From 2fbadaeec617a5ac7b33eabfeb1eb95a1c1711c9 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 26 Feb 2019 15:38:18 +0100
Subject: [PATCH] Add test for nxdomain-redirect ncachenxdomain

(cherry picked from commit 2d65626630c19bb8159a025accb18e5179da5dc3)
(cherry picked from commit 05d29443eb422748eec0e359f03474bbb983d28c)
---
 bin/tests/system/redirect/clean.sh | 5 +++
 bin/tests/system/redirect/ns1/root.db | 2 +-
 bin/tests/system/redirect/ns4/named.conf.in | 3 +-
 bin/tests/system/redirect/ns5/named.conf.in | 30 ++++++++++++++
 bin/tests/system/redirect/ns5/root.db.in | 16 ++++++++
 bin/tests/system/redirect/ns5/sign.sh | 43 +++++++++++++++++++++
 bin/tests/system/redirect/ns5/signed.db.in | 18 +++++++++
 bin/tests/system/redirect/ns5/unsigned.db | 18 +++++++++
 bin/tests/system/redirect/ns6/named.conf.in | 30 ++++++++++++++
 bin/tests/system/redirect/ns6/root.db | 16 ++++++++
 bin/tests/system/redirect/setup.sh | 3 ++
 bin/tests/system/redirect/tests.sh | 16 ++++++++
 util/copyrights | 1 +
 13 files changed, 198 insertions(+), 3 deletions(-)
 create mode 100644 bin/tests/system/redirect/ns5/named.conf.in
 create mode 100644 bin/tests/system/redirect/ns5/root.db.in
 create mode 100644 bin/tests/system/redirect/ns5/sign.sh
 create mode 100644 bin/tests/system/redirect/ns5/signed.db.in
 create mode 100644 bin/tests/system/redirect/ns5/unsigned.db
 create mode 100644 bin/tests/system/redirect/ns6/named.conf.in
 create mode 100644 bin/tests/system/redirect/ns6/root.db
diff --git a/bin/tests/system/redirect/clean.sh b/bin/tests/system/redirect/clean.sh
index 27a65d2a5e..b8bba0d107 100644
--- a/bin/tests/system/redirect/clean.sh
+++ b/bin/tests/system/redirect/clean.sh
@@ -27,5 +27,10 @@ rm -f ns3/dsset-signed.
 rm -f ns3/nsec3.db*
 rm -f ns3/signed.db*
 rm -f ns4/*.db
+rm -f ns5/dsset-*
+rm -f ns5/K* ns5/sign.ns5.*
+rm -f ns5/root.db ns5/root.db.signed
+rm -f ns5/signed.db ns5/signed.db.signed
+rm -f ns6/signed.db.signed
 rm -f rndc.out
 rm -f ns*/managed-keys.bind*
diff --git a/bin/tests/system/redirect/ns1/root.db b/bin/tests/system/redirect/ns1/root.db index 532063c05c..7b8caea29a 100644 --- a/bin/tests/system/redirect/ns1/root.db +++ b/bin/tests/system/redirect/ns1/root.db @@ -11,7 +11,7 @@ $TTL 3600 @ SOA a.root-servers.nil. marka.isc.org. 0 0 0 0 0 @ NS a.root-servers.nil. a.root-servers.nil. A 10.53.0.1 -example NS ns1.example. +example NS ns1.example. ns1.example. A 10.53.0.1 signed NS ns1.example. ns1.signed. A 10.53.0.1 diff --git a/bin/tests/system/redirect/ns4/named.conf.in b/bin/tests/system/redirect/ns4/named.conf.in index 8e9a0afd19..c6003441fa 100644 --- a/bin/tests/system/redirect/ns4/named.conf.in +++ b/bin/tests/system/redirect/ns4/named.conf.in @@ -16,7 +16,7 @@ controls { /* empty */ }; acl rfc1918 { 10/8; 192.168/16; 172.16/12; }; options { - query-source address 10.53.0.2; /* note this is not 10.53.0.3 */ + query-source address 10.53.0.2; /* note this is not 10.53.0.4 */ notify-source 10.53.0.4; transfer-source 10.53.0.4; port @PORT@; @@ -27,7 +27,6 @@ options { notify yes; dnssec-validation yes; nxdomain-redirect "redirect"; - }; key rndc_key { diff --git a/bin/tests/system/redirect/ns5/named.conf.in b/bin/tests/system/redirect/ns5/named.conf.in new file mode 100644 index 0000000000..e06deb02a9 --- /dev/null +++ b/bin/tests/system/redirect/ns5/named.conf.in 
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+options {
+ port @PORT@;
+ listen-on port @PORT@ { 10.53.0.5; };
+ pid-file "named.pid";
+ nxdomain-redirect signed;
+};
+
+zone "." {
+ type master;
+ file "root.db.signed";
+};
+
+// An unsigned zone that ns6 has a delegation for.
+zone "unsigned." {
+ type master;
+ file "unsigned.db";
+};
diff --git a/bin/tests/system/redirect/ns5/root.db.in b/bin/tests/system/redirect/ns5/root.db.in
new file mode 100644
index 0000000000..90c634706b
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/root.db.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+. 518400 IN NS a.root-servers.nil.
+a.root-servers.nil. 518400 IN A 10.53.0.5
+signed. 172800 IN NS ns.signed.
+ns.signed. 172800 IN A 10.53.0.6
+unsigned. 172800 IN NS ns.unsigned.
+ns.unsigned. 172800 IN A 10.53.0.5
diff --git a/bin/tests/system/redirect/ns5/sign.sh b/bin/tests/system/redirect/ns5/sign.sh
new file mode 100644
index 0000000000..e26904a6b2
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/sign.sh
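Review bot: `nxdomain-redirect signed;` in ns5/named.conf.in names a zone this server does not host (only "." and "unsigned." are configured, and ns5/root.db.in delegates signed. to 10.53.0.6), but nothing in the file says that this is deliberate. A comment above the option would record the intent, for example `// The redirect namespace is delegated to ns6 on purpose, not served locally.` (wording to be confirmed by the author), with the mirrored comment for `nxdomain-redirect unsigned;` in ns6/named.conf.in. Both new configs also leave `dnssec-validation` at the build default, while ns4 in this directory sets `dnssec-validation yes;` explicitly; pinning it would keep a signed-versus-unsigned test independent of that default.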
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+# We sign the zone here and move the signed zone to ns6.
+# The ns5 server actually does not serve this zone but
+# the DS and NS records are in the test root zone, and
+# delegate to ns6.
+zone=signed.
+infile=signed.db.in
+zonefile=signed.db
+
+key1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null`
+key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
+
+cat $infile $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.signed.out 2>&1
+
+cp signed.db.signed ../ns6
+
+# Root zone.
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+key1=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone 2> /dev/null`
+key2=`$KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS -fk $zone 2> /dev/null`
+
+# cat $infile $key1.key $key2.key > $zonefile
+cat $infile dsset-signed. $key1.key $key2.key > $zonefile
+
+$SIGNER -P -g -O full -o $zone $zonefile > sign.ns5.root.out 2>&1
diff --git a/bin/tests/system/redirect/ns5/signed.db.in b/bin/tests/system/redirect/ns5/signed.db.in
new file mode 100644
index 0000000000..8884120b6c
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/signed.db.in
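Review bot: The `-e` on the `#!/bin/sh -e` line has no effect when the script is started as `$SHELL sign.sh`, which is how setup.sh in this patch invokes it, so a failed `$KEYGEN` or `$SIGNER` does not stop the run. Because key generation also sends stderr to /dev/null, a failure there would leave `$key1` and `$key2` empty and the script would carry on with a zone file that lacks the DNSKEY records. A `set -e` line before `SYSTEMTESTTOP=../..` restores the behaviour the shebang intends. The commented-out `# cat $infile $key1.key $key2.key > $zonefile` above the root-zone `cat` looks like a leftover and can be dropped.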
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.signed. hostmaster.signed. 0 0 0 0 0
+@ IN NS ns.signed.
+
+ns.signed. IN A 10.0.53.6
+domain.signed. IN A 10.0.53.1
+
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns5/unsigned.db b/bin/tests/system/redirect/ns5/unsigned.db
new file mode 100644
index 0000000000..0f0604d79e
--- /dev/null
+++ b/bin/tests/system/redirect/ns5/unsigned.db
@@ -0,0 +1,18 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA ns.unsigned. hostmaster.unsigned. 0 0 0 0 0
+@ IN NS ns.unsigned.
+
+ns.unsigned. IN A 10.53.0.6
+domain.unsigned. IN A 10.0.53.1
+
+* IN A 100.100.100.1
+* IN AAAA 2001:ffff:ffff::100.100.100.1
diff --git a/bin/tests/system/redirect/ns6/named.conf.in b/bin/tests/system/redirect/ns6/named.conf.in
new file mode 100644
index 0000000000..bca355c3ea
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/named.conf.in
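Review bot: The in-zone address `ns.signed. IN A 10.0.53.6` in signed.db.in does not match the glue for ns.signed. in ns5/root.db.in and ns6/root.db (10.53.0.6), and the octets look transposed. unsigned.db has the same kind of mismatch: it gives `ns.unsigned. IN A 10.53.0.6`, while the glue is 10.53.0.5 and the zone is configured on ns5. A resolver that prefers the authoritative record over the glue would send follow-up queries to an address that is presumably not one of the test servers, or to the wrong one. If the mismatch is not intentional, the lines should read `ns.signed. IN A 10.53.0.6` and `ns.unsigned. IN A 10.53.0.5`.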
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS6
+
+options {
+ port @PORT@;
+ listen-on port @PORT@ { 10.53.0.6; };
+ pid-file "named.pid";
+ nxdomain-redirect unsigned;
+};
+
+zone "." {
+ type master;
+ file "root.db";
+};
+
+// A signed zone that ns5 has a delegation for.
+zone "signed." {
+ type master;
+ file "signed.db.signed";
+};
diff --git a/bin/tests/system/redirect/ns6/root.db b/bin/tests/system/redirect/ns6/root.db
new file mode 100644
index 0000000000..5e78d23ea2
--- /dev/null
+++ b/bin/tests/system/redirect/ns6/root.db
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+. 86400 IN SOA a.root-servers.nil. hostmaster.example.net. 2019022100 1800 900 604800 86400
+. 518400 IN NS a.root-servers.nil.
+a.root-servers.nil. 518400 IN A 10.53.0.6
+signed. 172800 IN NS ns.signed.
+ns.signed. 172800 IN A 10.53.0.6
+unsigned. 172800 IN NS ns.unsigned.
+ns.unsigned. 172800 IN A 10.53.0.5
diff --git a/bin/tests/system/redirect/setup.sh b/bin/tests/system/redirect/setup.sh
index c5400205f2..cad235bd43 100644
--- a/bin/tests/system/redirect/setup.sh
+++ b/bin/tests/system/redirect/setup.sh
@@ -18,6 +18,8 @@ copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf +copy_setports ns5/named.conf.in ns5/named.conf +copy_setports ns6/named.conf.in ns6/named.conf cp ns2/redirect.db.in ns2/redirect.db cp ns2/example.db.in ns2/example.db @@ -25,3 +27,4 @@ cp ns2/example.db.in ns2/example.db cp ns4/example.db.in ns4/example.db ( cd ns3 && $SHELL sign.sh ) +( cd ns5 && $SHELL sign.sh ) diff --git a/bin/tests/system/redirect/tests.sh b/bin/tests/system/redirect/tests.sh index 9eb6b42462..810e43e8d8 100644 --- a/bin/tests/system/redirect/tests.sh +++ b/bin/tests/system/redirect/tests.sh @@ -517,5 +517,21 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` +echo_i "checking tld nxdomain-redirect against signed root zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.5 asdfasdfasdf > dig.out.ns5.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns5.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + +echo_i "checking tld nxdomain-redirect against unsigned root zone ($n)" +ret=0 +$DIG $DIGOPTS @10.53.0.6 asdfasdfasdf > dig.out.ns6.test$n || ret=1 +grep "status: NXDOMAIN" dig.out.ns6.test$n > /dev/null || ret=1 +n=`expr $n + 1` +if [ $ret != 0 ]; then echo_i "failed"; fi +status=`expr $status + $ret` + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/util/copyrights b/util/copyrights index d469c5e706..ef4e48809d 100644 --- a/util/copyrights +++ b/util/copyrights 
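Review bot: The two added checks in tests.sh assert only `status: NXDOMAIN`, which would also pass on a server where the redirect lookup is never attempted, and no comment says why NXDOMAIN is the expected result from servers that have `nxdomain-redirect` set. A comment above the first new `echo_i` would record the intent, for example `# The redirect zone is delegated to the other server, so the redirect cannot be answered locally and the original NXDOMAIN is returned.`; this reading is inferred from the ns5/ns6 configs in this patch and should be confirmed by the author. The script begins well before this hunk, so `$DIGOPTS` and the `n`/`status` counters come from lines that are not visible here.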
@@ -914,6 +914,7 @@
 ./bin/tests/system/redirect/clean.sh SH 2011,2012,2013,2014,2015,2016,2018,2019
 ./bin/tests/system/redirect/ns1/sign.sh SH 2011,2012,2014,2016,2017,2018,2019
 ./bin/tests/system/redirect/ns3/sign.sh SH 2015,2016,2017,2018,2019
+./bin/tests/system/redirect/ns5/sign.sh SH 2019
 ./bin/tests/system/redirect/setup.sh SH 2011,2012,2013,2014,2015,2016,2017,2018,2019
 ./bin/tests/system/redirect/tests.sh SH 2011,2012,2013,2014,2015,2016,2018,2019
 ./bin/tests/system/resolver/ans2/ans.pl PERL 2000,2001,2004,2007,2009,2010,2012,2016,2018,2019