From fe8bc79f2bec2272a86e91e8670d6aa26440e4d4 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 28 Oct 2021 11:08:18 +1100
Subject: [PATCH] Check 'rndc stats' output for 'covering nsec returned'

---
 bin/tests/system/synthfromdnssec/clean.sh     |  1 +
 .../system/synthfromdnssec/ns1/named.conf.in  |  9 +++++++++
 .../system/synthfromdnssec/ns2/named.conf.in  |  9 +++++++++
 .../system/synthfromdnssec/ns3/named.conf.in  |  9 +++++++++
 .../system/synthfromdnssec/ns4/named.conf.in  |  9 +++++++++
 .../system/synthfromdnssec/ns5/named.conf.in  |  9 +++++++++
 .../system/synthfromdnssec/ns6/named.conf.in  |  9 +++++++++
 bin/tests/system/synthfromdnssec/tests.sh     | 20 +++++++++++++++++++
 8 files changed, 75 insertions(+)

diff --git a/bin/tests/system/synthfromdnssec/clean.sh b/bin/tests/system/synthfromdnssec/clean.sh
index 872d02bc95..b02e421536 100644
--- a/bin/tests/system/synthfromdnssec/clean.sh
+++ b/bin/tests/system/synthfromdnssec/clean.sh
@@ -15,6 +15,7 @@ rm -f ./*/named.memstats
 rm -f ./*/named.conf
 rm -f ./*/named.run
 rm -f ./*/named.run.prev
+rm -f ./*/named.stats
 rm -f ./dig.out.*
 rm -f ./ns1/K*+*+*.key
 rm -f ./ns1/K*+*+*.private
diff --git a/bin/tests/system/synthfromdnssec/ns1/named.conf.in b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
index 072c7d208a..192979965f 100644
--- a/bin/tests/system/synthfromdnssec/ns1/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns1/named.conf.in
@@ -24,6 +24,15 @@ options {
 	dnssec-validation yes;
 };
 
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.1 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
 zone "." {
 	type primary;
 	file "root.db.signed";
diff --git a/bin/tests/system/synthfromdnssec/ns2/named.conf.in b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
index b130d305d3..ffb32b9ae1 100644
--- a/bin/tests/system/synthfromdnssec/ns2/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns2/named.conf.in
@@ -24,6 +24,15 @@ options {
 	dnssec-validation yes;
 };
 
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
 zone "." {
 	type hint;
 	file "root.hints";
diff --git a/bin/tests/system/synthfromdnssec/ns3/named.conf.in b/bin/tests/system/synthfromdnssec/ns3/named.conf.in
index 5a8fbd6718..fcc44a2d8a 100644
--- a/bin/tests/system/synthfromdnssec/ns3/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns3/named.conf.in
@@ -24,6 +24,15 @@ options {
 	dnssec-validation yes;
 };
 
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
 zone "." {
 	type hint;
 	file "root.hints";
diff --git a/bin/tests/system/synthfromdnssec/ns4/named.conf.in b/bin/tests/system/synthfromdnssec/ns4/named.conf.in
index 042c6cf0b6..32e4845c35 100644
--- a/bin/tests/system/synthfromdnssec/ns4/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns4/named.conf.in
@@ -25,6 +25,15 @@ options {
 	synth-from-dnssec no;
 };
 
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
 zone "." {
 	type hint;
 	file "root.hints";
diff --git a/bin/tests/system/synthfromdnssec/ns5/named.conf.in b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
index 90b83a6432..0dc554aa0e 100644
--- a/bin/tests/system/synthfromdnssec/ns5/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns5/named.conf.in
@@ -25,6 +25,15 @@ options {
 	synth-from-dnssec yes;
 };
 
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
 zone "." {
 	type hint;
 	file "root.hints";
diff --git a/bin/tests/system/synthfromdnssec/ns6/named.conf.in b/bin/tests/system/synthfromdnssec/ns6/named.conf.in
index f6c137d05e..0b2c712a00 100644
--- a/bin/tests/system/synthfromdnssec/ns6/named.conf.in
+++ b/bin/tests/system/synthfromdnssec/ns6/named.conf.in
@@ -25,6 +25,15 @@ options {
 	synth-from-dnssec yes;
 };
 
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
 zone "." {
 	type hint;
 	file "root.hints";
diff --git a/bin/tests/system/synthfromdnssec/tests.sh b/bin/tests/system/synthfromdnssec/tests.sh
index 4b4ea83b56..0970a07255 100644
--- a/bin/tests/system/synthfromdnssec/tests.sh
+++ b/bin/tests/system/synthfromdnssec/tests.sh
@@ -12,6 +12,8 @@
 # shellcheck source=conf.sh
 . ../conf.sh
 
+RNDCCMD="$RNDC -c ../common/rndc.conf -p ${CONTROLPORT} -s"
+
 set -e
 
 status=0
@@ -385,6 +387,24 @@ do
     n=$((n+1))
     if [ $ret != 0 ]; then echo_i "failed"; fi
     status=$((status+ret))
+
+    echo_i "check 'rndc stats' output for 'covering nsec returned' (synth-from-dnssec ${description};) ($n)"
+    ret=0
+    ${RNDCCMD} 10.53.0.${ns} stats 2>&1 | sed 's/^/ns6 /' | cat_i
+    # 2 views, _bind should always be '0 covering nsec returned'
+    count=$(grep "covering nsec returned" ns${ns}/named.stats | wc -l)
+    test $count = 2 || ret=1
+    zero=$(grep " 0 covering nsec returned" ns${ns}/named.stats | wc -l)
+    if [ ${synth} = yes ]
+    then
+	test $zero = 1 || ret=1
+    else
+	test $zero = 2 || ret=1
+    fi
+    n=$((n+1))
+    if [ $ret != 0 ]; then echo_i "failed"; fi
+    status=$((status+ret))
+
 done
 
 echo_i "check redirect response (+dnssec) (synth-from-dnssec <default>;) ($n)"