From 1a37f439cee610f41a3f7ea0e9f53f3e4fe3ad7c Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Mon, 4 Dec 2023 09:24:18 +0100
Subject: [PATCH] Add test for RD=0 is disallowed by default and basic RD=1
 processing

---
 .../test_RDFlag.py                            | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 regression-tests.recursor-dnssec/test_RDFlag.py

diff --git a/regression-tests.recursor-dnssec/test_RDFlag.py b/regression-tests.recursor-dnssec/test_RDFlag.py
new file mode 100644
index 0000000000..16f50d2afe
--- /dev/null
+++ b/regression-tests.recursor-dnssec/test_RDFlag.py
@@ -0,0 +1,53 @@
+import dns
+import os
+from recursortests import RecursorTest
+
+class testRDNotAllowed(RecursorTest):
+    _confdir = 'RDFlagNotAllowed'
+
+    _config_template = """
+"""
+    def testRD0(self):
+        query = dns.message.make_query('ns.secure.example', 'A', want_dnssec=True)
+        query.flags |= dns.flags.AD
+        query.flags &= ~dns.flags.RD
+
+        res = self.sendUDPQuery(query)
+
+        self.assertRcodeEqual(res, dns.rcode.REFUSED)
+        self.assertAnswerEmpty(res)
+
+class testRDAllowed(RecursorTest):
+    _confdir = 'RDFlagAllowed'
+
+    _config_template = """
+    disable-packetcache=yes
+    allow-no-rd=yes
+"""
+    def testRD0(self):
+        expected = dns.rrset.from_text('ns.secure.example.', 0, dns.rdataclass.IN, 'A', '{prefix}.9'.format(prefix=self._PREFIX))
+        query = dns.message.make_query('ns.secure.example', 'A', want_dnssec=True)
+        query.flags |= dns.flags.AD
+        query.flags &= ~dns.flags.RD
+
+        # First time empty answer
+        res = self.sendUDPQuery(query)
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertAnswerEmpty(res)
+
+        # Second time with RD=1 fills the record cache
+        query.flags |= dns.flags.RD
+
+        res = self.sendUDPQuery(query)
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageIsAuthenticated(res)
+        self.assertRRsetInAnswer(res, expected)
+        self.assertMatchingRRSIGInAnswer(res, expected)
+
+        # Third time with RD=0 retrieves record cache content
+        query.flags &= ~dns.flags.RD
+
+        res = self.sendUDPQuery(query)
+        self.assertMessageIsAuthenticated(res)
+        self.assertRRsetInAnswer(res, expected)
+        self.assertMatchingRRSIGInAnswer(res, expected)
-- 
2.47.2