add a regression test for a new ENT node

this test adds a record with empty non-terminal nodes above it. this
has also been observed to trigger the crash in NSEC3 zones.

NOTE: the test currently fails, because while there is no crash, the
query results are not as expected.  when we add a node below an ENT,
receive_secure_serial() gets DNS_R_PARTIALMATCH, and the signed
zone is never updated. this is not a regression from fixing the
crash bug; it's a separate inline-signing bug.

diff --git a/bin/tests/system/nsec3/ns3/named2-fips.conf.in b/bin/tests/system/nsec3/ns3/named2-fips.conf.in
index 6c7499d01f2726f6df10e1677a0e1593645d4f32..2c9a2b7e201dd39ece4287e1a20cafa5b4fc3635 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named2-fips.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2-fips.conf.in
@@ -147,7 +147,7 @@ zone "nsec3-inline-to-dynamic.kasp" {
 };
 
 /*
- * This zone will have a node deleted.
+ * This zone will have an empty nonterminal node added and a node deleted.
  */
 zone "nsec3-ent.kasp" {
        type primary;

diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index 37a9faa849c469030cd7ccbf6c6b2d81e350486b..757d181203b01e1ca5f4874039b297e79c81ee74 100644 (file)
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -586,19 +586,37 @@ check_nsec3
 
 # Zone: nsec3-ent.kasp (regression test for #5108)
 n=$((n + 1))
-echo_i "check queries for newly empty names do not crash ($n)"
+echo_i "check query for newly empty name does not crash ($n)"
 set_zone_policy "nsec3-ent.kasp"
 set_server "ns3" "10.53.0.3"
 # confirm the pre-existing name still exists
 dig_with_opts +noquestion "@${SERVER}" c.$ZONE >"dig.out.$ZONE.test$n.1" || ret=1
 grep "c\.nsec3-ent\.kasp\..*IN.*A.*10\.0\.0\.3" "dig.out.$ZONE.test$n.1" >/dev/null || ret=1
-# remove a name, bump the SOA, reload, and try the query again
+# remove a name, bump the SOA, and reload
 sed -e 's/1 *; serial/2/' -e '/^c/d' ns3/template.db.in >ns3/nsec3-ent.kasp.db
 rndc_reload ns3 10.53.0.3
+# try the query again
 dig_with_opts +noquestion "@${SERVER}" c.$ZONE >"dig.out.$ZONE.test$n.2" || ret=1
 grep "status: NXDOMAIN" "dig.out.$ZONE.test$n.2" >/dev/null || ret=1
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+n=$((n + 1))
+echo_i "check queries for new names below ENT do not crash ($n)"
+set_zone_policy "nsec3-ent.kasp"
+set_server "ns3" "10.53.0.3"
+# confirm the ENT name does not exist yet
+dig_with_opts +noquestion "@${SERVER}" x.y.z.$ZONE >"dig.out.$ZONE.test$n.1" || ret=1
+grep "status: NXDOMAIN" "dig.out.$ZONE.test$n.1" >/dev/null || ret=1
+# add a name with an ENT, bump the SOA, and reload
+sed -e 's/1 *; serial/3/' ns3/template.db.in >ns3/nsec3-ent.kasp.db
+echo "x.y.z A 10.0.0.4" >>ns3/nsec3-ent.kasp.db
+rndc_reload ns3 10.53.0.3
+# try the query again
+dig_with_opts +noquestion "@${SERVER}" x.y.z.$ZONE >"dig.out.$ZONE.test$n.2" || ret=1
+grep "x\.y\.z\.nsec3-ent\.kasp\..*IN.*A.*10\.0\.0\.4" "dig.out.$ZONE.test$n.2" >/dev/null || ret=1
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1