test correct occlusion of DNSSEC records

bin/tests/system/dnssec/ns3/insecure.example.db

@@ -21,4 +21,5 @@ ns			A	10.53.0.3
 a			A	10.0.0.1
 b			A	10.0.0.2
 d			A	10.0.0.4
+x			DNSKEY	258 3 5 Cg==
 z			A	10.0.0.26

bin/tests/system/dnssec/ns3/secure.example.db.in

@@ -28,6 +28,7 @@ g			A	10.0.0.7
 z			A	10.0.0.26
 a.a.a.a.a.a.a.a.a.a.e	A	10.0.0.27
 x			CNAME	a
+zz			DNSKEY	258 3 5 Cg==
 
 private			NS	ns.private
 ns.private		A	10.53.0.2

bin/tests/system/dnssec/tests.sh

@@ -3635,6 +3635,19 @@ n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+echo_i "checking DNSSEC records are occluded from ANY in an insecure zone ($n)"
+ret=0
+dig_with_opts any x.insecure.example. @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.1.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.ns3.1.test$n > /dev/null || ret=1
+dig_with_opts any zz.secure.example. @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.2.test$n > /dev/null || ret=1
+# DNSKEY+RRSIG, NSEC+RRSIG
+grep "ANSWER: 4," dig.out.ns3.2.test$n > /dev/null || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 # Note: after this check, ns4 will not be validating any more; do not add any
 # further validation tests employing ns4 below this check.
 echo_i "check that validation defaults to off when dnssec-enable is off ($n)"