Check 'deny name' + 'grant subdomain' for the same name

bin/tests/system/nsupdate/clean.sh

@@ -13,21 +13,29 @@
 # Clean up after zone transfer tests.
 #
 
-rm -f verylarge
+rm -f */*.jnl
+rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run */ans.run
-rm -f */named.conf
+rm -f */named.run.prev
 rm -f Kxxx.*
+rm -f check.out.*
 rm -f dig.out.*
 rm -f jp.out.ns3.*
+rm -f nextpart.out.*
+rm -f ns*/managed-keys.bind* ns*/*.mkeys*
 rm -f ns*/named.lock
-rm -f */*.jnl
 rm -f ns1/example.db ns1/unixtime.db ns1/yyyymmddvv.db ns1/update.db ns1/other.db ns1/keytests.db
 rm -f ns1/many.test.db
 rm -f ns1/maxjournal.db
 rm -f ns1/md5.key ns1/sha1.key ns1/sha224.key ns1/sha256.key ns1/sha384.key
+rm -f ns1/sample.db
 rm -f ns1/sha512.key ns1/ddns.key
+rm -f ns10/_default.tsigkeys
+rm -f ns10/example.com.db
+rm -f ns10/in-addr.db
 rm -f ns2/example.bk
+rm -f ns2/sample.db
 rm -f ns2/update.bk ns2/update.alt.bk
 rm -f ns3/*.signed
 rm -f ns3/K*
@@ -40,25 +48,17 @@ rm -f ns3/nsec3param.test.db
 rm -f ns3/too-big.test.db
 rm -f ns5/local.db
 rm -f ns6/in-addr.db
-rm -f ns7/in-addr.db
-rm -f ns7/example.com.db
 rm -f ns7/_default.tsigkeys
-rm -f ns8/in-addr.db
-rm -f ns8/example.com.db
+rm -f ns7/example.com.db
+rm -f ns7/in-addr.db
 rm -f ns8/_default.tsigkeys
-rm -f ns9/in-addr.db
-rm -f ns9/example.com.db
+rm -f ns8/example.com.db
+rm -f ns8/in-addr.db
 rm -f ns9/_default.tsigkeys
-rm -f ns10/example.com.db
-rm -f ns10/in-addr.db
-rm -f ns10/_default.tsigkeys
+rm -f ns9/denyname.example.db
+rm -f ns9/example.com.db
+rm -f ns9/in-addr.db
 rm -f nsupdate.out*
 rm -f typelist.out.*
-rm -f ns1/sample.db
-rm -f ns2/sample.db
 rm -f update.out.*
-rm -f check.out.*
-rm -f update.out.*
-rm -f ns*/managed-keys.bind* ns*/*.mkeys*
-rm -f nextpart.out.*
-rm -f */named.run.prev
+rm -f verylarge

bin/tests/system/nsupdate/ns9/named.conf.in

@@ -28,6 +28,11 @@ key rndc_key {
 	algorithm hmac-sha256;
 };
 
+key subkey {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
 controls {
 	inet 10.53.0.9 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
@@ -46,3 +51,12 @@ zone "example.com" {
 		grant EXAMPLE.COM ms-subdomain _tcp.example.com SRV;
 	};
 };
+
+zone "denyname.example" {
+	type master;
+	file "denyname.example.db";
+	update-policy {
+		deny subkey name denyname.example;
+		grant subkey subdomain denyname.example;
+	};
+};

bin/tests/system/nsupdate/setup.sh

@@ -79,5 +79,6 @@ cp -f ns8/in-addr.db.in ns8/in-addr.db
 cp -f ns8/example.com.db.in ns8/example.com.db
 cp -f ns9/in-addr.db.in ns9/in-addr.db
 cp -f ns9/example.com.db.in ns9/example.com.db
+cp -f ns9/example.com.db.in ns9/denyname.example.db
 cp -f ns10/in-addr.db.in ns10/in-addr.db
 cp -f ns10/example.com.db.in ns10/example.com.db

bin/tests/system/nsupdate/tests.sh

@@ -691,6 +691,34 @@ grep "ANSWER: 1," dig.out.2.test$n > /dev/null || ret=1
 grep "TXT.*everywhere" dig.out.2.test$n > /dev/null || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=`expr $n + 1`
+ret=0
+echo_i "check 'grant' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 || ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add foo.denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 foo.denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=`expr $n + 1`
+ret=0
+echo_i "check 'deny' in deny name + grant subdomain ($n)"
+$NSUPDATE << EOF > nsupdate.out-$n 2>&1 && ret=1
+key hmac-sha256:subkey 1234abcd8765
+server 10.53.0.9 ${PORT}
+zone denyname.example
+update add denyname.example 3600 IN TXT added
+send
+EOF
+$DIG $DIGOPTS +tcp @10.53.0.9 denyname.example TXT > dig.out.ns9.test$n
+grep "added" dig.out.ns9.test$n > /dev/null && ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 n=`expr $n + 1`
 ret=0
 echo_i "check that changes to the DNSKEY RRset TTL do not have side effects ($n)"