val_qds_oneanc.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_qds_twoanc.rpl b/testdata/val_qds_twoanc.rpl +index 4e4f2e7..f801c02 100644 +--- a/testdata/val_qds_twoanc.rpl ++++ b/testdata/val_qds_twoanc.rpl +@@ -9,6 +9,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_refer_unsignadd.rpl b/testdata/val_refer_unsignadd.rpl +index 4d07301..22f15d2 100644 +--- a/testdata/val_refer_unsignadd.rpl ++++ b/testdata/val_refer_unsignadd.rpl +@@ -9,6 +9,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_referd.rpl b/testdata/val_referd.rpl +index d475f83..a25ca7b 100644 +--- a/testdata/val_referd.rpl ++++ b/testdata/val_referd.rpl +@@ -10,6 +10,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl +index 54b7671..3ca0c0e 100644 +--- a/testdata/val_referglue.rpl ++++ b/testdata/val_referglue.rpl +@@ -10,6 +10,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_rrsig.rpl b/testdata/val_rrsig.rpl +index 0b672e0..69df344 100644 +--- a/testdata/val_rrsig.rpl ++++ b/testdata/val_rrsig.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_spurious_ns.rpl b/testdata/val_spurious_ns.rpl +index cb0a6e5..8db94a1 100644 +--- a/testdata/val_spurious_ns.rpl ++++ b/testdata/val_spurious_ns.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_stub_noroot.rpl b/testdata/val_stub_noroot.rpl +index 07113be..66c3d8e 100644 +--- a/testdata/val_stub_noroot.rpl ++++ b/testdata/val_stub_noroot.rpl +@@ -6,6 +6,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_ta_algo_dnskey.rpl b/testdata/val_ta_algo_dnskey.rpl +index 03bac83..5b0b64d 100644 +--- a/testdata/val_ta_algo_dnskey.rpl ++++ b/testdata/val_ta_algo_dnskey.rpl +@@ -9,6 +9,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_ta_algo_dnskey_dp.rpl b/testdata/val_ta_algo_dnskey_dp.rpl +index 2b3609b..ae0c499 100644 +--- a/testdata/val_ta_algo_dnskey_dp.rpl ++++ b/testdata/val_ta_algo_dnskey_dp.rpl +@@ -10,6 +10,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_ta_algo_missing_dp.rpl b/testdata/val_ta_algo_missing_dp.rpl +index dc55a09..14efdec 100644 +--- a/testdata/val_ta_algo_missing_dp.rpl ++++ b/testdata/val_ta_algo_missing_dp.rpl +@@ -11,6 +11,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_twocname.rpl b/testdata/val_twocname.rpl +index bc7c3bc..b432364 100644 +--- a/testdata/val_twocname.rpl ++++ b/testdata/val_twocname.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + forward-zone: +diff --git a/testdata/val_unalgo_anchor.rpl b/testdata/val_unalgo_anchor.rpl +index fbbf288..a935201 100644 +--- a/testdata/val_unalgo_anchor.rpl ++++ b/testdata/val_unalgo_anchor.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_wild_pos.rpl b/testdata/val_wild_pos.rpl +index 624d8e0..9fafa65 100644 +--- a/testdata/val_wild_pos.rpl ++++ b/testdata/val_wild_pos.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/views.rpl b/testdata/views.rpl +index 6a9052f..a602624 100644 +--- a/testdata/views.rpl ++++ b/testdata/views.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + access-control: 10.10.10.0/24 allow + access-control-view: 10.10.10.10/32 "view1" +diff --git a/util/config_file.c b/util/config_file.c +index c403d74..a2fefde 100644 +--- a/util/config_file.c ++++ b/util/config_file.c +@@ -404,6 +404,7 @@ config_create(void) + cfg->ipset_name_v6 = NULL; + #endif + cfg->ede = 0; ++ cfg->iter_scrub_promiscuous = 1; + return cfg; + error_exit: + config_delete(cfg); +@@ -712,6 +713,7 @@ int config_set_option(struct config_file* cfg, const char* opt, + else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout) + else S_YNO("ede:", ede) + else S_YNO("ede-serve-expired:", ede_serve_expired) ++ else S_YNO("iter-scrub-promiscuous:", iter_scrub_promiscuous) + else S_YNO("serve-original-ttl:", serve_original_ttl) + else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations) + else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode) +@@ -1175,6 +1177,7 @@ config_get_option(struct config_file* cfg, const char* opt, + else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout) + else O_YNO(opt, "ede", ede) + else O_YNO(opt, "ede-serve-expired", ede_serve_expired) ++ else O_YNO(opt, "iter-scrub-promiscuous", iter_scrub_promiscuous) + else O_YNO(opt, "serve-original-ttl", serve_original_ttl) + else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations) + else O_YNO(opt, "zonemd-permissive-mode", zonemd_permissive_mode) +diff --git a/util/config_file.h b/util/config_file.h +index 7ded3c2..b037261 100644 +--- a/util/config_file.h ++++ b/util/config_file.h +@@ -752,6 +752,9 @@ struct config_file { + #endif + /** respond with Extended DNS Errors (RFC8914) */ + int ede; ++ /** Should the iterator scrub promiscuous NS rrsets, from positive ++ * answers. */ ++ int iter_scrub_promiscuous; + }; + + /** from cfg username, after daemonize setup performed */ +diff --git a/util/configlexer.lex b/util/configlexer.lex +index 7455f50..5e9a355 100644 +--- a/util/configlexer.lex ++++ b/util/configlexer.lex +@@ -584,6 +584,7 @@ edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) } + nsid{COLON} { YDVAR(1, VAR_NSID ) } + ede{COLON} { YDVAR(1, VAR_EDE ) } + proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) } ++iter-scrub-promiscuous{COLON} { YDVAR(1, VAR_ITER_SCRUB_PROMISCUOUS) } + {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } + + /* Quoted strings. Strip leading and ending quotes */ +diff --git a/util/configparser.y b/util/configparser.y +index 7d95690..ab99aa0 100644 +--- a/util/configparser.y ++++ b/util/configparser.y +@@ -203,6 +203,7 @@ extern struct config_parser_state* cfg_parser; + %token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO + %token VAR_HARDEN_UNKNOWN_ADDITIONAL VAR_DISABLE_EDNS_DO VAR_CACHEDB_NO_STORE + %token VAR_LOG_DESTADDR ++%token VAR_ITER_SCRUB_PROMISCUOUS + + %% + toplevelvars: /* empty */ | toplevelvars toplevelvar ; +@@ -339,7 +340,8 @@ content_server: server_num_threads | server_verbosity | server_port | + server_interface_automatic_ports | server_ede | + server_proxy_protocol_port | server_statistics_inhibit_zero | + server_harden_unknown_additional | server_disable_edns_do | +- server_log_destaddr ++ server_log_destaddr | ++ server_iter_scrub_promiscuous + ; + stubstart: VAR_STUB_ZONE + { +@@ -3945,6 +3947,16 @@ server_cookie_secret: VAR_COOKIE_SECRET STRING_ARG + free($2); + } + ; ++server_iter_scrub_promiscuous: VAR_ITER_SCRUB_PROMISCUOUS STRING_ARG ++ { ++ OUTYY(("P(server_iter_scrub_promiscuous:%s)\n", $2)); ++ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) ++ yyerror("expected yes or no."); ++ else cfg_parser->cfg->iter_scrub_promiscuous = ++ (strcmp($2, "yes")==0); ++ free($2); ++ } ++ ; + ipsetstart: VAR_IPSET + { + OUTYY(("\nP(ipset:)\n")); +-- +2.34.1 + diff --git a/meta-networking/recipes-support/unbound/unbound/0002-CVE-2025-11411-2.patch b/meta-networking/recipes-support/unbound/unbound/0002-CVE-2025-11411-2.patch new file mode 100644 index 0000000000..382c9f7c64 --- /dev/null +++ b/meta-networking/recipes-support/unbound/unbound/0002-CVE-2025-11411-2.patch @@ -0,0 +1,153 @@ +From f6269baa605d31859f28770e01a24e3677e5f82c Mon Sep 17 00:00:00 2001 +From: Yorgos Thessalonikefs +Date: Wed, 26 Nov 2025 11:09:40 +0100 +Subject: [PATCH] - Additional fix for CVE-2025-11411 (possible domain + hijacking attack), to include YXDOMAIN and non-referral nodata answers in + the mitigation as well, reported by TaoFei Guo from Peking University, Yang + Luo and JianJun Chen from Tsinghua University. + +CVE: CVE-2025-11411 +Upstream-Status: Backport [https://github.com/NLnetLabs/unbound/commit/f6269baa605d31859f28770e01a24e3677e5f82c] + +Comment: Patch refreshed + +Signed-off-by: Jackson James +--- + iterator/iter_scrub.c | 39 +++++++++++++++++++++--- + testdata/ratelimit.tdir/ratelimit.testns | 30 ++++++++++++++---- + 2 files changed, 59 insertions(+), 10 deletions(-) + +diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c +index cc12f97..02f1b48 100644 +--- a/iterator/iter_scrub.c ++++ b/iterator/iter_scrub.c +@@ -377,19 +377,21 @@ type_allowed_in_additional_section(uint16_t tp) + * @param qinfo: original query. + * @param region: where to allocate synthesized CNAMEs. + * @param env: module env with config options. ++ * @param zonename: name of server zone. + * @return 0 on error. + */ + static int + scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + struct query_info* qinfo, struct regional* region, +- struct module_env* env) ++ struct module_env* env, uint8_t* zonename) + { + uint8_t* sname = qinfo->qname; + size_t snamelen = qinfo->qname_len; + struct rrset_parse* rrset, *prev, *nsset=NULL; + + if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR && +- FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN) ++ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NXDOMAIN && ++ FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_YXDOMAIN) + return 1; + + /* For the ANSWER section, remove all "irrelevant" records and add +@@ -418,6 +420,11 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + &aliaslen, pkt)) { + verbose(VERB_ALGO, "synthesized CNAME " + "too long"); ++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) { ++ prev = rrset; ++ rrset = rrset->rrset_all_next; ++ continue; ++ } + return 0; + } + if(nx && nx->type == LDNS_RR_TYPE_CNAME && +@@ -587,6 +594,29 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, + "RRset:", pkt, msg, prev, &rrset); + continue; + } ++ /* Also delete promiscuous NS for other RCODEs */ ++ if(FLAGS_GET_RCODE(msg->flags) != LDNS_RCODE_NOERROR ++ && env->cfg->iter_scrub_promiscuous) { ++ remove_rrset("normalize: removing promiscuous " ++ "RRset:", pkt, msg, prev, &rrset); ++ continue; ++ } ++ /* Also delete promiscuous NS for NOERROR with nodata ++ * for authoritative answers, not for delegations. ++ * NOERROR with an_rrsets!=0 already handled. ++ * Also NOERROR and soa_in_auth already handled. ++ * NOERROR with an_rrsets==0, and not a referral. ++ * referral is (NS not the zonename, noSOA). ++ */ ++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR ++ && msg->an_rrsets == 0 ++ && !(dname_pkt_compare(pkt, rrset->dname, ++ zonename) != 0 && !soa_in_auth(msg)) ++ && env->cfg->iter_scrub_promiscuous) { ++ remove_rrset("normalize: removing promiscuous " ++ "RRset:", pkt, msg, prev, &rrset); ++ continue; ++ } + if(nsset == NULL) { + nsset = rrset; + } else { +@@ -947,7 +977,8 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg, + /* this is not required for basic operation but is a forgery + * resistance (security) feature */ + if((FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR || +- FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) && ++ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN || ++ FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_YXDOMAIN) && + msg->qdcount == 0) + return 0; + +@@ -961,7 +992,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg, + } + + /* normalize the response, this cleans up the additional. */ +- if(!scrub_normalize(pkt, msg, qinfo, region, env)) ++ if(!scrub_normalize(pkt, msg, qinfo, region, env, zonename)) + return 0; + /* delete all out-of-zone information */ + if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie, qstate)) +diff --git a/testdata/ratelimit.tdir/ratelimit.testns b/testdata/ratelimit.tdir/ratelimit.testns +index 563c1db..5c22c29 100644 +--- a/testdata/ratelimit.tdir/ratelimit.testns ++++ b/testdata/ratelimit.tdir/ratelimit.testns +@@ -3,13 +3,31 @@ $ORIGIN example.com. + $TTL 3600 + + ENTRY_BEGIN +-MATCH opcode qtype ++MATCH opcode qname qtype + REPLY QR AA NOERROR +-ADJUST copy_id copy_query ++ADJUST copy_id + SECTION QUESTION +-wild IN A ++www1 IN A + SECTION ANSWER +-wild IN A 10.20.30.40 +-SECTION AUTHORITY +-example.com. IN NS ns.example.com. ++www1 IN A 1.1.1.1 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qname qtype ++REPLY QR AA NOERROR ++ADJUST copy_id ++SECTION QUESTION ++www2 IN A ++SECTION ANSWER ++www2 IN A 2.2.2.2 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qname qtype ++REPLY QR AA NOERROR ++ADJUST copy_id ++SECTION QUESTION ++www3 IN A ++SECTION ANSWER ++www3 IN A 3.3.3.3 + ENTRY_END +-- +2.34.1 + diff --git a/meta-networking/recipes-support/unbound/unbound/CVE-2025-11411.patch b/meta-networking/recipes-support/unbound/unbound/CVE-2025-11411.patch deleted file mode 100644 index a653090770..0000000000 --- a/meta-networking/recipes-support/unbound/unbound/CVE-2025-11411.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 98fac0b396e1e85a6345baa59fc178b1f51759b8 Mon Sep 17 00:00:00 2001 -From: Patrick Vogelaar -Date: Wed, 29 Oct 2025 13:33:23 +0100 -Subject: [PATCH] Fix CVE-2025-11411 (possible domain hijacking attack) - -This fixes CVE-2025-11411 by applying the minimal patch [1] listed in [2] - -[1] https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411.diff -[2] https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt - -CVE: CVE-2025-11411 -Upstream-Status: Backport [minimal backport of https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852] - -Signed-off-by: Patrick Vogelaar ---- - iterator/iter_scrub.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c -index 48867e50..5beaa048 100644 ---- a/iterator/iter_scrub.c -+++ b/iterator/iter_scrub.c -@@ -571,6 +571,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, - "RRset:", pkt, msg, prev, &rrset); - continue; - } -+ /* If the NS set is a promiscuous NS set, scrub that -+ * to remove potential for poisonous contents that -+ * affects other names in the same zone. Remove -+ * promiscuous NS sets in positive answers, that -+ * thus have records in the answer section. Nodata -+ * and nxdomain promiscuous NS sets have been removed -+ * already. Since the NS rrset is scrubbed, its -+ * address records are also not marked to be allowed -+ * and are removed later. */ -+ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR && -+ msg->an_rrsets != 0 && -+ 1 /* env->cfg->iter_scrub_promiscuous */) { -+ remove_rrset("normalize: removing promiscuous " -+ "RRset:", pkt, msg, prev, &rrset); -+ continue; -+ } - if(nsset == NULL) { - nsset = rrset; - } else { --- -2.34.1 - diff --git a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb index 7e3e37406f..6841049ac5 100644 --- a/meta-networking/recipes-support/unbound/unbound_1.19.3.bb +++ b/meta-networking/recipes-support/unbound/unbound_1.19.3.bb @@ -12,7 +12,8 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=5308494bc0590c0cb036afd781d78f06" SRC_URI = "git://github.com/NLnetLabs/unbound.git;protocol=https;nobranch=1 \ file://CVE-2024-8508.patch \ file://CVE-2024-33655.patch \ - file://CVE-2025-11411.patch \ + file://0001-CVE-2025-11411-1.patch \ + file://0002-CVE-2025-11411-2.patch \ file://CVE-2024-43167.patch \ file://CVE-2024-43168_1.patch \ file://CVE-2024-43168_2.patch \