From 6552b37ba78bdc9281c198353ccea0e96b9cd578 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 28 Apr 2016 17:40:11 +0200
Subject: [PATCH] Add DNSSEC tests for cnames to/from (in)secure

---
 .../basicDNSSEC.py                            | 21 +++++++++++++++++++
 .../recursortests.py                          |  5 ++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/regression-tests.recursor-dnssec/basicDNSSEC.py b/regression-tests.recursor-dnssec/basicDNSSEC.py
index 36f858ba6d..b8990ad85e 100644
--- a/regression-tests.recursor-dnssec/basicDNSSEC.py
+++ b/regression-tests.recursor-dnssec/basicDNSSEC.py
@@ -133,3 +133,24 @@ class BasicDNSSEC(RecursorTest):
         self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
         self.assertAuthorityHasSOA(res)
         self.assertMessageIsAuthenticated(res)
+
+    def testInsecureToSecureCNAMEAnswer(self):
+        res = self.sendQuery('cname-to-secure.insecure.example.', 'A')
+        expectedA = dns.rrset.from_text('host1.secure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.2')
+        expectedCNAME = dns.rrset.from_text('cname-to-secure.insecure.example.', 0, dns.rdataclass.IN, 'CNAME', 'host1.secure.example.')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedCNAME)
+        self.assertMatchingRRSIGInAnswer(res, expectedA)
+
+    def testSecureToInsecureCNAMEAnswer(self):
+        res = self.sendQuery('cname-to-insecure.secure.example.', 'A')
+        expectedA = dns.rrset.from_text('node1.insecure.example.', 0, dns.rdataclass.IN, 'A', '192.0.2.6')
+        expectedCNAME = dns.rrset.from_text('cname-to-insecure.secure.example.', 0, dns.rdataclass.IN, 'CNAME', 'node1.secure.example.')
+
+        self.assertRcodeEqual(res, dns.rcode.NOERROR)
+        self.assertMessageHasFlags(res, ['QR', 'RD', 'RA'], ['DO'])
+        self.assertRRsetInAnswer(res, expectedA)
+        self.assertMatchingRRSIGInAnswer(res, expectedCNAME)
+
diff --git a/regression-tests.recursor-dnssec/recursortests.py b/regression-tests.recursor-dnssec/recursortests.py
index dd61f7a525..16520eae2e 100644
--- a/regression-tests.recursor-dnssec/recursortests.py
+++ b/regression-tests.recursor-dnssec/recursortests.py
@@ -97,6 +97,7 @@ ns.secure.example.       3600 IN A    {prefix}.9
 
 host1.secure.example.    3600 IN A    192.0.2.2
 cname.secure.example.    3600 IN CNAME host1.secure.example.
+cname-to-insecure.secure.example. 3600 IN CNAME node1.insecure.example.
 
 host1.sub.secure.example. 3600 IN A    192.0.2.11
 
@@ -119,6 +120,8 @@ insecure.example.        3600 IN NS   ns1.insecure.example.
 ns1.insecure.example.    3600 IN A    {prefix}.13
 
 node1.insecure.example.  3600 IN A    192.0.2.6
+
+cname-to-secure.insecure.example. 3600 IN CNAME host1.secure.example.
         """,
         'optout.example': """
 optout.example.        3600 IN SOA  {soa}
@@ -610,7 +613,7 @@ distributor-threads=1""".format(confdir=confdir,
                 found = True
 
         if not found:
-            raise AssertionError("RRset not found in answer")
+            raise AssertionError("RRset not found in answer\n\n%s" % ret)
 
     def assertMatchingRRSIGInAnswer(self, msg, coveredRRset, keys=None):
         """Looks for coveredRRset in the answer section and if there is an RRSIG RRset
-- 
2.47.2