From 8cdd4da16a8b32ed9327fd0a0aa94bf6dce3181a Mon Sep 17 00:00:00 2001
From: eaglegai
Date: Fri, 7 Nov 2025 03:32:09 +0000
Subject: [PATCH] fix CVE-2025-11411
(cherry picked from commit d232f4794f425c3954b073624c5bbcbef06f4419)
---
 backport-CVE-2025-11411.patch | 2088 +++++++++++++++++++++++++++++++++
 unbound.conf | 4 +
 unbound.spec | 9 +-
 3 files changed, 2100 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-11411.patch
diff --git a/backport-CVE-2025-11411.patch b/backport-CVE-2025-11411.patch
new file mode 100644
index 0000000..d13e35a
--- /dev/null
+++ b/backport-CVE-2025-11411.patch
@@ -0,0 +1,2088 @@
+From a33f0638e1dacf2633cf2292078a674576bca852 Mon Sep 17 00:00:00 2001
+From: Yorgos Thessalonikefs
+Date: Wed, 22 Oct 2025 10:54:57 +0200
+Subject: [PATCH] - Fix CVE-2025-11411 (possible domain hijacking attack),
+ reported by Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from
+ Tsinghua University.
+
+Conflict:remove modify about remote.c unbound-control.* unbound.conf.rst and test files; change modify context about iter_scrub.c config_file.c config_file.h configlexer.lex configparser.y
+Reference:https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852
+
+---
+
+ doc/example.conf.in | 4 +
+ doc/unbound.conf.5.in | 9 +
+ iterator/iter_scrub.c | 22 +-
+ testdata/autotrust_init.rpl | 1 +
+ testdata/autotrust_init_ds.rpl | 1 +
+ testdata/autotrust_init_sigs.rpl | 1 +
+ testdata/autotrust_init_zsk.rpl | 1 +
+ testdata/black_data.rpl | 1 +
+ testdata/black_prime.rpl | 1 +
+ testdata/dns64_lookup.rpl | 1 +
+ testdata/fetch_glue.rpl | 1 +
+ testdata/fetch_glue_cname.rpl | 1 +
+ testdata/fwd_cached.rpl | 1 +
+ .../fwd_compress_c00c.conf | 1 +
+ testdata/fwd_minimal.rpl | 1 +
+ testdata/ipsecmod_bogus_ipseckey.crpl | 1 +
+ testdata/ipsecmod_enabled.crpl | 1 +
+ testdata/ipsecmod_ignore_bogus_ipseckey.crpl | 1 +
+ testdata/ipsecmod_max_ttl.crpl | 1 +
+ testdata/ipsecmod_strict.crpl | 1 +
+ testdata/ipsecmod_whitelist.crpl | 1 +
+ testdata/iter_class_any.rpl | 1 +
+ testdata/iter_cycle_noh.rpl | 1 +
+ testdata/iter_domain_sale.rpl | 1 +
+ testdata/iter_domain_sale_nschange.rpl | 1 +
+ testdata/iter_emptydp.rpl | 1 +
+ testdata/iter_emptydp_for_glue.rpl | 1 +
+ testdata/iter_fwdfirst.rpl | 1 +
+ testdata/iter_fwdfirstequal.rpl | 1 +
+ testdata/iter_fwdstub.rpl | 1 +
+ testdata/iter_fwdstubroot.rpl | 1 +
+ testdata/iter_got6only.rpl | 1 +
+ testdata/iter_hint_lame.rpl | 1 +
+ testdata/iter_lame_noaa.rpl | 1 +
+ testdata/iter_lame_nosoa.rpl | 1 +
+ testdata/iter_mod.rpl | 1 +
+ testdata/iter_ns_badip.rpl | 1 +
+ testdata/iter_ns_spoof.rpl | 1 +
+ testdata/iter_pc_a.rpl | 1 +
+ testdata/iter_pc_aaaa.rpl | 1 +
+ testdata/iter_pcdiff.rpl | 1 +
+ testdata/iter_pcdirect.rpl | 1 +
+ testdata/iter_pcname.rpl | 1 +
+ testdata/iter_pcnamech.rpl | 1 +
+ testdata/iter_pcnamechrec.rpl | 1 +
+ testdata/iter_pcnamerec.rpl | 1 +
+ testdata/iter_pcttl.rpl | 1 +
+ testdata/iter_prefetch.rpl | 1 +
+ testdata/iter_prefetch_change.rpl | 1 +
+ testdata/iter_prefetch_change2.rpl | 1 +
+ testdata/iter_prefetch_childns.rpl | 1 +
+ testdata/iter_prefetch_fail.rpl | 1 +
+ testdata/iter_prefetch_ns.rpl | 1 +
+ testdata/iter_primenoglue.rpl | 1 +
+ testdata/iter_privaddr.rpl | 1 +
+ testdata/iter_ranoaa_lame.rpl | 1 +
+ testdata/iter_reclame_one.rpl | 1 +
+ testdata/iter_reclame_two.rpl | 1 +
+ testdata/iter_recurse.rpl | 1 +
+ testdata/iter_resolve.rpl | 1 +
+ testdata/iter_resolve_minimised.rpl | 1 +
+ testdata/iter_resolve_minimised_nx.rpl | 1 +
+ testdata/iter_resolve_minimised_refused.rpl | 1 +
+ testdata/iter_resolve_minimised_timeout.rpl | 1 +
+ testdata/iter_scrub_cname_an.rpl | 1 +
+ testdata/iter_scrub_dname_insec.rpl | 1 +
+ testdata/iter_scrub_dname_rev.rpl | 1 +
+ testdata/iter_scrub_dname_sec.rpl | 1 +
+ testdata/iter_scrub_promiscuous.rpl | 373 ++++++++++++++++++
+ testdata/iter_soamin.rpl | 1 +
+ testdata/iter_stub_noroot.rpl | 1 +
+ testdata/iter_stubfirst.rpl | 1 +
+ testdata/iter_timeout_ra_aaaa.rpl | 1 +
+ testdata/rrset_rettl.rpl | 1 +
+ testdata/rrset_untrusted.rpl | 1 +
+ testdata/rrset_updated.rpl | 1 +
+ testdata/serve_expired.rpl | 1 +
+ testdata/serve_expired_client_timeout.rpl | 1 +
+ testdata/serve_expired_reply_ttl.rpl | 1 +
+ testdata/serve_expired_servfail.rpl | 1 +
+ testdata/serve_expired_ttl.rpl | 1 +
+ testdata/serve_expired_ttl_client_timeout.rpl | 1 +
+ testdata/serve_expired_zerottl.rpl | 1 +
+ testdata/serve_original_ttl.rpl | 1 +
+ testdata/subnet_cached.crpl | 1 +
+ testdata/subnet_max_source.crpl | 1 +
+ testdata/subnet_val_positive.crpl | 1 +
+ testdata/subnet_val_positive_client.crpl | 1 +
+ testdata/trust_cname_chain.rpl | 1 +
+ testdata/ttl_max.rpl | 1 +
+ testdata/ttl_min.rpl | 1 +
+ testdata/val_adbit.rpl | 1 +
+ testdata/val_adcopy.rpl | 1 +
+ testdata/val_cnametocnamewctoposwc.rpl | 1 +
+ testdata/val_ds_afterprime.rpl | 1 +
+ testdata/val_faildnskey_ok.rpl | 1 +
+ testdata/val_keyprefetch_verify.rpl | 1 +
+ testdata/val_noadwhennodo.rpl | 1 +
+ testdata/val_nsec3_b3_optout.rpl | 1 +
+ testdata/val_nsec3_b3_optout_negcache.rpl | 1 +
+ testdata/val_nsec3_b4_wild.rpl | 1 +
+ testdata/val_nsec3_cnametocnamewctoposwc.rpl | 1 +
+ testdata/val_positive.rpl | 1 +
+ testdata/val_positive_wc.rpl | 1 +
+ testdata/val_qds_badanc.rpl | 1 +
+ testdata/val_qds_oneanc.rpl | 1 +
+ testdata/val_qds_twoanc.rpl | 1 +
+ testdata/val_refer_unsignadd.rpl | 1 +
+ testdata/val_referd.rpl | 1 +
+ testdata/val_referglue.rpl | 1 +
+ testdata/val_rrsig.rpl | 1 +
+ testdata/val_spurious_ns.rpl | 1 +
+ testdata/val_stub_noroot.rpl | 1 +
+ testdata/val_ta_algo_dnskey.rpl | 1 +
+ testdata/val_ta_algo_dnskey_dp.rpl | 1 +
+ testdata/val_ta_algo_missing_dp.rpl | 1 +
+ testdata/val_twocname.rpl | 1 +
+ testdata/val_unalgo_anchor.rpl | 1 +
+ testdata/val_wild_pos.rpl | 1 +
+ testdata/views.rpl | 1 +
+ util/config_file.c | 3 +
+ util/config_file.h | 3 +
+ util/configlexer.lex | 1 +
+ util/configparser.y | 13 +-
+ 124 files changed, 541 insertions(+), 3 deletions(-)
+ create mode 100644 testdata/iter_scrub_promiscuous.rpl
+
+diff --git a/doc/example.conf.in b/doc/example.conf.in
+index b33e65bfe..d151f8468 100644
+--- a/doc/example.conf.in
++++ b/doc/example.conf.in
+@@ -196,6 +196,10 @@ server:
+ # perform connect for UDP sockets to mitigate ICMP side channel.
+ # udp-connect: yes
+
++ # Should the scrubber remove promiscuous NS from positive answers,
++ # protects against poison attempts.
++ # iter-scrub-promiscuous: yes
++
+ # msec for waiting for an unknown server to reply. Increase if you
+ # are behind a slow satellite link, to eg. 1128.
+ # unknown-server-time-limit: 376
+diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
+index 172eb26c5..3df4daeb0 100644
+--- a/doc/unbound.conf.5.in
++++ b/doc/unbound.conf.5.in
+@@ -3656,6 +3656,15 @@ Default: 200
+ and enter the cache, whilst also mitigating the traffic flow by the
+ factor given.
+ .TP 5
++.B iter\-scrub\-promiscuous: \fI\fP
++Should the iterator scrubber remove promiscuous NS from positive answers.
++This protects against poisonous contents, that could affect names in the
++same zone as a spoofed packet.
++.sp
++Default: yes
++.UNINDENT
++.INDENT 0.0
++.TP
+ .B fast\-server\-permil: \fI
+ Specify how many times out of 1000 to pick from the set of fastest servers.
+ 0 turns the feature off. A value of 900 would pick from the fastest
+diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
+index 49a5f5da1..553d3655f 100644
+--- a/iterator/iter_scrub.c
++++ b/iterator/iter_scrub.c
+@@ -355,11 +375,13 @@ soa_in_auth(struct msg_parse* msg)
+ * @param msg: msg to normalize.
+ * @param qinfo: original query.
+ * @param region: where to allocate synthesized CNAMEs.
++ * @param env: module env with config options.
+ * @return 0 on error.
+ */
+ static int
+ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+- struct query_info* qinfo, struct regional* region)
++ struct query_info* qinfo, struct regional* region,
++ struct module_env* env)
+ {
+ uint8_t* sname = qinfo->qname;
+ size_t snamelen = qinfo->qname_len;
+@@ -634,6 +634,22 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg,
+ "RRset:", pkt, msg, prev, &rrset);
+ continue;
+ }
++ /* If the NS set is a promiscuous NS set, scrub that
++ * to remove potential for poisonous contents that
++ * affects other names in the same zone. Remove
++ * promiscuous NS sets in positive answers, that
++ * thus have records in the answer section. Nodata
++ * and nxdomain promiscuous NS sets have been removed
++ * already. Since the NS rrset is scrubbed, its
++ * address records are also not marked to be allowed
++ * and are removed later. */
++ if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR &&
++ msg->an_rrsets != 0 &&
++ env->cfg->iter_scrub_promiscuous) {
++ remove_rrset("normalize: removing promiscuous "
++ "RRset:", pkt, msg, prev, &rrset);
++ continue;
++ }
+ if(nsset == NULL) {
+ nsset = rrset;
+ } else {
+@@ -846,7 +883,7 @@ scrub_message(sldns_buffer* pkt, struct msg_parse* msg,
+ }
+
+ /* normalize the response, this cleans up the additional. */
+- if(!scrub_normalize(pkt, msg, qinfo, region))
++ if(!scrub_normalize(pkt, msg, qinfo, region, env))
+ return 0;
+ /* delete all out-of-zone information */
+ if(!scrub_sanitize(pkt, msg, qinfo, zonename, env, ie))
+diff --git a/testdata/autotrust_init.rpl b/testdata/autotrust_init.rpl
+index d722273e0..d69e70b4b 100644
+--- a/testdata/autotrust_init.rpl
++++ b/testdata/autotrust_init.rpl
+@@ -5,6 +5,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+diff --git a/testdata/autotrust_init_ds.rpl b/testdata/autotrust_init_ds.rpl
+index ad4019ebe..9ffb4d4ba 100644
+--- a/testdata/autotrust_init_ds.rpl
++++ b/testdata/autotrust_init_ds.rpl
+@@ -5,6 +5,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+diff --git a/testdata/autotrust_init_sigs.rpl b/testdata/autotrust_init_sigs.rpl
+index d5d52f473..a7cb7963b 100644
+--- a/testdata/autotrust_init_sigs.rpl
++++ b/testdata/autotrust_init_sigs.rpl
+@@ -5,6 +5,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+ stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
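Review bot: The three hunk headers of the iterator/iter_scrub.c section disagree with each other (`@@ -355,11 +375,13 @@`, then `@@ -634,6 +634,22 @@`, then `@@ -846,7 +883,7 @@` — a +20 offset, then +0, then +37, while the hunk bodies net only +2 and +16 lines), which fits the hand-edited context the description mentions; `git apply` and patch(1) will usually still place the hunks by their context, but the placement should be confirmed with `git apply --check` against the packaged tarball rather than left to fuzz. The new guard in scrub_normalize only scrubs the promiscuous NS set when `FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR`, `msg->an_rrsets != 0` and `env->cfg->iter_scrub_promiscuous` all hold, so the mitigation depends entirely on that option being on: the man-page hunk states `Default: yes`, and the config_file.c/configparser.y hunks that define the field and its default, as well as the packaged unbound.conf (four added lines per the diffstat), lie outside this chunk and should be checked to agree with it. The comment block also relies on nodata/nxdomain promiscuous NS sets having been removed earlier in the same loop, which is not visible here. scrub_normalize starts in the first hunk and its body continues past the second; scrub_message begins and ends outside the third.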
+diff --git a/testdata/autotrust_init_zsk.rpl b/testdata/autotrust_init_zsk.rpl +index 56a5bc0b3..2d28d4340 100644 +--- a/testdata/autotrust_init_zsk.rpl ++++ b/testdata/autotrust_init_zsk.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/black_data.rpl b/testdata/black_data.rpl +index e6ef1b79d..e928d630d 100644 +--- a/testdata/black_data.rpl ++++ b/testdata/black_data.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/black_prime.rpl b/testdata/black_prime.rpl +index fbe92a721..0301c85b6 100644 +--- a/testdata/black_prime.rpl ++++ b/testdata/black_prime.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/dns64_lookup.rpl b/testdata/dns64_lookup.rpl +index 327f7dfed..cec801232 100644 +--- a/testdata/dns64_lookup.rpl ++++ b/testdata/dns64_lookup.rpl +@@ -7,6 +7,7 @@ server: + module-config: "dns64 validator iterator" + dns64-prefix: 64:ff9b::0/96 + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/fetch_glue.rpl b/testdata/fetch_glue.rpl +index 8860d85b0..daf687ad4 100644 +--- a/testdata/fetch_glue.rpl ++++ b/testdata/fetch_glue.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/fetch_glue_cname.rpl b/testdata/fetch_glue_cname.rpl +index 64f00fb20..c786a417c 100644 +--- a/testdata/fetch_glue_cname.rpl ++++ b/testdata/fetch_glue_cname.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/fwd_cached.rpl b/testdata/fwd_cached.rpl +index 2d6b0c2b8..4a00f8715 100644 +--- a/testdata/fwd_cached.rpl ++++ b/testdata/fwd_cached.rpl +@@ -2,6 +2,7 @@ + ; config options go here. + server: + minimal-responses: no ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf +index 5b2c8045a..7bc7408cd 100644 +--- a/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf ++++ b/testdata/fwd_compress_c00c.tdir/fwd_compress_c00c.conf +@@ -10,6 +10,7 @@ server: + username: "" + do-not-query-localhost: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + forward-zone: + name: "." +diff --git a/testdata/fwd_minimal.rpl b/testdata/fwd_minimal.rpl +index e85d7124b..ef1d7fc41 100644 +--- a/testdata/fwd_minimal.rpl ++++ b/testdata/fwd_minimal.rpl +@@ -5,6 +5,7 @@ server: + ; is fine for that, not removed by minimal-responses. + access-control: 127.0.0.1 allow_snoop + minimal-responses: yes ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/ipsecmod_bogus_ipseckey.crpl b/testdata/ipsecmod_bogus_ipseckey.crpl +index 094710b60..98bc454f2 100644 +--- a/testdata/ipsecmod_bogus_ipseckey.crpl ++++ b/testdata/ipsecmod_bogus_ipseckey.crpl +@@ -9,6 +9,7 @@ server: + qname-minimisation: "no" + # test that default value of harden-dnssec-stripped is still yes. 
+ fake-sha1: yes ++ iter-scrub-promiscuous: no + trust-anchor-signaling: no + access-control: 127.0.0.1 allow_snoop + module-config: "ipsecmod validator iterator" +diff --git a/testdata/ipsecmod_enabled.crpl b/testdata/ipsecmod_enabled.crpl +index 449842961..04e8cb1a1 100644 +--- a/testdata/ipsecmod_enabled.crpl ++++ b/testdata/ipsecmod_enabled.crpl +@@ -11,6 +11,7 @@ server: + ipsecmod-enabled: no + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl +index a605c3445..4c4d80c10 100644 +--- a/testdata/ipsecmod_ignore_bogus_ipseckey.crpl ++++ b/testdata/ipsecmod_ignore_bogus_ipseckey.crpl +@@ -18,6 +18,7 @@ server: + ipsecmod-ignore-bogus: yes + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_max_ttl.crpl b/testdata/ipsecmod_max_ttl.crpl +index 592bae046..4dfeddfd9 100644 +--- a/testdata/ipsecmod_max_ttl.crpl ++++ b/testdata/ipsecmod_max_ttl.crpl +@@ -10,6 +10,7 @@ server: + ipsecmod-max-ttl: 200 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_strict.crpl b/testdata/ipsecmod_strict.crpl +index f74e308bd..51cc11b53 100644 +--- a/testdata/ipsecmod_strict.crpl ++++ b/testdata/ipsecmod_strict.crpl +@@ -10,6 +10,7 @@ server: + ipsecmod-max-ttl: 200 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/ipsecmod_whitelist.crpl b/testdata/ipsecmod_whitelist.crpl +index 34108f3b1..350c2ad48 100644 +--- a/testdata/ipsecmod_whitelist.crpl ++++ b/testdata/ipsecmod_whitelist.crpl +@@ -11,6 +11,7 @@ server: + ipsecmod-whitelist: white.example.com + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_class_any.rpl b/testdata/iter_class_any.rpl +index 6fb296e99..87e0db032 100644 +--- a/testdata/iter_class_any.rpl ++++ b/testdata/iter_class_any.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_cycle_noh.rpl b/testdata/iter_cycle_noh.rpl +index eee26ca70..e551ac6e8 100644 +--- a/testdata/iter_cycle_noh.rpl ++++ b/testdata/iter_cycle_noh.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_domain_sale.rpl b/testdata/iter_domain_sale.rpl +index 6110148a3..7c3cc1f2f 100644 +--- a/testdata/iter_domain_sale.rpl ++++ b/testdata/iter_domain_sale.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_domain_sale_nschange.rpl b/testdata/iter_domain_sale_nschange.rpl +index 5664855d5..886ed51a3 100644 +--- a/testdata/iter_domain_sale_nschange.rpl ++++ b/testdata/iter_domain_sale_nschange.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_emptydp.rpl b/testdata/iter_emptydp.rpl +index ecb49b6cd..3879a9b43 100644 +--- a/testdata/iter_emptydp.rpl ++++ b/testdata/iter_emptydp.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_emptydp_for_glue.rpl b/testdata/iter_emptydp_for_glue.rpl +index 94dec2bc5..fc7933fbc 100644 +--- a/testdata/iter_emptydp_for_glue.rpl ++++ b/testdata/iter_emptydp_for_glue.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdfirst.rpl b/testdata/iter_fwdfirst.rpl +index 0f8a85f5a..509a1cdad 100644 +--- a/testdata/iter_fwdfirst.rpl ++++ b/testdata/iter_fwdfirst.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdfirstequal.rpl b/testdata/iter_fwdfirstequal.rpl +index dc648143c..abd25d149 100644 +--- a/testdata/iter_fwdfirstequal.rpl ++++ b/testdata/iter_fwdfirstequal.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdstub.rpl b/testdata/iter_fwdstub.rpl +index ad5b57cb7..4c741a50f 100644 +--- a/testdata/iter_fwdstub.rpl ++++ b/testdata/iter_fwdstub.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_fwdstubroot.rpl b/testdata/iter_fwdstubroot.rpl +index fa930430d..dd93ecdef 100644 +--- a/testdata/iter_fwdstubroot.rpl ++++ b/testdata/iter_fwdstubroot.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_got6only.rpl b/testdata/iter_got6only.rpl +index 155228439..b0d20b3f4 100644 +--- a/testdata/iter_got6only.rpl ++++ b/testdata/iter_got6only.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0 " + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." 
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/iter_hint_lame.rpl b/testdata/iter_hint_lame.rpl +index 2fb6dde72..26aa5dc73 100644 +--- a/testdata/iter_hint_lame.rpl ++++ b/testdata/iter_hint_lame.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_lame_noaa.rpl b/testdata/iter_lame_noaa.rpl +index defaa5ca8..050866c65 100644 +--- a/testdata/iter_lame_noaa.rpl ++++ b/testdata/iter_lame_noaa.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_lame_nosoa.rpl b/testdata/iter_lame_nosoa.rpl +index 3bf6ccc18..d55ff78d6 100644 +--- a/testdata/iter_lame_nosoa.rpl ++++ b/testdata/iter_lame_nosoa.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_mod.rpl b/testdata/iter_mod.rpl +index 35b3a5af6..3d3d6789d 100644 +--- a/testdata/iter_mod.rpl ++++ b/testdata/iter_mod.rpl +@@ -4,6 +4,7 @@ server: + qname-minimisation: "no" + module-config: "iterator" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_ns_badip.rpl b/testdata/iter_ns_badip.rpl +index e0bf96674..481f47a0a 100644 +--- a/testdata/iter_ns_badip.rpl ++++ b/testdata/iter_ns_badip.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "3 2 1 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_ns_spoof.rpl b/testdata/iter_ns_spoof.rpl +index f67457635..999ff05ff 100644 +--- a/testdata/iter_ns_spoof.rpl ++++ b/testdata/iter_ns_spoof.rpl +@@ -4,6 +4,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/iter_pc_a.rpl b/testdata/iter_pc_a.rpl +index d9add0056..be73a796a 100644 +--- a/testdata/iter_pc_a.rpl ++++ b/testdata/iter_pc_a.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pc_aaaa.rpl b/testdata/iter_pc_aaaa.rpl +index a28354306..a7ce1866f 100644 +--- a/testdata/iter_pc_aaaa.rpl ++++ b/testdata/iter_pc_aaaa.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pcdiff.rpl b/testdata/iter_pcdiff.rpl +index 57fb109af..a462d333e 100644 +--- a/testdata/iter_pcdiff.rpl ++++ b/testdata/iter_pcdiff.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pcdirect.rpl b/testdata/iter_pcdirect.rpl +index 0bd5dfe78..656ec7af4 100644 +--- a/testdata/iter_pcdirect.rpl ++++ b/testdata/iter_pcdirect.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_pcname.rpl b/testdata/iter_pcname.rpl +index e17c9102c..af53c901b 100644 +--- a/testdata/iter_pcname.rpl ++++ b/testdata/iter_pcname.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pcnamech.rpl b/testdata/iter_pcnamech.rpl +index 32b3130c8..805cb18f7 100644 +--- a/testdata/iter_pcnamech.rpl ++++ b/testdata/iter_pcnamech.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_pcnamechrec.rpl b/testdata/iter_pcnamechrec.rpl +index 8bf7ad879..bbb9c863d 100644 +--- a/testdata/iter_pcnamechrec.rpl ++++ b/testdata/iter_pcnamechrec.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_pcnamerec.rpl b/testdata/iter_pcnamerec.rpl +index faee6d029..2ea0dada3 100644 +--- a/testdata/iter_pcnamerec.rpl ++++ b/testdata/iter_pcnamerec.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_pcttl.rpl b/testdata/iter_pcttl.rpl +index 413f8cb88..a70201710 100644 +--- a/testdata/iter_pcttl.rpl ++++ b/testdata/iter_pcttl.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + do-ip6: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch.rpl b/testdata/iter_prefetch.rpl +index bad92dc57..fdf595564 100644 +--- a/testdata/iter_prefetch.rpl ++++ b/testdata/iter_prefetch.rpl +@@ -4,6 +4,7 @@ server: + qname-minimisation: "no" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_prefetch_change.rpl b/testdata/iter_prefetch_change.rpl +index 1be9e6abe..c1a1a710f 100644 +--- a/testdata/iter_prefetch_change.rpl ++++ b/testdata/iter_prefetch_change.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch_change2.rpl b/testdata/iter_prefetch_change2.rpl +index 7a8370ff6..4a966fea0 100644 +--- a/testdata/iter_prefetch_change2.rpl ++++ b/testdata/iter_prefetch_change2.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch_childns.rpl b/testdata/iter_prefetch_childns.rpl +index 00a91fcde..f234065e7 100644 +--- a/testdata/iter_prefetch_childns.rpl ++++ b/testdata/iter_prefetch_childns.rpl +@@ -4,6 +4,7 @@ server: + qname-minimisation: "no" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch_fail.rpl b/testdata/iter_prefetch_fail.rpl +index 1d92a4c1c..d1e308305 100644 +--- a/testdata/iter_prefetch_fail.rpl ++++ b/testdata/iter_prefetch_fail.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_prefetch_ns.rpl b/testdata/iter_prefetch_ns.rpl +index 93af21638..3192d31c0 100644 +--- a/testdata/iter_prefetch_ns.rpl ++++ b/testdata/iter_prefetch_ns.rpl +@@ -4,6 +4,7 @@ server: + qname-minimisation: "no" + prefetch: "yes" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_primenoglue.rpl b/testdata/iter_primenoglue.rpl +index b9808dd2c..f8c980350 100644 +--- a/testdata/iter_primenoglue.rpl ++++ b/testdata/iter_primenoglue.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_privaddr.rpl b/testdata/iter_privaddr.rpl +index 0c87b4b9a..b7a6fde29 100644 +--- a/testdata/iter_privaddr.rpl ++++ b/testdata/iter_privaddr.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + private-address: 10.0.0.0/8 + private-address: 172.16.0.0/12 +diff --git a/testdata/iter_ranoaa_lame.rpl b/testdata/iter_ranoaa_lame.rpl +index 8ee82415a..313192f10 100644 +--- a/testdata/iter_ranoaa_lame.rpl ++++ b/testdata/iter_ranoaa_lame.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_reclame_one.rpl b/testdata/iter_reclame_one.rpl +index 4a6abfae5..d273e6056 100644 +--- a/testdata/iter_reclame_one.rpl ++++ b/testdata/iter_reclame_one.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_reclame_two.rpl b/testdata/iter_reclame_two.rpl +index 76c310b28..e2b2bc126 100644 +--- a/testdata/iter_reclame_two.rpl ++++ b/testdata/iter_reclame_two.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/iter_recurse.rpl b/testdata/iter_recurse.rpl +index be50b4af8..135287678 100644 +--- a/testdata/iter_recurse.rpl ++++ b/testdata/iter_recurse.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + 
qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve.rpl b/testdata/iter_resolve.rpl +index ed051ff24..3ea56abe9 100644 +--- a/testdata/iter_resolve.rpl ++++ b/testdata/iter_resolve.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve_minimised.rpl b/testdata/iter_resolve_minimised.rpl +index 2c6f9ccf5..13f04d481 100644 +--- a/testdata/iter_resolve_minimised.rpl ++++ b/testdata/iter_resolve_minimised.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve_minimised_nx.rpl b/testdata/iter_resolve_minimised_nx.rpl +index 74e612ccb..c68f20ca8 100644 +--- a/testdata/iter_resolve_minimised_nx.rpl ++++ b/testdata/iter_resolve_minimised_nx.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve_minimised_refused.rpl b/testdata/iter_resolve_minimised_refused.rpl +index 66e8e631e..8dc76e258 100644 +--- a/testdata/iter_resolve_minimised_refused.rpl ++++ b/testdata/iter_resolve_minimised_refused.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_resolve_minimised_timeout.rpl b/testdata/iter_resolve_minimised_timeout.rpl +index 86b932160..3740d79f4 100644 +--- a/testdata/iter_resolve_minimised_timeout.rpl ++++ b/testdata/iter_resolve_minimised_timeout.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/iter_scrub_cname_an.rpl b/testdata/iter_scrub_cname_an.rpl
+index 9c5060af7..f81916b0c 100644
+--- a/testdata/iter_scrub_cname_an.rpl
++++ b/testdata/iter_scrub_cname_an.rpl
+@@ -4,6 +4,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_scrub_dname_insec.rpl b/testdata/iter_scrub_dname_insec.rpl
+index 826d89e29..82ff1d3da 100644
+--- a/testdata/iter_scrub_dname_insec.rpl
++++ b/testdata/iter_scrub_dname_insec.rpl
+@@ -4,6 +4,7 @@ server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_scrub_dname_rev.rpl b/testdata/iter_scrub_dname_rev.rpl
+index 9caca66c0..dfb21b8b6 100644
+--- a/testdata/iter_scrub_dname_rev.rpl
++++ b/testdata/iter_scrub_dname_rev.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_scrub_dname_sec.rpl b/testdata/iter_scrub_dname_sec.rpl
+index 34a7b324d..943b19ff5 100644
+--- a/testdata/iter_scrub_dname_sec.rpl
++++ b/testdata/iter_scrub_dname_sec.rpl
+@@ -8,6 +8,7 @@ server:
+ fake-sha1: yes
+ trust-anchor-signaling: no
+ minimal-responses: no
++ iter-scrub-promiscuous: no
+
+ stub-zone:
+ name: "."
+diff --git a/testdata/iter_scrub_promiscuous.rpl b/testdata/iter_scrub_promiscuous.rpl
+new file mode 100644
+index 000000000..61fca0d28
+--- /dev/null
++++ b/testdata/iter_scrub_promiscuous.rpl
+@@ -0,0 +1,373 @@
++; config options
++server:
++ target-fetch-policy: "0 0 0 0 0"
++ qname-minimisation: no
++ iter-scrub-promiscuous: yes
++
++stub-zone:
++ name: "."
++ stub-addr: 1.2.3.0 # ns.root
++CONFIG_END
++
++SCENARIO_BEGIN Test iterator with scrub of promiscuous records
++; The test queries receive spoofed answers. The check queries see if
++; the record is returned by the original server or by a spoofed source.
++; The test domains are pollute1.mesa, pollute2.mesa and pollute3.mesa.
++; The spoofed contents are ns.attacker.mesa and its IPs 5.6.7.8 and 5.6.7.9.
++; The pollute1.mesa NS, ns.pollute2.mesa A, and test3.atkr.pollute3.mesa NS
++; with ns.pollute3.mesa A records are tested for cache placement.
++
++; ns.root
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.3.0
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++. IN NS
++SECTION ANSWER
++. IN NS NS.ROOT.
++SECTION ADDITIONAL
++NS.ROOT. IN A 1.2.3.0
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++mesa. IN NS
++SECTION AUTHORITY
++mesa. IN NS ns.mesa.
++SECTION ADDITIONAL
++ns.mesa. IN A 1.2.7.7
++ENTRY_END
++RANGE_END
++
++; ns.mesa
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.7.7
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++pollute1.mesa. IN NS
++SECTION AUTHORITY
++pollute1.mesa. IN NS ns.pollute1.mesa.
++SECTION ADDITIONAL
++ns.pollute1.mesa. IN A 1.2.4.1
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++pollute2.mesa. IN NS
++SECTION AUTHORITY
++pollute2.mesa. IN NS ns.pollute2.mesa.
++SECTION ADDITIONAL
++ns.pollute2.mesa. IN A 1.2.4.2
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++pollute3.mesa. IN NS
++SECTION AUTHORITY
++pollute3.mesa. IN NS ns.pollute3.mesa.
++SECTION ADDITIONAL
++ns.pollute3.mesa. IN A 1.2.4.3
++ENTRY_END
++
++ENTRY_BEGIN
++MATCH opcode subdomain
++ADJUST copy_id copy_query
++REPLY QR NOERROR
++SECTION QUESTION
++attacker.mesa. IN NS
++SECTION AUTHORITY
++attacker.mesa. IN NS ns.attacker.mesa.
++SECTION ADDITIONAL
++ns.attacker.mesa. IN A 5.6.7.8
++ENTRY_END
++RANGE_END
++
++; ns.pollute1.mesa
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.4.1
++
++; This is the spoofed answer that is returned.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++test1.atkr.pollute1.mesa. IN A
++SECTION ANSWER
++test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4
++SECTION AUTHORITY
++pollute1.mesa. 86400 IN NS ns.attacker.mesa.
++ENTRY_END
++
++; correct answer for the check query.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++check.pollute1.mesa. IN A
++SECTION ANSWER
++check.pollute1.mesa. IN A 1.8.9.1
++ENTRY_END
++RANGE_END
++
++; ns.pollute2.mesa
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.4.2
++
++; This is the spoofed answer that is returned.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++test2.atkr.pollute2.mesa. IN A
++SECTION ANSWER
++test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4
++SECTION AUTHORITY
++pollute2.mesa. 86400 IN NS ns.pollute2.mesa.
++SECTION ADDITIONAL
++ns.pollute2.mesa. 86400 IN A 5.6.7.8
++ENTRY_END
++
++; correct answer for the check query.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++check.pollute2.mesa. IN A
++SECTION ANSWER
++check.pollute2.mesa. IN A 1.8.9.2
++ENTRY_END
++RANGE_END
++
++; ns.pollute3.mesa
++RANGE_BEGIN 0 400
++ ADDRESS 1.2.4.3
++
++; This is the spoofed answer that is returned.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++test3.atkr.pollute3.mesa. IN A
++SECTION ANSWER
++test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
++SECTION AUTHORITY
++test3.atkr.pollute3.mesa. 86400 IN NS ns.pollute3.mesa.
++SECTION ADDITIONAL
++ns.pollute3.mesa. 86400 IN A 5.6.7.8
++ENTRY_END
++
++; correct answer for the check query.
++ENTRY_BEGIN
++MATCH opcode qtype qname
++ADJUST copy_id
++REPLY QR AA NOERROR
++SECTION QUESTION
++check.pollute3.mesa.
IN A ++SECTION ANSWER ++check.pollute3.mesa. IN A 1.8.9.3 ++ENTRY_END ++RANGE_END ++ ++; ns.attacker.mesa ++RANGE_BEGIN 0 400 ++ ADDRESS 5.6.7.8 ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++ns.attacker.mesa. IN A ++SECTION ANSWER ++ns.attacker.mesa. 86400 IN A 5.6.7.8 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++ns.attacker.mesa. IN AAAA ++SECTION AUTHORITY ++attacker.mesa. 3600 IN SOA ns.attacker.mesa. root.attacker.mesa. 4 7200 3600 604800 3600 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++ns.attacker.mesa. IN A ++SECTION ANSWER ++ns.attacker.mesa. 86400 IN A 5.6.7.8 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++check.pollute1.mesa. IN A ++SECTION ANSWER ++check.pollute1.mesa. 86400 IN A 5.6.7.9 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++check.pollute2.mesa. IN A ++SECTION ANSWER ++check.pollute2.mesa. 86400 IN A 5.6.7.9 ++ENTRY_END ++ ++ENTRY_BEGIN ++MATCH opcode qtype qname ++ADJUST copy_id ++REPLY QR AA NOERROR ++SECTION QUESTION ++check.pollute3.mesa. IN A ++SECTION ANSWER ++check.pollute3.mesa. 86400 IN A 5.6.7.9 ++ENTRY_END ++RANGE_END ++ ++; Test query 1 ++STEP 1 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++test1.atkr.pollute1.mesa. IN A ++ENTRY_END ++ ++STEP 10 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++test1.atkr.pollute1.mesa. IN A ++SECTION ANSWER ++test1.atkr.pollute1.mesa. 86400 IN A 1.2.3.4 ++ENTRY_END ++ ++; Test query 2 ++STEP 20 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++test2.atkr.pollute2.mesa. IN A ++ENTRY_END ++ ++STEP 30 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++test2.atkr.pollute2.mesa. 
IN A ++SECTION ANSWER ++test2.atkr.pollute2.mesa. 86400 IN A 1.2.3.4 ++ENTRY_END ++ ++; Test query 3 ++STEP 40 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++test3.atkr.pollute3.mesa. IN A ++ENTRY_END ++ ++STEP 50 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++test3.atkr.pollute3.mesa. IN A ++SECTION ANSWER ++test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4 ++ENTRY_END ++ ++; Check the cache contents, for query 1. ++STEP 60 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++check.pollute1.mesa. IN A ++ENTRY_END ++ ++STEP 70 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++check.pollute1.mesa. IN A ++SECTION ANSWER ++; good answer ++check.pollute1.mesa. IN A 1.8.9.1 ++; bad answer ++;check.pollute1.mesa. IN A 5.6.7.9 ++ENTRY_END ++ ++; Check the cache contents, for query 2. ++STEP 80 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++check.pollute2.mesa. IN A ++ENTRY_END ++ ++STEP 90 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++check.pollute2.mesa. IN A ++SECTION ANSWER ++; good answer ++check.pollute2.mesa. IN A 1.8.9.2 ++; bad answer ++;check.pollute2.mesa. IN A 5.6.7.9 ++ENTRY_END ++ ++; Check the cache contents, for query 3. ++STEP 100 QUERY ++ENTRY_BEGIN ++REPLY RD ++SECTION QUESTION ++check.pollute3.mesa. IN A ++ENTRY_END ++ ++STEP 110 CHECK_ANSWER ++ENTRY_BEGIN ++MATCH all ++REPLY QR RD RA NOERROR ++SECTION QUESTION ++check.pollute3.mesa. IN A ++SECTION ANSWER ++; good answer ++check.pollute3.mesa. IN A 1.8.9.3 ++; bad answer ++;check.pollute3.mesa. IN A 5.6.7.9 ++ENTRY_END ++ ++SCENARIO_END +diff --git a/testdata/iter_soamin.rpl b/testdata/iter_soamin.rpl +index 7e902601b..0facc3508 100644 +--- a/testdata/iter_soamin.rpl ++++ b/testdata/iter_soamin.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
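Review bot: The new iter_scrub_promiscuous.rpl scenario is the only test in this patch that runs with the new option enabled; every pre-existing scenario touched here is pinned to `iter-scrub-promiscuous: no`, so the default-on path is exercised only against these three pollute*.mesa cases and never through the validator, serve-expired, subnet or stub scenarios that now explicitly opt out. Consider leaving at least one of those existing scenarios at the default so a regression in the scrubber that affects ordinary referrals or glue would be caught. Separately, the `ns.attacker.mesa` range (ADDRESS 5.6.7.8) contains the `ns.attacker.mesa. IN A` entry twice with identical contents; dropping the duplicate makes the scenario easier to read. The header comment could also state that the option is on by default so readers know why the `yes` line is explicit here and `no` elsewhere.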
+diff --git a/testdata/iter_stub_noroot.rpl b/testdata/iter_stub_noroot.rpl +index ef306bd42..749462b6e 100644 +--- a/testdata/iter_stub_noroot.rpl ++++ b/testdata/iter_stub_noroot.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_stubfirst.rpl b/testdata/iter_stubfirst.rpl +index 1a7112de4..7cd3305a9 100644 +--- a/testdata/iter_stubfirst.rpl ++++ b/testdata/iter_stubfirst.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/iter_timeout_ra_aaaa.rpl b/testdata/iter_timeout_ra_aaaa.rpl +index 126867ba4..9456f0420 100644 +--- a/testdata/iter_timeout_ra_aaaa.rpl ++++ b/testdata/iter_timeout_ra_aaaa.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/rrset_rettl.rpl b/testdata/rrset_rettl.rpl +index 55dd62386..131a98e71 100644 +--- a/testdata/rrset_rettl.rpl ++++ b/testdata/rrset_rettl.rpl +@@ -2,6 +2,7 @@ + ; config options go here. + server: + minimal-responses: no ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/rrset_untrusted.rpl b/testdata/rrset_untrusted.rpl +index 6370ebf49..207275b56 100644 +--- a/testdata/rrset_untrusted.rpl ++++ b/testdata/rrset_untrusted.rpl +@@ -2,6 +2,7 @@ + ; config options go here. + server: + minimal-responses: no ++ iter-scrub-promiscuous: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END + +diff --git a/testdata/rrset_updated.rpl b/testdata/rrset_updated.rpl +index 55da56bac..ba8e4924c 100644 +--- a/testdata/rrset_updated.rpl ++++ b/testdata/rrset_updated.rpl +@@ -2,6 +2,7 @@ + ; config options go here. 
+ server: + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + forward-zone: name: "." forward-addr: 216.0.0.1 + CONFIG_END +diff --git a/testdata/serve_expired.rpl b/testdata/serve_expired.rpl +index 990a562c7..573e18bcf 100644 +--- a/testdata/serve_expired.rpl ++++ b/testdata/serve_expired.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + access-control: 127.0.0.1/32 allow_snoop + +diff --git a/testdata/serve_expired_client_timeout.rpl b/testdata/serve_expired_client_timeout.rpl +index 5560aa05a..e40e1b4c3 100644 +--- a/testdata/serve_expired_client_timeout.rpl ++++ b/testdata/serve_expired_client_timeout.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-client-timeout: 1 + serve-expired-reply-ttl: 123 +diff --git a/testdata/serve_expired_reply_ttl.rpl b/testdata/serve_expired_reply_ttl.rpl +index e76976bde..06128a736 100644 +--- a/testdata/serve_expired_reply_ttl.rpl ++++ b/testdata/serve_expired_reply_ttl.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-reply-ttl: 123 + +diff --git a/testdata/serve_expired_servfail.rpl b/testdata/serve_expired_servfail.rpl +index 990a562c7..573e18bcf 100644 +--- a/testdata/serve_expired_servfail.rpl ++++ b/testdata/serve_expired_servfail.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-client-timeout: 1800 + serve-expired-reply-ttl: 123 +diff --git a/testdata/serve_expired_ttl.rpl b/testdata/serve_expired_ttl.rpl +index 66acbdcf1..24cb34136 100644 +--- a/testdata/serve_expired_ttl.rpl 
++++ b/testdata/serve_expired_ttl.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-ttl: 10 + +diff --git a/testdata/serve_expired_ttl_client_timeout.rpl b/testdata/serve_expired_ttl_client_timeout.rpl +index 169d070ea..f28579014 100644 +--- a/testdata/serve_expired_ttl_client_timeout.rpl ++++ b/testdata/serve_expired_ttl_client_timeout.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-ttl: 10 + serve-expired-client-timeout: 1 +diff --git a/testdata/serve_expired_zerottl.rpl b/testdata/serve_expired_zerottl.rpl +index 1411cb8e7..1dd7547a9 100644 +--- a/testdata/serve_expired_zerottl.rpl ++++ b/testdata/serve_expired_zerottl.rpl +@@ -3,6 +3,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-expired: yes + serve-expired-reply-ttl: 123 + +diff --git a/testdata/serve_original_ttl.rpl b/testdata/serve_original_ttl.rpl +index 30503c285..ee80b550f 100644 +--- a/testdata/serve_original_ttl.rpl ++++ b/testdata/serve_original_ttl.rpl +@@ -4,6 +4,7 @@ server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + serve-original-ttl: yes + cache-max-ttl: 1000 + cache-min-ttl: 20 +diff --git a/testdata/subnet_cached.crpl b/testdata/subnet_cached.crpl +index 3cee6e978..c97bfbbe8 100644 +--- a/testdata/subnet_cached.crpl ++++ b/testdata/subnet_cached.crpl +@@ -15,6 +15,7 @@ server: + access-control: 127.0.0.1 allow_snoop + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/subnet_max_source.crpl b/testdata/subnet_max_source.crpl +index f5c7464ed..f3f71e7fd 100644 +--- a/testdata/subnet_max_source.crpl ++++ b/testdata/subnet_max_source.crpl +@@ -11,6 +11,7 @@ server: + verbosity: 3 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/subnet_val_positive.crpl b/testdata/subnet_val_positive.crpl +index 01456e58b..10996ada8 100644 +--- a/testdata/subnet_val_positive.crpl ++++ b/testdata/subnet_val_positive.crpl +@@ -13,6 +13,7 @@ server: + fake-dsa: yes + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/subnet_val_positive_client.crpl b/testdata/subnet_val_positive_client.crpl +index b573742b7..1b51d52ef 100644 +--- a/testdata/subnet_val_positive_client.crpl ++++ b/testdata/subnet_val_positive_client.crpl +@@ -14,6 +14,7 @@ server: + fake-dsa: yes + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/trust_cname_chain.rpl b/testdata/trust_cname_chain.rpl +index f8415ba23..e24f8c10d 100644 +--- a/testdata/trust_cname_chain.rpl ++++ b/testdata/trust_cname_chain.rpl +@@ -2,6 +2,7 @@ + server: + target-fetch-policy: "0 0 0 0 0" + minimal-responses: no ++ iter-scrub-promiscuous: no + stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +diff --git a/testdata/ttl_max.rpl b/testdata/ttl_max.rpl +index 325696321..b24eea383 100644 +--- a/testdata/ttl_max.rpl ++++ b/testdata/ttl_max.rpl +@@ -4,6 +4,7 @@ server: + cache-max-ttl: 10 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/ttl_min.rpl b/testdata/ttl_min.rpl +index 3c79ff5ed..94206c7c5 100644 +--- a/testdata/ttl_min.rpl ++++ b/testdata/ttl_min.rpl +@@ -4,6 +4,7 @@ server: + cache-min-ttl: 10 + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_adbit.rpl b/testdata/val_adbit.rpl +index 7ce62de77..233c58bef 100644 +--- a/testdata/val_adbit.rpl ++++ b/testdata/val_adbit.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_adcopy.rpl b/testdata/val_adcopy.rpl +index 604fd57f2..7bc31df23 100644 +--- a/testdata/val_adcopy.rpl ++++ b/testdata/val_adcopy.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_cnametocnamewctoposwc.rpl b/testdata/val_cnametocnamewctoposwc.rpl +index 407666efc..9ea8b493e 100644 +--- a/testdata/val_cnametocnamewctoposwc.rpl ++++ b/testdata/val_cnametocnamewctoposwc.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_ds_afterprime.rpl b/testdata/val_ds_afterprime.rpl +index 3b1c0d614..301a1f6b6 100644 +--- a/testdata/val_ds_afterprime.rpl ++++ b/testdata/val_ds_afterprime.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_faildnskey_ok.rpl b/testdata/val_faildnskey_ok.rpl +index 50f3184b4..f9196f35f 100644 +--- a/testdata/val_faildnskey_ok.rpl ++++ b/testdata/val_faildnskey_ok.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/val_keyprefetch_verify.rpl b/testdata/val_keyprefetch_verify.rpl +index 9b901a8cb..6cf81848d 100644 +--- a/testdata/val_keyprefetch_verify.rpl ++++ b/testdata/val_keyprefetch_verify.rpl +@@ -10,6 +10,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_noadwhennodo.rpl b/testdata/val_noadwhennodo.rpl +index 46e1bad5a..dbdeb780e 100644 +--- a/testdata/val_noadwhennodo.rpl ++++ b/testdata/val_noadwhennodo.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_nsec3_b3_optout.rpl b/testdata/val_nsec3_b3_optout.rpl +index 9d84be974..5d8a43a9b 100644 +--- a/testdata/val_nsec3_b3_optout.rpl ++++ b/testdata/val_nsec3_b3_optout.rpl +@@ -7,6 +7,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_nsec3_b3_optout_negcache.rpl b/testdata/val_nsec3_b3_optout_negcache.rpl +index 497a8591a..e7be762fb 100644 +--- a/testdata/val_nsec3_b3_optout_negcache.rpl ++++ b/testdata/val_nsec3_b3_optout_negcache.rpl +@@ -7,6 +7,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_nsec3_b4_wild.rpl b/testdata/val_nsec3_b4_wild.rpl +index 8bf3a5466..295932fad 100644 +--- a/testdata/val_nsec3_b4_wild.rpl ++++ b/testdata/val_nsec3_b4_wild.rpl +@@ -6,6 +6,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_nsec3_cnametocnamewctoposwc.rpl b/testdata/val_nsec3_cnametocnamewctoposwc.rpl +index 1651ae7dc..3e4c55a18 100644 +--- 
a/testdata/val_nsec3_cnametocnamewctoposwc.rpl ++++ b/testdata/val_nsec3_cnametocnamewctoposwc.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_positive.rpl b/testdata/val_positive.rpl +index daaf36089..c80851703 100644 +--- a/testdata/val_positive.rpl ++++ b/testdata/val_positive.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_positive_wc.rpl b/testdata/val_positive_wc.rpl +index 5384acf63..591dcc603 100644 +--- a/testdata/val_positive_wc.rpl ++++ b/testdata/val_positive_wc.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_qds_badanc.rpl b/testdata/val_qds_badanc.rpl +index dc686153f..cb53136f6 100644 +--- a/testdata/val_qds_badanc.rpl ++++ b/testdata/val_qds_badanc.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_qds_oneanc.rpl b/testdata/val_qds_oneanc.rpl +index f21ab422b..bda9f9032 100644 +--- a/testdata/val_qds_oneanc.rpl ++++ b/testdata/val_qds_oneanc.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_qds_twoanc.rpl b/testdata/val_qds_twoanc.rpl +index 4e4f2e732..f801c023b 100644 +--- a/testdata/val_qds_twoanc.rpl ++++ b/testdata/val_qds_twoanc.rpl +@@ -9,6 +9,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/val_refer_unsignadd.rpl b/testdata/val_refer_unsignadd.rpl +index 4d073016f..22f15d21a 100644 +--- a/testdata/val_refer_unsignadd.rpl ++++ b/testdata/val_refer_unsignadd.rpl +@@ -9,6 +9,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_referd.rpl b/testdata/val_referd.rpl +index d475f835e..a25ca7b7d 100644 +--- a/testdata/val_referd.rpl ++++ b/testdata/val_referd.rpl +@@ -10,6 +10,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl +index 54b767156..3ca0c0e80 100644 +--- a/testdata/val_referglue.rpl ++++ b/testdata/val_referglue.rpl +@@ -10,6 +10,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + stub-zone: +diff --git a/testdata/val_rrsig.rpl b/testdata/val_rrsig.rpl +index 0b672e0f2..69df344a5 100644 +--- a/testdata/val_rrsig.rpl ++++ b/testdata/val_rrsig.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_spurious_ns.rpl b/testdata/val_spurious_ns.rpl +index cb0a6e529..8db94a108 100644 +--- a/testdata/val_spurious_ns.rpl ++++ b/testdata/val_spurious_ns.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_stub_noroot.rpl b/testdata/val_stub_noroot.rpl +index 07113bef7..66c3d8e88 100644 +--- a/testdata/val_stub_noroot.rpl ++++ b/testdata/val_stub_noroot.rpl +@@ -6,6 +6,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/val_ta_algo_dnskey.rpl b/testdata/val_ta_algo_dnskey.rpl +index 03bac83aa..5b0b64d25 100644 +--- a/testdata/val_ta_algo_dnskey.rpl ++++ b/testdata/val_ta_algo_dnskey.rpl +@@ -9,6 +9,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_ta_algo_dnskey_dp.rpl b/testdata/val_ta_algo_dnskey_dp.rpl +index 2b3609be8..ae0c499ca 100644 +--- a/testdata/val_ta_algo_dnskey_dp.rpl ++++ b/testdata/val_ta_algo_dnskey_dp.rpl +@@ -10,6 +10,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_ta_algo_missing_dp.rpl b/testdata/val_ta_algo_missing_dp.rpl +index dc55a09da..14efdeccb 100644 +--- a/testdata/val_ta_algo_missing_dp.rpl ++++ b/testdata/val_ta_algo_missing_dp.rpl +@@ -11,6 +11,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/val_twocname.rpl b/testdata/val_twocname.rpl +index bc7c3bcb2..b4323644a 100644 +--- a/testdata/val_twocname.rpl ++++ b/testdata/val_twocname.rpl +@@ -5,6 +5,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + rrset-roundrobin: no + + forward-zone: +diff --git a/testdata/val_unalgo_anchor.rpl b/testdata/val_unalgo_anchor.rpl +index fbbf288a5..a93520122 100644 +--- a/testdata/val_unalgo_anchor.rpl ++++ b/testdata/val_unalgo_anchor.rpl +@@ -7,6 +7,7 @@ server: + qname-minimisation: "no" + fake-sha1: yes + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." 
+diff --git a/testdata/val_wild_pos.rpl b/testdata/val_wild_pos.rpl +index 624d8e07b..9fafa6554 100644 +--- a/testdata/val_wild_pos.rpl ++++ b/testdata/val_wild_pos.rpl +@@ -8,6 +8,7 @@ server: + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no ++ iter-scrub-promiscuous: no + + stub-zone: + name: "." +diff --git a/testdata/views.rpl b/testdata/views.rpl +index 6a9052fbe..a6026244b 100644 +--- a/testdata/views.rpl ++++ b/testdata/views.rpl +@@ -3,6 +3,7 @@ server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no ++ iter-scrub-promiscuous: no + + access-control: 10.10.10.0/24 allow + access-control-view: 10.10.10.10/32 "view1" +diff --git a/util/config_file.c b/util/config_file.c +index b1e767b3b..25c2b3e30 100644 +--- a/util/config_file.c ++++ b/util/config_file.c +@@ -421,6 +421,7 @@ config_create(void) + cfg->ipset_name_v4 = NULL; + cfg->ipset_name_v6 = NULL; + #endif ++ cfg->iter_scrub_promiscuous = 1; + return cfg; + error_exit: + config_delete(cfg); +@@ -765,6 +766,7 @@ int config_set_option(struct config_file* cfg, const char* opt, + else if(strcmp(opt, "serve-expired-reply-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->serve_expired_reply_ttl = atoi(val); SERVE_EXPIRED_REPLY_TTL=(time_t)cfg->serve_expired_reply_ttl;} + else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout) ++ else S_YNO("iter-scrub-promiscuous:", iter_scrub_promiscuous) + else S_YNO("serve-original-ttl:", serve_original_ttl) + else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations) + else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode) +@@ -1241,6 +1243,7 @@ config_get_option(struct config_file* cfg, const char* opt, + else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset) + else O_DEC(opt, "serve-expired-reply-ttl", serve_expired_reply_ttl) + else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout) ++ else O_YNO(opt, "iter-scrub-promiscuous", 
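Review bot: The default `cfg->iter_scrub_promiscuous = 1;` added at the tail of config_create carries no comment saying why this knob is enabled by default, and the matching field comment in the util/config_file.h hunk (`/** Should the iterator scrub promiscuous NS rrsets, from positive answers. */`) also omits the default, so the only place the security default is visible is this bare assignment. Suggest `cfg->iter_scrub_promiscuous = 1; /* on by default, CVE-2025-11411 */` here and appending `Default is yes.` to the header comment. The `S_YNO`/`O_YNO` entries in config_set_option and config_get_option follow the neighbouring serve-expired pattern. The iterator code that consumes the flag is not in this view, so its behaviour cannot be checked from here.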
iter_scrub_promiscuous) + else O_YNO(opt, "serve-original-ttl", serve_original_ttl) + else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations) + else O_YNO(opt, "zonemd-permissive-mode", zonemd_permissive_mode) +diff --git a/util/config_file.h b/util/config_file.h +index 44ac036b8..f77538b0d 100644 +--- a/util/config_file.h ++++ b/util/config_file.h +@@ -792,6 +792,9 @@ struct config_file { + char* ipset_name_v4; + char* ipset_name_v6; + #endif ++ /** Should the iterator scrub promiscuous NS rrsets, from positive ++ * answers. */ ++ int iter_scrub_promiscuous; + }; + + /** from cfg username, after daemonize setup performed */ +diff --git a/util/configlexer.lex b/util/configlexer.lex +index bc258673d..0ba8d60c9 100644 +--- a/util/configlexer.lex ++++ b/util/configlexer.lex +@@ -606,6 +606,7 @@ proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) } + edns-client-string{COLON} { YDVAR(2, VAR_EDNS_CLIENT_STRING) } + edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) } + nsid{COLON} { YDVAR(1, VAR_NSID ) } ++iter-scrub-promiscuous{COLON} { YDVAR(1, VAR_ITER_SCRUB_PROMISCUOUS) } + {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } + + /* Quoted strings. 
Strip leading and ending quotes */ +diff --git a/util/configparser.y b/util/configparser.y +index 82e1d8782..bef1fd38d 100644 +--- a/util/configparser.y ++++ b/util/configparser.y +@@ -215,6 +215,7 @@ extern struct config_parser_state* cfg_parser; + %token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING + %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID + %token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE ++%token VAR_ITER_SCRUB_PROMISCUOUS + + %% + toplevelvars: /* empty */ | toplevelvars toplevelvar ; +@@ -356,7 +357,7 @@ content_server: server_num_threads | server_verbosity | server_port | + server_tls_use_sni | server_edns_client_string | + server_edns_client_string_opcode | server_nsid | + server_zonemd_permissive_mode | server_max_reuse_tcp_queries | +- server_tcp_reuse_timeout | server_tcp_auth_query_timeout ++ server_tcp_reuse_timeout | server_tcp_auth_query_timeout | server_iter_scrub_promiscuous + + ; + stubstart: VAR_STUB_ZONE +@@ -4240,6 +4241,16 @@ server_max_global_quota: VAR_MAX_GLOBAL_QUOTA STRING_ARG + } + } + ; ++server_iter_scrub_promiscuous: VAR_ITER_SCRUB_PROMISCUOUS STRING_ARG ++ { ++ OUTYY(("P(server_iter_scrub_promiscuous:%s)\n", $2)); ++ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) ++ yyerror("expected yes or no."); ++ else cfg_parser->cfg->iter_scrub_promiscuous = ++ (strcmp($2, "yes")==0); ++ free($2); ++ } ++ ; + ipsetstart: VAR_IPSET + { + OUTYY(("\nP(ipset:)\n")); diff --git a/unbound.conf b/unbound.conf index 4dd684a..539d9bc 100644 --- a/unbound.conf +++ b/unbound.conf @@ -166,6 +166,10 @@ server: # msec to wait before close of port on timeout UDP. 0 disables. # delay-close: 0 + # Should the scrubber remove promiscuous NS from positive answers, + # protects against poison attempts. + # iter-scrub-promiscuous: yes + # msec before recursion replies are dropped. The work item continues. # discard-timeout: 1900 diff --git a/unbound.spec b/unbound.spec index 7ae1484..0b60369 100644 --- a/unbound.spec 
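Review bot: The comment placed above the commented-out `# iter-scrub-promiscuous: yes` in unbound.conf is a sentence fragment and does not say that yes is the compiled-in default, so an operator reading the shipped file cannot tell whether leaving the line commented keeps the protection on. Suggest `# Remove promiscuous NS records from positive answers; protects against cache poisoning attempts. Default is yes.` The default itself is set to 1 in config_create in the util/config_file.c hunk, so the example value matches the code.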
+++ b/unbound.spec @@ -2,7 +2,7 @@ Name: unbound Version: 1.13.2 -Release: 19 +Release: 20 Summary: Unbound is a validating, recursive, caching DNS resolver License: BSD Url: https://nlnetlabs.nl/projects/unbound/about/ @@ -39,6 +39,7 @@ Patch14: backport-check-before-use-daemon-shm_info.patch Patch15: backport-CVE-2025-5994.patch Patch16: backport-CVE-2025-5994-after-fix-edns-subnet-when-subquery-is-nonsubnet-and-scopezero.patch Patch17: backport-CVE-2025-5994-after-fix-that-edns-subnet-failure-to-create-a-subquery-errors-as-servfail.patch +Patch18: backport-CVE-2025-11411.patch BuildRequires: make flex swig pkgconfig systemd BuildRequires: libevent-devel expat-devel openssl-devel python3-devel @@ -263,6 +264,12 @@ popd %{_mandir}/man* %changelog +* Fri Nov 07 2025 gaihuiying - 1.13.2-20 +- Type:cves +- CVE:CVE-2025-11411 +- SUG:NA +- DESC:fix CVE-2025-11411 + * Tue Aug 19 2025 gaihuiying - 1.13.2-19 - Type:bugfix - CVE:NA -- Gitee