verify that dnssec-signzone generates NSEC3 records with DNAME at the apex

bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in

@@ -0,0 +1,4 @@
+$TTL	600
+@	SOA	ns3.example. . 1 1200 1200 1814400 3600
+@	NS	ns3.example.
+@	DNAME	example.

bin/tests/system/dnssec/ns3/named.conf.in

@@ -294,6 +294,11 @@ zone "revkey.example" {
 	file "revkey.example.db.signed";
 };
 
+zone "dname-at-apex-nsec3.example" {
+	type master;
+	file "dname-at-apex-nsec3.example.db.signed";
+};
+
 include "siginterval.conf";
 
 include "trusted.conf";

bin/tests/system/dnssec/ns3/sign.sh

@@ -543,3 +543,14 @@ zsk1=`$KEYGEN -q -a RSASHA1 -3 $zone`
 cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
 
 $SIGNER -P -o $zone $zonefile > /dev/null 2>&1
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+zone=dname-at-apex-nsec3.example
+infile=dname-at-apex-nsec3.example.db.in
+zonefile=dname-at-apex-nsec3.example.db
+kskname=`$KEYGEN -q -a RSASHA256 -3fk $zone`
+zskname=`$KEYGEN -q -a RSASHA256 -3 $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1