verify that dnssec-signzone generates NSEC3 records with DNAME at the apex

bin/tests/system/dnssec/clean.sh

@@ -11,9 +11,9 @@
 
 rm -f */K* */keyset-* */dsset-* */dlvset-* */signedkey-* */*.signed
 rm -f */example.bk
+rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run
-rm -f */named.conf
 rm -f */named.secroots
 rm -f */tmp* */*.jnl */*.bk */*.jbk
 rm -f */trusted.conf */managed.conf */revoked.conf
@@ -27,6 +27,7 @@ rm -f keygen.err
 rm -f named.secroots.test*
 rm -f nosign.before
 rm -f ns*/*.nta
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
 rm -f ns*/named.lock
 rm -f ns1/managed.key.id
 rm -f ns1/root.db ns2/example.db ns3/secure.example.db
@@ -47,6 +48,7 @@ rm -f ns2/private.secure.example.db
 rm -f ns2/single-nsec3.db
 rm -f ns3/auto-nsec.example.db ns3/auto-nsec3.example.db
 rm -f ns3/badds.example.db
+rm -f ns3/dname-at-apex-nsec3.example.db
 rm -f ns3/dnskey-nsec3-unknown.example.db
 rm -f ns3/dnskey-nsec3-unknown.example.db.tmp
 rm -f ns3/dnskey-unknown.example.db
@@ -84,17 +86,16 @@ rm -f ns6/optout-tld.db
 rm -f ns7/multiple.example.bk ns7/nsec3.example.bk ns7/optout.example.bk
 rm -f ns7/split-rrsig.db ns7/split-rrsig.db.unsplit
 rm -f nsupdate.out*
+rm -f python.out.*
 rm -f rndc.out.*
 rm -f signer/*.db
 rm -f signer/*.signed.post*
 rm -f signer/*.signed.pre*
 rm -f signer/example.db.after signer/example.db.before
 rm -f signer/example.db.changed
-rm -f signer/nsec3param.out
-rm -f signer/signer.out.*
+rm -f signer/general/dsset*
 rm -f signer/general/signed.zone
 rm -f signer/general/signer.out.*
-rm -f signer/general/dsset*
+rm -f signer/nsec3param.out
+rm -f signer/signer.out.*
 rm -f signing.out*
-rm -f python.out.*
-rm -f ns*/managed-keys.bind* ns*/*.mkeys*

bin/tests/system/dnssec/ns2/example.db.in

@@ -158,3 +158,5 @@ ns.managed-future	A	10.53.0.3
 
 revkey			NS	ns.revkey
 ns.revkey		A	10.53.0.3
+
+dname-at-apex-nsec3	NS	ns3

bin/tests/system/dnssec/ns2/sign.sh

@@ -24,7 +24,8 @@ for subdomain in secure badds bogus dynamic keyless nsec3 optout \
 	nsec3-unknown optout-unknown multiple rsasha256 rsasha512 \
 	kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
 	ttlpatch split-dnssec split-smart expired expiring upper lower \
-	dnskey-unknown dnskey-nsec3-unknown managed-future revkey
+	dnskey-unknown dnskey-nsec3-unknown managed-future revkey \
+	dname-at-apex-nsec3
 do
 	cp ../ns3/dsset-$subdomain.example$TP .
 done

bin/tests/system/dnssec/ns3/dname-at-apex-nsec3.example.db.in

@@ -0,0 +1,4 @@
+$TTL	600
+@	SOA	ns3.example. . 1 1200 1200 1814400 3600
+@	NS	ns3.example.
+@	DNAME	example.

bin/tests/system/dnssec/ns3/named.conf.in

@@ -294,6 +294,11 @@ zone "revkey.example" {
 	file "revkey.example.db.signed";
 };
 
+zone "dname-at-apex-nsec3.example" {
+	type master;
+	file "dname-at-apex-nsec3.example.db.signed";
+};
+
 include "siginterval.conf";
 
 include "trusted.conf";

bin/tests/system/dnssec/ns3/sign.sh

@@ -543,3 +543,14 @@ zsk1=`$KEYGEN -q -a RSASHA1 -3 $zone`
 cat $infile ${ksk1}.key ${ksk2}.key ${zsk1}.key >$zonefile
 
 $SIGNER -P -o $zone $zonefile > /dev/null 2>&1
+
+#
+# Check that NSEC3 are correctly signed and returned from below a DNAME
+#
+zone=dname-at-apex-nsec3.example
+infile=dname-at-apex-nsec3.example.db.in
+zonefile=dname-at-apex-nsec3.example.db
+kskname=`$KEYGEN -q -a RSASHA256 -3fk $zone`
+zskname=`$KEYGEN -q -a RSASHA256 -3 $zone`
+cat $infile $kskname.key $zskname.key >$zonefile
+$SIGNER -P -3 - -o $zone $zonefile > /dev/null 2>&1

bin/tests/system/dnssec/tests.sh

@@ -3569,6 +3569,14 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-signzone) ($n)"
+ret=0
+$DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "RRSIG.NSEC3 8 3 3600" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 # Note: after this check, ns4 will not be validating any more; do not add any
 # further validation tests employing ns4 below this check.
 echo_i "check that validation defaults to off when dnssec-enable is off ($n)"