From a970f30027d7116968b462003a40c0bb97b6480f Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Wed, 24 Jun 2015 10:10:54 +0200
Subject: [PATCH] Add regression test for #2600
---
.../answer-in-local-auth/command | 1 +
.../answer-in-local-auth/description | 17 +++++++
.../answer-in-local-auth/expected_result | 5 ++
regression-tests.recursor/config.sh | 49 +++++++++++++++++--
4 files changed, 69 insertions(+), 3 deletions(-)
create mode 100755 regression-tests.recursor/answer-in-local-auth/command
create mode 100644 regression-tests.recursor/answer-in-local-auth/description
create mode 100644 regression-tests.recursor/answer-in-local-auth/expected_result
diff --git a/regression-tests.recursor/answer-in-local-auth/command b/regression-tests.recursor/answer-in-local-auth/command
new file mode 100755
index 0000000000..329992db1e
--- /dev/null
+++ b/regression-tests.recursor/answer-in-local-auth/command
@@ -0,0 +1 @@
+cleandig service.box.answer-cname-in-local.example.net. A | sed 's/\(.*\tIN\t[A-Z0-9]\+\t\)\([0-9]\+\)/\13600/'
diff --git a/regression-tests.recursor/answer-in-local-auth/description b/regression-tests.recursor/answer-in-local-auth/description
new file mode 100644
index 0000000000..088c7e0ec1
--- /dev/null
+++ b/regression-tests.recursor/answer-in-local-auth/description
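Review bot: The `sed` expression in `answer-in-local-auth/command` uses `\t` and `\+` inside a basic regular expression, and both are GNU sed extensions rather than POSIX. On a sed that lacks them the substitution would presumably not match, so the TTLs would pass through unnormalised and the output would differ from `expected_result` for a reason unrelated to issue #2600. Because this test guards the recursor against accepting an upstream CNAME target for a name inside a locally authoritative zone, a platform-dependent failure makes it more likely the test gets skipped or ignored. If the suite is expected to run on non-GNU userlands, rewrite the TTL with a tool that splits on whitespace fields; otherwise add a line to `description` such as `Requires GNU sed (\t and \+ in the TTL normalisation).`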
@@ -0,0 +1,17 @@
+This test will test the fix made for issue #2600. When we receive a CNAME chain
+in the ANSWER-section from an authoritative server, we should discard any record
+in a zone that we (as a recursor) are authoritative for (by e.g. using auth-zones)
+
+The issue here was that an auth returns the following CNAME chain (where the
+auth server is indeed authoritative for all these zones):
+service.box.answer-cname-in-local.example.net -->
+ pfs.global.box.answer-cname-in-local.example.net -->
+ vip-metropole.pfsbox.answer-cname-in-local.example.net
+
+However, the resolver has the zone 'global.box.answer-cname-in-local.example.net'
+loaded whereby the CNAME chain becomes:
+service.box.answer-cname-in-local.example.net -->
+ pfs.global.box.answer-cname-in-local.example.net -->
+ vip-reunion.pfsbox.answer-cname-in-local.example.net
+
+Hence, it should reject the last CNAME sent from the authoritative server.
diff --git a/regression-tests.recursor/answer-in-local-auth/expected_result b/regression-tests.recursor/answer-in-local-auth/expected_result
new file mode 100644
index 0000000000..e423919cea
--- /dev/null
+++ b/regression-tests.recursor/answer-in-local-auth/expected_result
@@ -0,0 +1,5 @@
+0 pfs.global.box.answer-cname-in-local.example.net. IN CNAME 3600 vip-reunion.pfsbox.answer-cname-in-local.example.net.
+0 service.box.answer-cname-in-local.example.net. IN CNAME 3600 pfs.global.box.answer-cname-in-local.example.net.
+0 vip-reunion.pfsbox.answer-cname-in-local.example.net. IN A 3600 10.1.1.1
+Rcode: 0, RD: 1, QR: 1, TC: 0, AA: 0, opcode: 0
+Reply to question for qname='service.box.answer-cname-in-local.example.net.', qtype=A
diff --git a/regression-tests.recursor/config.sh b/regression-tests.recursor/config.sh
index 65b8d4a4f9..ec45bbc5b7 100755
--- a/regression-tests.recursor/config.sh
+++ b/regression-tests.recursor/config.sh
@@ -81,6 +81,10 @@ hijackme.example.net. 3600 IN NS ns.hijackme.example.net. ns.hijackme.example.net. 3600 IN A $PREFIX.20 hijacker.example.net. 3600 IN NS ns.hijacker.example.net. ns.hijacker.example.net. 3600 IN A $PREFIX.21 +answer-cname-in-local.example.net. 3600 IN NS ns.answer-cname-in-local.example.net. +pfsbox.answer-cname-in-local.example.net. 3600 IN NS ns.answer-cname-in-local.example.net. +box.answer-cname-in-local.example.net. 3600 IN NS ns.answer-cname-in-local.example.net. +ns.answer-cname-in-local.example.net. 3600 IN A $PREFIX.22 EOF mkdir $PREFIX.11 @@ -328,6 +332,43 @@ www.hijackme.example.net. 20 IN A 192.0.2.21 EOF +## Several domains where one gets overwritten as a local auth zone +mkdir $PREFIX.22 +cat > $PREFIX.22/box.answer-cname-in-local.example.net.zone < $PREFIX.22/global.box.answer-cname-in-local.example.net.zone < $PREFIX.22/pfsbox.answer-cname-in-local.example.net.zone < recursor-service/global.box.answer-cname-in-local.example.net.zone < $dir/pdns.conf < recursor-service/recursor.conf << EOF -socket-dir=$(pwd)/recursor-service -EOF \ No newline at end of file +cat > recursor-service/recursor.conf <