add a test for handling illegal NS below DNAME

an assertion could be triggered in the QPDB cache if an NS
was encountered that pointed to a name below a DNAME.

diff --git a/bin/tests/system/chain/ans3/ans.pl b/bin/tests/system/chain/ans3/ans.pl
index e42240be63a99980b9fbb0eab4a9dc0d835f0bff..434eaa98097e09208a049be645868da1850fb2d9 100644 (file)
--- a/bin/tests/system/chain/ans3/ans.pl
+++ b/bin/tests/system/chain/ans3/ans.pl
@@ -51,22 +51,22 @@ sub reply_handler {
     STDOUT->flush();
 
     if ($qname eq "example.broken") {
-        if ($qtype eq "SOA") {
+       if ($qtype eq "SOA") {
            my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 0 0 0 0 0");
            push @ans, $rr;
-        } elsif ($qtype eq "NS") {
+       } elsif ($qtype eq "NS") {
            my $rr = new Net::DNS::RR("$qname $ttl $qclass NS $nsname");
            push @ans, $rr;
            $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr");
            push @add, $rr;
-        }
-        $rcode = "NOERROR";
+       }
+       $rcode = "NOERROR";
     } elsif ($qname eq "cname-to-$synth2") {
-        my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2");
+       my $rr = new Net::DNS::RR("$qname $ttl $qclass CNAME name.$synth2");
        push @ans, $rr;
-        $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name");
+       $rr = new Net::DNS::RR("name.$synth2 $ttl $qclass CNAME name");
        push @ans, $rr;
-        $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
+       $rr = new Net::DNS::RR("$synth2 $ttl $qclass DNAME .");
        push @ans, $rr;
        $rcode = "NOERROR";
     } elsif ($qname eq "$synth" || $qname eq "$synth2") {
@@ -115,6 +115,30 @@ sub reply_handler {
                push @ans, $rr;
        }
        $rcode = "NOERROR";
+    # The next few branches produce a zone with an illegal NS below a DNAME.
+    } elsif ($qname eq "jeff.dname") {
+       if ($qtype eq "SOA") {
+           my $rr = new Net::DNS::RR("$qname $ttl $qclass SOA . . 0 0 0 0 0");
+           push @ans, $rr;
+       } elsif ($qtype eq "NS") {
+           my $rr = new Net::DNS::RR("$qname $ttl $qclass NS ns.jeff.dname.");
+           push @ans, $rr;
+           $rr = new Net::DNS::RR("$nsname $ttl $qclass A $localaddr");
+           push @add, $rr;
+       } elsif ($qtype eq "DNAME") {
+           my $rr = new Net::DNS::RR("$qname $ttl $qclass DNAME mutt.example.");
+           push @ans, $rr;
+       }
+       $rcode = "NOERROR";
+    } elsif ($qname eq "ns.jeff.dname") {
+       if ($qtype eq "A") {
+               my $rr = new Net::DNS::RR("$qname $ttl $qclass A 10.53.0.3");
+               push @ans, $rr;
+       } elsif ($qtype eq "AAAA") {
+               my $rr = new Net::DNS::RR("jeff.dname. $ttl $qclass SOA . . 0 0 0 0 $ttl");
+               push @auth, $rr;
+       }
+       $rcode = "NOERROR";
     } else {
        $rcode = "REFUSED";
     }

diff --git a/bin/tests/system/chain/ns1/root.db b/bin/tests/system/chain/ns1/root.db
index 3469fb526b6a194a677ef3e58bcd5b65c9b4049d..1c99ba865ce3c2fb642847db09f3003b24f6fc09 100644 (file)
--- a/bin/tests/system/chain/ns1/root.db
+++ b/bin/tests/system/chain/ns1/root.db
@@ -30,6 +30,10 @@ ns3.example.broken.  A       10.53.0.3
 example.dname.         NS      ns3.example.dname.
 ns3.example.dname.     A       10.53.0.3
 
+; regression test for illegal NS below DNAME
+jeff.dname.            NS      ns.jeff.dname.
+ns.jeff.dname.         A       10.53.0.3
+
 domain0.nil.           NS      ns2.domain0.nil
 domain1.nil.           NS      ns2.domain0.nil
 domain2.nil.           NS      ns2.domain0.nil

diff --git a/bin/tests/system/chain/ns2/example.db b/bin/tests/system/chain/ns2/example.db
index c13f2d22d47d561fc8ce9d89cea446204d4ad58c..a5a4811b1a788c95d47807d21a653c2418c42fbd 100644 (file)
--- a/bin/tests/system/chain/ns2/example.db
+++ b/bin/tests/system/chain/ns2/example.db
@@ -48,6 +48,9 @@ signed-sub2           NS      ns2.sub2
 signed-sub2            DS      44137 8 2 1CB4F54E0B4F4F85109143113A3C679716A2377D86EB0907846A03FB 0C0A3927
 d                      CNAME   d.signed-sub2
 
+mutt                    NS      ns5.mutt
+ns5.mutt                A       10.53.0.5
+
 ; long CNAME loop
 loop                   CNAME   goop
 goop                   CNAME   boop

diff --git a/bin/tests/system/chain/ns5/named.conf.in b/bin/tests/system/chain/ns5/named.conf.in
index ba8cc6f0010ef6408b22f70dd8a7e0e3d865960e..00f0de5857ceea053fbbdfba59507a76f313856d 100644 (file)
--- a/bin/tests/system/chain/ns5/named.conf.in
+++ b/bin/tests/system/chain/ns5/named.conf.in
@@ -40,3 +40,8 @@ zone "signed-sub5.example" {
        type primary;
        file "sub.db";
 };
+
+zone "mutt.example" {
+       type primary;
+       file "mutt.db";
+};

diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh
index 4957fe769b82d9f4d71dc780d2a52371dc3097eb..dc49ff5141b845cd6606eaa9c19c6e8ac99d4abd 100644 (file)
--- a/bin/tests/system/chain/tests.sh
+++ b/bin/tests/system/chain/tests.sh
@@ -626,5 +626,16 @@ grep 'status: NOERROR' dig.out.7.$n >/dev/null 2>&1 || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+# Regression test for GL #4652
+n=$((n + 1))
+echo_i "checking handling of illegal NS below DNAME ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.7 DNAME jeff.dname. >dig.out.ns7.1.$n 2>&1
+grep 'status: NOERROR' dig.out.ns7.1.$n >/dev/null 2>&1 || ret=1
+$DIG $DIGOPTS @10.53.0.7 NS jeff.dname. >dig.out.ns7.2.$n 2>&1
+grep 'status: SERVFAIL' dig.out.ns7.2.$n >/dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1