From 73e4201331fb468664aa72faa785acabe97fc820 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?=
Date: Thu, 10 Jul 2025 15:14:06 +0200
Subject: [PATCH] Test dangling DNAME answers come with NXDOMAIN proofs

Simplistic test. Ignores the possibility of DNAME chain going through multiple zones and/or wildcard expansions.
---
 bin/tests/system/nsec3-answer/ns1/root.db.in | 3 ++-
 bin/tests/system/nsec3-answer/tests_nsec3.py | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/bin/tests/system/nsec3-answer/ns1/root.db.in b/bin/tests/system/nsec3-answer/ns1/root.db.in
index 2171c44239..fbddc2dca2 100644
--- a/bin/tests/system/nsec3-answer/ns1/root.db.in
+++ b/bin/tests/system/nsec3-answer/ns1/root.db.in
@@ -29,7 +29,8 @@ cname. CNAME does-not-exist.
 cname.cname. CNAME cname.
 cname.ent.cname. CNAME cname.cname.
 d. A 10.0.0.4
-dname-nowhere. DNAME does-not-exist.
+dname-to-nowhere. DNAME does-not-exist.
+; DNAME owner longer than target to avoid YXDOMAIN dependent on QNAME
 insecure. NS a.root-servers.nil.
 ns.insecure. A 10.53.0.3
 a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/nsec3-answer/tests_nsec3.py b/bin/tests/system/nsec3-answer/tests_nsec3.py
index f1b0a70154..578b5ddc05 100755
--- a/bin/tests/system/nsec3-answer/tests_nsec3.py
+++ b/bin/tests/system/nsec3-answer/tests_nsec3.py
@@ -116,6 +116,24 @@ def test_cname_nxdomain(server, qname: dns.name.Name, named_port: int) -> None:
 check_nxdomain(chain.canonical_name, nsec3check)
 
 
+@pytest.mark.parametrize(
+ "server", [pytest.param(AUTH, id="ns1"), pytest.param(RESOLVER, id="ns2")]
+)
+@given(qname=dns_names(suffix=ZONE.get_names_with_type(dns.rdatatype.DNAME)))
+def test_dname_nxdomain(server, qname: dns.name.Name, named_port: int) -> None:
+ """DNAME which terminates by NXDOMAIN, no wildcards involved"""
+ assume(qname not in ZONE.reachable)
+
+ response, nsec3check = do_test_query(qname, dns.rdatatype.A, server, named_port)
+ chain = response.resolve_chaining()
+ assume_nx_and_no_delegation(chain.canonical_name)
+
+ wname = ZONE.source_of_synthesis(chain.canonical_name)
+ assume(wname not in ZONE.reachable_wildcards)
+
+ check_nxdomain(chain.canonical_name, nsec3check)
+
+
 @pytest.mark.parametrize(
 "server", [pytest.param(AUTH, id="ns1"), pytest.param(RESOLVER, id="ns2")]
 )
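Review bot: Nothing in `test_dname_nxdomain` asserts that the DNAME was actually applied; after `response.resolve_chaining()` only `chain.canonical_name` is read, and it feeds two `assume()` filters before the final check. If a server answered for the QNAME itself without the DNAME and synthesized CNAME, the chain would presumably end at `qname`, and the example would either be filtered out or checked against the wrong name, so the dangling-DNAME denial proof would go unverified without a failure. Adding `assert chain.canonical_name != qname` directly after the `resolve_chaining()` call would pin that the redirect happened. `do_test_query`, `assume_nx_and_no_delegation` and `check_nxdomain` are defined outside this hunk, so they may already cover part of this.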