From 6b2b2f2db5870df63858acfe956aaf90e0918f37 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Thu, 26 Jun 2025 13:49:20 +0000 Subject: [PATCH] Add a new serve-stale system test check Check serve-stale with 'stale-answer-client-timeout 0;' and a CNAME targeting a cached auth zone. --- bin/tests/system/serve-stale/ans2/ans.pl | 19 ++++++++ .../system/serve-stale/ns3/named10.conf.in | 48 +++++++++++++++++++ bin/tests/system/serve-stale/tests.sh | 32 +++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 bin/tests/system/serve-stale/ns3/named10.conf.in diff --git a/bin/tests/system/serve-stale/ans2/ans.pl b/bin/tests/system/serve-stale/ans2/ans.pl index 12d54b4a30..ae8ce8bb59 100644 --- a/bin/tests/system/serve-stale/ans2/ans.pl +++ b/bin/tests/system/serve-stale/ans2/ans.pl @@ -70,6 +70,7 @@ my $CNAME = "cname.example 7 IN CNAME target.example"; my $TARGET = "target.example 9 IN A $localaddr"; my $SHORTCNAME = "shortttl.cname.example 1 IN CNAME longttl.target.example"; my $LONGTARGET = "longttl.target.example 600 IN A $localaddr"; +my $OUTCNAME = "out-cname.example 600 IN CNAME serve.stale"; sub reply_handler { my ($qname, $qclass, $qtype) = @_; @@ -105,6 +106,15 @@ sub reply_handler { } $rcode = "NOERROR"; return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); + } elsif ($qname eq "normal" ) { + if ($qtype eq "TXT") { + $send_response = 1; + $slow_response = 0; + my $rr = new Net::DNS::RR("$qname 0 $qclass TXT \"$send_response\""); + push @ans, $rr; + } + $rcode = "NOERROR"; + return ($rcode, \@ans, \@auth, \@add, { aa => 1 }); } # If we are not responding to queries we are done. 
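Review bot: The new `normal` branch changes server state (`$send_response = 1; $slow_response = 0;`) but nothing in the hunk marks it as a control query, and reply_handler itself starts and ends outside the hunk. A comment above the `elsif` would make that explicit, for example `# "normal" is a control name: a TXT query re-enables responses and turns off delayed answers`. The TXT payload reports only `$send_response`, so the `TXT."1"` grep in tests.sh confirms that responses are on but not that `$slow_response` was cleared. If that matters for the GL#5383 check, the payload could carry both flags and the grep be adjusted to match.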
@@ -220,6 +230,15 @@ sub reply_handler { push @auth, $rr; } $rcode = "NOERROR"; + } elsif ($qname eq "out-cname.example") { + if ($qtype eq "A") { + my $rr = new Net::DNS::RR($OUTCNAME); + push @ans, $rr; + } else { + my $rr = new Net::DNS::RR($negSOA); + push @auth, $rr; + } + $rcode = "NOERROR"; } elsif ($qname eq "nxdomain.example") { my $rr = new Net::DNS::RR($negSOA); push @auth, $rr; diff --git a/bin/tests/system/serve-stale/ns3/named10.conf.in b/bin/tests/system/serve-stale/ns3/named10.conf.in new file mode 100644 index 0000000000..dc6fb5e375 --- /dev/null +++ b/bin/tests/system/serve-stale/ns3/named10.conf.in @@ -0,0 +1,48 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + recursion yes; + dnssec-validation no; + stale-answer-enable yes; + stale-cache-enable yes; + stale-answer-ttl 3; + stale-answer-client-timeout 0; +}; + +zone "." { + type hint; + file "root.db"; +}; + +zone "serve.stale" IN { + type primary; + notify no; + file "serve.stale.db"; +}; diff --git a/bin/tests/system/serve-stale/tests.sh b/bin/tests/system/serve-stale/tests.sh index fee2b376b7..d0fbb6f721 100755 --- a/bin/tests/system/serve-stale/tests.sh +++ b/bin/tests/system/serve-stale/tests.sh 
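Review bot: named10.conf.in has no comment saying what sets it apart from the other ns3 configurations; from the hunk the relevant parts are `stale-answer-client-timeout 0;` and the primary zone `serve.stale` that the new CNAME points at. A line such as `/* GL#5383: stale-answer-client-timeout 0 with a CNAME whose target is served locally */` above `options` would save the next reader a diff against the sibling files. The fixed rndc secret and `allow { any; }` on the control channel are only reasonable because 10.53.0.3 is presumably a test-only address, so this template should not be copied outside the test harness. `root.db` and `serve.stale.db` are not added by this commit and are assumed to exist in ns3 already.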
@@ -2758,5 +2758,37 @@ grep "target\.example\..*[1-2].*IN.*A" dig.out.test$n >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +# disable delaying auth answering +n=$((n + 1)) +echo_i "disable delaying responses from authoritative server ($n)" +ret=0 +$DIG -p ${PORT} @10.53.0.2 txt normal >dig.out.test$n || ret=1 +grep "ANSWER: 1," dig.out.test$n >/dev/null || ret=1 +grep "TXT.\"1\"" dig.out.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + +# configure ns3 with stale-answer-client-timeout 0 and a auth zone +copy_setports ns3/named10.conf.in ns3/named.conf +rndc_reload ns3 10.53.0.3 + +# GL#5383 +n=$((n + 1)) +echo_i "check serve-stale (stale-answer-client-timeout 0) with a CNAME targeting a cached auth zone ($n)" +ret=0 +# flush cache, make sure serve-stale is on +$RNDCCMD 10.53.0.3 flush >rndc.out.test$n.1 2>&1 || ret=1 +$RNDCCMD 10.53.0.3 serve-stale on >rndc.out.test$n.2 2>&1 || ret=1 +# prime the cache with the A response +$DIG -p ${PORT} @10.53.0.3 out-cname.example >dig.out.1.test$n || ret=1 +grep -F "status: NOERROR" dig.out.1.test$n >/dev/null || ret=1 +grep -F "QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1" dig.out.1.test$n >/dev/null || ret=1 +# resend the query; we should immediately get a cached answer +$DIG -p ${PORT} @10.53.0.3 out-cname.example >dig.out.2.test$n || ret=1 +grep -F "status: NOERROR" dig.out.2.test$n >/dev/null || ret=1 +grep -F "QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1" dig.out.2.test$n >/dev/null || ret=1 +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1
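Review bot: The two `grep -F` checks on dig.out.2.test$n are identical to those on dig.out.1.test$n and look only at the status and section counts, so the second query passes without showing that the answer is the expected CNAME. Pinning the record would make the check specific, e.g. `grep "out-cname\.example\..*IN.*CNAME.*serve\.stale\." dig.out.2.test$n >/dev/null || ret=1`. The `copy_setports` / `rndc_reload ns3 10.53.0.3` step also runs outside any numbered check, so a failed reload would surface only indirectly in the following test. Whether rndc_reload reports failure itself is not visible in this hunk.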