[2267] catch and reject RRSIGs that don't have a covered RRset.

the loadRRSIGFollowsNothing test now passes and is re-enabled.
the 'name unmatched' and 'type unmatched' tests are essentially the same
so are removed (so are their test zone files).

src/lib/datasrc/memory/memory_client.cc

@@ -526,10 +526,11 @@ public:
     void flushNodeRRsets(const Name& zone_name, ZoneData* zone_data) {
         BOOST_FOREACH(NodeRRsetsVal val, node_rrsets_) {
             ConstRRsetPtr sig_rrset;
-            NodeRRsets::const_iterator sig_it =
+            NodeRRsets::iterator sig_it =
                 node_rrsigsets_.find(val.first);
             if (sig_it != node_rrsigsets_.end()) {
                 sig_rrset = sig_it->second;
+                node_rrsigsets_.erase(sig_it);
             }
             const result::Result result =
                 client_impl_->add(val.second, sig_rrset, zone_name,
@@ -537,6 +538,14 @@ public:
             assert(result == result::SUCCESS);
         }
 
+        // Right now, we don't accept RRSIG without covered RRsets (this
+        // should eventually allowed, but to do so we'll need to update the
+        // finder).
+        if (!node_rrsigsets_.empty()) {
+            isc_throw(AddError, "RRSIG is added without covered RRset for "
+                      << getCurrentName());
+        }
+
         node_rrsets_.clear();
         node_rrsigsets_.clear();
     }

src/lib/datasrc/memory/tests/memory_client_unittest.cc

@@ -489,8 +489,9 @@ TEST_F(MemoryClientTest, loadDNAMEAndNSNonApex2) {
     // Teardown checks for memory segment leaks
 }
 
-// Disable for now: we should actually allow this case.
-TEST_F(MemoryClientTest, DISABLED_loadRRSIGFollowsNothing) {
+TEST_F(MemoryClientTest, loadRRSIGFollowsNothing) {
+    // This causes the situation where an RRSIG is added without a covered
+    // RRset.  Such cases are currently rejected.
     EXPECT_THROW(client_->load(Name("example.org"),
                                TEST_DATA_DIR
                                "/example.org-rrsig-follows-nothing.zone"),
@@ -498,24 +499,6 @@ TEST_F(MemoryClientTest, DISABLED_loadRRSIGFollowsNothing) {
     // Teardown checks for memory segment leaks
 }
 
-// Disable for now: we should actually allow this case.
-TEST_F(MemoryClientTest, DISABLED_loadRRSIGNameUnmatched) {
-    EXPECT_THROW(client_->load(Name("example.org"),
-                               TEST_DATA_DIR
-                               "/example.org-rrsig-name-unmatched.zone"),
-                 InMemoryClient::AddError);
-    // Teardown checks for memory segment leaks
-}
-
-// Disable for now: we should actually allow this case.
-TEST_F(MemoryClientTest, DISABLED_loadRRSIGTypeUnmatched) {
-    EXPECT_THROW(client_->load(Name("example.org"),
-                               TEST_DATA_DIR
-                               "/example.org-rrsig-type-unmatched.zone"),
-                 InMemoryClient::AddError);
-    // Teardown checks for memory segment leaks
-}
-
 TEST_F(MemoryClientTest, loadRRSIGs) {
     client_->load(Name("example.org"),
                   TEST_DATA_DIR "/example.org-rrsigs.zone");

src/lib/datasrc/memory/tests/testdata/Makefile.am

@@ -24,8 +24,6 @@ EXTRA_DIST += example.org-nsec3-signed-no-param.zone
 EXTRA_DIST += example.org-nsec3-signed.zone
 EXTRA_DIST += example.org-out-of-zone.zone
 EXTRA_DIST += example.org-rrsig-follows-nothing.zone
-EXTRA_DIST += example.org-rrsig-name-unmatched.zone
-EXTRA_DIST += example.org-rrsig-type-unmatched.zone
 EXTRA_DIST += example.org-rrsigs.zone
 EXTRA_DIST += example.org-wildcard-dname.zone
 EXTRA_DIST += example.org-wildcard-ns.zone

src/lib/datasrc/memory/tests/testdata/example.org-rrsig-name-unmatched.zone

@@ -1,6 +0,0 @@
-;; test zone file used for ZoneFinderContext tests.
-;; RRSIGs are (obviouslly) faked ones for testing.
-
-example.org. 3600 IN SOA	ns1.example.org. bugs.x.w.example.org. 70 3600 300 3600000 3600
-ns1.example.org.		      3600 IN A		192.0.2.1
-ns2.example.org.		      3600 IN RRSIG	A 7 3 3600 20150420235959 20051021000000 40430 example.org. FAKEFAKE

src/lib/datasrc/memory/tests/testdata/example.org-rrsig-type-unmatched.zone

@@ -1,6 +0,0 @@
-;; test zone file used for ZoneFinderContext tests.
-;; RRSIGs are (obviouslly) faked ones for testing.
-
-example.org. 3600 IN SOA	ns1.example.org. bugs.x.w.example.org. 72 3600 300 3600000 3600
-ns1.example.org.		      3600 IN AAAA	2001:db8::1
-ns1.example.org.		      3600 IN RRSIG	A 7 3 3600 20150420235959 20051021000000 40430 example.org. FAKEFAKE