From: Pieter Lexis
Date: Thu, 28 Apr 2016 15:40:11 +0000 (+0200)
Subject: Add DNSSEC tests for cnames to/from (in)secure
X-Git-Tag: rec-4.0.0-alpha3~31^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F3792%2Fhead;p=thirdparty%2Fpdns.git
Add DNSSEC tests for cnames to/from (in)secure
---
diff --git a/regression-tests.recursor-dnssec/basicDNSSEC.py b/regression-tests.recursor-dnssec/basicDNSSEC.py
index 36f858ba6d..b8990ad85e 100644
--- a/regression-tests.recursor-dnssec/basicDNSSEC.py
+++ b/regression-tests.recursor-dnssec/basicDNSSEC.py
@@ -133,3 +133,24 @@ class BasicDNSSEC(RecursorTest):
 self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
 self.assertAuthorityHasSOA(res)
 self.assertMessageIsAuthenticated(res)
+
+ def testInsecureToSecureCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-secure.insecure.example.', 'A')
+ expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
+ expectedCNAME = dns.rrset.from_text('cname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedCNAME)
+ self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+ def testSecureToInsecureCNAMEAnswer(self):
+ res = self.sendQuery('cname-to-insecure.secure.example.', 'A')
+ expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+ expectedCNAME = dns.rrset.from_text('cname-to-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.secure.example.')
+
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+ self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+ self.assertRRsetInAnswer(res, expectedA)
+ self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
+
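Review bot: In testSecureToInsecureCNAMEAnswer, expectedCNAME is built with the target `'node1.secure.example.'`, while the zone data this commit adds in recursortests.py has `cname-to-insecure.secure.example.` pointing at `node1.insecure.example.` (the name expectedA also uses); the rdata should read `'node1.insecure.example.'`. The mismatch may go unnoticed because expectedCNAME is only passed to assertMatchingRRSIGInAnswer, which presumably matches on owner name and type rather than rdata (its body is not in this diff). Neither new test states what it expects of the AD bit: a CNAME chain with one link in an insecure zone must not be reported as authenticated, so unless assertMessageHasFlags rejects flags that are not listed, an explicit check that AD is clear would pin the security property the tests are named for. A one-line docstring on each test saying which link of the chain is signed would also help the next reader.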
diff --git a/regression-tests.recursor-dnssec/recursortests.py b/regression-tests.recursor-dnssec/recursortests.py index dd61f7a525..16520eae2e 100644 --- a/regression-tests.recursor-dnssec/recursortests.py +++ b/regression-tests.recursor-dnssec/recursortests.py @@ -97,6 +97,7 @@ ns.secure.example. 3600 IN A {prefix}.9 host1.secure.example. 3600 IN A 192.0.2.2 cname.secure.example. 3600 IN CNAME host1.secure.example. +cname-to-insecure.secure.example. 3600 IN CNAME node1.insecure.example. host1.sub.secure.example. 3600 IN A 192.0.2.11 @@ -119,6 +120,8 @@ insecure.example. 3600 IN NS ns1.insecure.example. ns1.insecure.example. 3600 IN A {prefix}.13 node1.insecure.example. 3600 IN A 192.0.2.6 + +cname-to-secure.insecure.example. 3600 IN CNAME host1.secure.example. """, 'optout.example': """ optout.example. 3600 IN SOA {soa} @@ -610,7 +613,7 @@ distributor-threads=1""".format(confdir=confdir, found = True if not found: - raise AssertionError("RRset not found in answer") + raise AssertionError("RRset not found in answer\n\n%s" % ret) def assertMatchingRRSIGInAnswer(self, msg, coveredRRset, keys=None): """Looks for coveredRRset in the answer section and if there is an RRSIG RRset
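Review bot: The new failure message in the last hunk interpolates `ret`, which is not assigned anywhere in the visible lines; the enclosing function starts outside the hunk. If `ret` is only bound inside the loop over the answer section, a response with an empty answer section would raise NameError instead of the intended AssertionError, hiding the real failure. Initialising it before the loop (for example `ret = ''`) and appending each RRset's text to it would keep the diagnostic and make the empty-answer case fail cleanly.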