Perform basic resolution checks with a mirror zone in use

Make ns3 mirror the "root" zone from ns1 and query the former for a
properly signed record below the root.  Ensure ns1 is not queried during
resolution and that the AD bit is set in the response.

bin/tests/system/mirror/ns1/named.conf.in

@@ -19,3 +19,8 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 };
+
+zone "." {
+	type master;
+	file "root.db.signed";
+};

bin/tests/system/mirror/ns1/root.db.in

@@ -11,3 +11,5 @@ $TTL 3600
 @				SOA	a.root-servers.nil. hostmaster 2000010100 3600 1200 604800 3600
 @				NS	a.root-servers.nil.
 a.root-servers.nil.		A	10.53.0.1
+example				NS	ns2.example.
+ns2.example.			A	10.53.0.2

bin/tests/system/mirror/ns1/sign.sh

@@ -0,0 +1,30 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+( cd ../ns2 && $SHELL -e sign.sh )
+
+cp ../ns2/dsset-* .
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+keyname1=`$KEYGEN -a RSASHA256 -f KSK $zone 2> /dev/null`
+keyname2=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -P -g -o $zone $zonefile > /dev/null
+
+keyfile_to_trusted_keys $keyname1 > trusted.conf

bin/tests/system/mirror/ns2/example.db.in

@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 3600
+@		SOA	ns2 hostmaster 1 3600 1200 604800 3600
+@		NS	ns2
+ns2		A	10.53.0.2
+foo		A	127.0.0.1

bin/tests/system/mirror/ns2/named.conf.in

@@ -29,6 +29,11 @@ options {
 	recursion no;
 };
 
+zone "example" {
+	type master;
+	file "example.db.signed";
+};
+
 zone "verify-axfr" {
 	type master;
 	file "verify-axfr.db.signed";

bin/tests/system/mirror/ns2/sign.sh

@@ -14,6 +14,19 @@ SYSTEMTESTTOP=../..
 
 keys_to_trust=""
 
+for zonename in example; do
+	zone=$zonename
+	infile=$zonename.db.in
+	zonefile=$zonename.db
+
+	keyname1=`$KEYGEN -a RSASHA256 -f KSK $zone 2> /dev/null`
+	keyname2=`$KEYGEN -a RSASHA256 $zone 2> /dev/null`
+
+	cat $infile $keyname1.key $keyname2.key > $zonefile
+
+	$SIGNER -P -o $zone $zonefile > /dev/null
+done
+
 ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
 UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
 UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`

bin/tests/system/mirror/ns3/named.conf.in

@@ -34,6 +34,13 @@ zone "." {
 	file "../../common/root.hint";
 };
 
+zone "." {
+	type slave;
+	masters { 10.53.0.1; };
+	mirror yes;
+	file "root.db.mirror";
+};
+
 zone "verify-axfr" {
 	type slave;
 	masters { 10.53.0.2; };
@@ -71,4 +78,5 @@ zone "verify-untrusted" {
 	file "verify-untrusted.db.mirror";
 };
 
+include "../ns1/trusted.conf";
 include "../ns2/trusted-mirror.conf";

bin/tests/system/mirror/setup.sh

@@ -18,7 +18,7 @@ copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
 
-( cd ns2 && $SHELL -e sign.sh )
+( cd ns1 && $SHELL -e sign.sh )
 
 cat ns2/verify-axfr.db.bad.signed > ns2/verify-axfr.db.signed
 cat ns2/verify-ixfr.db.original.signed > ns2/verify-ixfr.db.signed

bin/tests/system/mirror/tests.sh

@@ -204,5 +204,17 @@ grep "${UPDATED_SERIAL_GOOD}.*; serial" dig.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking that resolution involving a mirror zone works as expected ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 foo.example A > dig.out.ns3.test$n 2>&1 || ret=1
+# Check response code and flags in the answer.
+grep "NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+# Ensure ns1 was not queried.
+grep "query 'foo.example/A/IN'" ns1/named.run > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

util/copyrights

@@ -1598,6 +1598,8 @@
 ./bin/tests/system/mirror/clean.sh		SH	2018
 ./bin/tests/system/mirror/ns1/named.conf.in	CONF-C	2018
 ./bin/tests/system/mirror/ns1/root.db.in	ZONE	2018
+./bin/tests/system/mirror/ns1/sign.sh		SH	2018
+./bin/tests/system/mirror/ns2/example.db.in	ZONE	2018
 ./bin/tests/system/mirror/ns2/named.conf.in	CONF-C	2018
 ./bin/tests/system/mirror/ns2/sign.sh		SH	2018
 ./bin/tests/system/mirror/ns2/verify.db.in	ZONE	2018