Blackhole queries to root servers in tests

Some tests don't have a mock root server configured, because they don't
need one. However, these tests might still leak queries to actual name
servers. Add a shared root hints file which can serve as a blackhole for
these queries.

bin/tests/system/_common/root.hint.blackhole

@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 999999
+.			 IN NS	ns99.root-servers.nil.
+ns99.root-servers.nil.	 IN A	10.53.0.99

bin/tests/system/journal/ns1/named.conf.in

@@ -36,6 +36,11 @@ controls {
 	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+zone . {
+	type hint;
+	file "../../_common/root.hint.blackhole";
+};
+
 zone changed {
 	type primary;
 	update-policy local;

bin/tests/system/journal/ns2/named.conf.in

@@ -35,3 +35,8 @@ key rndc_key {
 controls {
 	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
+
+zone . {
+	type hint;
+	file "../../_common/root.hint.blackhole";
+};

bin/tests/system/kasp/ns3/named-fips.conf.in

@@ -39,6 +39,11 @@ controls {
         inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+zone "." {
+	type hint;
+	file "../../_common/root.hint.blackhole";
+};
+
 /* Zones that are getting initially signed */
 
 /* The default case: No keys created, using default policy. */

bin/tests/system/kasp/ns6/named.conf.in

@@ -39,6 +39,11 @@ controls {
 	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+zone "." {
+	type hint;
+	file "../../_common/root.hint.blackhole";
+};
+
 /* This zone switch from dynamic to inline-signing. */
 zone "dynamic2inline.kasp" {
 	type primary;

bin/tests/system/kasp/ns6/named2.conf.in

@@ -38,6 +38,11 @@ controls {
 	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+zone "." {
+	type hint;
+	file "../../_common/root.hint.blackhole";
+};
+
 /* This zone switch from dynamic to inline-signing. */
 zone "dynamic2inline.kasp" {
 	type primary;

bin/tests/system/nsupdate/ns3/named.conf.in

@@ -35,6 +35,11 @@ controls {
 	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+zone "." {
+	type hint;
+	file "../../_common/root.hint.blackhole";
+};
+
 dnssec-policy "default-dynamic" {
 	inline-signing no;
 };