Treat mirror zone data as cache data for access control purposes

As mirror zone data should be treated the way validated, cached DNS
responses are, it should not be used when responding to clients who are
not allowed cache access.  Reuse code responsible for determining cache
database access for evaluating mirror zone access.

bin/tests/system/mirror/tests.sh

@@ -12,7 +12,7 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-DIGOPTS="-p ${PORT} +dnssec +time=1 +tries=1 +multi"
+DIGOPTS="-p ${PORT} -b 10.53.0.1 +dnssec +time=1 +tries=1 +multi"
 RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
 
 # Wait until the transfer of the given zone to ns3 either completes successfully
@@ -329,5 +329,15 @@ nextpart ns2/named.run | grep "query 'foo.initially-unavailable/A/IN'" > /dev/nu
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking that clients without cache access cannot retrieve mirror zone data ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -b 10.53.0.3 +norec . SOA > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "REFUSED" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1