From: Mark Andrews Date: Wed, 1 Dec 2021 06:03:13 +0000 (+1100) Subject: Check SOA without DNSKEY behaviour X-Git-Tag: v9.17.21~5^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8878adcd6124f6e3629332d31937a28caf0d28ea;p=thirdparty%2Fbind9.git Check SOA without DNSKEY behaviour
---
diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh
index 12e5ca13882..e4a0ad86ebc 100644
--- a/bin/tests/system/synthfromdnssec/clean.sh
+++ b/bin/tests/system/synthfromdnssec/clean.sh
@@ -30,6 +30,8 @@ rm -f ./ns1/minimal.db
 rm -f ./ns1/minimal.db.signed
 rm -f ./ns1/root.db
 rm -f ./ns1/root.db.signed
+rm -f ./ns1/soa-without-dnskey.db
+rm -f ./ns1/soa-without-dnskey.db.signed
 rm -f ./ns1/trusted.conf
 rm -f ./ns2/named_dump.db
 rm -f ./ns*/managed-keys.bind*
diff --git a/bin/tests/system/synthfromdnssec/ns1/named.conf.in b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
index 7f157df3ff5..136a98bf6eb 100644
--- a/bin/tests/system/synthfromdnssec/ns1/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
@@ -62,4 +62,9 @@ zone "minimal" {
 file "minimal.db.signed";
 };
+zone "soa-without-dnskey" {
+ type primary;
+ file "soa-without-dnskey.db.signed";
+};
+
 include "trusted.conf";
diff --git a/bin/tests/system/synthfromdnssec/ns1/root.db.in b/bin/tests/system/synthfromdnssec/ns1/root.db.in
index 3ef5f9702d6..9c63514846b 100644
--- a/bin/tests/system/synthfromdnssec/ns1/root.db.in
+++ b/bin/tests/system/synthfromdnssec/ns1/root.db.in
@@ -17,3 +17,5 @@ dnamed NS ns1.dnamed
 ns1.dnamed A 10.53.0.1
 minimal NS ns1.minimal
 ns1.minimal A 10.53.0.1
+soa-without-dnskey NS ns1.soa-without-dnskey
+ns1.soa-without-dnskey A 10.53.0.1
diff --git a/bin/tests/system/synthfromdnssec/ns1/sign.sh b/bin/tests/system/synthfromdnssec/ns1/sign.sh
index ee517b0a099..572dadaa661 100644
--- a/bin/tests/system/synthfromdnssec/ns1/sign.sh
+++ b/bin/tests/system/synthfromdnssec/ns1/sign.sh
@@ -51,6 +51,16 @@ cat "$infile" "$keyname.key" > "$zonefile"
 # do not regenerate NSEC chain as there in a minimal NSEC record present
 $SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null
+zone=soa-without-dnskey
+infile=soa-without-dnskey.db.in
+zonefile=soa-without-dnskey.db
+
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+# do not regenerate NSEC chain as there in a minimal NSEC record present
+$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null
+
 zone=.
 infile=root.db.in
 zonefile=root.db
diff --git a/bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in b/bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in
new file mode 100644
index 00000000000..6e51db2fe4f
--- /dev/null
+++ b/bin/tests/system/synthfromdnssec/ns1/soa-without-dnskey.db.in
@@ -0,0 +1,12 @@
+$TTL 3600
+soa-without-dnskey. 3600 SOA ns1.soa-without-dnskey. hostmaster.soa-without-dnskey. (
+ 1 ; serial
+ 3600 ; refresh (1 hour)
+ 1200 ; retry (20 minutes)
+ 604800 ; expire (1 week)
+ 3600 ; minimum (1 hour)
+ )
+ 3600 NS ns1.soa-without-dnskey.
+ 3600 NSEC ns1.soa-without-dnskey. NS SOA RRSIG NSEC
+ns1.soa-without-dnskey. 3600 A 10.53.0.1
+ 3600 NSEC soa-without-dnskey. A RRSIG NSEC
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
index 7bceeaf6c20..614a1145ccd 100644
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
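Review bot: In the sign.sh hunk the new soa-without-dnskey block copies the comment `# do not regenerate NSEC chain as there in a minimal NSEC record present` verbatim, typo included ("there in a"), and it describes the minimal zone rather than this one. Something like `# do not regenerate the NSEC chain: the hand-written NSEC records from the .db.in file must survive signing` would say why `-Z nonsecify` is needed here. The `$KEYGEN` and `$SIGNER` lines also leave `$zone` and `$zonefile` unquoted while the `cat` line quotes its operands; `$SIGNER -P -Z nonsecify -o "$zone" "$zonefile" > /dev/null` would be consistent. Whether the script aborts when `$KEYGEN` fails is not visible in the hunk; if it does not, `cat` would be handed `".key"` and the fixture would be built without a key.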
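Review bot: The apex NSEC in soa-without-dnskey.db.in carries the type map `NS SOA RRSIG NSEC` even though sign.sh appends a DNSKEY to this zone, and nothing in the file marks that omission as intentional. Judging by the commit title the missing DNSKEY bit is the whole point of the fixture, so a comment above that record, for example `; type map deliberately omits DNSKEY: exercises the SOA-without-DNSKEY check`, would keep a later maintainer from "correcting" the bitmap and quietly neutralising the test.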
@@ -302,6 +302,18 @@ do
 n=$((n+1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+
+ echo_i "prime SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts soa-without-dnskey. @10.53.0.${ns} TXT > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
+ grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
 done
 echo_i "prime redirect response (+nodnssec) (synth-from-dnssec ;) ($n)"
@@ -616,6 +628,17 @@ do
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
+ echo_i "check SOA without DNSKEY bad type map NODATA response (synth-from-dnssec ${description};) ($n)"
+ ret=0
+ dig_with_opts soa-without-dnskey. @10.53.0.${ns} A > dig.out.ns${ns}.test$n || ret=1
+ check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+ check_status NOERROR dig.out.ns${ns}.test$n || ret=1
+ check_nosynth_soa soa-without-dnskey. dig.out.ns${ns}.test$n || ret=1
+ grep 'soa-without-dnskey.*3600.IN.NSEC.ns1.soa-without-dnskey. NS SOA RRSIG NSEC$' dig.out.ns${ns}.test$n > /dev/null || ret=1
+ n=$((n+1))
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status+ret))
+
 echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)"
 ret=0
 ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i
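Review bot: Neither new test block in tests.sh states what outcome it guards. The TXT "prime" query in the first hunk and the A "check" query in the second run identical assertions, so a reader cannot tell that the second answer is the one that must not be built from the NSEC cached by the first. A comment ahead of each block would help, e.g. `# apex NSEC has SOA but no DNSKEY in its type map; the NODATA answer must not be synthesized from it`, assuming that is what `check_nosynth_soa` (defined outside both hunks) verifies. The grep pattern is also unanchored and uses a bare `.` for separators and literal dots alike; `grep '^soa-without-dnskey\..*3600.IN.NSEC.ns1\.soa-without-dnskey\. NS SOA RRSIG NSEC$'` is stricter. Both enclosing loops begin and end outside the hunks.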