From: Ondřej Surý
Date: Thu, 21 Aug 2025 07:47:32 +0000 (+0200)
Subject: Add a test for non-existence of RRSIG in the unsigned zone
X-Git-Tag: v9.21.12~26^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bdd59dace805a81facc71365212601e01cc6a546;p=thirdparty%2Fbind9.git
Add a test for non-existence of RRSIG in the unsigned zone
This tests that the result is NOERROR and a single SOA record is returned.
---
diff --git a/bin/tests/system/dnssec/tests_validation.py b/bin/tests/system/dnssec/tests_validation.py
index 36c743f6a04..88b0a920f11 100644
--- a/bin/tests/system/dnssec/tests_validation.py
+++ b/bin/tests/system/dnssec/tests_validation.py
@@ -82,6 +82,20 @@ def test_load_transfer(qname, qtype):
 isctest.check.noerror(res1)
+def test_insecure_rrsig():
+ # check that for a rrsig query against a validating resolver where the
+ # authoritative zone is unsigned (insecure delegation), noerror is
+ # returned.
+ msg = isctest.query.create("a.insecure.example", "RRSIG")
+ res = isctest.query.tcp(msg, "10.53.0.4")
+ isctest.check.noerror(res)
+ isctest.check.rr_count_eq(res.answer, 0)
+ isctest.check.rr_count_eq(res.authority, 1)
+ isctest.check.rr_count_eq(res.additional, 0)
+ assert str(res.authority[0].name) == "insecure.example."
+ assert res.authority[0].rdtype == rdatatype.SOA
+
+
 def test_insecure_glue():
 # check that for a query against a validating resolver where the
 # authoritative zone is unsigned (insecure delegation), glue is returned
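Review bot: `test_insecure_rrsig` asserts the rcode and the section counts but never checks that the AD bit is clear, which is the security-relevant property of an answer from an insecure delegation: a validating resolver must not present this NODATA response as authenticated. Consider adding `isctest.check.noadflag(res)` right after `isctest.check.noerror(res)`, if that helper exists in `isctest.check`. The leading comment could also state what is actually asserted, for example `# ... NOERROR with an empty answer and only the zone's SOA in the authority section is returned.` The `rdatatype` name used in the last assert is presumably imported at the top of the file, which is outside this hunk.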