Check that minimal NSEC records are not cached

construct a test zone which contains a minimal NSEC record,
emit priming queries for this record, and then check that
a respose that would be synthesised from it isn't.

bin/tests/system/synthfromdnssec/clean.sh

@@ -25,6 +25,8 @@ rm -f ./ns1/insecure.example.db
 rm -f ./ns1/insecure.example.db.signed
 rm -f ./ns1/dnamed.db
 rm -f ./ns1/dnamed.db.signed
+rm -f ./ns1/minimal.db
+rm -f ./ns1/minimal.db.signed
 rm -f ./ns1/root.db
 rm -f ./ns1/root.db.signed
 rm -f ./ns1/trusted.conf
@@ -34,3 +36,4 @@ rm -f ./nodata.out ./insecure.nodata.out
 rm -f ./nxdomain.out ./insecure.nxdomain.out
 rm -f ./wild.out ./insecure.wild.out
 rm -f ./wildcname.out ./insecure.wildcname.out
+rm -f ./minimal.nxdomain.out

bin/tests/system/synthfromdnssec/ns1/minimal.db.in

@@ -0,0 +1,28 @@
+$TTL 3600
+minimal.		3600	SOA	ns1.minimal. hostmaster.minimal. (
+					1          ; serial
+					3600       ; refresh (1 hour)
+					1200       ; retry (20 minutes)
+					604800     ; expire (1 week)
+					3600       ; minimum (1 hour)
+					)
+			3600	NS	ns1.minimal.
+			3600	NSEC	dnamed.minimal. NS SOA RRSIG NSEC DNSKEY
+dnamed.minimal.		3600	DNAME	dnamed.
+			3600	NSEC	insecure.minimal. DNAME RRSIG NSEC
+insecure.minimal.	3600	NS	ns1.insecure.minimal.
+			3600	NSEC	nodata.minimal. NS RRSIG NSEC
+nodata.minimal.		3600	TXT	"nodata"
+			3600	NSEC	ns1.minimal. TXT RRSIG NSEC
+; incomplete chain pointing at non-existent ns2.minimal
+ns1.minimal.		3600	A	10.53.0.1
+			3600	NSEC	ns2.minimal. A RRSIG NSEC
+; minimal response for nxdomain.minimal.
+nxdomaia.minimal.	3600	NSEC	nxdomaiz.minimal. RRSIG NSEC
+;
+*.wild-a.minimal.	3600	A	1.2.3.4
+			3600	NSEC	*.wild-cname.minimal. A RRSIG NSEC
+*.wild-cname.minimal.	3600	CNAME	ns1.minimal.
+			3600	NSEC	minimal. CNAME RRSIG NSEC
+; glue
+ns1.insecure.minimal.	3600	A	10.53.0.1

bin/tests/system/synthfromdnssec/ns1/named.conf.in

@@ -44,4 +44,9 @@ zone "dnamed" {
 	file "dnamed.db.signed";
 };
 
+zone "minimal" {
+	type primary;
+	file "minimal.db.signed";
+};
+
 include "trusted.conf";

bin/tests/system/synthfromdnssec/ns1/root.db.in

@@ -15,3 +15,5 @@ example		NS	ns1.example
 ns1.example	A	10.53.0.1
 dnamed		NS	ns1.dnamed
 ns1.dnamed	A	10.53.0.1
+minimal		NS	ns1.minimal
+ns1.minimal	A	10.53.0.1

bin/tests/system/synthfromdnssec/ns1/sign.sh

@@ -41,6 +41,16 @@ cat "$infile" "$keyname.key" > "$zonefile"
 
 $SIGNER -P -o $zone $zonefile > /dev/null
 
+zone=minimal
+infile=minimal.db.in
+zonefile=minimal.db
+
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+cat "$infile" "$keyname.key" > "$zonefile"
+
+# do not regenerate NSEC chain as there in a minimal NSEC record present
+$SIGNER -P -Z nonsecify -o $zone $zonefile > /dev/null
+
 zone=.
 infile=root.db.in
 zonefile=root.db

bin/tests/system/synthfromdnssec/tests.sh

@@ -173,6 +173,18 @@ do
     n=$((n+1))
     if [ $ret != 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
+
+    echo_i "prime minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    dig_with_opts nxdomain.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+    check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+    grep "nxdomaia.minimal.*3600.IN.NSEC.nxdomaiz.minimal. RRSIG NSEC" dig.out.ns${ns}.test$n > /dev/null || ret=1
+    [ $ns -eq 2 ] && cp dig.out.ns${ns}.test$n minimal.nxdomain.out
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
 done
 
 echo_i "prime redirect response (+nodnssec) (synth-from-dnssec <default>;) ($n)"
@@ -328,6 +340,19 @@ do
     n=$((n+1))
     if [ $ret != 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
+
+    echo_i "check minimal NXDOMAIN response (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    nextpart ns1/named.run > /dev/null
+    dig_with_opts nxdomaic.minimal. @10.53.0.${ns} a > dig.out.ns${ns}.test$n || ret=1
+    check_ad_flag $ad dig.out.ns${ns}.test$n || ret=1
+    check_status NXDOMAIN dig.out.ns${ns}.test$n || ret=1
+    check_nosynth_soa minimal. dig.out.ns${ns}.test$n || ret=1
+    nextpart ns1/named.run | grep nxdomaic.minimal/A > /dev/null || ret=1
+    digcomp minimal.nxdomain.out dig.out.ns${ns}.test$n || ret=1
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
 done
 
 echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"