From 074a152c4f1a8c4bd2ff52d01df23427fd304224 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Mon, 26 Jan 2026 14:28:10 +0000
Subject: [PATCH] Add a new check in the RPZ system test
Check that reloading a response policy zone which has an '$INCLUDE' directive defined is working as expected.
(cherry picked from commit d81a2457d6fe09a01d60d4204fb80c3e2feec88d)
---
bin/tests/system/rpz/ns2/tld2.db | 3 +++
bin/tests/system/rpz/ns3/include-rpz.db.in | 14 ++++++++++++++
bin/tests/system/rpz/ns3/include-rpz.inc-1.in | 14 ++++++++++++++
bin/tests/system/rpz/ns3/include-rpz.inc-2.in | 16 ++++++++++++++++
bin/tests/system/rpz/ns3/named.conf.j2 | 7 +++++++
bin/tests/system/rpz/setup.sh | 3 +++
bin/tests/system/rpz/tests.sh | 10 ++++++++++
bin/tests/system/rpz/tests_sh_rpz.py | 2 ++
bin/tests/system/rpz/tests_sh_rpz_dnsrps.py | 2 ++
9 files changed, 71 insertions(+)
create mode 100644 bin/tests/system/rpz/ns3/include-rpz.db.in
create mode 100644 bin/tests/system/rpz/ns3/include-rpz.inc-1.in
create mode 100644 bin/tests/system/rpz/ns3/include-rpz.inc-2.in
diff --git a/bin/tests/system/rpz/ns2/tld2.db b/bin/tests/system/rpz/ns2/tld2.db
index c6f2556db5..a66ee16d14 100644
--- a/bin/tests/system/rpz/ns2/tld2.db
+++ b/bin/tests/system/rpz/ns2/tld2.db
@@ -123,3 +123,6 @@ a7-1 A 192.168.7.1 a7-2 A 192.168.7.2 TXT "a7-2 tld2 text" + +a8-1 A 192.168.8.1 + TXT "a8-1 tld2 text"
diff --git a/bin/tests/system/rpz/ns3/include-rpz.db.in b/bin/tests/system/rpz/ns3/include-rpz.db.in
new file mode 100644
index 0000000000..5133b78964
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/include-rpz.db.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+
+$INCLUDE include-rpz.inc
diff --git a/bin/tests/system/rpz/ns3/include-rpz.inc-1.in b/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
new file mode 100644
index 0000000000..5d316a89b0
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-1.in
@@ -0,0 +1,14 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA include-rpz. hostmaster.ns.include-rpz. ( 1 3600 1200 604800 60 )
+ NS ns.tld3.
diff --git a/bin/tests/system/rpz/ns3/include-rpz.inc-2.in b/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
new file mode 100644
index 0000000000..4bce8532cc
--- /dev/null
+++ b/bin/tests/system/rpz/ns3/include-rpz.inc-2.in
@@ -0,0 +1,16 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ SOA include-rpz. hostmaster.ns.include-rpz. ( 2 3600 1200 604800 60 )
+ NS ns.tld3.
+
+a8-1.tld2 CNAME .
diff --git a/bin/tests/system/rpz/ns3/named.conf.j2 b/bin/tests/system/rpz/ns3/named.conf.j2
index 6d8c9e7b66..19ed919968 100644
--- a/bin/tests/system/rpz/ns3/named.conf.j2
+++ b/bin/tests/system/rpz/ns3/named.conf.j2
@@ -53,6 +53,7 @@ options {
 zone "bl.tld2";
 zone "manual-update-rpz" ede forged;
 zone "mixed-case-rpz";
+ zone "include-rpz";
 zone "evil-cname" policy cname a12.tld2. ede blocked;
 zone "wild-cname" ede blocked;
 zone "slow-rpz";
@@ -130,6 +131,12 @@ zone "mixed-case-rpz." { notify no; }; +zone "include-rpz." { + type primary; + file "include-rpz.db"; + notify no; +}; + zone "slow-rpz." { type primary; file "slow-rpz.db";
diff --git a/bin/tests/system/rpz/setup.sh b/bin/tests/system/rpz/setup.sh
index 0762a68441..c40782185d 100644
--- a/bin/tests/system/rpz/setup.sh
+++ b/bin/tests/system/rpz/setup.sh
@@ -43,6 +43,9 @@ cp ns3/wild-cname.db.in ns3/wild-cname.db cp ns3/mixed-case-rpz-1.db.in ns3/mixed-case-rpz.db +cp ns3/include-rpz.db.in ns3/include-rpz.db +cp ns3/include-rpz.inc-1.in ns3/include-rpz.inc + # a "big" zone (tested with '-T rpzslow' enabled to slow down loading) cp ns3/slow-rpz.db.in ns3/slow-rpz.db
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 7104b0180b..6e81866126 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -795,6 +795,16 @@ if [ native = "$MODE" ]; then $DIG -p ${PORT} @$ns3 walled.tld2 >dig.out.$t.after || setret "failed" grep "walled\.tld2\..*IN.*A.*10\.0\.0\.1" dig.out.$t.after >/dev/null || setret "failed" + t=$((t + 1)) + echo_i "checking rpz with included rules can reload (${t})" + $DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.before || setret "failed" + grep "status: NOERROR" dig.out.$t.before >/dev/null || setret "failed" + cp ns3/include-rpz.inc-2.in ns3/include-rpz.inc + rndc_reload ns3 $ns3 include-rpz + sleep 1 + $DIG -p ${PORT} @$ns3 a8-1.tld2 >dig.out.$t.after || setret "failed" + grep "status: NXDOMAIN" dig.out.$t.after >/dev/null || setret "failed" + t=$((t + 1)) echo_i "checking the default (unset) extended DNS error code (EDE) (${t})" $DIG -p ${PORT} @$ns3 a6-2.tld2. A >dig.out.$t || setret "failed"
diff --git a/bin/tests/system/rpz/tests_sh_rpz.py b/bin/tests/system/rpz/tests_sh_rpz.py
index 303a71f50d..86fe2acc2b 100644
--- a/bin/tests/system/rpz/tests_sh_rpz.py
+++ b/bin/tests/system/rpz/tests_sh_rpz.py
@@ -39,6 +39,8 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns3/bl.tld2.db",
 "ns3/evil-cname.db",
 "ns3/fast-expire.db",
+ "ns3/include-rpz.db",
+ "ns3/include-rpz.inc",
 "ns3/manual-update-rpz.db",
 "ns3/mixed-case-rpz.db",
 "ns3/named.conf.tmp",
diff --git a/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py b/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py
index e286db9ce5..1b7e33b014 100644
--- a/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py
+++ b/bin/tests/system/rpz/tests_sh_rpz_dnsrps.py
@@ -43,6 +43,8 @@ pytestmark = [
 "ns3/bl.tld2.db",
 "ns3/evil-cname.db",
 "ns3/fast-expire.db",
+ "ns3/include-rpz.db",
+ "ns3/include-rpz.inc",
 "ns3/manual-update-rpz.db",
 "ns3/mixed-case-rpz.db",
 "ns3/named.conf.tmp",
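Review bot: In the tests.sh hunk (`@@ -795,6 +795,16 @@`) the fixed `sleep 1` after `rndc_reload ns3 $ns3 include-rpz` is a timing assumption: if the reload or the policy update takes longer than a second on a loaded host, the second dig still sees the old rules and the `status: NXDOMAIN` check fails for reasons unrelated to `$INCLUDE` handling. Polling the dig/grep pair with a bounded retry, or waiting for named's reload log message before querying, would make the check deterministic; if the sleep stays, it deserves a comment such as `# reload is asynchronous; allow the policy update to finish`. The assertion also matches only the status line, so it cannot tell a rewrite by include-rpz from a rewrite by any other policy zone that might later list a8-1.tld2; checking for the policy zone's name in the same output, if the response exposes it, would pin that down. The enclosing `if [ native = "$MODE" ]; then` block opens and closes outside the hunk.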