From faa3b298f071135f9826662567f123a663a4507f Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Fri, 27 May 2016 13:18:00 +0200
Subject: [PATCH] Add 2 simple NTA tests
---
 .../recursortests.py | 1 +
 regression-tests.recursor-dnssec/test_NTA.py | 31 +++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 regression-tests.recursor-dnssec/test_NTA.py
diff --git a/regression-tests.recursor-dnssec/recursortests.py b/regression-tests.recursor-dnssec/recursortests.py
index 93fb8e11b5..1d2db69404 100644
--- a/regression-tests.recursor-dnssec/recursortests.py
+++ b/regression-tests.recursor-dnssec/recursortests.py
@@ -101,6 +101,7 @@ ns.secure.example. 3600 IN A {prefix}.9
 host1.secure.example. 3600 IN A 192.0.2.2
 cname.secure.example. 3600 IN CNAME host1.secure.example.
 cname-to-insecure.secure.example. 3600 IN CNAME node1.insecure.example.
+cname-to-bogus.secure.example. 3600 IN CNAME ted.bogus.example.
 host1.sub.secure.example. 3600 IN A 192.0.2.11
diff --git a/regression-tests.recursor-dnssec/test_NTA.py b/regression-tests.recursor-dnssec/test_NTA.py
new file mode 100644
index 0000000000..7f58c5b645
--- /dev/null
+++ b/regression-tests.recursor-dnssec/test_NTA.py
@@ -0,0 +1,31 @@
+import dns
+from recursortests import RecursorTest
+
+class testSimple(RecursorTest):
+ _confdir = 'NTA'
+
+ _config_template = """dnssec=validate"""
+ _lua_config_file = """addNTA("bogus.example")"""
+
+ def testDirectNTA(self):
+ """Ensure a direct query to a bogus name with an NTA is Insecure"""
+
+ msg = dns.message.make_query("ted.bogus.example.", dns.rdatatype.A)
+ msg.flags = dns.flags.from_text('AD RD')
+ msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
+
+ res = self.sendUDPQuery(msg)
+
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
+
+ def testCNAMENTA(self):
+ """Ensure a CNAME from a secure zone to a bogus one with an NTA is Insecure"""
+ msg = dns.message.make_query("cname-to-bogus.secure.example.", dns.rdatatype.A)
+ msg.flags = dns.flags.from_text('AD RD')
+ msg.use_edns(edns=0, ednsflags=dns.flags.edns_from_text('DO'))
+
+ res = self.sendUDPQuery(msg)
+
+ self.assertMessageHasFlags(res, ['QR', 'RA', 'RD'], ['DO'])
+ self.assertRcodeEqual(res, dns.rcode.NOERROR)
--
2.47.3
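Review bot: Both testDirectNTA and testCNAMENTA stop at the header flags and the rcode, so a NOERROR reply with an empty answer section would satisfy them, and nothing in this file shows that the same queries fail validation when the NTA is absent. A negative trust anchor exists to turn a Bogus result into a usable Insecure answer, so each test should also check that the A record comes back, e.g. `self.assertTrue(any(rrset.rdtype == dns.rdatatype.A for rrset in res.answer))` after the rcode assertion (this assumes the fixture zone holds an A record for ted.bogus.example, which is not visible here). If `assertMessageHasFlags` only checks that the listed flags are present rather than matching the flag set exactly, add `self.assertFalse(res.flags & dns.flags.AD)` too, since a response wrongly marked Secure would otherwise pass. A one-line comment above `_lua_config_file` stating that the NTA covers the whole of bogus.example would make it clear why the CNAME test is expected to be Insecure.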