
[master] Merge branch 'trac1836'

JINMEI Tatuya 13 years ago
parent
commit
78bb8f4b96

+ 4 - 2
src/bin/auth/query.cc

@@ -278,8 +278,10 @@ Query::addDS(ZoneFinder& finder, const Name& dname) {
                ds_context->isNSEC3Signed()) {
         // Add no DS proof with NSEC3 as specified in RFC 5155 Section 7.2.7.
         addClosestEncloserProof(finder, dname, true);
-    } else {
-        // Any other case should be an error
+    } else if (ds_context->code != ZoneFinder::NXRRSET) {
+        // We know this domain should exist, so the result must be NXRRSET.
+        // If not, the zone is broken, so we'll return SERVFAIL by triggering
+        // an exception.
         isc_throw(BadDS, "Unexpected result for DS lookup for delegation");
     }
 }
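Review bot: The new `else if` lets an NXRRSET result that carries neither an NSEC nor an NSEC3 proof fall through silently, so the referral is sent with no DS and no denial-of-DS proof; the added comment explains why a non-NXRRSET code is an error, but not that this silent case is the intended "unsigned parent" path. If, as the preceding branches suggest, the NSEC/NSEC3 proofs are added only when the corresponding `isNSECSigned()`/`isNSEC3Signed()` flag is set, a one-line comment keeps the next reader from taking the fall-through for a missed case, e.g. `// NXRRSET without NSEC/NSEC3: the parent zone is unsigned, so no proof is added.` It is also worth stating that when the zone really is signed but the finder returns no proof, the referral still goes out unchanged (a validating resolver may then fail the delegation rather than treat it as insecure) — that is the behaviour this commit chooses, so it should be documented rather than left implicit. `Query::addDS` begins before this hunk.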

+ 19 - 3
src/bin/auth/tests/query_unittest.cc

@@ -239,6 +239,10 @@ const char* const unsigned_delegation_optout_nsec_txt =
 const char* const bad_delegation_txt =
     "bad-delegation.example.com. 3600 IN NS ns.example.net.\n";
 
+// Delegation from an unsigned parent.  There's no DS, and there's no NSEC
+// or NSEC3 that proves it.
+const char* const nosec_delegation_txt =
+    "nosec-delegation.example.com. 3600 IN NS ns.nosec.example.net.\n";
 
 // A helper function that generates a textual representation of RRSIG RDATA
 // for the given covered type.  The resulting RRSIG may not necessarily make
@@ -314,7 +318,7 @@ public:
             unsigned_delegation_txt << unsigned_delegation_nsec_txt <<
             unsigned_delegation_optout_txt <<
             unsigned_delegation_optout_nsec_txt <<
-            bad_delegation_txt;
+            bad_delegation_txt << nosec_delegation_txt;
 
         masterLoad(zone_stream, origin_, rrclass_,
                    boost::bind(&MockZoneFinder::loadRRset, this, _1));
@@ -715,8 +719,9 @@ MockZoneFinder::find(const Name& name, const RRType& type,
                                       RESULT_NSEC_SIGNED));
             }
         }
-        return (createContext(options, NXRRSET, RRsetPtr(),
-                              RESULT_NSEC_SIGNED));
+        // If no NSEC is found or DNSSEC isn't specified, behave as if the
+        // zone is unsigned.
+        return (createContext(options, NXRRSET, RRsetPtr()));
     }
 
     // query name isn't found in our domains.
@@ -1097,6 +1102,17 @@ TEST_F(QueryTest, delegation) {
                   NULL, delegation_txt, ns_addrs_txt);
 }
 
+TEST_F(QueryTest, delegationWithDNSSEC) {
+    // Similar to the previous one, but with requesting DNSSEC.
+    // In this case the parent zone would behave as unsigned, so the result
+    // should be just like non DNSSEC delegation.
+    query.process(memory_client, Name("www.nosec-delegation.example.com"),
+                  qtype, response, true);
+
+    responseCheck(response, Rcode::NOERROR(), 0, 0, 1, 0,
+                  NULL, nosec_delegation_txt, NULL);
+}
+
 TEST_F(QueryTest, secureDelegation) {
     EXPECT_NO_THROW(query.process(memory_client,
                                   Name("foo.signed-delegation.example.com"),
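Review bot: The comment on the new `delegationWithDNSSEC` test, `// Similar to the previous one, but with requesting DNSSEC.`, refers to the sibling test by position; naming it (`// Similar to the delegation test, but requesting DNSSEC.`) survives later reordering. The test also depends on the change in `MockZoneFinder::find` earlier in this file, where the NXRRSET return no longer carries `RESULT_NSEC_SIGNED`; that coupling is the whole point of the test, so a sentence such as `// Relies on MockZoneFinder::find returning NXRRSET without the NSEC-signed flag for the nosec-delegation DS lookup.` would make the dependency explicit. In that `find` hunk the new comment says "or DNSSEC isn't specified", but nothing in the visible lines inspects the options; if that check happens in the loop above (outside the hunk), the comment should say where, since the return itself is now unconditional. `MockZoneFinder::find` begins outside its hunk.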

+ 16 - 0
tests/lettuce/features/queries.feature

@@ -79,3 +79,19 @@ Feature: Querying feature
         ns2.example.org.	3600	IN	A	192.0.2.4
         mail.example.org.	3600	IN	A	192.0.2.10
         """
+    Scenario: Delegation query for unsigned child zone
+        Given I have bind10 running with configuration example.org.inmem.config
+        A dnssec query for www.sub.example.org type AAAA should have rcode NOERROR
+        The last query response should have flags qr rd
+        The last query response should have edns_flags do
+        The last query response should have ancount 0
+        The last query response should have nscount 1
+        The last query response should have adcount 2
+        The authority section of the last query response should be
+        """
+        sub.example.org.	3600	IN	NS	ns.sub.example.org.
+        """
+        The additional section of the last query response should be
+        """
+        ns.sub.example.org.	3600	IN	A	192.0.2.101
+        """
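Review bot: The scenario asserts `adcount 2` but the additional-section block that follows lists only one record (`ns.sub.example.org. A`); presumably the second is the EDNS OPT pseudo-RR from the DO-bit query, which the step text does not mention, so a reader comparing the count with the block sees a mismatch. If the step implementation skips OPT when matching the section, a comment line before the count, e.g. `# adcount counts the EDNS OPT RR added for the DNSSEC query`, would explain it; otherwise the expected count should be checked. A short comment on the scenario that the point of `nscount 1` with the single NS record is the absence of any DS, NSEC or RRSIG in the authority section would also make the intent of the check clear.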