Test whether mirror zones can be added and removed dynamically

Extend the "mirror" zone system test to make sure mirror zones can be
added and removed dynamically using rndc.

bin/tests/system/mirror/clean.sh

@@ -11,6 +11,7 @@ rm -f */*.conf
 rm -f */*.db
 rm -f */*.jnl
 rm -f */*.mirror
+rm -f */*.nzd*
 rm -f */*.prev
 rm -f */*.signed
 rm -f */K*

bin/tests/system/mirror/ns2/named.conf.in

@@ -45,6 +45,11 @@ zone "initially-unavailable" {
 	allow-transfer { 10.53.0.254; };
 };
 
+zone "verify-addzone" {
+	type master;
+	file "verify-addzone.db.original.signed";
+};
+
 zone "verify-axfr" {
 	type master;
 	file "verify-axfr.db.signed";

bin/tests/system/mirror/ns2/sign.sh

@@ -36,7 +36,7 @@ ORIGINAL_SERIAL=`awk '$2 == "SOA" {print $5}' verify.db.in`
 UPDATED_SERIAL_BAD=`expr ${ORIGINAL_SERIAL} + 1`
 UPDATED_SERIAL_GOOD=`expr ${ORIGINAL_SERIAL} + 2`
 
-for variant in axfr ixfr load reconfig untrusted; do
+for variant in addzone axfr ixfr load reconfig untrusted; do
 	zone=verify-$variant
 	infile=verify.db.in
 	zonefile=verify-$variant.db

bin/tests/system/mirror/ns3/named.conf.in

@@ -29,6 +29,7 @@ options {
 	recursion yes;
 	allow-query-cache { 10.53.0.1; };
 	trust-anchor-telemetry yes;
+	allow-new-zones yes;
 };
 
 zone "." {

bin/tests/system/mirror/tests.sh

@@ -427,6 +427,39 @@ nextpart ns3/named.run | grep "No correct RSASHA256 signature for verify-reconfi
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking that a mirror zone can be added using rndc ($n)"
+ret=0
+# Sanity check: the zone should not exist in the root zone.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.1 2>&1 || ret=1
+grep "NXDOMAIN" dig.out.ns3.test$n.1 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.1 > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.1 > /dev/null || ret=1
+# Mirror a zone which does not exist in the root zone.
+nextpart ns3/named.run > /dev/null
+$RNDCCMD 10.53.0.3 addzone verify-addzone '{ type mirror; masters { 10.53.0.2; }; };' > rndc.out.ns3.test$n 2>&1 || ret=1
+wait_for_transfer verify-addzone
+# Check whether the mirror zone was added and whether it behaves as expected.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n.2 2>&1 || ret=1
+grep "NOERROR" dig.out.ns3.test$n.2 > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n.2 > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n.2 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking that a mirror zone can be deleted using rndc ($n)"
+ret=0
+# Remove the mirror zone added in the previous test.
+$RNDCCMD 10.53.0.3 delzone verify-addzone > rndc.out.ns3.test$n 2>&1 || ret=1
+# Check whether the mirror zone was removed.
+$DIG $DIGOPTS @10.53.0.3 +norec verify-addzone SOA > dig.out.ns3.test$n 2>&1 || ret=1
+grep "NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
+grep "flags:.* aa" dig.out.ns3.test$n > /dev/null && ret=1
+grep "flags:.* ad" dig.out.ns3.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "ensuring trust anchor telemetry queries are sent upstream for a mirror zone ($n)"
 ret=0