[1306] added simple NXRRSET case.

src/bin/auth/query.cc

@@ -310,15 +310,18 @@ Query::process() {
             case ZoneFinder::NXDOMAIN:
                 response_.setRcode(Rcode::NXDOMAIN());
                 addSOA(*result.zone_finder);
-
-                // If DNSSEC proof is requested and we've got it, add it.
                 if (dnssec_ && db_result.rrset) {
                     addNXDOMAINProof(zfinder, db_result.rrset);
                 }
                 break;
             case ZoneFinder::NXRRSET:
-                // Just empty answer with SOA in authority section
                 addSOA(*result.zone_finder);
+                if (dnssec_ && db_result.rrset) {
+                    response_.addRRset(Message::SECTION_AUTHORITY,
+                                       boost::const_pointer_cast<RRset>(
+                                           db_result.rrset),
+                                       dnssec_);
+                }
                 break;
             default:
                 // These are new result codes (WILDCARD and WILDCARD_NXRRSET)

src/bin/auth/tests/query_unittest.cc

@@ -123,6 +123,10 @@ const char* const nsec_nz_txt =
 const char* const nsec_nxdomain_txt =
     "noglue.example.com. 3600 IN NSEC www.example.com. A\n";
 
+// NSEC for the normal NXRRSET case
+const char* const nsec_www_txt =
+    "www.example.com. 3600 IN NSEC example.com. A NSEC RRSIG\n";
+
 // A helper function that generates a textual representation of RRSIG RDATA
 // for the given covered type.  The resulting RRSIG may not necessarily make
 // sense in terms of the DNSSEC protocol, but for our testing purposes it's
@@ -163,7 +167,7 @@ public:
             cname_nxdom_txt << cname_out_txt << dname_txt << dname_a_txt <<
             other_zone_rrs << no_txt << nz_txt <<
             nsec_apex_txt << nsec_mx_txt << nsec_no_txt << nsec_nz_txt <<
-            nsec_nxdomain_txt;
+            nsec_nxdomain_txt << nsec_www_txt;
 
         masterLoad(zone_stream, origin_, rrclass_,
                    boost::bind(&MockZoneFinder::loadRRset, this, _1));
@@ -324,6 +328,12 @@ MockZoneFinder::find(const Name& name, const RRType& type,
         }
 
         // Otherwise it's NXRRSET case.
+        if ((options & FIND_DNSSEC) != 0) {
+            found_rrset = found_domain->second.find(RRType::NSEC());
+            if (found_rrset != found_domain->second.end()) {
+                return (FindResult(NXRRSET, found_rrset->second));
+            }
+        }
         return (FindResult(NXRRSET, RRsetPtr()));
     }
 
@@ -717,6 +727,24 @@ TEST_F(QueryTest, nxrrset) {
                   NULL, soa_txt, NULL, mock_finder->getOrigin());
 }
 
+TEST_F(QueryTest, nxrrsetWithNSEC) {
+    // NXRRSET with DNSSEC proof.  We should have SOA, NSEC that proves the
+    // NXRRSET and their RRSIGs.
+    EXPECT_NO_THROW(Query(memory_client, Name("www.example.com"),
+                          RRType::TXT(), response, true).process());
+
+    responseCheck(response, Rcode::NOERROR(), AA_FLAG, 0, 4, 0, NULL,
+                  (string(soa_txt) + string("example.com. 3600 IN RRSIG ") +
+                   getCommonRRSIGText("SOA") + "\n" +
+                   string(nsec_www_txt) + "\n" +
+                   string("www.example.com. 3600 IN RRSIG ") +
+                   getCommonRRSIGText("NSEC")).c_str(),
+                  NULL, mock_finder->getOrigin());
+}
+
+// TODO: specify DNSSEC but no NSEC
+// TODO: empty non terminal NXRRSET
+
 /*
  * This tests that when there's no SOA and we need a negative answer. It should
  * throw in that case.