From a402ffbced528549cf784c520539d4e001e9f1b3 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 6 Mar 2019 17:45:03 +1100
Subject: [PATCH] Check 'deny name' + 'grant subdomain' for the same name

---
 bin/tests/system/nsupdate/clean.sh | 38 ++++++++++-----------
 bin/tests/system/nsupdate/ns9/named.conf.in | 14 ++++++++
 bin/tests/system/nsupdate/setup.sh | 1 +
 bin/tests/system/nsupdate/tests.sh | 28 +++++++++++++++
 4 files changed, 62 insertions(+), 19 deletions(-)

diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index 9b8af4a7ff..655be32423 100644
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -13,21 +13,29 @@
 # Clean up after zone transfer tests.
 #
 
-rm -f verylarge
+rm -f */*.jnl
+rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run */ans.run
-rm -f */named.conf
+rm -f */named.run.prev
 rm -f Kxxx.*
+rm -f check.out.*
 rm -f dig.out.*
 rm -f jp.out.ns3.*
+rm -f nextpart.out.*
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
 rm -f ns*/named.lock
-rm -f */*.jnl
 rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db
 rm -f ns1/many.test.db
 rm -f ns1/maxjournal.db
 rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
+rm -f ns1/sample.db
 rm -f ns1/sha512.key ns1/ddns.key
+rm -f ns10/_default.tsigkeys
+rm -f ns10/example.com.db
+rm -f ns10/in-addr.db
 rm -f ns2/example.bk
+rm -f ns2/sample.db
 rm -f ns2/update.bk ns2/update.alt.bk
 rm -f ns3/*.signed
 rm -f ns3/K*
@@ -40,25 +48,17 @@ rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
 rm -f ns5/local.db
 rm -f ns6/in-addr.db
-rm -f ns7/in-addr.db
-rm -f ns7/example.com.db
 rm -f ns7/_default.tsigkeys
-rm -f ns8/in-addr.db
-rm -f ns8/example.com.db
+rm -f ns7/example.com.db
+rm -f ns7/in-addr.db
 rm -f ns8/_default.tsigkeys
-rm -f ns9/in-addr.db
-rm -f ns9/example.com.db
+rm -f ns8/example.com.db
+rm -f ns8/in-addr.db
 rm -f ns9/_default.tsigkeys
-rm -f ns10/example.com.db
-rm -f ns10/in-addr.db
-rm -f ns10/_default.tsigkeys
+rm -f ns9/denyname.example.db
+rm -f ns9/example.com.db
+rm -f ns9/in-addr.db
 rm -f nsupdate.out*
 rm -f typelist.out.*
-rm -f ns1/sample.db
-rm -f ns2/sample.db
 rm -f update.out.*
-rm -f check.out.*
-rm -f update.out.*
-rm -f ns*/managed-keys.bind* ns*/*.mkeys*
-rm -f nextpart.out.*
-rm -f */named.run.prev
+rm -f verylarge
diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in
index 88c0d7a709..a65f069ac7 100644
--- a/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -28,6 +28,11 @@ key rndc_key {
 algorithm hmac-sha256;
 };
 
+key subkey {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
 controls {
 inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
@@ -46,3 +51,12 @@ zone "example.com" {
 grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
 };
 };
+
+zone "denyname.example" {
+ type master;
+ file "denyname.example.db";
+ update-policy {
+ deny subkey name denyname.example;
+ grant subkey subdomain denyname.example;
+ };
+};
diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
index b19d9083c5..4c95da5f28 100644
--- a/bin/tests/system/nsupdate/setup.sh
+++ b/bin/tests/system/nsupdate/setup.sh
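Review bot: The update-policy in the new zone "denyname.example" is correct only because of rule order, and nothing in the file records that: named applies the first update-policy rule that matches, and `subdomain denyname.example` matches the apex name itself as well as the names below it, so moving the `grant` above the `deny` would let subkey update the apex and silently defeat the case this commit adds a test for. Since this fixture exists precisely to pin that ordering, I would document it in place with a comment above the `deny` line: `// first match wins: the apex deny must precede the subdomain grant, which also matches the apex`. The `deny` rule carries no type list, which is presumably deliberate (deny everything the rule form covers at the apex); if only specific types were meant, that is the place to list them.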
@@ -79,5 +79,6 @@ cp -f ns8/in-addr.db.in ns8/in-addr.db
 cp -f ns8/example.com.db.in ns8/example.com.db
 cp -f ns9/in-addr.db.in ns9/in-addr.db
 cp -f ns9/example.com.db.in ns9/example.com.db
+cp -f ns9/example.com.db.in ns9/denyname.example.db
 cp -f ns10/in-addr.db.in ns10/in-addr.db
 cp -f ns10/example.com.db.in ns10/example.com.db
diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index 9e0e618541..32ac8a2aad 100755
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -691,6 +691,34 @@ grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
 grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=`expr $n + 1`
+ret=0
+echo_i "check 'grant' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add foo.denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check 'deny' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 n=`expr $n + 1`
 ret=0
 echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"
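Review bot: The new `cp -f ns9/example.com.db.in ns9/denyname.example.db` serves the denyname.example zone from the example.com template, which only loads if that template uses origin-relative owner names; should it carry absolute `example.com.` owners, named would reject the zone and the two new tests would fail at load time rather than on the policy check they are meant to exercise. I cannot see example.com.db.in from here, so this is a point to confirm rather than a defect; a short comment such as `# denyname.example reuses the example.com template (origin-relative names only)` would record the dependency for whoever edits the template next.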
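Review bot: The negative test (`check 'deny' …`) accepts any non-zero nsupdate exit as proof of the denial, so a connection failure, timeout or TSIG verification error against ns9 would also make it pass, for the wrong reason; nsupdate's output is already captured in `nsupdate.out-$n`, so the rcode should be asserted explicitly with `grep "REFUSED" nsupdate.out-$n > /dev/null || ret=1` right after the heredoc. The positive test is guarded by the dig lookup, but the same file could be checked there too (`grep "update failed" nsupdate.out-$n > /dev/null && ret=1`) so that a failure is reported at the update step rather than only as a missing TXT. Both tests embed the TSIG secret `1234abcd8765` that ns9/named.conf.in also defines for subkey; fine for a fixture, but a comment that the two must stay in sync would help the next editor.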