From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 1 Sep 2016 09:23:35 +0000 (+0200)
Subject: Add test for NTA at level of TA
X-Git-Tag: dnsdist-1.1.0-beta2~158^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F4391%2Fhead;p=thirdparty%2Fpdns.git

Add test for NTA at level of TA
---

diff --git a/regression-tests.recursor-dnssec/test_NTA.py b/regression-tests.recursor-dnssec/test_NTA.py
index 7f58c5b645..b21d7f6b6b 100644
--- a/regression-tests.recursor-dnssec/test_NTA.py
+++ b/regression-tests.recursor-dnssec/test_NTA.py
@@ -5,7 +5,9 @@ class testSimple(RecursorTest):
     _confdir = 'NTA'
 
     _config_template = """dnssec=validate"""
-    _lua_config_file = """addNTA("bogus.example")"""
+    _lua_config_file = """addNTA("bogus.example")
+addNTA('secure.optout.example', 'Should be Insecure, even with DS configured')
+addDS('secure.optout.example', '64215 13 1 b88284d7a8d8605c398e8942262f97b9a5a31787')"""
 
     def testDirectNTA(self):
         """Ensure a direct query to a bogus name with an NTA is Insecure"""
@@ -29,3 +31,14 @@ class testSimple(RecursorTest):
 
         self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
         self.assertRcodeEqual(res, dns.rcode.NOERROR)
+
+    def testSecureWithNTAandDS(self):
+        """#4391: when there is a TA *and* NTA configured for a name, the result must be insecure"""
+        msg = dns.message.make_query("node1.secure.optout.example.", dns.rdatatype.A)
+        msg.flags = dns.flags.from_text('AD RD')
+        msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
+
+        res = self.sendUDPQuery(msg)
+
+        self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)