Check Cloudflare "black lies" response
authorMark Andrews <marka@isc.org>
Tue, 19 Oct 2021 06:59:45 +0000 (17:59 +1100)
committerPetr Špaček <pspacek@isc.org>
Thu, 2 Dec 2021 13:18:41 +0000 (14:18 +0100)
"black lies" with a different QTYPE should synthesize NODATA responses.

bin/tests/system/synthfromdnssec/clean.sh
bin/tests/system/synthfromdnssec/ns1/minimal.db.in
bin/tests/system/synthfromdnssec/tests.sh

index 6c9647f9f6bf380ebdde99ee44af781a368c487f..872d02bc95c98a5e9ba04888833b1a6954d695fc 100644 (file)
@@ -37,3 +37,4 @@ rm -f ./nxdomain.out ./insecure.nxdomain.out
 rm -f ./wild.out ./insecure.wild.out
 rm -f ./wildcname.out ./insecure.wildcname.out
 rm -f ./minimal.nxdomain.out
+rm -f ./black.out
index 1755c4035b7c4f6a7a40e160e68464fee1920448..6dd356a3cfb0abb2f9b2bbee7f9faa1a74e48a18 100644 (file)
@@ -7,7 +7,10 @@ minimal.               3600    SOA     ns1.minimal. hostmaster.minimal. (
                                        3600       ; minimum (1 hour)
                                        )
                        3600    NS      ns1.minimal.
-                       3600    NSEC    dnamed.minimal. NS SOA RRSIG NSEC DNSKEY
+                       3600    NSEC    black.minimal. NS SOA RRSIG NSEC DNSKEY
+; cloudflare black lie
+black.minimal.         3600    NSEC    \000.black.minimal. RRSIG NSEC
+;
 dnamed.minimal.                3600    DNAME   dnamed.
                        3600    NSEC    insecure.minimal. DNAME RRSIG NSEC
 insecure.minimal.      3600    NS      ns1.insecure.minimal.
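Review bot: The one-word comment `; cloudflare black lie` above the new NSEC record does not explain why the chain is shaped the way it is, which is the whole point of the fixture. The apex NSEC now points at black.minimal., black.minimal.'s NSEC names \000.black.minimal. as its next owner with a type bitmap of only RRSIG NSEC, and no NSEC owned by \000.black.minimal. appears in this hunk, so the chain deliberately has a gap before dnamed.minimal. I would widen the comment to `; cloudflare "black lie": minimally covering NSEC that only denies other types at black.minimal. itself (next owner \000.black.minimal. has no NSEC); the gap to dnamed.minimal. is intentional` so the next person editing the zone does not "repair" it.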
index 72981635e7495c62f1ae9f6dff61617622e48b62..badeeb14bb0a206dd213ae029b61da21f7011dd2 100644 (file)
@@ -185,6 +185,18 @@ do
     n=$((n+1))
     if [ $ret != 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
+
+    echo_i "prime black lie NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts black.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+    grep 'black.minimal.*3600.IN.NSEC.\\000.black.minimal. RRSIG NSEC' dig.out.ns${ns}.test$n > /dev/null || ret=1
+    [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
 done
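Review bot: The `[ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n black.out` line drops any cp failure, because the `&&` chain's status is not folded into `ret`, while the later loop unconditionally runs `digcomp black.out …` against that file. A missing or truncated black.out would then surface only as an unexplained digcomp failure in the second loop rather than at the step that produced it. I would write it as `if [ $ns -eq 2 ]; then cp dig.out.ns${ns}.test$n black.out || ret=1; fi`. The enclosing do/done loop begins outside the hunk.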
 
 echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
@@ -353,6 +365,25 @@ do
     n=$((n+1))
     if [ $ret != 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
+
+    echo_i "check back lie NODATA response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts black.minimal. @10.53.0.${ns} aaaa > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+    check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+    if [ ${synth} = yes ]
+    then
+       check_synth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+       nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null && ret=1
+    else
+       check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+       nextpart ns1/named.run | grep black.minimal/AAAA > /dev/null || ret=1
+    fi
+    digcomp black.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
 done
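Review bot: The log message at the top of the new block reads `check back lie NODATA response`, while its priming counterpart in the earlier hunk says `prime black lie NODATA response`; the word is "black", and the mismatch makes grepping the test log for the pair harder. Change it to `echo_i "check black lie NODATA response (synth-from-dnssec ${description};) ($n)"`. The enclosing do/done loop begins outside the hunk.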
 
 echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"